From 87a80ac79479c0f3b7ab082687e18a6d39f4a62e Mon Sep 17 00:00:00 2001
From: James Addison
Date: Wed, 16 Nov 2022 19:23:14 +0000
Subject: [PATCH 1/5] Experimental: migrate frontend webserver to Caddy
---
 Containerfile-frontend | 21 +++++++++------------
 static/frontend/Caddyfile | 21 +++++++++++++++++++++
 2 files changed, 30 insertions(+), 12 deletions(-)
 create mode 100644 static/frontend/Caddyfile
diff --git a/Containerfile-frontend b/Containerfile-frontend
index db0f110..b20cc17 100644
--- a/Containerfile-frontend
+++ b/Containerfile-frontend
@@ -15,19 +15,16 @@ RUN apk add --no-cache \
 # Install system dependencies
 RUN apk update && \
 apk add --no-cache \
- nginx
+ caddy
 # Configure directory permissions
-RUN chown -R nginx /var/log/nginx && \
- rm -rf /var/www/localhost && \
- chown nginx /var/www
+RUN mkdir /var/www && \
+ chown caddy /var/www
-COPY static/frontend/nginx.conf /etc/nginx/nginx.conf
-COPY static/frontend/common.conf /etc/nginx/common.conf
-COPY static/frontend/conf.d/default.conf /etc/nginx/conf.d/default.conf
+COPY static/frontend/Caddyfile /etc/caddy/Caddyfile
 # Install application dependencies (unprivileged)
-USER nginx
+USER caddy
 WORKDIR /var/www
 # Extract application release package
@@ -51,10 +48,10 @@ RUN apk del \
 wget \
 yarn
-VOLUME ["/var/log/nginx"]
+VOLUME ["/var/lib/caddy"]
-EXPOSE 8080
+EXPOSE 8080 8443
-USER nginx
+USER caddy
-CMD ["nginx", "-g", "daemon off;"]
+CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile"]
diff --git a/static/frontend/Caddyfile b/static/frontend/Caddyfile
new file mode 100644
index 0000000..5cd5da6
--- /dev/null
+++ b/static/frontend/Caddyfile
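Review bot: `VOLUME ["/var/lib/caddy"]` in the second hunk declares a volume that nothing in this Containerfile creates or hands to the `caddy` user, whereas the first hunk creates and chowns `/var/www` explicitly. Whether Caddy resolves its data directory (where the `issuer internal` CA keys and issued certificates are kept) to this path depends on the Alpine package's account setup (`HOME`/`XDG_DATA_HOME`), which the hunk does not show; if it does not, the internal issuer has nowhere writable to store keys, and if it does, the CA private key lives on an anonymous volume that outlives the container. A comment naming the intent would help, e.g. `# Caddy data dir: persists the internal CA keys and issued certificates` above the `VOLUME` line, and a `RUN mkdir -p /var/lib/caddy && chown caddy /var/lib/caddy` next to the `/var/www` setup would make the permissions explicit rather than inherited from the package.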
@@ -0,0 +1,21 @@
+http://localhost:8080, https://localhost:8443 {
+ # Issue self-signed certificates on-demand from local certificate authority
+ tls {
+ issuer internal
+ on_demand
+ }
+
+ # Serve static file content
+ file_server
+ root * /var/www/public
+
+ # Fallback to PHP handling for missing files
+ try_files {path} /index.php?{query}
+
+ # Proxy PHP requests to the backend service
+ @php path *.php
+ php_fastcgi @php backend:9000
+
+ # Enable gzip compression
+ encode gzip
+}
From ff788361be18dcf61a0da9d80c5281d15dc43191 Mon Sep 17 00:00:00 2001
From: James Addison
Date: Wed, 16 Nov 2022 19:29:14 +0000
Subject: [PATCH 2/5] Run 'caddy fmt' on Caddyfile
---
 static/frontend/Caddyfile | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/static/frontend/Caddyfile b/static/frontend/Caddyfile
index 5cd5da6..1d61eb0 100644
--- a/static/frontend/Caddyfile
+++ b/static/frontend/Caddyfile
@@ -1,21 +1,21 @@
 http://localhost:8080, https://localhost:8443 {
- # Issue self-signed certificates on-demand from local certificate authority
- tls {
- issuer internal
- on_demand
- }
+ # Issue self-signed certificates on-demand from local certificate authority
+ tls {
+ issuer internal
+ on_demand
+ }
- # Serve static file content
- file_server
- root * /var/www/public
+ # Serve static file content
+ file_server
+ root * /var/www/public
- # Fallback to PHP handling for missing files
- try_files {path} /index.php?{query}
+ # Fallback to PHP handling for missing files
+ try_files {path} /index.php?{query}
- # Proxy PHP requests to the backend service
- @php path *.php
- php_fastcgi @php backend:9000
+ # Proxy PHP requests to the backend service
+ @php path *.php
+ php_fastcgi @php backend:9000
- # Enable gzip compression
- encode gzip
+ # Enable gzip compression
+ encode gzip
 }
From 680aa1890b4fa7910bb8d081706dcc297159d95a Mon Sep 17 00:00:00 2001
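Review bot: `on_demand` inside the `tls` block turns on on-demand issuance for a site whose only address is the fixed name `localhost`, and no `on_demand_tls` policy is configured in a global options block. The internal issuer can mint the `localhost` certificate at startup, so on-demand here only defers issuance to the first TLS handshake and, on Caddy releases that require an `ask` endpoint for on-demand TLS, may be warned about or refused at config load; dropping the line, or adding a comment stating why deferred issuance is wanted, would make the intent clear. Note also that `php_fastcgi` carries its own `*.php` matcher and `try_files` rewrite, so the explicit `@php path *.php` and `try_files {path} /index.php?{query}` lines overlap with it; if the `/index.php?{query}` fallback is the deliberate difference, a comment saying so would stop a later reader from removing it.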
From: James Addison
Date: Wed, 16 Nov 2022 19:54:32 +0000
Subject: [PATCH 3/5] Refactor: relocate HTTP, HTTPS port definitions
---
 static/frontend/Caddyfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/static/frontend/Caddyfile b/static/frontend/Caddyfile
index 1d61eb0..b9c7c43 100644
--- a/static/frontend/Caddyfile
+++ b/static/frontend/Caddyfile
@@ -1,4 +1,9 @@
-http://localhost:8080, https://localhost:8443 {
+{
+ http_port 8080
+ https_port 8443
+}
+
+localhost {
 # Issue self-signed certificates on-demand from local certificate authority
 tls {
 issuer internal
From 5ee4b6ca6caeb44b222b2b437eac7dcc3b7297d7 Mon Sep 17 00:00:00 2001
From: James Addison
Date: Wed, 16 Nov 2022 20:04:25 +0000
Subject: [PATCH 4/5] Caddy configuration: do not add the webserver's local certificate authority to the container's trust store
---
 static/frontend/Caddyfile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/static/frontend/Caddyfile b/static/frontend/Caddyfile
index b9c7c43..a4344b1 100644
--- a/static/frontend/Caddyfile
+++ b/static/frontend/Caddyfile
@@ -1,6 +1,9 @@
 {
 http_port 8080
 https_port 8443
+
+ # Do not add the webserver's local certificate authority to the container's trust store
+ skip_install_trust
 }
 localhost {
From 016e8cfb584ac234cc56e49cf57d5eac7db8ad5b Mon Sep 17 00:00:00 2001
From: James Addison
Date: Wed, 16 Nov 2022 20:09:08 +0000
Subject: [PATCH 5/5] Caddy configuration: disable the caddy admin API endpoint
---
 static/frontend/Caddyfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/static/frontend/Caddyfile b/static/frontend/Caddyfile
index a4344b1..78d0276 100644
--- a/static/frontend/Caddyfile
+++ b/static/frontend/Caddyfile
@@ -1,4 +1,5 @@
 {
+ admin off
 http_port 8080
 https_port 8443
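Review bot: Replacing `http://localhost:8080, https://localhost:8443` with a bare `localhost` site address changes what port 8080 does: with no scheme in the address, Caddy's automatic HTTPS applies, so, if I read its rules right, the site is served only on `https_port` 8443 and `http_port` 8080 becomes an HTTP-to-HTTPS redirect instead of serving the application over plain HTTP as the old address did. If plain HTTP on 8080 is still intended (the Containerfile exposes both ports), keep the schemes in the address, `http://localhost, https://localhost {`, which still picks up the global `http_port`/`https_port`, or add `auto_https disable_redirects` to the global block and record the choice in a comment. The `localhost` block's body continues past the end of the hunk.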