Skip to content

docs: add nginx reverse-proxy example #6185

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 33 commits into from
Feb 15, 2023
Merged

docs: add nginx reverse-proxy example #6185

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
33 commits
Select commit Hold shift + click to select a range
2c7f0cf
docs: Add nginx reverse-proxy example
matifali Feb 13, 2023
d29da64
change nginx example to to absolute path
matifali Feb 13, 2023
247a060
Merge branch 'coder:main' into rev-proxy-auto-tls
matifali Feb 13, 2023
3c247a5
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
8a96176
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
4f25817
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
099428a
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
d3913b3
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
7f8d795
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
3d306a4
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
69eb387
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
c1111b3
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
af32c58
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
b672a1f
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
f080259
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
838e008
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
23dd1e3
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
7a7e7e4
Update examples/web-server/nginx/README.md
matifali Feb 13, 2023
a5abc85
refactor: replaced bullets with numbered lists
matifali Feb 13, 2023
3f1353e
remove the ambiguous ip addr.
matifali Feb 13, 2023
8e5531d
fixed a typo
matifali Feb 13, 2023
8c343f0
correctly handle the wildcard subdomain
matifali Feb 13, 2023
86e7dae
simplified after testing
matifali Feb 13, 2023
7d28e51
fmt: prettier formatting
matifali Feb 13, 2023
a642933
Adapt to the coder style guide
matifali Feb 13, 2023
77149bc
fix: agent disconnection
matifali Feb 14, 2023
ff6fd37
Merge branch 'coder:main' into rev-proxy-auto-tls
matifali Feb 15, 2023
4b5362c
Update examples/web-server/nginx/README.md
matifali Feb 15, 2023
35247ed
Update docs/admin/configure.md
matifali Feb 15, 2023
30163f4
Update examples/web-server/nginx/README.md
matifali Feb 15, 2023
5b54368
updated with suggested changes
matifali Feb 15, 2023
4d0deb6
updated with requested changes
matifali Feb 15, 2023
065ed25
add reference to certbot docs for other dns providers
matifali Feb 15, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
docs: Add nginx reverse-proxy example 
This PR adds nginx reverse-proxy example to provision coder with tls certificate using letsencrypt certbot.

This will partially resolve #6086.
  • Loading branch information
@matifali
matifali committed Feb 13, 2023
commit 2c7f0cfd9af7f75655001fdce1beffcabcdeae34
3 changes: 2 additions & 1 deletion docs/admin/configure.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,8 @@ subdomain that resolves to Coder (e.g. `*.coder.example.com`).

The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and accompanying configuration flags. However, Coder can also run behind a reverse-proxy to terminate TLS certificates from LetsEncrypt, for example.

- Example: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy)
- Caddy: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy)
- Nginx: [Run Coder with Nginx and LetsEncrypt](https://../../../examples/web-server/nginx)

## PostgreSQL Database

Expand Down
100 changes: 100 additions & 0 deletions examples/web-server/nginx/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
# How to use nginx as a reverse-proxy with letsencrypt

## Requirements

1. You'll need a subdomain and the a wildcard subdomain configured that resolves to server.
2. Install **nginx** (assuming you're on debian/ubuntu):

- `sudo apt install nginx`

3. Stop **nginx** :

- `sudo service stop nginx`

## Adding Coder deployment subdomain

> this example assumes coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`.

- create a new file for this app : `sudo touch /etc/nginx/sites-available/YOUR_SUBDOMAIN`

- and activate this file : `sudo ln -s /etc/nginx/sites-available/YOUR_SUBDOMAIN /etc/nginx/sites-enabled/YOUR_SUBDOMAIN`

## Install and configure letsencrypt certbot

Install letsencrypt **certbot** : follow the instructions on [certbot website](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard)

## Create dns provider credentials

- Create an API token for the dns provider you're using : e.g cloudflare [here](https://dash.cloudflare.com/profile/api-tokens) with the following permissions :
- Zone - DNS - Edit
- Create a file in `.secrets/certbot/cloudflare.ini` with the following content :
- `dns_cloudflare_api_token = YOUR_API_TOKEN`

## Create the certificate

- Create the wildcard certificate :

```console
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com *.coder.example.com
```

## Configure nginx
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Configure nginx
## Configure NGINX


Edit the file with : `sudo nano /etc/nginx/sites-available/YOUR_SUBDOMAIN` and add the following content :

```nginx
server {
server_name YOUR_SUBDOMAIN;

# HTTP configuration
listen 80;
listen [::]:80;

# HTTP to HTTPS
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot

# HTTPS configuration
listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
}
```

> Don't forget to change :
>
> - `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com`
> - the port and ip in `proxy_pass` if applicable
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you explain here what this port and IP should be (Coder server URL)?


## Automatic certificates refreshing

- Create a new file in `/etc/cron.weekly` : `sudo touch /etc/cron.weekly/certbot`
- Make it executable : `sudo chmod +x /etc/cron.weekly/certbot`
- And add this code :

```sh
#!/bin/sh
sudo certbot renew -q
```

## Restart nginx

- `sudo service nginx restart`

And that's it, you should now be able to access coder via `https://YOUR_SUBDOMAIN` !