proxying with nginx

abra.sh

@@ -1,2 +1,3 @@
 export CONFIG_WRITEFREELY_VERSION=v1
 export CONFIG_ENTRYPOINT_VERSION=v1
+export NGINX_CONFIG_VERSION=v1

compose.yml

@@ -2,6 +2,32 @@
 version: "3.8"
 
 services:
+  web:
+    image: nginx:1.20.0
+    networks:
+      - proxy
+      - internal
+    environment:
+      - DOMAIN
+      - STACK_NAME
+    configs:
+      - source: nginx_config
+        target: /etc/nginx/nginx.conf
+    deploy:
+      update_config:
+        failure_action: rollback
+        order: start-first
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+        - "coop-cloud.${STACK_NAME}.version=0.1.0+latest"
+
   app:
     image: "writeas/writefreely:latest"
     environment:
@@ -26,20 +52,6 @@ services:
     networks:
       - internal
       - proxy
-    deploy:
-      update_config:
-        failure_action: rollback
-        order: start-first
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`${EXTRA_DOMAINS})"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
-        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
-        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=0.1.0+latest"
 
   db:
     image: "mariadb:10.7"
@@ -78,3 +90,7 @@ configs:
     name: ${STACK_NAME}_config_${CONFIG_WRITEFREELY_VERSION}
     file: config.ini.tmpl
     template_driver: golang
+  nginx_config:
+    name: ${STACK_NAME}_nginx_config_${NGINX_CONFIG_VERSION}
+    file: nginx.conf.tmpl
+    template_driver: golang

nginx.conf.tmpl

@@ -0,0 +1,60 @@
+user www-data;
+
+events {
+  worker_connections 768;
+}
+
+http {
+  upstream backend {
+    server {{ env "STACK_NAME" }}_app:8080;
+  }
+
+  include /etc/nginx/mime.types;
+
+  server {
+    listen 80;
+    listen [::]:80;
+
+    server_name example.com;
+
+    gzip on;
+    gzip_types
+      application/javascript
+      application/x-javascript
+      application/json
+      application/rss+xml
+      application/xml
+      image/svg+xml
+      image/x-icon
+      application/vnd.ms-fontobject
+      application/font-sfnt
+      text/css
+      text/plain;
+    gzip_min_length 256;
+    gzip_comp_level 5;
+    gzip_http_version 1.1;
+    gzip_vary on;
+
+    location ~ ^/.well-known/(webfinger|nodeinfo|host-meta) {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_pass http://backend;
+        proxy_redirect off;
+    }
+
+    location ~ ^/(css|img|js|fonts)/ {
+        root /var/www/example.com/static;
+        # Optionally cache these files in the browser:
+        # expires 12M;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_pass http://backend;
+        proxy_redirect off;
+    }
+  }
+}