SexyCoders/proxy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
proxy/README.md

119 lines
4.9 KiB
Markdown
Raw Normal View History

initial public commit
2025-06-18 17:16:13 +00:00
# Nginx + Certbot + ACMEDNS Proxy Stack
> **A batteriesincluded reverseproxy scaffold that Just Works™ on a single node or a Docker Swarm.**
>
> *Oldschool Unix philosophy under the hood, modern container workflow on top.*
---
## ✨ What you get
| Component | Job |
| ---------------------------- | --------------------------------------------------------------------------- |
| **Nginx** | Serves HTTP/S, terminates TLS, proxies upstreams, handles TCP/UDP streams |
| **Certbot** | Automates Lets Encrypt certificate issuance / renewal |
| **acmednsauth.py** | ACMEDNS helper for DNS01 challenges (wildcards, no public port 80 needed) |
| **Docker (image & compose)** | Reproducible environment; optional Swarm placement rules |
---
## 🗺️ Repo layout
```
.
├── acme-dns-auth.py # DNS01 hook script (public upstream helper)
├── certbot-runner # Convenience wrapper for interactive work inside the image
├── new-domain-runner # Example oneshot script for adhoc certs
├── compose.yml # Singleservice stack definition
├── dockerfile.debian # Image build (Debian slim + Nginx + Certbot)
├── conf.d/ # Pervhost HTTP configs
├── stream.d/ # TCP/UDP proxy configs (PostgreSQL, MQTT, …)
├── letsencrypt/ # **Empty dir private keys & certs live here at runtime**
├── work/ # Certbot working directory (also ignored by Git)
└── lib/backups/ # Optional local backup dumps (ignored by Git)
```
---
## 🚀 Quick start
> **Prerequisites**: Docker (24 +) & Docker Compose v2, or Docker Swarm if you want clustering.
```bash
# 1. Clone
$ git clone https://github.com/youruser/proxy-stack.git
$ cd proxy-stack
# 2. Create empty state dirs so the volume binds succeed
$ mkdir -p letsencrypt work lib/backups
$ touch letsencrypt/.gitkeep work/.gitkeep lib/backups/.gitkeep
# 3. (Optional) Build your own image
$ docker build -t my-proxy:latest -f dockerfile.debian .
# 4. Launch the stack (Compose)
$ IMAGE_NAME=my-proxy:latest docker compose up -d
# 5. Obtain the first certificate (DNS01)
$ DOMAIN=my.example.com ./new-domain-runner
# Follow the prompts → add the TXT record → hit <Enter>
```
### Swarm mode
```bash
# Initialize swarm once per host (if not already a manager)
$ docker swarm init
# Deploy with placement label (edit compose.yml if needed)
$ docker stack deploy -c compose.yml proxy
```
---
## 🔐 TLS & certificates
* **Automatic renewals** A cron inside the container runs `certbot renew` and hotreloads Nginx.
* **No secrets in Git** `letsencrypt/` is `gitignored`; keys stay on disk only.
* **acmedns** Ideal when ports 80/443 are busy or you need wildcard certs. Change `ACMEDNS_URL` via env var if you selfhost acmedns.
---
## ⚙️ Configuration knobs
| Variable | Default | Purpose |
| --------------- | ------------------------------- | -------------------------------------------------------- |
| `IMAGE_NAME` | `ghcr.io/youruser/proxy:latest` | Override in scripts / compose to point at your own build |
| `ACMEDNS_URL` | `https://auth.acme-dns.io` | Where `acme-dns-auth.py` registers & updates records |
| `CERTBOT_EMAIL` | | Address Certbot uses for expiry mails |
| Swarm label | `node.labels.server_id==lnd1` | Example placement constraint comment or change |
Edit `conf.d/*.conf` and `stream.d/*.conf` to define your virtual hosts and upstreams.
---
## 🛠️ Maintenance
| Task | Oldschool command | Modern alternative |
| ---------------------------------------- | ---------------------------------------- | --------------------------------------------- |
| Rebuild image after Nginx or OpenSSL CVE | `docker build -t my-proxy .` | GitHub Actions → `docker buildx build --push` |
| List certs expiring in ≤30 days | `docker exec proxy certbot certificates` | Prometheus + exporter |
| Tail logs | `docker compose logs -f proxy` | Grafana Loki |
---
## 🤝 Contributing
Patches and issues are welcome just follow the **kernelstyle rule**: *one patch, one purpose.*
1. Fork → branch → commit (signedoff)
2. Make sure `pre-commit run --all` passes (gitleaks, shellcheck, etc.)
3. Open a PR.
---
## 📜 License
This project is released under the **GNU General Public License v2.0** see [`LICENSE`](LICENSE) for details.
Reference in a new issue Copy permalink