examples update and multiple REVERSE_PROXY_* on single site

confs/site/reverse-proxy-headers.conf

@@ -1,6 +1,3 @@
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
+proxy_set_header X-Real-IP $remote_addr;
-location / {
-	proxy_pass http://app;
-}

confs/site/reverse-proxy.conf

@@ -1,7 +1,3 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Real-IP $remote_addr;
-
 location %REVERSE_PROXY_URL% {
 	proxy_pass %REVERSE_PROXY_LOCATION%;
 }

entrypoint/defaults.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
+MULTISITE="${MULTISITE-yes}"
 HTTP_PORT="${HTTP_PORT-8080}"
 HTTPS_PORT="${HTTPS_PORT-8443}"
 MAX_CLIENT_SIZE="${MAX_CLIENT_SIZE-10m}"

entrypoint/site-config.sh

@@ -44,10 +44,20 @@ replace_in_file "{NGINX_PREFIX}server.conf" "%SERVER_TOKENS%" "$SERVER_TOKENS"
 
 # reverse proxy
 if [ "$USE_REVERSE_PROXY" = "yes" ] ; then
-	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy.conf"
+	i=1
-	replace_in_file "${NGINX_PREFIX}reverse-proxy.conf" "%REVERSE_PROXY_URL%" "$REVERSE_PROXY_URL"
+	for var in $(env) ; do
-	replace_in_file "${NGINX_PREFIX}reverse-proxy.conf" "%REVERSE_PROXY_HOST%" "$REVERSE_PROXY_HOST"
+		check=$(echo "$var" | grep "^REVERSE_PROXY_URL")
-
+		if [ "$check" != "" ] ; then
+			name=$(echo "$var" | cut -d '=' -f 1)
+			value=$(echo "$var" | sed "s/${name}//")
+			host=$(echo "$name" | sed "s/URL/HOST//")
+			cp "${NGINX_PREFIX}reverse-proxy.conf" "${NGINX_PREFIX}reverse-proxy-${i}.conf"
+			replace_in_file "${NGINX_PREFIX}reverse-proxy-${i}.conf" "%REVERSE_PROXY_URL%" "$value"
+			replace_in_file "${NGINX_PREFIX}reverse-proxy.${i}conf" "%REVERSE_PROXY_HOST%" "${!host}"
+			i=$(($i + 1))
+		fi
+	done
+	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" "include ${NGINX_PREFIX}reverse-proxy-*.conf"
 else
 	replace_in_file "${NGINX_PREFIX}server.conf" "%USE_REVERSE_PROXY%" ""
 fi

examples/basic-website-with-php/docker-compose.yml

@@ -9,7 +9,7 @@ services:
       - 80:8080
       - 443:8443
     volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
       - ./letsencrypt:/etc/letsencrypt
     environment:
       - SERVER_NAME=www.website.com # replace with your domain
@@ -17,6 +17,8 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
       - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
       - REMOTE_PHP=myphp
       - REMOTE_PHP_PATH=/app
 

examples/behind-traefik/docker-compose.yml

@@ -12,43 +12,70 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - ./traefik/traefik.toml:/traefik.toml
       - ./traefik/acme.json:/acme.json
+    networks:
+      - netwww1
+      - netwww2
 
   mywww1:
     image: bunkerity/bunkerized-nginx
     restart: always
     volumes:
-      - ./web1:/www
+      - ./web1:/www:ro
     environment:
+      - SERVER_NAME=app1.website.com
       - PROXY_REAL_IP=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
       - REMOTE_PHP=myphp1
       - REMOTE_PHP_PATH=/app
     labels:
       - 'traefik.enable=true'
       - 'traefik.port=8080'
       - 'traefik.frontend.rule=Host:app1.website.com' # replace with your domain
+    networks:
+      - netwww1
+      - netphp1
 
   mywww2:
     image: bunkerity/bunkerized-nginx
     restart: always
     volumes:
-      - ./web2:/www
+      - ./web2:/www:ro
     environment:
+      - SERVER_NAME=app2.website.com
       - PROXY_REAL_IP=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
       - REMOTE_PHP=myphp2
       - REMOTE_PHP_PATH=/app
     labels:
       - 'traefik.enable=true'
       - 'traefik.port=8080'
       - 'traefik.frontend.rule=Host:app2.website.com' # replace with your domain
+    networks:
+      - netwww2
+      - netphp2
 
   myphp1:
     image: php:fpm
     restart: always
     volumes:
       - ./web1:/app
+    networks:
+      - netphp1
 
   myphp2:
     image: php:fpm
     restart: always
     volumes:
       - ./web2:/app
+    networks:
+      - netphp2
+
+  networks:
+    netwww1:
+    netwww2:
+    netphp1:
+    netphp2:

examples/load-balancer/docker-compose.yml

@@ -10,14 +10,19 @@ services:
       - 443:8443
     volumes:
       - ./letsencrypt:/etc/letsencrypt
-      - ./http-confs:/http-confs
+      - ./http-confs:/http-confs:ro
-      - ./server-confs:/server-confs
     environment:
       - SERVER_NAME=www.website.com # replace with your domain
       - SERVE_FILES=no
       - DISABLE_DEFAULT_SERVER=yes
       - REDIRECT_HTTP_TO_HTTPS=yes
       - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=http://app
 
   app1:
     build: js-app

examples/moodle/docker-compose.yml

@@ -10,13 +10,19 @@ services:
       - 443:8443
     volumes:
       - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs         # custom confs to reverse proxy to moodle
     environment:
       - SERVER_NAME=www.website.com          # replace with your domain
       - AUTO_LETS_ENCRYPT=yes
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
       - MAX_CLIENT_SIZE=50m
+      - SERVE_FILES=no
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=https://mymoodle:8443
 
   mymoodle:
     image: bitnami/moodle

examples/moodle/server-confs/reverse-proxy.conf

@@ -1,6 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	proxy_pass https://mymoodle:8443;
-}

examples/multisite-basic/docker-compose.yml

@@ -9,9 +9,8 @@ services:
       - 80:8080
       - 443:8443
     volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
       - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs
     environment:
       - SERVER_NAME=app1.website.com app2.website.com app3.website.com # replace with your domains
       - MULTISITE=yes
@@ -19,12 +18,18 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
       - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
       - app1.website.com_REMOTE_PHP=myapp1
       - app1.website.com_REMOTE_PHP_PATH=/app
       - app2.website.com_REMOTE_PHP=myapp2
       - app2.website.com_REMOTE_PHP_PATH=/app
       - app3.website.com_SERVE_FILES=no
       - app3.website.com_USE_CLIENT_CACHE=no
+      - app3.website.com_USE_PROXY_CACHE=yes
+      - app3.website.com_USE_REVERSE_PROXY=yes
+      - app3.website.com_REVERSE_PROXY_URL=/
+      - app3.website.com_REVERSE_PROXY_HOST=http://myapp3:3000
     networks:
       - net1
       - net2

examples/multisite-custom-server-confs/docker-compose.yml

@@ -9,11 +9,11 @@ services:
       - 80:8080
       - 443:8443
     volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
       - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs
+      - ./server-confs:/server-confs:ro
-      - ./modsec-confs:/modsec-confs
+      - ./modsec-confs:/modsec-confs:ro
-      - ./modsec-crs-confs:/modsec-crs-conf
+      - ./modsec-crs-confs:/modsec-crs-conf:ro
     environment:
       - SERVER_NAME=wp.website.com nc.website.com # replace with your domains
       - MULTISITE=yes
@@ -21,6 +21,8 @@ services:
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
       - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
       - wp.website.com_REMOTE_PHP=mywp
       - wp.website.com_REMOTE_PHP_PATH=/var/www/html
       - nc.website.com_REMOTE_PHP=mync

examples/nextcloud/docker-compose.yml

@@ -9,11 +9,11 @@ services:
       - 80:8080
       - 443:8443
     volumes:
-      - ./nc-files:/www
+      - ./nc-files:/www:ro
       - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs         # custom nginx confs at server context to make Nextcloud working
+      - ./server-confs:/server-confs:ro         # custom nginx confs at server context to make Nextcloud working
-      - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Nextcloud exclusions
+      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Nextcloud exclusions
-      - ./modsec-confs:/modsec-confs         # disable some false positive
+      - ./modsec-confs:/modsec-confs:ro         # disable some false positive
     environment:
       - SERVER_NAME=www.website.com          # replace with your domain
       - AUTO_LETS_ENCRYPT=yes
@@ -27,6 +27,9 @@ services:
       - LIMIT_REQ_BURST=60
       - ALLOWED_METHODS=GET|POST|HEAD|PROPFIND|DELETE|PUT|MKCOL|MOVE|COPY|PROPPATCH|REPORT
       - X_FRAME_OPTIONS=SAMEORIGIN
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
 
   mync:
     image: nextcloud:stable-fpm

examples/passbolt/docker-compose.yml

@@ -10,25 +10,31 @@ services:
       - 443:8443
     volumes:
       - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs              # custom confs to reverse proxy to passbolt
+      - ./modsec-crs-confs:/modsec-crs-confs:ro      # disable some false positive
-      - ./modsec-crs-confs:/modsec-crs-confs      # disable some false positive
+      - ./modsec-confs:/modsec-confs:ro              # disable some false positive
-      - ./modsec-confs:/modsec-confs              # disable some false positive
     environment:
-      - SERVER_NAME=www.website.com               # replace with your domain
+      - SERVER_NAME=www.website.com                  # replace with your domain
       - AUTO_LETS_ENCRYPT=yes
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
       - ALLOWED_METHODS=GET|POST|HEAD|PUT|DELETE
+      - SERVE_FILES=no
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=https://mypassbolt
 
   mypassbolt:
     image: passbolt/passbolt
     restart: always
     environment:
       - DATASOURCES_DEFAULT_HOST=mydb
-      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd  # replace with a stronger password (must match MYSQL_PASSWORD)
+      - DATASOURCES_DEFAULT_PASSWORD=db-user-pwd     # replace with a stronger password (must match MYSQL_PASSWORD)
       - DATASOURCES_DEFAULT_USERNAME=user
       - DATASOURCES_DEFAULT_DATABASE=passbolt
-      - APP_FULL_BASE_URL=https://www.website.com # replace with your URL
+      - APP_FULL_BASE_URL=https://www.website.com    # replace with your URL
 
   mydb:
     image: mariadb
@@ -36,7 +42,7 @@ services:
     volumes:
       - ./db-data:/var/lib/mysql
     environment:
-      - MYSQL_ROOT_PASSWORD=db-root-pwd           # replace with a stronger password
+      - MYSQL_ROOT_PASSWORD=db-root-pwd              # replace with a stronger password
       - MYSQL_DATABASE=passbolt
       - MYSQL_USER=user
-      - MYSQL_PASSWORD=db-user-pwd                # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)
+      - MYSQL_PASSWORD=db-user-pwd                   # replace with a stronger password (must match DATASOURCES_DEFAULT_PASSWORD)

examples/passbolt/server-confs/reverse-proxy.conf

@@ -1,7 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	proxy_pass https://mypassbolt;
-}
-

examples/reverse-proxy-multisite/docker-compose.yml

@@ -10,13 +10,21 @@ services:
       - 443:8443
     volumes:
       - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs
     environment:
-      - SERVER_NAME=app1.website.com app2.website.com # replace with your domains
+      - USE_MULTISITE=yes
+      - SERVER_NAME=app1.website.com app2.website.com # replace with your domain
       - SERVE_FILES=no
       - DISABLE_DEFAULT_SERVER=yes
       - REDIRECT_HTTP_TO_HTTPS=yes
       - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - app1.website.com_REVERSE_PROXY_URL=/
+      - app1.website.com_REVERSE_PROXY_HOST=http://app1:3000
+      - app2.website.com_REVERSE_PROXY_URL=/
+      - app2.website.com_REVERSE_PROXY_HOST=http://app2
 
   app1:
     image: node

examples/reverse-proxy-singlesite/docker-compose.yml

@@ -0,0 +1,43 @@
+version: '3'
+
+services:
+
+  myreverse:
+    image: bunkerity/bunkerized-nginx
+    restart: always
+    ports:
+      - 80:8080
+      - 443:8443
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+    environment:
+      - SERVER_NAME=www.website.com                          # replace with your domain
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - REDIRECT_HTTP_TO_HTTPS=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL_1=/app1
+      - REVERSE_PROXY_HOST_1=http://app1:3000
+      - REVERSE_PROXY_URL_2=/app2
+      - REVERSE_PROXY_HOST_2=http://app2
+
+  app1:
+    image: node
+    restart: always
+    working_dir: /home/node/app
+    volumes:
+      - ./js-app:/home/node/app
+    environment:
+      - NODE_ENV=production
+    command: bash -c "npm install express && node index.js"
+
+  app2:
+    image: phpmyadmin:apache
+    restart: always
+    environment:
+      - PMA_ARBITRARY=1
+      - PMA_ABSOLUTE_URI=https://www.website.com/app2        # replace with your absolute URI

examples/reverse-proxy-singlesite/js-app/index.js

@@ -0,0 +1,12 @@
+const express = require('express')
+const app = express()
+const port = 3000
+
+app.get('/', (req, res) => {
+  res.send('Hello World!')
+})
+
+app.listen(port, () => {
+  console.log(`Example app listening at http://localhost:${port}`)
+})
+

examples/reverse-proxy-singlesite/js-app/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "js-app",
+  "version": "1.0.0",
+  "description": "demo",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "express": "^4.17.1"
+  }
+}

examples/reverse-proxy/server-confs/reverse-proxy.conf

@@ -1,12 +0,0 @@
-proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-location / {
-	if ($host = app1.website.com) {
-		proxy_pass http://app1:3000;
-	}
-
-	if ($host = app2.website.com) {
-		proxy_pass http://app2;
-	}
-}

examples/tomcat/docker-compose.yml

@@ -10,13 +10,18 @@ services:
       - 443:8443
     volumes:
       - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs
     environment:
-      - SERVER_NAME=app1.website.com         # replace with your domain
+      - SERVER_NAME=www.website.com                     # replace with your domain
       - SERVE_FILES=no
       - DISABLE_DEFAULT_SERVER=yes
       - REDIRECT_HTTP_TO_HTTPS=yes
       - AUTO_LETS_ENCRYPT=yes
+      - USE_PROXY_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
+      - USE_REVERSE_PROXY=yes
+      - REVERSE_PROXY_URL=/
+      - REVERSE_PROXY_HOST=http://mytomcat:8080/sample
 
   mytomcat:
     image: tomcat

examples/tor-hidden-service/docker-compose.yml

@@ -15,7 +15,7 @@ services:
     image: bunkerity/bunkerized-nginx
     restart: always
     volumes:
-      - ./web-files:/www
+      - ./web-files:/www:ro
     environment:
       - BLOCK_TOR_EXIT_NODE=no
       - BLOCK_ABUSERS=no
@@ -28,6 +28,8 @@ services:
       - USE_BLACKLIST_REVERSE=no
       - USE_FAIL2BAN=no
       - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
       - REMOTE_PHP=myphp
       - REMOTE_PHP_PATH=/app
 

examples/wordpress/docker-compose.yml

@@ -9,17 +9,19 @@ services:
       - 80:8080
       - 443:8443
     volumes:
-      - ./wp-files:/www
+      - ./wp-files:/www:ro
       - ./letsencrypt:/etc/letsencrypt
-      - ./server-confs:/server-confs         # custom confs at server context for permalinks
+      - ./server-confs:/server-confs:ro         # custom confs at server context for permalinks
-      - ./modsec-crs-confs:/modsec-crs-confs # custom Core Rule Set confs to add Wordpress exclusions
+      - ./modsec-crs-confs:/modsec-crs-confs:ro # custom Core Rule Set confs to add Wordpress exclusions
     environment:
-      - SERVER_NAME=www.website.com          # replace with your domain
+      - SERVER_NAME=www.website.com             # replace with your domain
       - AUTO_LETS_ENCRYPT=yes
       - REDIRECT_HTTP_TO_HTTPS=yes
       - DISABLE_DEFAULT_SERVER=yes
       - MAX_CLIENT_SIZE=50m
       - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_BROTLI=yes
       - REMOTE_PHP=mywp
       - REMOTE_PHP_PATH=/var/www/html
 
@@ -32,8 +34,8 @@ services:
       - WORDPRESS_DB_HOST=mydb
       - WORDPRESS_DB_NAME=wp
       - WORDPRESS_DB_USER=user
-      - WORDPRESS_DB_PASSWORD=db-user-pwd    # replace with a stronger password (must match MYSQL_PASSWORD)
+      - WORDPRESS_DB_PASSWORD=db-user-pwd       # replace with a stronger password (must match MYSQL_PASSWORD)
-      - WORDPRESS_TABLE_PREFIX=prefix_       # best practice : replace with a random prefix
+      - WORDPRESS_TABLE_PREFIX=prefix_          # best practice : replace with a random prefix
 
   mydb:
     image: mariadb
@@ -41,7 +43,7 @@ services:
     volumes:
       - ./db-data:/var/lib/mysql
     environment:
-      - MYSQL_ROOT_PASSWORD=db-root-pwd      # replace with a stronger password
+      - MYSQL_ROOT_PASSWORD=db-root-pwd         # replace with a stronger password
       - MYSQL_DATABASE=wp
       - MYSQL_USER=user
-      - MYSQL_PASSWORD=db-user-pwd           # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)
+      - MYSQL_PASSWORD=db-user-pwd              # replace with a stronger password (must match WORDPRESS_DB_PASSWORD)