EasyEngine v4 uses Nginx in two different ways. One is the plain old way of serving a site, using Nginx as a web server. The other is to route traffic to different sites, using Nginx as a reverse proxy. This article explains the nginx-proxy part in detail.
Why do we need a reverse proxy?
EasyEngine v4 uses Docker for every site. This means that if you create 10 sites, there will be 10 Nginx web servers running on your machine.
But the host machine has only one port 80 and one port 443. So by default, only one container (site) can use these ports.
So we need an intermediate layer that listens on these ports (80/443) and, based on the HTTP Host header, routes requests to the correct Nginx container.
This layer is the reverse proxy layer, which is a bit complicated to understand if you are new to the container world.
What did we like about nginx-proxy?
We wanted to find a lightweight and transparent solution for our reverse proxy needs. We explored many, and even tried traefik.io, but finally settled on jwilder’s nginx-proxy.
For us, using Nginx as both reverse proxy and web server gave many advantages, such as the ability to use Nginx features we are already familiar with at both levels.
Also, since we know Nginx very well, debugging the Nginx reverse proxy was easy.
How does Nginx Proxy work?
You may visit the request cycle article to understand how it works in the overall scheme.
Nginx Proxy File Structure
Nginx Proxy stores all data, config, logs and other files in a top-level host directory, /opt/easyengine/services/nginx-proxy/. This directory has the following subdirectories for different purposes:

| Purpose | Host Directory Path |
|---|---|
| Let’s Encrypt acme-php libraries work directory | acme-conf/ |
| SSL certificates and keys for each site | certs/ |
| Global nginx reverse proxy config | conf.d/ |
| Diffie-Hellman key folder | dhparam/ |
| Folder used during Let’s Encrypt certificate generation for .well-known | html/ |
| HTTP auth password file | htpasswd/ |
| Nginx reverse proxy logs folder | logs/ |
| Site-specific configs folder | vhost.d/ |

Nginx Proxy & Containers
We are using containers for almost everything. When a container starts, or is even recreated, it gets a random IP assigned.
The Nginx Proxy keeps track of these events and regenerates the Nginx configuration so that traffic for a domain is passed to the correct Nginx container.
This config is regenerated from a Go template and stored in file:
Do not modify this file, as it gets regenerated whenever any container starts or stops.
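
The regeneration step described above, sketched as an added example (not code from EasyEngine or nginx-proxy). The `Site` type, the `Render` function, the template text, the catch-all 503 server and the container IPs are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Site is a constructed stand-in for one running site container.
type Site struct {
	Host string // domain matched against the HTTP Host header
	IP   string // container IP; changes when the container is recreated
}

// proxyTmpl is a simplified illustration, not the template nginx-proxy ships.
const proxyTmpl = `# catch-all: a request with an unknown Host header reaches no site
server {
    listen 80 default_server;
    server_name _;
    return 503;
}
{{range .}}
upstream {{.Host}} {
    server {{.IP}}:80;
}
server {
    listen 80;
    server_name {{.Host}};
    location / {
        proxy_pass http://{{.Host}};
        proxy_set_header Host $host;
    }
}
{{end}}`

var tmpl = template.Must(template.New("proxy").Parse(proxyTmpl))
// Render regenerates the whole proxy config from the current container list.
func Render(sites []Site) (string, error) {
	var b strings.Builder
	err := tmpl.Execute(&b, sites)
	return b.String(), err
}

func main() {
	// example.com's container is recreated and comes back with a new IP.
	before, _ := Render([]Site{{"example.com", "172.18.0.3"}})
	after, _ := Render([]Site{{"example.com", "172.18.0.7"}})
	fmt.Println(before != after, strings.Contains(after, "server 172.18.0.7:80;"))
}
```

Because the whole file is rendered from the container list on every event, any manual edit to the generated file is lost at the next render.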
Nginx Proxy Config Customization
Please refer to jwilder/nginx-proxy’s readme for more info.
EasyEngine supports adding basic HTTP authentication via auth-command. So please do not modify files inside /opt/easyengine/services/nginx-proxy/htpasswd. You may ignore basic authentication support from jwilder/nginx-proxy, as it is not required and can also conflict with EasyEngine’s auth-command.
The Nginx reverse proxy is where external SSL requests are terminated. The site-specific Nginx doesn’t expose port 443. Traffic from the outer Nginx reverse proxy to the inner site-specific Nginx is not encrypted, but since both Nginx instances are on the same host machine, it is not needed.
For each site, EasyEngine creates three files for the Nginx reverse proxy and stores them in
example.com.crt – SSL certificate (public key)
example.com.key – Private key
example.com.chain.pem – Certificate chain file