build: replace staging and prod proxy with bunkerweb

hotosm · Mar 4, 2025 · e69c7cf · e69c7cf
1 parent f74f7f0
commit e69c7cf
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 48 deletions.
diff --git a/compose.yaml b/compose.yaml
@@ -40,6 +40,7 @@ x-proxy-env: &proxy-env # General
   BUNKERWEB_INSTANCES: proxy:5000
   LOG_LEVEL: notice
   USE_BUNKERNET: no
+  DISABLE_DEFAULT_SERVER: "yes"
   API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24
   MULTISITE: yes
   USE_REVERSE_PROXY: yes
@@ -53,6 +54,8 @@ x-proxy-env: &proxy-env # General
   USE_BAD_BEHAVIOR: no
   USE_LIMIT_REQ: no
   USE_MODSECURITY: no
+  USE_GZIP: yes
+  # On client, brotli is preferred over gzip if both are enabled
   USE_BROTLI: yes
   # Reverse proxy configs
   SERVER_NAME: fmtm.localhost mapper.fmtm.localhost api.fmtm.localhost s3.fmtm.localhost sync.fmtm.localhost odk.fmtm.localhost odkcentral

diff --git a/deploy/compose.development.yaml b/deploy/compose.development.yaml
@@ -56,6 +56,7 @@ x-proxy-env: &proxy-env # General
   BUNKERWEB_INSTANCES: proxy:5000
   LOG_LEVEL: notice
   USE_BUNKERNET: no
+  DISABLE_DEFAULT_SERVER: yes
   API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24
   MULTISITE: yes
   USE_REVERSE_PROXY: yes
@@ -69,14 +70,15 @@ x-proxy-env: &proxy-env # General
   USE_BAD_BEHAVIOR: no
   USE_LIMIT_REQ: no
   USE_MODSECURITY: no
+  USE_GZIP: yes
+  # On client, brotli is preferred over gzip if both are enabled
   USE_BROTLI: yes
   # For OpenTelemetry
   KEEP_UPSTREAM_HEADERS: "*"
   CUSTOM_HEADER: "Access-Control-Allow-Headers: traceparent,tracestate"
   AUTO_LETS_ENCRYPT: yes
   EMAIL_LETS_ENCRYPT: ${CERT_EMAIL}
-  # Use staging certs as this isn't prod security
-  USE_LETS_ENCRYPT_STAGING: yes
+  # USE_LETS_ENCRYPT_STAGING: yes
   # Reverse proxy configs
   SERVER_NAME: dev.fmtm.hotosm.org mapper.dev.fmtm.hotosm.org api.dev.fmtm.hotosm.org s3.dev.fmtm.hotosm.org sync.dev.fmtm.hotosm.org odk.dev.fmtm.hotosm.org
   api.dev.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://api:8000

diff --git a/deploy/compose.main.yaml b/deploy/compose.main.yaml
@@ -18,8 +18,12 @@
 name: fmtm-main
 
 volumes:
+  nginx-configs:
+    name: fmtm-nginx-configs-main
   fmtm_frontend:
     name: fmtm-frontend-main
+  fmtm_mapper_frontend:
+    name: fmtm-mapper-frontend-main
   fmtm_db_data:
     name: fmtm-db-data-main
   fmtm_data:
@@ -38,36 +42,41 @@ volumes:
 networks:
   fmtm-net:
     name: fmtm-main
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.20.30.0/24
 
 services:
   proxy:
-    image: "ghcr.io/hotosm/fmtm/proxy:main"
-    depends_on:
-      api:
-        condition: service_started
-      certbot:
-        condition: service_completed_successfully
-      s3:
-        condition: service_healthy
-      ui:
-        condition: service_completed_successfully
-      electric:
-        condition: service_started
+    extends:
+      file: compose.staging.yaml
+      service: proxy
+
+  proxy-setup:
+    extends:
+      file: compose.staging.yaml
+      service: proxy-setup
     volumes:
-      - fmtm_frontend:/usr/share/nginx/html/fmtm
+      - nginx-configs:/etc/nginx
+      - fmtm_frontend:/var/www/html/stage.fmtm.hotosm.org:ro
+      - fmtm_mapper_frontend:/var/www/html/mapper.stage.fmtm.hotosm.org:ro
+      - central_frontend:/var/www/html/odk.stage.fmtm.hotosm.org:ro
       - certs:/etc/letsencrypt
       - certbot_data:/var/www/certbot
     environment:
-      FMTM_DOMAIN: ${FMTM_DOMAIN}
-      FMTM_API_DOMAIN: ${FMTM_API_DOMAIN:-api.${FMTM_DOMAIN}}
-      FMTM_S3_DOMAIN: ${FMTM_S3_DOMAIN:-s3.${FMTM_DOMAIN}}
-      FMTM_SYNC_DOMAIN: ${FMTM_SYNC_DOMAIN:-sync.${FMTM_DOMAIN}}
-    ports:
-      - 80:80
-      - 443:443
-    networks:
-      - fmtm-net
-    restart: "unless-stopped"
+      SERVER_NAME: dev.fmtm.hotosm.org mapper.fmtm.hotosm.org api.fmtm.hotosm.org s3.fmtm.hotosm.org sync.fmtm.hotosm.org odk.fmtm.hotosm.org
+      api.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://api:8000
+      api.fmtm.hotosm.org_MAX_CLIENT_SIZE: 1G
+      s3.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://s3:9000
+      s3.fmtm.hotosm.org_MAX_CLIENT_SIZE: 10G
+      sync.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://electric:3000
+      sync.fmtm.hotosm.org_MAX_CLIENT_SIZE: 1G
+      odk.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://central:8383
+      odk.fmtm.hotosm.org_REVERSE_PROXY_URL: ~ ^/v\d
+      # buffer requests, but not responses, so streaming out works
+      odk.fmtm.hotosm.org_REVERSE_PROXY_BUFFERING: no
+      odk.fmtm.hotosm.org_MAX_CLIENT_SIZE: 500m
 
   api:
     extends:
@@ -123,21 +132,3 @@ services:
       interval: 10s
       timeout: 5s
       retries: 3
-
-  certbot:
-    image: "ghcr.io/hotosm/fmtm/proxy:certs-init-main"
-    volumes:
-      - certs:/etc/letsencrypt
-      - certbot_data:/var/www/certbot
-    environment:
-      FMTM_DOMAIN: ${FMTM_DOMAIN}
-      FMTM_API_DOMAIN: ${FMTM_API_DOMAIN:-api.${FMTM_DOMAIN}}
-      FMTM_S3_DOMAIN: ${FMTM_S3_DOMAIN:-s3.${FMTM_DOMAIN}}
-      FMTM_SYNC_DOMAIN: ${FMTM_SYNC_DOMAIN:-sync.${FMTM_DOMAIN}}
-      CERT_EMAIL: ${CERT_EMAIL}
-    ports:
-      - 80:80
-      - 443:443
-    networks:
-      - fmtm-net
-    restart: "on-failure:2"
diff --git a/deploy/compose.staging.yaml b/deploy/compose.staging.yaml
@@ -48,6 +48,30 @@ services:
     extends:
       file: compose.development.yaml
       service: proxy
+  proxy-setup:
+    extends:
+      file: compose.development.yaml
+      service: proxy-setup
+    volumes:
+      - nginx-configs:/etc/nginx
+      - fmtm_frontend:/var/www/html/stage.fmtm.hotosm.org:ro
+      - fmtm_mapper_frontend:/var/www/html/mapper.stage.fmtm.hotosm.org:ro
+      - central_frontend:/var/www/html/odk.stage.fmtm.hotosm.org:ro
+      - certs:/etc/letsencrypt
+      - certbot_data:/var/www/certbot
+    environment:
+      SERVER_NAME: stage.fmtm.hotosm.org mapper.stage.fmtm.hotosm.org api.stage.fmtm.hotosm.org s3.stage.fmtm.hotosm.org sync.stage.fmtm.hotosm.org odk.stage.fmtm.hotosm.org
+      api.stage.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://api:8000
+      api.stage.fmtm.hotosm.org_MAX_CLIENT_SIZE: 1G
+      s3.stage.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://s3:9000
+      s3.stage.fmtm.hotosm.org_MAX_CLIENT_SIZE: 10G
+      sync.stage.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://electric:3000
+      sync.stage.fmtm.hotosm.org_MAX_CLIENT_SIZE: 1G
+      odk.stage.fmtm.hotosm.org_REVERSE_PROXY_HOST: http://central:8383
+      odk.stage.fmtm.hotosm.org_REVERSE_PROXY_URL: ~ ^/v\d
+      # buffer requests, but not responses, so streaming out works
+      odk.stage.fmtm.hotosm.org_REVERSE_PROXY_BUFFERING: no
+      odk.stage.fmtm.hotosm.org_MAX_CLIENT_SIZE: 500m
   api:
     extends:
       file: compose.development.yaml
@@ -113,8 +137,3 @@ services:
       interval: 10s
       timeout: 5s
       retries: 3
-  certbot:
-    extends:
-      file: compose.development.yaml
-      service: certbot
-    image: "ghcr.io/hotosm/fmtm/proxy:certs-init-staging"