Merge pull request #509 from bigcapitalhq/BIG-193

feat: Migrating to Envoy proxy instead of Nginx

docker-compose.prod.yml

@@ -3,24 +3,17 @@
 version: '3.3'
 
 services:
-  nginx:
+  proxy:
-    container_name: bigcapital-nginx-gateway
+    image: envoyproxy/envoy:v1.30-latest
-    build:
+    depends_on:
-      context: ./docker/nginx
+      - server
-      args:
+      - webapp
-        - SERVER_PROXY_PORT=3000
-        - WEB_SSL=false
-        - SELF_SIGNED=false
-    volumes:
-      - ./data/logs/nginx/:/var/log/nginx
-      - ./docker/certbot/certs/:/var/certs
     ports:
       - '${PUBLIC_PROXY_PORT:-80}:80'
       - '${PUBLIC_PROXY_SSL_PORT:-443}:443'
     tty: true
-    depends_on:
+    volumes:
-      - server
+      - ./docker/envoy/envoy.yaml:/etc/envoy/envoy.yaml
-      - webapp
     restart: on-failure
     networks:
       - bigcapital_network
@@ -46,6 +39,8 @@ services:
       - mongo
       - redis
     restart: on-failure
+    networks:
+      - bigcapital_network
     environment:
       # Mail
       - MAIL_HOST=${MAIL_HOST}
@@ -127,8 +122,6 @@ services:
       - S3_SECRET_ACCESS_KEY=${S3_SECRET_ACCESS_KEY}
       - S3_ENDPOINT=${S3_ENDPOINT}
       - S3_BUCKET=${S3_BUCKET}
-    networks:
-      - bigcapital_network
 
   database_migration:
     container_name: bigcapital-database-migration

docker/envoy/envoy.yaml

@@ -0,0 +1,62 @@
+static_resources:
+  listeners:
+    - name: listener_0
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 80
+      filter_chains:
+        - filters:
+            - name: envoy.filters.network.http_connection_manager
+              typed_config:
+                '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: backend
+                      domains: ['*']
+                      routes:
+                        - match:
+                            prefix: '/api'
+                          route:
+                            cluster: dynamic_server
+                        - match:
+                            prefix: '/'
+                          route:
+                            cluster: webapp
+                http_filters:
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+    - name: dynamic_server
+      connect_timeout: 0.25s
+      type: STRICT_DNS
+      dns_lookup_family: V4_ONLY
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: dynamic_server
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: server
+                      port_value: 3000
+
+    - name: webapp
+      connect_timeout: 0.25s
+      type: STRICT_DNS
+      dns_lookup_family: V4_ONLY
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: webapp
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: webapp
+                      port_value: 80

docker/nginx/Dockerfile

@@ -1,21 +0,0 @@
-FROM nginx:1.11
-
-RUN mkdir /etc/nginx/sites-available && rm /etc/nginx/conf.d/default.conf
-ADD nginx.conf /etc/nginx/
-
-COPY scripts /root/scripts/
-COPY certs /etc/ssl/
-
-COPY sites /etc/nginx/templates
-
-ARG SERVER_PROXY_PORT=3000
-ARG WEB_SSL=false
-ARG SELF_SIGNED=false
-
-ENV SERVER_PROXY_PORT=$SERVER_PROXY_PORT
-ENV WEB_SSL=$WEB_SSL
-ENV SELF_SIGNED=$SELF_SIGNED
-
-RUN /bin/bash /root/scripts/build-nginx.sh
-
-CMD nginx

docker/nginx/nginx.conf

@@ -1,33 +0,0 @@
-user www-data;
-worker_processes auto;
-pid /run/nginx.pid;
-daemon off;
-
-events {
-  worker_connections  2048;
-  use epoll;
-}
-
-http {
-  server_tokens off;
-  sendfile on;
-  tcp_nopush on;
-  tcp_nodelay on;
-  keepalive_timeout 15;
-  types_hash_max_size 2048;
-  client_max_body_size 20M;
-  open_file_cache max=100;
-  gzip on;
-  gzip_disable "msie6";
-
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
-
-  include /etc/nginx/mime.types;
-  default_type application/octet-stream;
-
-  include /etc/nginx/conf.d/*.conf;
-  include /etc/nginx/sites-available/*;
-  access_log /var/log/nginx/access.log;
-  error_log /var/log/nginx/error.log;
-}

docker/nginx/scripts/build-nginx.sh

@@ -1,9 +0,0 @@
-#!/bin/bash
-
-for conf in /etc/nginx/templates/*.conf; do
-  mv $conf "/etc/nginx/sites-available/"$(basename $conf) > /dev/null
-done
-
-for template in /etc/nginx/templates/*.template; do
-  envsubst < $template > "/etc/nginx/sites-available/"$(basename $template)".conf"
-done

docker/nginx/sites/server.template

@@ -1,16 +0,0 @@
-server {
-  listen 80 default_server;
-
-  location /api {
-    proxy_pass http://server:${SERVER_PROXY_PORT};
-  }
-
-  location / {
-    proxy_pass http://webapp;
-  }
-
-  location /.well-known/acme-challenge/ {
-    root /var/www/letsencrypt/;
-    log_not_found off;
-  }
-}