Add boilerplate nginx setup for prod self-hosting

2026-01-10 07:58:15 -05:00 · 2022-11-18 18:12:27 -05:00
parent 688aa856ab
commit baa0a21b38
9 changed files with 148 additions and 92 deletions
--- a/.env.example
+++ b/.env.example
@@ -28,8 +28,8 @@ EMAIL_TOKEN_LIFETIME=
 MONGO_URL=mongodb://root:example@mongo:27017/?authSource=admin

 # Optional credentials for MongoDB container instance
-MONGO_USERNAME=root
-MONGO_PASSWORD=example
+MONGO_INITDB_ROOT_USERNAME=root
+MONGO_INITDB_ROOT_PASSWORD=example

 # Mongo-Express vars (needed for development only)
 ME_CONFIG_MONGODB_ADMINUSERNAME=root
--- a/8
+++ b/8
@@ -1,14 +1,14 @@
 build:
-	docker-compose -f docker-compose.yml -f docker-compose.prod.yml build
+	docker-compose -f docker-compose.yml build

 push:
-	docker-compose -f docker-compose.yml -f docker-compose.prod.yml push
+	docker-compose -f docker-compose.yml push

 up-dev:
-	docker-compose -f docker-compose.yml -f docker-compose.dev.yml up --build
+	docker-compose -f docker-compose.dev.yml up

 up-prod:
-	docker-compose -f docker-compose.yml -f docker-compose.prod.yml up --build
+	docker-compose -f docker-compose.yml up

 down:
 	docker-compose down
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@
 **[Infisical](https://infisical.com)** is an open source tool to help teams manage and sync environment variables across their development workflow and infrastructure. It's designed to be simple and end-to-end encrypted. You can start with just 1 line of code within 10 minutes.

 - **User-Friendly Dashboard** to manage your organization's environment variables within projects
- **[Language-Agnostic CLI](https://infisical.com/docs/CLI)**  that pulls and injects environment variables into your local workflow
+- **[Language-Agnostic CLI](https://infisical.com/docs/CLI)** that pulls and injects environment variables into your local workflow
 - **[Complete control over your data](https://infisical.com/docs/self_host_overview)** - host it yourself on any infrastructure
 - **Navigate Multiple Environments** per project (e.g. development, staging, production, etc.)
 - **Personal/Shared** scoping for environment variables
@@ -46,9 +46,9 @@ And more.

 ## What's cool about this?

-Infisical is the first open-source end-to-end encrypted secret manager that takes less than 10 minutes to setup. 
+Infisical is the first open-source end-to-end encrypted secret manager that takes less than 10 minutes to setup.

-Yes. There are other secret managers out there. Some of them are incredibly complicated - they were built for security teams, not developers. The other ones are not end-to-end encrypted, and because of that they can read your secrets. If you care about efficiency and security at the same time - Infisical is right for you. 
+Yes. There are other secret managers out there. Some of them are incredibly complicated - they were built for security teams, not developers. The other ones are not end-to-end encrypted, and because of that they can read your secrets. If you care about efficiency and security at the same time - Infisical is right for you.

 On top of that, Infisical is one of the few open source solutions. Need any integrations or want a new feature? You can [create an issue for us](https://github.com/Infisical/infisical/issues) or contribute directly! This is the power of open-source. :)

@@ -88,7 +88,6 @@ We're currently setting the foundation and building integrations so secrets can
 - [ ] GitLab
 - [ ] CircleCI

-
 We're currently in Public Alpha.

 ## Open-source vs. paid
@@ -99,7 +98,6 @@ This repo is entirely MIT licensed, with the exception of the `ee` directory whi

 Looking to report a security vulnerability? Please don't post about it in GitHub issue. Instead, refer to our [SECURITY.md](./SECURITY.md) file.

-
 ## Contributors 🦸

 [//]: contributor-faces
@@ -107,4 +105,5 @@ Looking to report a security vulnerability? Please don't post about it in GitHub
 <!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
 <!-- prettier-ignore-start -->
 <!-- markdownlint-disable -->
- <a href="https://github.com/dangtony98"><img src="https://avatars.githubusercontent.com/u/25857006?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/vlad-matsiiako"><img src="https://avatars.githubusercontent.com/u/78047717?s=96&v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/maidul98"><img src="https://avatars.githubusercontent.com/u/9300960?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/hanywang2"><img src="https://avatars.githubusercontent.com/u/44352119?v=4" width="50" height="50" alt=""/></a> 
+
+<a href="https://github.com/dangtony98"><img src="https://avatars.githubusercontent.com/u/25857006?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/vlad-matsiiako"><img src="https://avatars.githubusercontent.com/u/78047717?s=96&v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/maidul98"><img src="https://avatars.githubusercontent.com/u/9300960?v=4" width="50" height="50" alt=""/></a> <a href="https://github.com/hanywang2"><img src="https://avatars.githubusercontent.com/u/44352119?v=4" width="50" height="50" alt=""/></a>
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -38,6 +38,7 @@ import {
 } from './routes';

 const connectWithRetry = () => {
+	console.log('MONGO_URL', MONGO_URL);
 	mongoose.connect(MONGO_URL)
 	.then(() => console.log('Successfully connected to DB'))
 	.catch((e) => {
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -1,8 +1,21 @@
 version: '3'

 services:
+  nginx:
+    container_name: infisical-dev-nginx
+    image: nginx
+    ports:
+      - 8080:80
+    volumes:
+      - ./nginx/default.dev.conf:/etc/nginx/conf.d/default.conf:ro
+    depends_on:
+      - frontend
+      - backend
+    networks:
+      - infisical-dev
+
  backend:
-    container_name: infisical-backend
+    container_name: infisical-dev-backend
    restart: unless-stopped
    depends_on:
      - mongo
@@ -17,10 +30,10 @@ services:
    command: npm run dev
    env_file: .env
    networks:
-      - infisical
+      - infisical-dev
  
  frontend:
-    container_name: infisical-frontend
+    container_name: infisical-dev-frontend
    restart: unless-stopped
    depends_on:
      - backend
@@ -35,32 +48,31 @@ services:
      - ./frontend/components:/app/components
    env_file: .env
    networks:
-      - infisical
+      - infisical-dev

  mongo:
-    container_name: infisical-mongo
    image: mongo
+    container_name: infisical-dev-mongo
    restart: always
-    env_file:
-      - .env
+    env_file: .env
    volumes:
      - mongo-data:/data/db
    networks:
-      - infisical
+      - infisical-dev

  mongo-express:
-    container_name: infisical-mongo-express
+    container_name: infisical-dev-mongo-express
    image: mongo-express
    restart: always
-    depends_on:
-      - mongo
+    env_file: .env
    ports:
      - 8081:8081
-    env_file:
-      - .env
    networks:
-      - infisical
+      - infisical-dev

 volumes:
  mongo-data:
-    driver: local
+    driver: local
+
+networks:
+  infisical-dev:
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -1,57 +0,0 @@
-version: '3'
-
-services:
-  backend:
-    platform: linux/amd64
-    container_name: infisical-backend
-    restart: unless-stopped
-    depends_on:
-      - mongo
-    build:
-      context: ./backend
-      dockerfile: Dockerfile
-    image: infisical/backend
-    volumes:
-      - ./backend/src:/app/src
-      - ./backend/nodemon.json:/app/nodemon.json
-      - /app/node_modules
-    command: npm run start
-    env_file: .env
-    networks:
-      - infisical
-  
-  frontend:
-    platform: linux/amd64
-    container_name: infisical-frontend
-    restart: unless-stopped
-    depends_on:
-      - backend
-    build:
-      context: ./frontend
-      dockerfile: Dockerfile.prod
-    image: infisical/frontend
-    volumes:
-      - ./frontend/pages:/app/pages
-      - ./frontend/public:/app/public
-      - ./frontend/styles:/app/styles
-      - ./frontend/components:/app/components
-      - ./frontend/next.config.js:/app/next.config.js
-    env_file: .env
-    networks:
-      - infisical
-
-  mongo:
-    container_name: infisical-mongo
-    image: mongo
-    restart: always
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: root
-      MONGO_INITDB_ROOT_PASSWORD: example
-    volumes:
-      - mongo-data:/data/db
-    networks:
-      - infisical
-
-volumes:
-  mongo-data:
-    driver: local
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,13 +5,67 @@ services:
    container_name: infisical-nginx
    image: nginx
    ports:
-      - "8080:80"
+      - 80:80
+      - 443:443
    volumes:
      - ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro
-    networks:
-      - infisical
    depends_on:
      - frontend
+      - backend
+    networks:
+      - infisical
+  
+  backend:
+    platform: linux/amd64
+    container_name: infisical-backend
+    restart: unless-stopped
+    depends_on:
+      - mongo
+    build:
+      context: ./backend
+      dockerfile: Dockerfile
+    image: infisical/backend
+    volumes:
+      - ./backend/src:/app/src
+      - ./backend/nodemon.json:/app/nodemon.json
+      - /app/node_modules
+    command: npm run start
+    env_file: .env
+    networks:
+      - infisical
+  
+  frontend:
+    platform: linux/amd64
+    container_name: infisical-frontend
+    restart: unless-stopped
+    depends_on:
+      - backend
+    build:
+      context: ./frontend
+      dockerfile: Dockerfile.prod
+    image: infisical/frontend
+    volumes:
+      - ./frontend/pages:/app/pages
+      - ./frontend/public:/app/public
+      - ./frontend/styles:/app/styles
+      - ./frontend/components:/app/components
+      - ./frontend/next.config.js:/app/next.config.js
+    env_file: .env
+    networks:
+      - infisical
+
+  mongo:
+    container_name: infisical-mongo
+    image: mongo
+    restart: always
+    volumes:
+      - mongo-data:/data/db
+    networks:
+      - infisical
+
+volumes:
+  mongo-data:
+    driver: local

 networks:
  infisical:
--- a/nginx/default.conf
+++ b/nginx/default.conf
@@ -1,10 +1,25 @@
 server {
    listen 80;
+    listen [::]:80;
    
+    server_name api.infisical.com;
+    
+    return 302 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 default_server ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name api.infiscal.com;
+
+    ssl_certificate /etc/ssl/cert.pem;
+    ssl_certificate_key /etc/ssl/cert.key;
+
    location /api {
        proxy_set_header X-Real-RIP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        
+
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;

@@ -13,16 +28,16 @@ server {

        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    }
-    
+
    location / {
        include /etc/nginx/mime.types;
-        
+
        proxy_set_header X-Real-RIP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        
+
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
-        
+
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

--- a/nginx/default.dev.conf
+++ b/nginx/default.dev.conf
@@ -0,0 +1,32 @@
+server {
+    listen 80;
+    
+    location /api {
+        proxy_set_header X-Real-RIP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+
+        proxy_pass http://backend:4000;
+        proxy_redirect off;
+
+        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+    }
+    
+    location / {
+        include /etc/nginx/mime.types;
+        
+        proxy_set_header X-Real-RIP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        
+        proxy_set_header Host $http_host;
+        proxy_set_header X-NginX-Proxy true;
+        
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_pass http://frontend:3000;
+        proxy_redirect off;
+    }
+}