```{index} nginx, docker; docker-compose.yml, docker; docker config, docker; docker secret, secrets; docker secret, секреты; docker secret
```

# Фронтальный nginx с secret и config

`docker-compose.yml` для деплоя стека:

```yaml
# Compose file format 3.3 is the first that supports both 'secrets' and 'configs'.
version: "3.3"

services:
  nginx:
    # NOTE(review): floating tag; pinning to an explicit version or digest makes the
    # deployed binary reproducible and auditable.
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    deploy:
      replicas: 1
    # Short-form secrets are mounted into the container under /run/secrets/<name>;
    # the host config below references the certificate, key and htpasswd at those paths.
    secrets:
      - openproject.sitefactory.cf.crt
      - openproject.sitefactory.cf.key
      - openproject.sitefactory.cf.htpasswd
    # Each config is mounted at an explicit target path. The _vN.NN suffix versions the
    # object: a swarm config cannot be changed in place, so rotation means a new name.
    configs:
      - source: outside-nginx.conf_v0.02
        target: /etc/nginx/nginx.conf
      - source: openproject.sitefactory.cf.conf_v0.03
        target: /etc/nginx/conf.d/openproject.sitefactory.cf.conf
      - source: proxy-pass.rules_v0.01
        target: /etc/nginx/conf.d/proxy-pass.rules
      - source: ssl-settings.rules_v0.01
        target: /etc/nginx/conf.d/ssl-settings.rules

# 'external: true' means the secret is created out of band (docker secret create)
# and must already exist in the swarm before the stack is deployed; nothing
# sensitive is stored in this file.
secrets:
  openproject.sitefactory.cf.crt:
    external: true
  openproject.sitefactory.cf.key:
    external: true
  openproject.sitefactory.cf.htpasswd:
    external: true

# Same for configs: created with 'docker config create', referenced here by name.
configs:
  outside-nginx.conf_v0.02:
    external: true
  ssl-settings.rules_v0.01:
    external: true
  openproject.sitefactory.cf.conf_v0.03:
    external: true
  proxy-pass.rules_v0.01:
    external: true
```

```{index} nginx; nginx.conf
```

Конфиг `nginx.conf`:

```nginx
user nginx;
worker_processes auto;
# NOTE(review): only critical messages are kept. Upstream connect/timeout
# failures and auth_basic password mismatches are logged at the 'error'
# level and will be dropped at this threshold, which hurts incident
# investigation; 'warn' or 'error' is the usual choice for a front proxy.
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;

events {
    worker_connections 4000;
    # Accept as many connections as possible, after nginx gets notification
    # about a new connection.
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Extends 'main' with request and upstream timings.
    log_format additional '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" '
                          'rt=$request_time uct="$upstream_connect_time" '
                          'uht="$upstream_header_time" urt="$upstream_response_time"';

    # Access log goes to the container's stdout. Note that the 'additional'
    # format defined above is not used by any access_log in the configs on
    # this page.
    access_log /dev/stdout main buffer=16k;

    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;

    # Causes nginx to attempt to send its HTTP response head in one packet,
    # instead of using partial frames.
    tcp_nopush on;

    # Don't buffer data-sends (disable Nagle algorithm).
    tcp_nodelay on;

    # Timeout for keep-alive connections. Server will close connections
    # after this time.
    keepalive_timeout 30;

    # Number of requests a client can make over the keep-alive connection.
    keepalive_requests 1000;

    # Allow the server to close the connection after a client stops
    # responding.
    reset_timedout_connection on;

    # Send the client a "request timed out" if the body is not loaded
    # by this time.
    client_body_timeout 10;

    # If the client stops reading data, free up the stale client connection
    # after this much time.
    # NOTE(review): 2 seconds between two successive writes is aggressive;
    # slow clients fetching large responses may be disconnected.
    send_timeout 2;

    # Compression.
    # NOTE(review): compression also applies to responses served over TLS.
    # If the upstream application reflects user input in the same response
    # as session tokens or CSRF tokens, BREACH-style mitigations belong in
    # the application (or compression should be disabled for those pages).
    gzip on;
    gzip_vary on;
    gzip_min_length 10240;
    gzip_proxied any;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;
    gzip_disable "msie6";

    # Loads the per-host configs mounted by the stack. The *.rules files do
    # not match *.conf and are included explicitly from the host config.
    include /etc/nginx/conf.d/*.conf;
}
```

Конфиг хоста на примере `openproject.sitefactory.cf`:

```nginx
# Four backend replicas reached over plain HTTP. A server that fails 15 times
# within fail_timeout (2s) is skipped for the next 2s.
upstream openproject-cluster {
    server 11.100.250.9:3456 weight=100 max_fails=15 fail_timeout=2;
    server 11.100.250.10:3456 weight=100 max_fails=15 fail_timeout=2;
    server 11.100.250.11:3456 weight=100 max_fails=15 fail_timeout=2;
    server 11.100.250.12:3456 weight=100 max_fails=15 fail_timeout=2;
}

server {
    listen 80;
    listen 443 ssl;

    # TLS protocol and cipher settings live in ssl-settings.rules, which is not
    # shown on this page and so cannot be reviewed here.
    include /etc/nginx/conf.d/ssl-settings.rules;
    # Certificate and key are swarm secrets, not baked into the image or
    # bind-mounted from a host path.
    ssl_certificate /run/secrets/openproject.sitefactory.cf.crt;
    ssl_certificate_key /run/secrets/openproject.sitefactory.cf.key;

    server_name openproject.sitefactory.cf;
    # The redirect below uses this fixed hostname instead of $host, so a
    # client-supplied Host header cannot steer where the client is sent.
    set $host_header "openproject.sitefactory.cf";

    # http -> https. A bare 'return' inside a server-level 'if' is one of the
    # safe uses of 'if'; it runs before location matching.
    if ($scheme = http) {
        return 301 https://$host_header$request_uri;
    }

    charset utf-8;
    # No format given, so the built-in 'combined' format is used here rather
    # than 'main' from nginx.conf.
    access_log /dev/stdout;

    location / {
        # Because the http -> https redirect above runs first, basic-auth
        # credentials are only ever transmitted over TLS.
        auth_basic "Enter password";
        # The htpasswd file is a swarm secret as well.
        auth_basic_user_file /run/secrets/openproject.sitefactory.cf.htpasswd;
        # NOTE(review): proxy-pass.rules is not shown on this page; whether
        # Host / X-Forwarded-Proto are forwarded to the upstream cannot be
        # checked here.
        include /etc/nginx/conf.d/proxy-pass.rules;
        proxy_pass http://openproject-cluster;
    }

    # Answer requests for backup/config/dotfile-like suffixes and editor
    # backups (~) without touching the upstream. Case-insensitive.
    # NOTE(review): in '.docker.config' the dots are unescaped and match any
    # character (probably meant '\.docker\.config'); the 'config' alternative
    # already covers that filename. Only the path suffix is matched, so files
    # inside a .git directory that do not end in a listed suffix fall through
    # to 'location /' and are then protected only by auth_basic.
    location ~* (\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|git|.docker.config)|~)$ {return 418;}
}
```