From 8e3b66a7bc231e1d23f38f40971faf17185b7bd0 Mon Sep 17 00:00:00 2001
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Mon, 25 Mar 2024 23:28:18 -0400
Subject: [PATCH 1/8] container-compose: add dependency from nginx to other containers

nginx should not start until the other containers already have started.
---
 container-compose-dev.yml | 4 ++++
 container-compose-staging.yml | 4 ++++
 container-compose.yml | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/container-compose-dev.yml b/container-compose-dev.yml
index 43497bac..a7f92586 100644
--- a/container-compose-dev.yml
+++ b/container-compose-dev.yml
@@ -56,6 +56,10 @@ services:
 app_protocol: pop3s
 mode: host
 name: "port for pop3s connections to proxy"
+ depends_on:
+ - orbit
+ - smtp
+ - pop
 orbit:
 build:
 context: orbit
diff --git a/container-compose-staging.yml b/container-compose-staging.yml
index 6b558a2a..d4fdaab5 100644
--- a/container-compose-staging.yml
+++ b/container-compose-staging.yml
@@ -48,6 +48,10 @@ services:
 app_protocol: pop3s
 mode: host
 name: "port for pop3s connections to proxy"
+ depends_on:
+ - orbit
+ - smtp
+ - pop
 orbit:
 build:
 context: orbit
diff --git a/container-compose.yml b/container-compose.yml
index 6c677e8d..12fcf766 100644
--- a/container-compose.yml
+++ b/container-compose.yml
@@ -48,6 +48,10 @@ services:
 app_protocol: pop3s
 mode: host
 name: "port for pop3s connections to proxy"
+ depends_on:
+ - orbit
+ - smtp
+ - pop
 orbit:
 build:
 context: orbit

From 2f8db7da19342cbfface2230606637d4e2ad1574 Mon Sep 17 00:00:00 2001
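Review bot: The short-form `depends_on` added under the `name:` line only delays nginx until the `orbit`, `smtp` and `pop` containers have been started, not until they are accepting connections on 9098, 1465 and 1995, so nginx can be up and fail its first proxied requests while a backend is still initialising. That matches the commit message, but it is the weaker guarantee; if readiness is wanted, use the long form per backend, `orbit:` / `condition: service_healthy`, together with a `healthcheck:` on each backend service, provided the compose implementation in use honours conditions. The same block is added to the staging and default compose files in this patch, and the service definition it belongs to starts above the hunk.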
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Mon, 25 Mar 2024 22:25:55 -0400
Subject: [PATCH 2/8] nginx: connect directly to orbit container instead of host

Since the containers are networked together, the orbit container can be reached from nginx directly without having to pass through the host.
---
 nginx_snippets/http/00-mail_auth.conf | 2 +-
 nginx_snippets/server_https/01-orbit-paths.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/nginx_snippets/http/00-mail_auth.conf b/nginx_snippets/http/00-mail_auth.conf
index 0e5aafbe..eed4d5cf 100644
--- a/nginx_snippets/http/00-mail_auth.conf
+++ b/nginx_snippets/http/00-mail_auth.conf
@@ -3,7 +3,7 @@ server {
 listen 127.0.0.1:13337 default_server;
 location /mail_auth {
 include uwsgi_params;
- proxy_pass http://host.containers.internal:9098;
+ proxy_pass http://orbit:9098;
 }
 location = /mail_auth/pop {
diff --git a/nginx_snippets/server_https/01-orbit-paths.conf b/nginx_snippets/server_https/01-orbit-paths.conf
index 29f21b5b..84021ad2 100644
--- a/nginx_snippets/server_https/01-orbit-paths.conf
+++ b/nginx_snippets/server_https/01-orbit-paths.conf
@@ -8,5 +8,5 @@ location @login {
 location ~* ^((.*\.md)|/log(in|out)|/dashboard|/register|/cgit.*)$ {
 include uwsgi_params;
 proxy_intercept_errors on;
- proxy_pass http://host.containers.internal:9098;
+ proxy_pass http://orbit:9098;
 }

From 7d7d095557e8f0bad4c951900a5826974b3a4bdb Mon Sep 17 00:00:00 2001
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Mon, 25 Mar 2024 19:45:26 -0400
Subject: [PATCH 3/8] container-compose: remove host port mapping for orbit

Now that nginx connects directly to the orbit container, there is no need to expose the port on the host.
---
 container-compose-dev.yml | 7 -------
 container-compose-staging.yml | 7 -------
 container-compose.yml | 7 -------
 3 files changed, 21 deletions(-)
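Review bot: `proxy_pass http://orbit:9098;` in both hunks is resolved once when nginx loads its configuration, so if the `orbit` container is later recreated with a different address nginx keeps sending to the stale one until it is reloaded; `host.containers.internal` did not have this property, and the same applies to `proxy_pass pop:1995;` and `proxy_pass smtp:1465;` in patches 4 and 6. If backends are ever restarted independently of nginx, either restart nginx alongside them or add a `resolver` pointing at the container network's DNS and proxy through a variable (`set $orbit_upstream http://orbit:9098; proxy_pass $orbit_upstream;`) so the name is re-resolved at request time. A one-line comment above each `proxy_pass` saying that the host part is the compose service name and must be kept in sync with the service key would help the next reader. Both `server`/`location` blocks extend outside the hunks.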
diff --git a/container-compose-dev.yml b/container-compose-dev.yml
index a7f92586..ec2de818 100644
--- a/container-compose-dev.yml
+++ b/container-compose-dev.yml
@@ -80,13 +80,6 @@ services:
 target: /orbit/docs
 read_only: true
 selinux: z
- ports:
- - target: 9098
- published: 9098
- protocol: tcp
- app_protocol: http
- mode: host
- name: "unencrypted http upstream server port"
 smtp:
 build:
 context: smtp
diff --git a/container-compose-staging.yml b/container-compose-staging.yml
index d4fdaab5..75188fd6 100644
--- a/container-compose-staging.yml
+++ b/container-compose-staging.yml
@@ -70,13 +70,6 @@ services:
 target: /orbit/docs
 read_only: true
 selinux: z
- ports:
- - target: 9098
- published: 9098
- protocol: tcp
- app_protocol: http
- mode: host
- name: "unencrypted http upstream server port"
 smtp:
 build:
 context: smtp
diff --git a/container-compose.yml b/container-compose.yml
index 12fcf766..3b1825ec 100644
--- a/container-compose.yml
+++ b/container-compose.yml
@@ -70,13 +70,6 @@ services:
 target: /orbit/docs
 read_only: true
 selinux: z
- ports:
- - target: 9098
- published: 9098
- protocol: tcp
- app_protocol: http
- mode: host
- name: "unencrypted http upstream server port"
 smtp:
 build:
 context: smtp

From 36d42d772d5f789893e9e3999a2b0b687bcd089b Mon Sep 17 00:00:00 2001
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Mon, 25 Mar 2024 22:37:46 -0400
Subject: [PATCH 4/8] nginx: connect directly to pop container instead of host

Since the containers are networked together, the pop container can be reached from nginx directly without having to pass through the host.
---
 nginx_snippets/stream/00-pop-proxy.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx_snippets/stream/00-pop-proxy.conf b/nginx_snippets/stream/00-pop-proxy.conf
index 3abd6fc4..8959c75d 100644
--- a/nginx_snippets/stream/00-pop-proxy.conf
+++ b/nginx_snippets/stream/00-pop-proxy.conf
@@ -1,4 +1,4 @@
 server {
 listen 127.0.0.1:2995;
- proxy_pass host.containers.internal:11995;
+ proxy_pass pop:1995;
 }

From bc902250185da9eea4ebd2bd3523fc340af5db3a Mon Sep 17 00:00:00 2001
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Mon, 25 Mar 2024 22:38:43 -0400
Subject: [PATCH 5/8] container-compose: remove host port mapping for pop

Now that nginx connects directly to the pop container, there is no need to expose the port on the host.
---
 container-compose-dev.yml | 7 -------
 container-compose-staging.yml | 7 -------
 container-compose.yml | 7 -------
 3 files changed, 21 deletions(-)

diff --git a/container-compose-dev.yml b/container-compose-dev.yml
index ec2de818..6988f66f 100644
--- a/container-compose-dev.yml
+++ b/container-compose-dev.yml
@@ -118,10 +118,3 @@ services:
 target: /mnt/mail
 read_only: true
 selinux: z
- ports:
- - target: 1995
- published: 11995
- protocol: tcp
- app_protocol: pop3
- mode: host
- name: "unencrypted pop3 upstream server port"
diff --git a/container-compose-staging.yml b/container-compose-staging.yml
index 75188fd6..1b695ffc 100644
--- a/container-compose-staging.yml
+++ b/container-compose-staging.yml
@@ -108,10 +108,3 @@ services:
 target: /mnt/mail
 read_only: true
 selinux: z
- ports:
- - target: 1995
- published: 11995
- protocol: tcp
- app_protocol: pop3
- mode: host
- name: "unencrypted pop3 upstream server port"
diff --git a/container-compose.yml b/container-compose.yml
index 3b1825ec..7ae2d73e 100644
--- a/container-compose.yml
+++ b/container-compose.yml
@@ -108,10 +108,3 @@ services:
 target: /mnt/mail
 read_only: true
 selinux: z
- ports:
- - target: 1995
- published: 11995
- protocol: tcp
- app_protocol: pop3
- mode: host
- name: "unencrypted pop3 upstream server port"

From 6a46eda74ccbfc8440d8398456a9a6e44399df5b Mon Sep 17 00:00:00 2001
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Mon, 25 Mar 2024 22:41:28 -0400
Subject: [PATCH 6/8] nginx: connect directly to smtp container instead of host

Since the containers are networked together, the smtp container can be reached from nginx directly without having to pass through the host.
---
 nginx_snippets/stream/01-smtp-proxy.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nginx_snippets/stream/01-smtp-proxy.conf b/nginx_snippets/stream/01-smtp-proxy.conf
index 228be045..3fc3baff 100644
--- a/nginx_snippets/stream/01-smtp-proxy.conf
+++ b/nginx_snippets/stream/01-smtp-proxy.conf
@@ -1,4 +1,4 @@
 server {
 listen 127.0.0.1:2465;
- proxy_pass host.containers.internal:11465;
+ proxy_pass smtp:1465;
 }

From ba2fe826029bbb0e401bda1220d4f807c52d0145 Mon Sep 17 00:00:00 2001
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Mon, 25 Mar 2024 22:42:11 -0400
Subject: [PATCH 7/8] container-compose: remove host port mapping for smtp

Now that nginx connects directly to the smtp container, there is no need to expose the port on the host.
---
 container-compose-dev.yml | 7 -------
 container-compose-staging.yml | 7 -------
 container-compose.yml | 7 -------
 3 files changed, 21 deletions(-)

diff --git a/container-compose-dev.yml b/container-compose-dev.yml
index 6988f66f..56395287 100644
--- a/container-compose-dev.yml
+++ b/container-compose-dev.yml
@@ -96,13 +96,6 @@ services:
 target: /mnt/email_data
 read_only: false
 selinux: z
- ports:
- - target: 1465
- published: 11465
- protocol: tcp
- app_protocol: smtp
- mode: host
- name: "unencrypted smtp upstream server port"
 pop:
 build:
 context: pop
diff --git a/container-compose-staging.yml b/container-compose-staging.yml
index 1b695ffc..2262edc5 100644
--- a/container-compose-staging.yml
+++ b/container-compose-staging.yml
@@ -86,13 +86,6 @@ services:
 target: /mnt/email_data
 read_only: false
 selinux: z
- ports:
- - target: 1465
- published: 11465
- protocol: tcp
- app_protocol: smtp
- mode: host
- name: "unencrypted smtp upstream server port"
 pop:
 build:
 context: pop
diff --git a/container-compose.yml b/container-compose.yml
index 7ae2d73e..2e19099b 100644
--- a/container-compose.yml
+++ b/container-compose.yml
@@ -86,13 +86,6 @@ services:
 target: /mnt/email_data
 read_only: false
 selinux: z
- ports:
- - target: 1465
- published: 11465
- protocol: tcp
- app_protocol: smtp
- mode: host
- name: "unencrypted smtp upstream server port"
 pop:
 build:
 context: pop

From bd187ddeaaf08695410d5d29d7e39c3d74ed7e3d Mon Sep 17 00:00:00 2001
From: charliemirabile <46761267+charliemirabile@users.noreply.github.com>
Date: Mon, 25 Mar 2024 23:45:04 -0400
Subject: [PATCH 8/8] container-compose: isolate backend servers from eachother

nginx needs to reach the backend servers, but they do not need to be able to talk amoungst themselves. Introduce networks so that while nginx is part of all of them, each backend is only part of its own isolated one so it cannot reach any of the other backend servers.
---
 container-compose-dev.yml | 14 ++++++++++++++
 container-compose-staging.yml | 14 ++++++++++++++
 container-compose.yml | 14 ++++++++++++++
 3 files changed, 42 insertions(+)

diff --git a/container-compose-dev.yml b/container-compose-dev.yml
index 56395287..47526959 100644
--- a/container-compose-dev.yml
+++ b/container-compose-dev.yml
@@ -60,6 +60,10 @@ services:
 - orbit
 - smtp
 - pop
+ networks:
+ - orbit
+ - smtp
+ - pop
 orbit:
 build:
 context: orbit
@@ -80,6 +84,8 @@ services:
 target: /orbit/docs
 read_only: true
 selinux: z
+ networks:
+ - orbit
 smtp:
 build:
 context: smtp
@@ -96,6 +102,8 @@ services:
 target: /mnt/email_data
 read_only: false
 selinux: z
+ networks:
+ - smtp
 pop:
 build:
 context: pop
@@ -111,3 +119,9 @@ services:
 target: /mnt/mail
 read_only: true
 selinux: z
+ networks:
+ - pop
+networks:
+ orbit:
+ smtp:
+ pop:
diff --git a/container-compose-staging.yml b/container-compose-staging.yml
index 2262edc5..94a6c72a 100644
--- a/container-compose-staging.yml
+++ b/container-compose-staging.yml
@@ -52,6 +52,10 @@ services:
 - orbit
 - smtp
 - pop
+ networks:
+ - orbit
+ - smtp
+ - pop
 orbit:
 build:
 context: orbit
@@ -70,6 +74,8 @@ services:
 target: /orbit/docs
 read_only: true
 selinux: z
+ networks:
+ - orbit
 smtp:
 build:
 context: smtp
@@ -86,6 +92,8 @@ services:
 target: /mnt/email_data
 read_only: false
 selinux: z
+ networks:
+ - smtp
 pop:
 build:
 context: pop
@@ -101,3 +109,9 @@ services:
 target: /mnt/mail
 read_only: true
 selinux: z
+ networks:
+ - pop
+networks:
+ orbit:
+ smtp:
+ pop:
diff --git a/container-compose.yml b/container-compose.yml
index 2e19099b..a1405aa5 100644
--- a/container-compose.yml
+++ b/container-compose.yml
@@ -52,6 +52,10 @@ services:
 - orbit
 - smtp
 - pop
+ networks:
+ - orbit
+ - smtp
+ - pop
 orbit:
 build:
 context: orbit
@@ -70,6 +74,8 @@ services:
 target: /orbit/docs
 read_only: true
 selinux: z
+ networks:
+ - orbit
 smtp:
 build:
 context: smtp
@@ -86,6 +92,8 @@ services:
 target: /mnt/email_data
 read_only: false
 selinux: z
+ networks:
+ - smtp
 pop:
 build:
 context: pop
@@ -101,3 +109,9 @@ services:
 target: /mnt/mail
 read_only: true
 selinux: z
+ networks:
+ - pop
+networks:
+ orbit:
+ smtp:
+ pop:
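Review bot: The top-level `networks:` block at the end of the hunk (`orbit:`, `smtp:`, `pop:`) declares each network with default settings, so every backend still has outbound access through the bridge; what the patch removes is only backend-to-backend reachability, with nginx remaining the single member of all three. For a backend that never needs to originate connections, `internal: true` on its network would close that egress path as well, e.g. `pop:` / `  internal: true`; `smtp` presumably needs outbound delivery and `orbit` cannot be judged from here, so confirm per service, and check that service-name resolution still works on an internal network with the compose implementation in use. The bare `orbit:` values parse as YAML `null`, which compose treats as default configuration, but `orbit: {}` states that intent explicitly. The same block is appended to the staging and default compose files in this patch.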