[server] Deploy behind nginx (#1132)

Tweaks and fixes as we go towards a real deployment
2024-03-18 19:35:54 +05:30 · 2024-03-18 19:35:54 +05:30 · 4e8222afa1
parent a341f81932 fb0e2d2604
commit 4e8222afa1
4 changed files with 37 additions and 4 deletions
--- a/infra/services/nginx/README.md
+++ b/infra/services/nginx/README.md
@ -38,3 +38,22 @@ When adding new services that sit behind Nginx,
 1. Add its nginx conf file to `/root/nginx/conf.d`

 2. Restart nginx (`sudo systemctl restart nginx`)
+
+## Configuration files
+
+All the files we put into `/root/nginx/conf.d` get included in an `http` block.
+We can see this in the default configuration of nginx:
+
+   http {
+       ...
+       include /etc/nginx/conf.d/*.conf;
+   }
+
+> To view the default configuration, run the following command against the
+> [official Docker image for Nginx](https://hub.docker.com/_/nginx), which is
+> also what we use:
+>
+>     docker run --rm --entrypoint=cat nginx /etc/nginx/nginx.conf > /tmp/nginx.conf
+
+This is a [handy tool](https://nginx-playground.wizardzines.com) to check the
+syntax of the configuration files.
--- a/server/scripts/deploy/README.md
+++ b/server/scripts/deploy/README.md
@ -55,6 +55,13 @@ To bring up an additional museum node:
      sudo tee /root/museum/credentials/fcm-service-account.json
      sudo tee /root/museum/credentials.yaml

+* Add billing data
+
+      scp /path/to/billing/*.json <instance>:
+
+      sudo mkdir -p /root/museum/data/billing
+      sudo mv *.json /root/museum/data/billing/
+
 * If not running behind Nginx, add the TLS credentials (otherwise add the to
  Nginx)

@ -79,7 +86,7 @@ To bring up an additional museum node:

      scp scripts/deploy/museum.nginx.conf <instance>:

-      sudo mv museum.nginx.conf /etc/systemd/system
+      sudo mv museum.nginx.conf /root/nginx/conf.d
      sudo systemctl restart nginx

 ## Starting
--- a/server/scripts/deploy/museum.nginx.conf
+++ b/server/scripts/deploy/museum.nginx.conf
@ -1,3 +1,11 @@
+# This file gets loaded in a top level http block by the default nginx.conf
+# See infra/services/nginx/README.md for more details.
+
+upstream museum {
+    # https://nginx.org/en/docs/http/ngx_http_upstream_module.html
+    server host.docker.internal:8080 max_conns=50;
+}
+
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
@ -7,7 +15,7 @@ server {
    server_name api.ente.io;

    location / {
-        proxy_pass http://host.docker.internal:8080;
+        proxy_pass http://museum;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
--- a/server/scripts/deploy/museum.nginx.service
+++ b/server/scripts/deploy/museum.nginx.service
@ -2,7 +2,6 @@
 Documentation=https://github.com/ente-io/ente/tree/main/server#readme
 Requires=docker.service
 After=docker.service
-Requires=nginx.service

 [Service]
 Restart=on-failure
@ -11,7 +10,7 @@ ExecStartPre=-docker stop museum
 ExecStartPre=-docker rm museum
 ExecStart=docker run --name museum \
     -e ENVIRONMENT=production \
-     -e ENTE_HTTP_USE-TLS=1 \
+     -e ENTE_HTTP_USE-TLS=0 \
     --hostname "%H" \
     -p 8080:8080 \
     -p 2112:2112 \