
modications for existing traefik proxy

subDesTagesMitExtraKaese 2 years ago
parent
commit
294e09f922
9 changed files with 73 additions and 166 deletions
  1. 0 1
      .gitignore
  2. 18 15
      README.md
  3. 0 41
      data/nginx-terminate/nginx.conf
  4. 21 22
      docker-compose.yml
  5. 34 0
      docker-stack.yml
  6. 0 43
      init-certificate.sh
  7. 0 22
      nginx-relay/Dockerfile
  8. 0 22
      nginx-terminate/Dockerfile
  9. 0 0
      nginx.conf

+ 0 - 1
.gitignore

@@ -1 +0,0 @@
-/data/certbot

+ 18 - 15
README.md

@@ -1,21 +1,24 @@
-# Signal TLS Proxy
+# Signal TLS Proxy for Docker Swarm and Traefik
 
-To run a Signal TLS proxy, you will need a host that has ports 80 and 443 available and a domain name that points to that host.
+To run this Signal TLS proxy, you will need the following setup:
+- a host that has ports 80 and 443 available
+- a domain name that points to that host
+- a [Docker Swarm Node](https://docs.docker.com/engine/swarm/) running on that host
+- a [Traefik reverse proxy](https://traefik.io/) running on that node
+- valid TLS certificates for that domain name
 
-1. Install docker and docker-compose (`apt update && apt install docker docker-compose`)
-1. Ensure your current user has access to docker (`adduser $USER docker`)
+## Setup
 1. Clone this repository
-1. `./init-certificate.sh`
-1. `docker-compose up --detach`
+2. Modify the `docker-stack.yml` file to use your domain name and traefik labels
+3. Run `docker stack deploy -c docker-stack.yml signal-tls-proxy`
+4. Run `docker service logs -f signal-tls-proxy` to see the logs
+5. Wait for the service to start
 
 Your proxy is now running! You can share this with the URL `https://signal.tube/#<your_host_name>`
 
-## Updating from a previous version
-
-If you've previously run a proxy, please update to the most recent version by pulling the most recent changes from `main`, then restarting your Docker containers:
-
-```shell
-git pull
-docker-compose down
-docker-compose up --detach
-```
+## Setup without Docker Swarm
+If you don't want to use Docker Swarm, you can run the proxy with Docker Compose:
+1. Clone this repository
+2. Modify the `docker-compose.yml` file to use your domain name and traefik labels
+3. Run `docker-compose up -d`
+4. Run `docker-compose logs -f` to see the logs

+ 0 - 41
data/nginx-terminate/nginx.conf

@@ -1,41 +0,0 @@
-user  nginx;
-worker_processes  auto;
-
-events {
-    worker_connections  1024;
-}
-
-http {
-    server {
-        listen 80;
-
-        location /.well-known/acme-challenge/ {
-            alias /var/www/certbot/;
-        }
-
-        location / {
-            return 404;
-        }
-    }
-}
-
-stream {
-
-    upstream relay {
-         server nginx-relay:4433;
-    }
-
-    server {
-        listen                443 ssl;
-        proxy_pass            relay;
-
-        access_log            off;
-        error_log             /dev/null;
-
-        ssl_certificate /etc/letsencrypt/active/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/active/privkey.pem;
-        include /etc/letsencrypt/options-ssl-nginx.conf;
-        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-     }
-
-}

+ 21 - 22
docker-compose.yml

@@ -1,27 +1,26 @@
-version: '3'
+version: '3.7'
 
 services:
-  nginx-terminate:
-    build: ./nginx-terminate/
-    restart: unless-stopped
-    volumes:
-      - ./data/nginx-terminate:/etc/nginx/conf.d
-      - ./data/certbot/conf:/etc/letsencrypt
-      - ./data/certbot/www:/var/www/certbot
-    ports:
-      - "443:443"
-      - "80:80"
-    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
   nginx-relay:
-    build: ./nginx-relay/
-    restart: unless-stopped
-    volumes:
-      - ./data/nginx-relay:/etc/nginx/conf.d
-    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g \"daemon off;\"'"
-  certbot:
-    image: certbot/certbot
+    image: nginx:alpine
     restart: unless-stopped
+
     volumes:
-      - ./data/certbot/conf:/etc/letsencrypt
-      - ./data/certbot/www:/var/www/certbot
-    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+
+    networks:
+      - proxy
+
+    labels:
+      - 'traefik.enable=true'
+      - 'traefik.docker.network=proxy'
+      - 'traefik.tcp.routers.signal-proxy.rule=HostSNI("s1gn4l.example.com")'
+      - 'traefik.tcp.routers.signal-proxy.entrypoints=https'
+      - 'traefik.tcp.routers.signal-proxy.tls=true'
+      - 'traefik.tcp.routers.signal-proxy.tls.certresolver=letsencrypt'
+      - 'traefik.tcp.routers.signal-proxy.service=nginx-relay'
+      - 'traefik.tcp.services.nginx-relay.loadbalancer.server.port=4433'
+
+networks:
+  proxy:
+    external: true
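Review bot: `image: nginx:alpine` (and the same line in docker-stack.yml) is a floating tag, so each `docker-compose pull` or redeploy may silently pull a different nginx build than the one that was reviewed; pin it to an explicit version tag or digest, e.g. `image: nginx:<version>-alpine@sha256:<digest>` (placeholder values), so the running image is reproducible. The `HostSNI("s1gn4l.example.com")` rule and `certresolver=letsencrypt` are presumably sample values the README tells users to replace, but nothing in the file says so; a comment above the labels such as `# replace with your own domain; the certresolver name must match your Traefik static config` would make that explicit. With `tls=true` on the TCP router, Traefik now terminates TLS and forwards the plaintext stream to the relay on 4433 over the external `proxy` network, so the relay is only reachable through Traefik — that is an improvement over the old published ports, and the `:ro` mount of `nginx.conf` is the right choice.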

+ 34 - 0
docker-stack.yml

@@ -0,0 +1,34 @@
+version: '3.7'
+
+services:
+  nginx-relay:
+    image: nginx:alpine
+    configs:
+      - source: nginx
+        target: /etc/nginx/nginx.conf
+
+    networks:
+      - proxy
+
+    deploy:
+      restart_policy:
+        condition: any
+        delay: 1m
+
+      labels:
+        - 'traefik.enable=true'
+        - 'traefik.docker.network=proxy'
+        - 'traefik.tcp.routers.signal-proxy.rule=HostSNI("s1gn4l.example.com")'
+        - 'traefik.tcp.routers.signal-proxy.entrypoints=https'
+        - 'traefik.tcp.routers.signal-proxy.tls=true'
+        - 'traefik.tcp.routers.signal-proxy.tls.certresolver=letsencrypt'
+        - 'traefik.tcp.routers.signal-proxy.service=nginx-relay'
+        - 'traefik.tcp.services.nginx-relay.loadbalancer.server.port=4433'
+
+configs:
+  nginx:
+    file: ./nginx.conf
+
+networks:
+  proxy:
+    external: true
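Review bot: The `configs: nginx: file: ./nginx.conf` entry becomes a Swarm config, and Swarm configs are immutable once created, so after editing `nginx.conf` a repeated `docker stack deploy` will, as far as I recall, be rejected for the existing `nginx` config instead of rolling the change out; add a comment above `configs:` like `# Swarm configs are immutable: rename this entry (e.g. nginx_v2) whenever nginx.conf changes` or give it a `name:` that encodes the content. The `restart_policy` sets `condition: any` and `delay: 1m` with no `max_attempts`, so a relay that fails on a bad config restarts indefinitely at one-minute intervals; if that is intended, a one-line comment saying so would save the next reader a question. The same floating `nginx:alpine` tag noted on docker-compose.yml applies here.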

+ 0 - 43
init-certificate.sh

@@ -1,43 +0,0 @@
-#!/bin/bash
-
-if ! [ -x "$(command -v docker-compose)" ]; then
-  echo 'Error: docker-compose is not installed.' >&2
-  exit 1
-fi
-
-data_path="./data/certbot"
-
-read -p "Enter domain name (eg. www.example.com): " domains
-
-if [ -d "$data_path" ]; then
-  read -p "Existing data found. Continue and replace existing certificate? (y/N) " decision
-  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
-    exit
-  fi
-fi
-
-
-if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
-  echo "### Downloading recommended TLS parameters ..."
-  mkdir -p "$data_path/conf"
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
-  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
-  echo
-fi
-
-echo "### Requesting Let's Encrypt certificate for $domains ..."
-#Join $domains to -d args
-domain_args=""
-for domain in "${domains[@]}"; do
-  domain_args="$domain_args -d $domain"
-done
-
-docker-compose run -p 80:80 --rm --entrypoint "\
-  sh -c \"certbot certonly --standalone \
-    --register-unsafely-without-email \
-    $domain_args \
-    --agree-tos \
-    --force-renewal && \
-    ln -fs /etc/letsencrypt/live/$domains/ /etc/letsencrypt/active\"" certbot
-echo
-echo "After running 'docker-compose up --detach' you can share your proxy as: https://signal.tube/#$domains"

+ 0 - 22
nginx-relay/Dockerfile

@@ -1,22 +0,0 @@
-FROM ubuntu:20.04
-
-RUN apt-get update && apt-get -y upgrade && \
-    apt-get install -y wget libpcre3-dev build-essential libssl-dev zlib1g-dev && \
-    rm -rf /var/lib/apt/lists/*
-
-WORKDIR /opt
-
-RUN wget https://nginx.org/download/nginx-1.18.0.tar.gz && \
-    tar -zxvf nginx-1.*.tar.gz && \
-    cd nginx-1.* && \
-    ./configure --prefix=/opt/nginx --user=nginx --group=nginx --with-http_ssl_module --with-ipv6 --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module && \
-    make && make install && \
-    cd .. && rm -rf nginx-1.*
-
-RUN adduser --system --no-create-home --disabled-login --disabled-password --group nginx
-
-WORKDIR /
-
-EXPOSE 443
-
-CMD ["/opt/nginx/sbin/nginx", "-c", "/etc/nginx/conf.d/nginx.conf", "-g", "daemon off;"]

+ 0 - 22
nginx-terminate/Dockerfile

@@ -1,22 +0,0 @@
-FROM ubuntu:20.04
-
-RUN apt-get update && apt-get -y upgrade && \
-    apt-get install -y wget libpcre3-dev build-essential libssl-dev zlib1g-dev && \
-    rm -rf /var/lib/apt/lists/*
-
-WORKDIR /opt
-
-RUN wget https://nginx.org/download/nginx-1.18.0.tar.gz && \
-    tar -zxvf nginx-1.*.tar.gz && \
-    cd nginx-1.* && \
-    ./configure --prefix=/opt/nginx --user=nginx --group=nginx --with-http_ssl_module --with-ipv6 --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module && \
-    make && make install && \
-    cd .. && rm -rf nginx-1.*
-
-RUN adduser --system --no-create-home --disabled-login --disabled-password --group nginx
-
-WORKDIR /
-
-EXPOSE 443
-
-CMD ["/opt/nginx/sbin/nginx", "-c", "/etc/nginx/conf.d/nginx.conf", "-g", "daemon off;"]

+ 0 - 0
data/nginx-relay/nginx.conf → nginx.conf