From c61e44d55b6e69b94bd6c7a31890263aba0c614a Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Fri, 28 Dec 2018 17:26:30 +0200
Subject: - Add optional Nginx reverse proxy config to docker-compose.yml and nginx directory. Thanks to MyTheValentinus !
---
 CHANGELOG.md | 10 ++++--
 docker-compose.yml | 18 +++++++++++
 nginx/nginx.conf | 92 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 nginx/ssl/.gitkeep | 1 +
 4 files changed, 118 insertions(+), 3 deletions(-)
 create mode 100644 nginx/nginx.conf
 create mode 100644 nginx/ssl/.gitkeep
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9f517504..82e98421 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,14 @@
 # Upcoming Wekan release
-This release fixes the following bugs:
+This release adds the following new features:
-- docker-compose.yml back to MongoDB 3.2.21 because 3.2.22 MongoDB container does not exist yet.
+- Add optional Nginx reverse proxy config to docker-compose.yml and nginx directory. Thanks to MyTheValentinus.
+
+and fixes the following bugs:
+
+- docker-compose.yml back to MongoDB 3.2.21 because 3.2.22 MongoDB container does not exist yet. Thanks to xet7.
-Thanks to GitHub user xet7 for contributions.
+Thanks to above GitHub users for their contributions.
 # v1.97 2018-12-26 Wekan release
diff --git a/docker-compose.yml b/docker-compose.yml
index 9d635a33..abcaa48b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -145,6 +145,7 @@ services:
 # Docker outsideport:insideport. Do not add anything extra here.
 # For example, if you want to have wekan on port 3001,
 # use 3001:8080 . Do not add any extra address etc here, that way it does not work.
+ # remove port mapping if you use nginx reverse proxy, port 8080 is already exposed to wekan-tier network
 - 80:8080
 environment:
 - MONGO_URL=mongodb://wekandb:27017/wekan
@@ -492,6 +493,23 @@ services:
 # ...COPY CONFIG FROM ABOVE TO HERE...
 #---------------------------------------------------------------------------------
+# OPTIONAL NGINX CONFIG FOR REVERSE PROXY
+# nginx:
+# image: nginx
+# container_name: nginx
+# restart: always
+# networks:
+# - wekan-tier
+# depends_on:
+# - wekan
+# ports:
+# - 80:80
+# - 443:443
+# volumes:
+# - ./nginx/ssl:/etc/nginx/ssl/
+# - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+
+
 volumes:
 wekan-db:
 driver: local
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 00000000..9029a2b4
--- /dev/null
+++ b/nginx/nginx.conf
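Review bot: The two bind mounts in the commented-out nginx service give the container write access to the TLS private key directory and to its own configuration, and neither is needed at runtime, so the template should mount them read-only: `#      - ./nginx/ssl:/etc/nginx/ssl/:ro` and `#      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro`. Because the block is meant to be uncommented as-is by deployers, hardening defaults belong in the template rather than being left to each installation.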
@@ -0,0 +1,92 @@
+user www-data;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ map $http_host $this_host {
+ "" $host;
+ default $http_host;
+ }
+
+ map $http_x_forwarded_proto $the_scheme {
+ default $http_x_forwarded_proto;
+ "" $scheme;
+ }
+
+ map $http_x_forwarded_host $the_host {
+ default $http_x_forwarded_host;
+ "" $this_host;
+ }
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 80;
+ listen 443 ssl;
+
+ if ($scheme = http) {
+ rewrite ^ https://$host$request_uri? permanent;
+ }
+
+
+ ssl_certificate /etc/nginx/ssl/server.crt;
+ ssl_certificate_key /etc/nginx/ssl/server.key;
+
+
+ ssl_protocols TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ ssl_ecdh_curve sect571r1:secp521r1:brainpoolP512r1:secp384r1;
+ add_header Strict-Transport-Security "max-age=31536000; preload";
+
+ # Add headers to serve security related headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+
+ add_header Referrer-Policy "same-origin";
+
+ root /var/www/html;
+ client_max_body_size 10G; # 0=unlimited - set max upload size
+ fastcgi_buffers 64 4K;
+
+ gzip off;
+
+ location / {
+ proxy_pass http://wekan:8080;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+ }
+}
diff --git a/nginx/ssl/.gitkeep b/nginx/ssl/.gitkeep
new file mode 100644
index 00000000..1fe3dd24
--- /dev/null
+++ b/nginx/ssl/.gitkeep
@@ -0,0 +1 @@
+PLACE YOUR SSL Certificates in this folder
-- 
cgit v1.2.3-1-g7c22
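Review bot: The `location /` block at the end of the hunk forwards `Upgrade`, `Connection` and `X-Forwarded-For` but not `Host` or `X-Forwarded-Proto`, so with `proxy_pass http://wekan:8080` the upstream sees `Host: wekan:8080` and a plain-http request; add `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing headers. The three `map` blocks for `$this_host`, `$the_scheme` and `$the_host` are defined but never referenced, and their `default` branches take the client-supplied `X-Forwarded-Proto`/`X-Forwarded-Host` values at face value, so they should be removed rather than wired in later as-is — this nginx terminates TLS itself and can use `$scheme`/`$host` directly. `root /var/www/html;` and `fastcgi_buffers 64 4K;` are dead settings here since every request is proxied. The HSTS header carries `preload` without `includeSubDomains`, which the preload list requires; either add `includeSubDomains` or drop `preload` so the header states only what it enforces.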