Conversation

@nir3shprabu (Author)
No description provided.

@lnproxy (Owner)
lnproxy commented Mar 16, 2023

Looks good! I don't know anything about nginx but with relayd you can also forward some paths to different ports. Would be good to have the option to forward /api and /spec directly to lnproxy.

@nir3shprabu (Author)
Would you post the relayd and httpd config files here? They would be very useful as a reference for drafting an Nginx config file. Avoid posting them if they contain any sensitive info.

@lnproxy (Owner)
lnproxy commented Mar 17, 2023

Sure:

/etc/relayd.conf (with some lines removed):

table <lnproxy> { 127.0.0.1 }
table <httpd> { 127.0.0.1 }

http protocol https {
	tls keypair lnproxy.org

	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
	match request header append "X-Forwarded-By" \
	    value "$SERVER_ADDR:$SERVER_PORT"
	match request header set "Connection" value "close"

	# Various TCP options
	tcp { sack, backlog 128 }

	tls ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
	match response header set "Content-Security-Policy" value "default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self' blob: data:; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; manifest-src 'self'; connect-src *"
	match response header set "Feature-Policy" value "camera 'none'; microphone 'none'"
	match response header set "Referrer-Policy" value "no-referrer"
	match response header set "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
	match response header set "X-Content-Type-Options" value "nosniff"
	match response header set "X-Frame-Options" value "deny"
	match response header set "X-XSS-Protection" value "1; mode=block"

	# relayd evaluates match rules in order and the last matching rule wins,
	# so the "/*" catch-all comes first and the more specific paths below
	# override it for /assets, /spec and /api.
	match request path "/*" forward to <httpd>
	match request path "/assets/*" forward to <httpd>
	match request path "/spec" forward to <lnproxy>
	match request path "/api/*" forward to <lnproxy>

	return error
	pass
}

relay wwwtls {
	# Run as a SSL/TLS accelerator
	listen on $ext_addr port 443 tls
	protocol "https"

	# Forward to hosts in the webhosts table using a src/dst hash
	forward to <lnproxy> port 7477 mode loadbalance check http "/spec" code 200
	forward to <httpd> port 8080 mode loadbalance check http "/" code 200
}

/etc/httpd.conf (with some lines removed):

server "lnproxy.org" {
        listen on * port 80
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * { block return 302 "https://$HTTP_HOST$REQUEST_URI" }
}
server "lnproxy.org" {
        listen on * port 8080
        root "/htdocs/lnproxy.org"
}
server "www.lnproxy.org" {
        listen on * port 80
        location * { block return 302 "https://lnproxy.org$REQUEST_URI" }
}
types {
        text/css                css
        text/html               html
        text/plain              txt
        image/gif               gif
        image/jpeg              jpg jpeg
        image/png               png
        application/javascript  js
        application/json        json
}

Can also configure Tor to listen on the ports for both servers.
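For reference alongside the relayd/httpd files above, here is an nginx configuration that does the same job: TLS termination on 443, the same response headers and forwarded request headers, exact /spec and anything under /api/ proxied to lnproxy on 127.0.0.1:7477, and the ACME and www redirects on port 80. This is an added example, not the config from this pull request or from the lnproxy project. It assumes certificate paths under /etc/ssl (relayd only says "tls keypair lnproxy.org"), and it has nginx serve the static site from /htdocs/lnproxy.org itself instead of proxying to httpd on 8080; the backend port 7477 and the header values are taken from the posted relayd.conf. These blocks go inside nginx's http context (for example a file under conf.d) and can be checked with nginx -t before reloading.

```nginx
# Added example: nginx equivalent of the relayd.conf/httpd.conf posted above.
# Assumptions (not from the PR): certificate paths, and nginx serving the
# static site directly rather than proxying to httpd on port 8080.

upstream lnproxy {
    # Passive health check only: open-source nginx has no equivalent of
    # relayd's active 'check http "/spec" code 200'.
    server 127.0.0.1:7477 max_fails=3 fail_timeout=10s;
}

# Port 80: answer ACME challenges, redirect everything else to HTTPS
# (mirrors the first httpd.conf server block).
server {
    listen 80;
    listen [::]:80;
    server_name lnproxy.org;

    # httpd's "request strip 2" drops the first two path components, so the
    # token is read from /acme/<token>; alias does the same here.
    location /.well-known/acme-challenge/ {
        alias /acme/;
    }

    location / {
        return 302 https://$host$request_uri;
    }
}

# www -> apex redirect (mirrors the third httpd.conf server block).
server {
    listen 80;
    listen [::]:80;
    server_name www.lnproxy.org;
    return 302 https://lnproxy.org$request_uri;
}

# Port 443: TLS termination, security headers, path-based routing
# (mirrors the relayd "https" protocol and "wwwtls" relay).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name lnproxy.org;

    # Assumed paths; relayd.conf only says 'tls keypair lnproxy.org'.
    ssl_certificate     /etc/ssl/lnproxy.org.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/lnproxy.org.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Same OpenSSL cipher list as relayd.conf (TLS 1.3 suites are unaffected).
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";

    # Response headers from relayd.conf. "always" also adds them on 4xx/5xx,
    # matching relayd's "match response header set" on every response.
    # Caveat: a location block that declares its own add_header inherits none
    # of these, so keep them at server level and add no headers in locations.
    add_header Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self'; img-src 'self' blob: data:; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; manifest-src 'self'; connect-src *" always;
    add_header Feature-Policy "camera 'none'; microphone 'none'" always;
    # Permissions-Policy is the successor to Feature-Policy (not in relayd.conf).
    add_header Permissions-Policy "camera=(), microphone=()" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "deny" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Request headers relayd appended/set before forwarding; these are
    # inherited by every location below that does not set its own.
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-By "$server_addr:$server_port";
    proxy_set_header Connection close;

    # Exact /spec and anything under /api/ go to lnproxy, as in relayd.conf.
    location = /spec {
        proxy_pass http://lnproxy;
    }
    location /api/ {
        proxy_pass http://lnproxy;
    }

    # Everything else is the static site (httpd's second server block).
    root /htdocs/lnproxy.org;
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Unlike relayd, where the last matching rule wins, nginx picks the exact match (= /spec) first and otherwise the longest matching prefix, so the ordering of the location blocks does not matter; the catch-all / only applies when neither proxied location matches.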
