Docker and Ghost CMS overhaul

etc/nginx/HTTPS_default.conf.BAK

@@ -0,0 +1,119 @@
+upstream tomcat {
+    server tomcat:8080;
+}
+
+upstream ghost {
+    server ghost:2368;
+}
+
+# HTTP
+server {
+    listen 8080                             default_server;
+    listen [::]:8080                        default_server ipv6only=on;
+    server_name                             ${NGINX_HOST};
+
+    error_log                               /opt/bitnami/nginx/logs/error.log;
+    access_log                              /opt/bitnami/nginx/logs/access.log;
+
+    rewrite ^ https://$http_host$request_uri? permanent; #Redirect traffic to HTTPS
+
+    root /app;
+    index index.html index.htm index.php index.jsp;
+
+    client_max_body_size                    100M;
+
+    location / {
+        try_files $uri $uri/index.html;
+    }
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        fastcgi_pass php:9001;
+        fastcgi_index index.php;
+        include fastcgi.conf;
+    }
+
+    # Ghost proxy
+    location /blog {
+        proxy_pass http://ghost;
+        proxy_set_header  Host              $http_host;   # required for docker client's sake
+        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+        proxy_read_timeout                  900;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp|txt|zip) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass                          http://tomcat;
+    }
+
+}
+
+# HTTPS
+server {
+    listen      443           ssl http2;
+    listen [::]:443           ssl http2;
+    server_name               ${NGINX_HOST};
+
+    error_log                 /opt/bitnami/nginx/logs/error.log;
+    access_log                /opt/bitnami/nginx/logs/access.log;
+
+    add_header                Strict-Transport-Security "max-age=31536000" always;
+    ssl_session_cache         shared:SSL:20m;
+    ssl_session_timeout       10m;
+    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
+    ssl_stapling              on;
+    ssl_stapling_verify       on;
+    resolver                  8.8.8.8 1.1.1.1;
+    ssl_certificate           /etc/letsencrypt/live/${NGINX_HOST}/fullchain.pem;
+    ssl_certificate_key       /etc/letsencrypt/live/${NGINX_HOST}/privkey.pem;
+    ssl_trusted_certificate   /etc/letsencrypt/live/${NGINX_HOST}/chain.pem;
+
+    root /app;
+    index index.html index.htm index.php index.jsp;
+
+    client_max_body_size                    100M;
+
+    location / {
+        try_files $uri $uri/index.html;
+    }
+
+    ####### Proxies #######
+    # PHP proxy
+    location ~ \.php$ {
+        fastcgi_pass php:9001;
+        fastcgi_index index.php;
+        include fastcgi.conf;
+    }
+
+    # Ghost proxy
+    location /blog {
+        proxy_pass http://ghost;
+        proxy_set_header  Host              $http_host;   # required for docker client's sake
+        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
+        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+        proxy_read_timeout                  900;
+    }
+
+    # Tomcat proxy
+    location ~ \.(do|jspa|obr|jsp|txt|zip) {
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass                          http://tomcat;
+    }
+
+    # Certbot for HTTPS cert renewal
+    location ~ ^/.well-known {
+        root /data/letsencrypt/;
+    }
+
+}