From 75b97eb03db9940eb43ccbaeacdda4cfc99ed778 Mon Sep 17 00:00:00 2001 From: Xe Iaso Date: Sat, 19 Apr 2025 12:29:36 -0400 Subject: [PATCH] docs/admin: break per-environment details into their own pages (#292) Signed-off-by: Xe Iaso --- docs/docs/CHANGELOG.md | 1 + docs/docs/admin/environments/_category_.json | 8 + docs/docs/admin/environments/apache.mdx | 151 +++++++ .../admin/environments/docker-compose.mdx | 26 ++ docs/docs/admin/environments/kubernetes.mdx | 128 ++++++ docs/docs/admin/environments/nginx.mdx | 166 +++++++ docs/docs/admin/installation.mdx | 418 +----------------- 7 files changed, 490 insertions(+), 408 deletions(-) create mode 100644 docs/docs/admin/environments/_category_.json create mode 100644 docs/docs/admin/environments/apache.mdx create mode 100644 docs/docs/admin/environments/docker-compose.mdx create mode 100644 docs/docs/admin/environments/kubernetes.mdx create mode 100644 docs/docs/admin/environments/nginx.mdx diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index f2ff353..7dd5c26 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Allow requests from the Internet Archive - Added example nginx configuration to documentation - Added example Apache configuration to the documentation [#277](https://github.com/TecharoHQ/anubis/issues/277) +- Move per-environment configuration details into their own pages ## v1.16.0 diff --git a/docs/docs/admin/environments/_category_.json b/docs/docs/admin/environments/_category_.json new file mode 100644 index 0000000..3152271 --- /dev/null +++ b/docs/docs/admin/environments/_category_.json @@ -0,0 +1,8 @@ +{ + "label": "Environments", + "position": 20, + "link": { + "type": "generated-index", + "description": "Detailed information about individual environments (such as HTTP servers, platforms, etc.) Anubis is known to work with." + } +} \ No newline at end of file 
diff --git a/docs/docs/admin/environments/apache.mdx b/docs/docs/admin/environments/apache.mdx
new file mode 100644
index 0000000..b3f9b4f
--- /dev/null
+++ b/docs/docs/admin/environments/apache.mdx
@@ -0,0 +1,151 @@ +# Apache + +import Tabs from "@theme/Tabs"; +import TabItem from "@theme/TabItem"; + +Anubis is intended to be a filter proxy. The way to integrate this is to break your configuration up into two parts: TLS termination and then HTTP routing. Consider this diagram: + +```mermaid +--- +title: Apache as tls terminator and HTTP router +--- + +flowchart LR + T(User Traffic) + subgraph Apache 2 + TCP(TCP 80/443) + US(TCP 3001) + end + + An(Anubis) + B(Backend) + + T --> |TLS termination| TCP + TCP --> |Traffic filtering| An + An --> |Happy traffic| US + US --> |whatever you're doing| B +``` + +Effectively you have one trip through Apache to do TLS termination, a detour through Anubis for traffic scrubbing, and then going to the backend directly. This final socket is what will do HTTP routing. + +:::note + +These examples assume that you are using a setup where your nginx configuration is made up of a bunch of files in `/etc/httpd/conf.d/*.conf`. This is not true for all deployments of Apache. If you are not in such an environment, append these snippets to your `/etc/httpd/conf/httpd.conf` file. + +::: + +## Dependencies + +Install the following dependencies for proxying HTTP: + + + + +```text +dnf -y install mod_proxy_html +``` + + + + +```text +apt-get install -y libapache2-mod-proxy-html libxml2-dev +``` + + + + +## Configuration + +Assuming you are protecting `anubistest.techaro.lol`, you need the following server configuration blocks: + +1. A block on port 80 that forwards HTTP to HTTPS +2. A block on port 443 that terminates TLS and forwards to Anubis +3. 
A block on port 3001 that actually serves your websites + +```text +# Plain HTTP redirect to HTTPS + + ServerAdmin your@email.here + ServerName anubistest.techaro.lol + DocumentRoot /var/www/anubistest.techaro.lol + ErrorLog /var/log/httpd/anubistest.techaro.lol_error.log + CustomLog /var/log/httpd/anubistest.techaro.lol_access.log combined + RewriteEngine on + RewriteCond %{SERVER_NAME} =anubistest.techaro.lol + RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] + + +# HTTPS listener that forwards to Anubis + + ServerAdmin your@email.here + ServerName anubistest.techaro.lol + DocumentRoot /var/www/anubistest.techaro.lol + ErrorLog /var/log/httpd/anubistest.techaro.lol_error.log + CustomLog /var/log/httpd/anubistest.techaro.lol_access.log combined + + SSLCertificateFile /etc/letsencrypt/live/anubistest.techaro.lol/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/anubistest.techaro.lol/privkey.pem + Include /etc/letsencrypt/options-ssl-apache.conf + + # These headers need to be set or else Anubis will + # throw an "admin misconfiguration" error. + RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR} + RequestHeader set X-Forwarded-Proto "https" + + ProxyPreserveHost On + + ProxyRequests Off + ProxyVia Off + + # Replace 9000 with the port Anubis listens on + ProxyPass / http://[::1]:9000/ + ProxyPassReverse / http://[::1]:9000/ + + + +# Actual website config + + ServerAdmin your@email.here + ServerName anubistest.techaro.lol + DocumentRoot /var/www/anubistest.techaro.lol + ErrorLog /var/log/httpd/anubistest.techaro.lol_error.log + CustomLog /var/log/httpd/anubistest.techaro.lol_access.log combined + +``` + +Make sure to add a separate configuration file for the listener on port 3001: + +```text +# /etc/httpd/conf.d/listener-3001.conf + +Listen 3001 +``` + +This can be repeated for multiple sites. Anubis does not care about the HTTP `Host` header and will happily cope with multiple websites via the same instance. 
+
+Then reload your Apache config and load your website. You should see Anubis protecting your apps!
+
+```text
+sudo systemctl reload httpd.service
+```
+
+## Troubleshooting
+
+Here are some answers to questions that came in in testing:
+
+### I'm running on a Red Hat distribution and Apache is saying "service unavailable" for every page load
+
+If you see a "Service unavailable" error on every page load and run a Red Hat derived distribution, you are missing a `selinux` setting. The exact command will be in a journalctl log message like this:
+
+```text
+***** Plugin catchall_boolean (89.3 confidence) suggests ******************
+
+If you want to allow HTTPD scripts and modules to connect to the network using TCP.
+Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.
+
+Do
+setsebool -P httpd_can_network_connect 1
+```
+
+This will fix the error immediately.
diff --git a/docs/docs/admin/environments/docker-compose.mdx b/docs/docs/admin/environments/docker-compose.mdx
new file mode 100644
index 0000000..bf890ff
--- /dev/null
+++ b/docs/docs/admin/environments/docker-compose.mdx
@@ -0,0 +1,26 @@
+## Docker compose
+
+Docker compose is typically used in concert with other load balancers such as [Apache](./apache.mdx) or [Nginx](./nginx.mdx). Below is a minimal example showing you how to set up an instance of Anubis listening on host port 8080 that points to a static website containing data in `./www`:
+
+```yaml
+services:
+ anubis-nginx:
+ image: ghcr.io/techarohq/anubis:latest
+ environment:
+ BIND: ":8080"
+ DIFFICULTY: "5"
+ METRICS_BIND: ":9090"
+ SERVE_ROBOTS_TXT: "true"
+ TARGET: "http://nginx"
+ POLICY_FNAME: "/data/cfg/botPolicy.json"
+ OG_PASSTHROUGH: "true"
+ OG_EXPIRY_TIME: "24h"
+ ports:
+ - 8080:8080
+ volumes:
+ - "./botPolicy.json:/data/cfg/botPolicy.json:ro"
+ nginx:
+ image: nginx
+ volumes:
+ - "./www:/usr/share/nginx/html"
+```
diff --git a/docs/docs/admin/environments/kubernetes.mdx b/docs/docs/admin/environments/kubernetes.mdx
new file mode 100644
index 0000000..be25289
--- /dev/null
+++ b/docs/docs/admin/environments/kubernetes.mdx
@@ -0,0 +1,128 @@
+# Kubernetes
+
+When setting up Anubis in Kubernetes, you want to make sure that you thread requests through Anubis kinda like this:
+
+```mermaid
+---
+title: Anubis embedded into workload pods
+---
+
+flowchart LR
+ T(User Traffic)
+
+ IngressController(IngressController)
+
+ subgraph Service
+ AnPort(Anubis Port)
+ BPort(Backend Port)
+ end
+
+ subgraph Pod
+ An(Anubis)
+ B(Backend)
+ end
+
+ T --> IngressController
+ IngressController --> AnPort
+ AnPort --> An
+ An --> B
+```
+
+Anubis is lightweight enough that you should be able to have many instances of it running without many problems. If this is a concern for you, please check out [ingress-anubis](https://github.com/jaredallard/ingress-anubis?ref=anubis.techaro.lol).
+
+This example makes the following assumptions:
+
+- Your target service is listening on TCP port `5000`.
+- Anubis will be listening on port `8080`.
+
+Adjust these values as facts and circumstances demand.
+
+Create a secret with the signing key Anubis should use for its responses:
+
+```
+kubectl create secret generic anubis-key \
+ --namespace default \
+ --from-literal=ED25519_PRIVATE_KEY_HEX=$(openssl rand -hex 32)
+```
+
+Attach Anubis to your Deployment:
+
+```yaml
+containers:
+ # ...
+ - name: anubis
+ image: ghcr.io/techarohq/anubis:latest
+ imagePullPolicy: Always
+ env:
+ - name: "BIND"
+ value: ":8080"
+ - name: "DIFFICULTY"
+ value: "4"
+ - name: ED25519_PRIVATE_KEY_HEX
+ valueFrom:
+ secretKeyRef:
+ name: anubis-key
+ key: ED25519_PRIVATE_KEY_HEX
+ - name: "METRICS_BIND"
+ value: ":9090"
+ - name: "SERVE_ROBOTS_TXT"
+ value: "true"
+ - name: "TARGET"
+ value: "http://localhost:5000"
+ - name: "OG_PASSTHROUGH"
+ value: "true"
+ - name: "OG_EXPIRY_TIME"
+ value: "24h"
+ resources:
+ limits:
+ cpu: 750m
+ memory: 256Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+```
+
+Then add a Service entry for Anubis:
+
+```yaml
+# ...
+spec:
+ ports:
+ # diff-add
+ - protocol: TCP
+ # diff-add
+ port: 8080
+ # diff-add
+ targetPort: 8080
+ # diff-add
+ name: anubis
+```
+
+Then point your Ingress to the Anubis port:
+
+```yaml
+ rules:
+ - host: git.xeserv.us
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: git
+ port:
+ # diff-remove
+ name: http
+ # diff-add
+ name: anubis
+```
diff --git a/docs/docs/admin/environments/nginx.mdx b/docs/docs/admin/environments/nginx.mdx
new file mode 100644
index 0000000..3875c58
--- /dev/null
+++ b/docs/docs/admin/environments/nginx.mdx
@@ -0,0 +1,166 @@
+# Nginx
+
+Anubis is intended to be a filter proxy. The way to integrate this with nginx is to break your configuration up into two parts: TLS termination and then HTTP routing. Consider this diagram:
+
+```mermaid
+---
+title: Nginx as tls terminator and HTTP router
+---
+
+flowchart LR
+ T(User Traffic)
+ subgraph Nginx
+ TCP(TCP 80/443)
+ US(Unix Socket or
+another TCP port)
+ end
+
+ An(Anubis)
+ B(Backend)
+
+ T --> |TLS termination| TCP
+ TCP --> |Traffic filtering| An
+ An --> |Happy traffic| US
+ US --> |whatever you're doing| B
+```
+
+Instead of your traffic going right from TLS termination into the backend, it takes a detour through Anubis. Anubis filters out the "bad" traffic and then passes the "good" traffic to another socket that Nginx has open. This final socket is what you will use to do HTTP routing.
+
+Effectively, you have two roles for nginx: TLS termination (converting HTTPS to HTTP) and HTTP routing (distributing requests to the individual vhosts). This can stack with something like Apache in case you have a legacy deployment. Make sure you have the right [TLS certificates configured](https://code.kuederle.com/letsencrypt/) at the TLS termination level.
+
+:::note
+
+These examples assume that you are using a setup where your nginx configuration is made up of a bunch of files in `/etc/nginx/conf.d/*.conf`. This is not true for all deployments of nginx. If you are not in such an environment, append these snippets to your `/etc/nginx/nginx.conf` file.
+
+:::
+
+Assuming that we are protecting `anubistest.techaro.lol`, here's what the server configuration file would look like:
+
+```nginx
+# /etc/nginx/conf.d/server-anubistest-techaro-lol.conf
+
+# HTTP - Redirect all HTTP traffic to HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name anubistest.techaro.lol;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+# TLS termination server, this will listen over TLS (https) and then
+# proxy all traffic to the target via Anubis.
+server {
+ # Listen on TCP port 443 with TLS (https) and HTTP/2
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://anubis;
+ }
+
+ server_name anubistest.techaro.lol;
+
+ ssl_certificate /path/to/your/certs/anubistest.techaro.lol.crt;
+ ssl_certificate_key /path/to/your/certs/anubistest.techaro.lol.key;
+}
+
+# Backend server, this is where your webapp should actually live.
+server {
+ listen unix:/run/nginx/nginx.sock;
+
+ server_name anubistest.techaro.lol;
+ root "/srv/http/anubistest.techaro.lol";
+ index index.html;
+
+ # Your normal configuration can go here
+ # location .php { fastcgi...} etc.
+}
+```
+
+:::tip
+
+You can copy the `location /` block into a separate file named something like `conf-anubis.inc` and then include it inline to other `server` blocks:
+
+```nginx
+# /etc/nginx/conf.d/conf-anubis.inc
+
+# Forward to anubis
+location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://anubis;
+}
+```
+
+Then in a server block:
+
+
+Full nginx config
+
+```nginx
+# /etc/nginx/conf.d/server-mimi-techaro-lol.conf
+
+server {
+ # Listen on 443 with SSL
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ # Slipstream via Anubis
+ include "conf-anubis.inc";
+
+ server_name mimi.techaro.lol;
+
+ ssl_certificate /path/to/your/certs/mimi.techaro.lol.crt;
+ ssl_certificate_key /path/to/your/certs/mimi.techaro.lol.key;
+}
+
+server {
+ listen unix:/run/nginx/nginx.sock;
+
+ server_name mimi.techaro.lol;
+ root "/srv/http/mimi.techaro.lol";
+ index index.html;
+
+ # Your normal configuration can go here
+ # location .php { fastcgi...} etc.
+}
+```
+
+
+ +::: + +Create an upstream for Anubis. + +```nginx +# /etc/nginx/conf.d/upstream-anubis.conf + +upstream anubis { + # Make sure this matches the values you set for `BIND` and `BIND_NETWORK`. + # If this does not match, your services will not be protected by Anubis. + + # Try anubis first over a UNIX socket + server unix:/run/anubis/nginx.sock; + #server http://127.0.0.1:8923; + + # Optional: fall back to serving the websites directly. This allows your + # websites to be resilient against Anubis failing, at the risk of exposing + # them to the raw internet without protection. This is a tradeoff and can + # be worth it in some edge cases. + #server unix:/run/nginx.sock backup; +} +``` + +This can be repeated for multiple sites. Anubis does not care about the HTTP `Host` header and will happily cope with multiple websites via the same instance. + +Then reload your nginx config and load your website. You should see Anubis protecting your apps! + +```text +sudo systemctl reload nginx.service +``` diff --git a/docs/docs/admin/installation.mdx b/docs/docs/admin/installation.mdx index 2b12d76..75618a6 100644 --- a/docs/docs/admin/installation.mdx +++ b/docs/docs/admin/installation.mdx @@ -41,6 +41,10 @@ The Docker image runs Anubis as user ID 1000 and group ID 1000. If you are mount Anubis has very minimal system requirements. I suspect that 128Mi of ram may be sufficient for a large number of concurrent clients. Anubis may be a poor fit for apps that use WebSockets and maintain open connections, but I don't have enough real-world experience to know one way or another. +## Native packages + +For more detailed information on installing Anubis with native packages, please read [the native install directions](./native-install.mdx). + ## Environment variables Anubis uses these environment variables for configuration: 
@@ -79,413 +83,11 @@ Alternatively here is a key generated by your browser: -## Apache +## Next steps -Anubis is intended to be a filter proxy. The way to integrate this with nginx is to break your configuration up into two parts: TLS termination and then HTTP routing. Consider this diagram: +To get Anubis filtering your traffic, you need to make sure it's added to your HTTP load balancer or platform configuration. See the [environments category](/docs/category/environments) for detailed information on individual environments. -```mermaid -flowchart LR - T(User Traffic) - subgraph Apache 2 - TCP(TCP 80/443) - US(TCP 3001) - end - - An(Anubis) - B(Backend) - - T --> |TLS termination| TCP - TCP --> |Traffic filtering| An - An --> |Happy traffic| US - US --> |whatever you're doing| B -``` - -Effectively you have one trip through Apache to do TLS termination, a detour through Anubis for traffic scrubbing, and then going to the backend directly. This final socket is what will do HTTP routing. - -:::note - -These examples assume that you are using a setup where your nginx configuration is made up of a bunch of files in `/etc/httpd/conf.d/*.conf`. This is not true for all deployments of Apache. If you are not in such an environment, append these snippets to your `/etc/httpd/conf/httpd.conf` file. - -::: - -Install the following dependencies: - - - - -```text -dnf -y install mod_proxy_html -``` - - - - -```text -apt-get install -y libapache2-mod-proxy-html libxml2-dev -``` - - - - -Assuming you are protecting `anubistest.techaro.lol`, you need the following server configuration blocks: - -1. A block on port 80 that forwards HTTP to HTTPS -2. A block on port 443 that terminates TLS and forwards to Anubis -3. 
A block on port 3001 that actually serves your websites - -```text -# Plain HTTP redirect to HTTPS - - ServerAdmin your@email.here - ServerName anubistest.techaro.lol - DocumentRoot /var/www/anubistest.techaro.lol - ErrorLog /var/log/httpd/anubistest.techaro.lol_error.log - CustomLog /var/log/httpd/anubistest.techaro.lol_access.log combined - RewriteEngine on - RewriteCond %{SERVER_NAME} =anubistest.techaro.lol - RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] - - -# HTTPS listener that forwards to Anubis - - ServerAdmin your@email.here - ServerName anubistest.techaro.lol - DocumentRoot /var/www/anubistest.techaro.lol - ErrorLog /var/log/httpd/anubistest.techaro.lol_error.log - CustomLog /var/log/httpd/anubistest.techaro.lol_access.log combined - - SSLCertificateFile /etc/letsencrypt/live/anubistest.techaro.lol/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/anubistest.techaro.lol/privkey.pem - Include /etc/letsencrypt/options-ssl-apache.conf - - # These headers need to be set or else Anubis will - # throw an "admin misconfiguration" error. - RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR} - RequestHeader set X-Forwarded-Proto "https" - - ProxyPreserveHost On - - ProxyRequests Off - ProxyVia Off - - # Replace 9000 with the port Anubis listens on - ProxyPass / http://[::1]:9000/ - ProxyPassReverse / http://[::1]:9000/ - - - -# Actual website config - - ServerAdmin your@email.here - ServerName anubistest.techaro.lol - DocumentRoot /var/www/anubistest.techaro.lol - ErrorLog /var/log/httpd/anubistest.techaro.lol_error.log - CustomLog /var/log/httpd/anubistest.techaro.lol_access.log combined - -``` - -Make sure to add a separate configuration file for the listener on port 3001: - -```text -# /etc/httpd/conf.d/listener-3001.conf - -Listen 3001 -``` - -This can be repeated for multiple sites. Anubis does not care about the HTTP `Host` header and will happily cope with multiple websites via the same instance. 
- -Then reload your Apache config and load your website. You should see Anubis protecting your apps! - -```text -sudo systemctl reload httpd.service -``` - -### I'm running on a Red Hat distribution and Apache is saying "service unavailable" for every page load - -If you see a "Service unavailable" error on every page load and run a Red Hat derived distribution, you are missing a `selinux` setting. The exact command will be in a log message like this: - -```text -***** Plugin catchall_boolean (89.3 confidence) suggests ****************** - -If you want to allow HTTPD scripts and modules to connect to the network using TCP. -Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean. - -Do -setsebool -P httpd_can_network_connect 1 -``` - -This will fix the error immediately. - -## Docker compose - -Add Anubis to your compose file pointed at your service: - -```yaml -services: - anubis-nginx: - image: ghcr.io/techarohq/anubis:latest - environment: - BIND: ":8080" - DIFFICULTY: "5" - METRICS_BIND: ":9090" - SERVE_ROBOTS_TXT: "true" - TARGET: "http://nginx" - POLICY_FNAME: "/data/cfg/botPolicy.json" - OG_PASSTHROUGH: "true" - OG_EXPIRY_TIME: "24h" - ports: - - 8080:8080 - volumes: - - "./botPolicy.json:/data/cfg/botPolicy.json:ro" - nginx: - image: nginx - volumes: - - "./www:/usr/share/nginx/html" -``` - -## Kubernetes - -This example makes the following assumptions: - -- Your target service is listening on TCP port `5000`. -- Anubis will be listening on port `8080`. - -Attach Anubis to your Deployment: - -```yaml -containers: - # ... 
- - name: anubis - image: ghcr.io/techarohq/anubis:latest - imagePullPolicy: Always - env: - - name: "BIND" - value: ":8080" - - name: "DIFFICULTY" - value: "5" - - name: "METRICS_BIND" - value: ":9090" - - name: "SERVE_ROBOTS_TXT" - value: "true" - - name: "TARGET" - value: "http://localhost:5000" - - name: "OG_PASSTHROUGH" - value: "true" - - name: "OG_EXPIRY_TIME" - value: "24h" - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 250m - memory: 128Mi - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault -``` - -Then add a Service entry for Anubis: - -```yaml -# ... -spec: - ports: - # diff-add - - protocol: TCP - # diff-add - port: 8080 - # diff-add - targetPort: 8080 - # diff-add - name: anubis -``` - -Then point your Ingress to the Anubis port: - -```yaml - rules: - - host: git.xeserv.us - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: git - port: - # diff-remove - name: http - # diff-add - name: anubis -``` - -## Nginx - -Anubis is intended to be a filter proxy. The way to integrate this with nginx is to break your configuration up into two parts: TLS termination and then HTTP routing. Consider this diagram: - -```mermaid -flowchart LR - T(User Traffic) - subgraph Nginx - TCP(TCP 80/443) - US(Unix Socket or -another TCP port) - end - - An(Anubis) - B(Backend) - - T --> |TLS termination| TCP - TCP --> |Traffic filtering| An - An --> |Happy traffic| US - US --> |whatever you're doing| B -``` - -Instead of your traffic going right from TLS termination into the backend, it takes a detour through Anubis. Anubis filters out the "bad" traffic and then passes the "good" traffic to another socket that Nginx has open. This final socket is what you will use to do HTTP routing. 
- -Effectively, you have two roles for nginx: TLS termination (converting HTTPS to HTTP) and HTTP routing (distributing requests to the individual vhosts). This can stack with something like Apache in case you have a legacy deployment. Make sure you have the right [TLS certificates configured](https://code.kuederle.com/letsencrypt/) at the TLS termination level. - -:::note - -These examples assume that you are using a setup where your nginx configuration is made up of a bunch of files in `/etc/nginx/conf.d/*.conf`. This is not true for all deployments of nginx. If you are not in such an environment, append these snippets to your `/etc/nginx/nginx.conf` file. - -::: - -Assuming that we are protecting `anubistest.techaro.lol`, here's what the server configuration file would look like: - -```nginx -# /etc/nginx/conf.d/server-anubistest-techaro-lol.conf - -# HTTP - Redirect all HTTP traffic to HTTPS -server { - listen 80; - listen [::]:80; - - server_name anubistest.techaro.lol; - - location / { - return 301 https://$host$request_uri; - } -} - -# TLS termination server, this will listen over TLS (https) and then -# proxy all traffic to the target via Anubis. -server { - # Listen on TCP port 443 with TLS (https) and HTTP/2 - listen 443 ssl http2; - listen [::]:443 ssl http2; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_pass http://anubis; - } - - server_name anubistest.techaro.lol; - - ssl_certificate /path/to/your/certs/anubistest.techaro.lol.crt; - ssl_certificate_key /path/to/your/certs/anubistest.techaro.lol.key; -} - -# Backend server, this is where your webapp should actually live. -server { - listen unix:/run/nginx/nginx.sock; - - server_name anubistest.techaro.lol; - root "/srv/http/anubistest.techaro.lol"; - index index.html; - - # Your normal configuration can go here - # location .php { fastcgi...} etc. 
-} -``` - -:::tip - -You can copy the `location /` block into a separate file named something like `conf-anubis.inc` and then include it inline to other `server` blocks: - -```nginx -# /etc/nginx/conf.d/conf-anubis.inc - -# Forward to anubis -location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_pass http://anubis; -} -``` - -Then in a server block: - -
-Full nginx config - -```nginx -# /etc/nginx/conf.d/server-mimi-techaro-lol.conf - -server { - # Listen on 443 with SSL - listen 443 ssl http2; - listen [::]:443 ssl http2; - - # Slipstream via Anubis - include "conf-anubis.inc"; - - server_name mimi.techaro.lol; - - ssl_certificate /path/to/your/certs/mimi.techaro.lol.crt; - ssl_certificate_key /path/to/your/certs/mimi.techaro.lol.key; -} - -server { - listen unix:/run/nginx/nginx.sock; - - server_name mimi.techaro.lol; - root "/srv/http/mimi.techaro.lol"; - index index.html; - - # Your normal configuration can go here - # location .php { fastcgi...} etc. -} -``` - -
- -::: - -Create an upstream for Anubis. - -```nginx -# /etc/nginx/conf.d/upstream-anubis.conf - -upstream anubis { - # Make sure this matches the values you set for `BIND` and `BIND_NETWORK`. - # If this does not match, your services will not be protected by Anubis. - - # Try anubis first over a UNIX socket - server unix:/run/anubis/nginx.sock; - #server http://127.0.0.1:8923; - - # Optional: fall back to serving the websites directly. This allows your - # websites to be resilient against Anubis failing, at the risk of exposing - # them to the raw internet without protection. This is a tradeoff and can - # be worth it in some edge cases. - #server unix:/run/nginx.sock backup; -} -``` - -This can be repeated for multiple sites. Anubis does not care about the HTTP `Host` header and will happily cope with multiple websites via the same instance. - -Then reload your nginx config and load your website. You should see Anubis protecting your apps! - -```text -sudo systemctl reload nginx.service -``` +- [Apache](./environments/apache.mdx) +- [Docker compose](./environments/docker-compose.mdx) +- [Kubernetes](./environments/kubernetes.mdx) +- [Nginx](./environments/nginx.mdx)