Running rancher behind proxy at admin.example.com?

[aschrijver]

Hi @adi90x
Thanks a lot for this repo!! It looks like this is exactly what I need to setup a rancher CI/CD environment!
But I have a question regarding setup, some things unclear in README..

I have an AWS EC2 instance running RancherOS and want to setup the following:

• nginx reverse proxy in front of all containers
• static website (nginx redirect to gh-pages) with SSL termination, accessible at https://example.com
• rancher server running on port 8080, accessible at https://admin.example.com
• gitlab server running on port 8090, accessible at https://develop.example.com

Previously I manually setup nginx config and Letsencrypt certificates and accidentally bricked my docker installation, forcing me to recreate the instance entirely.

Going from the README I deduce I have to take following steps:

• Install/run proxy: From the AWS console run $ docker run -d -p 80:80 adi90x/rancher-active-proxy
• Create website redirect: Create an nginx config for the redirect to gh-pages on Github named example.com_server and copy it to /etc/nginx/vhost.d on the instance --> but this server block is just a redirect, without a container!
• Install/run rancher: From the AWS console run docker run -d --restart=unless-stopped -p 8080:8080 --name=rancher-server -l rap.host=admin.example.com -l rap.port=8080 -l rap.le_host=admin.example.com -l rap.le_email=foo@example.com -l rap.proto=https -l io.rancher.container.pull_image=always rancher/server

Presumably now I can use the Rancher UI to configure the gitlab stack and services, provided I add the proper labels using same UI.

Could you please verify if these steps are correct? I would be very thankful :)

PS. While I was at it I took the liberty to improve the readme a bit: #50

[adi90x]

Hello,
Thanks for the pull request was merged this morning !
On this issue, I would recommend to first start rancher server, then connect to rancher server on port 8080, setup rancher server (user, host, etc), then start a rancher-active-proxy service from Rancher server, and all your different service.
After RAP is setup and working you can even remove port 8080 from rancher/server containers, however I would not recommend that as first Added host are probably mapped to this port and second as a way to connect to Rancher in case of RAP problem !

Let me know if you have any issue !

[aschrijver]

Thanks @adi90x
So you advice to run Rancher at example.com:8080 and expose that port publicly on the EC2 instance? In that case the rancher server would not run under SSL, would it?
And can I add the redirect to gh-pages in the way described (i.e. add the example.com_server file and copy it to /etc/nginx/vhost.d? There is no container related to the redirect.

[adi90x]

Yes I would advise to keep an external port for slave host not to connect via RAP as there could be problem, if host running RAP is not up and running when a slave host from cluster try to connect Le 5 mars 2018 11:23, "Arnold Schrijver" <notifications@github.com> a écrit :

…

Thanks @adi90x <https://github.com/adi90x> So you advice to run Rancher at example.com:8080 and expose that port publicly on the EC2 instance? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#49 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AKpqdAtIb3rgg2XhiH-U4iGLftPsmPDcks5tbRIGgaJpZM4Sb1sL> .

[TemaSM]

Hi @adi90x, thanks for your project!

I already have a Rancher-server started via docker-compose.yml and installed RAP via custom Catalog, but I want to make RAP reverse proxy for open port of Rancher-server, so to visit in browser control.example.com (nginx proxy points to -> 127.0.0.1:8080) instead of 127.0.0.1:8080 (127 just for example), and make it works via using docker-compose file, not the Docker cli via docker run ....
My question sounds like duplicate of #21

The problem with docker-compose is that it creates a new default network for Rancher-server but RAP deployed via Catalog sits on Managed type network (changing not helps), so it can't detect any containers metadata changes, because it simply cannot see created container from docker-compose (with appropriate RAP labels declared of course) because of Docker networks security policy.
How can we achieve that, without using Docker cli directly?
Maybe not only via docker-compose, but start Rancher-server just from itself Rancher-server UI with attaching Rancher-server container to the same network as RAP uses?

Thanks!

Example of docker-compose.yml:

version: "2.3"
services:
  rancher:
    image: rancher/server:stable
    container_name: "control.example.com"
    restart: always
    ports:
      - "8080:8080"
      - "9345:9345"
      #- "3306:3306"
      #  About NO_PROXY: https://goo.gl/1jFQ3h & https://goo.gl/t5rvYs
      no_proxy: "localhost:8080,127.0.0.1:8080"
      NO_PROXY: "localhost:8080,127.0.0.1:8080"
    labels:
      - "rap.port=8080"
      - "rap.host=control.example.com"
      - "rap.le_host=control.example.com"
      - "rap.le_email=admin@example.com"
      - "rap.https_method=noredirect"
      - "io.rancher.container.pull_image=always"
      - "io.rancher.container.system=true"
      # Not sure if next line even needed
      - "io.rancher.container.network=true"
    command: --advertise-address ipify --advertise-http-port 8080

[aschrijver]

Thank you @adi90x everything worked fine! I'll leave this issue open because of the question by @TemaSM :)