From b3d2892e4c76576c389c8b0f491407435c218398 Mon Sep 17 00:00:00 2001 From: Elio Bischof Date: Fri, 4 Nov 2022 18:00:40 +0100 Subject: [PATCH] docs(proxy): add Apache httpd example (#4657) * docs(proxy): add httpd reverse proxy example * add httpd tab * add httpd tab * minor production checklist improvements --- .../guides/manage/self-hosted/production.md | 12 +- .../self-hosted/reverseproxy/_caddy.mdx | 6 +- .../self-hosted/reverseproxy/_httpd.mdx | 166 ++++++++++++++++++ .../self-hosted/reverseproxy/_nginx.mdx | 12 +- .../reverseproxy/reverse_proxy.mdx | 6 + 5 files changed, 187 insertions(+), 15 deletions(-) create mode 100644 docs/docs/guides/manage/self-hosted/reverseproxy/_httpd.mdx diff --git a/docs/docs/guides/manage/self-hosted/production.md b/docs/docs/guides/manage/self-hosted/production.md index ae8d457e7e..9a3fca85ac 100644 --- a/docs/docs/guides/manage/self-hosted/production.md +++ b/docs/docs/guides/manage/self-hosted/production.md @@ -7,11 +7,11 @@ you are ready to configure ZITADEL for production usage. ## High Availability -We recommend running ZITADEL highly available using an orchestrator that schedules ZITADEL on multiple servers, like [Kubernetes](/docs/guides/deploy/kubernetes). +We recommend running ZITADEL highly available using an orchestrator that schedules ZITADEL on multiple servers, like [Kubernetes](/docs/guides/deploy/kubernetes). For keeping startup times fast when scaling ZITADEL, you should also consider using separate jobs with `zitadel init` and `zitadel setup`, so your workload containers just have to execute `zitadel start`. ## Configuration -Read [on the configure page](/docs/guides/manage/self-hosted/configure) about the available options you have to configure the ZITADEL. +Read [on the configure page](/docs/guides/manage/self-hosted/configure) about the available options you have to configure ZITADEL. ## Networking 
@@ -70,7 +70,7 @@ Projections: ## Data Initialization - You can configure instance defaults in the DefaultInstance section. - If you plan to eventually create [multiple virtual instances](/docs/concepts/structure/instance#multiple-virtual-instances), these defaults take effect, too. + If you plan to eventually create [multiple virtual instances](/docs/concepts/structure/instance#multiple-virtual-instances), these defaults take effect. Also, these configurations apply to the first instance, that ZITADEL automatically creates for you. Especially the following properties are of special interest for your production setup. 
@@ -95,7 +95,7 @@ DefaultInstance: FromName: ``` -- If you don't want to use the DefaultInstance configuration for the first instance that ZITADEL automatically creates for you during the [startup phase](/docs/guides/manage/self-hosted/configure#database-initialization), you can provide a FirstInstance YAML section using the --steps argument. +- If you don't want to use the DefaultInstance configuration for the first instance that ZITADEL automatically creates for you during the [setup phase](/docs/guides/manage/self-hosted/configure#database-initialization), you can provide a FirstInstance YAML section using the --steps argument. - Learn how to configure ZITADEL via the [Console user interface](/docs/guides/manage/console/overview). -- Probably, you also want [apply your custom branding](/docs/guides/manage/customize/branding), [hook into certain events](/docs/guides/manage/customize/behavior), [customize texts](/docs/guides/manage/customize/texts) or [add metadata to your users](/docs/guides/manage/customize/user-metadata) -- If you want to automatically setup ZITADEL resources, you can use the [ZITADEL Terraform Provider](/docs/guides/manage/terraform/basics) +- Probably, you also want to [apply your custom branding](/docs/guides/manage/customize/branding), [hook into certain events](/docs/guides/manage/customize/behavior), [customize texts](/docs/guides/manage/customize/texts) or [add metadata to your users](/docs/guides/manage/customize/user-metadata). +- If you want to automatically create ZITADEL resources, you can use the [ZITADEL Terraform Provider](/docs/guides/manage/terraform/basics). diff --git a/docs/docs/guides/manage/self-hosted/reverseproxy/_caddy.mdx b/docs/docs/guides/manage/self-hosted/reverseproxy/_caddy.mdx index b871db7e44..5b0b32b6ad 100644 --- a/docs/docs/guides/manage/self-hosted/reverseproxy/_caddy.mdx +++ b/docs/docs/guides/manage/self-hosted/reverseproxy/_caddy.mdx 
@@ -1,6 +1,6 @@ ## TLS mode external -```bash +``` https://localhost { reverse_proxy h2c://localhost:8080 tls internal #only non production @@ -9,7 +9,7 @@ https://localhost { ## TLS mode enabled -```bash +``` https://localhost { reverse_proxy https://localhost:8080 tls internal #only non production @@ -18,7 +18,7 @@ https://localhost { ## TLS mode disabled -```bash +``` http://localhost { reverse_proxy h2c://localhost:8080 } diff --git a/docs/docs/guides/manage/self-hosted/reverseproxy/_httpd.mdx b/docs/docs/guides/manage/self-hosted/reverseproxy/_httpd.mdx new file mode 100644 index 0000000000..b30d5494bc --- /dev/null +++ b/docs/docs/guides/manage/self-hosted/reverseproxy/_httpd.mdx 
@@ -0,0 +1,166 @@ +## TLS mode external + +``` +LoadModule mpm_event_module modules/mod_mpm_event.so +LoadModule authn_file_module modules/mod_authn_file.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_user_module modules/mod_authz_user.so +LoadModule authz_core_module modules/mod_authz_core.so +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule auth_basic_module modules/mod_auth_basic.so +LoadModule reqtimeout_module modules/mod_reqtimeout.so +LoadModule filter_module modules/mod_filter.so +LoadModule mime_module modules/mod_mime.so +LoadModule log_config_module modules/mod_log_config.so +LoadModule env_module modules/mod_env.so +LoadModule headers_module modules/mod_headers.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule version_module modules/mod_version.so +LoadModule proxy_module modules/mod_proxy.so +LoadModule proxy_http_module modules/mod_proxy_http.so +LoadModule ssl_module modules/mod_ssl.so +LoadModule proxy_http2_module modules/mod_proxy_http2.so +LoadModule unixd_module modules/mod_unixd.so +LoadModule status_module modules/mod_status.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule dir_module modules/mod_dir.so +LoadModule alias_module modules/mod_alias.so +LoadModule rewrite_module modules/mod_rewrite.so + +ServerRoot "/usr/local/apache2" +LogLevel warn +ErrorLog /proc/self/fd/2 +CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" + +ServerName my.domain +Listen 80 +Listen 443 + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + + + ServerName my.domain + RewriteEngine On + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + + + + ServerName my.domain + ProxyPreserveHost On + SSLCertificateFile /certs/server.crt + SSLCertificateKeyFile /certs/server.key + ProxyPass 
/ h2c://localhost:8080/ + ProxyPassReverse / h2c://localhost:8080/ + +``` + +## TLS mode enabled + +``` +LoadModule mpm_event_module modules/mod_mpm_event.so +LoadModule authn_file_module modules/mod_authn_file.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_user_module modules/mod_authz_user.so +LoadModule authz_core_module modules/mod_authz_core.so +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule auth_basic_module modules/mod_auth_basic.so +LoadModule reqtimeout_module modules/mod_reqtimeout.so +LoadModule filter_module modules/mod_filter.so +LoadModule mime_module modules/mod_mime.so +LoadModule log_config_module modules/mod_log_config.so +LoadModule env_module modules/mod_env.so +LoadModule headers_module modules/mod_headers.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule version_module modules/mod_version.so +LoadModule proxy_module modules/mod_proxy.so +LoadModule proxy_http_module modules/mod_proxy_http.so +LoadModule ssl_module modules/mod_ssl.so +LoadModule proxy_http2_module modules/mod_proxy_http2.so +LoadModule unixd_module modules/mod_unixd.so +LoadModule status_module modules/mod_status.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule dir_module modules/mod_dir.so +LoadModule alias_module modules/mod_alias.so +LoadModule rewrite_module modules/mod_rewrite.so +LoadModule http2_module modules/mod_http2.so + +ServerRoot "/usr/local/apache2" +LogLevel debug +ErrorLog /proc/self/fd/2 +CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" + +ServerName my.domain +Listen 80 +Listen 443 + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + + + RewriteEngine On + RewriteCond %{HTTPS} off + RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + + + + ProxyPreserveHost On + SSLEngine on + SSLProxyEngine on 
+ SSLCertificateFile /certs/server.crt + SSLCertificateKeyFile /certs/server.key + ProxyPass / h2://localhost:8080/ + +``` + +## TLS mode disabled + +``` +LoadModule mpm_event_module modules/mod_mpm_event.so +LoadModule authn_file_module modules/mod_authn_file.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_user_module modules/mod_authz_user.so +LoadModule authz_core_module modules/mod_authz_core.so +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule auth_basic_module modules/mod_auth_basic.so +LoadModule reqtimeout_module modules/mod_reqtimeout.so +LoadModule filter_module modules/mod_filter.so +LoadModule mime_module modules/mod_mime.so +LoadModule log_config_module modules/mod_log_config.so +LoadModule env_module modules/mod_env.so +LoadModule headers_module modules/mod_headers.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule version_module modules/mod_version.so +LoadModule proxy_module modules/mod_proxy.so +LoadModule proxy_http_module modules/mod_proxy_http.so +LoadModule ssl_module modules/mod_ssl.so +LoadModule proxy_http2_module modules/mod_proxy_http2.so +LoadModule unixd_module modules/mod_unixd.so +LoadModule status_module modules/mod_status.so +LoadModule autoindex_module modules/mod_autoindex.so +LoadModule dir_module modules/mod_dir.so +LoadModule alias_module modules/mod_alias.so +LoadModule rewrite_module modules/mod_rewrite.so + +ServerRoot "/usr/local/apache2" +LogLevel warn +ErrorLog /proc/self/fd/2 +CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" + +ServerName my.domain +Listen 80 + + + ServerName my.domain + ProxyPreserveHost On + ProxyPass / h2c://localhost:8080/ + ProxyPassReverse / h2c://localhost:8080/ + +``` 
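Review bot: The "TLS mode external" example sets `SSLCertificateFile` and `SSLCertificateKeyFile` for the 443 listener but has no `SSLEngine on`, which the "TLS mode enabled" example does have, so as written that listener would not terminate TLS; add `SSLEngine on` next to the certificate directives. The virtual-host tags are not visible in this rendering, so this is judged from the directives alone. The "TLS mode enabled" example also ships `LogLevel debug` where the other two use `warn`; `LogLevel warn` is the better default for a config people will copy in front of an identity provider. In both HTTP-to-HTTPS redirects the target is built from the client-supplied Host header via `%{HTTP_HOST}`; pinning it to the configured name, `RewriteRule (.*) https://my.domain%{REQUEST_URI} [R=301,L]`, avoids redirecting to whatever host the request names. With `SSLProxyEngine on`, it would help to say how the backend certificate is verified (for example `SSLProxyVerify` with a CA file), since the example leaves that unstated.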
diff --git a/docs/docs/guides/manage/self-hosted/reverseproxy/_nginx.mdx b/docs/docs/guides/manage/self-hosted/reverseproxy/_nginx.mdx index 57c0476980..aa738ffc61 100644 --- a/docs/docs/guides/manage/self-hosted/reverseproxy/_nginx.mdx +++ b/docs/docs/guides/manage/self-hosted/reverseproxy/_nginx.mdx @@ -1,6 +1,6 @@ ## TLS mode external -```bash +``` worker_processes 1; events { worker_connections 1024; @@ -12,7 +12,7 @@ http { ssl_certificate ssl/certificate.pem; ssl_certificate_key ssl/key.pem; - + location / { grpc_pass grpc://localhost:8080; grpc_set_header Host $host; @@ -33,7 +33,7 @@ with ## TLS mode enabled -```bash +``` worker_processes 1; events { worker_connections 1024; @@ -45,7 +45,7 @@ http { ssl_certificate ssl/certificate.pem; ssl_certificate_key ssl/key.pem; - + location / { grpc_pass grpcs://localhost:8080; grpc_set_header Host $host; @@ -66,7 +66,7 @@ with ## TLS mode disabled -```bash +``` worker_processes 1; events { worker_connections 1024; @@ -75,7 +75,7 @@ events { http { server { listen 80; - + location / { grpc_pass grpc://localhost:8080; grpc_set_header Host $host; diff --git a/docs/docs/guides/manage/self-hosted/reverseproxy/reverse_proxy.mdx b/docs/docs/guides/manage/self-hosted/reverseproxy/reverse_proxy.mdx index 6ddaf1edf2..c94c4cdcd8 100644 --- a/docs/docs/guides/manage/self-hosted/reverseproxy/reverse_proxy.mdx +++ b/docs/docs/guides/manage/self-hosted/reverseproxy/reverse_proxy.mdx @@ -8,6 +8,7 @@ import Zcloud from "./_zitadel_cloud.mdx"; import Nginx from "./_nginx.mdx"; import Traefik from "./_traefik.mdx"; import Caddy from "./_caddy.mdx"; +import Httpd from "./_httpd.mdx"; import Cftunnel from "./_cloudflare_tunnel.mdx"; import Cloudflare from "./_cloudflare.mdx"; import More from "./_more.mdx"; 
@@ -22,6 +23,7 @@ import More from "./_more.mdx"; { label: "NGINX", value: "nginx" }, { label: "Traefik", value: "traefik" }, { label: "Caddy", value: "caddy" }, + { label: "Apache httpd", value: "httpd" }, { label: "Cloudflare Tunnel", value: "cftunnel" }, { label: "Cloudflare", value: "cf" }, ]} @@ -42,6 +44,10 @@ import More from "./_more.mdx"; + + + +