Containerisation
Reverse proxy
The proxy receives all connections on TCP ports 80 and 443 and routes the requests to services listening on high-numbered ports.
Adding new services
New services are registered with the reverse proxy by adding a server configuration file.
- Add the configuration file.
- Restart the reverse proxy.
TLS
The proxy has a Let's Encrypt TLS certificate for each service that uses a public domain name.
The proxy automatically renews the certificates using an HTTP-01 challenge: Let's Encrypt's ACME server fetches a challenge text file over plain HTTP from the domain, which proves that whoever requested the certificate controls the server the domain name points to.
The proxy generates a separate certificate for each domain; certificates are managed separately for each service.
Systemd services
Each service is registered as a systemd service: systemd starts the containers when the server boots and automatically restarts them when they stop.
systemd also provides a unified interface for enabling and disabling services. The exact implementation details of a service's containers are not important: they can be standalone docker images or docker compose services.
Standard service containerisation pattern
Each service will use docker compose to run its containers, even if the service only uses a single container. This simplifies maintenance because each service can use a similar docker and systemd setup.
Services can break from this pattern for a couple of reasons:
- The docker compose setup is too difficult.
- The service needs to run directly on the host.
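As an added example (not from this page or its author), a systemd unit that wraps a docker compose service in the standard pattern above; the service name `example-app` and the directory `/srv/example-app` are assumed.

```ini
# /etc/systemd/system/example-app.service  (assumed name and path)
[Unit]
Description=example-app (docker compose)
# Do not start until the Docker daemon and the network are up.
Requires=docker.service
After=docker.service network-online.target
Wants=network-online.target

[Service]
# Long-running unit: `docker compose up` stays in the foreground.
Type=simple
WorkingDirectory=/srv/example-app
# --remove-orphans removes containers left behind after compose.yml edits.
ExecStart=/usr/bin/docker compose up --remove-orphans
ExecStop=/usr/bin/docker compose down
# Restart the containers whenever they exit, after a short delay.
Restart=always
RestartSec=5
TimeoutStopSec=60

[Install]
# `systemctl enable example-app` makes it start at boot.
WantedBy=multi-user.target
```

The compose file should publish its high-numbered port on loopback only (for example `127.0.0.1:8080:80`) so the service is reachable solely through the reverse proxy and never directly from the network.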