update configuration docker setup for data platform
391
01-infra/nginx-configs/nginx-proxy-manager-guide.md
Normal file
@@ -0,0 +1,391 @@
|
||||
# Nginx Proxy Manager - Setup Guide
|
||||
|
||||
คู่มือการตั้งค่า Nginx Proxy Manager สำหรับ Sriphat Data Platform
|
||||
|
||||
## 📋 ข้อมูล Services
|
||||
|
||||
| Service | Subpath | Container Name | Port | Status |
|
||||
|---------|---------|----------------|------|--------|
|
||||
| API Service | `/apiservice` | apiservice | 8000 | ✅ Active |
|
||||
| Supabase Studio | `/supabase` | sdp-studio | 3000 | ✅ Active |
|
||||
| Supabase API | `/supabase-api` | sdp-kong | 8000 | ✅ Active |
|
||||
| Keycloak | `/keycloak` | keycloak | 8080 | ✅ Active |
|
||||
| Superset | `/superset` | superset | 8088 | ✅ Active |
|
||||
| Airflow | `/airflow` | airflow-webserver | 8080 | ⚠️ Optional |
|
||||
| DBT Docs | `/dbt` | dbt-docs | 8080 | ⚠️ Optional |
|
||||
|
||||
## 🚀 Quick Start
|
||||
|
||||
### 1. เข้า Nginx Proxy Manager
|
||||
|
||||
```
|
||||
URL: http://192.168.100.9:8021
|
||||
Default Login:
|
||||
Email: admin@example.com
|
||||
Password: changeme
|
||||
```
|
||||
|
||||
**⚠️ เปลี่ยน password ทันทีหลัง login ครั้งแรก!**
|
||||
|
||||
### 2. สร้าง Proxy Host
|
||||
|
||||
1. คลิก **Proxy Hosts** → **Add Proxy Host**
|
||||
2. กรอกข้อมูล:
|
||||
|
||||
**Tab: Details**
|
||||
```
|
||||
Domain Names: ai.sriphat.com
|
||||
Scheme: http
|
||||
Forward Hostname/IP: localhost
|
||||
Forward Port: 80
|
||||
```
|
||||
|
||||
**Tab: Advanced**
|
||||
- Copy config จาก `complete-example.conf` ทั้งหมด
|
||||
- Paste ลงใน **Custom Nginx Configuration**
|
||||
|
||||
3. กด **Save**
|
||||
|
||||
### 3. ตั้งค่า SSL (Production)
|
||||
|
||||
**Tab: SSL**
|
||||
```
|
||||
☑ Request a new SSL Certificate with Let's Encrypt
|
||||
☑ Force SSL
|
||||
☑ HTTP/2 Support
|
||||
☑ HSTS Enabled
|
||||
|
||||
Email: your-email@example.com
|
||||
```
|
||||
|
||||
กด **Save**
|
||||
|
||||
## 📝 การใช้งานแบบละเอียด
|
||||
|
||||
### วิธีที่ 1: ใช้ Complete Config (แนะนำ)
|
||||
|
||||
**ข้อดี:**
|
||||
- ตั้งค่าครั้งเดียว ได้ทุก service
|
||||
- ง่ายต่อการจัดการ
|
||||
- Consistent configuration
|
||||
|
||||
**ขั้นตอน:**
|
||||
1. สร้าง Proxy Host ตาม Quick Start
|
||||
2. Copy `complete-example.conf` ไปวางใน Advanced tab
|
||||
3. Save
|
||||
|
||||
### วิธีที่ 2: แยก Config แต่ละ Service
|
||||
|
||||
**ข้อดี:**
|
||||
- ควบคุมแต่ละ service ได้อิสระ
|
||||
- ง่ายต่อการ debug
|
||||
- สามารถตั้งค่า SSL แยกกันได้
|
||||
|
||||
**ขั้นตอน:**
|
||||
|
||||
#### API Service
|
||||
```
|
||||
Domain: api.sriphat.com
|
||||
Forward: apiservice:8000
|
||||
Advanced: ใช้ config จาก apiservice.conf
|
||||
```
|
||||
|
||||
#### Supabase Studio
|
||||
```
|
||||
Domain: supabase.sriphat.com
|
||||
Forward: sdp-studio:3000
|
||||
Advanced: ใช้ config จาก supabase-studio.conf
|
||||
```
|
||||
|
||||
#### Keycloak
|
||||
```
|
||||
Domain: auth.sriphat.com
|
||||
Forward: keycloak:8080
|
||||
Advanced: ใช้ config จาก keycloak.conf
|
||||
```
|
||||
|
||||
#### Superset
|
||||
```
|
||||
Domain: bi.sriphat.com
|
||||
Forward: superset:8088
|
||||
Advanced: ใช้ config จาก superset.conf
|
||||
```
|
||||
|
||||
## 🔧 Configuration Details
|
||||
|
||||
### API Service (`/apiservice`)
|
||||
|
||||
**สิ่งสำคัญ:**
|
||||
```nginx
|
||||
proxy_set_header X-Script-Name /apiservice;
|
||||
proxy_cookie_path / /apiservice/;
|
||||
```
|
||||
|
||||
**ทำไม:**
|
||||
- FastAPI ต้องรู้ว่าทำงานภายใต้ subpath
|
||||
- Session cookies ต้อง scope ถูกต้อง
|
||||
|
||||
### Keycloak (`/keycloak`)
|
||||
|
||||
**สิ่งสำคัญ:**
|
||||
```nginx
|
||||
proxy_set_header X-Forwarded-Prefix /keycloak;
|
||||
proxy_cookie_path / /keycloak/;
|
||||
```
|
||||
|
||||
**ทำไม:**
|
||||
- Keycloak ใช้ X-Forwarded-Prefix สำหรับ redirect URLs
|
||||
- Authentication flow ต้องการ cookie path ที่ถูกต้อง
|
||||
|
||||
### Supabase Studio (`/supabase`)
|
||||
|
||||
**สิ่งสำคัญ:**
|
||||
```nginx
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
```
|
||||
|
||||
**ทำไม:**
|
||||
- Supabase Studio ใช้ WebSocket สำหรับ real-time features
|
||||
- ต้อง support HTTP/1.1 upgrade
|
||||
|
||||
### Superset (`/superset`)
|
||||
|
||||
**สิ่งสำคัญ:**
|
||||
```nginx
|
||||
proxy_connect_timeout 300s;
|
||||
proxy_send_timeout 300s;
|
||||
proxy_read_timeout 300s;
|
||||
```
|
||||
|
||||
**ทำไม:**
|
||||
- Dashboard queries อาจใช้เวลานาน
|
||||
- ต้องการ timeout ที่สูงกว่าปกติ
|
||||
|
||||
## 🐛 Troubleshooting
|
||||
|
||||
### 502 Bad Gateway
|
||||
|
||||
**สาเหตุ:**
|
||||
- Backend service ไม่ทำงาน
|
||||
- Network configuration ผิด
|
||||
|
||||
**วิธีแก้:**
|
||||
```bash
|
||||
# ตรวจสอบ service
|
||||
docker ps | grep <service-name>
|
||||
|
||||
# ตรวจสอบ network
|
||||
docker network inspect shared_data_network
|
||||
|
||||
# ดู logs
|
||||
docker logs <service-name>
|
||||
docker logs nginx-proxy-manager
|
||||
```
|
||||
|
||||
### 404 Not Found
|
||||
|
||||
**สาเหตุ:**
|
||||
- Path rewriting ไม่ถูกต้อง
|
||||
- Backend ไม่ support subpath
|
||||
|
||||
**วิธีแก้:**
|
||||
```nginx
|
||||
# ตรวจสอบ rewrite rule
|
||||
rewrite ^/apiservice(/.*)$ $1 break;
|
||||
|
||||
# ดู nginx logs
|
||||
docker exec nginx-proxy-manager tail -f /data/logs/proxy-host-*.log
|
||||
```
|
||||
|
||||
### Redirect Loop
|
||||
|
||||
**สาเหตุ:**
|
||||
- Cookie path ไม่ถูกต้อง
|
||||
- X-Forwarded-* headers ขาดหาย
|
||||
|
||||
**วิธีแก้:**
|
||||
```nginx
|
||||
# เพิ่ม headers
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
|
||||
# ตั้งค่า cookie path
|
||||
proxy_cookie_path / /apiservice/;
|
||||
```
|
||||
|
||||
### WebSocket Connection Failed
|
||||
|
||||
**สาเหตุ:**
|
||||
- ไม่มี WebSocket headers
|
||||
- HTTP version ไม่ถูกต้อง
|
||||
|
||||
**วิธีแก้:**
|
||||
```nginx
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
```
|
||||
|
||||
### Session Lost After Refresh
|
||||
|
||||
**สาเหตุ:**
|
||||
- Cookie path ไม่ match กับ URL path
|
||||
- SameSite cookie policy
|
||||
|
||||
**วิธีแก้:**
|
||||
```nginx
|
||||
proxy_cookie_path / /apiservice/;
|
||||
proxy_cookie_flags ~ secure samesite=lax;
|
||||
```
|
||||
|
||||
## 🔐 Security Best Practices
|
||||
|
||||
### 1. เปลี่ยน Default Password
|
||||
```
|
||||
Settings → Users → Edit admin user
|
||||
```
|
||||
|
||||
### 2. ใช้ HTTPS ใน Production
|
||||
```
|
||||
SSL Tab → Request a new SSL Certificate
|
||||
☑ Force SSL
|
||||
☑ HSTS Enabled
|
||||
```
|
||||
|
||||
### 3. ตั้งค่า Access Lists
|
||||
```
|
||||
Access Lists → Add Access List
|
||||
- Whitelist IP addresses
|
||||
- Basic authentication
|
||||
- Apply to sensitive services (Keycloak Admin, Superset)
|
||||
```
|
||||
|
||||
### 4. Enable Rate Limiting
|
||||
```nginx
|
||||
# ใน Custom Nginx Configuration
|
||||
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
|
||||
limit_req zone=api_limit burst=20 nodelay;
|
||||
```
|
||||
|
||||
### 5. Hide Nginx Version
|
||||
```nginx
|
||||
# ใน Custom Nginx Configuration
|
||||
server_tokens off;
|
||||
```
|
||||
|
||||
## 📊 Monitoring
|
||||
|
||||
### ดู Logs
|
||||
|
||||
**ใน Nginx Proxy Manager UI:**
|
||||
```
|
||||
Proxy Hosts → Click on host → Logs tab
|
||||
```
|
||||
|
||||
**ใน Docker:**
|
||||
```bash
|
||||
# Nginx Proxy Manager logs
|
||||
docker logs nginx-proxy-manager -f
|
||||
|
||||
# Access logs
|
||||
docker exec nginx-proxy-manager tail -f /data/logs/proxy-host-*.log
|
||||
|
||||
# Error logs
|
||||
docker exec nginx-proxy-manager tail -f /data/logs/error.log
|
||||
```
|
||||
|
||||
### Health Checks
|
||||
|
||||
```bash
|
||||
# ตรวจสอบ Nginx Proxy Manager
|
||||
curl http://192.168.100.9:8021
|
||||
|
||||
# ตรวจสอบ services ผ่าน proxy
|
||||
curl http://ai.sriphat.com/apiservice/docs
|
||||
curl http://ai.sriphat.com/supabase
|
||||
curl http://ai.sriphat.com/keycloak
|
||||
```
|
||||
|
||||
## 🔄 Backup & Restore
|
||||
|
||||
### Backup Configuration
|
||||
|
||||
```bash
|
||||
# Backup Nginx Proxy Manager data
|
||||
cd /path/to/01-infra
|
||||
tar -czf npm-backup-$(date +%Y%m%d).tar.gz data/
|
||||
|
||||
# Backup specific configs
|
||||
docker exec nginx-proxy-manager tar -czf /tmp/configs.tar.gz /data/nginx
|
||||
docker cp nginx-proxy-manager:/tmp/configs.tar.gz ./npm-configs-backup.tar.gz
|
||||
```
|
||||
|
||||
### Restore Configuration
|
||||
|
||||
```bash
|
||||
# Stop Nginx Proxy Manager
|
||||
docker compose down
|
||||
|
||||
# Restore data
|
||||
tar -xzf npm-backup-YYYYMMDD.tar.gz
|
||||
|
||||
# Start Nginx Proxy Manager
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
## 📚 Additional Resources
|
||||
|
||||
- [Nginx Proxy Manager Docs](https://nginxproxymanager.com/guide/)
|
||||
- [Nginx Reverse Proxy Guide](https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/)
|
||||
- [Let's Encrypt SSL](https://letsencrypt.org/getting-started/)
|
||||
|
||||
## 💡 Tips & Tricks
|
||||
|
||||
### 1. Test Config Before Applying
|
||||
```bash
|
||||
# Test nginx config
|
||||
docker exec nginx-proxy-manager nginx -t
|
||||
```
|
||||
|
||||
### 2. Reload Without Restart
|
||||
```bash
|
||||
# Reload nginx (no downtime)
|
||||
docker exec nginx-proxy-manager nginx -s reload
|
||||
```
|
||||
|
||||
### 3. View Current Config
|
||||
```bash
|
||||
# View active nginx config
|
||||
docker exec nginx-proxy-manager cat /etc/nginx/nginx.conf
|
||||
```
|
||||
|
||||
### 4. Debug Mode
|
||||
```nginx
|
||||
# เพิ่มใน Custom Nginx Configuration
|
||||
error_log /data/logs/error.log debug;
|
||||
```
|
||||
|
||||
### 5. Custom Error Pages
|
||||
```nginx
|
||||
# เพิ่มใน Custom Nginx Configuration
|
||||
error_page 502 503 504 /50x.html;
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
```
|
||||
|
||||
## 🎯 Production Checklist
|
||||
|
||||
- [ ] เปลี่ยน default admin password
|
||||
- [ ] ตั้งค่า SSL certificate (Let's Encrypt)
|
||||
- [ ] Enable Force SSL
|
||||
- [ ] Enable HSTS
|
||||
- [ ] ตั้งค่า Access Lists สำหรับ admin panels
|
||||
- [ ] Enable rate limiting
|
||||
- [ ] Hide server tokens
|
||||
- [ ] ตั้งค่า backup schedule
|
||||
- [ ] Test all services ผ่าน proxy
|
||||
- [ ] Monitor logs สำหรับ errors
|
||||
- [ ] Document custom configurations
|
||||
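Review bot: under "4. Enable Rate Limiting", `limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;` is documented as going into Custom Nginx Configuration, but nginx accepts `limit_req_zone` only in the `http` context, and this guide uses that same field for `location = /50x.html { ... }` and `rewrite ... break;`, which belong at server level or lower. Pasted as shown, the host config would not pass the `nginx -t` check from Tips & Tricks. Suggest stating where the zone definition belongs at http level and keeping only `limit_req zone=api_limit burst=20 nodelay;` in the per-host snippet. Smaller point in "404 Not Found": the `nginx` fence mixes a `docker exec ... tail -f` shell command with the `rewrite` directive; move it into its own `bash` fence so it is not pasted into the proxy config.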