move php serving to an nginx *inside* the docker container

doc/nginx_conf.md

-## Nginx configuration
+## Outer Nginx configuration
 
-Independantly from the backends like mysql or doors, the comex app is in two parts:
-  - the legacy php comex app
-  - the new python registration app
+The comex app is in 2 parts that are unified inside docker via an [inner nginx](https://github.com/moma/comex2/blob/master/setup/dockers/comex2_services/comex2_php_and_services.nginx.conf). However on the deployment machine (host machine that runs the dockers), we may want to have a webserver to redirect everything inside. This is the **outer** nginx exemple.
 
-A good way to make the two coexist is to use nginx as follows
 
 ### 1) Install nginx
 If you don't already have nginx on the deployment machine, follow these steps first:
@@ -18,12 +15,12 @@ sudo service nginx status
 ```
 
 
-### 2) Replace nginx conf by our *comex+reg* configuration
+### 2) Replace nginx conf by our comex2 configuration
 
 Create the conf files for comex
 ```
 cd /etc/nginx/sites-available
-sudo nano comex.conf
+sudo nano comex2_outer.conf
 ```
 
 This below is a full config exemple you can paste in nano:
@@ -31,41 +28,27 @@ This below is a full config exemple you can paste in nano:
   - it also serves registration app, in `/services/user/register`  
 
 
-```ini
+```nginxconf
 # Full server config: php comex as root and api + reg as services subpath
 # ========================================================================
 server {
     listen 80 ;
     listen [::]:80 ;
 
-    server_name communityexplorer.org;
-
-    # adapt path to your php docroot
-    root /home/me/comex2 ;
+    # server_name communityexplorer.org;
+    server_name _ ;
 
     # get the logs in a custom place
     # (adapt paths)
-    access_log /home/me/somewhere/access.log ;
-    error_log /home/me/somewhere/error.log ;
+    access_log /home/romain/comex/outer_nginx_access.log ;
+    error_log /home/romain/comex/outer_nginx_error.log ;
 
+    # independant app with its own nginx serving:
+    #     the php root on '/'
+    #     the python server on 'services/'
     location / {
-        index     index.html index.php ;
-    }
-
-    location ~ \.php$ {
-        include   snippets/fastcgi-php.conf;
-        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
-
-        # here we adapted $documentroot to our real php docroot
-        fastcgi_param SCRIPT_FILENAME /home/me/comex2/$fastcgi_script_name;
-        #                             ----------------
-    }
-
-    # no root here => independant app serving both services/user (formerly know as regcomex) and services/api (ex formerly known as comex_install)
-    # (but /locationpath must match this app's default route)
-    location /services {
-        # point to gunicorn server
-        proxy_pass http://0.0.0.0:9090;
+        # pointing to the local bridge to the dockerized nginx serving all comex2 parts
+        proxy_pass http://0.0.0.0:8080;
         proxy_redirect     off;
 
         # useful to keep track of original IP before reverse-proxy
@@ -75,15 +58,6 @@ server {
         proxy_set_header   X-Forwarded-Host $server_name;
     }
 
-    # faster static serving
-    location /static {
-        alias  /home/me/comex2/static/;
-        autoindex on;
-    }
-
-    location ~ /\.ht {
-        deny all;
-    }
 }
 ```
 
@@ -91,7 +65,7 @@ Finally, to enable the conf:
 
 ```
 cd /etc/nginx/sites-enabled
-sudo ln -s ../sites-available/regcomex.conf
+sudo ln -s ../sites-available/comex2_outer.conf
 ```
 
 **NB:**   

run.sh

 #! /bin/bash
-#
-# simple web server running services/main:app
 
-export COMEX_HOST=$(grep -oP '(?<=COMEX_HOST=).*' config/parametres_comex.ini)
-
-echo "using \$COMEX_HOST $COMEX_HOST"
+# if we're inside a docker (we're used as entrypoint)...
+if grep --quiet docker /proc/1/cgroup
+  then
+    # ... then we're also in charge of the inner nginx
+    #     (to package the php with the services below)
+    export REAL_DOCKER_HOST=$(hostname -i)
+    echo "starting nginx on $REAL_DOCKER_HOST"
+    service nginx start
+fi
 
-gunicorn -b $COMEX_HOST:9090 services.main:app
+# anyway we always need a simple web server to run the services
+export COMEX_HOST=$(grep -oP '(?<=COMEX_HOST=).*' config/parametres_comex.ini)
+export COMEX_PORT=$(grep -oP '(?<=COMEX_PORT=).*' config/parametres_comex.ini)
+echo "binding gunicorn to $COMEX_HOST:$COMEX_PORT"
+gunicorn -b $COMEX_HOST:$COMEX_PORT services.main:app

setup/dockers/comex2_services/Dockerfile

@@ -18,6 +18,13 @@ RUN apt install -y python3-pip libmysqlclient-dev git nano tree iputils-ping ngi
 RUN pip3 install --upgrade pip
 
 # for comex2 itself ----------------------------------------------------------
+# copy and symlink the nginx conf
+ADD comex2_php_and_services.nginx.conf /etc/nginx/sites-available
+WORKDIR /etc/nginx/sites-enabled
+RUN rm default
+RUN ln -s ../sites-available/comex2_php_and_services.nginx.conf
+WORKDIR /
+
 # pull the comex server from repository...
 RUN echo "updating git"
 RUN git clone https://github.com/moma/comex2.git
@@ -38,9 +45,10 @@ WORKDIR /comex2
 # gunicorn production server
 CMD bash run.sh
 
-# ports ------------------------------------------------------------------------
-# flask dev server
-# EXPOSE 5000
+# ports -----------------------------------------------------------------------
 
-# gunicorn production server
-EXPOSE 9090
+# nginx server (redirecting to php AND services)
+EXPOSE 80
+
+# TODO SSL configuration
+# EXPOSE 443

setup/dockers/comex2_services/comex2_php_and_services.nginx.conf

+# comex2 *inner* nginx server configuration
+# =========================================
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    # TODO SSL configuration
+    # listen 443 ssl default_server;
+    # listen [::]:443 ssl default_server;
+    # include snippets/snakeoil.conf;
+
+    root /comex2;
+
+    access_log /comex2/logs/inner_ngin_access.log ;
+    error_log /comex2/logs/inner_nginx_error.log ;
+
+    # we'll be using php but still index is an html file in comex2 anyway
+    index index.html;
+
+    # TODO check if this is not too permissive
+    server_name _;
+
+    location / {
+        # First attempt to serve request as file, then
+        # as directory, then fall back to displaying a 404.
+        try_files $uri $uri/ =404;
+    }
+
+    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+    #
+    location ~ \.php$ {
+        include snippets/fastcgi-php.conf;
+        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
+                fastcgi_param SCRIPT_FILENAME /comex2/$fastcgi_script_name;
+    }
+
+    # :80/services => subapp via 0.0.0.0:9090/services
+    #   - services/user (formerly known as regcomex)
+    #   - services/api  (formerly known as comex_install)
+    location /services {
+        # so we point to comex2's gunicorn server
+        proxy_pass http://0.0.0.0:9090;
+        proxy_redirect     off;
+
+        # useful to keep track of original IP before reverse-proxy
+        proxy_set_header   Host $host;
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host $server_name;
+    }
+
+    # faster static serving
+    location /static {
+        alias  /comex2/static/;
+        autoindex on;
+    }
+}

setup/dockers/docker-compose.yml

@@ -25,12 +25,15 @@
         # logs will show all that's printed to STDOUT with tty:true
         tty: true
         ports:
-         - "32790:9090"
+         # we expose the entire contained nginx
+         - "8080:80"
         links:
          - comex_db_test
         volumes:
          # /!\ this uses outside conf to replace :contained conf
          - ../../config:/comex2/config
+         # similar logic used to expose inner logs
+         - ../../logs:/comex2/logs
         environment:
             # override values from parametres_comex.ini
             # for a triple reason: