Nginx config for Rpi self-hosted

#1

It took me a while to figure out how to configure it properly but it’s working now!

First, I don’t use “gBridge” in my config as explained in the documentation because the Auth page for Google always redirects to https://YOUR-WEBSERVER’S-ADDRESS/gapi/auth so it’s a dead end for me.

So when creating your Google action, use the https://YOUR-WEBSERVER’S-ADDRESS/gapi link, and for the linking use https://YOUR-WEBSERVER’S-ADDRESS/gapi/auth

For the nginx, I use this:

server {
    listen 80;
    listen 127.0.0.1;
    index index.php index.html;
    root /var/www/public;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass web-fpm:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        gzip_static on;
    }
}

server {
    listen 443 ssl;

    #usually your public DNS name
    server_name YOUR-WEBSERVER'S-ADDRESS;

    #SSL-settings and generic server options here
    #YOUR SSL certificate parameters

    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;

    proxy_ssl_session_reuse off;

    #the IP of the Docker host gBridge is running on
    set $gbridge_host 127.0.0.1;
    #the port is 80 because you're already in the container
    set $gbridge_port 80;
    location ~ ^/gapi/(.*)$ {
        #public access to the account dashboard is disabled for security reasons
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://$gbridge_host:$gbridge_port/gapi/$1$is_args$args;
    }

    location ~ ^/gapi {
        #public access to the account dashboard is disabled for security reasons
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://$gbridge_host:$gbridge_port/gapi;
    }
}

I’m not an nginx expert; maybe the 2 locations can be merged, but due to the parameters (token…) used by Google on the auth page, I had to implement it like this.

For the docker-compose, I followed this post till the last comment: https://github.com/kservices/gBridge-docker/issues/1

And now it’s running perfectly!!

@peter will the containers be updated? The arm32 too?

0 Likes

#2

Can you make a short tutorial on how you made it work? I have spent more than one week on this and it makes me so angry.
I just want to have a standalone gBridge.

0 Likes

#3

First, the prerequisites (from here):
The following points need to be satisfied in order to host your own instance of gBridge.

  • Availability of a (web-) server that is running constantly. Docker needs to be installed. A Raspberry Pi should have plenty of power for this purpose.
  • A webserver is running, available and configured, one needs to be available to access it publicly. A static domain (e.g. provided by a DDNS provider) has to be configured for your server, too.
  • Your webserver needs to be configured for HTTPS. A valid, signed certificate must be served via HTTPS. This should be no problem nowadays since one can get free certificates, e.g. from Let’s Encrypt.
  • An MQTT server needs to be available in your network.

Next, please follow the instructions in the documentation.
When creating the project under google action, use the link https://YOUR-WEBSERVER'S-ADDRESS/gapi/auth in the Set up account linking part and for the Add action fulfillment use https://YOUR-WEBSERVER'S-ADDRESS/gapi

For the docker compose file, use the generator and insert the environment data in the following docker-compose.yml:

version: '3'
networks:
   backend:
      driver: bridge
   web_frontend:
      driver: bridge
services:
   web:
      image: 'pkap/gbridge-web-nginx:arm32v6-latest'
      restart: always
      ports:
         - '8080:80'
         - '443:443'
      environment: &webapp-environment
         ######YOUR ENVIRONMENT DATAS######
      links:
         - database
         - cache
         - web-fpm
      depends_on:
         - database
         - cache
         - web-fpm
      networks:
         - web_frontend
         - backend
      volumes:
         - websrc:/var/www
         - /opt/gbridge/gbridge.conf:/etc/nginx/conf.d/default.conf:ro
         - /home/pi:/home/pi
   web-fpm:
      image: pkap/gbridge-web-fpm:arm32v6-latest
      container_name: web-fpm
      restart: always
      networks:
         - backend
      volumes:
         - websrc:/var/www
      environment: *webapp-environment
   redis-worker:
      image: 'pkap/gbridge-redis-worker:arm32v6-latest'
      restart: always
      environment:
         ######YOUR ENVIRONMENT DATAS######
      networks:
         - backend
      links:
         - cache
      depends_on:
         - cache
   database:
      image: 'williamdes/docker-mariadb-debian:10.2.10-armhf'
      restart: always
      environment:
         ######YOUR ENVIRONMENT DATAS######
      expose:
         - '3306'
      networks:
         - backend
   cache:
      image: 'redis:4'
      restart: always
      expose:
         - '6379'
      networks:
         - backend

volumes:
   websrc:

For the volumes of the web service:

  • /opt/gbridge/ is where I put the yml file. In this folder, I have docker-compose.yml and gbridge.conf. gbridge.conf contains the nginx configuration.
  • /home/pi is where I put my ssh certificate files for the nginx configuration of the HTTPS.

When this configuration is done, you can continue by running the docker images.
Try the web interface to know if it’s okay. In my case, it is the web interface on http://ip:8080 to configure the devices and https://ip/gapi/auth to check the certificate and the page Google will use to authenticate.

I hope this will help you. I made my configuration several months ago and it took me a while to figure all of this out.

0 Likes

#4

Thank you for your tutorial, but there is still missing information.
For the Google action, it’s OK.
For the docker file, not really.
What is the web-fpm image?
What is inside the webapp-environment?
What is the webapp-environment inside the mariadb images?
Can you show your nginx config file (gbridge.conf)?
How do you generate your certificates and how do you renew them?
Is the https web server working on docker?
How does the redirection work?
Regards

0 Likes

#5

I’m not a docker expert but my understanding is that the docker image peter created was not suitable for arm32 so he created 2 images: gbridge-web-nginx & gbridge-web-fpm. You can have details on the github.

For the environment, generate a docker file with the tool provided. You’ll see what is inside.

I don’t have access to my nginx config, I’ll send it later, but most of it is in the 1st post; I just removed the certificate part as it’s not linked to gBridge.
I generate my certificate with my NAS but there are a lot of tutorials on how to generate certificate files with Let’s Encrypt.
The web image manages the webserver, the https is routed to the http internally and web-fpm manages the PHP part.

0 Likes

#6

Here is my full nginx config file with my certificate:

server {
    listen 80;
    listen 127.0.0.1;
    index index.php index.html;
    root /var/www/public;

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass web-fpm:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    location / {
        try_files $uri $uri/ /index.php?$query_string;
        gzip_static on;
    }
}

server {
    listen 443 ssl;

    #usually your public DNS name
    server_name XXXXXXX.com;

    #SSL-settings and generic server options here
    ssl_certificate           /home/pi/cert.pem;
    ssl_certificate_key       /home/pi/privkey.pem;
    ssl_trusted_certificate   /home/pi/chain.pem;
    ssl_dhparam               /home/pi/dhparam4096.pem;

    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;

    proxy_ssl_session_reuse off;

    #the IP of the Docker host gBridge is running on
    set $gbridge_host 127.0.0.1;
    #the port you've defined for the gBridge web interface
    set $gbridge_port 80;

    location ~ ^/gapi/(.*)$ {
        #public access to the account dashboard is disabled for security reasons
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://$gbridge_host:$gbridge_port/gapi/$1$is_args$args;
    }

    location ~ ^/gapi {
        #public access to the account dashboard is disabled for security reasons
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://$gbridge_host:$gbridge_port/gapi;
    }
}

0 Likes
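
The HTTPS server block from post #6 in a hardened form, as an added example that is not part of the thread and not the gBridge project's own configuration. It assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later for TLSv1.3, reuses the redacted server name and certificate paths from the post, and the catch-all `location /` is an addition.

```nginx
server {
    listen 443 ssl;

    # redacted public DNS name, as in the post
    server_name XXXXXXX.com;

    # Paths as in the post. The ssl_certificate file must hold the server
    # certificate followed by its intermediates: that file is what clients
    # receive. ssl_trusted_certificate is never sent to clients.
    ssl_certificate           /home/pi/cert.pem;
    ssl_certificate_key       /home/pi/privkey.pem;
    ssl_trusted_certificate   /home/pi/chain.pem;
    ssl_dhparam               /home/pi/dhparam4096.pem;

    # Weak setting from the post: TLS 1.0 and 1.1 are deprecated (RFC 8996).
    # ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
    # Corrected (assumption: the build supports TLSv1.3; otherwise keep
    # only TLSv1.2):
    ssl_protocols             TLSv1.2 TLSv1.3;

    # One location replaces the two regex locations. It matches /gapi and
    # /gapi/... but not /gapifoo, which the original "^/gapi" also matched.
    # proxy_pass without a URI part forwards the request URI exactly as the
    # client sent it, so the parameters Google adds on /gapi/auth are kept
    # without rebuilding them from $1$is_args$args.
    location ~ ^/gapi(/|$) {
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # the port-80 server block in the same container
        proxy_pass http://127.0.0.1:80;
    }

    # Added: refuse everything else on the public listener, so only the
    # /gapi endpoints are reachable from outside.
    location / {
        return 404;
    }
}
```

After editing, `nginx -t` inside the web container checks the syntax before a reload.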

#7

It is still not working.
I don’t know what you have in your environment: *webapp-environment for the web-fpm container.
I left this empty. I start the container but get no response when I try to reach the website (192.168.x.x) or (https://192.168.x.x).
When I try to run “docker-compose exec web-fpm php artisan migrate”
I have this error


This is my docker-compose.yml

version: '3'
networks:
   backend:
      driver: bridge
   web_frontend:
      driver: bridge
services:
   web:
      image: 'pkap/gbridge-web-nginx:arm32v6-latest'
      restart: always
      ports:
         - '8080:80'
         - '443:443'
      environment:
         APP_ENV: production
         APP_KEY: '-----------My API------------'
         APP_DEBUG: 'false'
         APP_LOG_LEVEL: warning
         APP_URL: 'http://192.168.2.16'
         DB_CONNECTION: mysql
         DB_HOST: database
         DB_PORT: 3306
         DB_DATABASE: gbridge_db
         DB_USERNAME: gbridge_db
         DB_PASSWORD: toto
         BROADCAST_DRIVER: log
         CACHE_DRIVER: file
         SESSION_DRIVER: file
         SESSION_LIFETIME: 120
         QUEUE_DRIVER: sync
         REDIS_HOST: cache
         REDIS_PASSWORD: 'null'
         REDIS_PORT: '6379'
         MAIL_DRIVER: smtp
         MAIL_HOST: ERROR
         MAIL_PORT: ERROR
         MAIL_USERNAME: ERROR
         MAIL_PASSWORD: ERROR
         MAIL_ENCRYPTION: ERROR
         GOOGLE_CLIENTID: '---Client ID---'
         GOOGLE_PROJECTID: '---My project ID---'
      links:
         - database
         - cache
         - web-fpm
      depends_on:
         - database
         - cache
         - web-fpm
      networks:
         - web_frontend
         - backend
      volumes:
         - websrc:/var/www
         - /opt/gbridge/gbridge.conf:/etc/nginx/conf.d/default.conf:ro
         - /home/pi:/home/pi
   web-fpm:
      image: pkap/gbridge-web-fpm:arm32v6-latest
      container_name: web-fpm
      restart: always
      networks:
         - backend
      volumes:
         - websrc:/var/www
   redis-worker:
      image: 'pkap/gbridge-redis-worker:arm32v6-latest'
      restart: always
      environment:
         GBRIDGE_REDISWORKER_REDIS: 'redis://cache:6379'
         GBRIDGE_REDISWORKER_MQTT: 'mqtt://192.168.2.50:'
         GBRIDGE_REDISWORKER_MQTTUSER: ""
         GBRIDGE_REDISWORKER_MQTTPASSWORD: ""
         GBRIDGE_REDISWORKER_HOMEGRAPHKEY: --- My API HOMEGRAPH ---
      networks:
         - backend
      links:
         - cache
      depends_on:
         - cache
   database:
      image: 'williamdes/docker-mariadb-debian:10.2.10-armhf'
      restart: always
      environment:
         MYSQL_RANDOM_ROOT_PASSWORD: 'false'
         MYSQL_DATABASE: gbridge_db
         MYSQL_USER: gbridge_db
         MYSQL_PASSWORD: toto
      expose:
         - '3306'
      networks:
         - backend
   cache:
      image: 'redis:4'
      restart: always
      expose:
         - '6379'
      networks:
         - backend

volumes:
   websrc:

I want to thank you for the time you spend helping the community.
If I make it work, I will post a video on YouTube to explain how to do gBridge self-hosted.

0 Likes

#8

If you have a look at my docker compose file, you’ll see that the environment is shared between the two gbridge images.
You must have a “&webapp-environment” on the environment line of gbridge-web-nginx and “environment: *webapp-environment” for gbridge-web-fpm

Before trying the migration, did you have a look at the logs of the running images?
By running “docker-compose up”, you could see what is happening and search for errors.

0 Likes

#9

Still not working.
When I try to connect locally on localIP:8080 I have this message
“Whoops, looks like something went wrong” and these logs

web_1           | 192.168.2.12 - - [08/Jun/2019:08:57:41 +0000] "GET / HTTP/1.1" 500 1470 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0" "-"
web-fpm         | 172.20.0.3 -  08/Jun/2019:08:57:41 +0000 "GET /index.php" 500

Same problem with https.
Can you show me the environment you set in your docker-compose.yml?
Can you post all your files without credentials, please?
Can you explain how you create your own self-signed certificate without Let’s Encrypt?
Thank you

0 Likes

#10

Not sure it will help:

version: '3'
networks:
   backend:
      driver: bridge
   web_frontend:
      driver: bridge
services:
   web:
      image: 'pkap/gbridge-web-nginx:arm32v6-latest'
      restart: always
      ports:
         - '8080:80'
         - '443:443'
      environment: &webapp-environment
         APP_ENV: production
         APP_KEY: '-----------My API------------'
         APP_DEBUG: 'false'
         APP_LOG_LEVEL: warning
         APP_URL: 'http://localhost'
         DB_CONNECTION: mysql
         DB_HOST: database
         DB_PORT: 3306
         DB_DATABASE: gbridge_db
         DB_USERNAME: gbridge_db
         DB_PASSWORD: --- db passwd ---
         BROADCAST_DRIVER: log
         CACHE_DRIVER: file
         SESSION_DRIVER: file
         SESSION_LIFETIME: 120
         QUEUE_DRIVER: sync
         REDIS_HOST: cache
         REDIS_PASSWORD: 'null'
         REDIS_PORT: '6379'
         MAIL_DRIVER: smtp
         MAIL_HOST: ERROR
         MAIL_PORT: ERROR
         MAIL_USERNAME: ERROR
         MAIL_PASSWORD: ERROR
         MAIL_ENCRYPTION: ERROR
         GOOGLE_CLIENTID: ---Client ID---
         GOOGLE_PROJECTID: '---My project ID---'
      links:
         - database
         - cache
         - web-fpm
      depends_on:
         - database
         - cache
         - web-fpm
      networks:
         - web_frontend
         - backend
      volumes:
         - websrc:/var/www
         - /opt/gbridge/gbridge.conf:/etc/nginx/conf.d/default.conf:ro
         - /home/pi:/home/pi
   web-fpm:
      image: pkap/gbridge-web-fpm:arm32v6-latest
      container_name: web-fpm
      restart: always
      networks:
         - backend
      volumes:
         - websrc:/var/www
      environment: *webapp-environment
   redis-worker:
      image: 'pkap/gbridge-redis-worker:arm32v6-latest'
      restart: always
      environment:
         GBRIDGE_REDISWORKER_REDIS: 'redis://cache:6379'
         GBRIDGE_REDISWORKER_MQTT: 'mqtt://192.168.1.3:1883'
         GBRIDGE_REDISWORKER_MQTTUSER: ""
         GBRIDGE_REDISWORKER_MQTTPASSWORD: ""
         GBRIDGE_REDISWORKER_HOMEGRAPHKEY: --- My API HOMEGRAPH ---
      networks:
         - backend
      links:
         - cache
      depends_on:
         - cache
   database:
      image: 'williamdes/docker-mariadb-debian:10.2.10-armhf'
      restart: always
      environment:
         MYSQL_RANDOM_ROOT_PASSWORD: 'true'
         MYSQL_DATABASE: gbridge_db
         MYSQL_USER: gbridge_db
         MYSQL_PASSWORD: --- db passwd ---
      expose:
         - '3306'
      networks:
         - backend
   cache:
      image: 'redis:4'
      restart: always
      expose:
         - '6379'
      networks:
         - backend


volumes:
   websrc:

0 Likes

#11

Maybe you should try to remove all the images and volume and start from scratch.

sudo docker-compose rm -f web redis-worker web-fpm database cache
sudo docker volume rm gbridge_websrc

and restart
sudo docker-compose up

0 Likes