
Xwiki | Docker Swarm Stack

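version: "3.7"

# Swarm stack: nginx (TLS termination) -> xwiki (Tomcat) -> mysql.
# All three services share the pre-existing overlay network durbok-net.
# Database passwords are read from Swarm secrets instead of being written
# into this file; create the two secrets listed at the bottom before
# deploying the stack.

services:
  nginx:
    image: nginx:stable-alpine
    volumes:
      # Read-only: nginx only reads its config and the certificate/key.
      - ./nginx-conf:/etc/nginx/conf.d:ro
      - ./ssl:/etc/nginx/ssl:ro
#      - /webfolder:/var/www/html/webfolder
    networks:
      - durbok-net
    deploy:
      placement:
        constraints:
          - node.role == manager
      replicas: 1
      restart_policy:
        condition: on-failure
    ports:
      - "80:80"
      - "443:443"

  mysql:
    # NOTE(review): MySQL 5.7 is past upstream end of life; check which
    # newer MySQL releases the XWiki version in use supports.
    image: mysql:5.7
    hostname: mysql-5
    command: '--character-set-server=utf8 --collation-server=utf8_bin --explicit-defaults-for-timestamp=1'
    networks:
      - durbok-net
    deploy:
      placement:
        constraints:
          - node.role == manager
      replicas: 1
      restart_policy:
        condition: on-failure
    volumes:
      - ./db-data:/var/lib/mysql
    environment:
      # The *_FILE variants make the image read the value from the mounted
      # secret. They only take effect when ./db-data is initialised for the
      # first time; an existing data directory keeps its old passwords.
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/mysql_root_password
      MYSQL_USER: xwiki
      MYSQL_PASSWORD_FILE: /run/secrets/mysql_password
      MYSQL_DATABASE: xwiki
    secrets:
      - mysql_root_password
      - mysql_password

  xwiki:
    image: xwiki:stable-mysql-tomcat
    volumes:
      - ./xwiki-data:/usr/local/xwiki
    environment:
#      - XWIKI_VERSION=xwiki
      - DB_USER=xwiki
      - DB_PASSWORD_FILE=/run/secrets/mysql_password
      - DB_DATABASE=xwiki
      # presumably <stack name>_<service name>; matches a stack deployed
      # under the name "xwiki" - verify against the deploy command
      - DB_HOST=xwiki_mysql
#      - INDEX_HOST=xwiki-index
    secrets:
      - mysql_password
    # The original listed `networks` twice in this service; duplicate keys
    # are invalid YAML and most parsers silently keep only the last one.
    networks:
      - durbok-net
    # Publishing 8080 through the Swarm ingress exposes XWiki over plain
    # HTTP on every node and bypasses the TLS proxy. nginx reaches the
    # service over durbok-net, so the port is left unpublished.
#    ports:
#      - "8080:8080"
    deploy:
      placement:
        constraints:
          - node.role == manager
      replicas: 1
      restart_policy:
        condition: on-failure

networks:
  durbok-net:
    external: true

# Secret names are examples; they must exist in the swarm
# (docker secret create) before `docker stack deploy` is run.
secrets:
  mysql_root_password:
    external: true
  mysql_password:
    external: true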

Nginx Config Example

Nginx Configuration File
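# Port 80 only redirects to HTTPS.
server {
  listen 80;
  listen [::]:80;
  server_name your.domain.com;

  # $host is the normalised host name without a port. The raw client
  # header ($http_host) may carry ":80", which would produce a broken
  # https://name:80/ target, and it is reflected unvalidated.
  # $request_uri already contains the query string.
  return 301 https://$host$request_uri;
}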

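# TLS-terminating reverse proxy in front of the xwiki service.
server {

  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name your.domain.com;

  error_log  /var/log/nginx/your.domain.com_error.log;
  access_log /var/log/nginx/your.domain.com_access.log;

  # The original `location ^~ {` had no URI, so "^~" itself was taken as
  # the prefix and nothing was proxied. A plain prefix "/" is used rather
  # than "^~ /" because "^~" would skip the regex location below and the
  # dot-file deny rule would never apply.
  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
    # client sent; the backend should trust only the last entry (or
    # X-Real-IP) when this proxy is the outermost hop.
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    client_max_body_size 256M;

    proxy_http_version 1.1;
    proxy_set_header   Upgrade $http_upgrade;
    proxy_set_header   Connection 'upgrade';
    proxy_cache_bypass $http_upgrade;
    proxy_pass              http://xwiki_xwiki:8080;
    proxy_read_timeout      90;
  }

  # Deny hidden files and directories, except /.well-known.
  location ~ /\.(?!well-known).* {
    deny all;
    access_log off;
    log_not_found off;
  }

  add_header Content-Security-Policy upgrade-insecure-requests;

  ssl_certificate /etc/nginx/ssl/ssl.pem;
  ssl_certificate_key /etc/nginx/ssl/ssl.key;
  # Without ssl_dhparam nginx does not offer the EDH suites listed in
  # ssl_ciphers below; only the EECDH ones are negotiated.
#  ssl_dhparam /etc/nginx/ssl/dhparams.pem;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;


  #SSL Security
  # TLS 1.0 and 1.1 are deprecated (RFC 8996); ssl_ciphers applies to
  # TLS 1.2 and below, TLS 1.3 suites are chosen by the TLS library.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  # Alternative explicit cipher list (labelled "XP and IE6 support" in
  # the original, although it contains only ECDHE suites).
  #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  ssl_ecdh_curve secp384r1;
  ssl_prefer_server_ciphers on;
  ssl_session_tickets off;

  # The server-level `proxy_set_header X-Forwarded-For $remote_addr;` from
  # the original is dropped: proxy_set_header is inherited only when the
  # location defines none of its own, so it never took effect.

  #Compress and optimize delivery of files
  # NOTE(review): compressing TLS responses that mix secrets (form
  # tokens) with request-reflected data is the BREACH precondition;
  # confirm this is acceptable for the pages XWiki serves.

  gzip on;
  gzip_comp_level    5;
  gzip_min_length    256;
  gzip_vary          on;
  gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
    # text/html is always compressed by gzip module

}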