Deployment Overview of OpenLiteSpeed and Node.js on Server¶

Prerequisites and Basic Requirements¶

The deployment requires a server running a Debian-based operating system, such as Ubuntu. The following conditions must be met before proceeding: - Root privileges or sudo access are required to install packages and configure services. - The server must have internet access to download repositories and packages. - A domain name must be configured and pointing to the server's IP address for the proxy and SSL certificate generation. - Ports 80 and 443 must be open on the firewall to allow HTTP and HTTPS traffic for the Nginx proxy and Let's Encrypt validation.

File and Directory Structure¶

The application and supporting services utilize the following directory structure on the server: - /usr/local/lsws/: The installation directory for OpenLiteSpeed, containing binaries, configuration files, and logs. - /root/nginx/: The directory containing the Docker Compose configuration for the Nginx and Certbot stack. - /data/nginx/user_conf.d/: The directory storing custom Nginx virtual host configurations, specifically for the OpenLiteSpeed WebAdmin interface. - /data/nginx/nginx-certbot.env: The environment file containing configuration variables for the Nginx-Certbot container. - /etc/letsencrypt/: The mount point for SSL certificates and keys managed by Certbot. - /etc/docker/daemon.json: The configuration file for the Docker daemon, defining storage drivers and registry mirrors.

Application Installation Process¶

The installation involves setting up the core web server, the runtime environment, and the containerized proxy stack.

1. OpenLiteSpeed Installation:

   • The LiteSpeed repository is added to the system using the official installation script.
   • The openlitespeed package is installed via the apt package manager.
   • The lsws service is started and enabled to run on system boot.
   • The OpenLiteSpeed WebAdmin credentials are configured using the admpass.sh script, setting the username to admin and a secure password.

2. Node.js Installation:

   • The NodeSource repository for Node.js version 20.x is added to the system.
   • The nodejs package is installed via apt.
   • The installation is verified by checking the version output of the node command.

3. Docker Installation:

   • Required packages including ca-certificates, curl, gnupg, and lsb-release are installed.
   • The Docker GPG key is added to the system keyrings.
   • The official Docker repository is configured for the specific Linux distribution.
   • Docker Engine packages (docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin, docker-compose-plugin) are installed.
   • The containerd and docker services are started and enabled.

Access Rights and Security¶

Security is enforced through service isolation, firewall rules, and SSL encryption: - The Docker daemon is configured to use a specific storage driver, which may be set to vfs if size validation errors occur during container deployment. - The Nginx proxy container runs with network_mode: host to directly bind to host network interfaces. - SSL certificates are managed automatically by the nginx-certbot container, which communicates with Let's Encrypt. - The OpenLiteSpeed WebAdmin interface is accessed exclusively through the Nginx proxy on port 443, ensuring all administrative traffic is encrypted.

Proxy Servers¶

A reverse proxy stack is deployed using Docker to handle SSL termination and routing for the OpenLiteSpeed WebAdmin interface.

• Container Image: The proxy uses the jonasal/nginx-certbot:latest image.
• Configuration:
  • The Nginx container is configured to listen on port 443 with SSL enabled.
  • It proxies requests to the OpenLiteSpeed WebAdmin interface running locally on 127.0.0.1 at a specific internal port.
  • The server_name is set to a dynamic domain format (e.g., prefix-serverid.hostkey.in).
• SSL Configuration:
  • Certificates are stored in /etc/letsencrypt/live/ and mounted into the container.
  • The configuration includes ssl_dhparam for enhanced security.
  • Headers such as X-Forwarded-For, X-Real-IP, and X-Forwarded-Proto are passed to the backend service.
• Deployment:
  • The stack is managed via docker compose located in /root/nginx/compose.yml.
  • The nginx_secrets volume is used to persist Let's Encrypt data.

Docker Containers and Their Deployment¶

The proxy infrastructure is deployed using Docker Compose. The deployment process involves the following steps:

1. Compose File Generation:

   • A compose.yml file is generated in /root/nginx/ based on the system configuration.
   • The file defines the nginx service with environment variables and volume mounts.

2. Service Execution:

   • The command docker compose up -d is executed from the /root/nginx directory to start the containers.
   • If the initial deployment fails due to storage driver issues, the system automatically switches the Docker storage driver to vfs, clears the existing Docker storage, and retries the deployment.

3. Volume Management:

   • The nginx_secrets volume is marked as external to ensure certificate persistence across container restarts.
   • The /data/nginx/user_conf.d directory is mounted to /etc/nginx/user_conf.d inside the container to serve custom configurations.

Starting, Stopping, and Updating¶

The services are managed using standard system service commands and Docker Compose.

• OpenLiteSpeed Service:

  • Start: systemctl start lsws
  • Stop: systemctl stop lsws
  • Restart: systemctl restart lsws
  • Enable on boot: systemctl enable lsws

• Docker Services:

  • Start: systemctl start docker
  • Stop: systemctl stop docker
  • Restart: systemctl restart docker

• Nginx Proxy Stack:

  • Start/Update: Navigate to /root/nginx and run docker compose up -d.
  • Stop: Navigate to /root/nginx and run docker compose down.
  • View Logs: docker compose logs -f

• Containerd Service:

  • Start: systemctl start containerd
  • Stop: systemctl stop containerd