The container in the host never runs install-nginx as said above.
Iām not sure this topic is particularly useful.
You dislike the architecture of Discourse, wonāt accept the word of the developers on the ways in which the product is optimized, you donāt appear to be familar with Docker and by your own admission are lying in your questions which is wasting our time collectively.
This topic already has an #unsupported-install tag because youāre straying far from the scope of the free support provided to the community. If this stuff really matters to you why not start a topic over on #marketplace - then that way you can invest your own money paying a consultant to educate, rather than our time.
1 Like
I havenāt, sorry. So I need to put the above sed commands in the hooks section of app.yml? Is there an example somewhere for how to do that to modify a file in the docker_discourse repo at bootstrap? Currently that section only has a git clone command for plugins.
I could probably drop those sed commands in a cmd section like the git clone is, but I donāt know which dir where the install-nginx script will liveā¦
Also, where does app.yml live? I couldnāt link to the hooks section above as the containers dir is empty in the repo 
All of the documentation to do these things exists here on meta. We all like to skip reading the manual, but in this case you really should be going back to basics.
Youāre going about all of this backwards frankly.
Iām going to point back to the #unsupported-install tag - the expectation is that if you decide to deviate from the standard install you will assume the additional technical burden yourself.
How did you install the instance?
Sorry, but I do make an effort to search for documentation before posting. Iād love a Discourse manual, and Iāve read through many of the topics tagged #howo already. Unfortunately, there doesnāt appear to be a Discourse manualā¦
I do appreciate your help with this, and Iām sure it will help others in the future who are searching for documentation on how to do these thingsā¦
First discourse-setup, which ultimately gave me a broken install. Then manually editing app.yml followed by ./launcher rebuild app
I think this is an interesting discussion, just to get to know Discourse better.
Iād go with nginx, maybe modify the app.yml enough to add the mod_security module in the compiling process, and have my own base image built.
Now, Discourse is a complex piece of software, that runs on Rails that is even more complex to deploy easily and consistently, thatās why the staff has gone the extra mile in the Docker image they make.
The image has a lot of blackmagic happening, with tons and tons of optimizations just to run as good as possible in the supported install.
Knowing that, and being able to get all the pieces of the puzzle figured out (like, the 2-3 repositories needed to have Discourse running). It isnāt impossible to get what you want runnig.
Now, Knowing that your setup is nginx -> varnish -> apache, why donāt you run nginx -> varnish -> Discourse having the mod_security added to the base image and setup with hooks.
The likelihood that mod_security will increase your security is very, very, small. The people who maintain Discourse are very concerned with security, so the things that mod_security is supposed to fix are likely taken care of already. Further, the likelihood that if you were to get mod_security added to your image, it will make Discourse inoperable is significantly greater than zero. If you do install mod_security and find that Discourse wonāt work, youāll then be on your own to modify Discourse to work with mod_security and either convince the discourse maintainers that you have found a legitimate security concern or be forced to maintain your own fork going forward.
No good can come from this. It is highly improbable that any good can come from this.
2 Likes
Agreed, another WAF borders on security by obscurity.
Real proactive efforts to keep discourse secure are being made:
2 Likes
This topic has drifted from the original question of running discourse on apache (as opposed to a proxy back to nginx).
But I think a discussion on putting a WAF (mod_security or otherwise) before Discourse is useful to the community, so Iāve created a distinct topic to specifically discuss Discourse + WAF here: