-
Notifications
You must be signed in to change notification settings - Fork 33
Labels
refactoringAnything which could result in a API changeAnything which could result in a API change
Description
Except for special needs, the entire configuration would gain readability and maintainability by configuring a single server that could handles both HTTP and HTTPS requests (for the latter rules it should be enough to keep them commented to keep them disabled).
As per v3.4, this is what states the readme file:
HTTPS additional setup
To active https with LetsEncrypt just follow the following instructions:
- move
config/_nginx/django_ssl.conftoconfig/nginx/django_ssl.conf- check the domain name in the
.envfile and inconfig/nginx/django_ssl.conf- run:
docker pull certbot/certbot- launch
./run_certbot.sh- activate 301 redirect into
config/nginx/django.conf- restart compose
- make sure the certs are renewed by adding a cron job with
crontab -eand add the following line:
0 3 * * * /<path_to_your_docker_files>/run_certbot.sh- if you disabled HTTPS, you can move
config/nginx/django_ssl.confback to its original location now, and restart the Docker compose to finally enable HTTPS
g3w-suite-docker/config/nginx/django.conf
Lines 1 to 71 in e435dcc
| client_max_body_size 200M; | |
| client_body_timeout 600; | |
| upstream web { | |
| ip_hash; | |
| server g3w-suite:8000; | |
| } | |
| # portal | |
| server { | |
| # Block *.php | |
| location ~\.php$ { | |
| return 404; | |
| } | |
| # Secure project's folder | |
| location /static/projects/ { | |
| return 403; | |
| } | |
| location /static/ { | |
| root /shared-volume/; | |
| } | |
| location /media/ { | |
| root /shared-volume/; | |
| } | |
| location /media_user/ { | |
| root /shared-volume/project_data/; | |
| } | |
| # Certbot configuration | |
| location /.well-known/acme-challenge/ { | |
| root /var/www; | |
| } | |
| # Comment this if you enable HTTPS | |
| location / { | |
| keepalive_timeout 500; | |
| proxy_connect_timeout 600; | |
| proxy_send_timeout 600; | |
| send_timeout 600; | |
| fastcgi_read_timeout 300; | |
| proxy_read_timeout 600; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_pass http://web/; | |
| } | |
| # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | |
| # Uncomment the following lines if you want activate https | |
| # and comment the previous location / declaration | |
| #location / { | |
| # return 301 https://$host$request_uri; | |
| #} | |
| # Listen | |
| listen 8080; | |
| # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | |
| # NOTE: change server_name according to your real hostname | |
| server_name dev.g3wsuite.it; | |
| } |
g3w-suite-docker/config/_nginx/django_ssl.conf
Lines 1 to 46 in e435dcc
| # HTTPS portal | |
| server { | |
| location ~\.php$ { | |
| return 404; | |
| } | |
| # Secure project's folder | |
| location /static/projects/ { | |
| return 403; | |
| } | |
| location /static/ { | |
| root /shared-volume/; | |
| } | |
| location /media/ { | |
| root /shared-volume/; | |
| } | |
| location / { | |
| proxy_read_timeout 120; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Forwarded-For $remote_addr; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_pass http://web/; | |
| } | |
| listen 443 ssl; | |
| # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! | |
| # NOTE: change server_name and cert paths according to | |
| # your real hostname | |
| server_name dev.g3wsuite.it; | |
| ssl_certificate /etc/letsencrypt/live/dev.g3wsuite.it/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/dev.g3wsuite.it/privkey.pem; | |
| include /etc/letsencrypt/options-ssl-nginx.conf; | |
| ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; | |
| resolver 8.8.8.8; | |
| } |
g3w-suite-docker/run_certbot.sh
Lines 1 to 31 in e435dcc
| #!/bin/bash | |
| # Run certbot docker container to renew the HTTPS certificate. | |
| # Requires .env file with container configuration variables | |
| CURRENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" | |
| source ${CURRENT_DIR}/.env | |
| if [ "${WEBGIS_PUBLIC_HOSTNAME}" = "" ]; then | |
| echo "WEBGIS_PUBLIC_HOSTNAME not defined: exiting" | |
| exit 1 | |
| fi | |
| if [ "${WEBGIS_DOCKER_SHARED_VOLUME}" = "" ]; then | |
| echo "WEBGIS_DOCKER_SHARED_VOLUME not defined: exiting" | |
| exit 1 | |
| fi | |
| mkdir -p "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/" | |
| curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/options-ssl-nginx.conf" | |
| curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/ssl-dhparams.pem" | |
| docker run -it --rm --name certbot \ | |
| -v ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt \ | |
| -v ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known \ | |
| certbot/certbot -t certonly \ | |
| --agree-tos --renew-by-default \ | |
| --no-eff-email \ | |
| --webroot -w /var/www \ | |
| -d ${WEBGIS_PUBLIC_HOSTNAME} |
More info:
Metadata
Metadata
Assignees
Labels
refactoringAnything which could result in a API changeAnything which could result in a API change