Remove /config/_nginx/django_conf.ssl #67

Open
Raruto opened this issue Sep 8, 2022 · 0 comments · May be fixed by #99 or #77
Labels
refactoring Anything which could result in a API change

Raruto commented Sep 8, 2022

Except for special needs, the entire configuration would gain readability and maintainability by configuring a single server that could handle both HTTP and HTTPS requests (for the latter, it should be enough to keep the rules commented out to keep them disabled).


As per v3.4, this is what the readme file states:

HTTPS additional setup

To activate HTTPS with LetsEncrypt just follow these instructions:

  • move config/_nginx/django_ssl.conf to config/nginx/django_ssl.conf
  • check the domain name in the .env file and in config/nginx/django_ssl.conf
  • run: docker pull certbot/certbot
  • launch ./run_certbot.sh
  • activate 301 redirect into config/nginx/django.conf
  • restart compose
  • make sure the certs are renewed by adding a cron job with crontab -e and add the following line:
    0 3 * * * /<path_to_your_docker_files>/run_certbot.sh
  • if you disabled HTTPS, you can move config/nginx/django_ssl.conf back to its original location now, and restart the Docker compose to finally enable HTTPS

client_max_body_size 200M;
client_body_timeout 600;

upstream web {
    ip_hash;
    server g3w-suite:8000;
}

# portal
server {
    # Block *.php
    location ~\.php$ {
        return 404;
    }
    # Secure project's folder
    location /static/projects/ {
        return 403;
    }
    location /static/ {
        root /shared-volume/;
    }
    location /media/ {
        root /shared-volume/;
    }
    location /media_user/ {
        root /shared-volume/project_data/;
    }
    # Certbot configuration
    location /.well-known/acme-challenge/ {
        root /var/www;
    }
    # Comment this if you enable HTTPS
    location / {
        keepalive_timeout 500;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        send_timeout 600;
        fastcgi_read_timeout 300;
        proxy_read_timeout 600;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://web/;
    }
    # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    # Uncomment the following lines if you want activate https
    # and comment the previous location / declaration
    #location / {
    #    return 301 https://$host$request_uri;
    #}
    # Listen
    listen 8080;
    # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    # NOTE: change server_name according to your real hostname
    server_name dev.g3wsuite.it;
}

# HTTPS portal
server {
    location ~\.php$ {
        return 404;
    }
    # Secure project's folder
    location /static/projects/ {
        return 403;
    }
    location /static/ {
        root /shared-volume/;
    }
    location /media/ {
        root /shared-volume/;
    }
    location / {
        proxy_read_timeout 120;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://web/;
    }
    listen 443 ssl;
    # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    # NOTE: change server_name and cert paths according to
    # your real hostname
    server_name dev.g3wsuite.it;
    ssl_certificate /etc/letsencrypt/live/dev.g3wsuite.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.g3wsuite.it/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    resolver 8.8.8.8;
}

#!/bin/bash
# Run certbot docker container to renew the HTTPS certificate.
# Requires .env file with container configuration variables
CURRENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
# shellcheck disable=SC1091
source "${CURRENT_DIR}/.env"
if [ "${WEBGIS_PUBLIC_HOSTNAME}" = "" ]; then
    echo "WEBGIS_PUBLIC_HOSTNAME not defined: exiting"
    exit 1
fi
if [ "${WEBGIS_DOCKER_SHARED_VOLUME}" = "" ]; then
    echo "WEBGIS_DOCKER_SHARED_VOLUME not defined: exiting"
    exit 1
fi
CERTS_DIR="${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt"
mkdir -p "${CERTS_DIR}"
# Fetch certbot's recommended TLS settings. -f makes curl fail on an HTTP
# error instead of silently writing an error page into the nginx include;
# note that both files are pulled unpinned from the master branch on every run.
curl -sSf -o "${CERTS_DIR}/options-ssl-nginx.conf" \
    https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf || exit 1
curl -sSf -o "${CERTS_DIR}/ssl-dhparams.pem" \
    https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem || exit 1
# No "-it": the readme runs this script from cron, where no TTY is attached
# and "docker run -it" aborts with "the input device is not a TTY".
docker run --rm --name certbot \
    -v "${CERTS_DIR}:/etc/letsencrypt" \
    -v "${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known" \
    certbot/certbot -t certonly \
    --agree-tos --renew-by-default \
    --no-eff-email \
    --webroot -w /var/www \
    -d "${WEBGIS_PUBLIC_HOSTNAME}"


More info:

@Raruto Raruto added the refactoring Anything which could result in a API change label Sep 22, 2022