From 4fd149ca4557d3f56a2ef8d54a8a8a33d610149b Mon Sep 17 00:00:00 2001 From: Raruto Date: Mon, 26 Sep 2022 13:21:38 +0200 Subject: [PATCH 1/9] Move `django_ssl.conf` into `django.conf` - delete `config/_nginx/django_ssl.conf` - update `config/nginx/django.conf` in order to use a singl HTTP/HTTPS server - expose `WEBGIS_PUBLIC_HOSTNAME` environment variable to `nginx` container (`docker-compose.yml` and `docker-compose-consumer.yml`) - update `README.md` section related to `HTTPS additional setup` --- README.md | 7 ++--- config/_nginx/django_ssl.conf | 46 ------------------------------- config/nginx/django.conf | 52 +++++++++++++++++++---------------- docker-compose-consumer.yml | 2 ++ docker-compose.yml | 2 ++ 5 files changed, 35 insertions(+), 74 deletions(-) delete mode 100644 config/_nginx/django_ssl.conf diff --git a/README.md b/README.md index 221db981c..a482dd294 100644 --- a/README.md +++ b/README.md @@ -94,15 +94,14 @@ the conf file will be mounted into docker container at runtime to PGSERVICEFILE To active https with LetsEncrypt just follow the following instructions: -- move `config/_nginx/django_ssl.conf` to `config/nginx/django_ssl.conf` -- check the domain name in the `.env` file and in `config/nginx/django_ssl.conf` +- uncomment ssl section within `config/nginx/django.conf` +- update `WEBGIS_PUBLIC_HOSTNAME` environment variable within the `.env` file - run: `docker pull certbot/certbot` - launch `./run_certbot.sh` -- activate 301 redirect into `config/nginx/django.conf` - restart compose - make sure the certs are renewed by adding a cron job with `crontab -e` and add the following line: `0 3 * * * //run_certbot.sh` -- if you disabled HTTPS, you can move `config/nginx/django_ssl.conf` back to its original location now, and restart the Docker compose to finally enable HTTPS +- if you disabled HTTPS, you can comment the ssl section within `config/nginx/django.conf` and restart the Docker compose to finally enable HTTPS ### Volumes 
diff --git a/config/_nginx/django_ssl.conf b/config/_nginx/django_ssl.conf deleted file mode 100644 index e878aed31..000000000 --- a/config/_nginx/django_ssl.conf +++ /dev/null @@ -1,46 +0,0 @@ -# HTTPS portal - -server { - - location ~\.php$ { - return 404; - } - - # Secure project's folder - location /static/projects/ { - return 403; - } - - location /static/ { - root /shared-volume/; - } - - location /media/ { - root /shared-volume/; - } - - location / { - proxy_read_timeout 120; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://web/; - } - - listen 443 ssl; - - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - # NOTE: change server_name and cert paths according to - # your real hostname - - server_name dev.g3wsuite.it; - - ssl_certificate /etc/letsencrypt/live/dev.g3wsuite.it/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/dev.g3wsuite.it/privkey.pem; - - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - - resolver 8.8.8.8; - -} diff --git a/config/nginx/django.conf b/config/nginx/django.conf index 15b3a5c9a..b59970d60 100644 --- a/config/nginx/django.conf +++ b/config/nginx/django.conf @@ -1,14 +1,11 @@ - client_max_body_size 200M; client_body_timeout 600; - upstream web { ip_hash; server g3w-suite:8000; } - # portal server { 
@@ -36,36 +33,43 @@ server { # Certbot configuration location /.well-known/acme-challenge/ { - root /var/www; + root /var/www; } - # Comment this if you enable HTTPS location / { - keepalive_timeout 500; - proxy_connect_timeout 600; - proxy_send_timeout 600; - send_timeout 600; - fastcgi_read_timeout 300; - proxy_read_timeout 600; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://web/; + keepalive_timeout 500; + proxy_connect_timeout 600; + proxy_send_timeout 600; + send_timeout 600; + fastcgi_read_timeout 300; + # proxy_read_timeout 600; + proxy_read_timeout 120; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://web/; } + server_name $WEBGIS_PUBLIC_HOSTNAME; + + # Listen + listen 8080; + # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Uncomment the following lines if you want activate https - # and comment the previous location / declaration - #location / { - # return 301 https://$host$request_uri; - #} + # listen 443 default ssl; - # Listen - listen 8080; + # ssl_certificate /etc/letsencrypt/live/$WEBGIS_PUBLIC_HOSTNAME/fullchain.pem; + # ssl_certificate_key /etc/letsencrypt/live/$WEBGIS_PUBLIC_HOSTNAME/privkey.pem; + + # include /etc/letsencrypt/options-ssl-nginx.conf; + # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + # resolver 8.8.8.8; - # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - # NOTE: change server_name according to your real hostname - server_name dev.g3wsuite.it; + # if ($scheme = http) { + # return 301 https://$server_name$request_uri; + # } } diff --git a/docker-compose-consumer.yml b/docker-compose-consumer.yml index a1a03e821..667152ad0 100644 --- a/docker-compose-consumer.yml +++ b/docker-compose-consumer.yml 
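Review bot: Once the commented ssl block is enabled, the server-scope `if ($scheme = http) { return 301 https://$server_name$request_uri; }` runs in the server rewrite phase, before any `location` is matched, so plain-HTTP requests for `/.well-known/acme-challenge/` are redirected as well; the ACME HTTP-01 validator follows redirects, so renewals keep working only while port 443 already serves a valid certificate, which is worth stating in the comment above that block. Using `$server_name` rather than `$host` in the redirect is the right choice (no Host-header-controlled redirect target), but the block sets no HSTS header — add `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `ssl_certificate` lines. `listen 443 default ssl;` uses the deprecated `default` spelling; `default_server` is the current form. Separately, `proxy_read_timeout` drops from 600 to 120 in this hunk with the old value left commented out, which the commit message does not mention.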
@@ -126,6 +126,8 @@ services: - "443:443" expose: - "8080" + environment: + - WEBGIS_PUBLIC_HOSTNAME volumes: - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known diff --git a/docker-compose.yml b/docker-compose.yml index 50c14f856..7918e18d7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -76,6 +76,8 @@ services: - "443:443" expose: - "8080" + environment: + - WEBGIS_PUBLIC_HOSTNAME volumes: - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known From 8b3e51cee29e2ee5a9bfd45a391b4bcace606d88 Mon Sep 17 00:00:00 2001 From: Raruto Date: Thu, 3 Nov 2022 13:47:40 +0100 Subject: [PATCH 2/9] add sample `NGINX_ENVSUBST_TEMPLATE_SUFFIX` --- config/nginx/django.conf | 2 +- docker-compose.yml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/config/nginx/django.conf b/config/nginx/django.conf index b59970d60..c42950bba 100644 --- a/config/nginx/django.conf +++ b/config/nginx/django.conf @@ -1,4 +1,4 @@ -client_max_body_size 200M; +client_max_body_size $NGINX_CLIENT_MAX_BODY_SIZE; client_body_timeout 600; upstream web { diff --git a/docker-compose.yml b/docker-compose.yml index 77c944c89..89a3da203 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -79,12 +79,14 @@ services: - "8080" environment: - WEBGIS_PUBLIC_HOSTNAME + - NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-200M} + - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.conf volumes: - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt:ro - ./config/g3w-suite/overrides/static:/shared-volume/static/overrides:ro - - ./config/nginx:/etc/nginx/conf.d:ro + - ./config/nginx:/etc/nginx/templates logging: driver: "json-file" options: From 36e6142b202e39c5d1881830e9e32f07bef29b79 Mon Sep 17 00:00:00 2001 
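Review bot: The `./config/nginx:/etc/nginx/templates` bind mount drops the `:ro` flag that the replaced `conf.d` mount had, giving the nginx container write access to the repository's config directory for no reason — the image's envsubst entrypoint only reads templates from that path and writes the rendered output to `/etc/nginx/conf.d`; keep it as `- ./config/nginx:/etc/nginx/templates:ro`. That same entrypoint substitutes every variable that is set in the container environment, so any env var whose name collides with an nginx runtime variable used in the template (`$host`, `$scheme`, `$request_uri`, `$server_name`, `$remote_addr`) would be rewritten at render time; if the image tag in use supports `NGINX_ENVSUBST_FILTER`, restricting it to `^(WEBGIS_|NGINX_)` removes that class of surprise. `NGINX_CLIENT_MAX_BODY_SIZE` gets a default here while `WEBGIS_PUBLIC_HOSTNAME` is passed through bare, so when it is missing from the host environment either the literal `$WEBGIS_PUBLIC_HOSTNAME` or an empty value reaches `server_name` and the certificate paths; a default or a startup check would fail that case loudly.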
From: wlorenzetti Date: Thu, 3 Nov 2022 18:04:42 +0100 Subject: [PATCH 3/9] Fix for nginx `envsubst`. --- config/nginx/{django.conf => django.conf.template} | 0 docker-compose-consumer.yml | 4 +++- docker-compose.yml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) rename config/nginx/{django.conf => django.conf.template} (100%) diff --git a/config/nginx/django.conf b/config/nginx/django.conf.template similarity index 100% rename from config/nginx/django.conf rename to config/nginx/django.conf.template diff --git a/docker-compose-consumer.yml b/docker-compose-consumer.yml index 05981f0c3..f7a0031fb 100644 --- a/docker-compose-consumer.yml +++ b/docker-compose-consumer.yml @@ -129,12 +129,14 @@ services: - "8080" environment: - WEBGIS_PUBLIC_HOSTNAME + - NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-200M} + - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template volumes: - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt:ro - ./config/g3w-suite/overrides/static:/shared-volume/static/overrides:ro - - ./config/nginx:/etc/nginx/conf.d:ro + - ./config/nginx:/etc/nginx/templates logging: driver: "json-file" options: diff --git a/docker-compose.yml b/docker-compose.yml index 89a3da203..031319378 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -80,7 +80,7 @@ services: environment: - WEBGIS_PUBLIC_HOSTNAME - NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-200M} - - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.conf + - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template volumes: - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known From 8a81b24f75dcc2f69491e1b1971df9aee1989b77 Mon Sep 17 00:00:00 2001 
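Review bot: As in the main compose file, `./config/nginx:/etc/nginx/templates` loses the `:ro` that the replaced `conf.d` mount carried; the templates directory is only read by the image entrypoint (rendered files go to `/etc/nginx/conf.d`), so `- ./config/nginx:/etc/nginx/templates:ro` keeps the container from being able to modify the checked-in config. With the rename to `django.conf.template` and `NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template` the two compose files now agree, but any remaining `*.conf` left in `config/nginx` would be silently ignored rather than loaded, which deserves a one-line comment next to the mount.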
From: Raruto Date: Mon, 7 Nov 2022 11:13:39 +0100 Subject: [PATCH 4/9] refactor `run_certbot.sh` - add some variables to improve readability - echo some minimal info to terminal (current step) - remove `docker pull certbot/certbot` step within README.md --- README.md | 1 - run_certbot.sh | 23 ++++++++++++++++------- 2 files changed, 16 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index b1978680d..6b6aaf9cb 100644 --- a/README.md +++ b/README.md @@ -99,7 +99,6 @@ To active https with LetsEncrypt just follow the following instructions: - uncomment ssl section within `config/nginx/django.conf` - update `WEBGIS_PUBLIC_HOSTNAME` environment variable within the `.env` file -- run: `docker pull certbot/certbot` - launch `./run_certbot.sh` - restart compose - make sure the certs are renewed by adding a cron job with `crontab -e` and add the following line: diff --git a/run_certbot.sh b/run_certbot.sh index 683123f6c..42f91ea2e 100755 --- a/run_certbot.sh +++ b/run_certbot.sh 
@@ -16,16 +16,25 @@ if [ "${WEBGIS_DOCKER_SHARED_VOLUME}" = "" ]; then exit 1 fi -mkdir -p "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/" +certs_folder = "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt" +acme_folder = "${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known" +default_ssl_conf = "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" +default_ssl_pem = "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" +domain = "$WEBGIS_PUBLIC_HOSTNAME" -curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/options-ssl-nginx.conf" -curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/ssl-dhparams.pem" +# STEP 1 +echo "### Downloading recommended TLS parameters ..." +mkdir -p "$certs_folder" +curl -s "$default_ssl_conf" > "${certs_folder}/options-ssl-nginx.conf" +curl -s "$default_ssl_pem" > "${certs_folder}/ssl-dhparams.pem" -docker run -it --rm --name certbot \ - -v ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt \ - -v ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known \ +# STEP 2 +echo "### Requesting Let's Encrypt certificate for $domain ..." +docker run -it --rm --name certbot --pull=missing \ + -v ${certs_folder}:/etc/letsencrypt \ + -v ${acme_folder}:/var/www/.well-known \ certbot/certbot -t certonly \ --agree-tos --renew-by-default \ --no-eff-email \ --webroot -w /var/www \ - -d ${WEBGIS_PUBLIC_HOSTNAME} + -d ${domain} From ff762c9b0ebbe96fc2744f37415297f9825e96cf Mon Sep 17 00:00:00 2001 
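Review bot: The two `curl -s … > file` lines in STEP 1 have no `-f`/`--fail` and no exit-status check, so a 404 or transient GitHub error writes an HTML error page into `options-ssl-nginx.conf` / `ssl-dhparams.pem` and nginx refuses to load its TLS policy at the next restart; use `curl -fsSL "$default_ssl_conf" -o "${certs_folder}/options-ssl-nginx.conf" || exit 1` (and the same for the dhparams). Both URLs also point at certbot's `master` branch, so the cipher and protocol policy a cron run deploys is whatever upstream has at that moment, with no pin or checksum — reference a release tag or vendor the two files in the repository. The `docker run -it` in STEP 2 needs a TTY, which the crontab entry the README suggests does not provide, and the unchanged `--renew-by-default` forces a new certificate on every run, so a daily cron job will hit Let's Encrypt's duplicate-certificate limit; drop `-t` and let certbot renew only when due. `-v ${certs_folder}:/etc/letsencrypt` and `-d ${domain}` are unquoted, unlike the curl arguments. The guard for `WEBGIS_DOCKER_SHARED_VOLUME` at the top of the script is outside the hunk.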
From: wlorenzetti Date: Mon, 7 Nov 2022 15:33:16 +0100 Subject: [PATCH 5/9] Bash fix variable declaration. --- run_certbot.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/run_certbot.sh b/run_certbot.sh index 42f91ea2e..f5b944403 100755 --- a/run_certbot.sh +++ b/run_certbot.sh @@ -16,11 +16,11 @@ if [ "${WEBGIS_DOCKER_SHARED_VOLUME}" = "" ]; then exit 1 fi -certs_folder = "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt" -acme_folder = "${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known" -default_ssl_conf = "https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" -default_ssl_pem = "https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" -domain = "$WEBGIS_PUBLIC_HOSTNAME" +certs_folder="${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt" +acme_folder="${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known" +default_ssl_conf="https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf" +default_ssl_pem="https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem" +domain="$WEBGIS_PUBLIC_HOSTNAME" # STEP 1 echo "### Downloading recommended TLS parameters ..." From 9cfbbed1d69d9cbca6bdceeadce03b84aacec04a Mon Sep 17 00:00:00 2001 From: wlorenzetti Date: Tue, 8 Nov 2022 07:54:51 +0100 Subject: [PATCH 6/9] Remove certbot image from docker compose files. --- docker-compose-consumer.yml | 7 ------- docker-compose.yml | 7 ------- 2 files changed, 14 deletions(-) diff --git a/docker-compose-consumer.yml b/docker-compose-consumer.yml index f7a0031fb..17a718a30 100644 --- a/docker-compose-consumer.yml +++ b/docker-compose-consumer.yml 
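Review bot: `domain="$WEBGIS_PUBLIC_HOSTNAME"` is now assigned correctly but never validated, while the script bails out just above when `WEBGIS_DOCKER_SHARED_VOLUME` is empty; with an empty domain certbot is invoked with an empty `-d` argument and the certificate paths the nginx template references are never created. Add the same guard right after the assignment: `if [ -z "$domain" ]; then echo "WEBGIS_PUBLIC_HOSTNAME is not set"; exit 1; fi`. The `curl` and `docker run` lines this assignment feeds lie outside the hunk.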
@@ -146,13 +146,6 @@ services: networks: internal: - # Letsencrypt certs - certbot: - image: certbot/certbot - volumes: - - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/certbot:/var/www/certbot - - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt - volumes: shared-volume: g3wsuite-pg-data: diff --git a/docker-compose.yml b/docker-compose.yml index 031319378..857e117c1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -96,13 +96,6 @@ services: networks: internal: - # Letsencrypt certs - certbot: - image: certbot/certbot - volumes: - - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/certbot:/var/www/certbot - - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt - volumes: shared-volume: g3wsuite-pg-data: From 162b0e3dfdb1ac07ac994e6982a9b073eedff9f8 Mon Sep 17 00:00:00 2001 From: wlorenzetti Date: Tue, 8 Nov 2022 08:05:25 +0100 Subject: [PATCH 7/9] Add line to close https activation section. --- config/nginx/django.conf.template | 1 + 1 file changed, 1 insertion(+) diff --git a/config/nginx/django.conf.template b/config/nginx/django.conf.template index c42950bba..dde2390a7 100644 --- a/config/nginx/django.conf.template +++ b/config/nginx/django.conf.template @@ -71,5 +71,6 @@ server { # if ($scheme = http) { # return 301 https://$server_name$request_uri; # } + # ----------------------------------------------------- } From 0c30c8c5cc06a846481bfeae54f3c5955a81a35b Mon Sep 17 00:00:00 2001 From: wlorenzetti Date: Tue, 8 Nov 2022 09:03:16 +0100 Subject: [PATCH 8/9] Update https section into README.md --- README.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 8a8888ed4..06d772d24 100644 --- a/README.md +++ b/README.md 
@@ -97,13 +97,12 @@ the conf file will be mounted into docker container at runtime to PGSERVICEFILE To active https with LetsEncrypt just follow the following instructions: -- uncomment ssl section within `config/nginx/django.conf` +- uncomment ssl section within `config/nginx/django.conf.template` - update `WEBGIS_PUBLIC_HOSTNAME` environment variable within the `.env` file -- launch `./run_certbot.sh` -- restart compose -- make sure the certs are renewed by adding a cron job with `crontab -e` and add the following line: +- launch `sudo ./run_certbot.sh` +- restart compose: `docker compose down && docker compose up -d` +- make sure the certs are renewed by adding a cron job with `sudo crontab -e` and add the following line: `0 3 * * * //run_certbot.sh` -- if you disabled HTTPS, you can comment the ssl section within `config/nginx/django.conf` and restart the Docker compose to finally enable HTTPS ### Volumes @@ -117,7 +116,7 @@ This can be done by modifying the `.env` file. ### First time setup -- log into the application web administation panel using default credentials (_admin/admin_) +- log into the application web administration panel using default credentials (_admin/admin_) - change the password for the admin user and for any other example user that may be present ### Caching From 5821488d854c467c94f3d9343b6ce2166ddf9711 Mon Sep 17 00:00:00 2001 From: wlorenzetti Date: Tue, 8 Nov 2022 09:21:41 +0100 Subject: [PATCH 9/9] Update contributors. --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 06d772d24..288c91713 100644 --- a/README.md +++ b/README.md 
@@ -206,3 +206,5 @@ Plese refer to the [Add new stack](https://docs.portainer.io/v/ce-2.9/user/docke * Walter Lorenzetti - Gis3W ([@wlorenzetti](https://github.com/wlorenzetti)) * Alessandro Pasotti - ItOpen ([@elpaso](https://github.com/elpaso)) * Mazano - Kartoza ([@NyakudyaA](https://github.com/NyakudyaA)) +* Matteo Tosi - Gis3W ([@Raruto](https://github.com/Raruto)) +* Eric Schirardin ([@rikamusik](https://github.com/rikamusik))