-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
… Pour pouvoir appeler le « token check » de FC+
- Loading branch information
Showing
5 changed files
with
162 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -106,6 +106,30 @@ de modifier diverses propriétés de Domibus depuis le fichier | |
Domibus](https://ec.europa.eu/digital-building-blocks/wikis/download/attachments/638060670/%28eDelivery%29%28AP%29%28AG%29%28Domibus%205.0.4%29%2817.7%29.pdf?version=2&modificationDate=1684157357586&api=v2) | ||
pour la signification des diverses propriétés. | ||
|
||
## Configurer NGinx | ||
|
||
OOTS-France s'appuie sur les services tiers de FranceConnect+, qui exigent que | ||
les interactions aient lieu sur HTTPS. Pour ce faire : | ||
|
||
```sh | ||
$ cp nginx.template nginx | ||
``` | ||
|
||
Ensuite, changer… | ||
- dans le fichier `nginx/conf/nginx.conf` : toutes les occurrences de | ||
`example.com` en le nom du domaine lié à la machine de développement. | ||
- dans le fichier `nginx/script/init-letsencrypt.sh` : toutes les occurrences | ||
de `example.com` en le nom du domaine lié à la machine de développement _et_ | ||
l'adresse `[email protected]` en l'adresse mail du développeur qui va demander | ||
les certificats. | ||
|
||
Lancer ensuite la demande de certificats. | ||
|
||
```sh | ||
$ nginx/scripts/init-letsencrypt.sh | ||
``` | ||
|
||
Le script doit installer les certificats et terminer en succès. | ||
|
||
## Lancement du serveur OOTS-France | ||
|
||
|
@@ -120,12 +144,11 @@ web_1 | OOTS-France est démarré et écoute le port [XXX] !… | |
``` | ||
|
||
Le serveur devrait être accessible depuis un navigateur à l'URL | ||
`http://localhost:[PORT_OOTS_FRANCE]` (avec comme valeur pour | ||
`PORT_OOTS_FRANCE` celle indiquée dans le fichier `.env`). | ||
`https://<nom.du.domaine>` | ||
|
||
Il est alors possible de tester l'envoi d'un message de test en requêtant l'URL | ||
suivante depuis un navigateur : | ||
`http://localhost:[PORT_OOTS_FRANCE]/requete/pieceJustificative?nomDestinataire=blue_gw`. | ||
`https://<nom.du.domaine>/requete/pieceJustificative?codeDemarche=00&codePays=FR` | ||
|
||
|
||
## Exécution de la suite de tests automatisés | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
server { | ||
listen 80; | ||
server_name example.com; | ||
server_tokens off; | ||
|
||
location /.well-known/acme-challenge/ { | ||
root /var/www/certbot; | ||
} | ||
|
||
location / { | ||
return 301 https://$host$request_uri; | ||
} | ||
} | ||
|
||
server { | ||
listen 443 ssl; | ||
server_name example.com; | ||
server_tokens off; | ||
|
||
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; | ||
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; | ||
include /etc/letsencrypt/options-ssl-nginx.conf; | ||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; | ||
|
||
location / { | ||
proxy_pass http://web:3000; | ||
proxy_set_header Host $http_host; | ||
proxy_set_header X-Real-IP $remote_addr; | ||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
#!/bin/bash | ||
|
||
if ! [ -x "$(command -v docker-compose)" ]; then | ||
echo 'Error: docker-compose is not installed.' >&2 | ||
exit 1 | ||
fi | ||
|
||
domains=(example.com) | ||
rsa_key_size=4096 | ||
data_path="./nginx/certbot" | ||
email="[email protected]" # Adding a valid address is strongly recommended | ||
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits | ||
|
||
if [ -d "$data_path" ]; then | ||
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision | ||
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then | ||
exit | ||
fi | ||
fi | ||
|
||
|
||
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then | ||
echo "### Downloading recommended TLS parameters ..." | ||
mkdir -p "$data_path/conf" | ||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf" | ||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem" | ||
echo | ||
fi | ||
|
||
echo "### Creating dummy certificate for $domains ..." | ||
path="/etc/letsencrypt/live/$domains" | ||
mkdir -p "$data_path/conf/live/$domains" | ||
docker-compose run --rm --entrypoint "\ | ||
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\ | ||
-keyout '$path/privkey.pem' \ | ||
-out '$path/fullchain.pem' \ | ||
-subj '/CN=localhost'" certbot | ||
echo | ||
|
||
|
||
echo "### Starting nginx ..." | ||
docker-compose up --force-recreate -d nginx | ||
echo | ||
|
||
echo "### Deleting dummy certificate for $domains ..." | ||
docker-compose run --rm --entrypoint "\ | ||
rm -Rf /etc/letsencrypt/live/$domains && \ | ||
rm -Rf /etc/letsencrypt/archive/$domains && \ | ||
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot | ||
echo | ||
|
||
|
||
echo "### Requesting Let's Encrypt certificate for $domains ..." | ||
#Join $domains to -d args | ||
domain_args="" | ||
for domain in "${domains[@]}"; do | ||
domain_args="$domain_args -d $domain" | ||
done | ||
|
||
# Select appropriate email arg | ||
case "$email" in | ||
"") email_arg="--register-unsafely-without-email" ;; | ||
*) email_arg="--email $email" ;; | ||
esac | ||
|
||
# Enable staging mode if needed | ||
if [ $staging != "0" ]; then staging_arg="--staging"; fi | ||
|
||
docker-compose run --rm --entrypoint "\ | ||
certbot certonly --webroot -w /var/www/certbot \ | ||
$staging_arg \ | ||
$email_arg \ | ||
$domain_args \ | ||
--rsa-key-size $rsa_key_size \ | ||
--agree-tos \ | ||
--force-renewal" certbot | ||
echo | ||
|
||
echo "### Reloading nginx ..." | ||
docker-compose exec nginx nginx -s reload |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
docker-compose up web | ||
docker-compose up nginx |