Commit fdc494fd authored by p.jbowden's avatar p.jbowden

start using dockerized nginx proxy

* expose public services through nginx-proxy container
* reconfigure services to communicate with each other over the internal
  docker network when possible
* remove previous nginx installation from ci
parent 06b86bd5
......@@ -43,14 +43,26 @@ deploy-gwdg:
sudo rm -f -v "$SSH_UPLOAD_DIR/.configure.notls"
sudo mkdir -p -v "$SSH_UPLOAD_DIR/.env.d"
sudo chmod 700 "$SSH_UPLOAD_DIR/.env.d"
echo "keycloak.snet-apps.com" | sudo tee "$SSH_UPLOAD_DIR/.env.d/KEYCLOAK_HOST" > /dev/null
echo "https" | sudo tee "$SSH_UPLOAD_DIR/.env.d/KEYCLOAK_PROTOCOL" > /dev/null
echo "keycloak.snet-apps.com" | sudo tee "$SSH_UPLOAD_DIR/.env.d/KEYCLOAK_HOST" > /dev/null
echo "443" | sudo tee "$SSH_UPLOAD_DIR/.env.d/KEYCLOAK_PORT" > /dev/null
echo "https://keycloak.snet-apps.com" | sudo tee "$SSH_UPLOAD_DIR/.env.d/KEYCLOAK_BASE_URL" > /dev/null
echo "registration-authority.snet-apps.com" | sudo tee "$SSH_UPLOAD_DIR/.env.d/REGISTRATION_AUTHORITY_HOST" > /dev/null
echo "https" | sudo tee "$SSH_UPLOAD_DIR/.env.d/REGISTRATION_AUTHORITY_PROTOCOL" > /dev/null
echo "registration-authority.snet-apps.com" | sudo tee "$SSH_UPLOAD_DIR/.env.d/REGISTRATION_AUTHORITY_HOST" > /dev/null
echo "443" | sudo tee "$SSH_UPLOAD_DIR/.env.d/REGISTRATION_AUTHORITY_PORT" > /dev/null
echo "https://registration-authority.snet-apps.com" | sudo tee "$SSH_UPLOAD_DIR/.env.d/REGISTRATION_AUTHORITY_BASE_URL" > /dev/null
sudo ${SSH_UPLOAD_DIR}/configure
cp -v ${SSH_UPLOAD_DIR}/docker-compose/tls-gateway.yml.off ${SSH_UPLOAD_DIR}/docker-compose/tls-gateway.yml
docker-compose \
-f ${SSH_UPLOAD_DIR}/docker-compose/identity-authority.yml \
--env-file ${SSH_UPLOAD_DIR}/.env \
up -d
docker-compose \
-f ${SSH_UPLOAD_DIR}/docker-compose/tls-gateway.yml \
--env-file ${SSH_UPLOAD_DIR}/.env \
up -d
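Review bot: The new lines from `sudo ${SSH_UPLOAD_DIR}/configure` through the two docker-compose invocations leave `${SSH_UPLOAD_DIR}` unquoted, while every `tee` line above quotes `"$SSH_UPLOAD_DIR"`, so a path containing whitespace would be split in one half of the same script and not the other. `sudo "$SSH_UPLOAD_DIR/configure"`, `-f "$SSH_UPLOAD_DIR/docker-compose/identity-authority.yml"` and `--env-file "$SSH_UPLOAD_DIR/.env"` keep the job consistent. KEYCLOAK_HOST and REGISTRATION_AUTHORITY_HOST are each written twice in the listing; if both copies survive on the new side, the second `tee` is redundant and one should go. The `rm -f ... .configure.notls` at the top of the hunk appears to target a check that the configure hunk in this commit removes, so it may now be dead. The deploy-gwdg job starts above the hunk.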
......@@ -13,14 +13,36 @@ These dependencies (and others) will be installed by the `configure` script (see
- [`dockerize`](https://github.com/jwilder/dockerize) installed in your local `$PATH`
### Running everything on a single node (for development)
1. Run `export APP_HOST_NAME="<your IP address>"` with your machine's IPv4 address. Note: export this to the root user's environment because the script in the next step requires root privileges. Alternatively, you can create the directory `.env.d` and put the value into the file `.env.d/APP_HOST_NAME`.
1. optional: You probably will not be able to get a SSL certificate for the value in `APP_HOST_NAME`. In order to avoid the next step to fail, run: `touch .configure.notls`
1. optional: You may want skip the depenency installation stage of the config script, and do this yourself manually, run: `touch .configure.noinstall`
1. Add the following to your local `/etc/hosts` file:
```
127.0.0.1 snet-apps.local
127.0.0.1 keycloak.snet-apps.local
127.0.0.1 registration-authority.snet-apps.local
127.0.0.1 keytray.snet-apps.local
127.0.0.1 zuul.snet-apps.local
127.0.0.1 xnat.snet-apps.local
```
1. Run `export APP_HOST_NAME="snet-apps.local"`.
Note: export this to the root user's environment because the script in the next step requires root privileges. Alternatively, you can create the directory `.env.d` and put the value into the file `.env.d/APP_HOST_NAME`.
1. optional: You may want skip the depenency installation stage of the config script, and install any depenencies using an alternative method. run: `touch .configure.noinstall`
1. Run `sudo ./configure` and follow instructions until you get a green success message.
1. Run `docker network create snet-asclepios`
1. Run `find docker-compose/ -name *.yml -exec docker-compose -f {} up -d \;` to bring up the whole stack.
1. Run `find docker-compose/ -name *.yml -exec docker-compose --env-file .env -f {} up -d \;` to bring up the whole stack.
### SSL
1. optional: may want to enable TLS and get a SSL certificates for any applications that you are running on a public host
For this to work you will need to be running on a host which has port 80 and port 443 available on the public internet (for certbot)
```
mv docker-compose/notls-gateway.yml docker-compose/notls-gateway.yml.off
mv docker-compose/tls-gateway.yml.off mv docker-compose/tls-gateway.yml
docker network create snet-asclepios
docker-compose up --env-file .env -f docker-compose/<application definition>.yml up -d
docker-compose up --env-file .env -f docker-compose/tls-gateway up -d
```
### Set up Keycloak
......
upstream keycloak {
server 127.0.0.1:{{ .Env.KEYCLOAK_PORT }};
}
upstream registration_authority {
server 127.0.0.1:{{ .Env.REGISTRATION_AUTHORITY_PORT }};
}
server {
listen 80;
listen 443 ssl;
server_name {{ .Env.KEYCLOAK_HOST }};
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://keycloak;
}
ssl_certificate /etc/letsencrypt/live/{{ .Env.KEYCLOAK_HOST }}/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ .Env.KEYCLOAK_HOST }}/privkey.pem;
}
server {
listen 80;
listen 443 ssl;
server_name {{ .Env.REGISTRATION_AUTHORITY_HOST }};
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://registration_authority;
}
ssl_certificate /etc/letsencrypt/live/{{ .Env.REGISTRATION_AUTHORITY_HOST }}/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ .Env.REGISTRATION_AUTHORITY_HOST }}/privkey.pem;
}
......@@ -59,7 +59,6 @@ else
default-jre \
apache2-utils \
maven \
certbot nginx python-certbot-nginx \
python3-dotenv \
apt-transport-https ca-certificates curl gnupg lsb-release
......@@ -226,46 +225,12 @@ while read -r LINE ; do
done < "$DIRECTORY/.env.tpl" > "$DIRECTORY/.env"
# ----- nginx TLS reverse proxy -----
status "setting up TLS..."
if [ -f "$DIRECTORY/.configure.notls" ];then
echo -e "${RED}warning: skipping TLS configuration${NC}"
else
echo -e "${BRN}info: if you run this on your local machine, consider turning this feature" \
"off with \`touch .configure.notls\`.${NC}"
APP_HOST_NAME=$(cat "$DIRECTORY/.env.d/APP_HOST_NAME")
HOST_FN_LIST=($(find "$DIRECTORY/.env.d" -name '*_HOST' | xargs -L1 -I{} basename "{}") "APP_HOST_NAME")
for HOST_FN in "${HOST_FN_LIST[@]}"; do
HOST=$(cat "$DIRECTORY/.env.d/$HOST_FN")
echo -e "${BLU} - $HOST${NC}"
certbot certonly \
--nginx \
--non-interactive \
--domain "$HOST" \
--agree-tos \
--email 'ilka.schulz@htw-berlin.de'
done
docker run \
--env-file=$DIRECTORY/.env \
--rm \
-v "$DIRECTORY/conf-tpl/nginx.tpl:/tmp/dockerize_template" \
-v "/etc/nginx/sites-available/default:/tmp/dockerize_output" \
jwilder/dockerize dockerize \
-template "/tmp/dockerize_template:/tmp/dockerize_output"
/etc/init.d/nginx reload
fi
# ----- run bootstrap containers -----
status "generating TLS certificates..."
status "generating unsigned certificates and truststore for internal TLS..."
mkdir -p -m 700 -v "$DIRECTORY/certs"
"$DIRECTORY/bin/generate-cert" $ABAC_SERVER_KEY_ALIAS $ABAC_SERVER_KEYSTORE_PASSWORD $COMMON_TRUSTSTORE_PASSWORD ./certs
"$DIRECTORY/bin/generate-cert" $ABAC_SERVER_KEY_ALIAS $ABAC_SERVER_KEYSTORE_PASSWORD $COMMON_TRUSTSTORE_PASSWORD $DIRECTORY/certs
status "rendering config templates..."
......
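Review bot: The rewritten generate-cert line leaves `$DIRECTORY/certs` unquoted although the `mkdir` directly above quotes `"$DIRECTORY/certs"`, and it still passes `$ABAC_SERVER_KEYSTORE_PASSWORD` and `$COMMON_TRUSTSTORE_PASSWORD` as positional arguments, where they are visible to any local user in the process table for as long as generate-cert runs. Since the line is being touched anyway, quoting all five arguments is the minimum: `"$DIRECTORY/bin/generate-cert" "$ABAC_SERVER_KEY_ALIAS" "$ABAC_SERVER_KEYSTORE_PASSWORD" "$COMMON_TRUSTSTORE_PASSWORD" "$DIRECTORY/certs"`. If generate-cert (not in this page) can be changed, reading the two passwords from the environment or stdin instead of argv would remove the exposure; a comment such as `# passwords are passed on the command line and visible via ps while this runs` would at least document it. The surrounding script continues on both sides of the hunk.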
......@@ -14,8 +14,6 @@ services:
ABAC_SERVER_JPA_HIBERNATE_DDL_AUTO: ${ABAC_SERVER_JPA_HIBERNATE_DDL_AUTO}
ABAC_SERVER_ACCESS_KEY: ${ABAC_SERVER_ACCESS_KEY}
ABAC_SERVER_API_KEY: ${ABAC_SERVER_API_KEY}
# ABAC_SERVER_EXT_ATTRIBUTE_FINDERS: ${ABAC_SERVER_EXT_ATTRIBUTE_FINDERS}
# ABAC_SERVER_LIB_PATH: ${ABAC_SERVER_LIB_PATH}
expose:
- ${INTERNAL_ABAC_SERVER_PORT}
networks:
......@@ -40,13 +38,13 @@ services:
PDP_LOAD_BALANCE_METHOD: ${ABAC_ZUUL_PROXY_PDP_LOAD_BALANCE_METHOD}
PDP_RETRY_COUNT: ${ABAC_ZUUL_PROXY_PDP_RETRY_COUNT}
KEYCLOAK_ENABLED: ${ABAC_ZUUL_PROXY_KEYCLOAK_ENABLED}
KEYCLOAK_URL: ${KEYCLOAK_AUTH_ENDPOINT}
KEYCLOAK_URL: ${INTERNAL_KEYCLOAK_PROTOCOL}://${INTERNAL_KEYCLOAK_HOST}:${INTERNAL_KEYCLOAK_PORT}/auth
KEYCLOAK_REALM: ${KEYCLOAK_REALM}
KEYCLOAK_RESOURCE: ${KEYCLOAK_RESOURCE}
VIRTUAL_HOST: ${ZUUL_HOST}
VIRTUAL_PORT: ${INTERNAL_ZUUL_PORT}
expose:
- ${ZUUL_PORT}
ports:
- ${ZUUL_PORT}:${ZUUL_PORT}
- ${INTERNAL_ZUUL_PORT}
networks:
- snet-asclepios
volumes:
......
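Review bot: The zuul service gains `VIRTUAL_HOST`/`VIRTUAL_PORT` but, unlike keycloak and registration-authority in the identity-authority file, no `LETSENCRYPT_HOST`; the same gap applies to keytray, minio and xnat in the keytray compose hunks. If the tls-gateway stack pairs nginx-proxy with an ACME companion (the gateway file is not in this page), those four public hosts will get no certificate and will be served over plain HTTP or the proxy's default certificate, while the removal of their `ports:` mappings means nothing else serves them. Adding `LETSENCRYPT_HOST: ${ZUUL_HOST}` next to `VIRTUAL_HOST` here, and the equivalent line for the other three services, would make them consistent with keycloak. The zuul service definition starts above the hunk.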
......@@ -35,10 +35,11 @@ services:
DB_DATABASE: ${KEYCLOAK_DB_DATABASE}
DB_USER: ${KEYCLOAK_DB_USER}
DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
VIRTUAL_HOST: ${KEYCLOAK_HOST}
VIRTUAL_PORT: ${INTERNAL_KEYCLOAK_PORT}
LETSENCRYPT_HOST: ${KEYCLOAK_HOST}
expose:
- ${KEYCLOAK_PORT}
ports:
- ${KEYCLOAK_PORT}:${KEYCLOAK_PORT}
- ${INTERNAL_KEYCLOAK_PORT}
networks:
- snet-asclepios
......@@ -47,22 +48,20 @@ services:
container_name: registration-authority
environment:
MODE: ${REGISTRATION_AUTHORITY_MODE}
PORT: ${REGISTRATION_AUTHORITY_PORT}
PORT: ${INTERNAL_REGISTRATION_AUTHORITY_PORT}
VUE_ALLOWED_IP: ${REGISTRATION_AUTHORITY_HOST}
VUE_ALLOWED_ORIGINS: ${REGISTRATION_AUTHORITY_BASE_URL}
AZ_CALL_DISABLED: ${KEYTRAY_AZ_CALL_DISABLED}
# AZ_SERVER_ENDPOINTS: ${INTERNAL_ABAC_SERVER_PDP_ENDPOINT}
# AZ_CLIENT_TRUST_STORE_FILE: ${COMMON_TRUSTSTORE_FILE}
# AZ_CLIENT_TRUST_STORE_PASSWORD: ${COMMON_TRUSTSTORE_PASSWORD}
KEYCLOAK_URL: ${KEYCLOAK_AUTH_ENDPOINT}
KEYCLOAK_URL: ${INTERNAL_KEYCLOAK_PROTOCOL}://${INTERNAL_KEYCLOAK_HOST}:${INTERNAL_KEYCLOAK_PORT}/auth
KEYCLOAK_REALM: ${KEYCLOAK_REALM}
KEYCLOAK_CLIENT: ${KEYCLOAK_RESOURCE}
KEYCLOAK_ADMIN_USERNAME: ${KEYCLOAK_ADMIN_USER}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
VIRTUAL_HOST: ${REGISTRATION_AUTHORITY_HOST}
VIRTUAL_PORT: ${INTERNAL_REGISTRATION_AUTHORITY_PORT}
LETSENCRYPT_HOST: ${REGISTRATION_AUTHORITY_HOST}
expose:
- ${REGISTRATION_AUTHORITY_PORT}
ports:
- ${REGISTRATION_AUTHORITY_PORT}:${REGISTRATION_AUTHORITY_PORT}
- ${INTERNAL_REGISTRATION_AUTHORITY_PORT}
networks:
- snet-asclepios
volumes:
......
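Review bot: The services now pointed at `KEYCLOAK_URL: ${INTERNAL_KEYCLOAK_PROTOCOL}://${INTERNAL_KEYCLOAK_HOST}:${INTERNAL_KEYCLOAK_PORT}/auth` (registration-authority here, plus zuul, cpabe-server and keytray in the other compose files) will receive tokens whose `iss` is derived from the public URL browsers log in through, `${KEYCLOAK_BASE_URL}/auth`, and Keycloak adapters commonly compare `iss` against their configured auth-server URL. Unless Keycloak's frontend URL is pinned to the public host and it is told to honour the `X-Forwarded-*` headers nginx-proxy sets (the `DB_*` variables suggest the jboss/keycloak image, which reads `KEYCLOAK_FRONTEND_URL` and `PROXY_ADDRESS_FORWARDING`), validation against the internal URL may fail, or — if issuer checking is disabled to work around it — that check is silently lost. The keycloak environment block above the first hunk is not in view, so this may already be set; if so, a comment such as `# token issuer must match KEYCLOAK_BASE_URL — see KEYCLOAK_FRONTEND_URL on the keycloak service` beside the new KEYCLOAK_URL line would document the dependency. The registration-authority service continues below the hunk.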
......@@ -9,12 +9,12 @@ services:
MODE: ${CPABE_SERVER_MODE}
AZ_CLIENT_TRUST_STORE_FILE: ${COMMON_TRUSTSTORE_FILE}
AZ_CLIENT_TRUST_STORE_PASSWORD: ${COMMON_TRUSTSTORE_PASSWORD}
KEYCLOAK_URL: ${KEYCLOAK_AUTH_ENDPOINT}
KEYCLOAK_URL: ${INTERNAL_KEYCLOAK_PROTOCOL}://${INTERNAL_KEYCLOAK_HOST}:${INTERNAL_KEYCLOAK_PORT}/auth
KEYCLOAK_REALM: ${KEYCLOAK_REALM}
KEYCLOAK_CLIENT: ${KEYCLOAK_RESOURCE}
KEYCLOAK_ADMIN_USERNAME: ${KEYCLOAK_ADMIN_USER}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
KEYTRAY_URL: ${KEYTRAY_API_URL}
KEYTRAY_URL: ${INTERNAL_KEYTRAY_PROTOCOL}://${INTERNAL_KEYTRAY_HOST}:${INTERNAL_KEYTRAY_PORT}/api/v1
KEYCLOAK_CORS: ${CPABE_SERVER_KEYCLOAK_CORS}
expose:
- ${CPABE_SERVER_PORT}
......
......@@ -20,25 +20,22 @@ services:
depends_on:
- keytray-db
environment:
PORT: ${KEYTRAY_PORT}
PORT: ${INTERNAL_KEYTRAY_PORT}
DATABASE_IP: ${INTERNAL_KEYTRAY_DB_HOST}
DATABASE_PORT: ${INTERNAL_KEYTRAY_DB_PORT}
DATABASE_DB: ${KEYTRAY_DATABASE_DB}
DATABASE_USERNAME: ${KEYTRAY_DATABASE_USER}
DATABASE_PSW: ${KEYTRAY_DATABASE_ROOT_PASSWORD}
KEYCLOAK_URL: ${KEYCLOAK_AUTH_ENDPOINT}
KEYCLOAK_URL: ${INTERNAL_KEYCLOAK_PROTOCOL}://${INTERNAL_KEYCLOAK_HOST}:${INTERNAL_KEYCLOAK_PORT}/auth
KEYCLOAK_REALM: ${KEYCLOAK_REALM}
KEYCLOAK_CLIENT: ${KEYCLOAK_RESOURCE}
AZ_CALL_DISABLED: ${KEYTRAY_AZ_CALL_DISABLED}
# AZ_SERVER_ENDPOINTS: ${INTERNAL_ABAC_SERVER_PDP_ENDPOINT}
# AZ_CLIENT_TRUST_STORE_FILE: ${COMMON_TRUSTSTORE_FILE}
# AZ_CLIENT_TRUST_STORE_PASSWORD: ${COMMON_TRUSTSTORE_PASSWORD}
VIRTUAL_HOST: ${KEYTRAY_HOST}
VIRTUAL_PORT: ${INTERNAL_KEYTRAY_PORT}
networks:
- snet-asclepios
expose:
- ${KEYTRAY_PORT}
ports:
- ${KEYTRAY_PORT}:${KEYTRAY_PORT}
- ${INTERNAL_KEYTRAY_PORT}
volumes:
- ../certs/common/common-truststore.p12:/etc/certs/common-truststore.p12
......@@ -65,7 +62,7 @@ services:
DJANGO_LOGLEVEL: ${SSE_SERVER_DJANGO_LOGLEVEL}
DJANGO_DEBUG: ${SSE_SERVER_DJANGO_DEBUG}
DJANGO_SECRET_KEY: ${SSE_SERVER_DJANGO_SECRET_KEY}
ALLOWED_HOSTS: "${APP_HOST_NAME} ${INTERNAL_SSE_SERVER_HOST}"
ALLOWED_HOSTS: "${ZUUL_HOST} ${INTERNAL_SSE_SERVER_HOST}"
DB_NAME: ${SSE_DB_NAME}
DB_USER: ${SSE_DB_USER}
DB_PASSWORD: ${SSE_DB_PASSWORD}
......@@ -118,7 +115,7 @@ services:
KS: ${SSE_TA_KS}
TEEP_SERVER: ${INTERNAL_TEEP_SERVER_ENDPOINT}
SGX: ${SSE_TA_SGX}
ALLOWED_HOSTS: "${APP_HOST_NAME} ${INTERNAL_SSE_TA_HOST}"
ALLOWED_HOSTS: "${ZUUL_HOST} ${INTERNAL_SSE_TA_HOST}"
expose:
- ${INTERNAL_SSE_TA_PORT}
networks:
......@@ -133,10 +130,10 @@ services:
environment:
MINIO_ROOT_USER: ${MINIO_ROOT_USER}
MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
VIRTUAL_HOST: ${MINIO_HOST}
VIRTUAL_PORT: ${INTERNAL_MINIO_PORT}
expose:
- ${MINIO_PORT}
ports:
- ${MINIO_PORT}:${MINIO_PORT}
- ${INTERNAL_MINIO_PORT}
networks:
- snet-asclepios
volumes:
......@@ -195,12 +192,12 @@ services:
DEBUG: ${SSE_CLIENT_DEBUG}
AUTH: ${SSE_CLIENT_AUTH}
SMALL_FILE: ${SSE_CLIENT_SMALL_FILE}
VIRTUAL_HOST: ${XNAT_HOST}
VIRTUAL_PORT: ${INTERNAL_XNAT_PORT}
networks:
- snet-asclepios
expose:
- ${XNAT_PORT}
ports:
- ${XNAT_PORT}:${XNAT_PORT}
- ${INTERNAL_XNAT_PORT}
volumes:
- ../data/xnat/logs:/data/xnat/home/logs
- ../data/xnat/archive:/data/xnat/archive
......