
Updated SSL Certificate approach for #14 (#15)
* Updated SSL Certificate approach for #14

* Fixed and simplified NGinx config and added certificate management for #14
pmanko authored Oct 13, 2021
1 parent 4c83bea commit 3837b18
Showing 5 changed files with 172 additions and 155 deletions.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -46,6 +46,16 @@ cd hie-botswana
### 4. Boot up Docker containers
See step #3 in [Install Instructions](https://github.com/B-TECHBW/hie-botswana#install-instructions) section

## Certificate Management
For AWS setups, we use Letsencrypt to provide SSL certificates for the domain. See https://nandovieira.com/using-lets-encrypt-in-development-with-nginx-and-aws-route53
for more guidance.

Certificates are grabbed/managed by the certbot service in the `docker-compose.yaml` file. This service requires the following variables: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. See https://certbot-dns-route53.readthedocs.io/en/stable/ for information on how to obtain these values in AWS.

Certificate generation and renewal will eventually be automated, but currently can be run with the following command:
`sudo -E docker-compose up certbot`

The certificates are loaded into the `certs` volume, which can be mounted in any other docker container, and is primarily used by Nginx.
## Components
- NGINX Reverse Proxy
- Open Client Registry (https://github.com/intrahealth/client-registry)
143 changes: 20 additions & 123 deletions configs/nginx/nginx.conf
Expand Up @@ -6,7 +6,13 @@ http {
fastcgi_read_timeout 1d;
client_max_body_size 1024M;
proxy_read_timeout 1d;


ssl_certificate /etc/letsencrypt/live/moh.org.bw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/moh.org.bw/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

# Redirect to use https
server {
listen 80 default_server;
Expand All @@ -20,162 +26,62 @@ http {
listen 443 ssl;
server_name moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://openhim-console;

set $upstream openhim-console;
proxy_pass http://$upstream;
}
}

server {
listen 443 ssl;
server_name core.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass https://openhim-core:8080;

set $upstream openhim-core;
proxy_pass https://$upstream:8080;
}
}

server {
listen 443 ssl;
server_name openhim.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass https://openhim-core:5000;
}
}

server {
listen 443 ssl;
server_name opencr-fhir.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://opencr-fhir:8080;
}
}

server {
listen 443 ssl;
server_name shr-fhir.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://shr-fhir:8080;
set $upstream openhim-core;
proxy_pass https://$upstream:5000;
}
}


server {
listen 443 ssl;
server_name es.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://es:9200;
}
}


server {
listen 80;
server_name openhim.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://openhim-core:5001;
}
}


# Mediators:
server {
listen 443 ssl;
server_name shr.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;

set $upstream shr;
proxy_pass http://$upstream:3000;
}
Expand All @@ -186,18 +92,13 @@ http {
listen 443 ssl;
server_name opencr.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;

set $upstream opencr;
proxy_pass http://$upstream:3000;
}
Expand All @@ -207,19 +108,15 @@ http {
listen 443 ssl;
server_name hl72fhir.moh.org.bw;

ssl_certificate /etc/letsencrypt/fullchain2.pem;
ssl_certificate_key /etc/letsencrypt/privkey2.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;

set $upstream fhir-converter;
proxy_pass http://fhir-converter:2019;
proxy_pass http://$upstream:2019;
}
}
}
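Review bot: The `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line that the first hunk hoists into the `http` block still enables TLS 1.0 and 1.1, which are deprecated, and it now applies to every `listen 443 ssl` server in one place; the identical line is added at the top of the new configs/nginx/nginx.dev.conf. Since the certificate and protocol settings are now shared, this is the moment to tighten them: `ssl_protocols TLSv1.2 TLSv1.3;` (drop TLSv1.3 if the nginx/OpenSSL build in the image does not support it) and `ssl_prefer_server_ciphers on;` next to the existing `ssl_ciphers` directive. `HIGH:!aNULL:!MD5` also still admits non-forward-secret RSA key exchange and CBC suites, so a modern ECDHE-only cipher list is worth considering at the same time. The enclosing `http` block starts and ends outside the shown hunks.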
117 changes: 117 additions & 0 deletions configs/nginx/nginx.dev.conf
@@ -0,0 +1,117 @@
events {
worker_connections 4096;
}

http {
fastcgi_read_timeout 1d;
client_max_body_size 1024M;
proxy_read_timeout 1d;

ssl_certificate /etc/letsencrypt/live/moh.org.bw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/moh.org.bw/privkey.pem;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;


# Redirect to use https
server {
listen 80 default_server;

server_name _;

return 301 https://$host$request_uri;
}

server {
listen 443 ssl;
server_name moh.org.bw;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://openhim-console;
}
}

server {
listen 443 ssl;
server_name core.moh.org.bw;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass https://openhim-core:8080;
}
}

server {
listen 443 ssl;
server_name openhim.moh.org.bw;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
set $upstream shr;
proxy_pass https://$upstream:5000;
}
}


# Mediators:
server {
listen 443 ssl;
server_name shr.moh.org.bw;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
set $upstream shr;
proxy_pass http://$upstream:3000;
}
}


server {
listen 443 ssl;
server_name opencr.moh.org.bw;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;
set $upstream opencr;
proxy_pass http://$upstream:3000;
}
}

server {
listen 443 ssl;
server_name hl72fhir.moh.org.bw;

location / {
resolver 127.0.0.11 valid=30s;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_redirect off;

set $upstream fhir-converter;
proxy_pass http://$upstream:2019;
}
}
}
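Review bot: In the `openhim.moh.org.bw` server block the new file sets `set $upstream shr;` and then `proxy_pass https://$upstream:5000;`, which routes the OpenHIM API hostname to the SHR mediator container, whereas the production configs/nginx/nginx.conf in this same commit sets `set $upstream openhim-core;` for that host; this looks like a copy-paste from the `shr.moh.org.bw` block below it. Unless the dev stack really serves port 5000 on `shr`, the line should read `set $upstream openhim-core;`. The `moh.org.bw` and `core.moh.org.bw` blocks also pass literal container names to `proxy_pass` despite declaring a `resolver`; nginx resolves a literal `proxy_pass` host once at load time, so the config is likely to fail to start when those containers are absent, which the `set $upstream` form used in the other blocks avoids — worth making the file consistent. The `https://openhim-core:8080` upstream is proxied with nginx's default of no upstream certificate verification, which is fine on an internal Docker network but deserves a one-line comment saying so.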
Empty file modified dist/package/docker/.gitkeep
100644 → 100755
Empty file.
