Merge pull request #172 from FlowFuse/feat-custom-app-domain

feat: Add possibility to run application on custom domain name
FlowFuse · Nov 26, 2024 · 251b10f · 251b10f
2 parents 541f4a6 + 2e42dbd
commit 251b10f
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 20 deletions.
diff --git a/.env.example b/.env.example
@@ -1,9 +1,12 @@
 DOMAIN=
+APPLICATION_DOMAIN=""
 
 ### TLS certificates configuration
 TLS_ENABLED=""
 TLS_CERTIFICATE=""
 TLS_KEY=""
+APP_TLS_CERTIFICATE=""
+APP_TLS_KEY=""
 
 ### Database configuration
 DB_HOST=""
@@ -17,3 +20,6 @@ EMAIL_PORT=587
 EMAIL_SECURE=""
 EMAIL_USER=""
 EMAIL_PASSWORD=""
+
+### Docker Driver options
+DOCKER_DRIVER_PRIVATE_CA_PATH=""
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -38,7 +38,6 @@ This allows for easier management of the platform and better separation of conce
 
     ```bash
     curl -o docker-compose-new.yml https://raw.githubusercontent.com/flowfuse/docker-compose/main/docker-compose.yml
-    curl -o docker-compose-tls.override.new.yml https://raw.githubusercontent.com/flowfuse/docker-compose/main/docker-compose-tls.override.yml
     curl -o .env https://raw.githubusercontent.com/flowfuse/docker-compose/main/.env.example
     ```
 
@@ -48,6 +47,8 @@ This allows for easier management of the platform and better separation of conce
   * Make sure, that `broker.url` is seto fo `mqtt://broker:1883`. Update if needed.
 * Copy content of `./etc/flowforge-storage.yml` file to `docker-compose-new.yml` file, to `configs.flowfuse_storage.content` section. Remove all commented lines. Maintain indentation.
 * Set the `DOMAIN` variable in the `.env` file to the domain used by your instance of FlowFuse platform.
+* If FlowFuse application is running outside of the `DOMAIN` scope, set it as a value of `APPLICATION_DOMAIN` variable in the `.env` file.
+* If application should be accessible via seured connection (HTTPS), set `TLS_ENABLED` variable to `true` in `.env` file.
 * If custom certificates are used, copy their content to `.env` file, to `TLS_CERTIFICATE` and `TLS_KEY` variables. They should look like this:
 
   ```bash
@@ -69,6 +70,28 @@ This allows for easier management of the platform and better separation of conce
   "
   ```
 
+* If custom certificates are used and FlowFuse application is running on a different domain than other stack components (defined in `APPLICATION_DOMAIN` variable), 
+  use `APP_TLS_CERTIFICATE` and `APP_TLS_KEY` variabls to provide certificate and it's key. They should look like this:
+
+ ```bash
+  APP_TLS_CERTIFICATE="
+  -----BEGIN CERTIFICATE-----
+  MIIFfzCCBKegAwIBAgISA0
+  ...
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIIFfzCCBKegAwIBAgISA0
+  ...
+  -----END CERTIFICATE-----
+  "
+  APP_TLS_KEY="
+  -----BEGIN PRIVATE KEY-----
+  MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD
+  ...
+  -----END PRIVATE KEY-----
+  "
+  ```
+
 4. **Migrate database files**
 
     Move the database files from host to the new volume. This will allow you to keep the existing data.
@@ -98,7 +121,6 @@ This allows for easier management of the platform and better separation of conce
     ```bash
     mv docker-compose.yml docker-compose-old.yml
     mv docker-compose-new.yml docker-compose.yml
-    mv docker-compose-tls.override.new.yml docker-compose-tls.override.yml
     ```
 
 6. **Start FlowFuse**
@@ -107,13 +129,7 @@ This allows for easier management of the platform and better separation of conce
 
     * With automatic TLS certificate generation:
     ```bash
-    docker compose -f docker-compose.yml -f docker-compose-tls.override.yml --profile autossl -p flowfuse up -d
-    ```
-
-    * With custom TLS certificate:
-
-    ```bash
-    docker compose -f docker-compose.yml -f docker-compose-tls.override.yml -p flowfuse up -d
+    docker compose -f docker-compose.yml --profile autotls -p flowfuse up -d
     ```
 
     * In all other cases

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -6,7 +6,7 @@ configs:
       port: 3000
       host: 0.0.0.0
       domain: ${DOMAIN:?error}
-      base_url: http${TLS_ENABLED:+s}://forge.${DOMAIN:?error}
+      base_url: http${TLS_ENABLED:+s}://${APPLICATION_DOMAIN:-forge.${DOMAIN}}
       api_url: http://forge:3000
       create_admin: ${CREATE_ADMIN:-false}
       db:
@@ -17,7 +17,7 @@ configs:
         password: ${DB_PASSWORD:-secret}
       email:
         enabled: ${EMAIL_ENABLED:-false}
-        from: '"FlowFuse" <flowfuse@${DOMAIN:?error}>'
+        from: '"FlowFuse" <flowfuse@${APPLICATION_DOMAIN:-forge.${DOMAIN}}>'
         smtp:
           host: ${EMAIL_HOST}
           port: ${EMAIL_PORT:-587}
@@ -29,6 +29,7 @@ configs:
         type: docker
         options:
           socket: /tmp/docker.sock
+          ${DOCKER_DRIVER_PRIVATE_CA_PATH:+privateCA: ${DOCKER_DRIVER_PRIVATE_CA_PATH}}
       broker:
         url: mqtt://broker:1883
         public_url: ws${TLS_ENABLED:+s}://mqtt.${DOMAIN:?error}
@@ -59,10 +60,14 @@ configs:
   nginx:
     content: |
       client_max_body_size 5m;
-  nginx_tls_crt:
+  nginx_main_tls_crt:
     environment: TLS_CERTIFICATE
-  nginx_tls_key:
+  nginx_main_tls_key:
     environment: TLS_KEY
+  nginx_app_tls_crt:
+    environment: APP_TLS_CERTIFICATE
+  nginx_app_tls_key:
+    environment: APP_TLS_KEY
   nginx_stream:
     content: |
       # stream {
@@ -408,18 +413,22 @@ services:
     configs:
       - source: nginx
         target: /etc/nginx/conf.d/my_proxy.conf
-      - source: nginx_tls_crt
+      - source: nginx_main_tls_crt
         target: /etc/nginx/certs/${DOMAIN:?error}.crt
-      - source: nginx_tls_key
+      - source: nginx_main_tls_key
         target: /etc/nginx/certs/${DOMAIN:?error}.key
+      - source: nginx_app_tls_crt
+        target: /etc/nginx/certs/${APPLICATION_DOMAIN:-forge.${DOMAIN}}.crt
+      - source: nginx_app_tls_key
+        target: /etc/nginx/certs/${APPLICATION_DOMAIN:-forge.${DOMAIN}}.key
       - source: nginx_stream
         target: /etc/nginx/toplevel.conf.d/mqtt.conf
     ports:
       - "80:80"
       - "443:443"
       - "1884:1884"
     environment:
-      - "HTTPS_METHOD=redirect"
+      - HTTPS_METHOD=${TLS_ENABLED:+redirect}
 
   postgres:
     image: postgres:14
@@ -448,9 +457,9 @@ services:
       timeout: 25s
       retries: 5
     environment:
-      - "VIRTUAL_HOST=broker.${DOMAIN:?error}"
+      - "VIRTUAL_HOST=broker.${DOMAIN:?error},mqtt.${DOMAIN:?error}"
       - "VIRTUAL_PORT=8080"
-      - "LETSENCRYPT_HOST=broker.${DOMAIN:?error}"
+      - "LETSENCRYPT_HOST=broker.${DOMAIN:?error},mqtt.${DOMAIN:?error}"
       - "EMQX_DASHBOARD__DEFAULT_PASSWORD=topSecret"
     configs:
       - source: emqx
@@ -465,8 +474,8 @@ services:
       - flowforge
     restart: always
     environment:
-      - "VIRTUAL_HOST=forge.${DOMAIN:?error}"
-      - "LETSENCRYPT_HOST=forge.${DOMAIN:?error}"
+      - "VIRTUAL_HOST=${APPLICATION_DOMAIN:-forge.${DOMAIN}}"
+      - "LETSENCRYPT_HOST=${APPLICATION_DOMAIN:-forge.${DOMAIN}}"
     configs:
       - source: flowfuse
         target: /usr/src/forge/etc/flowforge.yml