-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
SEAB-465 Load balancer will handle SSL termination, so remove https handling. Co-authored-by: Denis Yuen <[email protected]>
- Loading branch information
1 parent
0d9010b
commit e4c0151
Showing
8 changed files
with
116 additions
and
184 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,6 +2,9 @@ | |
| This project documents how to setup Dockstore staging and production using composed Docker containers. | ||
| Log issues and see general documentation at [dockstore](https://github.com/ga4gh/dockstore/issues) and [docs.dockstore.org](https://docs.dockstore.org/) respectively | ||
|
|
||
| Ports 80 and 8443 are exposed over http. These ports should not be exposed to the public. A separately [configured load | ||
| balancer](https://github.com/dockstore/dockstore-deploy) is responsible for SSL termination and forwarding traffic to this instance. Previously this repo handled the SSL termination with nginx and LetsEncrypt. | ||
|
|
||
| ## Prerequisities | ||
|
|
||
| 1. Tested on Ubuntu 16.04.3 LTS | ||
|
|
@@ -12,40 +15,28 @@ Log issues and see general documentation at [dockstore](https://github.com/ga4gh | |
|
|
||
| ## Usage | ||
|
|
||
| 1. Create a HTTP certificate if you want to run in HTTPS mode. Note that you'll actually have to create the certificate while nginx\_http is up and running. | ||
| ``` | ||
| docker run -it --rm -v composesetup_certs:/etc/letsencrypt -v composesetup_certs-data:/data/letsencrypt certbot/certbot certonly --agree-tos -m <your email address here> --webroot --webroot-path=/data/letsencrypt --staging -d staging.dockstore.org -d staging.dockstore.org | ||
| ``` | ||
| Change --staging as necessary and the domain names as necessary to match where you are tryign to setup Dockstore. Additionally, let's encrypt certificates expire in 90 days, you will want to renew them and restart nginx to pick up the new certificates. For example, for renewing staging on a monthly basis, stick this in the crontab | ||
|
|
||
| ``` | ||
| docker run -it --rm -v composesetup_certs:/etc/letsencrypt -v composesetup_certs-data:/data/letsencrypt certbot/certbot renew | ||
| docker-compose restart nginx_dockstore | ||
| ``` | ||
|
|
||
| 2. Call the install\_bootstrap script. This templates the contents of `templates` using mustache to the `config` directory while recording your answers for future use. Note that this will also | ||
| 1. Call the install\_bootstrap script. This templates the contents of `templates` using mustache to the `config` directory while recording your answers for future use. Note that this will also | ||
| rebuild your docker images without affecting existing running containers | ||
|
|
||
| 3. Some additional information on the answers requested in the script | ||
| 2. Some additional information on the answers requested in the script | ||
| 1. Each integration requires a client id and a secret, it is worth saying that you should not check these in | ||
| 2. The discourse URL is needed to link Dockstore to a discussion forum | ||
| 3. the Google verification code and tag manager ID are used if you want to properly track visitors to Dockstore and what pages they browse to | ||
|
|
||
| 4. The bootstrap script can also rebuild your Docker images. Keep in mind the following handy commands: | ||
| 3. The bootstrap script can also rebuild your Docker images. Keep in mind the following handy commands: | ||
| 1. `install_bootstrap --script` will template and build everything using your previous answers (useful for quick iteration) | ||
| 2. `docker-compose down` will bring all containers down safely | ||
| 3. `nohup docker-compose up --force-recreate --remove-orphans >/dev/null 2>&1 &` will re-create all containers known to docker-compose and delete those volumes that no longer are associated with running containers | ||
| 4. `docker system prune` for cleaning out old containers and images | ||
| 5. To watch the logs `docker-compose logs --follow` while debugging | ||
|
|
||
| 5. After following the instructions in the bootstrap script and starting up the site with `docker-compose`, you can browse to the Dockstore site hosted at port 443 by default. `https://<domain-name>` if you specified https or `http://<domain-name>:443` if you did not. | ||
| 4. After following the instructions in the bootstrap script and starting up the site with `docker-compose`, you can browse to the Dockstore site hosted at port 443 by default. `https://<domain-name>` if you specified https or `http://<domain-name>:443` if you did not. | ||
|
|
||
| 6. Note that the following volumes are created, `composesetup_certs` and `composesetup_certs-data` for https certificates, `composesetup_esdata1` for ephermeral elastic search data, `composesetup_log_volume` for logging, and `composesetup_ui2_content` for storing the built UIs before they are handed off the nginx for service. | ||
| 5. Note that the following volumes are created, `composesetup_esdata1` for ephermeral elastic search data, `composesetup_log_volume` for logging, and `composesetup_ui2_content` for storing the built UIs before they are handed off the nginx for service. | ||
|
|
||
| 7. For database backups, you can use a script setup in the cron for the host | ||
| 6. For database backups, you can use a script setup in the cron for the host | ||
|
|
||
| ``` | ||
| @monthly docker run -it --rm -v composesetup_certs:/etc/letsencrypt -v composesetup_certs-data:/data/letsencrypt certbot/certbot renew && docker-compose restart nginx_https && curl -sm 30 k.wdt.io/[email protected]/staging.https.renew?c=0_0_1_*_* | ||
| @daily (echo '['`date`'] Nightly Back-up' && /home/ubuntu/compose_setup/scripts/postgres_backup.sh) 2>&1 | tee -a /home/ubuntu/compose_setup/scripts/ds_backup.log | ||
| ``` | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,94 @@ | ||
| # Expires map | ||
| map $sent_http_content_type $expires { | ||
| default off; | ||
| text/html epoch; | ||
| text/css 86400; | ||
| application/javascript 86400; | ||
| application/octet-stream 604800; | ||
| ~image/ 604800; | ||
| } | ||
|
|
||
| server { | ||
| listen 80; | ||
| listen [::]:80; | ||
| server_name {{ DOMAIN_NAME }}; | ||
| server_name default_server; | ||
| include /etc/nginx/conf.d/default.nginx_http.shared.conf; | ||
| # listen 4200 http2; | ||
| # http2 not working over http for me | ||
| listen 4200; | ||
|
|
||
| ## | ||
| # `gzip` Settings | ||
| # https://www.digitalocean.com/community/tutorials/how-to-add-the-gzip-module-to-nginx-on-ubuntu-14-04 | ||
| # | ||
| gzip on; | ||
| gzip_disable "msie6"; | ||
|
|
||
| gzip_vary on; | ||
| gzip_proxied any; | ||
| gzip_comp_level 6; | ||
| gzip_buffers 16 8k; | ||
| gzip_http_version 1.1; | ||
| gzip_min_length 256; | ||
| gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon application/javascript; | ||
|
|
||
| expires $expires; | ||
|
|
||
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | ||
|
|
||
| # used to redirect swagger.json as retrieved by swagger ui without changes | ||
| location = /swagger.json { | ||
| #proxy_pass http://webservice:8080/swagger.json; | ||
| rewrite ^/(.*)$ http{{#HTTPS}}s{{/HTTPS}}://{{ DOMAIN_NAME}}/api/swagger.json permanent; | ||
| } | ||
|
|
||
| # used when port 8443 was unreachable from google | ||
| location = /sitemap.txt { | ||
| proxy_pass http://webservice:8080/metadata/sitemap; | ||
| } | ||
|
|
||
| location = /rss.xml { | ||
| proxy_pass http://webservice:8080/metadata/rss; | ||
| } | ||
|
|
||
| location /static { | ||
| proxy_pass http://webservice:8080/static; | ||
| } | ||
|
|
||
| location /api/ { | ||
| rewrite ^ $request_uri; | ||
| rewrite ^/api/(.*) $1 break; | ||
| return 400; | ||
| proxy_pass http://webservice:8080/$uri; | ||
| } | ||
|
|
||
| location /robots.txt { | ||
| root /usr/share/nginx/html2; | ||
| rewrite ^ /robots.txt break; | ||
| } | ||
|
|
||
| location / { | ||
| rewrite ^ http{{#HTTPS}}s{{/HTTPS}}://$host$request_uri? permanent; | ||
| root /usr/share/nginx/html2; | ||
| index index.html index.htm; | ||
| try_files $uri $uri/ /index.html =404; | ||
| } | ||
|
|
||
| error_page 500 502 503 504 /50x.html; | ||
| location = /50x.html { | ||
| root /usr/share/nginx/html2; | ||
| } | ||
| } | ||
|
|
||
| # Port 8443 | ||
| server { | ||
| server_name default_server; | ||
| include /etc/nginx/conf.d/default.nginx_http.shared.conf; | ||
| listen 8080; | ||
|
|
||
| location ^~ /.well-known { | ||
| allow all; | ||
| root /data/letsencrypt/; | ||
| location /static { | ||
| rewrite ^/(.*)$ https://$hostname/$1 permanent; | ||
| proxy_pass http://webservice:8080/static; | ||
| } | ||
|
|
||
| location / { | ||
| proxy_pass http://webservice:8080; | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| error_page 404 /index.html; | ||
|
|
||
| proxy_connect_timeout 600; | ||
| proxy_send_timeout 600; | ||
| proxy_read_timeout 600; | ||
| send_timeout 600; | ||
|
|
||
| proxy_set_header Host $host; | ||
| proxy_set_header X-Real-IP $remote_addr; | ||
| proxy_set_header X-Forwarded-Proto https; | ||
| proxy_set_header X-Forwarded-For $remote_addr; | ||
| proxy_set_header X-Forwarded-Host $remote_addr; | ||
|
|
||
| # Limit body size of a request to 50K to protect Java server from DOS attacks. | ||
| client_max_body_size 50k; |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,4 @@ | ||
| User-Agent: * | ||
| Allow: / | ||
|
|
||
| Sitemap: http{{#HTTPS}}s{{/HTTPS}}://{{ DOMAIN_NAME }}/robots.txt; | ||
| Sitemap: http{{#HTTPS}}s{{/HTTPS}}://{{ DOMAIN_NAME }}/sitemap.txt; |