Commit 7b91efcd authored by Robin Tissot's avatar Robin Tissot

Make SSL config optional and easy to set up.

parent d7ccb150
CELERY_MAIN_CORES=2
CELERY_LOW_CORES=2
FLOWER_BASIC_AUTH=flower:whatever
DOMAIN=localhost
......@@ -34,6 +34,9 @@ sys.path.append(APPS_DIR)
SITE_ID = 1
SECRET_KEY = os.getenv('SECRET_KEY', 'a-beautiful-snowflake')
# SECURE_SSL_REDIRECT = os.getenv('SECURE_SSL_REDIRECT', False) == 'True' # should be done by nginx
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = os.getenv('DEBUG', False)
......
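Review bot: `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` makes Django trust an `X-Forwarded-Proto: https` header from whatever reaches the app, so `request.is_secure()` and everything built on it (secure-cookie and CSRF origin checks) can be spoofed by any client that can reach `web:8000` without going through nginx. Both nginx configs in this commit overwrite the header with `uwsgi_param HTTP_X_FORWARDED_PROTO $scheme`, which is half of the contract; the other half — that the web container is never published outside the compose network — is not visible here and should be recorded next to the setting, e.g. `# Only safe because nginx always overwrites X-Forwarded-Proto and web:8000 is never exposed directly.` Separately, `DEBUG = os.getenv('DEBUG', False)` is truthy for any non-empty string, including `'False'`; if that line is part of this change, `DEBUG = os.getenv('DEBUG', 'False') == 'True'` would match the pattern the commented `SECURE_SSL_REDIRECT` line uses.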
......@@ -37,15 +37,16 @@ services:
nginx:
build: ./nginx
environment:
- SERVERNAME=${DOMAIN:-localhost}
volumes:
- static:/usr/src/app/static
- media:/usr/src/app/media
- ./nginx/certs/:/etc/certs
ports:
- 8080:80
- 443:443
depends_on:
- web
- channelserver
# elasticsearch:
# image: docker.elastic.co/elasticsearch/elasticsearch:6.5.1
......@@ -110,7 +111,7 @@ services:
expose:
- 25
environment:
- PRIMARY_HOST=${DOMAIN}
- PRIMARY_HOST=${DOMAIN:-localhost}
- ALLOWED_HOSTS=web ; celery-main ; celery-low-priority; docker0
volumes:
......
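Review bot: `SERVERNAME` is passed to the nginx container, but nothing in this commit expands `${SERVERNAME:-localhost}` inside the conf files — the `nginx:1.15.0-alpine` image predates the built-in envsubst templating and the Dockerfile only `COPY`s the file — so nginx reads that literal string as its server name. Unless an entrypoint not shown here renders the template, either hard-code `server_name localhost;` in the default conf or add a small entrypoint that runs `envsubst` over it; note that `envsubst` understands `${SERVERNAME}` but not the shell `:-` default, so the default has to come from the compose `environment` as it already does here. If the `./nginx/certs/:/etc/certs` bind mount is kept on the new side, it also shadows the `cert.pem`/`key.pem` the Dockerfile now bakes into the same directory, so the image's copies would never be used by this compose file. Minor: quote the port mappings (`"8080:80"`, `"443:443"`) as the production compose file does, to stay clear of YAML implicit typing.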
FROM nginx:1.15.0-alpine
RUN rm /etc/nginx/conf.d/default.conf
COPY nginx.conf /etc/nginx/conf.d
\ No newline at end of file
ARG NGINX_CONF=nginx.conf
ARG SSL_CERT=./certs/fullchain.pem
ARG SSL_KEY=./certs/privkey.pem
COPY ${NGINX_CONF} /etc/nginx/conf.d/nginx.conf
COPY ${SSL_CERT} /etc/certs/cert.pem
COPY ${SSL_KEY} /etc/certs/key.pem
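Review bot: `COPY ${SSL_KEY} /etc/certs/key.pem` bakes the TLS private key into an image layer, so anyone who can pull the image, read the build cache, or run `docker history`/`docker save` on the host gets the key, and every certbot renewal then needs an image rebuild. Prefer keeping key material out of the image and mounting the cert directory at runtime (`/etc/letsencrypt/live/$DOMAIN:/etc/certs:ro` in compose, which the removed compose line suggests was the previous approach) or using a Compose/Swarm secret; the `SSL_CERT`/`SSL_KEY` build args can then go. Note also that the defaults `./certs/fullchain.pem` and `./certs/privkey.pem` must exist in the build context or the `COPY` fails, so the non-SSL build is only "optional" if placeholder files are committed — I cannot see whether they are.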
......@@ -9,13 +9,11 @@ upstream websocket {
server {
listen 80 default_server;
listen 80;
charset utf-8;
client_max_body_size 150M;
listen 443 ssl;
ssl_certificate /etc/certs/fullchain.pem;
ssl_certificate_key /etc/certs/privkey.pem;
server_name ${SERVERNAME:-localhost};
location /ws/ {
proxy_pass http://websocket;
......@@ -32,9 +30,11 @@ server {
location / {
uwsgi_pass escriptorium;
# include /usr/src/app/escriptorium/uwsgi_params;
include uwsgi_params;
uwsgi_param HTTP_X_FORWARDED_PROTO $scheme;
proxy_pass http://escriptorium;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
......
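Review bot: `location /` on the new side carries both `uwsgi_pass escriptorium;` and `proxy_pass http://escriptorium;` for the same upstream; nginx installs one content handler per location, so only one of the two takes effect and the other is dead config that also implies the wrong wire protocol for `web:8000` (uwsgi protocol vs plain HTTP). Keep whichever matches what the `web` container actually speaks and drop the other together with its `uwsgi_param`/`proxy_set_header` lines; the same pair is duplicated in the new `ssl.conf`. Also, since nothing in this commit expands `${SERVERNAME:-localhost}`, `server_name` ends up as that literal string — harmless for a single-server config, but worth a comment if intentional. The `server` block continues past the end of this hunk.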
upstream escriptorium {
server web:8000;
# server unix:/usr/src/app/escriptorium/app.sock;
}
upstream websocket {
server channelserver:5000;
}
# include /etc/nginx/auth_part1.conf;
server {
listen 443 ssl http2;
charset utf-8;
client_max_body_size 150M;
server_name ${SERVERNAME:-localhost};
ssl_certificate /etc/certs/cert.pem;
ssl_certificate_key /etc/certs/key.pem;
# Performance + Privacy improvements
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/certs/cert.pem;
resolver 8.8.8.8 208.67.222.222 valid=300s;
resolver_timeout 5s;
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# ssl_dhparam /etc/nginx/dhparams.pem;
location /.well-known/acme-challenge {
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
default_type "text/plain";
root /usr/share/nginx/html;
try_files $uri =404;
}
location / {
uwsgi_pass escriptorium;
include uwsgi_params;
uwsgi_param HTTP_X_FORWARDED_PROTO $scheme;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://escriptorium;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 900s;
}
location /static/ {
alias /usr/src/app/static/;
}
location /media/ {
alias /usr/src/app/media/;
}
location = /robots.txt {
alias /usr/src/app/static/robots.txt;
}
}
server {
listen 80;
server_name ${SERVERNAME:-localhost};
location /.well-known/acme-challenge {
default_type "text/plain";
root /usr/share/nginx/html;
try_files $uri =404;
}
location = /silent_liveness_check {
access_log off;
return 301 https://$server_name$request_uri;
}
location / {
return 301 https://$server_name$request_uri;
}
}
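Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both deprecated (RFC 8996) and flagged by every TLS scanner; the Mozilla generator linked in the comment above no longer emits them for its intermediate profile. Change it to `ssl_protocols TLSv1.2;` (add `TLSv1.3` only if the image's OpenSSL supports it — `nginx:1.15.0-alpine` most likely does not). Two smaller points: `ssl_trusted_certificate` for `ssl_stapling_verify` needs the issuer chain, which holds only while `cert.pem` is a copy of `fullchain.pem` as the Dockerfile's default assumes — worth a comment; and `return 301 https://$server_name$request_uri;` only produces a usable redirect once `server_name` is a real hostname, since `${SERVERNAME:-localhost}` is not expanded by nginx itself. As in the default conf, `location /` pairs `uwsgi_pass` with `proxy_pass` for the same upstream; nginx uses one handler per location, so reduce it to whichever protocol `web:8000` speaks.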
......@@ -13,17 +13,20 @@ services:
nginx:
restart: always
ports:
- 80:80
- 443:443
volumes:
- static:/usr/src/app/static
- media:/usr/src/app/media
- /etc/letsencrypt/live/$DOMAIN/:/etc/certs
- "80:80"
# - "443:443"
### To enable SSL, generate keys with letsencrypt/certbot
### and uncomment this block and the port 443
# build:
# args:
# - NGINX_CONF=ssl.conf
# - SSL_CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
# - SSL_KEY=/etc/letsencrypt/live/$DOMAIN/privkey.pem
flower:
restart: always
# cpus and mem_limit imposes a hard limit on cpus usage,
# needed to keep some for http/db when working with a single machine
#
......
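Review bot: the commented enable-SSL block passes `SSL_CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem` and `SSL_KEY=/etc/letsencrypt/live/$DOMAIN/privkey.pem` as build args, but Docker `COPY` sources are resolved inside the build context (`./nginx`) and cannot reach host paths, so uncommenting the block as instructed will fail at `COPY ${SSL_CERT} ...` rather than enable TLS. A runtime bind mount keeps it working and keeps the private key out of the image: `- /etc/letsencrypt/live/$DOMAIN:/etc/certs:ro` under `volumes`, with `NGINX_CONF=ssl.conf` as the only build arg and `ssl.conf` pointing at `fullchain.pem`/`privkey.pem`. That also lets certbot renewals take effect with a reload instead of an image rebuild. Quoting `"80:80"` is the right call; keep the same quoting when `"443:443"` is uncommented.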
DOMAIN=localhost
SECRET_KEY=changeme
SQL_ENGINE=django.db.backends.postgresql
SQL_HOST=db
......