Skip to content
GitLab
Commit ed022f50 authored by Robin Tissot's avatar Robin Tissot
Browse files

Merge branch 'feature/ssl' into 'develop' 

Feature/ssl

See merge request !45
parents fc10c10f 52303e52
Hide whitespace changes
Inline Side-by-side
.env deleted 100644 → 0
View file @ fc10c10f
CELERY_MAIN_CORES=2
CELERY_LOW_CORES=2
FLOWER_BASIC_AUTH=flower:whatever
\ No newline at end of file
app/escriptorium/settings.py
View file @ ed022f50
......@@ -34,6 +34,9 @@ sys.path.append(APPS_DIR)
SITE_ID = 1
SECRET_KEY = os.getenv('SECRET_KEY', 'a-beautiful-snowflake')
# SECURE_SSL_REDIRECT = os.getenv('SECURE_SSL_REDIRECT', False) == 'True' # should be done by nginx
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = os.getenv('DEBUG', False)
......
docker-compose.yml
View file @ ed022f50
......@@ -37,6 +37,8 @@ services:
nginx:
build: ./nginx
environment:
- SERVERNAME=${DOMAIN:-localhost}
volumes:
- static:/usr/src/app/static
- media:/usr/src/app/media
......@@ -44,6 +46,7 @@ services:
- 8080:80
depends_on:
- web
- channelserver
# elasticsearch:
# image: docker.elastic.co/elasticsearch/elasticsearch:6.5.1
......@@ -108,7 +111,7 @@ services:
expose:
- 25
environment:
- PRIMARY_HOST=${MAIL_PRIMARY_HOST}
- PRIMARY_HOST=${DOMAIN:-localhost}
- ALLOWED_HOSTS=web ; celery-main ; celery-low-priority; docker0
volumes:
......
nginx/Dockerfile
View file @ ed022f50
FROM nginx:1.15.0-alpine
RUN rm /etc/nginx/conf.d/default.conf
COPY nginx.conf /etc/nginx/conf.d
\ No newline at end of file
ARG NGINX_CONF=nginx.conf
ARG SSL_CERT
ARG SSL_KEY
COPY ${NGINX_CONF} /etc/nginx/conf.d/nginx.conf
COPY ${SSL_CERT} /etc/certs/cert.pem
COPY ${SSL_KEY} /etc/certs/key.pem
nginx/nginx.conf
View file @ ed022f50
......@@ -7,12 +7,12 @@ upstream websocket {
server channelserver:5000;
}
server {
listen 80 default_server;
server {
listen 80;
charset utf-8;
client_max_body_size 150M;
location /ws/ {
proxy_pass http://websocket;
proxy_http_version 1.1;
......@@ -28,9 +28,11 @@ server {
location / {
uwsgi_pass escriptorium;
# include /usr/src/app/escriptorium/uwsgi_params;
include uwsgi_params;
uwsgi_param HTTP_X_FORWARDED_PROTO $scheme;
proxy_pass http://escriptorium;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
......@@ -47,4 +49,4 @@ server {
location = /robots.txt {
alias /usr/src/app/static/robots.txt;
}
}
\ No newline at end of file
}
nginx/ssl.conf 0 → 100644
View file @ ed022f50
upstream escriptorium {
server web:8000;
# server unix:/usr/src/app/escriptorium/app.sock;
}
upstream websocket {
server channelserver:5000;
}
# include /etc/nginx/auth_part1.conf;
server {
listen 443 ssl http2;
charset utf-8;
client_max_body_size 150M;
ssl_certificate /etc/certs/cert.pem;
ssl_certificate_key /etc/certs/key.pem;
# Performance + Privacy improvements
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/certs/cert.pem;
resolver 8.8.8.8 208.67.222.222 valid=300s;
resolver_timeout 5s;
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# ssl_dhparam /etc/nginx/dhparams.pem;
location /.well-known/acme-challenge {
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
default_type "text/plain";
root /usr/share/nginx/html;
try_files $uri =404;
}
location /ws/ {
proxy_pass http://websocket;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location / {
uwsgi_pass escriptorium;
include uwsgi_params;
uwsgi_param HTTP_X_FORWARDED_PROTO $scheme;
add_header Strict-Transport-Security "max-age=31536000" always;
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://escriptorium;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 900s;
}
location /static/ {
alias /usr/src/app/static/;
}
location /media/ {
alias /usr/src/app/media/;
}
location = /robots.txt {
alias /usr/src/app/static/robots.txt;
}
}
server {
listen 80;
location /.well-known/acme-challenge {
default_type "text/plain";
root /usr/share/nginx/html;
try_files $uri =404;
}
location = /silent_liveness_check {
access_log off;
return 301 https://$host$request_uri;
}
location / {
return 301 https://$host$request_uri;
}
}
production.yml_example
View file @ ed022f50
......@@ -13,12 +13,20 @@ services:
nginx:
restart: always
ports:
- 80:80
- "80:80"
# - "443:443"
### To enable SSL, generate keys with letsencrypt/certbot
### and uncomment this block and the port 443
# build:
# args:
# - NGINX_CONF=ssl.conf
# - SSL_CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
# - SSL_KEY=/etc/letsencrypt/live/$DOMAIN/privkey.pem
flower:
restart: always
# cpus and mem_limit imposes a hard limit on cpus usage,
# needed to keep some for http/db when working with a single machine
#
......
variables.env_example
View file @ ed022f50
DOMAIN=localhost
SECRET_KEY=changeme
SQL_ENGINE=django.db.backends.postgresql
SQL_HOST=db
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment