rooty/fab-manager
1
0
Fork 0
mirror of https://github.com/LaCasemate/fab-manager.git synced 2025-02-21 15:54:22 +01:00
Code Issues Releases Activity

adding documentation to configure letsencrpyt SSL with docker

Browse Source
This commit is contained in:
cyril 2016-07-21 15:11:08 +02:00
parent 61b9cf71f0
commit e04e25e825
4 changed files with 104 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
docker/README.md
View File

@ -85,13 +85,62 @@ exit
mkdir -p /home/core/fabmanager/config mkdir -p /home/core/fabmanager/config
``` ```
Copy the previously customized `env` file as `/home/core/fabmanager/config/env`. Copy the previously customized `env.example` file as `/home/core/fabmanager/config/env`
```bash ```bash
mkdir -p /home/core/fabmanager/config/nginx mkdir -p /home/core/fabmanager/config/nginx
``` ```
Copy the previously customized `nginx.conf` as `/home/core/fabmanager/config/nginx/fabmanager.conf`. Copy the previously customized `nginx_with_ssl.conf.example` as `/home/core/fabmanager/config/nginx/fabmanager.conf`
OR
Copy the previously customized `nginx.conf.example` as `/home/core/fabmanager/config/nginx/fabmanager.conf` if you do not want ssl support (not recommended !).
### If you want to add an SSL certificate with Letsencrypt (free)
Let's Encrypt is a new Certificate Authority that is free, automated, and open.
Lets Encrypt certificates expire after 90 days, so automation of renewing your certificates is important.
Here is the setup for a systemd timer and service to renew the certificates and reboot the app Docker container
```bash
mkdir -p /home/core/fabmanager/config/nginx/ssl
```
Run `openssl dhparam -out dhparam.pem 4096` in the folder /home/core/fabmanager/config/nginx/ssl (generate dhparam.pem file)
```bash
mkdir -p /home/core/fabmanager/letsencrypt/config/
```
Copy the previously customized `webroot.ini.example` as `/home/core/fabmanager/letsencrypt/config/webroot.ini`
```bash
mkdir -p /home/core/fabmanager/letsencrypt/etc/webrootauth
```
Run `docker pull quay.io/letsencrypt/letsencrypt:latest`
Create file (with sudo) /etc/systemd/system/letsencrypt.service with
```bash
[Unit]
Description=letsencrypt cert update oneshot
Requires=docker.service
[Service]
Type=oneshot
ExecStart=/usr/bin/docker run --rm --name letsencrypt -v "/home/core/fabmanager/log:/var/log/letsencrypt" -v "/home/core/fabmanager/letsencrypt/etc:/etc/letsencrypt" -v "/home/core/fabmanager/letsencrypt/config:/letsencrypt-config" quay.io/letsencrypt/letsencrypt:latest -c "/letsencrypt-config/webroot.ini" certonly
ExecStartPost=-/usr/bin/docker restart fabmanager
```
Create file (with sudo) /etc/systemd/system/letsencrypt.timer with
```bash
[Unit]
Description=letsencrypt oneshot timer
Requires=docker.service
[Timer]
OnCalendar=*-*-1 06:00:00
Persistent=true
Unit=letsencrypt.service
```
Then deploy your app and read the "Generate SSL certificate by Letsencrypt" section to complete the installation of the letsencrypt certificate.
### Deploy dockers containers on host ### Deploy dockers containers on host
@ -196,10 +245,25 @@ docker run --restart=always -d --name=fabmanager \
-v /home/core/fabmanager/public/uploads:/usr/src/app/public/uploads \ -v /home/core/fabmanager/public/uploads:/usr/src/app/public/uploads \
-v /home/core/fabmanager/invoices:/usr/src/app/invoices \ -v /home/core/fabmanager/invoices:/usr/src/app/invoices \
-v /home/core/fabmanager/log:/var/log/supervisor \ -v /home/core/fabmanager/log:/var/log/supervisor \
-v /home/core/fabmanager/letsencrypt/etc:/etc/letsencrypt \
sleede/fab-manager sleede/fab-manager
``` ```
### Generate SSL certificate by Letsencrypt (app must be run before start letsencrypt)
Start letsencrypt service :
```bash
sudo systemctl start letsencrypt.service
```
If the certificate was successfully generated then update the nginx configuration file and activate the ssl port and certificate.
Edit `/home/core/fabmanager/config/nginx/fabmanager.conf`
Remove your app and Run your app to apply changes
Finally, if everything is ok, start letsencrypt timer to update the certificate every 1st of the month :
```bash
sudo systemctl start letsencrypt.timer
```
### Dockers utils ### Dockers utils
@ -218,7 +282,7 @@ docker run --restart=always -d --name=fabmanager \
### Docker Compose ### If you want deploy with Docker Compose
#### download docker compose https://github.com/docker/compose/releases #### download docker compose https://github.com/docker/compose/releases

1
docker/docker-compose.yml
View File

@ -16,6 +16,7 @@ services:
- /home/core/fabmanager/public/uploads:/usr/src/app/public/uploads - /home/core/fabmanager/public/uploads:/usr/src/app/public/uploads
- /home/core/fabmanager/invoices:/usr/src/app/invoices - /home/core/fabmanager/invoices:/usr/src/app/invoices
- /home/core/fabmanager/log:/var/log/supervisor - /home/core/fabmanager/log:/var/log/supervisor
- /home/core/fabmanager/letsencrypt/etc:/etc/letsencrypt
depends_on: depends_on:
- fabmanager-postgres - fabmanager-postgres
- fabmanager-redis - fabmanager-redis

31
docker/nginx_with_ssl.conf.example
View File

@ -7,12 +7,26 @@ server {
server_name MAIN_DOMAIN; server_name MAIN_DOMAIN;
root /usr/src/app/public; root /usr/src/app/public;
ssl on; ssl on;
ssl_certificate /etc/nginx/conf.d/ssl/MAIN_DOMAIN.crt; ## with your ssl certificate
ssl_certificate_key /etc/nginx/conf.d/ssl/MAIN_DOMAIN.deprotected.key; #ssl_certificate /etc/nginx/conf.d/ssl/MAIN_DOMAIN.crt;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl_certificate_key /etc/nginx/conf.d/ssl/MAIN_DOMAIN.deprotected.key;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ##
## with letsencrypt certificate (free)
ssl_certificate_key /etc/letsencrypt/live/MAIN_DOMAIN/privkey.pem;
ssl_certificate /etc/letsencrypt/live/MAIN_DOMAIN/fullchain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/MAIN_DOMAIN/chain.pem;
##
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
location ^~ /assets/ { location ^~ /assets/ {
gzip_static on; gzip_static on;
@ -20,6 +34,13 @@ server {
add_header Cache-Control public; add_header Cache-Control public;
} }
## required by letsencrypt to generate the certificat
location /.well-known/acme-challenge {
root /etc/letsencrypt/webrootauth;
default_type "text/plain";
}
##
try_files $uri/index.html $uri @puma; try_files $uri/index.html $uri @puma;
location @puma { location @puma {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

10
docker/webroot.ini.example Normal file
View File

@ -0,0 +1,10 @@
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = REPLACE_WITH_YOUR@EMAIL.COM
text = True
agree-tos = True
agree-dev-preview = True
renew-by-default = True
authenticator = webroot
domains = MAIN_DOMAIN, ANOTHER_DOMAIN_1, ANOTHER_DOMAIN_2
webroot-path = /etc/letsencrypt/webrootauth