gitea/ckan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

NGINX SSL config

Browse Source
This commit is contained in:
Brett 2022-08-16 14:02:49 +02:00
parent 650d01ba51
commit 1f3a50a476
7 changed files with 98 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -9,6 +9,7 @@
* [Extending the base images](#extending-the-base-images) * [Extending the base images](#extending-the-base-images)
* [Applying patches](#applying-patches) * [Applying patches](#applying-patches)
* [Debugging with pdb](#pdb) * [Debugging with pdb](#pdb)
* [NGINX](#nginx)
* [Known Issues](#known-issues) * [Known Issues](#known-issues)
@ -24,6 +25,7 @@ The non-CKAN images are as follows:
* PostgreSQL: Official PostgreSQL image. Database files are stored in a named volume. * PostgreSQL: Official PostgreSQL image. Database files are stored in a named volume.
* Solr: CKAN's [pre-configured Solr image](https://github.com/ckan/ckan-solr). Index data is stored in a named volume. * Solr: CKAN's [pre-configured Solr image](https://github.com/ckan/ckan-solr). Index data is stored in a named volume.
* Redis: standard Redis image * Redis: standard Redis image
* NGINX: latest stable nginx image
The site is configured via env vars (the base CKAN image loads [ckanext-envvars](https://github.com/okfn/ckanext-envvars)), that you can set in the `.env` file. The site is configured via env vars (the base CKAN image loads [ckanext-envvars](https://github.com/okfn/ckanext-envvars)), that you can set in the `.env` file.
@ -149,6 +151,10 @@ Debug with pdb (example) - Interact with `docker attach $(docker container ls -q
command: `python -m pdb /usr/lib/ckan/venv/bin/ckan --config /srv/app/ckan.ini run --host 0.0.0.0 --passthrough-errors` command: `python -m pdb /usr/lib/ckan/venv/bin/ckan --config /srv/app/ckan.ini run --host 0.0.0.0 --passthrough-errors`
## NGINX
* The base Docker Compose configuration uses an NGINX image as the front-end (ie: reverse proxy). It includes HTTPS running on port number 443. A "self-signed" SSL certificate is generated beforehand and the server certificate and key files are included. The NGINX server_name directive and the CN field in the SSL certificate have been both ser to 'localhost'. This should obviously not be used for production.
## Known Issues ## Known Issues
* Running the tests: Running the tests for CKAN or an extension inside the container will delete your current database. We need to patch CKAN core in our image to work around that. * Running the tests: Running the tests for CKAN or an extension inside the container will delete your current database. We need to patch CKAN core in our image to work around that.

2
ckan/Dockerfile
View File

@ -9,4 +9,4 @@ RUN echo ${TZ} > /etc/timezone
# Make sure both files are not exactly the same # Make sure both files are not exactly the same
RUN if ! [ /usr/share/zoneinfo/${TZ} -ef /etc/localtime ]; then \ RUN if ! [ /usr/share/zoneinfo/${TZ} -ef /etc/localtime ]; then \
cp /usr/share/zoneinfo/${TZ} /etc/localtime ;\ cp /usr/share/zoneinfo/${TZ} /etc/localtime ;\
fi ; fi ;

3
docker-compose.yml
View File

@ -18,7 +18,8 @@ services:
ckan: ckan:
condition: service_healthy condition: service_healthy
ports: ports:
- "0.0.0.0:81:80" - "0.0.0.0:80:80"
- "0.0.0.0:443:443"
ckan: ckan:
container_name: ${CKAN_CONTAINER_NAME} container_name: ${CKAN_CONTAINER_NAME}

3
nginx/Dockerfile
View File

@ -6,4 +6,7 @@ COPY setup/nginx.conf ${NGINX_DIR}/nginx.conf
COPY setup/index.html /usr/share/nginx/html/index.html COPY setup/index.html /usr/share/nginx/html/index.html
COPY setup/default.conf ${NGINX_DIR}/conf.d/ COPY setup/default.conf ${NGINX_DIR}/conf.d/
RUN mkdir -p ${NGINX_DIR}/certs
COPY setup/ckan-local.* ${NGINX_DIR}/certs/
EXPOSE 81 EXPOSE 81

30
nginx/setup/ckan-local.crt Normal file
View File

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----
MIIFJDCCAwwCCQCIrp/bc6dLYjANBgkqhkiG9w0BAQsFADBUMQswCQYDVQQGEwJE
RTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xDzANBgNVBAoMBkJl
cmxpbjESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIyMDgxNTEzMDA0NFoXDTIzMDgx
NTEzMDA0NFowVDELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UE
BwwGQmVybGluMQ8wDQYDVQQKDAZCZXJsaW4xEjAQBgNVBAMMCWxvY2FsaG9zdDCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK9VUkEY9A+aM9AXwWIS0MTQ
oiFS5p4rFlSH4UNuqRfWP7F4n+/QF/Zaky6lX7drkLGFWT7qde2ePum90YMhx/9V
WZK05PRkqER83Cv+v4YAsBmxvcvTISLczNv6yfsuQ5tggUC7dupl6Fn/yOyEuhkP
5Opon1H0SBJxALEvHnOALItdDNwqhnD+j5yCUIKG47LqKTgNp/XTTb3O8p3OSHGi
Td5DzNQQWJFNjdBfbI14+kcuHg9vrhTfaf3Wb2VMEXR3zIoZo6n7IV39rvFcnUeT
pQL9ogSLFkSbwUtCOuLhzTrm6HiHun69hBMxGli6w9AvEhEI0VvhxesNOjEbRzEh
f9ZRU3CtbAl+KC/+WHtTVG+Q6dd4CdGvIYc15SUKQw5EtbLo126oqQyumZYswMdo
KtkRPgjBXSfl01ORCIhpgqr3efxiL4mLw0sqlrixkd3GqpJ5a5+eAUYbfT4SnbB3
4x0N1eVO0bnSSdR1AxNe5giuVCdOPNk65LIErT4ZzKGpyp+aCu1CoSgEcwzLmmbS
b8xoBViQWtow1ZZbssEAxsdN2tFbpSGhPcDgPae1qFM8lPX2wBAwD6zTSwqbhDHU
CaIMFMNX3xntzxzDmczpCuGXnY986HwLLHVOCjyxLfhAyCwSb0bP0wqVeeKoDZ4L
vFHZbFKLG99F/oq1+vQfAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAEmfSUPfvlDy
Ts2yDVQTSpilXcCtM+KeidLil17DiKUyeyHgR6Bwtw88fIXanMjh0oniAvq3pd0m
KFHARp2Jdx0MBb9IsnG2aP60s41vxumpSq4TD0FLudIkdWXYQEDpe+nh8izxBeSE
gGjfC1y8fL9BxHYOGNj6ZnscaSsK+ncEafmd3Dc500mWbT/4Z6fpui586RhS3gkf
RVh1eiPY59M9UhpROLhPSddX6deKIVKhKDhX1ot/cEDDXJwjQa8wFmlKTj14Dd+9
U5IGUZyhSywPgqy27IB0sCn6boU+MRZiQX2yBTMe6ZzbOfnDeXll+qLz4/657VBA
ka+FPuLdJ1UgEatfM2KcLPlz8WZ5W0NIeyaaRIDsoDy9I1iSEg165ujaY028jAY6
q4kIM8Jncfwd/5owto9WS/9A1Zs6vyVekAO3gpzzw8TZcj5RcGc5qK/rg9Esz1Ye
MnVg1gykHJlhdG9EJHh3JbdfBDbSoW6f46UU1STD0x63Jp+r+xVmF/bRmvu07BBS
0KwdD7H6Qd2zJA3Cqn0oFqrkTdf1dxrOT80wiXOnlrb8eaUvldd/LtB1qY7WcqgN
/68p0t3upZJ0OsIjky8DxAzoDz/wNDle8qojsln9La1Ykyf2BtpLX5Qw1aP2eHgI
naZCOb+gpYVf3/0d/ohxYpn66iFX/lut
-----END CERTIFICATE-----

52
nginx/setup/ckan-local.key Normal file
View File

@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJRQIBADANBgkqhkiG9w0BAQEFAASCCS8wggkrAgEAAoICAQCvVVJBGPQPmjPQ
F8FiEtDE0KIhUuaeKxZUh+FDbqkX1j+xeJ/v0Bf2WpMupV+3a5CxhVk+6nXtnj7p
vdGDIcf/VVmStOT0ZKhEfNwr/r+GALAZsb3L0yEi3Mzb+sn7LkObYIFAu3bqZehZ
/8jshLoZD+TqaJ9R9EgScQCxLx5zgCyLXQzcKoZw/o+cglCChuOy6ik4Daf10029
zvKdzkhxok3eQ8zUEFiRTY3QX2yNePpHLh4Pb64U32n91m9lTBF0d8yKGaOp+yFd
/a7xXJ1Hk6UC/aIEixZEm8FLQjri4c065uh4h7p+vYQTMRpYusPQLxIRCNFb4cXr
DToxG0cxIX/WUVNwrWwJfigv/lh7U1RvkOnXeAnRryGHNeUlCkMORLWy6NduqKkM
rpmWLMDHaCrZET4IwV0n5dNTkQiIaYKq93n8Yi+Ji8NLKpa4sZHdxqqSeWufngFG
G30+Ep2wd+MdDdXlTtG50knUdQMTXuYIrlQnTjzZOuSyBK0+GcyhqcqfmgrtQqEo
BHMMy5pm0m/MaAVYkFraMNWWW7LBAMbHTdrRW6UhoT3A4D2ntahTPJT19sAQMA+s
00sKm4Qx1AmiDBTDV98Z7c8cw5nM6Qrhl52PfOh8Cyx1Tgo8sS34QMgsEm9Gz9MK
lXniqA2eC7xR2WxSixvfRf6Ktfr0HwIDAQABAoICAQCadogoYVtiA29x+/uZ8wmI
2mR7BxW0cjER90M0rOC65zzllGcSVjlGBzVy+q4AYPrv6ZJeIyARXj/+nANfivsu
rnpjDIpH5AV5kKZG+/6uhxydBkE2t6GRnQO9KIuYhYF5+OLlrEFu7qhr4TOZarSo
L6B0AgeZo6N626LIdcJV7q1PeYJC1BPsp9bNAuD6nOssS65Ue3Nk1eq/NPn4nCqm
MV54WTKyAFSGbdRppidz2whifPZukuzB5rDxt2Ab1Y/rEz9Wyo+syFj0/PCKIhVN
YX0VzWxWpFHRz4XST16hUlwDcDmNNcXOshcQ8UlMsfygA1ffOe13DMfX86c4a9ei
skC9mM7ET0si/VkSRAbbwhfrYS0NNUht/kKK+2myvAl+0WKWySKzBk3UG87XgE7K
mYZ9Apsvyc/l1cWhR90Tsete74jttM0EYhZH8jF/aPSYiVDfc6Qiw6T3whc1wzIL
WOdi0jce7ZR69cUpXzTHkWGNgKZ0nmAM00LK+6AvRA1fxNzOn3lQprVtSw6pavuh
DFnGu6IR3cBjQfJEedqnRpYHupTKfYHFmQZBKou/Ss79cIBKQ/rvvUjHI3XG3tJC
NqHNHuURcUQB3fvsMf6KC5xm8envxV0GTohb70PGf8UiJ3xQB0aT1utol6Wjy9dO
hyRd/ZU2uY7whEGou9eAwQKCAQEA5sF+gi6DC2F2yNPxbcEo9dM9annt9s6sSWbi
hmgn9ekqO3NBCCycO9d6OmVPi2Tl12+yb503eNVE3P+UnlSfHVWv/oFsjLAJPmV/
nWzFwq7wKTm7lQfO3Gr8vBx39Jx3ENMEYU1y9/hTFci+HmzqwoYnnIYO3bHOj8Uy
JkXecPfzNYu9HHZ7N4eDmuwhsHFpL7b9swsKWrVWkTFDuorpFowEmljc0VCFGRlf
WaqVms/LjczLpG6Avp+Zre/oCBtjSFeooOtmnpwwpX8f9pAiU1Gs3OrMKT/kumYu
BVkjl+73awltRwyeXf/nv3my6TiTZ605JZz/HIQzMIJ7ih3MawKCAQEAwoOsXfhI
M3pn0h06thRuhpCQ/zQUD4TXiuaxmzaMwBY7vsM066gtuZx+3cFVJF0lLFdN5M+Y
Hbe9aMNTnxpfos1PIl3863p+kWzKagpWIww184ZL5MOhwc0TUVX0pUJ2nSUvgr0U
69DQkwBvUU84cH2uMXa9ky2qazRdXJky4BNFsii8IGVNivL10V71EP4ojn2OTTgb
xPpkycsZtudZxZBKYM2F7dhyRcHdtXteDnA00qdpnqqT+4b4T3mGKQZC9c8dj7AV
JiK5dSiaqOE+/UXE9xFAncX7Hg5GeELBU15H5mNfQMSL3Y5SrIGtxSr6r3fSbJF6
vX37Pik+9oNkHQKCAQEAlFfhzyi9f8x5Q2PU+hzKCzZwbgnSa+6zHUDx8Tv2LIVn
a+6M6QdcrK+6WN4WQ+NqSpP43v3v0lMwQO5hCWQXIhGa4X8sXEkyuBUh8/8gJya1
J5uAtq7dUh/JN9kJWIxZksxFLZRPi4/tQbzaU87rIICD6IDZ/7U1uIEp2ybheDg9
9rdNrIWScsFAXpDcm4Rc/Zqi/73iOywGabKE+uAgNilvMBZeZoVf+yGvhYI/SNW6
4v68D4omY+VQM1xeCxAoRDJuKn0KbH62Wz4dOzGvj2abPS4Ib6Aul5HmlfOXCS5L
ilj2Ek3PZViFEDfZR0rioCzg5whFjHyEN/Q6HTFI3wKCAQEAgaI5lOLsU4qHeKvM
Ph79zia4y6xMlk8lS0gWI+hGA5qNtMPqGAgceTBICMhZUwPUy2lf21dS/LNAw3ox
174+8IQ98hyLe/BGO+syN1uuLmtr5WGiYNLUkhF3h2RuyFi0LmTi9hHHyKWA7AeF
KL5QUgAgwIxvKZBsnEfo1Naw5k9RyruFLV32QN1NYH0VfH62Tsh0txfmwe9Sjn4S
JCipVpakS0GNuYbgGYdrmBChDaRQP/gc1wa92wsHoAfQlrS6mZGwFNv4LFNGIEOw
V07OqQL/kt1nn/6bLlu7MVjj+QjDiFK/361dvYmlpZxDUD0llx2XGo4WLAWzFKlu
ceH9LQKCAQEA2gzqZpZHtZQCN8spL5McTCY+uDdkyCHF8DE9e2Pd8DR6uACIGm5a
+29d5yXZEJPmWqxhMNoGAJI7XA+xkALYcKchrpLKqUBPBRzzH3jmUFcB3kRNbLek
cohLTWGcqkP8KAhpTtIGVgFAJ1Gsu5DWnwolVaC3TqdtbUSUCoDI9iI/UYQHBot9
FAbXKJ3SUtKZdpOmCoMnErn+KXj5B2CHyHXVH5QMp7mX6MZHpuXb/jtI/Cp/HQ/R
COnLAucndNeLWZ08NNIs3tfXStav6YnA1KLWBA0SEA8taXEgTGGB0KZoTG4+czri
3NZYHoZNqp79Kl0T6Y0VWI/CpXCS7kgT9A==
-----END PRIVATE KEY-----

4
nginx/setup/default.conf
View File

@ -1,7 +1,11 @@
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost; server_name localhost;
ssl_certificate /etc/nginx/certs/ckan-local.crt;
ssl_certificate_key /etc/nginx/certs/ckan-local.key;
#access_log /var/log/nginx/host.access.log main; #access_log /var/log/nginx/host.access.log main;