From 067ef4fd7f2343c1d12a59be5e5bdd4b85c9b613 Mon Sep 17 00:00:00 2001 From: Vivek Santayana Date: Fri, 17 Jun 2022 12:58:46 +0100 Subject: [PATCH] Production debug --- README.md | 25 ++++++++++++++++++++++--- docker-compose.yml | 4 ++-- install-script.sh | 15 ++++++++++++--- nginx/conf.d/ref-test-app.conf | 6 +++--- 4 files changed, 39 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index ed85976..a014457 100644 --- a/README.md +++ b/README.md @@ -70,7 +70,7 @@ Also make sure that the various entries for usernames and passwords match. #### Input Specific Values for Your Installation -There are some values in the following three files you will need to configure to reflect the domain you are installing this app. +There are some values in the following four files you will need to configure to reflect the domain you are installing this app. ``` # .env @@ -85,7 +85,17 @@ domains=(example.org www.example.org) email="" # Adding a valid address is strongly recommended ``` -And four locations in the following file, two for the regular version of the domain and two for the www version: +Substitute the domain name `domain_name` in the two file paths in the following file: + +``` +# nginx/ssl.conf + +ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem; +... +``` + +And **six** locations in the following file, two for the regular version of the domain and two for the www version: ``` # nginx/conf.d/ref-test-app.conf @@ -105,13 +115,20 @@ server { server { server_name www.domain_name; listen 80; - ... + listen [::]:80; + # Redirect to non-www + return 301 $scheme://domain_name$request_uri; ... } server { server_name www.domain_name; listen 443 ssl http2; + listen [::]:443 ssl http2; + ... + + # Redirect to non-www + return 301 $scheme://domain_name$request_uri; } ``` 
@@ -127,6 +144,8 @@ $ chmod +x install-script.sh $ sudo ./install-script.sh ``` +This will take a long time to run the first time because it will try and generate a fairly sizeable cypher. + When we later run the server, Certbot will check for renewals of the SSL certificates every 12 hours, and Nginx will reload the configurations every 6 hours, to make sure everything runs smoothly and stays live. #### Run the Stack diff --git a/docker-compose.yml b/docker-compose.yml index a2873c3..d370902 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,7 +18,7 @@ services: networks: - frontend depends_on: - - ref_test_app + - app command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" app: @@ -36,7 +36,7 @@ services: - frontend - backend depends_on: - - ref_test_postfix + - postfix postfix: container_name: ref_test_postfix diff --git a/install-script.sh b/install-script.sh index 2bcea7d..5d89054 100644 --- a/install-script.sh +++ b/install-script.sh @@ -23,13 +23,13 @@ fi if [ ! -e "$data_path/ssl-dhparams.pem" ]; then echo "### Generating ssl-dhparams.pem ..." docker compose run --rm --entrypoint "\ - openssl dhparam 4096 -out /etc/letsencrypt/ssl-dhparams.pem" certbot + openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 4096" certbot echo fi echo "### Creating dummy certificate for $domains ..." path="/etc/letsencrypt/live/$domains" -mkdir -p "$data_path/conf/live/$domains" +mkdir -p "$data_path/live/$domains" docker compose run --rm --entrypoint "\ openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\ -keyout '$path/privkey.pem' \ 
@@ -37,6 +37,15 @@ docker compose run --rm --entrypoint "\ -subj '/CN=localhost'" certbot echo +if [ ! -e "$data_path/lets-encrypt-x3-cross-signed.pem" ]; then + echo "### Downloading lets-encrypt-x3-cross-signed.pem ..." + wget -O $data_path/lets-encrypt-x3-cross-signed.pem \ + "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem" + docker compose run --rm --entrypoint "\ + openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 4096" certbot + echo +fi + echo "### Starting nginx ..." docker compose up --force-recreate -d nginx echo @@ -65,7 +74,7 @@ esac if [ $staging != "0" ]; then staging_arg="--staging"; fi docker compose run --rm --entrypoint "\ - certbot certonly --webroot -w /var/www/certbot \ + certbot certonly --webroot -w /var/www/html \ $staging_arg \ $email_arg \ $domain_args \ diff --git a/nginx/conf.d/ref-test-app.conf b/nginx/conf.d/ref-test-app.conf index 7aa37ed..b92bca4 100644 --- a/nginx/conf.d/ref-test-app.conf +++ b/nginx/conf.d/ref-test-app.conf @@ -30,7 +30,7 @@ server { } location / { - include /etc/nginx/conf.d/common-location.conf; + include /etc/nginx/conf.d/proxy_headers.conf; proxy_pass http://reftest; } } @@ -40,7 +40,7 @@ server { listen 80; listen [::]:80; # Redirect to non-www - return 301 $scheme://example.com$request_uri; + return 301 $scheme://domain_name$request_uri; } server { @@ -53,5 +53,5 @@ server { include /etc/nginx/certbot-challenge.conf; # Redirect to non-www - return 301 $scheme://example.com$request_uri; + return 301 $scheme://domain_name$request_uri; } \ No newline at end of file
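Review bot: The new `if` block re-runs `openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 4096` after the wget, which overwrites the file that the earlier `! -e "$data_path/ssl-dhparams.pem"` block already generated and doubles the very long 4096-bit generation on every first run; that `docker compose run` line looks like a copy-paste leftover and should be dropped (or put under the same `! -e` guard). The download itself is not checked either: on a failed fetch `wget -O` leaves an empty `lets-encrypt-x3-cross-signed.pem` behind and the `! -e` guard then never retries, so quote the path and fail loudly, e.g. `wget -O "$data_path/lets-encrypt-x3-cross-signed.pem" "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem" || { echo "download failed"; exit 1; }`. The X3 cross-signed intermediate appears to be a legacy artifact; nothing visible in this patch references the file, so confirm the nginx config actually needs it before keeping the download at all.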
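Review bot: The webroot passed to `certbot certonly --webroot -w` changes to `/var/www/html`, but nothing in this patch shows that the nginx container serves `/.well-known/acme-challenge/` from that same directory (the `certbot-challenge.conf` include is not visible here); if the two paths or the volume mounts disagree, the HTTP-01 challenge fails and the stack keeps running on the one-day dummy certificate. A comment on the line would help future readers keep them in sync, e.g. `# must match the root used for /.well-known/acme-challenge/ in nginx/certbot-challenge.conf and the nginx volume mount`. The `docker compose run` command continues past the end of the hunk.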
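Review bot: In the www `listen 80` server the redirect now returns `301 $scheme://domain_name$request_uri`, which for a plain-HTTP request sends the client to `http://domain_name` — a second plaintext hop — before whatever HTTPS upgrade the non-www server performs (that block is not visible in this hunk). Returning `301 https://domain_name$request_uri;` directly from the :80 block removes that hop; `$scheme` only adds value in the :443 block, where it is already `https`. The enclosing `server { ... }` block begins before the hunk.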