Production debug

2022-06-17 12:58:46 +01:00
parent 73f31016fd
commit 067ef4fd7f
4 changed files with 39 additions and 11 deletions
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ Also make sure that the various entries for usernames and passwords match.

 #### Input Specific Values for Your Installation

-There are some values in the following three files you will need to configure to reflect the domain you are installing this app.
+There are some values in the following four files you will need to configure to reflect the domain you are installing this app.

 ```
 # .env
@@ -85,7 +85,17 @@ domains=(example.org www.example.org)
 email="" # Adding a valid address is strongly recommended
 ```

-And four locations in the following file, two for the regular version of the domain and two for the www version:
+Substitute the domain name `domain_name` in the two file paths in the following file:
+
+```
+# nginx/ssl.conf
+
+ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
+...
+```
+
+And **six** locations in the following file, two for the regular version of the domain and two for the www version:

 ```
 # nginx/conf.d/ref-test-app.conf
@@ -105,13 +115,20 @@ server {
 server {
    server_name www.domain_name;
    listen 80;
-    ...
+    listen [::]:80;
+    # Redirect to non-www
+    return 301 $scheme://domain_name$request_uri;    ...
 }

 server {
    server_name www.domain_name;
    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
    ...
+
+    # Redirect to non-www
+    return 301 $scheme://domain_name$request_uri;
 }
 ```

@@ -127,6 +144,8 @@ $ chmod +x install-script.sh
 $ sudo ./install-script.sh
 ```

+This will take a long time to run the first time because it will try and generate a fairly sizeable cypher.
+
 When we later run the server, Certbot will check for renewals of the SSL certificates every 12 hours, and Nginx will reload the configurations every 6 hours, to make sure everything runs smoothly and stays live.

 #### Run the Stack
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -18,7 +18,7 @@ services:
    networks:
      - frontend
    depends_on:
-      - ref_test_app
+      - app
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
  
  app:
@@ -36,7 +36,7 @@ services:
      - frontend
      - backend
    depends_on:
-      - ref_test_postfix
+      - postfix

  postfix:
    container_name: ref_test_postfix
--- a/install-script.sh
+++ b/install-script.sh
@@ -23,13 +23,13 @@ fi
 if [ ! -e "$data_path/ssl-dhparams.pem" ]; then
  echo "### Generating ssl-dhparams.pem ..."
  docker compose run --rm --entrypoint "\
-    openssl dhparam 4096 -out /etc/letsencrypt/ssl-dhparams.pem" certbot
+    openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 4096" certbot
  echo
 fi

 echo "### Creating dummy certificate for $domains ..."
 path="/etc/letsencrypt/live/$domains"
-mkdir -p "$data_path/conf/live/$domains"
+mkdir -p "$data_path/live/$domains"
 docker compose run --rm --entrypoint "\
  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
    -keyout '$path/privkey.pem' \
@@ -37,6 +37,15 @@ docker compose run --rm --entrypoint "\
    -subj '/CN=localhost'" certbot
 echo

+if [ ! -e "$data_path/lets-encrypt-x3-cross-signed.pem" ]; then
+  echo "### Downloading lets-encrypt-x3-cross-signed.pem ..."
+  wget -O $data_path/lets-encrypt-x3-cross-signed.pem \
+  "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
+  docker compose run --rm --entrypoint "\
+    openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 4096" certbot
+  echo
+fi
+
 echo "### Starting nginx ..."
 docker compose up --force-recreate -d nginx
 echo
@@ -65,7 +74,7 @@ esac
 if [ $staging != "0" ]; then staging_arg="--staging"; fi

 docker compose run --rm --entrypoint "\
-  certbot certonly --webroot -w /var/www/certbot \
+  certbot certonly --webroot -w /var/www/html \
    $staging_arg \
    $email_arg \
    $domain_args \
--- a/nginx/conf.d/ref-test-app.conf
+++ b/nginx/conf.d/ref-test-app.conf
@@ -30,7 +30,7 @@ server {
    }

    location / {
-        include /etc/nginx/conf.d/common-location.conf;
+        include /etc/nginx/conf.d/proxy_headers.conf;
        proxy_pass http://reftest;
    }
 }
@@ -40,7 +40,7 @@ server {
    listen 80;
    listen [::]:80;
    # Redirect to non-www
-    return 301 $scheme://example.com$request_uri;
+    return 301 $scheme://domain_name$request_uri;
 }

 server {
@@ -53,5 +53,5 @@ server {
    include	/etc/nginx/certbot-challenge.conf;

    # Redirect to non-www
-    return 301 $scheme://example.com$request_uri;
+    return 301 $scheme://domain_name$request_uri;
 }