mirror of
https://github.com/getlago/lago.git
synced 2024-12-22 22:23:23 +07:00
misc: add ssl support (#75)
* misc: add SSL support for docker config * add extra files * feat: Add support for LAGO_DISABLE_SIGNUP env var (#73) * chore: remove .DS_Store file * misc: add SSL support for docker config * fix rebase issue * fix review Co-authored-by: Vincent Pochet <vincent@getlago.com>
This commit is contained in:
parent
efb1a61eb5
commit
7e2d2cd944
3
.gitignore
vendored
3
.gitignore
vendored
@ -2,3 +2,6 @@
|
||||
*.code-workspace
|
||||
.env
|
||||
.DS_Store
|
||||
/extra/ssl/certbot
|
||||
/extra/ssl/nginx*
|
||||
/extra/ssl/dhparam.pem
|
||||
|
2
api
2
api
@ -1 +1 @@
|
||||
Subproject commit 61bdb2fc295f68ce8a859e317c42f8627d2f63cb
|
||||
Subproject commit b3fd218b2be30f8e6eccee494bf67f0a259b7883
|
@ -64,6 +64,8 @@ services:
|
||||
container_name: lago-front
|
||||
image: getlago/front:v0.4.0-alpha
|
||||
restart: unless-stopped
|
||||
# Use this command if you want to use SSL with Let's Encrypt
|
||||
# command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
|
||||
depends_on:
|
||||
- api
|
||||
environment:
|
||||
@ -73,6 +75,26 @@ services:
|
||||
- LAGO_DISABLE_SIGNUP=${LAGO_DISABLE_SIGNUP}
|
||||
ports:
|
||||
- ${FRONT_PORT:-80}:80
|
||||
- 443:443
|
||||
# Using SSL with Let's Encrypt
|
||||
# volumes:
|
||||
# - ./extra/nginx-letsencrypt.conf:/etc/nginx/conf.d/default.conf
|
||||
# - ./extra/certbot/conf:/etc/letsencrypt
|
||||
# - ./extra/certbot/www:/var/www/certbot
|
||||
# Using SSL with self signed certificates
|
||||
# volumes:
|
||||
# - ./extra/nginx-selfsigned.conf:/etc/nginx/conf.d/default.conf
|
||||
# - ./extra/ssl/nginx-selfsigned.crt:/etc/ssl/certs/nginx-selfsigned.crt
|
||||
# - ./extra/ssl/nginx-selfsigned.key:/etc/ssl/private/nginx-selfsigned.key
|
||||
# - ./extra/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem
|
||||
|
||||
# Only used for SSL support with Let's Encrypt
|
||||
certbot:
|
||||
image: certbot/certbot
|
||||
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
|
||||
volumes:
|
||||
- ./extra/certbot/conf:/etc/letsencrypt
|
||||
- ./extra/certbot/www:/var/www/certbot
|
||||
|
||||
api-worker:
|
||||
container_name: lago-worker
|
||||
|
80
extra/init-letsencrypt.sh
Executable file
80
extra/init-letsencrypt.sh
Executable file
@ -0,0 +1,80 @@
|
||||
#!/bin/bash
|
||||
|
||||
if ! [ -x "$(command -v docker-compose)" ]; then
|
||||
echo 'Error: docker-compose is not installed.' >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
domains=(lago.example www.lago.example)
|
||||
rsa_key_size=4096
|
||||
data_path="./extra/ssl/certbot"
|
||||
email="jeremy@getlago.com" # Adding a valid address is strongly recommended
|
||||
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
|
||||
|
||||
if [ -d "$data_path" ]; then
|
||||
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
|
||||
if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
|
||||
exit
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
|
||||
echo "### Downloading recommended TLS parameters ..."
|
||||
mkdir -p "$data_path/conf"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
|
||||
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
|
||||
echo
|
||||
fi
|
||||
|
||||
echo "### Creating dummy certificate for $domains ..."
|
||||
path="/etc/letsencrypt/live/$domains"
|
||||
mkdir -p "$data_path/conf/live/$domains"
|
||||
docker-compose run --rm --entrypoint "\
|
||||
openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
|
||||
-keyout '$path/privkey.pem' \
|
||||
-out '$path/fullchain.pem' \
|
||||
-subj '/CN=localhost'" certbot
|
||||
echo
|
||||
|
||||
|
||||
echo "### Starting front ..."
|
||||
docker-compose up --force-recreate -d front
|
||||
echo
|
||||
|
||||
echo "### Deleting dummy certificate for $domains ..."
|
||||
docker-compose run --rm --entrypoint "\
|
||||
rm -Rf /etc/letsencrypt/live/$domains && \
|
||||
rm -Rf /etc/letsencrypt/archive/$domains && \
|
||||
rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
|
||||
echo
|
||||
|
||||
|
||||
echo "### Requesting Let's Encrypt certificate for $domains ..."
|
||||
#Join $domains to -d args
|
||||
domain_args=""
|
||||
for domain in "${domains[@]}"; do
|
||||
domain_args="$domain_args -d $domain"
|
||||
done
|
||||
|
||||
# Select appropriate email arg
|
||||
case "$email" in
|
||||
"") email_arg="--register-unsafely-without-email" ;;
|
||||
*) email_arg="--email $email" ;;
|
||||
esac
|
||||
|
||||
# Enable staging mode if needed
|
||||
if [ $staging != "0" ]; then staging_arg="--staging"; fi
|
||||
|
||||
docker-compose run --rm --entrypoint "\
|
||||
certbot certonly --webroot -w /var/www/certbot \
|
||||
$staging_arg \
|
||||
$email_arg \
|
||||
$domain_args \
|
||||
--rsa-key-size $rsa_key_size \
|
||||
--agree-tos \
|
||||
--force-renewal" certbot
|
||||
echo
|
||||
|
||||
echo "### Reloading nginx ..."
|
||||
docker-compose exec front nginx -s reload
|
4
extra/init-selfsigned.sh
Executable file
4
extra/init-selfsigned.sh
Executable file
@ -0,0 +1,4 @@
|
||||
#!/bin/bash
|
||||
|
||||
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./extra/ssl/nginx-selfsigned.key -out ./extra/ssl/nginx-selfsigned.crt
|
||||
sudo openssl dhparam -out ./extra/ssl/dhparam.pem 2048
|
30
extra/nginx-letsencrypt.conf
Normal file
30
extra/nginx-letsencrypt.conf
Normal file
@ -0,0 +1,30 @@
|
||||
server {
|
||||
listen 80;
|
||||
server_name lago.example;
|
||||
|
||||
location / {
|
||||
root /usr/share/nginx/html;
|
||||
index index.html index.htm;
|
||||
try_files $uri $uri/ /index.html =404;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name lago.example;
|
||||
|
||||
location / {
|
||||
proxy_pass http://lago.example;
|
||||
}
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/lago.example/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/lago.example/privkey.pem;
|
||||
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
}
|
19
extra/nginx-selfsigned.conf
Normal file
19
extra/nginx-selfsigned.conf
Normal file
@ -0,0 +1,19 @@
|
||||
server {
|
||||
listen 80;
|
||||
|
||||
location / {
|
||||
root /usr/share/nginx/html;
|
||||
index index.html index.htm;
|
||||
try_files $uri $uri/ /index.html =404;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
|
||||
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
|
||||
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
|
||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||
}
|
0
extra/ssl/.keep
Normal file
0
extra/ssl/.keep
Normal file
2
front
2
front
@ -1 +1 @@
|
||||
Subproject commit 91886a01ac38a4c30c7f08ffe9f4f6100a815bf4
|
||||
Subproject commit 9ff36b4540d8cbe1100b1eae198c88cb7b2b6bb1
|
Loading…
Reference in New Issue
Block a user