Create an `m1.small` VM with the Jetstream OpenStack API. Work with Unidata system administrator staff to have this VM's IP address resolve to `science-gateway.unidata.ucar.edu`.
We will be making heavy use of the Unidata/science-gateway git repository:

```bash
git clone https://github.com/Unidata/science-gateway ~/science-gateway
```
From the `~/science-gateway/vms/science-gateway` directory:

```bash
docker build -t unidata/science-gateway:latest .
```
With the help of Docker and docker-compose, starting a VM containing an IDD archiver is relatively simple. See here to install Docker and docker-compose.
Create the following nginx log directory:

```bash
mkdir -p /logs/nginx
```
Open ports 80 and 443 on the Science Gateway VM via OpenStack.
Work with Unidata sys admin staff to have the IP address of this VM point to `science-gateway.unidata.ucar.edu`.
Work with system admin staff to obtain an HTTPS key and certificate from a certificate authority such as InCommon. Put them in `/etc/ssl/science-gateway/`, e.g., `science-gateway.unidata.ucar.edu.key` and `science-gateway.unidata.ucar.edu.crt`. Ensure these are owned by root and set to read only. The certificate file must include the intermediate certificates for security purposes. You can test the security quality of the website with the SSL Labs server test.
OCSP (Online Certificate Status Protocol) stapling is recommended for web server communication privacy and efficiency. To enable this feature in an nginx server, you need a file containing only the intermediate and root certificates. Simply take the full chain certificate file described above and remove the base (server) certificate, leaving the intermediate and root certificates only. Call this file `ca-certs.pem` and put it in the `/etc/ssl/` directory alongside the `key` and `crt` files described above. It will be mounted into the container with `docker-compose.yml` and referred to in `nginx.conf` with

```nginx
ssl_trusted_certificate /etc/nginx/ca-certs.pem;
```
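A small shell helper for producing `ca-certs.pem` as described above, added here as an example (it is not part of the science-gateway repository). It assumes the full-chain file lists the server certificate first, as CA-issued bundles normally do, and the demo runs against a constructed placeholder chain rather than real certificates:

```bash
#!/bin/sh
# Added example: derive ca-certs.pem (intermediate + root only) for nginx's
# ssl_trusted_certificate from a full-chain PEM, then sanity-check the result.

# Write ca-certs.pem: keep everything from the second BEGIN CERTIFICATE onward,
# which drops the first (server/leaf) certificate and any text before it.
make_ca_certs() {
  fullchain="$1"; out="$2"
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2 { print }' "$fullchain" > "$out"
  chmod 0444 "$out"   # read-only, matching the handling of the key and crt files
}

# Number of PEM certificate blocks in a file (printed to stdout).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Check with real certificates: the server cert must verify against the
# intermediate+root file just produced. Skipped when openssl is not installed.
verify_leaf() {
  command -v openssl >/dev/null 2>&1 || return 0
  openssl verify -CAfile "$2" "$1" >/dev/null
}

# Constructed three-block placeholder chain (leaf, intermediate, root). The
# bodies are not real certificates; only the PEM delimiters matter here.
write_sample_chain() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-ROOT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Demo: run `sh this_script.sh --demo` to exercise the helper on the sample chain.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_sample_chain "$tmp/fullchain.pem"
  make_ca_certs "$tmp/fullchain.pem" "$tmp/ca-certs.pem"
  echo "certificates in ca-certs.pem: $(count_certs "$tmp/ca-certs.pem")"
fi
```

With real files, `verify_leaf science-gateway.unidata.ucar.edu.crt ca-certs.pem` confirms the server certificate chains to the file before you reference it from `nginx.conf`.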
Once you have done the work of setting up the nginx-related directories, run

```bash
docker-compose up -d
```

to start the web server.