Create a Science Gateway VM on Jetstream

Create an m1.small VM with the Jetstream OpenStack API. Work with Unidata system administrator staff to have this VM's IP address resolve to science-gateway.unidata.ucar.edu.

Clone the science-gateway Repository

We will be making heavy use of the Unidata/science-gateway git repository.

git clone https://github.com/Unidata/science-gateway ~/science-gateway

Build the Science Gateway Docker Container

From the ~/science-gateway/vms/science-gateway directory:

docker build -t unidata/science-gateway:latest .

Prepare Science Gateway VM for Docker and docker-compose

With the help of Docker and docker-compose, starting a VM containing an IDD archiver is relatively simple. See here to install Docker and docker-compose.

Logging

Create the following nginx log directory:

mkdir -p /logs/nginx

Ports 80, 443

Open ports 80 and 443 on the Science Gateway VM via OpenStack.

DNS Name

Work with Unidata sys admin staff to have the IP address of this VM point to science-gateway.unidata.ucar.edu.

Obtain HTTPS Certificates

Work with system admin staff to obtain an HTTPS private key and certificate from a certificate authority such as InCommon. Put them in /etc/ssl/science-gateway/, e.g., science-gateway.unidata.ucar.edu.key and science-gateway.unidata.ucar.edu.crt. Ensure these files are owned by root and read-only; the private key in particular must not be readable by other users. The certificate file must include the intermediate certificates, otherwise clients cannot build a trusted chain from the server certificate to the root. You can test the TLS configuration of the website with the Qualys SSL Labs server test.

OCSP stapling

OCSP (Online Certificate Status Protocol) stapling is recommended for web server communication privacy and efficiency: the server fetches the signed revocation status of its own certificate and sends it with the TLS handshake, so clients need not contact the CA's OCSP responder themselves. To enable this feature in nginx, you need a file containing the intermediate and root certificates. Simply take the full chain certificate file described above and remove the first (server) certificate, leaving only the intermediate and root certificates. Call this file ca-certs.pem and put it in the /etc/ssl/ directory alongside the key and crt files described above. It is mounted into the container with docker-compose.yml and referenced in nginx.conf with

ssl_trusted_certificate /etc/nginx/ca-certs.pem;
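
As an added example (not code from the Unidata/science-gateway repository), the following POSIX shell script builds ca-certs.pem from the full-chain .crt file by dropping its first certificate block, counts the blocks so you can confirm only the intermediate and root certificates remain, and checks that the key, certificate and chain files are root-owned with no group/other permission bits. It assumes the .crt file described above is the full chain and that the key sits beside it with the same base name.

```shell
#!/bin/sh
# Added example, not part of the Unidata/science-gateway repository.
# Builds the ca-certs.pem file for nginx OCSP stapling from the full-chain .crt
# (server certificate first, then intermediates, then root) and checks that the
# key/certificate files are locked down as the README requires.
set -eu

# Write every certificate block except the first (the server certificate) from
# the full-chain file $1 to $2, leaving only the intermediate and root certs.
make_ca_certs() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n >= 2 { print }' "$1" > "$2"
}

# Number of certificate blocks in a PEM file, for a sanity check of the result.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the file grants no group/other permission bits (e.g. mode 0400).
perms_are_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the file is owned by root.
owned_by_root() {
  [ "$(ls -ld "$1" | awk '{ print $3 }')" = root ]
}

# Usage (assumed paths, matching the README's naming):
#   sh make-ca-certs.sh /etc/ssl/science-gateway/science-gateway.unidata.ucar.edu.crt /etc/ssl/ca-certs.pem
if [ $# -eq 2 ]; then
  make_ca_certs "$1" "$2"
  echo "$1: $(count_certs "$1") certificates, $2: $(count_certs "$2") certificates"
  # The key is assumed to sit beside the .crt with the same base name.
  for f in "$1" "$2" "${1%.crt}.key"; do
    if owned_by_root "$f" && perms_are_private "$f"; then
      echo "ok   $f"
    else
      echo "FIX  $f: must be owned by root with no group/other permissions (chmod 0400)"
    fi
  done
fi
```

The directive above only supplies the chain nginx uses to verify stapled responses; stapling itself is switched on with `ssl_stapling on;` and `ssl_stapling_verify on;` in the same server block, and nginx needs a `resolver` directive to reach the CA's OCSP responder. Once the container is up, `openssl s_client -connect science-gateway.unidata.ucar.edu:443 -status </dev/null 2>/dev/null | grep -i 'ocsp response'` shows whether a stapled response is actually being sent.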

Start Science Gateway

Once you have done the work of setting up the nginx-related directories, run

docker-compose up -d

to start the web server.