Merge pull request #1 from pdurandfr/simple-docker-compose-+-https-ng…

…inx-reverse Simple docker compose + https nginx reverse
dbarzin · Sep 11, 2023 · 9cfdb20 · 9cfdb20
2 parents eedbc71 + 11fd6d5
commit 9cfdb20
Show file tree

Hide file tree

Showing 7 changed files with 271 additions and 0 deletions.
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -22,6 +22,7 @@ class Kernel extends HttpKernel
             \App\Http\Middleware\AuthGates::class,
         ],
         'web' => [
+            \App\Http\Middleware\ForceXForwardedProto::class,
             \App\Http\Middleware\EncryptCookies::class,
             \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
             \Illuminate\Session\Middleware\StartSession::class,

diff --git a/app/Http/Middleware/ForceXForwardedProto.php b/app/Http/Middleware/ForceXForwardedProto.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class ForceXForwardedProto
+{
+    public function handle($request, Closure $next)
+    {
+        if ($request->header('X-Forwarded-Proto') === 'https') {
+            $request->server->set('HTTPS', 'on');
+        } else {
+            $request->server->set('HTTPS', 'off');
+        }
+
+        return $next($request);
+    }
+}
diff --git a/docker-compose/PV/nginx/nginx.conf b/docker-compose/PV/nginx/nginx.conf
@@ -0,0 +1,70 @@
+events {
+
+}
+
+http {
+
+	client_max_body_size 0;
+
+	#################################
+	## redirect http -> https
+	#################################
+	server {
+		listen 80 default_server;
+		server_name _;
+
+		location / {
+			return 301 https://$host$request_uri;
+		}
+	}
+
+	#################################
+	## common to all sites
+	#################################
+	include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+    sendfile        on;
+    keepalive_timeout  65;
+
+	#################################
+	## mercator.mycompany.com
+	#################################
+	server {
+		listen 443 ssl;
+
+		##########################################
+		# CONFIG : change host name to match your server name
+        server_name mercator.mycompany.com;
+		##########################################
+
+		##########################################
+		# CONFIG : modify with your own certificate and key name here. They are mapped in the docker-compose file.
+        ssl_certificate /etc/nginx/certs/mercator.mycompany.com.crt;
+		ssl_certificate_key /etc/nginx/certs/mercator.mycompany.com.key;
+		##########################################
+
+		client_max_body_size 25m;
+
+		location / {
+		    proxy_pass http://mercator:80;
+
+			##########################################
+            # CONFIG : change host name to match server_name
+			proxy_set_header Host mercator.mycompany.com;
+			##########################################
+
+		    proxy_set_header X-Forwarded-Host $http_host;
+		    proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-NginX-Proxy true;
+		}
+	}
+
+}
diff --git a/docker-compose/PV/nginx/update-ca-certificates.sh b/docker-compose/PV/nginx/update-ca-certificates.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+update-ca-certificates --fresh
diff --git a/docker-compose/docker-compose.md b/docker-compose/docker-compose.md
@@ -0,0 +1,42 @@
+This docker-compose folder is intented to launch a SIMPLE & PERSISTENT mercator instance behind nginx reverse https proxy.
+
+# Pre-requisite
+## Obtain a valid certificate and key files from your organisation. If you don't have you can generate self-signed with these commands (replace with your own domain name) :
+```
+
+```
+
+# Initialize your personal files
+## Create persistent sqlite database
+```
+touch ./PV/mercator/db.sqlite && chmod a+w ./PV/mercator/db.sqlite
+```
+
+## Put your mercator's https certificates in the nginx PV folder
+```
+cp <source .crt and .key files> ./PV/nginx/certs
+```
+If you need to generate your own certificates :
+```
+openssl genpkey -algorithm RSA -out ./PV/nginx/certs/mercator.mycompany.com.key
+openssl req -new -x509 -key ./PV/nginx/certs/mercator.mycompany.com.key -out ./PV/nginx/certs/mercator.mycompany.com.crt
+```
+
+## If you need your company's ca root certificate in Nginx because you want to also reverse proxy an https site
+Put certificates in ./PV/nginx/certs
+
+Then, uncomment associated volumes in docker-compose.yml, under nginx service section
+
+
+# Modify the configuration to match your domain name
+Check all CONFIG lines in the following files, and adapt it to your domain name
+```
+./docker-compose.yml
+./env/mercator.env
+./PV/nginx/nginx.conf
+```
+
+# There we go!
+```
+docker-compose up -d
+```
diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml
@@ -0,0 +1,59 @@
+version: '3.7'
+services:
+  reverse-proxy:
+    image: nginx:latest
+    volumes:
+      - ./PV/nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./PV/nginx/certs:/etc/nginx/certs
+      ##########################################
+      # uncomment if you need your company's CA root certificate (don't forget to change the certificate name)
+      # - ./PV/nginx/myCompany.crt:/usr/local/share/ca-certificates/myCompagny.crt
+      # - ./PV/nginx/update-ca-certificates.sh:/docker-entrypoint.d/1000-update-ca-certificates.sh
+      ##########################################
+
+    ports:
+      - 443:443
+    depends_on:
+      - mercator
+
+  mercator:
+    image: ghcr.io/dbarzin/mercator:latest
+    restart: unless-stopped
+    container_name: mercator
+    volumes:
+      - ./PV/mercator/db.sqlite/:/var/www/mercator/sql/db.sqlite
+      - ./env/mercator.env:/var/www/mercator/.env
+    expose:
+      - 80
+    environment:
+      ##########################################
+      # CONFIG set to your company's domain name
+      - APP_URL=https://mercator.mycompany.com/
+      - ASSET_URL=https://mercator.mycompany.com/
+      ##########################################
+
+      ##########################################
+      # uncomment if you want to load demo data
+      # - USE_DEMO_DATA=1
+      ##########################################
+
+      # - Plusieurs types possibles : AD, OpenLDAP, FreeIPA, DirectoryServer
+      # - LDAP_TYPE="AD"
+      # - # If true, LDAP actions will be written to the application's default log file
+      # - LDAP_LOGGING=true
+      # - LDAP_CONNECTION=default
+      # - LDAP_HOST=127.0.0.1
+      # - # Identifiers of the user who will connect to the LDAP in order to perform queries
+      # - LDAP_USERNAME="cn=user,dc=local,dc=com"
+      # - LDAP_PASSWORD=secret
+      # - LDAP_PORT=389
+      # - LDAP_BASE_DN="dc=local,dc=com"
+      # - LDAP_TIMEOUT=5
+      # - LDAP_SSL=false
+      # - LDAP_TLS=false
+      # - # Allows you to restrict access to a tree structure
+      # - LDAP_SCOPE="ou=Accounting,ou=Groups,dc=planetexpress,dc=com"
+      # - # Allows you to restrict access to groups
+      # - LDAP_GROUPS="Delivering,Help Desk"
+
+
diff --git a/docker-compose/env/mercator.env b/docker-compose/env/mercator.env
@@ -0,0 +1,78 @@
+## APP_NAME=Mercator
+APP_ENV=production
+## APP_KEY=
+## APP_DEBUG=false
+
+##########################################
+# CONFIG set to your own domain name
+APP_URL=https://mercator.mycompany.com
+##########################################
+
+## ASSET_URL=https://mercator.mycompany.com
+## LOG_CHANNEL=stack
+## 
+## DB_CONNECTION=mysql
+## DB_HOST=db
+## DB_PORT=3306
+## DB_DATABASE=mercator
+## DB_USERNAME=mercator_user
+## DB_PASSWORD=1ù_-qeeRH21!8zA1~
+## DB_ROOT_PASSWORD=2ù_-qeeYT21!8zA2~
+## 
+## #################################################################
+## # Uncomment to user LDAP authentication
+## #
+## # Availables Types : OpenLDAP | AD | FreeIPA | DirectoryServer
+## # LDAP_TYPE="AD"
+## # LDAP_LOGGING=true
+## # LDAP_CONNECTION=default
+## # LDAP_HOST=127.0.0.1
+## # LDAP_USERNAME="cn=user,dc=local,dc=com"
+## # LDAP_PASSWORD=secret
+## # LDAP_PORT=389
+## # LDAP_BASE_DN="dc=local,dc=com"
+## # LDAP_TIMEOUT=5
+## # LDAP_SSL=false
+## # LDAP_TLS=false
+## # LDAP_SCOPE="ou=Accounting,ou=Groups,dc=planetexpress,dc=com"
+## # LDAP_GROUPS="Delivering,Help Desk"
+## #################################################################
+## 
+## BROADCAST_DRIVER=log
+## CACHE_DRIVER=file
+## QUEUE_CONNECTION=sync
+## SESSION_DRIVER=file
+## SESSION_LIFETIME=120
+## 
+## REDIS_HOST=127.0.0.1
+## REDIS_PASSWORD=null
+## REDIS_PORT=6379
+## 
+## MAIL_MAILER=smtp
+## MAIL_HOST=smtp.mailtrap.io
+## MAIL_PORT=2525
+## MAIL_USERNAME=null
+## MAIL_PASSWORD=null
+## MAIL_ENCRYPTION=null
+## MAIL_FROM_ADDRESS=null
+## MAIL_FROM_NAME="${APP_NAME}"
+## 
+## AWS_ACCESS_KEY_ID=
+## AWS_SECRET_ACCESS_KEY=
+## AWS_DEFAULT_REGION=us-east-1
+## AWS_BUCKET=
+## 
+## PUSHER_APP_ID=
+## PUSHER_APP_KEY=
+## PUSHER_APP_SECRET=
+## PUSHER_APP_CLUSTER=mt1
+## 
+## MIX_PUSHER_APP_KEY="${PUSHER_APP_KEY}"
+## MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
+## 
+## # Uncomment this line if you want to use the Cartographers
+## #
+## # Cartographers are attached to applications, and, when this enabled, only them (and admins) can modify their own apps
+## # and what is attach to (under the application view). Documentation here :
+## # CARTOGRAPHERS=true
+##