Move django_ssl.conf into django.conf (single HTTP/HTTPS server)

README.md

@@ -97,15 +97,12 @@ the conf file will be mounted into docker container at runtime to PGSERVICEFILE
 
 To active https with LetsEncrypt just follow the following instructions:
 
-- move `config/_nginx/django_ssl.conf` to `config/nginx/django_ssl.conf`
-- check the domain name in the `.env` file and in `config/nginx/django_ssl.conf`
-- run: `docker pull certbot/certbot`
-- launch `./run_certbot.sh`
-- activate 301 redirect into `config/nginx/django.conf`
-- restart compose
-- make sure the certs are renewed by adding a cron job with `crontab -e` and add the following line:
+- uncomment ssl section within `config/nginx/django.conf.template`
+- update `WEBGIS_PUBLIC_HOSTNAME` environment variable within the `.env` file
+- launch `sudo ./run_certbot.sh`
+- restart compose: `docker compose down && docker compose up -d`
+- make sure the certs are renewed by adding a cron job with `sudo crontab -e` and add the following line:
   `0 3 * * * /<path_to_your_docker_files>/run_certbot.sh`
-- if you disabled HTTPS, you can move `config/nginx/django_ssl.conf` back to its original location now, and restart the Docker compose to finally enable HTTPS
 
 
 ### Volumes
@@ -119,7 +116,7 @@ This can be done by modifying the `.env` file.
 
 ### First time setup
 
-- log into the application web administation panel using default credentials (_admin/admin_)
+- log into the application web administration panel using default credentials (_admin/admin_)
 - change the password for the admin user and for any other example user that may be present
 
 ### Caching
@@ -209,3 +206,5 @@ Plese refer to the [Add new stack](https://docs.portainer.io/v/ce-2.9/user/docke
 * Walter Lorenzetti - Gis3W ([@wlorenzetti](https://github.com/wlorenzetti))
 * Alessandro Pasotti - ItOpen ([@elpaso](https://github.com/elpaso))
 * Mazano - Kartoza ([@NyakudyaA](https://github.com/NyakudyaA))
+* Matteo Tosi - Gis3W ([@Raruto](https://github.com/Raruto))
+* Eric Schirardin ([@rikamusik](https://github.com/rikamusik))

config/nginx/django.conf.template

@@ -0,0 +1,76 @@
+client_max_body_size $NGINX_CLIENT_MAX_BODY_SIZE;
+client_body_timeout  600;
+
+upstream web {
+  ip_hash;
+  server g3w-suite:8000;
+}
+
+# portal
+server {
+
+  # Block *.php
+  location ~\.php$ {
+      return 404;
+  }
+
+  # Secure project's folder
+  location /static/projects/ {
+      return 403;
+  }
+
+  location /static/ {
+      root /shared-volume/;
+  }
+
+  location /media/ {
+      root /shared-volume/;
+  }
+
+  location /media_user/ {
+      root /shared-volume/project_data/;
+  }
+
+  # Certbot configuration
+  location /.well-known/acme-challenge/ {
+      root /var/www;
+  }
+
+  location / {
+      keepalive_timeout                  500;
+      proxy_connect_timeout              600;
+      proxy_send_timeout                 600;
+      send_timeout                       600;
+      fastcgi_read_timeout               300;
+      # proxy_read_timeout                 600;
+      proxy_read_timeout                 120;
+      proxy_set_header Host              $host;
+      proxy_set_header X-Forwarded-For   $remote_addr;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_pass http://web/;
+  }
+
+  server_name $WEBGIS_PUBLIC_HOSTNAME;
+
+  # Listen
+  listen 8080;
+
+  # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+  # Uncomment the following lines if you want activate https
+
+  # listen 443 default ssl;
+
+  # ssl_certificate /etc/letsencrypt/live/$WEBGIS_PUBLIC_HOSTNAME/fullchain.pem;
+  # ssl_certificate_key /etc/letsencrypt/live/$WEBGIS_PUBLIC_HOSTNAME/privkey.pem;
+
+  # include /etc/letsencrypt/options-ssl-nginx.conf;
+  # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+  # resolver 8.8.8.8;
+
+  # if ($scheme = http) {
+  #     return 301 https://$server_name$request_uri;
+  # }
+  # -----------------------------------------------------
+
+}

docker-compose-consumer.yml

@@ -127,12 +127,16 @@ services:
       - "443:443"
     expose:
       - "8080"
+    environment:
+      - WEBGIS_PUBLIC_HOSTNAME
+      - NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-200M}
+      - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
     volumes:
       - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt:ro
       - ./config/g3w-suite/overrides/static:/shared-volume/static/overrides:ro
-      - ./config/nginx:/etc/nginx/conf.d:ro
+      - ./config/nginx:/etc/nginx/templates
     logging:
       driver: "json-file"
       options:
@@ -142,13 +146,6 @@ services:
     networks:
       internal:
 
-  # Letsencrypt certs
-  certbot:
-    image: certbot/certbot
-    volumes:
-      - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/certbot:/var/www/certbot
-      - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt
-
 volumes:
   shared-volume:
   g3wsuite-pg-data:

docker-compose.yml

@@ -77,12 +77,16 @@ services:
       - "443:443"
     expose:
       - "8080"
+    environment:
+      - WEBGIS_PUBLIC_HOSTNAME
+      - NGINX_CLIENT_MAX_BODY_SIZE=${NGINX_CLIENT_MAX_BODY_SIZE:-200M}
+      - NGINX_ENVSUBST_TEMPLATE_SUFFIX=.template
     volumes:
       - ${WEBGIS_DOCKER_SHARED_VOLUME}:/shared-volume
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known
       - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt:ro
       - ./config/g3w-suite/overrides/static:/shared-volume/static/overrides:ro
-      - ./config/nginx:/etc/nginx/conf.d:ro
+      - ./config/nginx:/etc/nginx/templates
     logging:
       driver: "json-file"
       options:
@@ -92,13 +96,6 @@ services:
     networks:
       internal:
 
-  # Letsencrypt certs
-  certbot:
-    image: certbot/certbot
-    volumes:
-      - ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/certbot:/var/www/certbot
-      - ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt
-
 volumes:
   shared-volume:
   g3wsuite-pg-data:

run_certbot.sh

@@ -16,16 +16,25 @@ if [ "${WEBGIS_DOCKER_SHARED_VOLUME}" = "" ]; then
     exit 1
 fi
 
-mkdir -p "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/"
+certs_folder="${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt"
+acme_folder="${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known"
+default_ssl_conf="https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf"
+default_ssl_pem="https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem"
+domain="$WEBGIS_PUBLIC_HOSTNAME"
 
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/options-ssl-nginx.conf"
-curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt/ssl-dhparams.pem"
+# STEP 1
+echo "### Downloading recommended TLS parameters ..."
+mkdir -p "$certs_folder"
+curl -s "$default_ssl_conf" > "${certs_folder}/options-ssl-nginx.conf"
+curl -s "$default_ssl_pem"  > "${certs_folder}/ssl-dhparams.pem"
 
-docker run -it --rm --name certbot \
-  -v ${WEBGIS_DOCKER_SHARED_VOLUME}/certs/letsencrypt:/etc/letsencrypt \
-  -v ${WEBGIS_DOCKER_SHARED_VOLUME}/var/www/.well-known:/var/www/.well-known \
+# STEP 2
+echo "### Requesting Let's Encrypt certificate for $domain ..."
+docker run -it --rm --name certbot --pull=missing \
+  -v ${certs_folder}:/etc/letsencrypt \
+  -v ${acme_folder}:/var/www/.well-known \
   certbot/certbot -t certonly \
   --agree-tos --renew-by-default \
   --no-eff-email \
   --webroot -w /var/www \
-  -d ${WEBGIS_PUBLIC_HOSTNAME}
+  -d ${domain}