update local nginx to use mkcert #21455
I think this means we can remove the need for |
Thought: does this work the same for a fresh install as over the top of an existing nginx setup?
Yes 🎉 . The slightly contentious part is we're now symlinking the nginx site config to
|
767aa14 to aaf47b2
Thanks @akash1810
echo "Restarting Nginx" | ||
sudo nginx -s stop | ||
echo -e "🚀 ${YELLOW}Restarting nginx, Requires sudo - enter password when prompted.${NC}" | ||
if pgrep 'nginx' > /dev/null; then |
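Review bot: the `pgrep 'nginx'` guard matches on a pattern, so any process whose name merely contains "nginx" satisfies it, and the stop step can still run (and fail) when no nginx server is actually up. Consider an exact match such as `pgrep -x nginx`, and make sure the start step runs on both paths so a machine where nginx was not running still ends up with it started.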
@nicl we're now restarting nginx more gracefully - if running, stop, finally start.
use latest ssl directive
Currently we require `Identity` credentials to set up nginx as we're storing the certificate in S3. This is problematic in a few ways:
- A reliance on S3 to set up nginx
- A reliance on having the correct Janus credentials
- We need to update the certificate once a year as it expires
- Certificate renewal is handled by another team
- Every machine is using the same certificate; if it's compromised once, it's compromised everywhere

mkcert provides:
- Security as each machine acts as their own CA
- No reliance on S3 or Identity Janus credentials
- Frictionless certificate renewal - we just re-run the script

Also writes nginx site config to `/usr/local/etc/nginx/servers/` directory as is preferred with latest version of nginx.
trying to stop nginx when it is not running fails...
Overdue on PROD (merged by @akash1810 30 minutes and 9 seconds ago) What's gone wrong?
Seen on PROD (merged by @akash1810 2 hours, 19 minutes and 48 seconds ago)
What does this change?
Currently we require `Identity` credentials to set up nginx as we're storing the certificate in S3. This is problematic in a few ways:
mkcert provides:
Also writes nginx site config to `/usr/local/etc/nginx/servers/` directory as is preferred with latest version of nginx.
Related to https://github.com/guardian/dev-nginx-old/pull/37. Ideally the `dev-nginx` scripts would be shared rather than copy-pasted, however that repo is private at the moment - once it's public we can migrate.
Screenshots
What is the value of this and can you measure success?
`Identity` credentials
Checklist
Does this affect other platforms?
Does this affect GLabs Paid Content Pages? Should it have support for Paid Content?
Does this change break ad-free?
Does this change update the version of CAPI we're using?
Accessibility test checklist
Tested