Merge pull request #5894 from FinnStutzenstein/caddyHttps

add optional https for caddy
This commit is contained in:
Finn Stutzenstein 2021-02-17 08:56:20 +01:00 committed by GitHub
commit 085ada3dc4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 99 additions and 18 deletions

View File

@ -12,3 +12,5 @@ stop-dev:
get-server-shell:
docker-compose -f docker/docker-compose.dev.yml run server bash
reload-proxy:
docker-compose -f docker/docker-compose.dev.yml exec -w /etc/caddy proxy caddy reload

View File

@ -36,10 +36,11 @@ first and initialize all submodules::
Setup Docker images
-------------------
You need to build the Docker images for the client and server and have to setup some
configuration.
You need to build the Docker images and have to setup some configuration. First,
configure HTTPS by checking the `Using HTTPS`_ section. In this section are
reasons why HTTPS is required for large deployments.
First go to ``docker`` subdirectory::
Go to ``docker`` subdirectory::
cd docker
@ -67,7 +68,7 @@ Finally, you can start the instance using ``docker-compose``::
docker-compose up
OpenSlides runs on https://localhost:8000/.
OpenSlides is accessible on http://localhost:8000/ (or https, if configured).
Use can also use daemonized instance::
@ -75,6 +76,40 @@ Use can also use daemonized instance::
docker-compose logs
docker-compose down
Using HTTPS
-----------
The main reason (next to obviously security ones) HTTPS is required originates
from the need of HTTP/2. OpenSlides uses streaming responses to asynchronously
send data to the client. With HTTP/1.1 one TCP-Connection per request is opened.
Browsers limit the amount of concurrent connections
(`reference<https://docs.pushtechnology.com/cloud/latest/manual/html/designguide/solution/support/connection_limitations.html>`_),
so you are limited in opening tabs. HTTPS/2 just uses one connection per browser
and eliminates these restrictions. The main point to use HTTPS is that browsers
only use HTTP/2 if HTTPS is enabled.
Setting up HTTPS
""""""""""""""""
Use common providers for retrieving a certificate and private key for your
deployment. Place the certificate and private key in ``caddy/certs/cert.pem``
and ``caddy/certs/key.pem``. To use a self-signed localhost certificate, you can
execute ``caddy/make-localhost-cert.sh``.
The certificate and key are put into the docker image into ``/certs/``, so
setting up these files needs to be done before calling ``./build.sh``. When you
update the files, you must run ``./build.sh proxy`` again. If you want to have a
more flexible setup without the files in the image, you can also mount the
folder or the certificate and key into the running containers if you wish to do
so.
If both files are not present, OpenSlides will be configured to run with HTTP
only. When mounting the files make sure, that they are present during the
container startup.
Caddy, the proxy used, wants the user to persist the ``/data`` directory. If you
are going to use HTTPS add a volume in your ``docker-compose.yml`` /
``docker-stack.yml`` persisting the ``/data`` directory.
More settings
-------------

View File

@ -1,16 +1,17 @@
:8000
import endpoint
reverse_proxy /system/* autoupdate:8002 {
reverse_proxy /system/* autoupdate:8002 {
flush_interval -1
}
}
@server {
@server {
path /apps/*
path /rest/*
path /server-version.txt
}
reverse_proxy @server server:8000
reverse_proxy /media/* media:8000
reverse_proxy client:4200
}
reverse_proxy @server server:8000
reverse_proxy /media/* media:8000
reverse_proxy client:4200

View File

@ -1,3 +1,8 @@
FROM caddy:2.3.0-alpine
COPY Caddyfile /etc/caddy/Caddyfile
COPY entrypoint /entrypoint
COPY certs /certs
ENTRYPOINT ["/entrypoint"]
CMD ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"]

0
caddy/certs/.keep Normal file
View File

16
caddy/entrypoint Executable file
View File

@ -0,0 +1,16 @@
#!/bin/sh
set -e
if [[ -f "/certs/key.pem" ]] && [[ -f "/certs/cert.pem" ]]; then
cat <<EOF >> /etc/caddy/endpoint
https://:8000 {
tls /certs/cert.pem /certs/key.pem
EOF
echo "Configured https"
else
echo "http://:8000 {" > /etc/caddy/endpoint
echo "Configured http"
fi
exec "$@"

22
caddy/make-localhost-cert.sh Executable file
View File

@ -0,0 +1,22 @@
#!/bin/bash
set -e
cd "$(dirname "$0")"
if [[ -f "certs/key.pem" ]] || [[ -f "certs/cert.pem" ]]; then
echo >&2 "Error: Certificate already exists."
exit 1
fi
if ! type 2>&1 >/dev/null openssl ; then
echo >&2 "Error: openssl not found!"
exit 1
fi
echo "Creating certificates..."
echo "You will need to accept an security exception for the"
echo "generated certificate in your browser manually."
openssl req -x509 -newkey rsa:4096 -nodes -days 3650 \
-subj "/C=DE/O=Selfsigned Test/CN=localhost" \
-keyout certs/key.pem -out certs/cert.pem
echo "done"