Merge pull request #6275 from peb-adr/https

make local cert file location adjustable
Sean 2021-11-11 15:46:36 +01:00 committed by GitHub
commit 3b798b8ce8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 7 deletions


@ -18,8 +18,9 @@ be set to avoid hitting rate limits.
Importantly, port 80 on the host must be forwarded to port 8001 on which caddy
will answer the ACME-challenge during certificate retrieval.
Alternatively a locally generated certificate can be used by executing
`make-localhost-cert.sh` before building the docker image (!) and setting
`ENABLE_LOCAL_HTTPS=1`. This is mostly for dev setup purposes and is not useful
for a public domain as the cert is not issued by a trusted CA and therefore
not trusted by browsers. If set, this overrules `ENABLE_AUTO_HTTPS`.
Alternatively a locally generated certificate can be used by setting
`ENABLE_LOCAL_HTTPS=1 HTTPS_CERT_FILE=path/to/crt HTTPS_CERT_FILE=path/to/key`
and providing cert and key files at the specified location. This is mostly for
dev and testing setups and is not useful for a public domain as the cert is not
issued by a trusted CA and therefore not trusted by browsers. If set, this
overrules `ENABLE_AUTO_HTTPS`.


@ -4,6 +4,8 @@ set -e
config=/etc/caddy/config.json
base=/caddy_base.json
HTTPS_CERT_FILE="${HTTPS_CERT_FILE:-/certs/cert.pem}"
HTTPS_KEY_FILE="${HTTPS_KEY_FILE:-/certs/key.pem}"
# set defaults in base
ACTION_HOST="${ACTION_HOST:-backend}" ACTION_PORT="${ACTION_PORT:-9002}" \
@ -23,12 +25,12 @@ jq_write() {
### HTTPS ###
if [ -n "$ENABLE_LOCAL_HTTPS" ]; then
[ -f /certs/cert.pem ] && [ -f /certs/key.pem ] || {
[ -f "$HTTPS_CERT_FILE" ] && [ -f "$HTTPS_KEY_FILE" ] || {
echo "ERROR: no local cert-files provided. Did you run make-localhost-cert.sh?"
exit 1
}
jq_write ".apps.http.servers.srv0.tls_connection_policies = [{ certificate_selection: { any_tag: [ \"cert0\" ] }}]"
jq_write ".apps.tls = { certificates: { load_files: [{ certificate: \"/certs/cert.pem\", key: \"/certs/key.pem\", tags: [ \"cert0\" ] }] }}"
jq_write ".apps.tls = { certificates: { load_files: [{ certificate: \"$HTTPS_CERT_FILE\", key: \"$HTTPS_KEY_FILE\", tags: [ \"cert0\" ] }] }}"
else
if [ -n "$ENABLE_AUTO_HTTPS" ]; then
if [ -n "$EXTERNAL_ADDRESS" ]; then
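Review bot: On the new `.apps.tls` line the cert and key paths are spliced into the jq filter as string literals, so a value of HTTPS_CERT_FILE or HTTPS_KEY_FILE containing `"` or `\` breaks the filter or alters the generated config; jq_write is defined above the hunk, but if it forwards extra arguments to jq the paths should be bound with `--arg cert "$HTTPS_CERT_FILE" --arg key "$HTTPS_KEY_FILE"` and referenced as `$cert` / `$key` inside a single-quoted filter, e.g. `jq_write --arg cert "$HTTPS_CERT_FILE" --arg key "$HTTPS_KEY_FILE" '.apps.tls = { certificates: { load_files: [{ certificate: $cert, key: $key, tags: [ "cert0" ] }] }}'`. The message in the `|| {` branch still asks "Did you run make-localhost-cert.sh?" although the paths are now configurable and the README hunk in this commit no longer mentions that script; `echo "ERROR: local cert/key files not found: $HTTPS_CERT_FILE $HTTPS_KEY_FILE" >&2` would tell the operator which paths were checked. The `-f` tests only check existence, not readability, so `-r` would report an unreadable key file at startup instead of leaving it to the server. The README line in this commit's other hunk names `HTTPS_CERT_FILE` twice; the second occurrence should read `HTTPS_KEY_FILE=path/to/key`. The enclosing `if [ -n "$ENABLE_LOCAL_HTTPS" ]` block continues past the end of the hunk.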