Commit 9b3617dc authored by Stefano Alberto Russo's avatar Stefano Alberto Russo

Moved to obtaining SSL certificates with Let's Encrypt. Minor fixes.

parent fe2c9175
+43 −5
@@ -77,7 +77,26 @@ Proxy service configuraion parameters and their defaults:

      - SAFEMODE=false
      - ROSETTA_HOST=localhost
      - ROSETTA_TASKS_PROXY_HOST=$ROSETTA_HOST


### Certificates for the proxy

Certificates can be automatically handled with Letsencrypt. By default, a snakeoil certificate is used. To set up letsencrypt, first of all run inside the proxy (only once in its lifetime):

	$ sudo rm -rf /etc/letsencrypt/live/YOUR_ROSETTA_HOST (or ROSETTA_TASKS_PROXY_HOST)

Then, edit the `/etc/apache2/sites-available/proxy-global.conf` file and change the certificates for the domain that you want to enable with Letsencrypt to use snakeoils (otherwise nex comamnd will fail), then:

	$  sudo apache2ctl -k graceful

Now:

    $ sudo certbot certonly --apache --register-unsafely-without-email --agree-tos -d YOUR_ROSETTA_HOST (or ROSETTA_TASKS_PROXY_HOST)
    
...or for the domain that you want to enable with Letsencrypt. This will initialize the certificate in /etc/letsencypt, which is stored on the host in `./data/proxy/letsencrypt`

Finally, re-change the `/etc/apache2/sites-available/proxy-global.conf` file to use the correct certificates for the domain (or just restart the proxy service but wiht clean and then run).

### User types 
In Rosetta there are two user types: standard users and power users. Their type is set in their user profile, and only power users can:
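Review bot: the certbot invocation in this hunk passes `--register-unsafely-without-email`, so the ACME account will never receive expiry or problem notices from Let's Encrypt; suggest documenting a registration with `--email` for real deployments and keeping the unsafe flag only for throwaway test hosts. Two smaller points in the same section: the first step `sudo rm -rf /etc/letsencrypt/live/YOUR_ROSETTA_HOST` deletes any certificate already issued for that host and is not reversible, so the text should say when it is actually needed rather than presenting it as a mandatory first step, and the `(or ROSETTA_TASKS_PROXY_HOST)` parenthetical sits inside both command lines, which breaks copy-paste. Typos: `configuraion` in the context line, and `nex comamnd`, `wiht`, `letsencypt` in the added text.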
@@ -124,17 +143,36 @@ Note that when you edit the Django ORM model, you need to make migrations and ap


    
### Logs and testing
### Testing

Run Web App unit tests (with Rosetta running)
    
    $ rosetta/logs webapp
    $ rosetta/test

    $ rosetta/logs webapp startup

    $ rosetta/logs webapp server
### Logs


Chek out logs for Docker containers (including entrypoints):


    $ rosetta/logs web

    $ rosetta/logs proxy


Chek out logs for supervisord services:

        
    $ rosetta/logs web startup
    
    $ rosetta/logs web server

    $ rosetta/logs proxy apache
    
    $ rosetta/logs proxy certbot
    
    
    $ rosetta/test
    
    
### Computing resources requirements
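Review bot: `Chek out` is misspelled twice in the new Logs section (should be `Check out`), and `$ rosetta/test` appears both under `### Testing` and again at the end of `### Logs`; if the second copy is not a removed line, drop it so the Logs section ends with the `proxy certbot` entry. Since the proxy now has a `certbot` supervisord service, it would also help to say in one sentence what `rosetta/logs proxy certbot` shows, because that log is where a failed renewal would surface and a silently failing renewal is the usual way a Let's Encrypt setup breaks.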
+4 −2
@@ -85,6 +85,7 @@ services:
    environment:
      - SAFEMODE=False
      - ROSETTA_HOST=localhost
      - ROSETTA_TASKS_PROXY_HOST=localhost
    ports:
      - "80:80"
      - "443:443"
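Review bot: `SAFEMODE=False` here uses a capital F while the README hunk documents the default as `SAFEMODE=false`; unless the entrypoint lower-cases the value before comparing, pick one spelling and use it in both places. Likewise `ROSETTA_TASKS_PROXY_HOST=localhost` is set explicitly although the README says it defaults to `$ROSETTA_HOST`; if the defaulting works, the explicit line can be dropped, otherwise the README should not claim it.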
@@ -92,7 +93,8 @@ services:
      - "5000:5000"
    volumes:
      - ./data/shared:/shared

      - ./data/proxy/letsencrypt:/etc/letsencrypt
      - ./data/proxy/log:/var/log/proxy



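Review bot: the new `./data/proxy/letsencrypt:/etc/letsencrypt` bind mount puts the issued private keys on the host filesystem under the repository checkout; add `data/proxy/letsencrypt` to the ignore file and note in the README that the directory must not be world-readable, otherwise a local user or an accidental commit leaks the proxy's TLS key. Also, the stray blank line inside the `volumes:` list between `./data/shared:/shared` and the letsencrypt entry looks unintentional.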
+1 −1
@@ -9,5 +9,5 @@ fi
if [[ $# -eq 0 ]] ; then
    docker-compose down
else
    docker-compose down $@
    docker-compose rm -s -v -f $@
fi
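Review bot: both `$@` expansions in this hunk are unquoted; use `"$@"` so service names are passed through as separate words without being re-split or glob-expanded. A comment next to `docker-compose rm -s -v -f $@` would also help: `-v` removes anonymous volumes attached to the containers, but the bind-mounted `./data/proxy/letsencrypt` is unaffected, so a clean does not discard the issued certificates; stating that explicitly avoids someone assuming the opposite.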
+0 −9
@@ -9,15 +9,6 @@ else
fi


# Use dev certificates if not already set up
if [ ! -d services/proxy/certificates ]; then
    echo "Using dev certificates."
    cp -a services/proxy/certificates-dev  services/proxy/certificates
else
    echo "Not using dev certificates as certificates are already present."
fi


# Use dev docker-compose.yml if not already set up
if [ ! -f docker-compose.yml ]; then
    echo "Using dev docker-compose.yml"
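Review bot: removing the `certificates-dev` copy step means nothing in this script creates `services/proxy/certificates` any more, so the hunk only holds together if every `COPY certificates/...` line in the Dockerfile that referenced the old per-domain files has been dropped as well (the Dockerfile hunk in this commit appears to do that for the `rosetta_platform` and `rosetta_tasks` files). Check that `services/proxy/certificates-dev` and any leftover `services/proxy/certificates` directory are deleted or ignored, since a forgotten real key pair there would now be an unreferenced secret sitting in the tree.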
+19 −12
@@ -10,10 +10,17 @@ RUN apt-get update
RUN apt-get install -y apache2
RUN apt-get install apache2-utils

# Copy conf
# Install Certbot
RUN apt-get install certbot python3-certbot-apache -y

# Supervisord scripts
COPY supervisord_apache.conf /etc/supervisor/conf.d/
COPY run_Apache.sh /etc/supervisor/conf.d/
RUN chmod 755 /etc/supervisor/conf.d/run_Apache.sh
COPY run_apache.sh /etc/supervisor/conf.d/
RUN chmod 755 /etc/supervisor/conf.d/run_apache.sh

COPY supervisord_certbot.conf /etc/supervisor/conf.d/
COPY run_certbot.sh /etc/supervisor/conf.d/
RUN chmod 755 /etc/supervisor/conf.d/run_certbot.sh

# Enable mod_proxy and SSL
RUN a2enmod proxy
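Review bot: `RUN apt-get install certbot python3-certbot-apache -y` runs in its own layer without an `apt-get update` in the same `RUN`, so a cached update layer from an earlier build can leave this step installing against stale package lists or failing with a 404; chain `apt-get update && apt-get install -y certbot python3-certbot-apache` in one `RUN` and remove `/var/lib/apt/lists/*` afterwards. The context line `RUN apt-get install apache2-utils` is also missing `-y`, which works only as long as no additional dependencies need confirmation. The `run_Apache.sh` to `run_apache.sh` rename is fine; make sure the supervisord `.conf` files reference the lower-case name so the service still starts.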
@@ -29,14 +36,14 @@ RUN rm /etc/apache2/sites-enabled/000-default.conf
RUN rm /etc/apache2/sites-available/default-ssl.conf
#RUN rm /etc/apache2/sites-enabled/default-ssl.conf

# Copy certificates (snakeoil or real)
RUN mkdir /certificates
COPY certificates/rosetta_platform.crt /root/certificates/rosetta_platform/rosetta_platform.crt
COPY certificates/rosetta_platform.key /root/certificates/rosetta_platform/rosetta_platform.key
COPY certificates/rosetta_platform.ca-bundle /root/certificates/rosetta_platform/rosetta_platform.ca-bundle
COPY certificates/rosetta_tasks.crt /root/certificates/rosetta_platform/rosetta_tasks.crt
COPY certificates/rosetta_tasks.key /root/certificates/rosetta_platform/rosetta_tasks.key
COPY certificates/rosetta_tasks.ca-bundle /root/certificates/rosetta_platform/rosetta_tasks.ca-bundle
# Apache conf
COPY apache2.conf /etc/apache2/apache2.conf 

# Copy self-signed (snakeoil) certificates
RUN mkdir /root/certificates
COPY certificates/selfsigned.crt /root/certificates/selfsigned.crt
COPY certificates/selfsigned.key /root/certificates/selfsigned.key
COPY certificates/selfsigned.ca-bundle /root/certificates/selfsigned.ca-bundle

# Copy index and norobots.txt
COPY index.html /var/www/html/
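Review bot: `COPY certificates/selfsigned.key /root/certificates/selfsigned.key` bakes a private key into the image; that is acceptable for a snakeoil key that is identical for every deployment, but a comment on the line should say so, and the real keys must keep coming only through the `/etc/letsencrypt` bind mount, never via `COPY`, since anything copied here ends up in every pushed image layer. Minor: `RUN mkdir /root/certificates` is redundant because `COPY` creates missing destination directories, and the removed `RUN mkdir /certificates` created a directory the old `COPY` lines never used, so dropping it is correct.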