Started working on running carto in https/production mode using env var

Refs #52 Refs #22
2018-10-12 13:57:17 +02:00 · 2018-10-12 13:57:17 +02:00 · e1af195315
commit e1af195315
parent 5af3fe24e1
5 changed files with 116 additions and 2 deletions
--- a/5
+++ b/5
@ -214,16 +214,21 @@ RUN cd / && git clone --recursive https://github.com/CartoDB/observatory-extensi
  git checkout $OBSERVATORY_VERSION && \
  PGUSER=postgres make deploy

+# Certbot
+RUN add-apt-repository -y ppa:certbot/certbot && apt-get install -y python-certbot-nginx
+
 # Copy confs
 ADD ./config/CartoDB-dev.js \
      /CartoDB-SQL-API/config/environments/development.js
 ADD ./config/WS-dev.js \
      /Windshaft-cartodb/config/environments/development.js
+# TODO create production.js for SQL and Windshaft
 ADD ./config/app_config.yml /cartodb/config/app_config.yml
 ADD ./config/database.yml /cartodb/config/database.yml
 ADD ./create_dev_user /cartodb/script/create_dev_user
 ADD ./setup_organization.sh /cartodb/script/setup_organization.sh
 ADD ./config/cartodb.nginx.proxy.conf /etc/nginx/sites-enabled/default
+ADD ./config/cartodb.nginx.https.proxy.conf /etc/nginx/sites-enabled/https
 ADD ./config/varnish.vcl /etc/varnish.vcl
 ADD ./geocoder.sh /cartodb/script/geocoder.sh
 ADD ./geocoder_server.sql /cartodb/script/geocoder_server.sql
--- a/README.md
+++ b/README.md
@ -48,6 +48,38 @@ Instead of setting hostname with `-h` you can also use the `CARTO_HOSTNAME` envi
 docker run -d -p 80:80 -e CARTO_HOSTNAME=<hostname> sverhoeven/cartodb
 ```

+HTTPS encryption
+----------------
+
+By default the Docker container runs unencrypted on port 80 and redirects to itself on port 80.
+
+There are 2 ways to enable https encryption:
+
+1. Use loadbalancer or reverse proxy to map https to http
+2. Use embedded NGINX web server to perform encryption with automatic [Let's encrypt](https://letsencrypt.org/) certificate [deployment](https://certbot.eff.org/).
+
+### 1. With load balancer or reverse proxy
+
+Run container with
+```bash
+docker run -d -p 80:80 -e CARTO_HOSTNAME=<hostname> -e HTTPS=1 sverhoeven/cartodb
+```
+
+Configure load balancer or reverse proxy to accept traffic on https://<hostname>:443 and forward it to port 80 of the Docker container.
+
+### 2. With automatic deployment
+
+Run container with
+```bash
+docker run -d -p 443:443 -e CARTO_HOSTNAME=<hostname> -e HTTPS=1 -e LETSENCRYPT_EMAIL=<email adress> sverhoeven/cartodb
+```
+
+The `<email adress>` is used by Certbot as the account to register the domain at Let's Encrypt.
+
+Let's encrypt has a [rate limit](https://letsencrypt.org/docs/rate-limits/) of a few generated certificates per domain per month, so you cannot just generate new certificates every time the container is restarted. So you should keep the generated certificates by mounting `/etc/letsencrypt`.
+
+A cron job will try to renew the certificate each week.
+
 Persistent data
 ---------------

--- a/config/cartodb.nginx.https.proxy.conf
+++ b/config/cartodb.nginx.https.proxy.conf
@ -0,0 +1,58 @@
+server {
+  listen 443 default_server;
+  listen [::]:443 default_server;
+
+  server_name _;
+  
+  client_max_body_size 0;
+
+  ssl on;
+  ssl_certificate /etc/letsencrypt/live/cartodb.localhost/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/cartodb.localhost/privkey.pem;
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 10m;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
+
+  location ~* /(user/.*/)?api/v1/maps {
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_pass http://127.0.0.1:3000;
+  }
+
+  location ~* /(user/.*/)?api/v1/map {
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_pass http://127.0.0.1:8181;
+  }
+
+  location ~* /(user/.*)?/api/v2/sql {
+    # RedHog: Hack to work around bug in cartodb local hosting but using cdn for js libs
+    rewrite /(user/.*)?/api/v2/sql(.*) /$1/api/v2/sql$2  break;
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_pass http://127.0.0.1:8080;
+  }
+
+  location ^~ /assets {
+    root /cartodb/public;
+  }
+
+  location / {
+    proxy_set_header        Host $host;
+    proxy_set_header        X-Real-IP $remote_addr;
+    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto $scheme;
+    proxy_pass http://127.0.0.1:3000;
+  }
+
+  error_log /var/log/nginx/cartodb_error.log;
+  access_log /var/log/nginx/cartodb_access.log;
+}
--- a/config/database.yml
+++ b/config/database.yml
@ -4,7 +4,7 @@ production:
  host: localhost
  port: 5432
  direct_port: 5432
-  database: carto_db_production
+  database: carto_db_development
  username: postgres
  password:
  conn_validator_timeout: 900
--- a/startup.sh
+++ b/startup.sh
@ -2,7 +2,7 @@

 export CARTO_HOSTNAME=${CARTO_HOSTNAME:=$HOSTNAME}

-perl -pi -e 's/cartodb\.localhost/$ENV{"CARTO_HOSTNAME"}/g' /etc/nginx/sites-enabled/default /cartodb/config/app_config.yml /Windshaft-cartodb/config/environments/development.js
+perl -pi -e 's/cartodb\.localhost/$ENV{"CARTO_HOSTNAME"}/g' /etc/nginx/sites-enabled/default /cartodb/config/app_config.yml /Windshaft-cartodb/config/environments/development.js /etc/nginx/sites-available/https

 PGDATA=/var/lib/postgresql
 if [ "$(stat -c %U $PGDATA)" != "postgres" ]; then
@ -14,6 +14,24 @@ fi
 service postgresql start
 service redis-server start
 /opt/varnish/sbin/varnishd -a :6081 -T localhost:6082 -s malloc,256m -f /etc/varnish.vcl
+
+if [ "$HTTPS" == "1" ]; then
+# TODO Configure carto for https
+
+cd /Windshaft-cartodb
+node app.js production &
+
+cd /CartoDB-SQL-API
+node app.js production &
+
+if [ "$LETSENCRYPT_EMAIL" != "" ]; then
+# Request cert
+certbot certonly --standalone --preferred-challenges tls-sni -d $CARTO_HOSTNAME --email $LETSENCRYPT_EMAIL --agree-tos 
+# TODO test it
+# TODO Config nginx
+service nginx start
+fi
+else
 service nginx start

 cd /Windshaft-cartodb
@ -21,6 +39,7 @@ node app.js development &

 cd /CartoDB-SQL-API
 node app.js development &
+fi

 cd /cartodb
 bundle exec script/restore_redis