cartodb/docker-cartojw
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Started working on running carto in https/production mode using env var

Browse Source 
Refs #52
Refs #22
This commit is contained in:
Stefan Verhoeven 2018-10-12 13:57:17 +02:00
parent 5af3fe24e1
commit e1af195315
5 changed files with 116 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Dockerfile
View File

@ -214,16 +214,21 @@ RUN cd / && git clone --recursive https://github.com/CartoDB/observatory-extensi
git checkout $OBSERVATORY_VERSION && \ git checkout $OBSERVATORY_VERSION && \
PGUSER=postgres make deploy PGUSER=postgres make deploy
# Certbot
RUN add-apt-repository -y ppa:certbot/certbot && apt-get install -y python-certbot-nginx
# Copy confs # Copy confs
ADD ./config/CartoDB-dev.js \ ADD ./config/CartoDB-dev.js \
/CartoDB-SQL-API/config/environments/development.js /CartoDB-SQL-API/config/environments/development.js
ADD ./config/WS-dev.js \ ADD ./config/WS-dev.js \
/Windshaft-cartodb/config/environments/development.js /Windshaft-cartodb/config/environments/development.js
# TODO create production.js for SQL and Windshaft
ADD ./config/app_config.yml /cartodb/config/app_config.yml ADD ./config/app_config.yml /cartodb/config/app_config.yml
ADD ./config/database.yml /cartodb/config/database.yml ADD ./config/database.yml /cartodb/config/database.yml
ADD ./create_dev_user /cartodb/script/create_dev_user ADD ./create_dev_user /cartodb/script/create_dev_user
ADD ./setup_organization.sh /cartodb/script/setup_organization.sh ADD ./setup_organization.sh /cartodb/script/setup_organization.sh
ADD ./config/cartodb.nginx.proxy.conf /etc/nginx/sites-enabled/default ADD ./config/cartodb.nginx.proxy.conf /etc/nginx/sites-enabled/default
ADD ./config/cartodb.nginx.https.proxy.conf /etc/nginx/sites-enabled/https
ADD ./config/varnish.vcl /etc/varnish.vcl ADD ./config/varnish.vcl /etc/varnish.vcl
ADD ./geocoder.sh /cartodb/script/geocoder.sh ADD ./geocoder.sh /cartodb/script/geocoder.sh
ADD ./geocoder_server.sql /cartodb/script/geocoder_server.sql ADD ./geocoder_server.sql /cartodb/script/geocoder_server.sql

32
README.md
View File

@ -48,6 +48,38 @@ Instead of setting hostname with `-h` you can also use the `CARTO_HOSTNAME` envi
docker run -d -p 80:80 -e CARTO_HOSTNAME=<hostname> sverhoeven/cartodb docker run -d -p 80:80 -e CARTO_HOSTNAME=<hostname> sverhoeven/cartodb
``` ```
HTTPS encryption
----------------
By default the Docker container runs unencrypted on port 80 and redirects to itself on port 80.
There are 2 ways to enable https encryption:
1. Use loadbalancer or reverse proxy to map https to http
2. Use embedded NGINX web server to perform encryption with automatic [Let's encrypt](https://letsencrypt.org/) certificate [deployment](https://certbot.eff.org/).
### 1. With load balancer or reverse proxy
Run container with
```bash
docker run -d -p 80:80 -e CARTO_HOSTNAME=<hostname> -e HTTPS=1 sverhoeven/cartodb
```
Configure load balancer or reverse proxy to accept traffic on https://<hostname>:443 and forward it to port 80 of the Docker container.
### 2. With automatic deployment
Run container with
```bash
docker run -d -p 443:443 -e CARTO_HOSTNAME=<hostname> -e HTTPS=1 -e LETSENCRYPT_EMAIL=<email adress> sverhoeven/cartodb
```
The `<email adress>` is used by Certbot as the account to register the domain at Let's Encrypt.
Let's encrypt has a [rate limit](https://letsencrypt.org/docs/rate-limits/) of a few generated certificates per domain per month, so you cannot just generate new certificates every time the container is restarted. So you should keep the generated certificates by mounting `/etc/letsencrypt`.
A cron job will try to renew the certificate each week.
Persistent data Persistent data
--------------- ---------------

58
config/cartodb.nginx.https.proxy.conf Normal file
View File

@ -0,0 +1,58 @@
server {
listen 443 default_server;
listen [::]:443 default_server;
server_name _;
client_max_body_size 0;
ssl on;
ssl_certificate /etc/letsencrypt/live/cartodb.localhost/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cartodb.localhost/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
location ~* /(user/.*/)?api/v1/maps {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:3000;
}
location ~* /(user/.*/)?api/v1/map {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8181;
}
location ~* /(user/.*)?/api/v2/sql {
# RedHog: Hack to work around bug in cartodb local hosting but using cdn for js libs
rewrite /(user/.*)?/api/v2/sql(.*) /$1/api/v2/sql$2 break;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8080;
}
location ^~ /assets {
root /cartodb/public;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:3000;
}
error_log /var/log/nginx/cartodb_error.log;
access_log /var/log/nginx/cartodb_access.log;
}

2
config/database.yml
View File

@ -4,7 +4,7 @@ production:
host: localhost host: localhost
port: 5432 port: 5432
direct_port: 5432 direct_port: 5432
database: carto_db_production database: carto_db_development
username: postgres username: postgres
password: password:
conn_validator_timeout: 900 conn_validator_timeout: 900

21
startup.sh
View File

@ -2,7 +2,7 @@
export CARTO_HOSTNAME=${CARTO_HOSTNAME:=$HOSTNAME} export CARTO_HOSTNAME=${CARTO_HOSTNAME:=$HOSTNAME}
perl -pi -e 's/cartodb\.localhost/$ENV{"CARTO_HOSTNAME"}/g' /etc/nginx/sites-enabled/default /cartodb/config/app_config.yml /Windshaft-cartodb/config/environments/development.js perl -pi -e 's/cartodb\.localhost/$ENV{"CARTO_HOSTNAME"}/g' /etc/nginx/sites-enabled/default /cartodb/config/app_config.yml /Windshaft-cartodb/config/environments/development.js /etc/nginx/sites-available/https
PGDATA=/var/lib/postgresql PGDATA=/var/lib/postgresql
if [ "$(stat -c %U $PGDATA)" != "postgres" ]; then if [ "$(stat -c %U $PGDATA)" != "postgres" ]; then
@ -14,6 +14,24 @@ fi
service postgresql start service postgresql start
service redis-server start service redis-server start
/opt/varnish/sbin/varnishd -a :6081 -T localhost:6082 -s malloc,256m -f /etc/varnish.vcl /opt/varnish/sbin/varnishd -a :6081 -T localhost:6082 -s malloc,256m -f /etc/varnish.vcl
if [ "$HTTPS" == "1" ]; then
# TODO Configure carto for https
cd /Windshaft-cartodb
node app.js production &
cd /CartoDB-SQL-API
node app.js production &
if [ "$LETSENCRYPT_EMAIL" != "" ]; then
# Request cert
certbot certonly --standalone --preferred-challenges tls-sni -d $CARTO_HOSTNAME --email $LETSENCRYPT_EMAIL --agree-tos
# TODO test it
# TODO Config nginx
service nginx start
fi
else
service nginx start service nginx start
cd /Windshaft-cartodb cd /Windshaft-cartodb
@ -21,6 +39,7 @@ node app.js development &
cd /CartoDB-SQL-API cd /CartoDB-SQL-API
node app.js development & node app.js development &
fi
cd /cartodb cd /cartodb
bundle exec script/restore_redis bundle exec script/restore_redis