From 535f08cb5d2385b6e6d0aa0e314998a723f896ba Mon Sep 17 00:00:00 2001
From: Giovanni Allegri
Date: Wed, 10 Jan 2024 09:59:47 +0100
Subject: [PATCH] [Fixes #11817] Drop Nginx and Letsencrypt Dockerfiles (#11818)

* Drop Nginx and Letsencrypt Dockerfiles

* align compose files

* algin compose filew (2)
---
 docker-compose-dev.yml | 9 +-
 docker-compose-geoserver-server.yml | 4 +-
 docker-compose-test.yml | 10 +-
 docker-compose.yml | 10 +-
 scripts/docker/letsencrypt/Dockerfile | 18 ---
 scripts/docker/letsencrypt/README.md | 15 --
 scripts/docker/letsencrypt/crontab | 8 --
 .../docker/letsencrypt/docker-entrypoint.sh | 52 -------
 scripts/docker/nginx/Dockerfile | 18 ---
 scripts/docker/nginx/docker-autoreload.sh | 37 -----
 scripts/docker/nginx/docker-entrypoint.sh | 67 ---------
 scripts/docker/nginx/geonode.conf.envsubst | 134 ------------------
 scripts/docker/nginx/nginx.conf.envsubst | 39 -----
 .../nginx/nginx.https.available.conf.envsubst | 37 -----
 14 files changed, 14 insertions(+), 444 deletions(-)
 delete mode 100644 scripts/docker/letsencrypt/Dockerfile
 delete mode 100644 scripts/docker/letsencrypt/README.md
 delete mode 100644 scripts/docker/letsencrypt/crontab
 delete mode 100644 scripts/docker/letsencrypt/docker-entrypoint.sh
 delete mode 100644 scripts/docker/nginx/Dockerfile
 delete mode 100644 scripts/docker/nginx/docker-autoreload.sh
 delete mode 100644 scripts/docker/nginx/docker-entrypoint.sh
 delete mode 100644 scripts/docker/nginx/geonode.conf.envsubst
 delete mode 100644 scripts/docker/nginx/nginx.conf.envsubst
 delete mode 100644 scripts/docker/nginx/nginx.https.available.conf.envsubst

diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index 0ac801a9621..7c21d3ec374 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -52,7 +52,7 @@ services: # Nginx is serving django static and media files and proxies to django and geonode geonode: - image: geonode/nginx:1.25.1 + image: geonode/nginx:latest build: ./scripts/docker/nginx/ container_name: nginx4${COMPOSE_PROJECT_NAME} env_file: @@ -71,7 +71,6 @@ services: # Gets and installs letsencrypt certificates letsencrypt: image: geonode/letsencrypt:latest - build: ./scripts/docker/letsencrypt/ container_name: letsencrypt4${COMPOSE_PROJECT_NAME} env_file: - .env @@ -81,7 +80,7 @@ services: # Geoserver backend geoserver: - image: geonode/geoserver:2.23.0 + image: geonode/geoserver:latest container_name: geoserver4${COMPOSE_PROJECT_NAME} healthcheck: test: "curl -m 10 --fail --silent --write-out 'HTTP CODE : %{http_code}\n' --output /dev/null http://geoserver:8080/geoserver/ows" @@ -107,7 +106,7 @@ services: condition: service_healthy data-dir-conf: - image: geonode/geoserver_data:2.23.0 + image: geonode/geoserver_data:latest container_name: gsconf4${COMPOSE_PROJECT_NAME} entrypoint: sleep infinity volumes: @@ -119,7 +118,7 @@ services: # PostGIS database. db: # use geonode official postgis 15 image - image: geonode/postgis:15 + image: geonode/postgis:latest command: postgres -c "max_connections=${POSTGRESQL_MAX_CONNECTIONS}" container_name: db4${COMPOSE_PROJECT_NAME} env_file: diff --git a/docker-compose-geoserver-server.yml b/docker-compose-geoserver-server.yml index 10785a5794a..5a83f79b7c7 100644 --- a/docker-compose-geoserver-server.yml +++ b/docker-compose-geoserver-server.yml @@ -2,7 +2,7 @@ version: '2.2' services: data-dir-conf: - image: geonode/geoserver_data:2.23.0 + image: geonode/geoserver_data:latest restart: on-failure container_name: gsconf4${COMPOSE_PROJECT_NAME} labels: @@ -13,7 +13,7 @@ services: - geoserver-data-dir:/geoserver_data/data geoserver: - image: geonode/geoserver:2.23.0 + image: geonode/geoserver:latest restart: unless-stopped container_name: geoserver4${COMPOSE_PROJECT_NAME} stdin_open: true 
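Review bot: docker-compose-dev.yml still carries `build: ./scripts/docker/nginx/` under the `geonode` service (kept as context in the first hunk) while this same patch deletes that directory, so a `docker compose build` or `up --build` against the dev file should fail on the missing build context; the test and production compose files drop that line and the dev file should be aligned the same way. The remaining hunks in this file replace every pinned tag (`geonode/nginx:1.25.1`, `geonode/geoserver:2.23.0`, `geonode/geoserver_data:2.23.0`, `geonode/postgis:15`) with `:latest`, which makes the dev stack non-reproducible and lets a registry push silently change what a fresh pull runs. Pinning a tag, or better a digest (`image: geonode/nginx:1.25.1@sha256:…`), keeps the provenance the local build directive used to give. Since the nginx image is now pulled prebuilt, a comment on the service stating which repository builds it would also help, as the TLS and proxy-header policy it ships with is no longer visible in this tree.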
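Review bot: in docker-compose-geoserver-server.yml both `data-dir-conf` and `geoserver` move from `2.23.0` to `latest`, but the two images are published independently, so a fresh pull can presumably pair a data directory from one GeoServer release with the server binary of another; the old matching tags prevented that. If the two must stay in step, drive both from one variable rather than from floating tags, e.g. `image: geonode/geoserver_data:${GEOSERVER_VERSION:-2.23.0}` and `image: geonode/geoserver:${GEOSERVER_VERSION:-2.23.0}`, so an upgrade is a single deliberate edit.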
diff --git a/docker-compose-test.yml b/docker-compose-test.yml index 9bd764f8da3..22ac6dd0093 100644 --- a/docker-compose-test.yml +++ b/docker-compose-test.yml @@ -52,8 +52,7 @@ services: # Nginx is serving django static and media files and proxies to django and geonode geonode: - image: geonode/nginx:1.25.1 - build: ./scripts/docker/nginx/ + image: geonode/nginx:latest container_name: nginx4${COMPOSE_PROJECT_NAME} env_file: - .env_test @@ -84,7 +83,6 @@ services: # Gets and installs letsencrypt certificates letsencrypt: image: geonode/letsencrypt:latest - build: ./scripts/docker/letsencrypt/ container_name: letsencrypt4${COMPOSE_PROJECT_NAME} env_file: - .env_test @@ -94,7 +92,7 @@ services: # Geoserver backend geoserver: - image: geonode/geoserver:2.23.0 + image: geonode/geoserver:latest container_name: geoserver4${COMPOSE_PROJECT_NAME} healthcheck: test: "curl -m 10 --fail --silent --write-out 'HTTP CODE : %{http_code}\n' --output /dev/null http://geoserver:8080/geoserver/ows" @@ -120,7 +118,7 @@ services: condition: service_healthy data-dir-conf: - image: geonode/geoserver_data:2.23.0 + image: geonode/geoserver_data:latest container_name: gsconf4${COMPOSE_PROJECT_NAME} entrypoint: sleep infinity volumes: @@ -132,7 +130,7 @@ services: # PostGIS database. db: # use geonode official postgis 15 image - image: geonode/postgis:15 + image: geonode/postgis:latest command: postgres -c "max_connections=${POSTGRESQL_MAX_CONNECTIONS}" container_name: db4${COMPOSE_PROJECT_NAME} env_file: diff --git a/docker-compose.yml b/docker-compose.yml index 7cc150f129c..61b85d10503 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -61,8 +61,7 @@ services: # Nginx is serving django static and media files and proxies to django and geonode geonode: - image: geonode/nginx:1.25.1 - build: ./scripts/docker/nginx/ + image: geonode/nginx:latest container_name: nginx4${COMPOSE_PROJECT_NAME} env_file: - .env 
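Review bot: docker-compose-test.yml is the CI stack, and moving `geonode`, `geoserver`, `data-dir-conf` and `db` to `:latest` means a test run now depends on whatever the registry served that day rather than on the commit under test, so a failing run cannot be reproduced later and an unrelated image push can break the build. The `db` change from `geonode/postgis:15` is the most sensitive one, because it drops the PostgreSQL major version from the tag entirely. Keep the explicit tags here (or pin by digest) and bump them deliberately; if `latest` is wanted for a nightly job, put it behind a variable such as `image: geonode/postgis:${POSTGIS_VERSION:-15}`.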
@@ -80,7 +79,6 @@ services: # Gets and installs letsencrypt certificates letsencrypt: image: geonode/letsencrypt:latest - build: ./scripts/docker/letsencrypt/ container_name: letsencrypt4${COMPOSE_PROJECT_NAME} env_file: - .env @@ -90,7 +88,7 @@ services: # Geoserver backend geoserver: - image: geonode/geoserver:2.23.0 + image: geonode/geoserver:latest container_name: geoserver4${COMPOSE_PROJECT_NAME} healthcheck: test: "curl -m 10 --fail --silent --write-out 'HTTP CODE : %{http_code}\n' --output /dev/null http://geoserver:8080/geoserver/ows" @@ -116,7 +114,7 @@ services: condition: service_healthy data-dir-conf: - image: geonode/geoserver_data:2.23.0 + image: geonode/geoserver_data:latest container_name: gsconf4${COMPOSE_PROJECT_NAME} entrypoint: sleep infinity volumes: @@ -128,7 +126,7 @@ services: # PostGIS database. db: # use geonode official postgis 15 image - image: geonode/postgis:15 + image: geonode/postgis:latest command: postgres -c "max_connections=${POSTGRESQL_MAX_CONNECTIONS}" container_name: db4${COMPOSE_PROJECT_NAME} env_file: diff --git a/scripts/docker/letsencrypt/Dockerfile b/scripts/docker/letsencrypt/Dockerfile deleted file mode 100644 index 1480342e8f1..00000000000 --- a/scripts/docker/letsencrypt/Dockerfile +++ /dev/null @@ -1,18 +0,0 @@ -FROM alpine:latest - -RUN apk add --no-cache certbot - -# Installing scripts -ADD docker-entrypoint.sh /docker-entrypoint.sh -RUN chmod +x /docker-entrypoint.sh - -# Installing cronjobs -ADD crontab /crontab -RUN /usr/bin/crontab /crontab && \ - rm /crontab - -# Setup the entrypoint -ENTRYPOINT ["./docker-entrypoint.sh"] - -# We run cron in foreground to update the certificates -CMD /usr/sbin/crond -f diff --git a/scripts/docker/letsencrypt/README.md b/scripts/docker/letsencrypt/README.md deleted file mode 100644 index d6b1ec2247e..00000000000 --- a/scripts/docker/letsencrypt/README.md +++ /dev/null 
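Review bot: the production `db` service in docker-compose.yml switches from `geonode/postgis:15` to `geonode/postgis:latest`, and PostgreSQL refuses to open a data directory written by a different major version, so the first pull after the image moves past 15 would leave an existing `db` container failing to start until a manual `pg_upgrade` or dump/restore; keep the major version in the tag (`image: geonode/postgis:15`) or pin by digest. The same concern applies to `geoserver` and `data-dir-conf`, where the data-directory image and the server image are presumably expected to match release for release. The `letsencrypt` service was already pulling `geonode/letsencrypt:latest`, but dropping `build:` removes the only in-repo definition of that image, so the compose comment should say where it is now built.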
@@ -1,15 +0,0 @@
-# Letsencrypt service for Geonode
-
-This service generates SSL certificates to be used by Nginx.
-
-## Let's Encrypt
-
-Upon startup, it generates one SSL certificate from Let's Encrypt using Certbot. It then starts cron (in foreground) to renew the certificates using Certbot renew.
-
-If for some reason getting the certificate fails, a placeholder certificate is generated. This certificate is invalid, but still allows to encrypt the data and to start the webserver.
-
-To avoid hitting Let's Encrypt very low rate limits when developping or doing tests, LETSENCRYPT_MODE env var can be set to "disabled" (which will completely bypass Let'sEncrypt, simulating a failure) or to "staging" (using Let'sEncrypt test certificates with higher rates).
-
-## Autoissued
-
-An auto-issued certificate is also generate to be used on the LAN if needed. It is also renewed every now and then using the same cron process than above.
diff --git a/scripts/docker/letsencrypt/crontab b/scripts/docker/letsencrypt/crontab
deleted file mode 100644
index 7ea7203b8f8..00000000000
--- a/scripts/docker/letsencrypt/crontab
+++ /dev/null
@@ -1,8 +0,0 @@
-# +------------- minute (0 - 59)
-# ¦ +------------- hour (0 - 23)
-# ¦ ¦ +------------- day of month (1 - 31)
-# ¦ ¦ ¦ +------------- month (1 - 12)
-# ¦ ¦ ¦ ¦ +------------- day of week (0 - 6) (Sunday to Saturday; 7 is also Sunday on some systems)
-# ¦ ¦ ¦ ¦ ¦
-
- 0 0,12 * * * date && echo "daily " && /docker-entrypoint.sh
diff --git a/scripts/docker/letsencrypt/docker-entrypoint.sh b/scripts/docker/letsencrypt/docker-entrypoint.sh
deleted file mode 100644
index d1c4541b075..00000000000
--- a/scripts/docker/letsencrypt/docker-entrypoint.sh
+++ /dev/null
@@ -1,52 +0,0 @@
-#!/bin/sh
-
-# Exit script in case of error
-set -e
-
-echo $"\n\n\n"
-echo "-----------------------------------------------------"
-echo "STARTING LETSENCRYPT ENTRYPOINT ---------------------"
-date
-
-# We make the config dir
-mkdir -p "/geonode-certificates/$LETSENCRYPT_MODE"
-
-# Do not exit script in case of error
-set +e
-
-# We run the command
-if [ "$LETSENCRYPT_MODE" == "staging" ]; then
- printf "\nTrying to get STAGING certificate\n"
- certbot --config-dir "/geonode-certificates/$LETSENCRYPT_MODE" certonly --webroot -w "/geonode-certificates" -d "$HTTPS_HOST" -m "$ADMIN_EMAIL" --agree-tos --non-interactive --test-cert
-elif [ "$LETSENCRYPT_MODE" == "production" ]; then
- printf "\nTrying to get PRODUCTION certificate\n"
- certbot --config-dir "/geonode-certificates/$LETSENCRYPT_MODE" certonly --webroot -w "/geonode-certificates" -d "$HTTPS_HOST" -m "$ADMIN_EMAIL" --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory
-elif [ "$LETSENCRYPT_MODE" == "disabled" ]; then
- printf "\nNot trying to get certificate (because LETSENCRYPT_MODE variable is set to disabled) - and stop container\n"
- exit 0
-else
- printf "\nNot trying to get certificate (simulating failure, because LETSENCRYPT_MODE variable was neither staging nor production\n"
- /bin/false
-fi
-
-# If the certbot comand failed, we will create a placeholder certificate
-if [ ! $? -eq 0 ]; then
- # Exit script in case of error
- set -e
-
- printf "\nFailed to get the certificates !\n"
-
- printf "\nWaiting 30s to avoid hitting Letsencrypt rate limits before it's even possible to react\n"
- sleep 30
-
- exit 1
-fi
-
-printf "\nCertificate have been created/renewed successfully\n"
-
-echo "-----------------------------------------------------"
-echo "FINISHED LETSENCRYPT ENTRYPOINT ---------------------"
-echo "-----------------------------------------------------"
-
-# Run the CMD
-exec "$@"
diff --git a/scripts/docker/nginx/Dockerfile b/scripts/docker/nginx/Dockerfile
deleted file mode 100644
index 9b0fe5b4f30..00000000000
--- a/scripts/docker/nginx/Dockerfile
+++ /dev/null
@@ -1,18 +0,0 @@
-FROM nginx:1.25.3-alpine
-
-RUN apk add --no-cache openssl inotify-tools vim
-
-WORKDIR /etc/nginx/
-
-RUN mkdir -p /etc/nginx/html
-RUN touch /etc/nginx/html/index.html
-
-ADD nginx.conf.envsubst nginx.https.available.conf.envsubst ./
-ADD geonode.conf.envsubst ./sites-enabled/
-
-ADD docker-autoreload.sh docker-entrypoint.sh /
-ENTRYPOINT ["/docker-entrypoint.sh"]
-RUN chmod +x /docker-autoreload.sh
-RUN chmod +x /docker-entrypoint.sh
-
-CMD ["nginx", "-g", "daemon off;"]
diff --git a/scripts/docker/nginx/docker-autoreload.sh b/scripts/docker/nginx/docker-autoreload.sh
deleted file mode 100644
index 812cc76d723..00000000000
--- a/scripts/docker/nginx/docker-autoreload.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-
-# This will watch the /geonode-certificates folder and run nginx -s reload whenever there are some changes.
-# We use this to reload nginx config when certificates changed.
-
-# inspired/copied from https://github.com/kubernetes/kubernetes/blob/master/examples/https-nginx/auto-reload-nginx.sh
-
-while true
-do
- inotifywait -e create -e modify -e delete -e move -r --exclude "\\.certbot\\.lock|\\.well-known" "/geonode-certificates/$LETSENCRYPT_MODE"
- echo "Changes noticed in /geonode-certificates"
-
- echo "Waiting 5s for additionnal changes"
- sleep 5
-
- echo "Creating symbolic link for WAN host"
- # for some reason, the ln -f flag doesn't work below...
- rm -f /certificate_symlink
- if [ -f "/geonode-certificates/$LETSENCRYPT_MODE/live/$HTTPS_HOST/fullchain.pem" ] && [ -f "/geonode-certificates/$LETSENCRYPT_MODE/live/$HTTPS_HOST/privkey.pem" ]; then
- echo "Certbot certificate exists, we symlink to the live cert"
- ln -sf "/geonode-certificates/$LETSENCRYPT_MODE/live/$HTTPS_HOST" /certificate_symlink
- else
- echo "Certbot certificate does not exist, we symlink to autoissued"
- ln -sf "/geonode-certificates/autoissued" /certificate_symlink
- fi
-
- # Test nginx configuration
- nginx -t
- # If it passes, we reload
- if [ $? -eq 0 ]
- then
- echo "Configuration valid, we reload..."
- nginx -s reload
- else
- echo "Configuration not valid, we do not reload."
- fi
-done
diff --git a/scripts/docker/nginx/docker-entrypoint.sh b/scripts/docker/nginx/docker-entrypoint.sh
deleted file mode 100644
index e6bec7a1db2..00000000000
--- a/scripts/docker/nginx/docker-entrypoint.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/sh
-
-# Exit script in case of error
-set -e
-
-echo $"\n\n\n"
-echo "-----------------------------------------------------"
-echo "STARTING NGINX ENTRYPOINT ---------------------------"
-date
-
-# We make the config dir
-mkdir -p "/geonode-certificates/$LETSENCRYPT_MODE"
-
-echo "Creating autoissued certificates for HTTP host"
-if [ ! -f "/geonode-certificates/autoissued/privkey.pem" ] || [[ $(find /geonode-certificates/autoissued/privkey.pem -mtime +365 -print) ]]; then
- echo "Autoissued certificate does not exist or is too old, we generate one"
- mkdir -p "/geonode-certificates/autoissued/"
- openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout "/geonode-certificates/autoissued/privkey.pem" -out "/geonode-certificates/autoissued/fullchain.pem" -subj "/CN=${HTTP_HOST:-HTTPS_HOST}"
-else
- echo "Autoissued certificate already exists"
-fi
-
-echo "Creating symbolic link for HTTPS certificate"
-# for some reason, the ln -f flag doesn't work below...
-# TODO : not DRY (reuse same scripts as docker-autoreload.sh)
-rm -f /certificate_symlink
-if [ -f "/geonode-certificates/$LETSENCRYPT_MODE/live/$HTTPS_HOST/fullchain.pem" ] && [ -f "/geonode-certificates/$LETSENCRYPT_MODE/live/$HTTPS_HOST/privkey.pem" ]; then
- echo "Certbot certificate exists, we symlink to the live cert"
- ln -sf "/geonode-certificates/$LETSENCRYPT_MODE/live/$HTTPS_HOST" /certificate_symlink
-else
- echo "Certbot certificate does not exist, we symlink to autoissued"
- ln -sf "/geonode-certificates/autoissued" /certificate_symlink
-fi
-
-if [ -z "${HTTPS_HOST}" ]; then
- HTTP_SCHEME="http"
-else
- HTTP_SCHEME="https"
-fi
-
-export HTTP_SCHEME=${HTTP_SCHEME:-http}
-export GEONODE_LB_HOST_IP=${GEONODE_LB_HOST_IP:-django}
-export GEONODE_LB_PORT=${GEONODE_LB_PORT:-8000}
-export GEOSERVER_LB_HOST_IP=${GEOSERVER_LB_HOST_IP:-geoserver}
-export GEOSERVER_LB_PORT=${GEOSERVER_LB_PORT:-8080}
-
-echo "Replacing environement variables"
-envsubst '\$HTTP_HOST \$HTTPS_HOST \$HTTP_SCHEME \$GEONODE_LB_HOST_IP \$GEONODE_LB_PORT \$GEOSERVER_LB_HOST_IP \$GEOSERVER_LB_PORT \$RESOLVER' < /etc/nginx/nginx.conf.envsubst > /etc/nginx/nginx.conf
-envsubst '\$HTTP_HOST \$HTTPS_HOST \$HTTP_SCHEME \$GEONODE_LB_HOST_IP \$GEONODE_LB_PORT \$GEOSERVER_LB_HOST_IP \$GEOSERVER_LB_PORT \$RESOLVER' < /etc/nginx/nginx.https.available.conf.envsubst > /etc/nginx/nginx.https.available.conf
-envsubst '\$HTTP_HOST \$HTTPS_HOST \$HTTP_SCHEME \$GEONODE_LB_HOST_IP \$GEONODE_LB_PORT \$GEOSERVER_LB_HOST_IP \$GEOSERVER_LB_PORT' < /etc/nginx/sites-enabled/geonode.conf.envsubst > /etc/nginx/sites-enabled/geonode.conf
-
-echo "Enabling or not https configuration"
-if [ -z "${HTTPS_HOST}" ]; then
- echo "" > /etc/nginx/nginx.https.enabled.conf
-else
- ln -sf /etc/nginx/nginx.https.available.conf /etc/nginx/nginx.https.enabled.conf
-fi
-
-echo "Loading nginx autoreloader"
-sh /docker-autoreload.sh &
-
-echo "-----------------------------------------------------"
-echo "FINISHED NGINX ENTRYPOINT ---------------------------"
-echo "-----------------------------------------------------"
-
-# Run the CMD
-exec "$@"
diff --git a/scripts/docker/nginx/geonode.conf.envsubst b/scripts/docker/nginx/geonode.conf.envsubst
deleted file mode 100644
index 1176ce2cc2b..00000000000
--- a/scripts/docker/nginx/geonode.conf.envsubst
+++ /dev/null
@@ -1,134 +0,0 @@
-include /etc/nginx/mime.types;
-
-# This is the main geonode conf
-charset utf-8;
-
-# max upload size
-client_max_body_size 100G;
-client_body_buffer_size 256K;
-client_body_timeout 600s;
-large_client_header_buffers 4 64k;
-
-proxy_connect_timeout 600;
-proxy_send_timeout 600;
-proxy_read_timeout 600;
-uwsgi_read_timeout 600;
-send_timeout 600;
-
-fastcgi_hide_header Set-Cookie;
-
-etag on;
-
-# compression
-gzip on;
-gzip_vary on;
-gzip_proxied any;
-gzip_http_version 1.1;
-gzip_disable "MSIE [1-6]\.";
-gzip_buffers 16 8k;
-gzip_min_length 1100;
-gzip_comp_level 6;
-gzip_types
- text/css
- text/javascript
- text/xml
- text/plain
- application/xml
- application/xml+rss
- application/javascript
- application/x-javascript
- application/json;
-
-# GeoServer
-location /geoserver {
- # Using a variable is a trick to let Nginx start even if upstream host is not up yet
- # (see https://sandro-keil.de/blog/2017/07/24/let-nginx-start-if-upstream-host-is-unavailable-or-down/)
- set $upstream $GEOSERVER_LB_HOST_IP:$GEOSERVER_LB_PORT;
-
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $HTTP_SCHEME;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_hide_header X-Frame-Options;
- proxy_pass http://$upstream;
- proxy_http_version 1.1;
- proxy_redirect http://$upstream $HTTP_SCHEME://$HTTP_HOST;
- proxy_request_buffering off;
- client_max_body_size 0;
-}
-
-# GeoNode
-location /static/ {
- alias /mnt/volumes/statics/static/;
-
- location ~* \.(?:html|js|jpg|jpeg|gif|png|css|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|ttf|rtf|swf|ico|flv|txt|woff|woff2|svg|xml)$ {
- gzip_static always;
- expires 30d;
- access_log off;
- add_header Pragma "public";
- add_header Cache-Control "max-age=31536000, public";
- }
-}
-
-location /uploaded/ {
- alias /mnt/volumes/statics/uploaded/;
-
- location ~* \.(?:html|js|jpg|jpeg|gif|png|css|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|ttf|rtf|swf|ico|flv|txt|woff|woff2|svg|xml)$ {
- gzip_static always;
- expires 30d;
- access_log off;
- add_header Pragma "public";
- add_header Cache-Control "max-age=31536000, public";
- }
-}
-
-location / {
- # Using a variable is a trick to let Nginx start even if upstream host is not up yet
- # (see https://sandro-keil.de/blog/2017/07/24/let-nginx-start-if-upstream-host-is-unavailable-or-down/)
- set $upstream $GEONODE_LB_HOST_IP:$GEONODE_LB_PORT;
-
- if ($request_method = OPTIONS) {
- add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, OPTIONS";
- add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept";
- add_header Access-Control-Allow-Credentials true;
- add_header Content-Length 0;
- add_header Content-Type text/plain;
- add_header Access-Control-Max-Age 1728000;
- return 200;
- }
-
- add_header Access-Control-Allow-Credentials false;
- add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization, Origin, User-Agent";
- add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, OPTIONS";
-
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header Origin $HTTP_SCHEME://$host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Host $server_name;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $HTTP_SCHEME;
- proxy_hide_header X-Frame-Options;
- proxy_request_buffering off;
-
- # uwsgi_params
- include /etc/nginx/uwsgi_params;
-
- proxy_pass http://$upstream;
- # uwsgi_pass $upstream;
-
- # when a client closes the connection then keep the channel to uwsgi open. Otherwise uwsgi throws an IOError
- uwsgi_ignore_client_abort on;
- uwsgi_request_buffering off;
-
- location ~* \.(?:js|jpg|jpeg|gif|png|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|ttf|rtf|swf|ico|flv|woff|woff2|svg|xml)$ {
- gzip_static always;
- expires 30d;
- access_log off;
- add_header Pragma "public";
- add_header Cache-Control "max-age=31536000, public";
- }
-}
diff --git a/scripts/docker/nginx/nginx.conf.envsubst b/scripts/docker/nginx/nginx.conf.envsubst
deleted file mode 100644
index b6065209d51..00000000000
--- a/scripts/docker/nginx/nginx.conf.envsubst
+++ /dev/null
@@ -1,39 +0,0 @@
-# NOTE : $VARIABLES are env variables replaced by entrypoint.sh using envsubst
-# not to be mistaken for nginx variables (also starting with $, but usually lowercase)
-
-worker_processes auto;
-
-events {
-
-}
-
-http {
- server_names_hash_bucket_size 64;
-
- # Allow Nginx to resolve Docker host names (see https://sandro-keil.de/blog/2017/07/24/let-nginx-start-if-upstream-host-is-unavailable-or-down/)
- resolver $RESOLVER; # it seems rancher uses 169.254.169.250 instead of 127.0.0.11 which works well in docker-compose (see /etc/resolv.conf)
-
- # https - listens on specific name - this uses letsencrypt cert
- # this includes a symlink that links either to nginx.https.available.conf if https in enabled
- # or to an empty file if https is disabled.
- include nginx.https.enabled.conf;
-
- # http - listens to specific HTTP_HOST only - this is not encrypted (not ideal but admissible on LAN for instance)
- # even if not used (HTTP_HOST empty), we must keep it as it's used for internal API calls between django and geoserver
- # TODO : do not use unencrypted connection even on LAN, but is it possible to have browser not complaining about unknown authority ?
- server {
- listen 80;
- server_name $HTTP_HOST 127.0.0.1;
-
- include sites-enabled/*.conf;
- }
-
- # Default server closes the connection (we can connect only using HTTP_HOST and HTTPS_HOST)
- server {
- listen 80 default_server;
- listen 443;
- server_name _;
- return 444;
- }
-
-}
diff --git a/scripts/docker/nginx/nginx.https.available.conf.envsubst b/scripts/docker/nginx/nginx.https.available.conf.envsubst
deleted file mode 100644
index fcd1cb34367..00000000000
--- a/scripts/docker/nginx/nginx.https.available.conf.envsubst
+++ /dev/null
@@ -1,37 +0,0 @@
-# NOTE : $VARIABLES are env variables replaced by entrypoint.sh using envsubst
-# not to be mistaken for nginx variables (also starting with $, but usually lowercase)
-
-# This file is to be included in the main nginx.conf configuration if HTTPS_HOST is set
-ssl_session_cache shared:SSL:10m;
-ssl_session_timeout 10m;
-
-# this is the actual HTTPS host
-server {
- listen 443 ssl;
- server_name $HTTPS_HOST;
- keepalive_timeout 70;
-
- ssl_certificate /certificate_symlink/fullchain.pem;
- ssl_certificate_key /certificate_symlink/privkey.pem;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers HIGH:!aNULL:!MD5;
-
- include sites-enabled/*.conf;
-}
-
-# if we try to connect from http, we redirect to https
-server {
- listen 80;
- server_name $HTTPS_HOST $HTTP_HOST; # TODO : once geoserver supports relative urls, we should allow access though both HTTP and HTTPS at the same time and hence remove HTTP_HOST from this line
-
- # Except for let's encrypt challenge
- location /.well-known {
- alias /geonode-certificates/.well-known;
- include /etc/nginx/mime.types;
- }
-
- # Redirect to https
- location / {
- return 302 https://$HTTPS_HOST$request_uri; # TODO : we should use 301 (permanent redirect, but not practical for debug)
- }
-}