Add container-based HTTPS configuration documentation

Fixes #407
This commit is contained in:
Christopher C. Wells 2022-02-28 07:18:51 -08:00
parent a5042f2660
commit 428a515c38
2 changed files with 79 additions and 17 deletions

View File

@ -29,6 +29,8 @@ services:
restart: unless-stopped
```
See [HTTPS/SSL configuration](ssl.md) for information on how to secure Baby Buddy.
For doing administrative work within the LSIO container, setting an environment variable may be necessary.
For example:
@ -191,3 +193,5 @@ and any number of children).
sudo service nginx restart
15. That's it (hopefully)!
See [HTTPS/SSL configuration](ssl.md) for information on how to secure Baby Buddy.

View File

@ -3,12 +3,30 @@
The example Docker and manual deployment methods do not include HTTPS/SSL by default.
Additional tools and configuration are required to add HTTPS support.
The information here assumes Baby Buddy has been deployed to a Debian-like system with
[snapd installed](https://snapcraft.io/docs/installing-snapd) for Certbot support with
Let's Encrypt. These requirements can skipped if SSL certificates are obtained by some
other way.
## Configuration requirements
## Install NGINX
For either approach (host- or container-based) Baby Buddy's configuration will need to
be updated to account for the proxy. For details on these settings see [Proxy configuration](proxy.md).
After configuring the proxy set the following two environment variables and then restart
necessary services:
```ini
CSRF_TRUSTED_ORIGINS=https://babybuddy.example.com
SECURE_PROXY_SSL_HEADER=True
```
## Host-based proxy
This guide assumes Baby Buddy has been deployed to a Debian-like system with
[snapd installed](https://snapcraft.io/docs/installing-snapd) using the [example deployment](deployment.md#example-deployment)
however this approach can also be used with a Docker deployment if having the proxy
in the host is desired (otherwise see [Container-based proxy](#container-based-proxy)).
If the example deployment with uWSGI and NGINX is already used skip to [Install Certbot](#install-certbot)
and [Obtain and install certificate](#obtain-and-install-certificate).
### Install NGINX
If NGINX is not already installed on the host system install it with a package manager.
@ -20,7 +38,7 @@ NGINX will be used to proxy HTTPS traffic to Baby Buddy. There are many other pr
available for this (often with Let's Encrypt support, as well) so a different one can
be used if desired.
### Configure NGINX
#### Configure NGINX
If Baby Buddy is running from Docker a new NGINX site will need to be created to send
traffic to Docker. The configuration below uses the example domain `babybuddy.example.com`
@ -57,7 +75,7 @@ Confirm the site is not accessible at `http://babybuddy.example.com`. Note: Atte
to log in will result in a CSRF error! This will be addressed after HTTPS has been
established.
## Install Certbot
### Install Certbot
This example uses [Let's Encrypt's](https://letsencrypt.org/) free service for obtaining
SSL certificates. Other methods can be used to obtain and install a certificate as
@ -72,7 +90,7 @@ snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
```
## Obtain and install certificate
### Obtain and install certificate
The following command will ask for an email address to register with Let's Encrypt and
then prompt a service agreement and which NGINX host to obtain a certificate for. The
@ -120,17 +138,57 @@ server {
If the certificate was obtained by some other means the configuration about should be
instructive for how to add it to the NGINX site configuration.
## Update Baby Buddy configuration
## Container-based proxy
Lastly Baby Buddy's configuration will need to updated to account for the proxy. For
details on these settings see [Proxy configuration](proxy.md).
If Baby Buddy is already hosted in a Docker container the proxy (NGINX) can be hosted
there as well. The configuration provided here assumes the `docker-compose.yml` example
from the [Docker deployment method](deployment.md#docker) is used.
Add the following two environment variables via the Docker or uWSGI configuration (if
using the [example deployment](deployment.md#example-deployment)):
### Add NGINX service
```ini
CSRF_TRUSTED_ORIGINS=https://babybuddy.example.com
SECURE_PROXY_SSL_HEADER=True
Add the following `services` entry to `docker-compose.yml`:
```yaml
babybuddy-nginx:
image: nginx
container_name: babybuddy-nginx
volumes:
- /path/to/appdata/nginx.conf:/etc/nginx/conf.d/default.conf
- /path/to/appdata/logs:/var/log/nginx
- /path/to/appdata/certs:/certs
ports:
- 80:80
- 443:443
depends_on:
- babybuddy
```
That's it! Restart Docker or uWSGI and Baby Buddy should not be accessible from HTTPS!
Set the contents of `/path/to/appdata/nginx.conf` to:
```nginx
server {
server_name babybuddy.example.com;
listen 443 ssl;
ssl_certificate /certs/babybuddy.example.com.crt;
ssl_certificate_key /certs/babybuddy.example.com.key;
location / {
proxy_pass http://babybuddy:8000;
proxy_set_header Host $host;
}
}
server {
if ($host = babybuddy.example.com) {
return 301 https://$host$request_uri;
}
server_name babybuddy.example.com;
listen 80;
return 404;
}
```
### Add certificates
Place certificates in `/path/to/appdata/certs` using the files name of `ssl_certificate`
and `ssl_ceritifcate_key` in the NGINX configuration.