Add HTTPS/SSL documentation

Fixes #406
This commit is contained in:
Christopher C. Wells 2022-02-27 15:04:18 -08:00
parent f258124f6e
commit a5042f2660
3 changed files with 138 additions and 5 deletions

View File

@ -18,7 +18,7 @@ configuration as a template to get started quickly:
version: "2.1"
services:
babybuddy:
image: ghcr.io/linuxserver/babybuddy
image: lscr.io/linuxserver/babybuddy
container_name: babybuddy
environment:
- TZ=UTC
@ -29,10 +29,6 @@ services:
restart: unless-stopped
```
:warning: Baby Buddy v1.7.0 was the final version deployed to
[babybuddy/babybuddy](https://hub.docker.com/r/babybuddy/babybuddy) on Docker Hub
Future versions of Baby Buddy will use the LSIO container.
For doing administrative work within the LSIO container, setting an environment variable may be necessary.
For example:

136
docs/setup/ssl.md Normal file
View File

@ -0,0 +1,136 @@
# HTTPS/SSL configuration
The example Docker and manual deployment methods do not include HTTPS/SSL by default.
Additional tools and configuration are required to add HTTPS support.
The information here assumes Baby Buddy has been deployed to a Debian-like system with
[snapd installed](https://snapcraft.io/docs/installing-snapd) for Certbot support with
Let's Encrypt. These requirements can skipped if SSL certificates are obtained by some
other way.
## Install NGINX
If NGINX is not already installed on the host system install it with a package manager.
```shell
apt-get -y install nginx
```
NGINX will be used to proxy HTTPS traffic to Baby Buddy. There are many other proxies
available for this (often with Let's Encrypt support, as well) so a different one can
be used if desired.
### Configure NGINX
If Baby Buddy is running from Docker a new NGINX site will need to be created to send
traffic to Docker. The configuration below uses the example domain `babybuddy.example.com`
and assumes Docker has exposed Baby Buddy on port `8000` (the default configuration).
```shell
editor /etc/nginx/sites-available/babybuddy
```
Initial configuration:
```nginx
server_tokens off;
access_log /var/log/nginx/babybuddy.access.log;
error_log /var/log/nginx/babybuddy.error.log;
server {
server_name babybuddy.example.com;
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
}
}
```
Enable the new site:
```shell
ln -s /etc/nginx/sites-available/babybuddy /etc/nginx/sites-enabled/babybuddy
service nginx restart
```
Confirm the site is not accessible at `http://babybuddy.example.com`. Note: Attempting
to log in will result in a CSRF error! This will be addressed after HTTPS has been
established.
## Install Certbot
This example uses [Let's Encrypt's](https://letsencrypt.org/) free service for obtaining
SSL certificates. Other methods can be used to obtain and install a certificate as
desired.
[Certbot](https://certbot.eff.org/instructions) is used to obtain free SSL certificates
from Let's Encrypt.
```shell
snap install core && snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
```
## Obtain and install certificate
The following command will ask for an email address to register with Let's Encrypt and
then prompt a service agreement and which NGINX host to obtain a certificate for. The
certificate will be installed and activated automatically.
```shell
certbot --nginx
[answers prompts as required]
service nginx restart
```
Certbot should have updated the NGINX site configuration (`/etc/nginx/sites-available/babybuddy`)
to look something like this:
```nginx
server_tokens off;
access_log /var/log/nginx/babybuddy.access.log;
error_log /var/log/nginx/babybuddy.error.log;
server {
server_name babybuddy.example.com;
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/babybuddy.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/babybuddy.example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = babybuddy.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name babybuddy.example.com;
listen 80;
return 404; # managed by Certbot
}
```
If the certificate was obtained by some other means the configuration about should be
instructive for how to add it to the NGINX site configuration.
## Update Baby Buddy configuration
Lastly Baby Buddy's configuration will need to updated to account for the proxy. For
details on these settings see [Proxy configuration](proxy.md).
Add the following two environment variables via the Docker or uWSGI configuration (if
using the [example deployment](deployment.md#example-deployment)):
```ini
CSRF_TRUSTED_ORIGINS=https://babybuddy.example.com
SECURE_PROXY_SSL_HEADER=True
```
That's it! Restart Docker or uWSGI and Baby Buddy should not be accessible from HTTPS!

View File

@ -10,6 +10,7 @@ nav:
- 'Setup':
- 'setup/deployment.md'
- 'setup/configuration.md'
- 'setup/ssl.md'
- 'setup/subdirectory.md'
- 'setup/proxy.md'
- 'User Guide':