From 9107baeae49db1a21e3dc7fb5d5e180ed00902ea Mon Sep 17 00:00:00 2001
From: Maciej Pesko
Date: Tue, 25 Sep 2018 09:14:44 +0000
Subject: [PATCH] Add SSL cert configuration

---
 docker-compose-prod.yml | 5 ++++-
 nginx.conf | 22 ++++++++++++++++++----
 prepare_setup.sh | 4 ++++
 3 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/docker-compose-prod.yml b/docker-compose-prod.yml
index 16a36f3..704d274 100644
--- a/docker-compose-prod.yml
+++ b/docker-compose-prod.yml
@@ -31,10 +31,13 @@ services:
 image: nginx
 ports:
 - 80:80
+ - 443:443
 volumes:
 - ./nginx.conf:/etc/nginx/conf.d/default.conf
 - static_volume:/comixify/static
 - media_volume:/comixify/media
+ - /etc/certs-data/:/data/letsencrypt/
+ - /etc/letsencrypt/:/etc/letsencrypt/
 depends_on:
 - web
 networks:
@@ -49,4 +52,4 @@ networks:
 volumes:
 db_volume:
 static_volume:
- media_volume:
\ No newline at end of file
+ media_volume:
diff --git a/nginx.conf b/nginx.conf
index dcb7907..e380fb1 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -2,10 +2,20 @@ upstream hello_server {
 server web:8008;
 }
+
 server {
- listen 80;
- server_name localhost;
- client_max_body_size 50M;
+ listen 80;
+ server_name localhost;
+ return 301 https://$host$request_uri;
+ }
+
+server {
+ listen 443;
+ server_name localhost;
+ client_max_body_size 50M;
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/comixify.ii.pw.edu.pl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/comixify.ii.pw.edu.pl/privkey.pem;
 location / {
 # everything is passed to Gunicorn
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -13,6 +23,10 @@ server {
 proxy_redirect off;
 proxy_pass http://hello_server;
 }
+ location ^~ /.well-known {
+ allow all;
+ root /data/letsencrypt/;
+ }
 location /static/ {
 alias /comixify/static/;
 }
@@ -20,4 +34,4 @@ server {
 location /media/ {
 alias /comixify/media/;
 }
-}
\ No newline at end of file
+}
diff --git a/prepare_setup.sh b/prepare_setup.sh
index 653f411..c34709d 100644
--- a/prepare_setup.sh
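Review bot: The two new bind mounts give the nginx container read-write access to `/etc/letsencrypt/`, which holds the private key referenced by nginx.conf, although nginx only ever reads it; mount both paths read-only, `- /etc/certs-data/:/data/letsencrypt/:ro` and `- /etc/letsencrypt/:/etc/letsencrypt/:ro`, so a compromised or misconfigured container cannot alter or replace the key material. Mounting the whole `/etc/letsencrypt/` tree also exposes the ACME account data kept there, which the web server has no use for; a narrower mount is preferable if the `live/` symlink layout can be satisfied, otherwise the read-only flag is the minimum. The `services:` block continues outside the hunk.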
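Review bot: `ssl on;` in the new 443 server block is the deprecated form; write `listen 443 ssl;` and drop the `ssl on;` line, and since the block sets no `ssl_protocols` it inherits whatever the image's compiled-in default allows — pin it with `ssl_protocols TLSv1.2 TLSv1.3;` (drop TLSv1.3 if the image's OpenSSL predates it). Because `ssl_certificate` and `ssl_certificate_key` point at files that exist only after certbot has run, nginx will refuse to start on a fresh host before the first issuance, while the webroot challenge in turn needs a running server on port 80; a bootstrap path (a port-80-only config until issuance, or a temporary self-signed pair) is needed and is not provided by this commit. `server_name localhost` in both blocks does not match the certificate's host name, which is harmless only while these remain the sole server blocks. The 443 server block continues beyond the hunk.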
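Review bot: The `^~ /.well-known` location is added only to the 443 server block, so HTTP-01 challenge requests arriving on port 80 are answered by the `return 301` redirect rather than by the webroot; the same location should also appear in the port-80 server block (which lies outside this hunk) so issuance and renewal do not depend on the redirect target already serving a valid certificate. `allow all;` is redundant here because no `deny` rule precedes it and can be removed. Narrowing the prefix to `location ^~ /.well-known/acme-challenge/` keeps anything else placed under `/data/letsencrypt/` from being served.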
+++ b/prepare_setup.sh
@@ -96,3 +96,7 @@ sudo docker-compose up -d
 # ASSURE THAT PORT 80 is open
 sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT
+
+# GET CERTIFICATES (SECOND COMMAND SHOULD BE RUN AFTER IAMGES ARE BUILD AND CONTAINERS RUN)
+sudo mkdir /etc/certs-data/
+sudo certbot certonly --webroot -w /etc/certs-data/ -d comixify.ii.pw.edu.pl
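Review bot: The firewall rule in the context line still opens only port 80 while the compose file now publishes 443, so HTTPS may be unreachable on hosts where INPUT filtering applies to published ports (Docker's own chains may bypass it — verify on the target host); add `sudo iptables -w -A INPUT -p tcp --dport 443 -j ACCEPT` beside it. `sudo mkdir /etc/certs-data/` aborts a rerun of the script because the directory already exists; use `sudo mkdir -p /etc/certs-data/`. The certbot call carries no `--non-interactive --agree-tos -m <contact-email>` and nothing schedules `certbot renew`, so an unattended run stalls on prompts and the certificate lapses after Let's Encrypt's 90-day lifetime unless a renewal job is added elsewhere. The comment's "IAMGES ARE BUILD" should read "IMAGES ARE BUILT".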