From e4366f235e9eaca565bd0e4ac567dd4cd7a3c652 Mon Sep 17 00:00:00 2001
From: Patrick Delcroix
Date: Wed, 1 Dec 2021 18:33:43 +0100
Subject: [PATCH 1/2] add nginx reverse proxy

---
 README.md | 9 ++-
 conf/console/default.json | 14 ++++
 conf/core/default.json | 154 ++++++++++++++++++++++++++++++++++++
 conf/nginx/openhim.template | 61 ++++++++++++++
 docker-compose.yml | 61 ++++++++++----
 5 files changed, 282 insertions(+), 17 deletions(-)
 create mode 100644 conf/console/default.json
 create mode 100644 conf/core/default.json
 create mode 100644 conf/nginx/openhim.template

diff --git a/README.md b/README.md
index 9a12a92..68d3ad6 100644
--- a/README.md
+++ b/README.md
@@ -4,8 +4,15 @@
 2. Spin up the OpenHIM core and console easily with docker compose:
+3. Generate the cert files and update the cert files path in conf/nginx/openhim.template
+
+4. start the compose
 ```
 docker-compose build && docker-compose up -d
 ```
-3. Access on localhost:9000 or at :9000
+5. Access on https://localhost or at https://
+
+6. Access API on https://localhost/api or at https:///api
+
+7. Send traffic to mediator https://localhost/queue or at https:///queue
diff --git a/conf/console/default.json b/conf/console/default.json
new file mode 100644
index 0000000..136e03a
--- /dev/null
+++ b/conf/console/default.json
@@ -0,0 +1,14 @@
+{
+ "version": "1.10.0",
+ "minimumCoreVersion": "3.4.0",
+ "protocol": "https",
+ "host": "him.s1.openimis.org",
+ "hostPath":"api",
+ "port": 443,
+ "title": "Admin Console",
+ "footerTitle": "OpenHIM Administration Console",
+ "footerPoweredBy": "Powered by OpenHIM",
+ "loginBanner": "",
+ "mediatorLastHeartbeatWarningSeconds": 60,
+ "mediatorLastHeartbeatDangerSeconds": 120
+}
diff --git a/conf/core/default.json b/conf/core/default.json
new file mode 100644
index 0000000..acf99aa
--- /dev/null
+++ b/conf/core/default.json
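Review bot: `"host": "him.s1.openimis.org"` hard-codes the deployment hostname in a committed file, and the same name must also be supplied as `NGINX_HOST` in docker-compose.yml and stand in for `$DOMAIN` in conf/core/default.json — three places that drift independently with nothing checking they agree. Generate this file from a template the way the nginx service does with `envsubst`, or at least document the coupling in the README step that tells the operator to edit the cert paths. Also `"hostPath":"api"` is the only pair in the file without a space after the colon; write `"hostPath": "api"` for consistency. `protocol`/`port` here (`https`/443) do line up with the nginx `/api/` location, so only the hostname is the moving part.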
@@ -0,0 +1,154 @@
+
+{
+ "bindAddress": "0.0.0.0",
+ "mongo": {
+ "url": "mongodb://localhost/openhim-development",
+ "atnaUrl": "mongodb://localhost/openhim-development",
+ "connectionOptions": {},
+ "openHIMApiReadPreference": "primaryPreferred",
+ "openHIMApiWriteConcern": 1,
+ "openHIMApiReadConcern": "local"
+ },
+ "logger": {
+ "level": "info",
+ "logToDB": true,
+ "capDBLogs": true,
+ "capSize": 10000000
+ },
+ "mongoLogger": {
+ "options": {
+ "w": 0,
+ "useNewUrlParser": true
+ }
+ },
+ "router": {
+ "externalHostname": "$DOMAIN",
+ "httpPort": 5001,
+ "httpsPort": 5000,
+ "timeout": 60000
+ },
+ "bodyCull":{
+ "enabled":true,
+ "pollPeriodMins": 60
+ },
+ "api": {
+ "enabled": true,
+ "protocol": "https",
+ "port": 8080,
+ "authWindowSeconds": 10,
+ "maxBodiesSizeMB": 15,
+ "maxPayloadSizeMB": 50,
+ "truncateSize": 15000,
+ "truncateAppend": "\n[truncated ...]",
+ "authenticationTypes": ["token"]
+ },
+ "rerun": {
+ "httpPort": 7786,
+ "host": "localhost",
+ "processor": {
+ "enabled": true,
+ "pollPeriodMillis": 2000
+ }
+ },
+ "tcpAdapter": {
+ "httpReceiver": {
+ "httpPort": 7787,
+ "host": "localhost"
+ }
+ },
+ "polling": {
+ "enabled": true,
+ "pollingPort": 7788,
+ "host": "localhost"
+ },
+ "authentication": {
+ "enableMutualTLSAuthentication": true,
+ "enableBasicAuthentication": true,
+ "enableCustomTokenAuthentication": false,
+ "enableJWTAuthentication": false,
+ "jwt": {
+ "secretOrPublicKey": "",
+ "algorithms": "",
+ "audience": "",
+ "issuer": ""
+ }
+ },
+ "email": {
+ "fromAddress": "address@example.com",
+ "nodemailer": {
+ "service": "Gmail",
+ "auth": {
+ "user": "user@gmail.com",
+ "pass": "password"
+ }
+ }
+ },
+ "smsGateway": {
+ "provider": "clickatell",
+ "config": {
+ "user": "user",
+ "pass": "pass",
+ "apiID": "apiID"
+ }
+ },
+ "alerts": {
+ "enableAlerts": true,
+ "pollPeriodMinutes": 1,
+ "himInstance": "Local OpenHIM",
+ "consoleURL": "https://$DOMAIN"
+ },
+ "reports": {
+ "enableReports": true,
+ "dailyReportAt": "0 7 * * *",
+ "weeklyReportAt": "0 7 * * 1",
+ "utcOffset": null
+ },
+ "events": {
+ "enableTSNormalization": true
+ },
+ "newUserExpiry": {
+ "duration": 7,
+ "durationType": "days"
+ },
+ "userPasswordResetExpiry": {
+ "duration": 1,
+ "durationType": "hours"
+ },
+ "auditing": {
+ "servers": {
+ "udp": {
+ "enabled": false,
+ "port": 5050
+ },
+ "tls": {
+ "enabled": false,
+ "port": 5051
+ },
+ "tcp": {
+ "enabled": false,
+ "port": 5052
+ }
+ },
+ "auditEvents": {
+ "interface": "internal",
+ "host": "localhost",
+ "port": 5051,
+ "auditSourceID": "OpenHIM"
+ }
+ },
+ "caching": {
+ "enabled": true,
+ "refreshMillis": 1000
+ },
+ "tlsClientLookup": {
+ "type": "strict"
+ },
+ "agenda": {
+ "startupDelay": 500
+ },
+ "certificateManagement": {
+ "watchFSForCert": true,
+ "certPath": "/etc/letsencrypt/live/$DOMAIN/fullchain.pem",
+ "keyPath": "/etc/letsencrypt/live/$DOMAIN/privkey.pem"
+ }
+}
diff --git a/conf/nginx/openhim.template b/conf/nginx/openhim.template
new file mode 100644
index 0000000..6aec1a6
--- /dev/null
+++ b/conf/nginx/openhim.template
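Review bot: `$DOMAIN` in `router.externalHostname`, `alerts.consoleURL`, `certificateManagement.certPath` and `keyPath` is never expanded — this file is bind-mounted as-is into core (`./conf/core:/usr/src/app/config` in docker-compose.yml) and the only `envsubst` in the stack substitutes `$NGINX_HOST` into the nginx template — so core will presumably look for the literal path `/etc/letsencrypt/live/$DOMAIN/fullchain.pem`, and since the core service mounts no certificate directory at all, the HTTPS API on 8080 and the healthcheck that probes it cannot come up; conf/nginx/openhim.template carries the same unexpanded `$DOMAIN` in its `ssl_certificate` lines. Either template this file like the nginx one (and mount the certificate directory into both containers) or replace the placeholders with the real hostname and say so in README step 3. Separately, nginx forwards channel traffic to the plain `httpPort` 5001, so `enableMutualTLSAuthentication: true` and `tlsClientLookup.type: "strict"` have no effect on proxied requests — client certificates are terminated at nginx and never reach core — and any channel that relies on client-certificate authentication will not work through this path; worth a comment in the README if that is intended. The placeholder `email.nodemailer.auth` and `smsGateway.config` credentials are better left out of a committed config and supplied through environment overrides. Note the mongo `url`/`atnaUrl` here point at `localhost` while docker-compose.yml sets `mongo_url`/`mongo_atnaUrl` to the `mongo` service — fine only if the environment values take precedence over this file, which I cannot confirm from the diff.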
@@ -0,0 +1,61 @@
+server {
+ listen 80 default_server;
+ server_name ${NGINX_HOST};
+ return 301 https://$host$request_uri;
+}
+server {
+ listen 443 ssl;
+ server_name ${NGINX_HOST};
+ ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
+ include mime.types;
+ default_type application/octet-stream;
+ gzip on; # Enables compression, incl Web API content-types
+ gzip_types
+ "application/json;charset=utf-8" application/json
+ "application/javascript;charset=utf-8" application/javascript text/javascript
+ "application/xml;charset=utf-8" application/xml text/xml
+ "text/css;charset=utf-8" text/css
+ "text/plain;charset=utf-8" text/plain;
+
+ # Disallow Search Engine Crawling
+ location = /robots.txt {
+ add_header Content-Type text/plain;
+ return 200 "User-agent: *\nDisallow: /\n";
+ }
+
+
+ location / {
+ proxy_pass http://console;
+ proxy_set_header Host ${NGINX_HOST};
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+
+ location /api/ {
+ proxy_pass https://core:8080/;
+ proxy_set_header Host ${NGINX_HOST};
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+
+ location /queue/ {
+ proxy_pass http://core:5001/;
+ proxy_set_header Host ${NGINX_HOST};
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+
+ location /auditing/ {
+ proxy_pass http://core:5050/;
+ proxy_set_header Host ${NGINX_HOST};
+ proxy_set_header X-Environment legacy;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ }
+
+}
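Review bot: `location /auditing/` proxies HTTP to `http://core:5050/`, but in conf/core/default.json 5050 is the `auditing.servers.udp` port and all three audit listeners are `enabled: false`, so nothing can ever answer on this route; either drop the location or point it at an audit listener that is actually enabled, and explain the `X-Environment legacy` header in a comment. This server block now terminates TLS for the whole stack, so add `add_header Strict-Transport-Security "max-age=31536000" always;` inside the 443 block to stop clients from being downgraded to the port-80 redirect on later visits. The `/api/` location speaks TLS to core with nginx's default `proxy_ssl_verify off`, which is acceptable on the private compose network but deserves a one-line comment saying so. `gzip on` compresses `application/json` API responses over TLS; if authenticated responses ever reflect request-controlled data, consider excluding the `/api/` location from compression.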
diff --git a/docker-compose.yml b/docker-compose.yml
index bcfadc2..d6061d0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,32 +3,61 @@ version: '3'
 services:
 mongo:
 container_name: openhim-mongo
- ports:
- - "27017:27017"
 image: mongo:3.4
-
+ networks:
+ - openhim-net
+ restart: always
+ volumes:
+ - "mongo-data:/data/db"
 core:
 container_name: openhim-core
 image: jembi/openhim-core
 environment:
 - mongo_url=mongodb://mongo/openhim
 - mongo_atnaUrl=mongodb://mongo/openhim
- ports:
- - "8080:8080"
- - "5000:5000"
- - "5001:5001"
- - "5050:5050"
- - "5051:5051"
- - "5052:5052"
- - "7788:7788"
 depends_on:
 - mongo
-
+ networks:
+ - openhim-net
+ volumes:
+ - ./conf/core:/usr/src/app/config
+ restart: always
+ healthcheck:
+ test: "curl -sSk https://openhim-core:8080/heartbeat || exit 1"
+ interval: 30s
+ timeout: 30s
+ retries: 3
+
 console:
 container_name: openhim-console
 image: jembi/openhim-console
- ports:
- - "9000:80"
 volumes:
- - ./default.json:/usr/share/nginx/html/config/default.json
-
\ No newline at end of file
+ - ./conf/console:/usr/share/nginx/html/config/
+ networks:
+ - openhim-net
+ restart: always
+ healthcheck:
+ test: "curl -sS http://openhim-console || exit 1"
+ interval: 30s
+ timeout: 30s
+ retries: 3
+ nginx:
+ image: nginx
+ volumes:
+ - ./conf/nginx:/etc/nginx/conf.d
+ ports:
+ - "80:80"
+ - "443:443"
+ environment:
+ - NGINX_HOST='him.s1.openimis.org'
+ command: /bin/bash -c "export NGINX_HOST && envsubst '$$NGINX_HOST' < /etc/nginx/conf.d/openhim.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
+ networks:
+ - openhim-net
+ depends_on:
+ - console
+ - core
+ restart: always
+networks:
+ openhim-net:
+volumes:
+ mongo-data:
\ No newline at end of file
From c1685e43d0343e0ffbb10d238376a8fa4e7b6f39 Mon Sep 17 00:00:00 2001
From: Patrick Delcroix
Date: Thu, 17 Feb 2022 10:37:43 +0100
Subject: [PATCH 2/2] Update openhim.template

---
 conf/nginx/openhim.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
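Review bot: `image: nginx` is unpinned, so the container that now terminates TLS and fronts every service changes silently on each pull; pin it, e.g. `image: nginx:<version>` or an `@sha256:<digest>` reference, and the same applies to the context `jembi/openhim-core` and `jembi/openhim-console` lines. The new `core` and `console` healthchecks assume `curl` is present in those images — if it is not, the containers sit permanently unhealthy and nothing in this file reacts to that, since `depends_on` in a `version: '3'` file does not wait on health. `mongo:3.4` (context) has been end-of-life since early 2020; the `mongo-data` volume is created fresh by this change, so moving to a supported release is cheapest now. `- NGINX_HOST='him.s1.openimis.org'` keeps the single quotes as part of the value (compose does not shell-parse list-form `environment` entries); nginx appears to tolerate quoted tokens in `server_name` and `proxy_set_header`, but `- NGINX_HOST=him.s1.openimis.org` is the unambiguous form and must match `host` in conf/console/default.json. Removing the published mongo and core ports so only 80/443 are reachable is the right call and worth a short comment so nobody re-adds `27017:27017` for convenience.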
diff --git a/conf/nginx/openhim.template b/conf/nginx/openhim.template
index 6aec1a6..47768ac 100644
--- a/conf/nginx/openhim.template
+++ b/conf/nginx/openhim.template
@@ -41,7 +41,7 @@ server {
 proxy_set_header X-Forwarded-Host $server_name;
 }
- location /queue/ {
+ location /channel/ {
 proxy_pass http://core:5001/;
 proxy_set_header Host ${NGINX_HOST};
 proxy_set_header X-Real-IP $remote_addr;
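Review bot: Renaming the location to `/channel/` leaves README.md step 7, added in the previous patch, pointing at `https://localhost/queue`; because `location /` proxies everything unmatched to the console, requests to the old path are silently answered by the console UI rather than failing, so the README line should change to `/channel` in the same commit. The enclosing `server` block starts and ends outside the hunk.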