jembi · delcroip · Dec 1, 2021 · Feb 17, 2022
diff --git a/README.md b/README.md
@@ -4,8 +4,15 @@
 
 2. Spin up the OpenHIM core and console easily with docker compose:
 
+3. Generate the cert files and update the cert files path in conf/nginx/openhim.template  
+
+4. start the compose
 ```
 docker-compose build && docker-compose up -d
 ```
 
-3. Access on localhost:9000 or at <your_server>:9000
+5. Access on https://localhost or at https://<your_server>
+
+6. Access API on https://localhost/api or at https://<your_server>/api
+
+7. Send traffic to mediator https://localhost/queue or at https://<your_server>/queue
diff --git a/conf/console/default.json b/conf/console/default.json
@@ -0,0 +1,14 @@
+{
+  "version": "1.10.0",
+  "minimumCoreVersion": "3.4.0",
+  "protocol": "https",
+  "host": "him.s1.openimis.org",
+  "hostPath":"api",
+  "port": 443,
+  "title": "Admin Console",
+  "footerTitle": "OpenHIM Administration Console",
+  "footerPoweredBy": "<a href='http://openhim.org/' target='_blank'>Powered by OpenHIM</a>",
+  "loginBanner": "",
+  "mediatorLastHeartbeatWarningSeconds": 60,
+  "mediatorLastHeartbeatDangerSeconds": 120
+}
diff --git a/conf/core/default.json b/conf/core/default.json
@@ -0,0 +1,154 @@
+
+{
+  "bindAddress": "0.0.0.0",
+  "mongo": {
+    "url": "mongodb://localhost/openhim-development",
+    "atnaUrl": "mongodb://localhost/openhim-development",
+    "connectionOptions": {},
+    "openHIMApiReadPreference": "primaryPreferred",
+    "openHIMApiWriteConcern": 1,
+    "openHIMApiReadConcern": "local"
+  },
+  "logger": {
+    "level": "info",
+    "logToDB": true,
+    "capDBLogs": true,
+    "capSize": 10000000
+  },
+  "mongoLogger": {
+    "options": {
+      "w": 0,
+      "useNewUrlParser": true
+    }
+  },
+  "router": {
+    "externalHostname": "$DOMAIN",
+    "httpPort": 5001,
+    "httpsPort": 5000,
+    "timeout": 60000
+  },
+  "bodyCull":{
+    "enabled":true,
+    "pollPeriodMins": 60
+  },
+  "api": {
+    "enabled": true,
+    "protocol": "https",
+    "port": 8080,
+    "authWindowSeconds": 10,
+    "maxBodiesSizeMB": 15,
+    "maxPayloadSizeMB": 50,
+    "truncateSize": 15000,
+    "truncateAppend": "\n[truncated ...]",
+    "authenticationTypes": ["token"]
+  },
+  "rerun": {
+    "httpPort": 7786,
+    "host": "localhost",
+    "processor": {
+      "enabled": true,
+      "pollPeriodMillis": 2000
+    }
+  },
+  "tcpAdapter": {
+    "httpReceiver": {
+      "httpPort": 7787,
+      "host": "localhost"
+    }
+  },
+  "polling": {
+    "enabled": true,
+    "pollingPort": 7788,
+    "host": "localhost"
+  },
+  "authentication": {
+    "enableMutualTLSAuthentication": true,
+    "enableBasicAuthentication": true,
+    "enableCustomTokenAuthentication": false,
+    "enableJWTAuthentication": false,
+    "jwt": {
+      "secretOrPublicKey": "",
+      "algorithms": "",
+      "audience": "",
+      "issuer": ""
+    }
+  },
+  "email": {
+    "fromAddress": "address@example.com",
+    "nodemailer": {
+      "service": "Gmail",
+      "auth": {
+        "user": "user@gmail.com",
+        "pass": "password"
+      }
+    }
+  },
+  "smsGateway": {
+    "provider": "clickatell",
+    "config": {
+      "user": "user",
+      "pass": "pass",
+      "apiID": "apiID"
+    }
+  },
+  "alerts": {
+    "enableAlerts": true,
+    "pollPeriodMinutes": 1,
+    "himInstance": "Local OpenHIM",
+    "consoleURL": "https://$DOMAIN"
+  },
+  "reports": {
+    "enableReports": true,
+    "dailyReportAt": "0 7 * * *",
+    "weeklyReportAt": "0 7 * * 1",
+    "utcOffset": null
+  },
+  "events": {
+    "enableTSNormalization": true
+  },
+  "newUserExpiry": {
+    "duration": 7,
+    "durationType": "days"
+  },
+  "userPasswordResetExpiry": {
+    "duration": 1,
+    "durationType": "hours"
+  },
+  "auditing": {
+    "servers": {
+      "udp": {
+        "enabled": false,
+        "port": 5050
+      },
+      "tls": {
+        "enabled": false,
+        "port": 5051
+      },
+      "tcp": {
+        "enabled": false,
+        "port": 5052
+      }
+    },
+    "auditEvents": {
+      "interface": "internal",
+      "host": "localhost",
+      "port": 5051,
+      "auditSourceID": "OpenHIM"
+    }
+  },
+  "caching": {
+    "enabled": true,
+    "refreshMillis": 1000
+  },
+  "tlsClientLookup": {
+    "type": "strict"
+  },
+  "agenda": {
+    "startupDelay": 500
+  },
+  "certificateManagement": {
+    "watchFSForCert": true,
+    "certPath": "/etc/letsencrypt/live/$DOMAIN/fullchain.pem",
+    "keyPath": "/etc/letsencrypt/live/$DOMAIN/privkey.pem"
+  }
+}
diff --git a/conf/nginx/openhim.template b/conf/nginx/openhim.template
@@ -0,0 +1,61 @@
+server {
+        listen 80 default_server;
+        server_name ${NGINX_HOST};
+        return 301 https://$host$request_uri;
+}
+server {
+        listen       443 ssl;
+        server_name ${NGINX_HOST};
+        ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
+		include       mime.types;
+		default_type  application/octet-stream;
+		gzip on; # Enables compression, incl Web API content-types
+		gzip_types
+			"application/json;charset=utf-8" application/json
+			"application/javascript;charset=utf-8" application/javascript text/javascript
+			"application/xml;charset=utf-8" application/xml text/xml
+			"text/css;charset=utf-8" text/css
+			"text/plain;charset=utf-8" text/plain;
+
+		# Disallow Search Engine Crawling
+		location = /robots.txt {
+		  add_header  Content-Type  text/plain;
+		  return 200 "User-agent: *\nDisallow: /\n";
+		}
+
+
+        location / {
+                proxy_pass http://console;
+                proxy_set_header   Host ${NGINX_HOST};
+                proxy_set_header   X-Real-IP $remote_addr;
+                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header   X-Forwarded-Host $server_name;
+        }
+
+        location /api/ {
+                proxy_pass https://core:8080/;
+                proxy_set_header   Host ${NGINX_HOST};
+                proxy_set_header   X-Real-IP $remote_addr;
+                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header   X-Forwarded-Host $server_name;
+        }
+
+        location /channel/ {
+                proxy_pass http://core:5001/;
+                proxy_set_header   Host ${NGINX_HOST};
+                proxy_set_header   X-Real-IP $remote_addr;
+                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header   X-Forwarded-Host $server_name;
+        }
+
+        location /auditing/ {
+                proxy_pass http://core:5050/;
+                proxy_set_header   Host ${NGINX_HOST};
+                proxy_set_header   X-Environment legacy;
+                proxy_set_header   X-Real-IP $remote_addr;
+                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header   X-Forwarded-Host $host;
+        }
+
+}
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -3,32 +3,61 @@ version: '3'
 services:
   mongo:
     container_name: openhim-mongo
-    ports:
-      - "27017:27017"
     image: mongo:3.4
-
+    networks:
+      - openhim-net
+    restart: always
+    volumes:
+      - "mongo-data:/data/db"
   core:
     container_name: openhim-core
     image: jembi/openhim-core
     environment:
       - mongo_url=mongodb://mongo/openhim
       - mongo_atnaUrl=mongodb://mongo/openhim
-    ports:
-      - "8080:8080"
-      - "5000:5000"
-      - "5001:5001"
-      - "5050:5050"
-      - "5051:5051"
-      - "5052:5052"
-      - "7788:7788"
     depends_on:
       - mongo
-
+    networks:
+      - openhim-net
+    volumes:
+      - ./conf/core:/usr/src/app/config
+    restart: always
+    healthcheck:
+      test: "curl -sSk https://openhim-core:8080/heartbeat || exit 1"
+      interval: 30s
+      timeout: 30s
+      retries: 3
+
   console:
     container_name: openhim-console
     image: jembi/openhim-console
-    ports:
-        - "9000:80"
     volumes:
-      - ./default.json:/usr/share/nginx/html/config/default.json
-
+      - ./conf/console:/usr/share/nginx/html/config/
+    networks:
+      - openhim-net
+    restart: always
+    healthcheck:
+      test: "curl -sS http://openhim-console || exit 1"
+      interval: 30s
+      timeout: 30s
+      retries: 3
+  nginx:
+    image: nginx
+    volumes:
+      - ./conf/nginx:/etc/nginx/conf.d
+    ports:
+      - "80:80"
+      - "443:443"
+    environment:
+      - NGINX_HOST='him.s1.openimis.org'
+    command: /bin/bash -c "export NGINX_HOST &&  envsubst  '$$NGINX_HOST' < /etc/nginx/conf.d/openhim.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
+    networks:
+      - openhim-net
+    depends_on:
+      - console
+      - core
+    restart: always
+networks:
+  openhim-net:
+volumes:
+  mongo-data: