Updated example Docker & .env files

gwu-libraries · Jul 22, 2024 · c6ffd1a · c6ffd1a
1 parent 92cae79
commit c6ffd1a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 27 deletions.
diff --git a/README.md b/README.md
@@ -9,7 +9,11 @@ ORCID middleware to enable our researchers to designate GW as a trusted partner
 3. Copy the example Flask configuration file and edit it to provide sensitive keys, including the SERVER_KEY, ORCID client ID and ORCID client secret. The `SERVER_KEY` should be the key used to encrypt the Flask session objects, as described [here](https://flask.palletsprojects.com/en/2.2.x/config/).
  `cp example.config.py config.py`
 4. Copy `example.docker-compose.yml` to `docker-compose.yml` and `example.env` to `.env`. 
-5. Bring up the Docker container(s): `docker-compose up -d`. This will install all necessary dependencies and launch the Flask app with gunicorn on port `8080`. For development, comment out the first three lines under the `volumes` section of the `flask-app` service and uncomment the line `.:/opt/orcid_integration`. This will use the local copy of the Python code.
+5. Add the hostname of your server to the `VIRTUAL_HOST` environment variable in `.env`.
+  - If using SSL, see the additional instructions below for configuring the Nginx Docker container.
+  - If not using SSL, comment out the volume mapping in the `docker-compose.yml` file under the `nginx-proxy` service. 
+6. Bring up the Docker container(s): `docker-compose up -d`. This will install all necessary dependencies and launch the Flask app with gunicorn on port `8080`, and it will start an Nginx server to proxy port `8080` to `80`/`443`.
+  - For development, comment out the first three lines under the `volumes` section of the `flask-app` service and uncomment the line `.:/opt/orcid_integration`. This will use the local copy of the Python code.
 6. When the Flask app starts up, it will check for the presence of a database encryption key file (as specified in `example.env`). If the file is not present, it will create a new database encryption key. **Be careful with this key.** Once the data has been encrypted using it, the key is necessary to decrypt the data again. Loss of the key means loss of the data.
 7. The postgres container will store data outside of the container, in the `./data` directory.
     - When first run, postgres will set the permissions on this directory to a system user.
@@ -23,33 +27,15 @@ ORCID middleware to enable our researchers to designate GW as a trusted partner
     python generate_saml_metadata.py
     ```
     The SAML metadata file should be written to the `orcidflask/saml` directory (bind-mounted outside the container).
-9. For SSL, use gunicorn with nginx:
+
+### SSL with Nginx proxy
+
     1. Create SSL key and cert (either self-signed or using a certificate authority)
-    2. Install nginx: `sudo apt-get install nginx`
-    3. Remove the defaul SSL configuration: 
-         `cd /etc/nginx/sites-enabled`
-        `sudo rm default`
-    4. Create a new nginx configuration to proxy to the Flask app as follows:
-            ```
-            server {
-                listen 80;
-                listen [::]:80;
-                server_name gworcid-dev.wrlc.org;
-                return 302 https://$server_name$request_uri;
-             }
-            server {
-                listen 443 ssl;
-                listen [::]:443 ssl;
-                ssl_certificate /etc/ssl/certs/server.crt;
-                ssl_certificate_key /etc/ssl/private/server.key;
-                location / {
-                    proxy_set_header X-Real-IP $remote_addr;
-                    proxy_set_header HOST $http_host;
-                    proxy_pass http://127.0.0.1:8080;
-                    proxy_redirect off;
-                 }
-            }```
-10. To quickly serialize the database as a JSON file, you can run the following command (if outside the container), providing the path to a file in a mounted volume:
+    2. Follow the name conventions in the [nginx-proxy documentation](https://github.com/nginx-proxy/nginx-proxy/tree/main/docs#ssl-support), ensuring that the key and certificate files are placed in the same directory, which should be mapped to the `/etc/nginx/certs` directory in the `docker-compose.yml` file.
+
+### Serializing the database
+
+To quickly serialize the database as a JSON file, you can run the following command (if outside the container), providing the path to a file in a mounted volume:
     ```
     docker exec -it orcid-integration_flask-app_1 flask serialize-db ./data/token-dump.json
     ```
diff --git a/example.docker-compose.yml b/example.docker-compose.yml
@@ -29,3 +29,17 @@ services:
       - ./config.py:/opt/orcid_integration/config.py
       - ./orcidflask/db:/opt/orcid_integration/orcidflask/db
       #- .:/opt/orcid_integration
+    restart: always
+  nginx-proxy:
+    image: nginxproxy/nginx-proxy:1.5
+    environment:
+      - LOG_JSON=true
+    ports:
+      - "443:443"
+      - "80:80"
+    volumes:
+      - /var/run/docker.sock:/tmp/docker.sock:ro
+      # Note that the nginxproxy image require cert & key to reside in the same directory
+      # And to follow certain naming conventions
+      - /etc/ssl/certs:/etc/nginx/certs
+    restart: always
diff --git a/example.env b/example.env
@@ -6,3 +6,4 @@ POSTGRES_PORT=5432
 DB_ENCRYPTION_FILE=/opt/orcid_integration/orcidflask/db/db-encrypt.key
 # Values are sandbox or prod
 ORCID_SERVER=sandbox
+VIRTUAL_HOST=