Prepare for https (#47)

* Add HTTPs support * Fix acme challenge path
IEEE-NITK · Dec 13, 2023 · 6c41fbe · 6c41fbe
1 parent c271c52
commit 6c41fbe
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 2 deletions.
diff --git a/corpus/corpus/settings.py b/corpus/corpus/settings.py
@@ -167,3 +167,5 @@
 LOGIN_REDIRECT_URL = "/"
 LOGOUT_URL = ""
 LOGOUT_REDIRECT_URL = "/"
+
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -1,4 +1,6 @@
 FROM nginx:stable-alpine
 
+RUN apk --no-cache add certbot
+
 COPY default.conf /etc/nginx
 COPY default.conf /etc/nginx/conf.d
diff --git a/nginx/default.conf b/nginx/default.conf
@@ -1,11 +1,28 @@
 server {
     listen 80;
-    server_name corpus_server;
+    server_name ieee.nitk.ac.in;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name ieee.nitk.ac.in;
+
+    ssl_certificate /etc/letsencrypt/live/ieee.nitk.ac.in/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ieee.nitk.ac.in/privkey.pem;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
 
     location / {
         proxy_pass http://corpus:8000;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
         proxy_redirect off;
     }
 

diff --git a/prod-docker-compose.yml b/prod-docker-compose.yml
@@ -9,7 +9,7 @@ services:
     expose:
       - ${POSTGRES_PORT}
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready", "-U corpus"]
+      test: [ "CMD-SHELL", "pg_isready", "-U corpus" ]
       interval: 30s
       timeout: 30s
       retries: 5
@@ -57,14 +57,36 @@ services:
       - corpus_network
     ports:
       - "80:80"
+      - "443:443"
     volumes:
       - static_files:/etc/nginx/staticfiles
+      - certbot_etc:/etc/letsencrypt
+      - certbot_var:/var/lib/letsencrypt
+      - certbot_www:/var/www/certbot
     env_file:
       - .env
 
+  certbot:
+    image: certbot/certbot
+    environment:
+      - [email protected]
+      - CERTBOT_AGREE=true
+    volumes:
+      - certbot_etc:/etc/letsencrypt
+      - certbot_var:/var/lib/letsencrypt
+      - certbot_www:/var/www/certbot
+    depends_on:
+      - nginx
+    networks:
+      - corpus_network
+    command: certonly --webroot --webroot-path=/var/www/certbot -d ieee.nitk.ac.in --agree-tos --email [email protected]  --non-interactive
+
 networks:
   corpus_network:
 
 volumes:
   static_files:
   postgres_data:
+  certbot_etc:
+  certbot_var:
+  certbot_www: