From ea8662a4e17cc87920d791531ec7fe696f76684b Mon Sep 17 00:00:00 2001 From: starbirdtech383 Date: Fri, 26 Jan 2024 15:26:51 +0530 Subject: [PATCH] full-install: add letsencrypt cert gen script --- docker-compose/full-install/.env | 3 +- docker-compose/full-install/advanced.md | 23 +++++++++++ .../full-install/bin/nginx_start.sh | 2 +- .../full-install/docker-compose.yml | 10 ++++- .../conf-templates/certbot_conf.template | 15 +++++++ .../ssl_server_name_conf.template | 41 +++++++++++++++++++ .../full-install/nginx/conf.d/default.conf | 5 --- .../full-install/nginx/conf/nginx.conf | 3 +- docker-compose/full-install/prepare_env.sh | 6 +-- .../full-install/sbin/gen_letsencrypt_cert.sh | 32 +++++++++++++++ .../full-install/sbin/install_vars.sh | 6 ++- docker-compose/full-install/security.md | 1 + 12 files changed, 134 insertions(+), 13 deletions(-) create mode 100644 docker-compose/full-install/advanced.md create mode 100644 docker-compose/full-install/nginx/conf-templates/certbot_conf.template create mode 100644 docker-compose/full-install/nginx/conf-templates/ssl_server_name_conf.template create mode 100755 docker-compose/full-install/sbin/gen_letsencrypt_cert.sh create mode 100644 docker-compose/full-install/security.md diff --git a/docker-compose/full-install/.env b/docker-compose/full-install/.env index 1123d935eb..e992e1f60e 100644 --- a/docker-compose/full-install/.env +++ b/docker-compose/full-install/.env @@ -1 +1,2 @@ -NC_INSTALL_ROOT=./ \ No newline at end of file +NC_INSTALL_ROOT=./ +NO_COLOR=NEST_JS_LOG_MESSAGE_NO_COLOR_SET_NON_NULL_VALUE \ No newline at end of file diff --git a/docker-compose/full-install/advanced.md b/docker-compose/full-install/advanced.md new file mode 100644 index 0000000000..f6cd5120dd --- /dev/null +++ b/docker-compose/full-install/advanced.md 
@@ -0,0 +1,23 @@ +# Advanced operations + + +## Restarting containers + +## Upgrade nocodb instance + +## Enable SSL +In order to enable SSL for incoming https requests, you will need to have certs which is +private-key public-key pair +### letsencrypt for generating certificates +### Bring your own certificates +### self signed certificates + +## Database pasword rotation + +## nginx configurations + +## Add Node + +## Minio integration for resources + +## Enable scheduled backups to run nightly on all your instances. \ No newline at end of file diff --git a/docker-compose/full-install/bin/nginx_start.sh b/docker-compose/full-install/bin/nginx_start.sh index fda4984120..24b2292837 100755 --- a/docker-compose/full-install/bin/nginx_start.sh +++ b/docker-compose/full-install/bin/nginx_start.sh @@ -5,7 +5,7 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) COMPONENT_DIR=${SCRIPT_DIR}/../ -cd ${COMPONENT_DIR}/docker +cd ${COMPONENT_DIR} mkdir -p ${COMPONENT_DIR}/data chmod -R 777 ${COMPONENT_DIR}/data docker-compose restart nginx diff --git a/docker-compose/full-install/docker-compose.yml b/docker-compose/full-install/docker-compose.yml index d266ec4007..5ba5593488 100644 --- a/docker-compose/full-install/docker-compose.yml +++ b/docker-compose/full-install/docker-compose.yml 
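Review bot: The changed `cd ${COMPONENT_DIR}` is unquoted and its status is not checked, so if the directory is missing (or contains whitespace) the script keeps going and `docker-compose restart nginx` runs against whatever compose project happens to be in the caller's current directory; `cd "${COMPONENT_DIR}" || exit 1` closes that. The `chmod -R 777 ${COMPONENT_DIR}/data` that follows is context rather than new code, but now that gen_letsencrypt_cert.sh invokes this script the data directory is made world-writable on every start; a narrower mode or an owner matching the container's user is the defensive choice. The script's header is outside the hunk.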
@@ -72,9 +72,12 @@ services: - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nc_properties.env volumes: - ${NC_INSTALL_ROOT:-/opt/nocodb}/nginx/conf.d:/etc/nginx/conf.d:ro + - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/conf.d:/etc/nginx/custom-conf.d:ro - ${NC_INSTALL_ROOT:-/opt/nocodb}/nginx/conf:/opt/nocohub/nginx/conf - ${NC_INSTALL_ROOT:-/opt/nocodb}/nginx/conf/nginx.conf:/etc/nginx/nginx.conf:ro - ${NC_INSTALL_ROOT:-/opt/nocodb}/data/nginx:/opt/nocohub/nginx/data + - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/certbot/www:/var/www/certbot/:ro + - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/certbot/conf/:/etc/nginx/ssl/:ro # - ../nginx/conf/ssl:/etc/nginx/ssl/:ro expose: - "80" @@ -88,4 +91,9 @@ services: resources: limits: cpus: '1' - memory: 1000M + memory: 1000M + certbot: + image: certbot/certbot:latest + volumes: + - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/certbot/www:/var/www/certbot/:rw + - ${NC_INSTALL_ROOT:-/opt/nocodb}/conf/nginx/certbot/conf/:/etc/letsencrypt/:rw diff --git a/docker-compose/full-install/nginx/conf-templates/certbot_conf.template b/docker-compose/full-install/nginx/conf-templates/certbot_conf.template new file mode 100644 index 0000000000..63b8609c96 --- /dev/null +++ b/docker-compose/full-install/nginx/conf-templates/certbot_conf.template @@ -0,0 +1,15 @@ +server { + listen 80; + listen [::]:80; + + # chantge server_name while generating cert + server_name ; + + #access_log /var/log/nginx/host.access.log main; + + # this is required for cert generation. + # change server_name as well with cname of required cert + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } +} \ No newline at end of file diff --git a/docker-compose/full-install/nginx/conf-templates/ssl_server_name_conf.template b/docker-compose/full-install/nginx/conf-templates/ssl_server_name_conf.template new file mode 100644 index 0000000000..9caa19d950 --- /dev/null +++ b/docker-compose/full-install/nginx/conf-templates/ssl_server_name_conf.template 
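Review bot: The new `certbot` service is unpinned (`image: certbot/certbot:latest`) and has no `command`, so a plain `docker-compose up` presumably starts it with the image's default entrypoint and it exits, while its only real use is the `docker-compose run --rm certbot certonly …` in gen_letsencrypt_cert.sh; pinning a tag or digest, as this repo already does for `postgres:14.7`, keeps the ACME client reproducible, e.g. `image: certbot/certbot:<PINNED_VERSION>`. Note also that `conf/nginx/certbot/conf/` is the whole `/etc/letsencrypt` tree and is mounted into nginx at `/etc/nginx/ssl/`, so nginx can read not only `live/<name>/privkey.pem` but the ACME account key under `accounts/` as well; mounting only `live/` and `archive/` would be tighter. Nothing in this change renews an issued certificate (no `certbot renew` invocation or timer), so certificates lapse unless the operator reruns the script.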
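Review bot: `server_name ;` is empty as the hunk renders here, and the script that consumes this template (`sed "s,,${SERVER_NAME},g"` in gen_letsencrypt_cert.sh) likewise has an empty search pattern, so either a placeholder token was lost in rendering or the substitution cannot work; a distinctive literal such as `__SERVER_NAME__` in both the template and the sed expression removes the ambiguity. The comment `# chantge server_name while generating cert` has a typo; `# change server_name while generating cert`.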
@@ -0,0 +1,41 @@ +server { + listen 80; + listen [::]:80 ; + listen 443 default_server ssl; + listen [::]:443 ssl ; + # chantge server_name while generating cert + server_name ; + + # force https-redirects + if ($scheme = http) { + return 301 https://$server_name$request_uri; + } + + ssl_certificate /etc/nginx/ssl/live//fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/live//privkey.pem; + + #access_log /var/log/nginx/host.access.log main; + location / { + include /etc/nginx/mime.types; + root /opt/nocohub/nginx/data//; + index index.html index.htm; + auth_basic "Restricted Access"; + auth_basic_user_file /opt/nocohub/nginx/conf/.htpasswd; + } + + location /proxy { + proxy_pass http://nocohub-001:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + + auth_basic "Restricted Access"; + auth_basic_user_file /opt/nocohub/nginx/conf/.htpasswd; + } + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + location ~ /\.ht { + deny all; + } +} \ No newline at end of file diff --git a/docker-compose/full-install/nginx/conf.d/default.conf b/docker-compose/full-install/nginx/conf.d/default.conf index 992b1cbc81..f9a78f3a6c 100644 --- a/docker-compose/full-install/nginx/conf.d/default.conf +++ b/docker-compose/full-install/nginx/conf.d/default.conf @@ -3,11 +3,6 @@ server { listen 80; listen [::]:80; server_name localhost; - # server_name my.nocodb.com; - # listen 443 default_server ssl; - # listen [::]:443 ssl ; - # ssl_certificate /etc/nginx/ssl/live/status.nocodb.com/fullchain.pem; - # ssl_certificate_key /etc/nginx/ssl/live/status.nocodb.com/privkey.pem; location / { proxy_pass http://nocodb_backend; diff --git a/docker-compose/full-install/nginx/conf/nginx.conf b/docker-compose/full-install/nginx/conf/nginx.conf index 2809470ffb..f6a3a2da04 100644 --- a/docker-compose/full-install/nginx/conf/nginx.conf +++ b/docker-compose/full-install/nginx/conf/nginx.conf 
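Review bot: The server-level `if ($scheme = http) { return 301 https://$server_name$request_uri; }` runs before location matching and this block defines no `/.well-known/acme-challenge/` location, so once this file answers port 80 for the name an HTTP-01 validation request is redirected to HTTPS and lands in the basic-auth-protected `location /`, which would make a webroot `certbot renew` fail; whether that happens depends on which of the two blocks sharing the name on :80 (this one and the generated certbot.conf) nginx selects. Splitting into a plain :80 server that serves the challenge and redirects everything else, plus a :443 server, makes the behaviour deterministic. `listen 443 default_server ssl` is also emitted per generated file, so running the script for a second host name yields two `default_server` declarations on :443, which nginx rejects; drop `default_server` from the template. The placeholder positions (`server_name ;`, `live//fullchain.pem`, `data//`) render empty here, so the token the sed substitution targets is not visible to me; `__SERVER_NAME__` below is a constructed stand-in.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name __SERVER_NAME__;

    # keep the ACME webroot reachable over plain http for issuance and renewal
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name __SERVER_NAME__;

    ssl_certificate /etc/nginx/ssl/live/__SERVER_NAME__/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/__SERVER_NAME__/privkey.pem;

    # … unchanged: location /, location /proxy, location ~ /\.ht …
}
```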
@@ -4,4 +4,5 @@ events { http { include /etc/nginx/conf.d/*.conf; - } \ No newline at end of file + include /etc/nginx/custom-conf.d/*.conf; +} \ No newline at end of file diff --git a/docker-compose/full-install/prepare_env.sh b/docker-compose/full-install/prepare_env.sh index d8b51e9c48..d725642b0c 100755 --- a/docker-compose/full-install/prepare_env.sh +++ b/docker-compose/full-install/prepare_env.sh @@ -4,6 +4,9 @@ # -- main line code starts here -- SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +source ${SCRIPT_DIR}/sbin/util.sh +source ${SCRIPT_DIR}/sbin/install_vars.sh + ENV_FILE=${SCRIPT_DIR}/conf/nc_properties.env bkp_file=${ENV_FILE}-$(date +%s).bak # Source existing nc_envs.env file to get current values @@ -13,9 +16,6 @@ if [ -f ${ENV_FILE} ]; then cp ${ENV_FILE} ${bkp_file} fi -# Array of properties with default values -properties=("NC_INSTALL_ROOT=${SCRIPT_DIR}" "MINIO_ROOT_USER=minioadmin" "MINIO_ROOT_PASSWORD=minioadmin" "POSTGRES_USER=postgres" "POSTGRES_PASSWORD=test123" "POSTGRES_DB=nocodb" "NC_REDIS_URL=redis://redis:6379/4" 'NC_DB=pg://postgres:5432?u=postgres&password=${POSTGRES_PASSWORD:-nocodb}&d=postgres' "NO_COLOR=NEST_JS_LOG_MESSAGE_NO_COLOR_SET_NON_NULL_VALUE" "LOKI_ENDPOINT=http://localhost:3100") - echo "Update or confirm the values to be set" # Iterate over the properties array and prompt user for input for prop in "${properties[@]}"; do diff --git a/docker-compose/full-install/sbin/gen_letsencrypt_cert.sh b/docker-compose/full-install/sbin/gen_letsencrypt_cert.sh new file mode 100755 index 0000000000..5959cd8cac --- /dev/null +++ b/docker-compose/full-install/sbin/gen_letsencrypt_cert.sh 
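Review bot: The two new `source ${SCRIPT_DIR}/sbin/util.sh` / `source ${SCRIPT_DIR}/sbin/install_vars.sh` lines are unquoted and unchecked, so if either file is missing the script continues, `properties` stays unset, and the `for prop in "${properties[@]}"` loop in the second hunk presumably prompts for nothing and writes an env file without the database settings. Use `source "${SCRIPT_DIR}/sbin/install_vars.sh" || { echo "missing sbin/install_vars.sh" >&2; exit 1; }` (and the same for util.sh). The array removed from this file carried `NC_INSTALL_ROOT`, `MINIO_ROOT_USER`, `MINIO_ROOT_PASSWORD`, `NO_COLOR` and `LOKI_ENDPOINT`, while the replacement in sbin/install_vars.sh keeps only the Postgres and Redis entries, so those values are no longer prompted for; if that is intended it deserves a comment where the array now lives. The script's main line continues outside both hunks.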
@@ -0,0 +1,32 @@
+#!/bin/bash
+# expects nginx to be up and running with conf.d/certbot.conf
+# dns to be mapped to the machine where cert is generated
+#
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+SERVER_NAME=${1}
+if [[ -z "$SERVER_NAME" ]]
+then
+ echo "required argument servername"
+ echo "usage ex: ./gen_certs my.nocodb.com"
+ exit 1
+fi
+
+echo "Creating configs for SERVER_NAME: ${SERVER_NAME}"
+cd ${SCRIPT_DIR}/../conf/nginx/conf.d
+sed "s,,${SERVER_NAME},g" ${SCRIPT_DIR}/../nginx/conf-templates/certbot_conf.template > certbot.conf
+
+cd ${SCRIPT_DIR}/../bin
+./nginx_start.sh
+./nginx_reload.sh
+
+echo "Triggering certbot to create ssl configs: ${SERVER_NAME}"
+cd ${SCRIPT_DIR}/..
+docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d ${SERVER_NAME}
+
+
+echo "Now reload nginx with new ssl configs for your site : ${SERVER_NAME}"
+cd ${SCRIPT_DIR}/../conf/nginx/conf.d
+sed "s,,${SERVER_NAME},g" ${SCRIPT_DIR}/../nginx/conf-templates/ssl_server_name_conf.template > ${SERVER_NAME}.conf
+${SCRIPT_DIR}/../bin/nginx_reload.sh
diff --git a/docker-compose/full-install/sbin/install_vars.sh b/docker-compose/full-install/sbin/install_vars.sh
index a4709b286f..17135fefb7 100644
--- a/docker-compose/full-install/sbin/install_vars.sh
+++ b/docker-compose/full-install/sbin/install_vars.sh
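Review bot: `SERVER_NAME` comes from argv and, after only an emptiness check, is spliced unescaped into two `sed` expressions and used as the output filename `${SERVER_NAME}.conf` inside conf.d, so a value containing `/`, `..`, `,` or shell metacharacters corrupts the generated nginx config or writes it outside the intended directory; validate it as a host name before use. The script sets no `set -e` and checks none of its `cd` or `docker-compose run` exit statuses, so when certbot fails the ssl config is still written pointing at a non-existent `live/<name>/` certificate and nginx is reloaded against it. As rendered here both sed expressions read `s,,${SERVER_NAME},g` with an empty search pattern and the templates' `server_name ;` is likewise empty; if a placeholder token was lost in rendering this is moot, otherwise the substitution is a no-op. The generated `certbot.conf` is never removed after issuance, so it and `${SERVER_NAME}.conf` both declare the same `server_name` on port 80 and nginx will keep only one of them. There is no renewal step for the issued certificate.

```shell
set -euo pipefail

SERVER_NAME=${1:-}
if [[ -z "$SERVER_NAME" ]]; then
  echo "required argument servername" >&2
  echo "usage ex: ./gen_certs my.nocodb.com" >&2
  exit 1
fi
# Accept only a plain host name: no path separators, sed delimiters or shell metacharacters.
if [[ ! "$SERVER_NAME" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$ ]]; then
  echo "invalid servername: ${SERVER_NAME}" >&2
  exit 1
fi

# … unchanged: write certbot.conf from the template, start/reload nginx …

cd "${SCRIPT_DIR}/.."
if ! docker-compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d "${SERVER_NAME}"; then
  echo "certbot failed for ${SERVER_NAME}; not installing ssl config" >&2
  exit 1
fi

# … unchanged: write ${SERVER_NAME}.conf from the template and reload nginx …
```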
@@ -1,3 +1,7 @@
 nocodb_install_version="1.0.0" # Replace with actual version
 REQUIRED_PORTS=(80 443)
-DOCKER_IMAGES=("redis:latest" "postgres:14.7" "nocodb/nocodb:latest" "nginx")
\ No newline at end of file
+DOCKER_IMAGES=("redis:latest" "postgres:14.7" "nocodb/nocodb:latest" "nginx" "certbot/certbot:latest" )
+
+# Array of properties with default values
+properties=( "POSTGRES_USER=postgres" "POSTGRES_PASSWORD=test123" "POSTGRES_DB=nocodb" "NC_REDIS_URL=redis://redis:6379/4" 'NC_DB=pg://postgres:5432?u=postgres&password=${POSTGRES_PASSWORD:-nocodb}&d=postgres' )
+# "NC_INSTALL_ROOT=${SCRIPT_DIR}" "MINIO_ROOT_USER=minioadmin" "MINIO_ROOT_PASSWORD=minioadmin"
\ No newline at end of file
diff --git a/docker-compose/full-install/security.md b/docker-compose/full-install/security.md
new file mode 100644
index 0000000000..2afe829dfb
--- /dev/null
+++ b/docker-compose/full-install/security.md
@@ -0,0 +1 @@
+Security
\ No newline at end of file
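Review bot: The relocated `properties` array still offers `POSTGRES_PASSWORD=test123` as the value prepare_env.sh presents at its "Update or confirm" prompt, so an install that accepts defaults ends up with a well-known database password; generating the default at prompt time, e.g. `"POSTGRES_PASSWORD=$(openssl rand -hex 16)"`, or leaving it empty and requiring input, is the safer shape. Relative to the array this commit removes from prepare_env.sh, the new one drops `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD` (left in the trailing comment) and `NO_COLOR`/`LOKI_ENDPOINT` without a comment saying what now supplies them; `NO_COLOR` appears to have moved to `.env`, the others I cannot trace in this diff. The added `DOCKER_IMAGES` entry `"certbot/certbot:latest"` matches the compose file but, like the other `:latest` entries, is unpinned.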