DOMjudge / domjudge-packaging

DOMjudge packaging for (Linux) distributions and live image

How to deploy with HTTPS/SSL? #67

Closed penut85420 closed 3 years ago

penut85420 commented 3 years ago

I deploy domserver and judgehost separately using Docker, but when I try to put my SSL cert into the container, it just doesn't work. I use the following Dockerfile

FROM domjudge/domserver:latest
COPY default /etc/nginx/sites-enabled/
COPY default /etc/nginx/sites-available/
COPY default /home
EXPOSE 80
EXPOSE 443

and the content of default is

# Generated from 'nginx-conf.in' on Sat Jun 27 08:38:51 UTC 2020.

# nginx configuration for DOMjudge

### upstream ###
#
# always include this and make sure it points to the socket of PHP-FPM
upstream domjudge {
    server unix:/var/run/php-fpm-domjudge.sock; # if using with etc/domjudge-fpm.conf
    #server unix:/run/php/php7.0-fpm.sock; # default on ubuntu servers
}

### http host config ###
#

# server {
#   listen 80;
#   listen [::]:80;
# 
#   include /opt/domjudge/domserver/etc/nginx-conf-inner;
# }

# Alternatively, use HTTPS and redirect HTTP to HTTPS:

# server {
#   listen   80;
#   listen   [::]:80;
#   server_name _default_;
#   return 308 https://$host$request_uri;  # enforce https
# }

# Or block all cleartext HTTP requests
server {
    listen   80;
    listen   [::]:80;
    server_name _default_;
    return 426;  # do not allow plain HTTP
}

server {
    listen   443;
    listen   [::]:443;

    ssl on;
    ssl_certificate /cert/conf/live/my.domain/fullchain.pem;
    ssl_certificate_key /cert/conf/live/my.domain/privkey.pem;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    # Strict-Transport-Security is not set by default since it will break
    # installations without a valid TLS certificate. Enable it if your
    # DOMjudge installation only runs with a valid TLS certificate.
    add_header Strict-Transport-Security max-age=31556952;

    include /opt/domjudge/domserver/etc/nginx-conf-inner;
}

Then I docker exec -it domserver /bin/bash into the container, and I see the default in /home, but the default in /etc/nginx/sites-enabled/ is the original config file. I overwrite the default and reload nginx using service nginx reload, but the website I see is the default website of nginx.

What step did I miss?

penut85420 commented 3 years ago

I temporarily solved this problem by re-packing the docker image with my nginx config file, but I'm still wondering about a more flexible solution

nickygerritsen commented 3 years ago

I would highly recommend to use an nginx on the host machine as a proxy and proxy_pass to the docker container, so that you don't have to modify the container.

Would that work for you?
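
A sketch of the host-side reverse proxy suggested above, added here as an example and not taken from the thread or from the DOMjudge project. It assumes the unmodified domserver container publishes its port 80 on the host loopback at 127.0.0.1:12345 (a constructed port), and that the certificate from the question is available at the same path on the host.

```nginx
# Host nginx: terminates TLS and forwards to the unmodified domserver container.
# Assumption: the container was started with its HTTP port bound to loopback only,
# e.g. `docker run -p 127.0.0.1:12345:80 ...`, so it is not reachable in cleartext
# from other machines.

# Redirect cleartext HTTP to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name my.domain;
    return 308 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name my.domain;

    # Certificate paths reuse the ones from the question (assumed to exist on the host).
    ssl_certificate     /cert/conf/live/my.domain/fullchain.pem;
    ssl_certificate_key /cert/conf/live/my.domain/privkey.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 5m;

    # Enable HSTS only once the site always runs with a valid certificate.
    add_header Strict-Transport-Security "max-age=31556952" always;

    # Upload size limit for submissions and test data (value is an assumption).
    client_max_body_size 256m;

    location / {
        proxy_pass http://127.0.0.1:12345;

        # Pass the original host, client address and scheme to the application.
        # The application must be set up to trust these headers from this proxy only.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the file with `nginx -t` on the host before reloading.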

penut85420 commented 3 years ago

Thanks! I am not really familiar with these things actually, I'll try it.