geosolutions-it / C195-azure-workspace


Add https rev proxy #11

Closed etj closed 3 years ago

etj commented 3 years ago

At the moment the access is on port 5000 exposed by CKAN.

Allow only access to 80 (or 443).

lpasquali commented 3 years ago

@simboss @etj @randomorder

As Simone asked, I am presenting the result of the investigation. I limited the research to two solutions:

Solution 1 Addition to existing docker-compose of an nginx+letsencrypt proxy

With this addition to here and some more additions to the provisioning script I made for provisioning the nginx configuration:

  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - URL=${CKAN_SITE_URL}
      - SUBDOMAINS=www,
      - VALIDATION=http
      - EMAIL=admin@${CKAN_SITE_URL} #optional
      - ONLY_SUBDOMAINS=false #optional
      - EXTRA_DOMAINS= #optional
      - STAGING=false #optional
    volumes:
      - $HOME/nginx/config:/config
    ports:
      - 443:443
      - 80:80 #optional
    restart: unless-stopped

I could start http and https on the ckan-vm using everything that comes with it (fqdn, public address). This should not take long, and I could probably do it in a couple of hours.

Solution 2 Azure application Gateway

This solution would use a managed service, but even if managed, more effort would be needed than managing a few bash scripts and the docker composition as in Solution 1. Also, this solution comes with no https by default, which must be handled and automated. It would probably require one day to be implemented: https://docs.microsoft.com/en-us/azure/application-gateway/overview

Considering the costs of 1 (almost none, as the vm is already up for ckan) and the time needed to produce a good implementation of 2, I'd endorse Solution 1.
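An added example, not part of the original thread or the project's code: a check that a compose file publishes only ports 80 and 443 beyond loopback, which is what the issue asks for. The `ckan` and `solr` services in the sample are constructed, and the scanner assumes the two-space, short-syntax layout of the snippet above.

```python
import re

ALLOWED = {80, 443}               # host ports the issue wants reachable
LOOPBACK = {"127.0.0.1", "::1"}   # bindings that are not exposed externally

# Constructed sample, not the project's real file: the swag ports from the
# comment above plus hypothetical ckan and solr services.
SAMPLE = """\
services:
  ckan:
    ports:
      - "5000:5000"
  solr:
    ports:
      - "127.0.0.1:8983:8983"
  swag:
    image: ghcr.io/linuxserver/swag
    ports:
      - 443:443
      - 80:80 #optional
"""

def host_binding(entry):
    """Return (host_ip, host_port) for a short-syntax entry; port is None if ephemeral."""
    spec = entry.split("/")[0]            # drop a /tcp or /udp suffix
    parts = spec.rsplit(":", 2)           # [ip,] host_port, container_port
    if len(parts) == 1:
        return "0.0.0.0", None            # container port only: random host port
    ip = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
    return ip, parts[-2]

def audit(compose_text, allowed=ALLOWED):
    """List (service, entry) pairs published beyond loopback on a port not in allowed."""
    findings, service, in_ports = [], None, False
    for line in compose_text.splitlines():
        line = line.split(" #")[0].rstrip()               # strip trailing comments
        if m := re.match(r"^  (\S[^:]*):$", line):        # two-space indent: service
            service, in_ports = m.group(1), False
        elif re.match(r"^    \S", line):                  # four-space indent: service key
            in_ports = line.strip() == "ports:"
        elif in_ports and (m := re.match(r"^\s+-\s*(.+)$", line)):
            entry = m.group(1).strip("\"'")
            ip, port = host_binding(entry)
            # Ranges and ephemeral ports are flagged rather than guessed at.
            if ip not in LOOPBACK and not (port and port.isdigit() and int(port) in allowed):
                findings.append((service, entry))
    return findings

if __name__ == "__main__":
    for svc, entry in audit(SAMPLE):
        print(f"{svc}: '{entry}' is published outside 80/443")
```

A service that only the proxy needs to reach can drop its `ports` entry entirely, since containers in the same compose project reach each other over the project network.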

etj commented 3 years ago

@lpasquali pls keep in mind that next step is to have the whole architecture in HA. An external service would be the way to go, since it could dispatch the incoming requests to the various replicated CKAN instances.

Also note that if we are going to move to k8s, the whole implementation will need to be completely reworked, so in that scenario it wouldn't matter which solution we're adopting in this stage. In this case, solution 1 would have my +1.

lpasquali commented 3 years ago

@etj I'm ready to make a PR, but I'd need PR https://github.com/geosolutions-it/C195-azure-workspace/pull/18 to be merged first.

lpasquali commented 3 years ago

PR done @etj https://github.com/geosolutions-it/C195-azure-workspace/pull/20

lpasquali commented 3 years ago

@etj can we close this?