Closed etj closed 3 years ago
@simboss @etj @randomorder
As Simone asked, I am presenting the results of the investigation. I limited the research to two solutions:
With this addition to here and some more additions to the provisioning script I made for provisioning the nginx configuration:
```yaml
swag:
  image: ghcr.io/linuxserver/swag
  container_name: swag
  cap_add:
    - NET_ADMIN
  environment:
    - PUID=1000
    - PGID=1000
    - URL=${CKAN_SITE_URL}
    - SUBDOMAINS=www,
    - VALIDATION=http
    - EMAIL=admin@${CKAN_SITE_URL} #optional
    - ONLY_SUBDOMAINS=false #optional
    - EXTRA_DOMAINS= #optional
    - STAGING=false #optional
  volumes:
    - $HOME/nginx/config:/config
  ports:
    - 443:443
    - 80:80 #optional
  restart: unless-stopped
```
I could start HTTP and HTTPS on the ckan-vm using everything that comes with it (FQDN, public address). This should not take long, and I can probably do it in a couple of hours.
This solution would use a managed service, but even if managed, it would need more effort than managing a few bash scripts and the docker composition as in Solution 1. Also, this solution comes with no HTTPS by default, which must be handled and automated. It would probably require one day to implement: https://docs.microsoft.com/en-us/azure/application-gateway/overview
Considering the costs of 1 (almost none, as the VM is already up for CKAN) and the time needed to produce a good implementation of 2, I'd endorse Solution 1.
@lpasquali pls keep in mind that next step is to have the whole architecture in HA. An external service would be the way to go, since it could dispatch the incoming requests to the various replicated CKAN instances.
Also note that if we are going to move to k8s, the whole implementation will need to be completely reworked, so in that scenario it wouldn't matter which solution we're adopting in this stage. In this case, solution 1 would have my +1.
@etj I'm ready to make a PR, but I'd need PR https://github.com/geosolutions-it/C195-azure-workspace/pull/18 to be merged first.
@etj can we close this?
At the moment the access is on port 5000 exposed by CKAN.
Allow only access to 80 (or 443).
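
A check for the requirement above, as an added example that is not part of the original issue or the project's code: it scans a compose file's short-syntax `ports:` entries and reports any service that publishes a host port other than 80 or 443 on a non-loopback address. The `SAMPLE` text and its `ckan` and `solr` entries are constructed for illustration; 2-space indentation and literal (non-variable) port values are assumed.

```python
ALLOWED = {80, 443}              # host ports the issue wants reachable
LOOPBACK = ("127.", "[::1]")     # mappings bound here are not reachable remotely

# Constructed compose file: the ckan and solr entries are assumptions, not from the page.
SAMPLE = """\
services:
  ckan:
    ports:
      - "5000:5000"
  solr:
    ports:
      - "127.0.0.1:8983:8983"
  swag:
    ports:
      - 443:443
      - 80:80 #optional
"""

def published_ports(compose_text):
    """Yield (service, mapping) for each short-syntax entry under a `ports:` key."""
    service, in_ports = None, False
    for raw in compose_text.splitlines():
        line = raw.split("#")[0].rstrip()          # drop trailing comments
        text = line.strip()
        if not text:
            continue
        if len(line) - len(text) == 2 and text.endswith(":"):
            service = text[:-1]                    # service name at 2-space indent
        if in_ports and text.startswith("- "):
            yield service, text[2:].strip().strip("'\"")
        else:
            in_ports = text == "ports:"            # any other key ends the list

def exposed(mapping):
    """Return the host ports a mapping opens on non-loopback interfaces."""
    parts = mapping.split("/")[0].rsplit(":", 2)   # [ip,] host, container
    if len(parts) == 3 and parts[0].startswith(LOOPBACK):
        return []
    if len(parts) == 1:
        return [0]                                 # container-only: random host port
    lo, _, hi = parts[-2].partition("-")           # single host port or a range
    return list(range(int(lo), int(hi or lo) + 1))

def audit(compose_text, allowed=ALLOWED):
    """List (service, mapping) pairs publishing a host port outside `allowed`."""
    return [(svc, m) for svc, m in published_ports(compose_text)
            if any(p not in allowed for p in exposed(m))]

if __name__ == "__main__":
    print(audit(SAMPLE))
```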