okfn-brasil / jarbas

🎩 API for information and suspicions about reimbursements by Brazilian congresspeople
https://jarbas.serenata.ai/

Enable HTTPS #22

Closed cuducos closed 7 years ago

cuducos commented 7 years ago

I've never done that — is letsencrypt.org a good idea? I feel like I'd like to pair with someone else to get that up and running because all this is new to me.

ghost commented 7 years ago

Let's encrypt is a great idea, I'll help if you like. I've never implemented it either but feel confident about it.

cuducos commented 7 years ago

AFAIK we need to get the keys from Let's Encrypt and then config the server… this second part, the server part, is where I have no idea where to start. Would you like to get together to tackle this issue? We can set up a pair programming session to check what we can get…

ghost commented 7 years ago

Do you control the server? Having ssh access is best but we can do it manually if we need to.

cuducos commented 7 years ago

Yep, I have root access to our server (a droplet at Digital Ocean). The nginx config file I'm using is in the repo here for reference (just in case)…

ghost commented 7 years ago

Ok, I'm at work ATM, for another 6hrs unfortunately. I can be of more help when I get home. Have you seen the custom instructions here: https://certbot.eff.org ? Select nginx and then your operating system to get a head start.

ghost commented 7 years ago

I read over the ones for Debian real quick and think after that you will just have auto-renewing certificates installed. Then it's just a matter of setting up nginx.

cuducos commented 7 years ago

Many thanks for the reference, @robjloranger! And don't worry about being available, we can talk asynchronously ; )

I read the nginx Certbot docs you sent and that clarified a bit… but I still have doubts when they say `$ letsencrypt certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is`.

How does that work when nginx is used as a proxy for a gunicorn (Django) application? I mean where should I place files that are supposed to be in the root of the server when the root requests are handled by a gunicorn (or uwsgi) application?

Maybe the answer is the standalone version of the command (but that bit is still unclear to me).
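One way to answer the webroot question above, as an added example that is not part of this thread or the project's own config: nginx keeps proxying every request to gunicorn, except the ACME challenge path, which it serves from a static directory that Certbot writes into. The hostnames, the `/var/www/letsencrypt` webroot and the gunicorn bind address are assumptions.

```nginx
# Constructed example: nginx fronting gunicorn while serving Let's Encrypt
# HTTP-01 challenges from a static webroot. Hostnames, paths and the
# gunicorn port are assumptions, not values from the Jarbas repo.

server {
    listen 80;
    server_name example.org www.example.org;   # assumed hostnames

    # Certbot's --webroot mode writes its challenge token under this prefix;
    # serve it as a plain file so the ACME validator never reaches Django.
    # Matches: certbot certonly --webroot -w /var/www/letsencrypt \
    #              -d example.org -d www.example.org
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;              # assumed webroot (-w value)
        default_type "text/plain";
    }

    # Everything else on port 80 is redirected to HTTPS once the cert exists.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.org www.example.org;

    # Default locations Certbot uses for a certificate issued to the first -d domain.
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    location / {
        proxy_pass         http://127.0.0.1:8000;   # assumed gunicorn bind address
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets Django know the original request was HTTPS (see SECURE_PROXY_SSL_HEADER).
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Because the challenge location is matched before the catch-all proxy, renewals keep working without stopping gunicorn or nginx, which the standalone mode would require.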

pedrommone commented 7 years ago

LetsEncrypt is an awesome option, but isn't CloudFlare enough?

cuducos commented 7 years ago

I don't know the difference between encrypting stuff via Let's Encrypt and CloudFlare (and TBH I just know CloudFlare because of their CDN service).

My concern here is that people can browse documents from the Brazilian government over HTTPS to keep their privacy. This is what really matters.

pedrommone commented 7 years ago

@cuducos if you want to enable end-to-end HTTPS you need to enable it directly in the server's nginx, and it can be done with #12 when we deploy the new infra.

Anyway, I think CloudFlare is a good option to hide the servers in case of DDoS.

cuducos commented 7 years ago

> CloudFlare is a good option to hide the servers in case of DDoS

That's important too. Do they offer this for free?

> enable end-to-end HTTPS you need to enable it directly into server's nginx and its can be done with #12 when we deploy the new infra.

Awesome, gonna wait for #12 then!

pedrommone commented 7 years ago

Yep, they offer it for free, but if you apply as an NGO we should get the ultimate master blaster hyper plan for free.

cuducos commented 7 years ago

> Yep, they offer it on free but if you apply as an ONG we should get the ultimate master blaster hyper plan for free.

Great, gonna get started then!

leomeloxp commented 7 years ago

Just a quick note on this. On #18 I started a discussion about splitting the front-end and backend of Jarbas into (potentially) their own repositories. @cuducos agreed to discuss that further after other issues on the repo got sorted (especially #12). If we were to host the front-end on Firebase, they give HTTPS for free by default.

I'm not able to help much with the backend though, as all I ever did was buy certs and set them up with Apache. But if we were to pair up for something, I'd be keen to actually get some hands-on with Let's Encrypt, or at least follow this issue and learn a bit more about it from what you guys manage to achieve 😉 (I'm not that sharp with Python or nginx, unfortunately).

cuducos commented 7 years ago

Many thanks @leomeloxp.

> If we were to host the front-end on Firebase, they give HTTPS free by default.

We got free droplets as a kind of sponsorship from Digital Ocean, so we're sticking with them.

> But if we were to pair up for something, I'd be keen to actually get some hands on

Yay! I like that. As @pedrommone pointed out, this issue is probably strictly related to #12, so I'll wait for it before spending time studying how to configure nginx for HTTPS. But let's get back to that in a week, maybe ; )

ghost commented 7 years ago

@cuducos let me know when you get there, I'll be happy to help.

gwmoura commented 7 years ago

How does the shared SSL certificate for CloudFlare work? Do they deliver a domain like someone.cloudflare.com, or can we configure mydomain.com to use HTTPS?

luiz-simples commented 7 years ago

The only downside of Let's Encrypt is that it does not support wildcards. It supports an unlimited number of domains and subdomains, but the subdomains cannot be dynamic.

pedrommone commented 7 years ago

@gwmoura they offer a full and customized SSL certificate for your domain :)

gwmoura commented 7 years ago

Excellent @pedrommone, I'm gonna test the service :smile:

gomex commented 7 years ago

CloudFlare is not Tor friendly :(

cuducos commented 7 years ago

I think CloudFlare was on the table just as a measure to protect ourselves from DDoS, as raised by @pedrommone. I wasn't aware CloudFlare wasn't Tor friendly. But to be honest we might be too worried about things that might happen, or might not happen (DDoS). I think privacy is a must (hence HTTPS) and that Tor might help with privacy. So if I had to choose I'd leave the DDoS shield for later.

We're fully open source, if we're down anyone could serve the same thing with a few clicks — distributed systems are more reliable than centralized ones (that's one reason why we do open source with open data).

danizavtz commented 7 years ago

Hello @cuducos, I would like to help. I configured HTTPS with a self-signed certificate in my cloud service. I also applied for a letsencrypt.org certificate, but as I did not have a domain (I use the IP only for access), I could not use it on my server. We can do it (in pair) and make some tests to see if it works. I'm confident in trying to make a deploy with the HTTPS protocol.

cuducos commented 7 years ago

Many thanks, @danizavtz! In fact @gomex, @gwmoura and others are advancing with a Docker infrastructure for deploy. I think that you could coordinate to work with them there (we're using the extract-nodejs branch) instead of thinking of the architecture currently in use at master — does that make sense to you?

danizavtz commented 7 years ago

Yes, no problem. I was not aware of what was happening on that branch; later I saw the discussion about Docker integration. I will try to coordinate better with them. First I will try to make it run on my machine. Thanks.

cuducos commented 7 years ago

Many thanks @danizavtz! Soon (maybe later today) the Docker stuff will be merged to master ; )

cuducos commented 7 years ago

UPDATE: the Docker stuff is already on the master branch.

gwmoura commented 7 years ago

@danizavtz are you working on it? What have you done so far? In my mind we can automate the generation of the certificate to be used by nginx and update the jarbas nginx image with the new certificate.

danizavtz commented 7 years ago

Hello, yesterday I tried to run Jarbas locally on my machine, but I could not run this Docker.... It gave me an error. When I run the project with success I will start a branch and do this job. I'll try again tonight.

cuducos commented 7 years ago

@danizavtz What was the error? Share it and we might fix it or help you get started ; )

danizavtz commented 7 years ago

It occurs when I run the command: `sudo docker-compose up -d`. Here is the error:

```
Removing intermediate container d8653fc3d5b4
Step 6 : COPY .env /code/.env
ERROR: Service 'jarbas' failed to build: lstat .env: no such file or directory
```

This directory [.env] does not exist in my jarbas folder.

cuducos commented 7 years ago

Yay, you just helped us figure out something wrong in our documentation. The Settings section is relevant to Docker users too; we should reorganize that in the README.md. Thanks ; )

danizavtz commented 7 years ago

Hey @cuducos, shall we create a new issue with this error? Should I follow the rules for the local install to succeed?

pedrommone commented 7 years ago

@danizavtz it's already created: #59

danizavtz commented 7 years ago

Now I copied the .env config and I could build the project using Docker with success.

Now it gives me an error when I run the command: `docker-compose run --rm jarbas python manage.py loaddatasets`

Here is the error:

```
return self.cursor.execute(sql, params)
django.db.utils.ProgrammingError: relation "core_document" does not exist
LINE 1: SELECT COUNT(*) AS "__count" FROM "core_document"
```

But I didn't run the command migrate, or makemigrations, to create the tables in the database.

pedrommone commented 7 years ago

@danizavtz can you open an issue about the problem you're facing? Let's maintain the discussion here about the HTTPS. Thank you :)

cuducos commented 7 years ago

> But i didn't run the command migrate, or make migrations, to create the tables in the database.

No need to run makemigrations, and migrate is already run by the Dockerfile. Is your .env overriding docker-compose.yml's DATABASE_URL by any chance?

Please, let's follow @pedrommone's excellent suggestion: report that in a new issue to make it easier for the community ; )