Merge pull request #51 from jembi/plat-224-reverse-proxy-improvements

PLAT-224 - reverse proxy improvements

Author: tumbledwyer

.env.dev

@@ -1,12 +1,12 @@
 # General
 
-STATEFUL_NODES=cluster
+STATEFUL_NODES=single
 
 # Interoperability Layer - OpenHIM
 
 OPENHIM_CORE_INSTANCES=1
 OPENHIM_CONSOLE_INSTANCES=1
-OPENHIM_CORE_MEDIATOR_HOSTNAME=localhost
+OPENHIM_CORE_MEDIATOR_HOSTNAME=127.0.0.1
 OPENHIM_MEDIATOR_API_PORT=8080
 MONGO_SET_COUNT=3
 
@@ -44,9 +44,9 @@ HF_POSTGRES_MEMORY_RESERVE=500M
 
 # Reverse Proxy - Nginx
 
-REVERSE_PROXY_INSTANCES=3
-INSECURE=false
-INSECURE_PORTS=-5001:5001-80:80-8080:8080
+REVERSE_PROXY_INSTANCES=1
+INSECURE=true
+INSECURE_PORTS=5001:5001-80:80-8080:8080
 DOMAIN_NAME=domain
 SUBDOMAINS=openhimcomms.domain,openhimcore.domain,openhimconsole.domain
 RENEWAL_EMAIL=dummy@jembi.org

interoperability-layer-openhim/config/http-openhim-insecure.conf

@@ -0,0 +1,18 @@
+# OpenHIM Core HTTP server config
+server {
+    listen 5001;
+    client_max_body_size 10M;
+
+    location / {
+        proxy_pass http://openhim-core:5001;
+    }
+}
+
+# OpenHIM Console
+server {
+    listen 80;
+
+    location / {
+        proxy_pass http://openhim-console:80;
+    }
+}

interoperability-layer-openhim/config/http-openhim-secure.conf

@@ -0,0 +1,93 @@
+# OpenHIM Core API server config
+server {
+    listen 80;
+    server_name openhimcomms.*;
+
+    location /.well-known/acme-challenge/ {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_certbot certbot;
+        proxy_pass http://$upstream_certbot$request_uri;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name openhimcomms.*;
+
+    location /.well-known/acme-challenge/ {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_certbot certbot;
+        proxy_pass http://$upstream_certbot$request_uri;
+    }
+
+    location / {
+        proxy_pass https://openhim-core:8080;
+    }
+}
+
+# OpenHIM Core HTTP server config
+server {
+    listen 80;
+    server_name openhimcore.*;
+
+    location /.well-known/acme-challenge/ {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_certbot certbot;
+        proxy_pass http://$upstream_certbot$request_uri;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name openhimcore.*;
+    client_max_body_size 10M;
+
+    location /.well-known/acme-challenge/ {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_certbot certbot;
+        proxy_pass http://$upstream_certbot$request_uri;
+    }
+
+    location / {
+        proxy_pass https://openhim-core:5000;
+    }
+}
+
+# OpenHIM Console
+server {
+    listen 80;
+    server_name openhimconsole.*;
+
+    location /.well-known/acme-challenge/ {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_certbot certbot;
+        proxy_pass http://$upstream_certbot$request_uri;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name openhimconsole.*;
+
+    location /.well-known/acme-challenge/ {
+        resolver 127.0.0.11 valid=30s;
+        set $upstream_certbot certbot;
+        proxy_pass http://$upstream_certbot$request_uri;
+    }
+
+    location / {
+        proxy_pass http://openhim-console:80;
+    }
+}

interoperability-layer-openhim/config/stream-openhim-insecure.conf

@@ -0,0 +1,5 @@
+# use a stream so don't terminate ssl here
+server {
+    listen 8080;
+    proxy_pass openhim-core:8080;
+}

interoperability-layer-openhim/docker-compose.yml

@@ -24,7 +24,7 @@ services:
     depends_on:
       - openhim-core
     configs:
-      - source: console.config
+      - source: console-default.json
         target: /usr/share/nginx/html/config/default.json
     deploy:
       placement:
@@ -38,7 +38,7 @@ services:
           memory: ${OPENHIM_CONSOLE_MEMORY_RESERVE:-500M}
 
 configs:
-  console.config:
+  console-default.json:
     file: ./importer/volume/default.json
     name: console.config-${console_config_DIGEST:?err}
     labels:

interoperability-layer-openhim/initiateReplicaSet.sh

@@ -39,6 +39,9 @@ done
 # This sleep ensures that the replica sets are reachable
 sleep 10
 
+# TODO (PLAT-256): only works if deploying to node-1 labeled node
+# With docker swarm any manager can be the target but this bit of code only work if we target node-1 specifically.
+# Which is generally what we do, but if node-1 is down or we choose to target another node this won't work.
 ContainerName=""
 if [[ "$(docker ps -f name=instant_mongo-1 --format "{{.ID}}")" ]]; then
     ContainerName="$(docker ps -f name=instant_mongo-1 --format "{{.ID}}")"

interoperability-layer-openhim/package-metadata.json

@@ -3,6 +3,7 @@
   "name": "Interoperability Layer Package - Openhim",
   "description": "This is the interoperability layer that enables simpler data exchange between the different systems. It is also the security layer for the other systems",
   "version": "1.0.0",
+  "dependencies": ["reverse-proxy-nginx"],
   "environmentVariables": {
     "mongo_url": "mongodb://mongo-1:27017,mongo-2:27017,mongo-3:27017/openhim?replicaSet=mongo-set",
     "mongo_atnaUrl": "mongodb://mongo-1:27017,mongo-2:27017,mongo-3:27017/openhim?replicaSet=mongo-set",