Commit 34bc2760 authored by Jacob Priddy's avatar Jacob Priddy 👌

modify config for production saml

parent c8e16ed7
Pipeline #10623 passed with stages
in 3 minutes and 6 seconds
......@@ -30,7 +30,7 @@ services:
- "8080:443"
volumes:
- ./src:/var/www
- ./nginx/conf.d/:/etc/nginx/conf.d
- ./nginx/conf.d/app.conf:/etc/nginx/conf.d/app.conf
- ./nginx/dhparam/:/run/dhparam
# Saml config
- ./simplesamlphp-1.18.5:/var/simplesamlphp
......@@ -32,17 +32,13 @@ services:
- "80:80"
volumes:
- ./src:/var/www
- ./nginx/conf.d/:/etc/nginx/conf.d
- ./nginx/conf.d/prod.conf:/etc/nginx/conf.d/prod.conf
- ./nginx/dhparam/:/run/dhparam
# Saml config
- ./simplesamlphp-1.18.5:/var/simplesamlphp
- ./simple-saml/cert:/var/simplesamlphp/cert
- ./simple-saml/config:/var/simplesamlphp/config
- ./simple-saml/metadata:/var/simplesamlphp/metadata
- ./simplesamlphp-1.18.5:/var/simplesamlphp-idp
- ./simple-saml-idp/cert:/var/simplesamlphp-idp/cert
- ./simple-saml-idp/config:/var/simplesamlphp-idp/config
- ./simple-saml-idp/metadata:/var/simplesamlphp-idp/metadata
- ./simple-saml-prod/cert:/var/simplesamlphp/cert
- ./simple-saml-prod/config:/var/simplesamlphp/config
- ./simple-saml-prod/metadata:/var/simplesamlphp/metadata
networks:
- doorcode
postgres:
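Review bot: The new `- ./simple-saml-prod/cert:/var/simplesamlphp/cert` mount gives this service the SAML service-provider key material, yet the `80:80` mapping and the `prod.conf` mount above it suggest this is the nginx front end, which only needs `/var/simplesamlphp/www` for SimpleSAMLphp's static assets because PHP runs in the php-fpm container (the hunk at `@@ -83,12 +79,8 @@` mounts the same paths there, as its comment says). If that reading is right, the cert, config and metadata mounts can be dropped from this service altogether. Where a mount must stay, make it read-only, e.g. `- ./simple-saml-prod/config:/var/simplesamlphp/config:ro`, so a compromised web or PHP process cannot rewrite the IdP metadata or SP configuration; the same `:ro` suffix applies to the three `simple-saml-prod` mounts in the php-fpm hunk. The enclosing `services:` block starts outside this hunk.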
......@@ -83,12 +79,8 @@ services:
- ./php/prod.ini:/usr/local/etc/php/conf.d/local.ini
# Map saml files to the php-fpm server so it has access to them as well
- ./simplesamlphp-1.18.5:/var/simplesamlphp
- ./simple-saml/cert:/var/simplesamlphp/cert
- ./simple-saml/config:/var/simplesamlphp/config
- ./simple-saml/metadata:/var/simplesamlphp/metadata
- ./simplesamlphp-1.18.5:/var/simplesamlphp-idp
- ./simple-saml-idp/cert:/var/simplesamlphp-idp/cert
- ./simple-saml-idp/config:/var/simplesamlphp-idp/config
- ./simple-saml-idp/metadata:/var/simplesamlphp-idp/metadata
- ./simple-saml-prod/cert:/var/simplesamlphp/cert
- ./simple-saml-prod/config:/var/simplesamlphp/config
- ./simple-saml-prod/metadata:/var/simplesamlphp/metadata
networks:
- doorcode
# Only difference between this file and the dev file is the saml config. For prod there is no IDP and the url is changed
# to just saml
# Thers a stupid bug in nginx that's been around for years that makes it so we can't easily put both front and backend
# on the same server. So we'll just do a proxy pass...
# Checkout https://ssl-config.mozilla.org/ for ocnfiguring secure ssl
upstream localhost.api {
server 127.0.0.1:443;
}
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
server_name localhost;
listen 443 ssl;
index index.php index.html;
ssl_certificate /run/secrets/webserver_cert;
ssl_certificate_key /run/secrets/webserver_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /run/dhparam/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_trusted_certificate /run/secrets/root_cert;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /var/www/frontend/dist;
location ^~ /saml {
alias /var/simplesamlphp/www;
location ~ \.php(/|$) {
include fastcgi_params;
fastcgi_pass api:9000;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
}
}
location /pgadmin4 {
proxy_set_header X-Script-Name /pgadmin4/;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
proxy_pass http://dbadmin/;
proxy_redirect off;
}
location /api {
proxy_pass https://localhost.api;
}
location / {
try_files $uri $uri/ /index.html;
}
}
server {
server_name localhost.api;
listen 443 ssl;
index index.php index.html;
ssl_certificate /run/secrets/webserver_cert;
ssl_certificate_key /run/secrets/webserver_key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /run/dhparam/dhparam;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_trusted_certificate /run/secrets/root_cert;
error_log /var/log/nginx/error.log;
access_log /var/log/nginx/access.log;
root /var/www/backend/public;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass api:9000;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
}
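Review bot: `location /pgadmin4` in the `server_name localhost` block proxies the pgAdmin console onto the production front end with no nginx-level restriction, so the database administration UI is reachable by anyone who can reach the site, guarded only by pgAdmin's own login; since the header comment says this file is prod-only, consider removing that location here or limiting it to administrative source ranges, e.g. `allow <ADMIN_CIDR>; deny all;` ahead of the `proxy_set_header` lines, ideally behind an additional authentication layer. Separately, `ssl_trusted_certificate /run/secrets/root_cert;` has no effect without `ssl_stapling on; ssl_stapling_verify on;` and a `resolver`, which the Mozilla generator referenced in the comment emits together; if the chain is an internal CA, stapling likely does not apply and the directive can simply go. Note also that both `server` blocks listen on 443, so the `localhost.api` backend can be selected directly by a client sending that Host header, bypassing the `/api` proxy; that is fine only if intended, otherwise bind the backend to `127.0.0.1:443` as the `upstream` already assumes. The diff header for this file is not visible in the rendered section, so this assumes the whole file is new.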
*
!.gitignore
\ No newline at end of file
*
!.gitignore
\ No newline at end of file
*
!.gitignore
\ No newline at end of file