Skip to content

Commit 494ffd1

Browse files
committed
Introduce sso ssl proxy
- disable INTERNAL_URL in templates - move internal_url to init script - removed some readme parts as it will be in docs
1 parent 3100ca8 commit 494ffd1

6 files changed

Lines changed: 127 additions & 72 deletions

File tree

deployment/common/ssl-proxy.conf

Lines changed: 59 additions & 59 deletions
Original file line numberDiff line numberDiff line change
@@ -1,63 +1,63 @@
11

2-
server {
3-
listen 80;
4-
server_name merginmaps.company.com; # FIXME
2+
server {
3+
listen 80;
4+
server_name merginmaps.company.com; # FIXME
55

6-
if ($scheme != "https") {
7-
return 301 https://$host$request_uri;
8-
}
6+
if ($scheme != "https") {
7+
return 301 https://$host$request_uri;
98
}
10-
11-
upstream app_server {
12-
# route to the application proxy
13-
server 127.0.0.1:8080 fail_timeout=0;
14-
}
15-
16-
server {
17-
listen 443 ssl;
18-
server_name merginmaps.company.com; # FIXME
19-
client_max_body_size 4G;
20-
21-
ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME
22-
ssl_certificate /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME
23-
24-
# Don't show version information
25-
server_tokens off;
26-
27-
# Enable gzip compression
28-
gzip on;
29-
gzip_min_length 10240;
30-
gzip_comp_level 1;
31-
gzip_vary on;
32-
gzip_proxied any;
33-
gzip_types
34-
text/css
35-
text/javascript
36-
application/javascript
37-
application/x-javascript;
38-
39-
# Prevent crawlers from indexing and following links for all content served from the mergin app
40-
add_header X-Robots-Tag "none";
41-
42-
# Protect against clickjacking iframe
43-
add_header Content-Security-Policy "frame-ancestors 'self';" always;
44-
45-
# Add a HSTS policy to prevent plain http from browser
46-
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
47-
48-
# Set cookies security flags
49-
proxy_cookie_flags ~ secure httponly samesite=strict;
50-
51-
location / {
52-
root /var/www/html;
53-
54-
# The lines below were copied from application proxy
55-
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
56-
proxy_set_header X-Forwarded-Proto $scheme;
57-
proxy_set_header Host $http_host;
58-
# we don't want nginx trying to do something clever with
59-
# redirects, we set the Host: header above already.
60-
proxy_redirect off;
61-
proxy_pass http://app_server;
62-
}
9+
}
10+
11+
upstream app_server {
12+
# route to the application proxy
13+
server 127.0.0.1:8080 fail_timeout=0;
14+
}
15+
16+
server {
17+
listen 443 ssl;
18+
server_name merginmaps.company.com; # FIXME
19+
client_max_body_size 4G;
20+
21+
ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME
22+
ssl_certificate /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME
23+
24+
# Don't show version information
25+
server_tokens off;
26+
27+
# Enable gzip compression
28+
gzip on;
29+
gzip_min_length 10240;
30+
gzip_comp_level 1;
31+
gzip_vary on;
32+
gzip_proxied any;
33+
gzip_types
34+
text/css
35+
text/javascript
36+
application/javascript
37+
application/x-javascript;
38+
39+
# Prevent crawlers from indexing and following links for all content served from the mergin app
40+
add_header X-Robots-Tag "none";
41+
42+
# Protect against clickjacking iframe
43+
add_header Content-Security-Policy "frame-ancestors 'self';" always;
44+
45+
# Add a HSTS policy to prevent plain http from browser
46+
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
47+
48+
# Set cookies security flags
49+
proxy_cookie_flags ~ secure httponly samesite=strict;
50+
51+
location / {
52+
root /var/www/html;
53+
54+
# The lines below were copied from application proxy
55+
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
56+
proxy_set_header X-Forwarded-Proto $scheme;
57+
proxy_set_header Host $http_host;
58+
# we don't want nginx trying to do something clever with
59+
# redirects, we set the Host: header above already.
60+
proxy_redirect off;
61+
proxy_pass http://app_server;
6362
}
63+
}
Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
2+
server {
3+
listen 80;
4+
server_name sso.company.com; # FIXME
5+
6+
if ($scheme != "https") {
7+
return 301 https://$host$request_uri;
8+
}
9+
}
10+
11+
upstream sso_server {
12+
# route to the application proxy
13+
server 127.0.0.1:5225 fail_timeout=0;
14+
}
15+
16+
server {
17+
listen 443 ssl;
18+
server_name sso.company.com; # FIXME
19+
client_max_body_size 4G;
20+
21+
ssl_certificate_key /etc/letsencrypt/live/sso.company.com/privkey.pem; # FIXME
22+
ssl_certificate /etc/letsencrypt/live/sso.company.com/fullchain.pem; # FIXME
23+
24+
# Don't show version information
25+
server_tokens off;
26+
27+
# Enable gzip compression
28+
gzip on;
29+
gzip_min_length 10240;
30+
gzip_comp_level 1;
31+
gzip_vary on;
32+
gzip_proxied any;
33+
gzip_types
34+
text/css
35+
text/javascript
36+
application/javascript
37+
application/x-javascript;
38+
39+
# Prevent crawlers from indexing and following links for all content served from the mergin app
40+
add_header X-Robots-Tag "none";
41+
42+
# Protect against clickjacking iframe
43+
add_header Content-Security-Policy "frame-ancestors 'self';" always;
44+
45+
# Add a HSTS policy to prevent plain http from browser
46+
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
47+
48+
# Set cookies security flags
49+
proxy_cookie_flags ~ secure httponly samesite=strict;
50+
51+
location / {
52+
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
53+
proxy_set_header X-Forwarded-Proto $scheme;
54+
proxy_set_header Host $http_host;
55+
# we don't want nginx trying to do something clever with
56+
# redirects, we set the Host: header above already.
57+
proxy_redirect off;
58+
proxy_pass http://sso_server:5225;
59+
}
60+
}

deployment/enterprise/.env.template

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -223,14 +223,14 @@ VECTOR_TILES_STYLE_URL=https://tiles-ee.merginmaps.com//styles/default.json
223223
SSO_SERVER_URL=http://localhost:8081
224224

225225
# internal URL of the api server, used for internal calls to polis API
226-
SSO_SERVER_API_URL=http://merginmaps-proxy:8081
226+
# SSO_SERVER_API_URL=http://merginmaps-proxy:8081
227227

228228
# internal URL of the SSO server, used for internal calls to polis API
229-
SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081
229+
# SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081
230230

231231
# by default token is alive for 14 days (use seconds as unit
232232
# SSO_SESSION_EXPIRATION=14 * 24 * 3600
233233

234234
# This should be the same as SSO connection Product field in admin panel.
235235
# Default value is mergin-maps-product string
236-
# SSO_SERVER_PRODUCT_ID=
236+
# SSO_SERVER_PRODUCT_ID=mergin-maps-product

deployment/enterprise/README.md

Lines changed: 2 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -43,18 +43,11 @@ bash ./sso/sso-init.sh`.
4343
This will generate a ready-to-use file with some pre-generated secrets needed for the SSO backend.
4444
Alternatively, and most recommended, you can manually create `.sso.env` from the provided `.sso.env.template` and generate your own secret keys as well as other relevant configurations.
4545

46-
Pay close attention to these environment variables and change their default values: (`NEXTAUTH_ADMIN_CREDENTIALS`, `RETRACED_ADMIN_ROOT_TOKEN`, `NEXTAUTH_ACL`). To set up your connection with a SAML application, fill in `SAML_AUDIENCE` with a domain. [More details here](https://www.ory.sh/docs/polis/deploy/env-variables#saml_audience).
46+
Make sure if the proxy has mounted the [./sso/sso-nginx.conf](./sso/sso-nginx.conf) file in the main [docker-compose.yml](./docker-compose.yml) file.
4747

48-
Before deployment, ensure that the SSO-related environment variables in the main `.prod.env` file (`SSO_ENABLED=True`) are set. If you used `sso-init.sh`, variable `SSO_SERVER_API_KEY` is set properly. On the other hand, if you created `.sso.env` manually, you need to set it manually to be the same as one of `JACKSON_API_KEYS`.
49-
Please follow the Mergin Maps [documentation](https://merginmaps.com/docs/server/environment/#sso) on this topic.
48+
Please follow the Mergin Maps [documentation](http://localhost:5173/docs/server/install/#deployment-of-single-sign-on-sso) on this topic.
5049

51-
Also, check if the proxy has mounted the [./sso/sso-nginx.conf](./sso/sso-nginx.conf) file in the main [docker-compose.yml](./docker-compose.yml) file.
5250

53-
If you want to configure the Polis server to run on different domain in production (for example, `sso.example.com`), you need to add this domain to the following variables:
54-
55-
* `EXTERNAL_URL=https://sso.example.com`
56-
* `NEXTAUTH_URL=https://sso.example.com`
57-
* `SSO_SERVER_URL=https://sso.example.com`
5851

5952
### Configure WebMaps (Optional)
6053

deployment/enterprise/docker-compose.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ services:
4242
- ./data:/data # map data dir to host
4343
- ../common/nginx.conf:/etc/nginx/templates/default.conf.template
4444
# If using sso, uncomment the next line
45-
- ./sso/sso-nginx.conf:/etc/nginx/templates/sso.conf.template
45+
# - ./sso/sso-nginx.conf:/etc/nginx/templates/sso.conf.template
4646
networks:
4747
- mergin
4848
depends_on:

deployment/enterprise/sso/sso-init.sh

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,3 +21,5 @@ echo PRIVATE_KEY=$(cat key.pem | base64 | tr -d '\n') >> ../.sso.env
2121

2222
# mergin maps related env variables
2323
echo SSO_SERVER_API_KEY=$API_KEY >> ../.prod.env
24+
echo SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081 >> ../.prod.env
25+
echo SSO_SERVER_API_URL=http://merginmaps-proxy:8081 >> ../.prod.env

0 commit comments

Comments
 (0)