Server deployment
As discussed in the Readium #lcp Slack channel: https://readium.slack.com/messages/C0B702M0B/
- HTTPS reverse proxy (TLS layer in front of the unsecured localhost Go server instances, i.e. LCP, LSD, frontend, etc. running on different ports)
- HTTP route for static file hosting (i.e. repository of encrypted publications, without the injected LCP license `META-INF/license.lcpl`)
- HTTP port number redirection (optional URL path syntax)
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
Example config (`/etc/nginx/sites-enabled/my.domain.org`).

HTTPS reverse proxy (TLS layer in front of the unsecured localhost Go server instances, i.e. LCP, LSD, frontend, etc. running on different ports):

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name my.domain.org;
    # http ==> https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name my.domain.org;

    ssl_certificate /etc/ssl/certs/_.domain.org.pem;
    ssl_certificate_key /etc/ssl/private/_.domain.org.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); do not re-enable them.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    client_max_body_size 10M;

    root /var/www/html;
    index index.nginx-debian.html;

    # Port number expressed as the first URL path segment, e.g. /8989/contents/...
    # As written, ANY local TCP port is reachable through this proxy. On a host that
    # runs other services, restrict the capture to the LCP ports (e.g. 8989|8990|8991)
    # and anchor the regex with ^ and $.
    location ~* /([0-9]+)/(.*) {
        #add_header Cache-Control "public, must-revalidate";
        # Enable HSTS only once every host under domain.org serves HTTPS:
        #add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
        proxy_pass http://127.0.0.1:$1/$2$is_args$query_string;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # lets the Go servers know the original request was HTTPS
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
HTTP route for static file hosting (i.e. repository of encrypted publications, without the injected LCP license `META-INF/license.lcpl`):

```nginx
# The capture is the publication id (hex digits and dashes, e.g. a UUID). Only these
# characters can reach the alias, so no "../" or other path can escape the repository.
# "+" rather than "*" so that a bare /files/ is not aliased to the repository directory.
location ~ /files/([0-9a-f-]+) {
    alias /PATH_TO_FILES_REPOSITORY/$1;
}
```
This route serves the files referenced by the `publication: "http://127.0.0.1:8989/contents/{publication_id}"` field of the YAML configuration, see: https://github.com/readium/readium-lcp-server/blob/master/README.md#configuration
HTTP port number redirection (optional URL path syntax):

```nginx
location /url-path {
    # Extract the port number from the Referer and redirect.
    # The Referer is sent by the client and cannot be trusted: any port it names
    # ends up in the rewritten URI, so restrict the port regex of the proxy
    # location to the LCP ports rather than accepting any number.
    if ($http_referer ~* /([0-9]+)/(.*)) {
        set $port $1;
        rewrite ^(.*)$ /$port$1 last;
    }
}
```
This rewrites a request whose Referer carries the port number as a URL path segment (e.g. `domain.org/8801/rest/of/the/url/path`) into the `/{port}/...` form, which the proxy location above then forwards to the actual IP+port. The `/url-path` location used for the rewrite is fictitious. In a real-world example based on the README ( https://github.com/readium/readium-lcp-server/blob/master/README.md ), the location would more likely be `/api`, e.g. `license_link_url: "http://127.0.0.1:8991/api/v1/licenses/{license_id}"`: a page served through `/8991/` that requests `/api/v1/licenses/...` relative to the site root is routed back to port 8991.
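The following is an added example for this page, not code from readium-lcp-server and not nginx. It is an offline model of the three location blocks above (regex locations tried in file order, first match wins, the prefix location last, `rewrite ... last` restarting the search) so that the effect of the port-in-path regex and of the Referer-driven rewrite can be checked without a server. The port numbers, the `/api` prefix and the files directory are assumptions taken from the README defaults quoted on this page.

```python
"""Offline model of the nginx location blocks on this page (added example)."""
import re
from dataclasses import dataclass

# Assumed deployment: the only ports nginx should ever forward to
# (README defaults: lcpserver 8989, lsdserver 8990, frontend 8991).
LCP_PORTS = (8989, 8990, 8991)
FILES_REPOSITORY = "/srv/lcp/files"     # stands in for /PATH_TO_FILES_REPOSITORY
API_PREFIX = "/api"                     # the "/url-path" location of the page

# 1. As written on the page: any run of digits between slashes is a port, unanchored.
PORT_ANY = re.compile(r"/([0-9]+)/(.*)")
# 1'. Hardened variant: anchored and limited to the known backend ports.
PORT_ALLOWLIST = re.compile(r"^/(%s)/(.*)$" % "|".join(str(p) for p in LCP_PORTS))
# 2. Static publications: the capture (publication id) may only contain hex digits and dashes.
FILES = re.compile(r"/files/([0-9a-f-]+)")
# 3. Port recovered from the Referer header, which the client controls.
REFERER_PORT = re.compile(r"/([0-9]+)/(.*)")


@dataclass
class Decision:
    # "proxy": forwarded to a Go backend; "alias": file on disk;
    # "root": fell through to the document root (normally a 404).
    action: str
    target: str


def resolve(uri: str, referer: str = "", query: str = "", hardened: bool = False) -> Decision:
    """Decide what the configuration does with one request (path without query string)."""
    port_re = PORT_ALLOWLIST if hardened else PORT_ANY
    qs = "?" + query if query else ""           # $is_args$query_string
    for _ in range(2):                          # at most one internal rewrite
        m = port_re.search(uri)
        if m:                                   # location ~* /([0-9]+)/(.*)
            return Decision("proxy", "http://127.0.0.1:%s/%s%s" % (m.group(1), m.group(2), qs))
        m = FILES.search(uri)
        if m:                                   # location ~ /files/([0-9a-f-]+)
            return Decision("alias", "%s/%s" % (FILES_REPOSITORY, m.group(1)))
        if uri.startswith(API_PREFIX):          # location /url-path
            r = REFERER_PORT.search(referer)
            if r:                               # rewrite ^(.*)$ /$port$1 last;
                uri = "/%s%s" % (r.group(1), uri)
                continue
        break
    return Decision("root", uri)


if __name__ == "__main__":
    # Constructed requests: a legitimate frontend call, and a Referer forged to reach port 22.
    good = "https://my.domain.org/8991/index.html"
    forged = "https://attacker.example/22/"
    for hardened in (False, True):
        print("hardened" if hardened else "as on the page")
        print("  ", resolve("/api/v1/licenses/42", referer=good, hardened=hardened))
        print("  ", resolve("/api/v1/licenses/42", referer=forged, hardened=hardened))
        print("  ", resolve("/6379/", hardened=hardened))
```

With the regex as written on the page, `/6379/` (or a forged Referer naming `/22/`) is proxied to that local port; with the anchored allowlist the same requests fall through to the document root. The nginx equivalent of the hardened form is `location ~ ^/(8989|8990|8991)/(.*)$ { ... }` with the same `proxy_pass` line as above. The files route never reaches the alias with anything outside `[0-9a-f-]`, so `..` segments cannot be substituted into the filesystem path.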
Apache equivalent (lcpserver and lsdserver run on the same machine):

```apache
<VirtualHost *:80>
    ServerName backend.example.com
    Redirect permanent / https://backend.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName backend.example.com
    ServerAdmin webmaster@localhost

    SSLEngine on
    # TLS 1.2 only; add +TLSv1.3 on httpd 2.4.37+ built against OpenSSL 1.1.1 or later
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    # ECDHE/DHE with AEAD or SHA-2 suites only; no RC4, 3DES, export, anonymous or PSK/SRP suites
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    # SSLCertificateChainFile is deprecated since 2.4.8; the chain may instead be appended to SSLCertificateFile
    SSLCertificateChainFile "/var/www/ssl/cert-chain.crt"
    SSLCertificateFile "/var/www/ssl/cert.crt"
    SSLCertificateKeyFile "/var/www/ssl/cert-key.key"

    ProxyPreserveHost On

    # lcpserver - https://backend.example.com/license/
    ProxyPass /license/ http://127.0.0.1:8989/
    ProxyPassReverse /license/ http://127.0.0.1:8989/

    # lsdserver - https://backend.example.com/status/
    ProxyPass /status/ http://127.0.0.1:8990/
    ProxyPassReverse /status/ http://127.0.0.1:8990/

    # Access to lcpserver is possible only from allowed IP addresses.
    # The check is made on the TCP peer address, so it only works when Apache is
    # the first hop (no load balancer or CDN in front that rewrites the source IP).
    # Apache 2.2 syntax: on 2.4 use "Require ip 65.65.65.65" (or load mod_access_compat).
    <Location /license/>
        Order deny,allow
        Deny from all
        Allow from 65.65.65.65
    </Location>
</VirtualHost>
```
Optionally, block external access to the backend ports with `iptables`. Rules are appended in order, so the loopback ACCEPT must precede the DROP for the same port; the frontend port (8991) is treated the same way. These rules only cover IPv4 (repeat them with `ip6tables` if the services also listen on `::`) and do not survive a reboot unless saved with the distribution's tooling (e.g. `iptables-save`). Binding the Go servers to 127.0.0.1 instead of all interfaces, where the configuration allows it, is the more robust fix.

```sh
# lcpserver
iptables -A INPUT -p tcp --dport 8989 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8989 -j DROP
# lsdserver
iptables -A INPUT -p tcp --dport 8990 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8990 -j DROP
# frontend
iptables -A INPUT -p tcp --dport 8991 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8991 -j DROP
```