OpenLMIS and TLS
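#!/bin/bash
#
# OpenLMIS on CentOS 7 with TLS terminated by HAProxy on the host.
#
# Installs Docker CE and docker-compose, clones the OpenLMIS reference
# distribution, brings the stack up on port 8080 and puts HAProxy in front of
# it on ports 80/443 with a self-signed certificate.
#
# Run as root, step by step (the `docker-compose logs --follow` step blocks
# until interrupted). Environment:
#   FQDN            optional; host name used for VIRTUAL_HOST/BASE_URL and the
#                   certificate CN (defaults to `hostname --long`)
#   COMPOSE_SHA256  optional; expected SHA-256 of the docker-compose release
#                   binary. When set, the download is verified before install.
#
# Not shown: FQDN set as hostname
# Not shown: SELinux to permissive
set -euo pipefail

(( EUID == 0 )) || { printf 'must run as root\n' >&2; exit 1; }

readonly compose_version='1.23.2'
readonly distro_dir='/opt/openlmis/distro/'
readonly cert_dir='/etc/haproxy/certs.d/'
# Resolved once so settings.env and the certificate CN always agree.
fqdn="${FQDN:-$( hostname --long )}"
readonly fqdn
########
# Docker CE from the upstream yum repository (package signatures checked by yum).
yum install \
  --assumeyes \
  yum-utils \
  device-mapper-persistent-data \
  lvm2
yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo
yum install \
  --assumeyes \
  docker-ce \
  docker-ce-cli \
  containerd.io
systemctl enable docker
systemctl start docker
########
# docker-compose is a bare binary from GitHub releases: pin the version, allow
# only HTTPS (including redirects), fail on HTTP errors and verify the digest
# when the caller supplied one.
curl \
  --fail \
  --location \
  --proto '=https' \
  --proto-redir '=https' \
  --tlsv1.2 \
  "https://github.com/docker/compose/releases/download/${compose_version}/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/sbin/docker-compose
if [[ -n "${COMPOSE_SHA256:-}" ]]; then
  printf '%s  /usr/local/sbin/docker-compose\n' "$COMPOSE_SHA256" | sha256sum --check
fi
chmod 0755 /usr/local/sbin/docker-compose
########
yum install \
  --assumeyes \
  git
git clone \
  --branch 'master' \
  --depth 1 \
  https://github.com/OpenLMIS/openlmis-ref-distro.git \
  "$distro_dir"
cd "$distro_dir"
# settings.env: point the application at this host, enable the production
# profile and require TLS. BASE_URL is left as http:// as in the sample
# settings; confirm against the running deployment before changing it.
sed \
  -r \
  -e "s#^VIRTUAL_HOST.*#VIRTUAL_HOST=${fqdn}#" \
  -e "s#^BASE_URL.*#BASE_URL=http://${fqdn}#" \
  -e 's/^(spring_profiles_active\s*=)/# \1/g' \
  -e 's/^# (spring_profiles_active=production).*/\1/' \
  settings-sample.env > settings.env
# The stack's HTTP port moves to 8080 so HAProxy can own 80/443.
# NOTE(review): whether 8080 is also reachable from the network (bypassing
# HAProxy) depends on the port mapping in docker-compose.yml — if it is, bind
# it to 127.0.0.1 or firewall it.
printf '\nOL_HTTP_PORT=8080\n' | tee -a .env
sed \
  -r \
  -e '/^REQUIRE_SSL=/ s/=.*/=true/' \
  -i \
  settings.env
########
export spring_profiles_active='production'
docker-compose pull --include-deps
docker-compose up --detach
# Hand-driven check that the stack came up; Ctrl-C ends the tail and with it
# this script, so the remaining steps are run individually.
docker-compose logs --follow --timestamps --tail="10"
########
# Give the built-in 'admin' user a contact e-mail (mail@example.com is a
# reserved placeholder address; replace it before real use).
docker-compose exec db \
  psql \
  --username='postgres' \
  --dbname='open_lmis' \
  --command="INSERT INTO notification.user_contact_details (allownotify, email, emailverified, referencedatauserid)
SELECT true, 'mail@example.com', true, id
FROM referencedata.users
WHERE username = 'admin';"
########
yum install \
  --assumeyes \
  haproxy \
  openssl-libs \
  openssl
mkdir -pv "$cert_dir"
# Self-signed certificate. The private key and the combined PEM are created
# under a restrictive umask and pinned to 0600; HAProxy loads them as root
# before it drops privileges and chroots.
( umask 077
  openssl req \
    -new \
    -sha256 \
    -newkey rsa:2048 \
    -nodes \
    -subj "/CN=${fqdn}" \
    -days 3650 \
    -x509 \
    -keyout "${cert_dir}server.key" \
    -out "${cert_dir}server.crt"
  cat "${cert_dir}server.crt" "${cert_dir}server.key" > "${cert_dir}server.pem" )
chmod 0644 "${cert_dir}server.crt"
chmod 0600 "${cert_dir}server.key" "${cert_dir}server.pem"
# TLS is terminated here; the backend is the compose stack on 127.0.0.1:8080.
# SSLv3 and TLS 1.0/1.1 are disabled on the TLS listener.
cat > /etc/haproxy/haproxy.cfg <<'EOF'
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
frontend www
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs.d/server.pem no-sslv3 no-tlsv10 no-tlsv11
    default_backend openlmis
backend openlmis
    server openlmis0 127.0.0.1:8080
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
EOF
# Validate the configuration before (re)starting, and survive reboots.
haproxy -c -f /etc/haproxy/haproxy.cfg
systemctl enable haproxy
systemctl start haproxy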
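#!/bin/bash
#
# OpenLMIS on CentOS 7 with TLS terminated by the stack's own nginx container.
#
# Installs Docker CE and docker-compose, clones the OpenLMIS reference
# distribution, extracts the nginx template from the openlmis/nginx image,
# adds a TLS listener to it and bind-mounts template, certificate and key into
# the container (the docker-compose.yml edit is done by hand, see below).
#
# Run as root, step by step. Environment:
#   FQDN            optional; host name used for VIRTUAL_HOST/BASE_URL and the
#                   certificate CN (defaults to `hostname --long`)
#   COMPOSE_SHA256  optional; expected SHA-256 of the docker-compose release
#                   binary. When set, the download is verified before install.
#   EDITOR          editor used for the manual docker-compose.yml edit (vi)
#
# Not shown: FQDN set as hostname
# Not shown: SELinux to permissive
set -euo pipefail

(( EUID == 0 )) || { printf 'must run as root\n' >&2; exit 1; }

readonly compose_version='1.23.2'
readonly distro_dir='/opt/openlmis/distro/'
readonly files_dir='/opt/openlmis/files'
# Resolved once so settings.env and the certificate CN always agree.
fqdn="${FQDN:-$( hostname --long )}"
readonly fqdn
########
# Docker CE from the upstream yum repository (package signatures checked by yum).
yum install \
  --assumeyes \
  yum-utils \
  device-mapper-persistent-data \
  lvm2
yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo
yum install \
  --assumeyes \
  docker-ce \
  docker-ce-cli \
  containerd.io
systemctl enable docker
systemctl start docker
########
# docker-compose is a bare binary from GitHub releases: pin the version, allow
# only HTTPS (including redirects), fail on HTTP errors and verify the digest
# when the caller supplied one.
curl \
  --fail \
  --location \
  --proto '=https' \
  --proto-redir '=https' \
  --tlsv1.2 \
  "https://github.com/docker/compose/releases/download/${compose_version}/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/sbin/docker-compose
if [[ -n "${COMPOSE_SHA256:-}" ]]; then
  printf '%s  /usr/local/sbin/docker-compose\n' "$COMPOSE_SHA256" | sha256sum --check
fi
chmod 0755 /usr/local/sbin/docker-compose
########
yum install \
  --assumeyes \
  git
git clone \
  --branch 'master' \
  --depth 1 \
  https://github.com/OpenLMIS/openlmis-ref-distro.git \
  "$distro_dir"
cd "$distro_dir"
# settings.env: point the application at this host and enable the production
# profile.
sed \
  -r \
  -e "s#^VIRTUAL_HOST.*#VIRTUAL_HOST=${fqdn}#" \
  -e "s#^BASE_URL.*#BASE_URL=http://${fqdn}#" \
  -e 's/^(spring_profiles_active\s*=)/# \1/g' \
  -e 's/^# (spring_profiles_active=production).*/\1/' \
  settings-sample.env > settings.env
# REQUIRE_SSL is deliberately left at the sample value:
# "true" causes the browser to enter a redirect loop, "false" results in 404 accessing both http and https
#sed \
#  -r \
#  -e '/^REQUIRE_SSL=/ s/=.*/=false/' \
#  -i \
#  settings.env
########
yum install \
  --assumeyes \
  openssl
mkdir -pv "$files_dir"
# Self-signed certificate, created under a restrictive umask; the key is pinned
# to 0600 and mounted read-only into the container.
# NOTE(review): assumes nginx inside openlmis/nginx reads the key as root —
# confirm; if that container runs unprivileged the key mode has to be relaxed.
( umask 077
  openssl req \
    -new \
    -sha256 \
    -newkey rsa:2048 \
    -nodes \
    -subj "/CN=${fqdn}" \
    -days 3650 \
    -x509 \
    -keyout "${files_dir}/server.key" \
    -out "${files_dir}/server.crt" )
chmod 0644 "${files_dir}/server.crt"
chmod 0600 "${files_dir}/server.key"
# Copy the nginx template out of the image pinned by .env. The temporary
# container is removed on every exit path of the subshell.
( source .env
  docker pull "openlmis/nginx:${OL_NGINX_VERSION}"
  tmp_container="$( docker create "openlmis/nginx:${OL_NGINX_VERSION}" )"
  trap 'docker rm -v "$tmp_container"' EXIT
  docker cp "${tmp_container}:/etc/consul-template/openlmis.conf" "${files_dir}/openlmis.conf" )
# Add the TLS listener right after the 'server {' line of the template.
sed \
  -e '/^server {/a \ listen 443 ssl;\n ssl_certificate_key /etc/nginx/server.key;\n ssl_certificate /etc/nginx/server.crt;\n' \
  -i "${files_dir}/openlmis.conf"
# Edit the docker-compose.yml file:
"${EDITOR:-vi}" docker-compose.yml
# The 'nginx' section should look like this (added port, three added volumes):
# nginx:
#   image: openlmis/nginx:${OL_NGINX_VERSION}
#   ports:
#     - "${OL_HTTP_PORT:-80}:80"
#     - "443:443"
#   env_file: settings.env
#   environment:
#     NGINX_LOG_DIR: '/var/log/nginx/log'
#   volumes:
#     - 'nginx-log:/var/log/nginx/log'
#     - 'consul-template-log:/var/log/consul-template'
#     - '/opt/openlmis/files/openlmis.conf:/etc/consul-template/openlmis.conf:ro'
#     - '/opt/openlmis/files/server.crt:/etc/nginx/server.crt:ro'
#     - '/opt/openlmis/files/server.key:/etc/nginx/server.key:ro'
#   depends_on: [consul]
########
export spring_profiles_active='production'
docker-compose pull --include-deps
docker-compose up --detach
# Hand-driven check that the stack came up; Ctrl-C ends the tail and with it
# this script, so the remaining step is run individually.
docker-compose logs --follow --timestamps --tail="10"
########
# Give the built-in 'admin' user a contact e-mail (mail@example.com is a
# reserved placeholder address; replace it before real use).
docker-compose exec db \
  psql \
  --username='postgres' \
  --dbname='open_lmis' \
  --command="INSERT INTO notification.user_contact_details (allownotify, email, emailverified, referencedatauserid)
SELECT true, 'mail@example.com', true, id
FROM referencedata.users
WHERE username = 'admin';"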
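#!/bin/bash
# CentOS 7, OpenLMIS master/head, Nginx on system host
#
# Installs Docker CE and docker-compose, clones the OpenLMIS reference
# distribution, brings the stack up on port 8080 and puts the nginx.org
# package in front of it on ports 80/443 with a self-signed certificate.
#
# Run as root, step by step (the `docker-compose logs --follow` step blocks
# until interrupted). Environment:
#   FQDN            optional; host name used for VIRTUAL_HOST/BASE_URL and the
#                   certificate CN (defaults to `hostname --long`)
#   COMPOSE_SHA256  optional; expected SHA-256 of the docker-compose release
#                   binary. When set, the download is verified before install.
########
# Not shown: FQDN set as hostname
# Not shown: SELinux to permissive
########
set -euo pipefail

(( EUID == 0 )) || { printf 'must run as root\n' >&2; exit 1; }

readonly compose_version='1.23.2'
readonly distro_dir='/opt/openlmis/distro/'
readonly ssl_dir='/etc/nginx/ssl/'
# Resolved once so settings.env and the certificate CN always agree.
fqdn="${FQDN:-$( hostname --long )}"
readonly fqdn
########
# Docker CE from the upstream yum repository (package signatures checked by yum).
yum install \
  --assumeyes \
  yum-utils \
  device-mapper-persistent-data \
  lvm2
yum-config-manager \
  --add-repo \
  https://download.docker.com/linux/centos/docker-ce.repo
yum install \
  --assumeyes \
  docker-ce \
  docker-ce-cli \
  containerd.io
systemctl enable docker
systemctl start docker
########
# docker-compose is a bare binary from GitHub releases: pin the version, allow
# only HTTPS (including redirects), fail on HTTP errors and verify the digest
# when the caller supplied one.
curl \
  --fail \
  --location \
  --proto '=https' \
  --proto-redir '=https' \
  --tlsv1.2 \
  "https://github.com/docker/compose/releases/download/${compose_version}/docker-compose-$(uname -s)-$(uname -m)" \
  -o /usr/local/sbin/docker-compose
if [[ -n "${COMPOSE_SHA256:-}" ]]; then
  printf '%s  /usr/local/sbin/docker-compose\n' "$COMPOSE_SHA256" | sha256sum --check
fi
chmod 0755 /usr/local/sbin/docker-compose
########
yum install \
  --assumeyes \
  git
git clone \
  --branch 'master' \
  --depth 1 \
  https://github.com/OpenLMIS/openlmis-ref-distro.git \
  "$distro_dir"
cd "$distro_dir"
# settings.env: point the application at this host, enable the production
# profile and require TLS. BASE_URL is left as http:// as in the sample
# settings; confirm against the running deployment before changing it.
sed \
  -r \
  -e "s#^VIRTUAL_HOST.*#VIRTUAL_HOST=${fqdn}#" \
  -e "s#^BASE_URL.*#BASE_URL=http://${fqdn}#" \
  -e 's/^(spring_profiles_active\s*=)/# \1/g' \
  -e 's/^# (spring_profiles_active=production).*/\1/' \
  settings-sample.env > settings.env
# The stack's HTTP port moves to 8080 so the host nginx can own 80/443.
# NOTE(review): whether 8080 is also reachable from the network (bypassing
# nginx) depends on the port mapping in docker-compose.yml — if it is, bind it
# to 127.0.0.1 or firewall it.
printf '\nOL_HTTP_PORT=8080\n' | tee -a .env
sed \
  -r \
  -e '/^REQUIRE_SSL=/ s/=.*/=true/' \
  -i \
  settings.env
########
export spring_profiles_active='production'
docker-compose pull --include-deps
docker-compose up --detach
# Hand-driven check that the stack came up; Ctrl-C ends the tail and with it
# this script, so the remaining steps are run individually.
docker-compose logs --follow --timestamps --tail="10"
########
# Give the built-in 'admin' user a contact e-mail (mail@example.com is a
# reserved placeholder address; replace it before real use).
docker-compose exec db \
  psql \
  --username='postgres' \
  --dbname='open_lmis' \
  --command="INSERT INTO notification.user_contact_details (allownotify, email, emailverified, referencedatauserid)
SELECT true, 'mail@example.com', true, id
FROM referencedata.users
WHERE username = 'admin';"
########
# The nginx-release package is installed straight from a URL, which yum does
# not signature-check by default (localpkg_gpgcheck), so it is at least fetched
# over HTTPS; the repository it configures is then switched to gpgcheck=1 and
# the nginx signing key imported before the nginx package itself is installed.
yum install \
  --assumeyes \
  https://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm \
  openssl \
  yum-utils
yum-config-manager \
  --setopt='nginx.gpgcheck=1' \
  --save
rpm \
  --import \
  /etc/pki/rpm-gpg/RPM-GPG-KEY-nginx
yum install \
  --assumeyes \
  nginx
systemctl enable nginx
systemctl start nginx
mkdir -pv "$ssl_dir"
# Self-signed certificate. The private key is created under a restrictive
# umask and pinned to 0600; the nginx master process reads it as root.
( umask 077
  openssl req \
    -new \
    -sha256 \
    -newkey rsa:2048 \
    -nodes \
    -subj "/CN=${fqdn}" \
    -days 3650 \
    -x509 \
    -keyout "${ssl_dir}server.key" \
    -out "${ssl_dir}server.crt" )
chmod 0644 "${ssl_dir}server.crt"
chmod 0600 "${ssl_dir}server.key"
# Reverse proxy to the compose stack on localhost:8080; certificate paths are
# relative to the nginx prefix (/etc/nginx). Only TLS 1.2 is offered, which is
# what the CentOS 7 OpenSSL supports. The heredoc delimiter is quoted so the
# nginx variables ($host, ...) are written literally.
cat > /etc/nginx/conf.d/default.conf <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    ssl_certificate_key ssl/server.key;
    ssl_certificate ssl/server.crt;
    ssl_protocols TLSv1.2;
    server_name _;
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
# Validate before reloading so a bad config never takes the proxy down.
nginx -t
systemctl reload-or-try-restart nginx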