
@rokcarl
Last active February 26, 2021 08:35
Get GeoNode on 3.1 working with HTTPS, custom certs.
  1. Put the certificate chain and private key in /etc/ssl/ as maps.company.com.pem and maps.company.com.key (nginx.conf references these exact paths). Keep the .key file readable by root only (e.g. chmod 600), since it is bind-mounted into the nginx container.
  2. Put nginx.conf in the root of the project.
  3. Apply the diff for docker-compose.yml.
  4. Add your .env file. The diff below passes it as env_file to the db, django and celery services, so every variable in it ends up in all three containers; keep it out of version control (.gitignore) and out of image build contexts (.dockerignore).
  5. Run project with docker-compose up -d.
diff --git a/docker-compose.yml b/docker-compose.yml
index d5fd22f..41499fc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -15,6 +15,7 @@ services:
- dbbackups:/pg_backups
env_file:
- ./scripts/docker/env/${SET_DOCKER_ENV}/db.env
+ - ./.env
rabbitmq:
image: rabbitmq
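Review bot: The same `./.env` is added as `env_file` to the db service here and to the django and celery services in the next two hunks, so every variable in it becomes part of all three containers' environments and is readable by anyone who can `docker inspect` or exec into any one of them. If Django secrets (SECRET_KEY, OAuth client secrets) or database credentials live in that file, the database container gets the Django secrets and the workers get the database superuser password, which is wider than either needs. Consider keeping only shared, non-secret settings in `./.env` and the per-service secrets in the existing `scripts/docker/env/${SET_DOCKER_ENV}/*.env` files, and make sure `.env` is listed in `.gitignore` and `.dockerignore`.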
@@ -65,6 +66,7 @@ services:
- backup-restore:/backup_restore
env_file:
- ./scripts/docker/env/${SET_DOCKER_ENV}/django.env
+ - ./.env
environment:
- IS_CELERY=false
- UWSGI_CMD=uwsgi --ini /usr/src/app/uwsgi.ini
@@ -89,6 +91,7 @@ services:
- backup-restore:/backup_restore
env_file:
- ./scripts/docker/env/${SET_DOCKER_ENV}/django.env
+ - ./.env
environment:
- IS_CELERY=true
- CELERY_CMD=celery -A geonode.celery_app:app worker -B -E --statedb=/mnt/volumes/statics/worker.state -s /mnt/volumes/statics/celerybeat-schedule --loglevel=INFO --concurrency=10 -n worker1@%h -f /var/log/celery.log
@@ -107,8 +110,11 @@ services:
- geoserver
ports:
- "80:80"
+ - "443:443"
volumes:
- statics:/mnt/volumes/statics
+ - /etc/ssl:/etc/ssl
+ - ./nginx.conf:/etc/nginx/nginx.conf
data-dir-conf:
image: geonode/geoserver_data:2.17.2
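Review bot: `- /etc/ssl:/etc/ssl` bind-mounts the entire host directory into the nginx container read-write, which exposes the private key and everything else under it, and it shadows the image's own `/etc/ssl` (on Debian-based images the CA bundle symlinks and openssl.cnf), which can break outgoing TLS from that container. Mount only the two files nginx needs and make both mounts read-only: `- /etc/ssl/maps.company.com.pem:/etc/ssl/maps.company.com.pem:ro`, `- /etc/ssl/maps.company.com.key:/etc/ssl/maps.company.com.key:ro`, and `- ./nginx.conf:/etc/nginx/nginx.conf:ro`. The container should also not need to write to the config file, so nothing is lost with `:ro`.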
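# nginx.conf
# Reverse proxy in front of GeoNode (Django via uWSGI) and GeoServer.
# TLS is terminated here; the hops to django:8000 and geoserver:8080 stay
# plain HTTP inside the docker network (see the port-80 servers below).
user nginx;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 4096;

events {
    worker_connections 4096;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    sendfile on;
    #tcp_nopush on;

    # Long timeouts: GeoNode uploads and GeoServer requests can take minutes.
    keepalive_timeout 600;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    send_timeout 600;
    uwsgi_read_timeout 600;
    proxy_read_timeout 600s;

    # This is the main geonode conf
    charset utf-8;

    # max upload size for GeoNode layer/document uploads. Any client can open
    # a request body this large, so watch disk usage on the upload volume.
    client_max_body_size 100G;
    client_body_buffer_size 256K;
    large_client_header_buffers 4 64k;

    # Kept from the upstream template; it only affects fastcgi_pass responses
    # and this file uses uwsgi_pass/proxy_pass, so it is currently a no-op.
    fastcgi_hide_header Set-Cookie;
    etag on;

    # compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_http_version 1.1;
    gzip_disable "MSIE [1-6]\.";
    gzip_buffers 16 8k;
    gzip_min_length 1100;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    # http - internal, unencrypted server reachable only by the names below.
    # Keep it even if no external HTTP host is wanted: GeoNode's internal API
    # calls between django and geoserver go through it. If an internal caller
    # uses another host name, add it to server_name rather than relying on
    # default-server fallback.
    # TODO: do not use unencrypted connections even inside the docker network.
    server {
        listen 80;
        server_name 127.0.0.1 geonode;
        include sites-enabled/*.conf;
    }

    # Default server for port 80. Without `default_server`, nginx routes any
    # unknown Host (including maps.company.com over plain HTTP) to the FIRST
    # listen-80 server above and serves the whole site unencrypted. Everything
    # that is not an internal name is redirected to HTTPS using a fixed host,
    # so an attacker-supplied Host header cannot steer the redirect.
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://maps.company.com$request_uri;
    }

    server {
        listen 443 ssl;
        server_name maps.company.com;
        keepalive_timeout 70;
        index index.html index.htm;
        root /mnt/volumes/statics/;

        ssl_certificate /etc/ssl/maps.company.com.pem;
        ssl_certificate_key /etc/ssl/maps.company.com.key;
        # TLS 1.0/1.1 are deprecated (RFC 8996). The TLSv1.3 token needs
        # nginx 1.13+; on an OpenSSL without TLS 1.3 it is simply inactive.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1d;

        # HSTS. add_header is NOT inherited into a level that defines its own
        # add_header, so it is repeated in the blocks below that emit CORS
        # headers; otherwise responses from @django would lack it.
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            # CORS preflight is answered here without reaching Django.
            # NOTE(review): no Access-Control-Allow-Origin is set anywhere in
            # this file, so browsers will not honour these headers at all, and
            # Allow-Credentials is "true" here but "false" in @django.
            # Reconcile both if cross-origin access is actually needed.
            if ($request_method = OPTIONS) {
                add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, OPTIONS";
                add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept";
                add_header Access-Control-Allow-Credentials true;
                add_header Content-Length 0;
                add_header Content-Type text/plain;
                add_header Access-Control-Max-Age 1728000;
                add_header Strict-Transport-Security "max-age=31536000" always;
                return 200;
            }
            # static files from the statics volume first, everything else to Django
            try_files $uri @django;
        }

        location @django {
            include uwsgi_params;
            uwsgi_pass uwsgi://django:8000;
            add_header Access-Control-Allow-Credentials false;
            add_header Access-Control-Allow-Headers "Content-Type, Accept, Authorization, Origin, User-Agent";
            add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, OPTIONS";
            add_header Strict-Transport-Security "max-age=31536000" always;
        }

        location /geoserver {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # lets GeoServer build https:// URLs when its proxy base URL is configured
            proxy_set_header X-Forwarded-Proto $scheme;
            # plain HTTP hop inside the docker network
            proxy_pass http://geoserver:8080/geoserver;
        }
    }
}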
@gannebamm

way too few lines of diff. 10k is the way to go :P

Happy to see you´ve got it running 👍
