From c421c8aa7a80c6fd2ccce1dad03dd50ebe116ebf Mon Sep 17 00:00:00 2001 From: Hans Bakker Date: Sun, 30 Jun 2024 09:20:12 +0700 Subject: [PATCH] added ssl example --- docker-compose.yml | 8 +++- gateway/ssl.conf | 93 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 gateway/ssl.conf diff --git a/docker-compose.yml b/docker-compose.yml index 670e20ac5..30afd959d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -9,6 +9,10 @@ services: - backend ports: - "80:80" + # add these lines for https + # - "443:443" + # volumes: + # - ./nginx:/etc/nginx/conf.d frontend: image: openmrs/openmrs-reference-application-3-frontend:${TAG:-qa} @@ -19,7 +23,7 @@ services: SPA_CONFIG_URLS: /openmrs/spa/config-core_demo.json SPA_DEFAULT_LOCALE: healthcheck: - test: ["CMD", "curl", "-f", "http://localhost/"] + test: [ "CMD", "curl", "-f", "http://localhost/" ] timeout: 5s depends_on: - backend @@ -38,7 +42,7 @@ services: OMRS_CONFIG_CONNECTION_USERNAME: ${OPENMRS_DB_USER:-openmrs} OMRS_CONFIG_CONNECTION_PASSWORD: ${OPENMRS_DB_PASSWORD:-openmrs} healthcheck: - test: ["CMD", "curl", "-f", "http://localhost:8080/openmrs"] + test: [ "CMD", "curl", "-f", "http://localhost:8080/openmrs" ] timeout: 5s volumes: - openmrs-data:/openmrs/data diff --git a/gateway/ssl.conf b/gateway/ssl.conf new file mode 100644 index 000000000..3ebdb1172 --- /dev/null +++ b/gateway/ssl.conf 
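Review bot: The commented-out `volumes:` entry in the first hunk mounts `./nginx` into `/etc/nginx/conf.d` read-write, and the new `gateway/ssl.conf` header tells the user to copy `private.key` into that same directory next to the compose file. The mount should be read-only, `# - ./nginx:/etc/nginx/conf.d:ro`, and the comment should say that `./nginx` must be excluded from version control so the key is not committed with the project. Mounting a host directory over `conf.d` presumably also replaces whatever configuration the gateway image ships there, which is worth stating in the comment so users know the stock config is not merged with `ssl.conf`.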
@@ -0,0 +1,93 @@
+# to run the openmrs application using ssl certificates
+# modify the 'your.server.name' to your domainname in this file
+# create a 'nginx' directory where your docker.compose.yaml file is located
+# copy into this directory:
+# 1. this file
+# 2. certificate.crt
+# 3. private.key
+#
+# un-comment the lines in docker.compose under the gateway service
+# restart with: docker compose up
+
+server {
+ listen 80;
+ server_name your.server.name;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+server {
+ listen 443 ssl;
+ server_name your.server.name;
+
+ ssl_certificate /etc/nginx/conf.d/certificate.crt;
+ ssl_certificate_key /etc/nginx/conf.d/private.key;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Content-Security-Policy $csp_header;
+ add_header X-Content-Type-Options nosniff;
+
+ proxy_set_header HOST $host;
+ proxy_set_header X-Forwarded-Proto $forwarded_proto;
+ proxy_set_header X-Real-IP $forwarded_ip;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # if serving this via HTTPS, the following is recommended
+ # proxy_cookie_flags $var_proxy_cookie_flags;
+ proxy_http_version 1.1;
+
+ gzip on;
+ gzip_vary on;
+ # 1 KiB
+ gzip_min_length 1024;
+ gzip_proxied any;
+ gzip_http_version 1.0;
+ gzip_types font/eot
+ font/otf
+ font/ttf
+ image/svg+xml
+ text/css
+ text/html
+ text/javascript
+ text/plain
+ text/xml
+ application/atom+xml
+ application/geo+json
+ application/importmap+json
+ application/javascript
+ application/x-javascript
+ application/json
+ application/ld+json
+ application/fhir+json
+ application/fhir+xml
+ application/manifest+json
+ application/rdf+xml
+ application/rss+xml
+ application/xhtml+xml
+ application/xml;
+
+ # all redirects are relative to the gateway
+ absolute_redirect off;
+
+ location = /openmrs/spa {
+ return 301 /openmrs/spa/;
+ }
+
+ location /openmrs/spa/ {
+ proxy_pass http://frontend/;
+ proxy_redirect http://$host/ /openmrs/spa/;
+ }
+
+ location /openmrs {
+ proxy_pass http://backend;
+ }
+
+ location = / {
+ return 301 /openmrs/spa/;
+ }
+}
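Review bot: The `listen 443 ssl` server block keeps `proxy_cookie_flags` commented out even though its own comment says it is recommended when serving via HTTPS; since this file is the HTTPS variant, the directive should be active, e.g. `proxy_cookie_flags ~ secure;` (or the existing `$var_proxy_cookie_flags` form once that variable is defined), so cookies proxied from the backend carry the Secure flag. The block also sends no HSTS header; `add_header Strict-Transport-Security "max-age=31536000" always;` next to the other `add_header` lines keeps browsers on HTTPS after the first port-80 redirect. `$csp_header`, `$forwarded_proto` and `$forwarded_ip` are referenced but not defined anywhere in this file, so if the `./nginx` volume mount replaces the image's stock `conf.d`, nginx will presumably reject the configuration with an unknown-variable error unless the `map` blocks defining them are copied into that directory too — the header comment should list them alongside the certificate and key. The header comment also refers to `docker.compose.yaml`, while the repository file is `docker-compose.yml`.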