How to use HTTPS with the Pulp compose setup

Problem:
Following the doc https://github.com/pulp/pulp-oci-images/tree/latest/images/compose, Pulp is served over plain HTTP. How can I set up HTTPS?


Here is some info on how to set up compose.yml with HTTPS:
→ modify assets/nginx/nginx.conf.template; I copied the one from images/s6_assets/ssl_nginx.conf

→ generate a self-signed certificate and copy it to images/compose/assets/certs/pulp_webserver.crt and images/compose/assets/certs/pulp_webserver.key

→ modify compose.yml:

 pulp_web:
    image: "pulp/pulp-web:latest"
    command: ['/usr/bin/nginx.sh']
    depends_on:
      pulp_api:
        condition: service_healthy
      pulp_content:
        condition: service_healthy
    # Both ports must be published: 443 serves TLS and 80 only answers with a
    # redirect to 443 (see the two server blocks in nginx.conf.template).
    ports:
      - "80:80"
      - "443:443"
    hostname: pulp
    # NOTE(review): nginx runs as root in this container; confirm that is
    # required (binding 80/443, reading the key) rather than a leftover.
    user: root
    volumes:
      - "./assets/bin/nginx.sh:/usr/bin/nginx.sh:Z"
      - "./assets/nginx/nginx.conf.template:/etc/opt/rh/rh-nginx116/nginx/nginx.conf.template:Z"
      # Cert and key land at /etc/pulp/certs/pulp_webserver.{crt,key}, the paths
      # ssl_certificate / ssl_certificate_key point to in the nginx template.
      # ':z' is the shared SELinux relabel (the mounts above use private ':Z');
      # keep pulp_webserver.key out of version control.
      - "./assets/certs:/etc/pulp/certs:z"
    restart: always

Note the two published ports, 80 and 443, and the assets/certs/ volume.

Before, I only published one port (either 80 or 443), so it was not correct :frowning:


For the record, copying images/s6_assets/ssl_nginx.conf is not enough; in fact it needs some changes. After referring to the conf of the all_in_one container, here is the example of images/compose/assets/nginx/nginx.conf.template which works: it listens on 443 and redirects 80 to 443.

images/compose/assets/nginx/nginx.conf.template

# nginx template for the pulp_web container: TLS is terminated on 443 and a
# second server block on 80 only redirects to HTTPS.
# $NAMESERVER is a template variable — presumably substituted by nginx.sh when
# the container starts; verify against that script.
error_log /dev/stdout info;
worker_processes 1;
events {
worker_connections 1024; # increase if you have lots of clients
accept_mutex off; # set to 'on' if nginx worker_processes > 1
}

http {
access_log /dev/stdout;
include mime.types;
# fallback in case we can't determine a type
default_type application/octet-stream;
sendfile on;

# If left at the default of 1024, nginx emits a warning about being unable
# to build optimal hash types.
types_hash_max_size 4096;

server {
    # This logic enables us to have multiple servers, and check to see
    # if they are scaled every 10 seconds.
    # https://www.nginx.com/blog/dns-service-discovery-nginx-plus#domain-name-variable
    # https://serverfault.com/a/821625/189494
    resolver $NAMESERVER valid=10s;
    set $pulp_api pulp_api;
    set $pulp_content pulp_content;

    # Gunicorn docs suggest the use of the "deferred" directive on Linux.
    #listen 8080 default_server deferred;
    #listen [::]:8080 default_server deferred;
    listen 443 default_server deferred ssl;
    listen [::]:443 default_server deferred ssl;
    # These paths are where compose.yml mounts ./assets/certs.
    ssl_certificate /etc/pulp/certs/pulp_webserver.crt;
    ssl_certificate_key /etc/pulp/certs/pulp_webserver.key;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set, so the defaults of
    # this nginx build apply; consider pinning ssl_protocols to TLSv1.2 TLSv1.3
    # if the image's OpenSSL supports them. No Strict-Transport-Security header
    # is sent either — consider add_header once clients trust the certificate.


    # If you have a domain name, this is where to add it
    server_name $hostname;

    # The default client_max_body_size is 1m. Clients uploading
    # files larger than this will need to chunk said files.
    client_max_body_size 10m;

    # Gunicorn docs suggest this value.
    keepalive_timeout 5;

    # static files that can change dynamically, or are needed for TLS
    # purposes are served through the webserver.
    root /opt/app-root/src;

    location /pulp/content/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # forwards the client-facing scheme (https on this listener) to the backend
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;
        # upstream hop is plain HTTP on the compose network
        proxy_pass http://$pulp_content:24816;
    }

    location /pulp/api/v3/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;
        proxy_pass http://$pulp_api:24817;
    }

    location /auth/login/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;
        proxy_pass http://$pulp_api:24817;
    }

    # drop-in snippets shipped with the image; included before the catch-all
    include /opt/app-root/etc/nginx.default.d/*.conf;

    # catch-all: everything not matched above goes to the API service
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;
        proxy_pass http://$pulp_api:24817;
        # static files are served through whitenoise - http://whitenoise.evans.io/en/stable/
    }
}

# Plain-HTTP listener: serves nothing itself, only a permanent redirect to the
# same host and path over HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

}
