Add webroot when creating a certificate and use letsencrypt.conf for all installations

This commit is contained in:
Evgeniy Antonyuk 2023-09-06 17:49:13 +05:00
parent 0313e835b0
commit 42d996a60d
13 changed files with 48 additions and 25 deletions


@ -1336,19 +1336,17 @@ install_product () {
reconfigure APP_URL_PORTAL "${APP_URL_PORTAL:-"http://${PACKAGE_SYSNAME}-router:8092"}"
reconfigure EXTERNAL_PORT ${EXTERNAL_PORT}
if [ ! -z "${CERTIFICATE_PATH}" ] && [ ! -z "${CERTIFICATE_KEY_PATH}" ]; then
bash $BASE_DIR/config/${PRODUCT}-ssl-setup -f "${CERTIFICATE_PATH}" "${CERTIFICATE_KEY_PATH}"
PROXY_YML="${BASE_DIR}/proxy-ssl.yml"
elif [ ! -z "${LETS_ENCRYPT_DOMAIN}" ] && [ ! -z "${LETS_ENCRYPT_MAIL}" ]; then
bash $BASE_DIR/config/${PRODUCT}-ssl-setup "${LETS_ENCRYPT_MAIL}" "${LETS_ENCRYPT_DOMAIN}"
PROXY_YML="${BASE_DIR}/proxy-ssl.yml"
fi
docker-compose -f $BASE_DIR/migration-runner.yml up -d
docker-compose -f $BASE_DIR/${PRODUCT}.yml up -d
docker-compose -f ${PROXY_YML} up -d
docker-compose -f $BASE_DIR/notify.yml up -d
docker-compose -f $BASE_DIR/healthchecks.yml up -d
if [ ! -z "${CERTIFICATE_PATH}" ] && [ ! -z "${CERTIFICATE_KEY_PATH}" ]; then
bash $BASE_DIR/config/${PRODUCT}-ssl-setup -f "${CERTIFICATE_PATH}" "${CERTIFICATE_KEY_PATH}"
elif [ ! -z "${LETS_ENCRYPT_DOMAIN}" ] && [ ! -z "${LETS_ENCRYPT_MAIL}" ]; then
bash $BASE_DIR/config/${PRODUCT}-ssl-setup "${LETS_ENCRYPT_MAIL}" "${LETS_ENCRYPT_DOMAIN}"
fi
}
make_swap () {
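Review bot: The exit status of the ssl-setup call at the bottom of install_product is never checked, so a failed Let's Encrypt issuance (DNS not pointing at the host, port 80 blocked, webroot volume absent) leaves the stack running over plain HTTP with nothing telling the installer; `bash "$BASE_DIR/config/${PRODUCT}-ssl-setup" "${LETS_ENCRYPT_MAIL}" "${LETS_ENCRYPT_DOMAIN}" || echo "Error: SSL setup failed, the portal is running without TLS" >&2` at least surfaces it, and quoting `$BASE_DIR` closes the word-splitting hole on the same line. The `[ ! -z "${…}" ]` tests read more directly as `[ -n "${…}" ]`. install_product begins before this hunk, so whether `set -e` or an earlier guard already covers this call is not visible here.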


@ -7,6 +7,7 @@ DIR="/usr/bin"
LETSENCRYPT="/etc/letsencrypt/live";
NGINX="/etc/nginx/conf.d"
DHPARAM_FILE="/etc/ssl/certs/dhparam.pem"
WEBROOT_PATH="/var/www/${PRODUCT}"
if [ "$#" -ge "2" ]; then
if [ "$1" != "-f" ]; then
@ -27,8 +28,8 @@ if [ "$#" -ge "2" ]; then
echo "Generating Let's Encrypt SSL Certificates..."
# Request and generate Let's Encrypt SSL certificate
echo certbot certonly --expand --webroot --noninteractive --agree-tos --email ${MAIL} -d ${DOMAIN} > /var/log/le-start.log
certbot certonly --expand --webroot --noninteractive --agree-tos --email ${MAIL} -d ${DOMAIN} > /var/log/le-new.log
echo certbot certonly --expand --webroot -w ${WEBROOT_PATH} --cert-name ${PRODUCT} --noninteractive --agree-tos --email ${MAIL} -d ${DOMAIN} > /var/log/le-start.log
certbot certonly --expand --webroot -w ${WEBROOT_PATH} --cert-name ${PRODUCT} --noninteractive --agree-tos --email ${MAIL} -d ${DOMAIN} > /var/log/le-new.log
else
echo "Using specified files to configure SSL..."
@ -38,8 +39,8 @@ if [ "$#" -ge "2" ]; then
[[ ! -f "${DHPARAM_FILE}" ]] && openssl dhparam -out ${DHPARAM_FILE} 4096
CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${DOMAIN}/fullchain.pem"}"
PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${DOMAIN}/privkey.pem"}"
CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${PRODUCT}/fullchain.pem"}"
PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${PRODUCT}/privkey.pem"}"
if [ -f "${CERTIFICATE_FILE}" -a -f ${PRIVATEKEY_FILE} ]; then
if [ -f "${NGINX}/onlyoffice-proxy-ssl.conf.template" ]; then
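Review bot: `--cert-name ${PRODUCT}` on the new certbot lines and `WEBROOT_PATH="/var/www/${PRODUCT}"` depend on PRODUCT being set, but nothing visible in this hunk guards it; with an empty PRODUCT the webroot becomes `/var/www/` and the default CERTIFICATE_FILE resolves to `/etc/letsencrypt/live//fullchain.pem`, so the later `-f` test fails in an unobvious way. A `: "${PRODUCT:?PRODUCT must be set}"` next to the WEBROOT_PATH assignment makes the failure explicit; the same applies to the docker ssl-setup hunk on this page (`WEBROOT_PATH="/letsencrypt"` and its `--cert-name ${PRODUCT}`). `${MAIL}`, `${DOMAIN}` and `${WEBROOT_PATH}` are also unquoted on the certbot command lines (SC2086). The enclosing `if [ "$#" -ge "2" ]` block starts and ends outside this hunk.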


@ -3,6 +3,7 @@
../../../build/install/docker/config/nginx/templates/*.template etc/onlyoffice/{{product}}/nginx
../../../build/install/docker/config/nginx/onlyoffice* etc/nginx/conf.d
../../../config/nginx/onlyoffice*.conf etc/nginx/conf.d
../../../build/install/docker/config/nginx/letsencrypt* etc/nginx/includes
../../../config/nginx/includes/onlyoffice*.conf etc/nginx/includes
../../../build/deploy/public/* var/www/{{product}}/public
../../../build/deploy/client/* var/www/{{product}}/client


@ -50,7 +50,8 @@ override_dh_auto_build:
sed 's_\(minlevel=\)".*"_\1"Warn"_g' -i ${SRC_PATH}/config/nlog.config
sed 's/teamlab.info/onlyoffice.com/g' -i ${SRC_PATH}/config/autofac.consumers.json
sed -e 's/$$router_host/127.0.0.1/g' -e '/proxy_set_header/d' -i ${SRC_PATH}/build/install/docker/config/nginx/onlyoffice-proxy*.conf
sed -e 's/$$router_host/127.0.0.1/g' -e '/proxy_set_header/d' -e 's|includes|/etc/nginx/includes|g' -i ${SRC_PATH}/build/install/docker/config/nginx/onlyoffice-proxy*.conf
sed "s|\(.*root\).*;|\1 \"/var/www/${PRODUCT}";|g" -i ${SRC_PATH}/build/install/docker/config/nginx/letsencrypt.conf
sed -e '/.pid/d' -e '/temp_path/d' -i ${SRC_PATH}/build/install/docker/config/nginx/templates/nginx.conf.template
mv -f ${SRC_PATH}/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf ${SRC_PATH}/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf.template
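Review bot: The closing quote of the replacement on the new letsencrypt.conf sed line is not escaped (`\"/var/www/${PRODUCT}";|g"` — compare the Windows build script further down, which writes `\";|g"`), so as rendered here the shell ends the argument at `${PRODUCT}`, treats `;` as a command separator and reports a syntax error at `|g"`; the line should read `sed "s|\(.*root\).*;|\1 \"/var/www/${PRODUCT}\";|g" -i ${SRC_PATH}/build/install/docker/config/nginx/letsencrypt.conf`. The rpm spec hunk on this page has the same unescaped quote on its letsencrypt.conf line (and passes `-i` twice). The added `-e 's|includes|/etc/nginx/includes|g'` is unanchored and rewrites every `includes` substring in the proxy confs rather than only the new `include includes/letsencrypt.conf;` directive; `-e 's|include includes/|include /etc/nginx/includes/|g'` limits it to that directive.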


@ -7,6 +7,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
DOCKERCOMPOSE=$(dirname "$DIR")
LETSENCRYPT="/etc/letsencrypt/live";
DHPARAM_FILE="/etc/ssl/certs/dhparam.pem"
WEBROOT_PATH="/letsencrypt"
if [ "$#" -ge "2" ]; then
if [ "$1" != "-f" ]; then
@ -15,7 +16,7 @@ if [ "$#" -ge "2" ]; then
LETSENCRYPT_ENABLE="true"
if [ -f "${DOCKERCOMPOSE}/proxy.yml" ]; then
docker-compose -f ${DOCKERCOMPOSE}/proxy.yml down
:
elif [ -f "/app/onlyoffice/proxy.yml" ]; then
DOCKERCOMPOSE="/app/onlyoffice"
DIR="/app/onlyoffice/config"
@ -23,14 +24,25 @@ if [ "$#" -ge "2" ]; then
echo "Error: proxy configuration file not found." && exit 1
fi
if ! docker ps -f "name=onlyoffice-proxy" --format '{{.Names}}' | grep -q "onlyoffice-proxy"; then
echo "Error: the proxy container is not running" && exit 1
fi
if ! docker volume inspect "onlyoffice_webroot_path" &> /dev/null; then
echo "Error: missing webroot_path volume" && exit 1
fi
echo "Generating Let's Encrypt SSL Certificates..."
# Request and generate Let's Encrypt SSL certificate
docker run -it --rm \
-v /etc/letsencrypt:/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
-v /var/log:/var/log \
-v onlyoffice_webroot_path:${WEBROOT_PATH} \
certbot/certbot certonly \
--webroot --non-interactive --agree-tos --email ${MAIL} -d ${DOMAIN}
--expand --webroot -w ${WEBROOT_PATH} \
--cert-name ${PRODUCT} --non-interactive --agree-tos --email ${MAIL} -d ${DOMAIN}
else
echo "Using specified files to configure SSL..."
@ -40,11 +52,13 @@ if [ "$#" -ge "2" ]; then
[[ ! -f "${DHPARAM_FILE}" ]] && openssl dhparam -out ${DHPARAM_FILE} 4096
CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${DOMAIN}/fullchain.pem"}"
PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${DOMAIN}/privkey.pem"}"
CERTIFICATE_FILE="${CERTIFICATE_FILE:-"${LETSENCRYPT}/${PRODUCT}/fullchain.pem"}"
PRIVATEKEY_FILE="${PRIVATEKEY_FILE:-"${LETSENCRYPT}/${PRODUCT}/privkey.pem"}"
if [ -f "${CERTIFICATE_FILE}" -a -f ${PRIVATEKEY_FILE} ]; then
if [ -f ${DOCKERCOMPOSE}/.env -a -f ${DOCKERCOMPOSE}/proxy-ssl.yml ]; then
docker-compose -f ${DOCKERCOMPOSE}/proxy.yml down
sed -i "s~\(APP_URL_PORTAL=\).*~\1\"https://${DOMAIN:-$(hostname --fqdn)}\"~g" ${DOCKERCOMPOSE}/.env
sed -i "s~\(CERTIFICATE_PATH=\).*~\1\"${CERTIFICATE_FILE}\"~g" ${DOCKERCOMPOSE}/.env
sed -i "s~\(CERTIFICATE_KEY_PATH=\).*~\1\"${PRIVATEKEY_FILE}\"~g" ${DOCKERCOMPOSE}/.env
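Review bot: The new certbot container bind-mounts the host's entire `/var/log` read-write (`-v /var/log:/var/log`) although certbot only writes under `/var/log/letsencrypt`; narrowing it to `-v /var/log/letsencrypt:/var/log/letsencrypt` keeps a misbehaving or compromised certbot image from touching other host logs. `docker run -it` also allocates a TTY, so when stdin is not a terminal (cron, a non-interactive installer) the run fails with "the input device is not a TTY" — `--rm` alone is enough for a `--non-interactive` certbot. The volume name `onlyoffice_webroot_path` hardcodes the compose project name; if the stack was brought up under another project name the new `docker volume inspect` check fails although the proxy is running, which deserves a comment at that check. The bare `:` left as the body of `if [ -f "${DOCKERCOMPOSE}/proxy.yml" ]` would read better as a comment, e.g. `# proxy must stay up: certbot's webroot challenge is served through it`.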


@ -1,4 +1,4 @@
location ~ /.well-known/acme-challenge {
root "{APPDIR}letsencrypt";
root "/letsencrypt";
allow all;
}
}
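Review bot: `location ~ /.well-known/acme-challenge` is an unanchored regex with an unescaped `.`, so it is evaluated against every request and also matches any URI that merely contains that text (`/foo/.well-known/acme-challengeX`); a prefix location, `location ^~ /.well-known/acme-challenge/ { root "/letsencrypt"; allow all; }`, matches only the challenge path and takes priority over other regex locations. The `/letsencrypt` root has to agree with the `webroot_path:/letsencrypt` mount in the compose files and the `-w ${WEBROOT_PATH}` passed to certbot, which the other hunks on this page do; a one-line comment naming that coupling would help the next person who moves it.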


@ -57,6 +57,6 @@ server {
location / {
proxy_pass http://$router_host:8092;
}
# The letsencrypt.conf is used for SSL configuration on Windows
# include includes/letsencrypt.conf;
include includes/letsencrypt.conf;
}


@ -12,6 +12,6 @@ server {
location / {
proxy_pass http://$router_host:8092;
}
# The letsencrypt.conf is used for SSL configuration on Windows
# include includes/letsencrypt.conf;
include includes/letsencrypt.conf;
}


@ -21,8 +21,10 @@ services:
environment:
- ROUTER_HOST=${ROUTER_HOST}
volumes:
- webroot_path:/letsencrypt
- proxy_log:/var/log/nginx
- ./config/nginx/templates/nginx.conf.template:/etc/nginx/nginx.conf
- ./config/nginx/letsencrypt.conf:/etc/nginx/includes/letsencrypt.conf
- ./config/nginx/templates/proxy.upstream.conf.template:/etc/nginx/templates/proxy.upstream.conf.template:ro
- ./config/nginx/onlyoffice-proxy-ssl.conf:/etc/nginx/conf.d/default.conf
- ${CERTIFICATE_PATH}:/usr/local/share/ca-certificates/tls.crt
@ -36,3 +38,4 @@ networks:
volumes:
proxy_log:
webroot_path:
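Review bot: The new `./config/nginx/letsencrypt.conf:/etc/nginx/includes/letsencrypt.conf` bind mount is read-write while the neighbouring `proxy.upstream.conf.template` mount is `:ro`; the proxy only reads it, so `- ./config/nginx/letsencrypt.conf:/etc/nginx/includes/letsencrypt.conf:ro` keeps a process in the container from rewriting a host config file. The same applies to the second compose file on this page (the non-SSL proxy). The `webroot_path` named volume is the handoff to the certbot container started by the docker ssl-setup script; a comment on the volume, `# served at /.well-known/acme-challenge by the proxy; certbot writes challenge files here`, would make that dependency visible to whoever edits either side.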


@ -20,8 +20,10 @@ services:
environment:
- ROUTER_HOST=${ROUTER_HOST}
volumes:
- webroot_path:/letsencrypt
- proxy_log:/var/log/nginx
- ./config/nginx/templates/nginx.conf.template:/etc/nginx/nginx.conf
- ./config/nginx/letsencrypt.conf:/etc/nginx/includes/letsencrypt.conf
- ./config/nginx/templates/proxy.upstream.conf.template:/etc/nginx/templates/proxy.upstream.conf.template:ro
- ./config/nginx/onlyoffice-proxy.conf:/etc/nginx/conf.d/default.conf
@ -32,3 +34,4 @@ networks:
volumes:
proxy_log:
webroot_path:


@ -21,8 +21,9 @@ json -I -f %{_builddir}/%{sourcename}/config/apisystem.json -e "this.core.notify
sed 's_\(minlevel=\)".*"_\1"Warn"_g' -i %{_builddir}/%{sourcename}/config/nlog.config
sed 's/teamlab.info/onlyoffice.com/g' -i %{_builddir}/%{sourcename}/config/autofac.consumers.json
sed -e 's/$router_host/127.0.0.1/g' -e '/proxy_set_header/d' -i %{_builddir}/%{sourcename}/build/install/docker/config/nginx/onlyoffice-proxy*.conf
sed -e 's/$router_host/127.0.0.1/g' -e '/proxy_set_header/d' -e 's|includes|/etc/nginx/includes|g' -i %{_builddir}/%{sourcename}/build/install/docker/config/nginx/onlyoffice-proxy*.conf
sed -e '/.pid/d' -e '/temp_path/d' -i %{_builddir}/%{sourcename}/build/install/docker/config/nginx/templates/nginx.conf.template
sed -i "s|\(.*root\).*;|\1 \"/var/www/%{product}";|g" -i %{_builddir}/%{sourcename}/build/install/docker/config/nginx/letsencrypt.conf
find %{_builddir}/%{sourcename}/publish/ \
%{_builddir}/%{sourcename}/ASC.Migration.Runner \


@ -62,5 +62,6 @@ cp -rf %{_builddir}/%{sourcename}/publish/services/ASC.Web.HealthChecks.UI/servi
cp -rf %{_builddir}/%{sourcename}/publish/services/ASC.Web.Studio/service/* "%{buildroot}%{buildpath}/studio/ASC.Web.Studio/"
cp -rf %{_builddir}/%{sourcename}/build/install/docker/config/nginx/onlyoffice-proxy.conf "%{buildroot}%{_sysconfdir}/nginx/conf.d/onlyoffice-proxy.conf"
cp -rf %{_builddir}/%{sourcename}/build/install/docker/config/nginx/onlyoffice-proxy-ssl.conf "%{buildroot}%{_sysconfdir}/nginx/conf.d/onlyoffice-proxy-ssl.conf.template"
cp -rf %{_builddir}/%{sourcename}/build/install/docker/config/nginx/letsencrypt.conf "%{buildroot}%{_sysconfdir}/nginx/includes/letsencrypt.conf"
cp -rf %{_builddir}/%{sourcename}/build/install/docker/config/nginx/templates/nginx.conf.template "%{buildroot}%{_sysconfdir}/onlyoffice/%{product}/nginx/nginx.conf.template"
cp -rf %{_builddir}/%{sourcename}/build/install/common/%{product}-ssl-setup "%{buildroot}%{_bindir}/%{product}-ssl-setup"
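Review bot: The new `cp -rf … letsencrypt.conf "%{buildroot}%{_sysconfdir}/nginx/includes/letsencrypt.conf"` requires `%{buildroot}%{_sysconfdir}/nginx/includes` to already exist, and no `mkdir` for it is in this hunk; the `conf.d` copies above presumably rely on an earlier `mkdir -p` outside the hunk, so the includes directory should be created the same way (and the file listed under `%files`), otherwise `cp` fails during %install. Since the letsencrypt.conf being copied is the one rewritten by the sed in the %build hunk on this page, the two lines are coupled and a short comment on this one saying so would help.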


@ -41,7 +41,7 @@ REM echo ######## SSL configs ########
%sed% -i "s/the_host/host/g" build\install\win\Files\nginx\conf\onlyoffice-proxy.conf build\install\win\Files\nginx\conf\onlyoffice-proxy-ssl.conf.tmpl
%sed% -i "s/the_scheme/scheme/g" build\install\win\Files\nginx\conf\onlyoffice-proxy.conf build\install\win\Files\nginx\conf\onlyoffice-proxy-ssl.conf.tmpl
%sed% -i "s/ssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;/#ssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;/" build\install\win\Files\nginx\conf\onlyoffice-proxy-ssl.conf.tmpl
%sed% -i "s/# include includes\/letsencrypt.conf/include includes\/letsencrypt.conf/" build\install\win\Files\nginx\conf\onlyoffice-proxy.conf build\install\win\Files\nginx\conf\onlyoffice-proxy-ssl.conf.tmpl
%sed% -i "s|\(.*root\).*;|\1 \"{APPDIR}letsencrypt\";|g" -i build\install\win\Files\nginx\conf\includes\letsencrypt.conf
REM echo ######## Delete test and dev configs ########
del /f /q build\install\win\Files\config\*.test.json