certbot wip

orthanc-team · Jun 26, 2024 · 9058ab3 · 9058ab3
1 parent 3b2f77b
commit 9058ab3
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 80 deletions.
diff --git a/sources/nginx/Dockerfile.orthanc-nginx b/sources/nginx/Dockerfile.orthanc-nginx
@@ -13,6 +13,7 @@ ADD nginx/reverse-proxy.* /etc/nginx/disabled-reverse-proxies/
 ADD nginx/orthanc-nginx-*.conf /etc/nginx/disabled-conf/
 
 COPY nginx/docker-entrypoint.sh /scripts/
+COPY nginx/copy-conf-files.sh /scripts/
 
 RUN ls -al /etc/nginx/disabled-reverse-proxies/
 

diff --git a/sources/nginx/Dockerfile.orthanc-nginx-cerbot b/sources/nginx/Dockerfile.orthanc-nginx-cerbot
@@ -6,13 +6,16 @@ FROM jonasal/nginx-certbot
 
 RUN mkdir /etc/nginx/enabled-reverse-proxies
 RUN mkdir /scripts-ot
+ADD nginx/nginx-common.conf /etc/nginx/includes
 
 ADD nginx/reverse-proxy.* /etc/nginx/disabled-reverse-proxies/
 
 ADD nginx/orthanc-nginx-https-certbot.conf /etc/nginx/user_conf.d/
 
+COPY nginx/docker-entrypoint-certbot.sh /scripts-ot/
 COPY nginx/copy-conf-files.sh /scripts-ot/
 
 RUN ls -al /etc/nginx/disabled-reverse-proxies/
 
-CMD ["/bin/bash", "-c", "/scripts-ot/copy-conf-files.sh && /scripts/start_nginx_certbot.sh" ]
+ENTRYPOINT ["./scripts-ot/docker-entrypoint-certbot.sh"]
+
diff --git a/sources/nginx/copy-conf-files.sh b/sources/nginx/copy-conf-files.sh
@@ -4,9 +4,21 @@
 #
 # SPDX-License-Identifier: CC0-1.0
 
-# set -o xtrace
+## configuration files management
+
+# first (and only) arg should be a boolean:
+# 'true' --> https
+# 'false'--> http
+
 set -o errexit
 
+# get https
+if [ "$1" == true ]; then
+  https=true
+else
+  https=false
+fi
+
 enableOrthanc="${ENABLE_ORTHANC:-false}"
 enableOrthancForApi="${ENABLE_ORTHANC_FOR_API:-false}"
 enableOrthancForShares="${ENABLE_ORTHANC_FOR_SHARES:-false}"
@@ -33,8 +45,13 @@ if [[ $enableOrthancForShares == "true" ]]; then
 fi
 
 if [[ $enableKeycloak == "true" ]]; then
-  echo "ENABLE_KEYCLOAK is true -> enable /keycloak/ reverse proxy"
-  cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-https.conf /etc/nginx/enabled-reverse-proxies/
+  if [[ $https == "true" ]]; then
+    echo "ENABLE_KEYCLOAK is true and ENABLE_HTTPS is true -> enable /keycloak/ reverse proxy in https version"
+    cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-https.conf /etc/nginx/enabled-reverse-proxies/
+  else
+    echo "ENABLE_KEYCLOAK is true and ENABLE_HTTPS is false -> enable /keycloak/ reverse proxy in http version"
+    cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-http.conf /etc/nginx/enabled-reverse-proxies/
+  fi
 fi
 
 if [[ $enableOrthancTokenService == "true" ]]; then
@@ -50,4 +67,4 @@ fi
 if [[ $enableOhif == "true" ]]; then
   echo "ENABLE_OHIF is true -> enable /ohif/ reverse proxy"
   cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.ohif.conf /etc/nginx/enabled-reverse-proxies/
-fi
+fi
diff --git a/sources/nginx/docker-entrypoint-certbot.sh b/sources/nginx/docker-entrypoint-certbot.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# set -o xtrace
+set -o errexit
+
+# configuration files management (true for https)
+
+./scripts/copy-conf-files.sh true
+
+# domain name management
+
+if [ -z "${DOMAIN_NAME}" ]; then
+  echo "Error: DOMAIN_NAME is not set or is empty."
+  exit 1
+fi
+domainName="${DOMAIN_NAME}"
+
+sed -i "s/domain-name-placeholder/${domainName}/g" /etc/nginx/enabled-reverse-proxies/orthanc-nginx-https-certbot.conf
+
+# run ngix-certbot original entrypoint
+./scripts/start_nginx_certbot.sh
diff --git a/sources/nginx/docker-entrypoint.sh b/sources/nginx/docker-entrypoint.sh
@@ -7,14 +7,7 @@
 # set -o xtrace
 set -o errexit
 
-enableOrthanc="${ENABLE_ORTHANC:-false}"
-enableOrthancForApi="${ENABLE_ORTHANC_FOR_API:-false}"
-enableOrthancForShares="${ENABLE_ORTHANC_FOR_SHARES:-false}"
-enableKeycloak="${ENABLE_KEYCLOAK:-false}"
-enableOrthancTokenService="${ENABLE_ORTHANC_TOKEN_SERVICE:-false}"
-enableOhif="${ENABLE_OHIF:-false}"
 enableHttps="${ENABLE_HTTPS:-false}"
-enableMedDream="${ENABLE_MEDDREAM:-false}"
 
 ls -al /etc/nginx/disabled-conf/
 
@@ -26,47 +19,7 @@ else
   cp -f /etc/nginx/disabled-conf/orthanc-nginx-http.conf /etc/nginx/conf.d/default.conf
 fi
 
-ls -al /etc/nginx/disabled-reverse-proxies/
-
-if [[ $enableOrthanc == "true" ]]; then
-  echo "ENABLE_ORTHANC is true -> enable /orthanc/ reverse proxy"
-  cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.orthanc.conf /etc/nginx/enabled-reverse-proxies/
-fi
-
-if [[ $enableOrthancForApi == "true" ]]; then
-  echo "ENABLE_ORTHANC_FOR_API is true -> enable /orthanc-api/ reverse proxy"
-  cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.orthanc-api.conf /etc/nginx/enabled-reverse-proxies/
-fi
-
-if [[ $enableOrthancForShares == "true" ]]; then
-  echo "ENABLE_ORTHANC_FOR_SHARES is true -> enable /shares/ reverse proxy"
-  cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.shares.conf /etc/nginx/enabled-reverse-proxies/
-fi
-
-if [[ $enableKeycloak == "true" ]]; then
-  if [[ $enableHttps == "true" ]]; then
-    echo "ENABLE_KEYCLOAK is true and ENABLE_HTTPS is true -> enable /keycloak/ reverse proxy in https version"
-    cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-https.conf /etc/nginx/enabled-reverse-proxies/
-  else
-    echo "ENABLE_KEYCLOAK is true and ENABLE_HTTPS is false -> enable /keycloak/ reverse proxy in http version"
-    cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-http.conf /etc/nginx/enabled-reverse-proxies/
-  fi
-fi
-
-if [[ $enableOrthancTokenService == "true" ]]; then
-  echo "ENABLE_ORTHANC_TOKEN_SERVICE is true -> enable /token-service/ reverse proxy"
-  cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.token-service.conf /etc/nginx/enabled-reverse-proxies/
-fi
-
-if [[ $enableMedDream == "true" ]]; then
-  echo "ENABLE_MEDDREAM is true -> enable /meddream/ reverse proxy"
-  cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.meddream.conf /etc/nginx/enabled-reverse-proxies/
-fi
-
-if [[ $enableOhif == "true" ]]; then
-  echo "ENABLE_OHIF is true -> enable /ohif/ reverse proxy"
-  cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.ohif.conf /etc/nginx/enabled-reverse-proxies/
-fi
+./scripts/copy-conf-files.sh $enableHttps
 
 # call the default nginx entrypoint
 /docker-entrypoint.sh "$@"
diff --git a/sources/nginx/orthanc-nginx-https-certbot.conf b/sources/nginx/orthanc-nginx-https-certbot.conf
@@ -6,37 +6,16 @@ server {
 
 	listen 443 ssl;
 
-	server_name orthanc-con-2023.orthanc.team;
+	server_name domain-name-placeholder;
 
     # Load the certificate files.
-    ssl_certificate         /etc/letsencrypt/live/orthanc-con-2023.orthanc.team/fullchain.pem;
-    ssl_certificate_key     /etc/letsencrypt/live/orthanc-con-2023.orthanc.team/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/orthanc-con-2023.orthanc.team/chain.pem;
+    ssl_certificate         /etc/letsencrypt/live/domain-name-placeholder/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/domain-name-placeholder/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/domain-name-placeholder/chain.pem;
 
-
-	# To avoid 504 error
-	proxy_read_timeout 120s;
-
-	# To avoid "too big header... / 502 Bad Gateway" error (inspired from https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx)
-	proxy_buffer_size   32k;
-	proxy_buffers   64 8k;
-	proxy_busy_buffers_size   48k;
-
-	# To avoid "414 Request-URI Too Large" whant opening 15(!) studies in OHIF
-    large_client_header_buffers 8 16k;
+	# include buffers/timeout parameters
+	include /etc/nginx/includes/nginx-common.conf
 
     # include all reverse proxies that have been enabled through env var (check docker-entrypoint.sh)
 	include /etc/nginx/enabled-reverse-proxies/*.conf;
-}
-
-server {
-
-    listen 80 default_server;
-
-
-    server_name orthanc-con-2023.orthanc.team;
-
-
-    return 301 https://$host$request_uri;
-
 }