diff --git a/.travis.yml b/.travis.yml
index 322ea11..64910ed 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,7 +4,6 @@ services:
   - docker
 before_install:
-  - ln -s docker-compose-nossl.yml docker-compose.yml
   - docker-compose up -d
   - sleep 10
@@ -12,4 +11,4 @@ script:
   - curl -sSf http://localhost > /dev/null
 after_failure:
-  - timeout 3s docker-compose logs app db
+  - timeout 3s docker-compose logs app db web
diff --git a/README.md b/README.md
index f47cceb..12d2f2e 100644
--- a/README.md
+++ b/README.md
@@ -13,12 +13,13 @@ See [README.aws.md](./README.aws.md) if you want to install it on AWS Elastic Be
 ### Install with SSL certificate
-1. Create a symbolic link `docker-compose.yml` to `docker-compose-ssl.yml`:
+1. Open docker-compose.yml and set `MATTERMOST_ENABLE_SSL` to true.
-    ln -s docker-compose-ssl.yml docker-compose.yml
+    environment:
+      - MATTERMOST_ENABLE_SSL=true
-2. Put your SSL certificate as `web/cert/cert.pem` and the private key that has
-   no password as `web/cert/private/key-no-password.pem`. If you don't have
+2. Put your SSL certificate as `./volumes/cert/cert.pem` and the private key that has
+   no password as `./volumes/cert/key-no-password.pem`. If you don't have
    them you may generate a self-signed SSL certificate.
 3. Build and run mattermost
@@ -29,9 +30,10 @@ See [README.aws.md](./README.aws.md) if you want to install it on AWS Elastic Be
 ### Install without SSL certificate
-1. Create a symbolic link `docker-compose.yml` to `docker-compose-nossl.yml`:
+1. Open docker-compose.yml and set `MATTERMOST_ENABLE_SSL` to false.
-    ln -s docker-compose-nossl.yml docker-compose.yml
+    environment:
+      - MATTERMOST_ENABLE_SSL=false
 2. Build and run mattermost
diff --git a/docker-compose-ssl.yml b/docker-compose.yml
similarity index 88%
rename from docker-compose-ssl.yml
rename to docker-compose.yml
index 992adf6..b34d249 100644
--- a/docker-compose-ssl.yml
+++ b/docker-compose.yml
@@ -23,8 +23,11 @@ web:
     - "80:80"
     - "443:443"
   links:
-    - app:platform
+    - app:app
   volumes:
     # This directory must have cert files
     - ./volumes/web/cert:/cert:ro
     - /etc/localtime:/etc/localtime:ro
+  environment:
+    - MATTERMOST_ENABLE_SSL=false
+    - PLATFORM_PORT_80_TCP_PORT=80
diff --git a/web/Dockerfile b/web/Dockerfile
index 5de6e85..af26369 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -3,9 +3,9 @@ FROM ubuntu:14.04
 RUN apt-get update && apt-get install -y nginx
 RUN rm /etc/nginx/sites-enabled/default
-RUN ln -s /etc/nginx/sites-available/mattermost /etc/nginx/sites-enabled/mattermost
-ADD mattermost /etc/nginx/sites-available/
+COPY mattermost /etc/nginx/sites-available/
+COPY mattermost-ssl /etc/nginx/sites-available/
 ADD docker-entry.sh /
 RUN chmod +x /docker-entry.sh
@@ -14,9 +14,6 @@ RUN chmod +x /docker-entry.sh
 RUN ln -sf /dev/stdout /var/log/nginx/access.log
 RUN ln -sf /dev/stderr /var/log/nginx/error.log
-# Define mountable directories.
-VOLUME ["/etc/nginx/sites-enabled", "/etc/nginx/certs", "/etc/nginx/conf.d", "/var/log/nginx", "/var/www/html"]
-
 # Define working directory.
 WORKDIR /etc/nginx
diff --git a/web/docker-entry.sh b/web/docker-entry.sh
index e43ddda..4f90a5b 100644
--- a/web/docker-entry.sh
+++ b/web/docker-entry.sh
@@ -1,4 +1,9 @@
 #!/bin/bash
 echo Starting Nginx
-sed -Ei "s/PLATFORM_PORT/$PLATFORM_PORT_80_TCP_PORT/" /etc/nginx/sites-available/mattermost
+sed -Ei "s/APP_PORT/$PLATFORM_PORT_80_TCP_PORT/" /etc/nginx/sites-available/mattermost
+sed -Ei "s/APP_PORT/$PLATFORM_PORT_80_TCP_PORT/" /etc/nginx/sites-available/mattermost-ssl
+if [ "$MATTERMOST_ENABLE_SSL" = true ]; then
+  ssl="-ssl"
+fi
+ln -s /etc/nginx/sites-available/mattermost$ssl /etc/nginx/sites-enabled/mattermost
 nginx -g 'daemon off;'
diff --git a/web/mattermost b/web/mattermost
index 8145902..ff2d363 100644
--- a/web/mattermost
+++ b/web/mattermost
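Review bot: The cert bind mount `- ./volumes/web/cert:/cert:ro` does not match the path the updated README now tells users to populate (`./volumes/cert/cert.pem` and `./volumes/cert/key-no-password.pem`), so someone following the README with `MATTERMOST_ENABLE_SSL=true` ends up with an empty /cert in the web container and an nginx that cannot load its certificate; either change the mount to `- ./volumes/cert:/cert:ro` or correct the README paths, but the two must agree. `PLATFORM_PORT_80_TCP_PORT=80` is hard-coded here because web/docker-entry.sh still reads that variable name, while the link alias in this same hunk changes from `platform` to `app`; presumably the link-injected variable would now be named after `app`, so this explicit value is what keeps the entry script working and deserves a comment such as `# docker-entry.sh substitutes this into proxy_pass; the link alias no longer provides it`. The hand-set port should also match whatever the app container actually listens on, which this file does not show.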
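Review bot: The two added lines use `COPY` while the neighbouring `ADD docker-entry.sh /` in the same hunk keeps `ADD`; nothing here needs ADD's archive-extraction or remote-URL behaviour, so `COPY docker-entry.sh /` makes the hunk consistent and avoids the implicit extraction semantics for local files. The symlink that used to be created at build time is now created at container start by docker-entry.sh, which is worth a one-line comment above the two COPY lines, e.g. `# both vhosts are shipped; docker-entry.sh enables one of them based on MATTERMOST_ENABLE_SSL`, since a reader of the image alone can no longer see which site is enabled.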
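Review bot: `ln -s /etc/nginx/sites-available/mattermost$ssl /etc/nginx/sites-enabled/mattermost` runs on every container start, so on a restart of the same container the link already exists, `ln` fails with "File exists", and because the script has no `set -e` nginx starts with whichever link the first run created — a change of `MATTERMOST_ENABLE_SSL` between restarts is silently ignored. Use `ln -sf /etc/nginx/sites-available/mattermost$ssl /etc/nginx/sites-enabled/mattermost` (the Dockerfile already uses `-sf` for the log links) so the enabled site always reflects the current setting. Separately, if `PLATFORM_PORT_80_TCP_PORT` is unset the two sed lines rewrite `proxy_pass http://app:APP_PORT;` to `http://app:;`, which nginx rejects at startup with a less obvious error; a guard such as `: "${PLATFORM_PORT_80_TCP_PORT:?must be set}"` before the sed calls fails early with a clear message. The sed substitutions are only idempotent because the `APP_PORT` token is consumed on the first run, which is worth a comment on those lines.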
@@ -1,26 +1,8 @@
-# Uncomment the below configuration and set the server_name correctly if you
-# want to redirect http to https
-#
-# server {
-#   listen 80;
-#   server_name mattermost.example.com;
-#   return 301 https://$server_name$request_uri;
-# }
-
 server {
-  listen 443;
-
-  ssl on;
-  ssl_certificate /cert/cert.pem;
-  ssl_certificate_key /cert/key-no-password.pem;
-  ssl_session_timeout 5m;
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;
-  ssl_prefer_server_ciphers on;
+  listen 80;
   location / {
     gzip off;
-    proxy_set_header X-Forwarded-Ssl on;
     client_max_body_size 50M;
     proxy_set_header Upgrade $http_upgrade;
@@ -29,9 +11,7 @@ server {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Frame-Options SAMEORIGIN;
-    proxy_pass http://app:PLATFORM_PORT;
+    proxy_set_header X-Frame-Options SAMEORIGIN;
+    proxy_pass http://app:APP_PORT;
   }
 }
-
-# See https://github.com/mattermost/platform/blob/master/doc/install/Production-Ubuntu.md for the SSL configuration
diff --git a/web/mattermost-ssl b/web/mattermost-ssl
new file mode 100644
index 0000000..7138661
--- /dev/null
+++ b/web/mattermost-ssl
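Review bot: `proxy_set_header X-Frame-Options SAMEORIGIN;`, re-added on the new side of the second hunk, sets a header on the request forwarded to the app, not on the response returned to the browser, so the clickjacking protection it appears to configure never reaches the client; the response-header directive is `add_header X-Frame-Options SAMEORIGIN;`. The same line is carried into the new web/mattermost-ssl file in this commit and should be corrected there too. The upstream application may set the header itself, in which case the line is merely dead, but proxy_set_header is not the mechanism either way. The two lines in that hunk appear to be removed and re-added with identical text, which suggests a whitespace-only change; if so, a note in the commit description would save the next reader from looking for a semantic difference.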
@@ -0,0 +1,34 @@
+# server {
+#   listen 80;
+#   server_name mattermost.example.com;
+#   return 301 https://$server_name$request_uri;
+# }
+
+server {
+  listen 443;
+
+  ssl on;
+  ssl_certificate /cert/cert.pem;
+  ssl_certificate_key /cert/key-no-password.pem;
+  ssl_session_timeout 5m;
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    gzip off;
+    proxy_set_header X-Forwarded-Ssl on;
+
+    client_max_body_size 50M;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Frame-Options SAMEORIGIN;
+    proxy_pass http://app:APP_PORT;
+  }
+}
+
+# See https://github.com/mattermost/docs/blob/master/source/install/prod-ubuntu.rst for the SSL configuration
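Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and `ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;` are copied unchanged from the old web/mattermost into this new file; TLS 1.0/1.1 and the MEDIUM cipher class are deprecated, and a new file is the natural place to tighten them to `ssl_protocols TLSv1.2;` and drop `MEDIUM` from the cipher string (the docs link at the bottom of the file is the reference for the recommended set). `ssl on;` is the deprecated form and is redundant once the listen directive carries the flag, so `listen 443 ssl;` with the `ssl on;` line removed is the current idiom. The explanatory comment that preceded the commented-out redirect block in the old file ("Uncomment the below configuration and set the server_name correctly if you want to redirect http to https") was dropped in the move, leaving five bare comment lines with no hint of their purpose; restoring that sentence above `# server {` keeps the file self-explanatory.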