Compare commits
46 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
c3ecd245be | ||
|
|
5b52f713bd | ||
|
|
d8c52f8d74 | ||
|
|
2b12534f90 | ||
|
|
6f8c34c0f3 | ||
|
|
ad76445269 | ||
|
|
bb1e8066c4 | ||
|
|
43501880ff | ||
|
|
a758c2c52b | ||
|
|
7647cce8c1 | ||
|
|
c8b5a40f99 | ||
|
|
124a8ba340 | ||
|
|
8d916d82fa | ||
|
|
1f5c1b24f1 | ||
|
|
66ab03e4fe | ||
|
|
bccdcd527d | ||
|
|
689a8f88db | ||
|
|
6a4ab2bd12 | ||
|
|
7c80c1fdb5 | ||
|
|
85375bfcfd | ||
|
|
8553ee32aa | ||
|
|
9eb10f5cf3 | ||
|
|
189bc354fe | ||
|
|
0f0612f484 | ||
|
|
0d5ff88269 | ||
|
|
8a288119d9 | ||
|
|
8f81794e44 | ||
|
|
5f86258eed | ||
|
|
6ba3e35ea0 | ||
|
|
50921a7313 | ||
|
|
4f0087ebac | ||
|
|
a685cc24e5 | ||
|
|
8e796ba46e | ||
|
|
69169f73ee | ||
|
|
7fd2eb47a9 | ||
|
|
1bfa69db5c | ||
|
|
068e654249 | ||
|
|
b4482771f7 | ||
|
|
ed682904c0 | ||
|
|
e56bfe8a35 | ||
|
|
07b368de41 | ||
|
|
1427315ef9 | ||
|
|
492ecd5ca3 | ||
|
|
87fd37fc6f | ||
|
|
0f5428aa0d | ||
|
|
8c8894ea15 |
@ -1,5 +1,3 @@
|
||||
sudo: required
|
||||
|
||||
services:
|
||||
- docker
|
||||
|
||||
|
||||
@ -20,7 +20,7 @@ The following people help to maintain this open source project:
|
||||
|:--------------------------------------|:--------------|
|
||||
| Carlos Tadeu Panato Junior - @cpanato | Feb 18 2018 |
|
||||
|
||||
In case something happens where no maintainers are able to complete their responsibilies, the following sponsoring organization can help find a new maintainer:
|
||||
In case something happens where no maintainers are able to complete their responsibilities, the following sponsoring organization can help find a new maintainer:
|
||||
|
||||
| Sponsoring Organization | Start Date |
|
||||
|:-------------------------------|:--------------|
|
||||
|
||||
25
README.md
25
README.md
@ -1,6 +1,12 @@
|
||||
# Production Docker deployment for Mattermost
|
||||
|
||||
This project enables deployment of a Mattermost server in a multi-node production configuration using Docker.
|
||||
## WARNING:
|
||||
|
||||
The current state of this repository doesn't work out-of-the box since Mattermost server v5.31+ requires PostgreSQL versions of 10 or higher.
|
||||
|
||||
We're actively working on a fix to this repository. Until then, please refer to these upgrade instructions: https://github.com/mattermost/mattermost-docker/issues/489#issuecomment-790277661
|
||||
|
||||
This project enables a deployment of a Mattermost server in a multi-node production configuration using Docker.
|
||||
|
||||
[](https://travis-ci.org/mattermost/mattermost-docker)
|
||||
|
||||
@ -67,6 +73,13 @@ If your database use some custom host and port, it is also possible to configure
|
||||
* `DB_HOST`: database host address
|
||||
* `DB_PORT_NUMBER`: database port
|
||||
|
||||
Use this optional variable if your PostgreSQL connection requires encryption (you may need a certificate authority file and/or a certificate revocation list - check the documentation for your database provider). See the [PostgreSQL notes on encrypted connections](https://www.postgresql.org/docs/current/libpq-ssl.html) for recommendations on what values to use when encryption is needed.
|
||||
* `DB_SSLMODE`: defaults to `disable`, indicating no encryption
|
||||
|
||||
PostgreSQL allows two other variables `sslrootcert` and `sslcrl` for connection strings. However these are not broadly supported when the connection string is specified as a URI. If you need these parameters, use the PostgreSQL-specified environment variables
|
||||
* `PGSSLROOTCERT` specifies the location of CA file
|
||||
* `PGSSLCRL` specifies the location of a certificate revocation list file
|
||||
|
||||
If you use a Mattermost configuration file on a different location than the default one (`/mattermost/config/config.json`) :
|
||||
* `MM_CONFIG`: configuration file location inside the container.
|
||||
|
||||
@ -108,6 +121,14 @@ Put your SSL certificate as `./volumes/web/cert/cert.pem` and the private key th
|
||||
no password as `./volumes/web/cert/key-no-password.pem`. If you don't have
|
||||
them you may generate a self-signed SSL certificate.
|
||||
|
||||
#### Configure SSO with GitLab
|
||||
If you are looking for SSO with GitLab and you use self signed certificate you have to add the PKI chain of your authority in app because Alpine doesn't know him. This is required to avoid **Token request failed: certificate signed by unknown authority**
|
||||
|
||||
For that uncomment this line and replace with the correct path of your PKI chain:
|
||||
```
|
||||
# - <path_to_your_gitlab_pki>/pki_chain.pem:/etc/ssl/certs/pki_chain.pem:ro
|
||||
```
|
||||
|
||||
### Starting/Stopping Docker
|
||||
|
||||
#### Start
|
||||
@ -181,7 +202,7 @@ docker-compose build app
|
||||
docker-compose run app -upgrade_db_30
|
||||
docker-compose up -d
|
||||
```
|
||||
See the [offical Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
|
||||
See the [official Upgrade Guide](http://docs.mattermost.com/administration/upgrade.html) for more details.
|
||||
|
||||
## Installation using Docker Swarm Mode
|
||||
|
||||
|
||||
@ -2,13 +2,14 @@ FROM alpine:3.10
|
||||
|
||||
# Some ENV variables
|
||||
ENV PATH="/mattermost/bin:${PATH}"
|
||||
ENV MM_VERSION=5.19.0
|
||||
ENV MM_INSTALL_TYPE=docker
|
||||
|
||||
# Build argument to set Mattermost edition
|
||||
ARG edition=enterprise
|
||||
ARG PUID=2000
|
||||
ARG PGID=2000
|
||||
ARG MM_BINARY=
|
||||
ARG MM_VERSION=5.31.0
|
||||
|
||||
|
||||
# Install some needed packages
|
||||
@ -18,7 +19,7 @@ RUN apk add --no-cache \
|
||||
jq \
|
||||
libc6-compat \
|
||||
libffi-dev \
|
||||
libcap \
|
||||
libcap \
|
||||
linux-headers \
|
||||
mailcap \
|
||||
netcat-openbsd \
|
||||
@ -28,15 +29,15 @@ RUN apk add --no-cache \
|
||||
|
||||
# Get Mattermost
|
||||
RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
|
||||
&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
|
||||
elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz | tar -xvz ; \
|
||||
else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz | tar -xvz ; fi \
|
||||
&& cp /mattermost/config/config.json /config.json.save \
|
||||
&& rm -rf /mattermost/config/config.json \
|
||||
&& addgroup -g ${PGID} mattermost \
|
||||
&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
|
||||
&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
|
||||
&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
|
||||
&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
|
||||
elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
|
||||
else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
|
||||
&& cp /mattermost/config/config.json /config.json.save \
|
||||
&& rm -rf /mattermost/config/config.json \
|
||||
&& addgroup -g ${PGID} mattermost \
|
||||
&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
|
||||
&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
|
||||
&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
|
||||
|
||||
USER mattermost
|
||||
|
||||
|
||||
@ -2,65 +2,72 @@
|
||||
|
||||
# Function to generate a random salt
|
||||
generate_salt() {
|
||||
tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
|
||||
tr -dc 'a-zA-Z0-9' </dev/urandom | fold -w 48 | head -n 1
|
||||
}
|
||||
|
||||
# Read environment variables or set default values
|
||||
DB_HOST=${DB_HOST:-db}
|
||||
DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
|
||||
# see https://www.postgresql.org/docs/current/libpq-ssl.html
|
||||
# for usage when database connection requires encryption
|
||||
# filenames should be escaped if they contain spaces
|
||||
# i.e. $(printf %s ${MY_ENV_VAR:-''} | jq -s -R -r @uri)
|
||||
# the location of the CA file can be set using environment var PGSSLROOTCERT
|
||||
# the location of the CRL file can be set using PGSSLCRL
|
||||
# The URL syntax for connection string does not support the parameters
|
||||
# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
|
||||
# to set names if using a location other than default
|
||||
DB_USE_SSL=${DB_USE_SSL:-disable}
|
||||
MM_DBNAME=${MM_DBNAME:-mattermost}
|
||||
MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
|
||||
|
||||
if [ "${1:0:1}" = '-' ]; then
|
||||
set -- mattermost "$@"
|
||||
_1=$(echo "$1" | awk '{ s=substr($0, 0, 1); print s; }')
|
||||
if [ "$_1" = '-' ]; then
|
||||
set -- mattermost "$@"
|
||||
fi
|
||||
|
||||
if [ "$1" = 'mattermost' ]; then
|
||||
# Check CLI args for a -config option
|
||||
for ARG in $@;
|
||||
do
|
||||
case "$ARG" in
|
||||
-config=*)
|
||||
MM_CONFIG=${ARG#*=};;
|
||||
esac
|
||||
for ARG in "$@"; do
|
||||
case "$ARG" in
|
||||
-config=*) MM_CONFIG=${ARG#*=} ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ ! -f $MM_CONFIG ]
|
||||
then
|
||||
if [ ! -f "$MM_CONFIG" ]; then
|
||||
# If there is no configuration file, create it with some default values
|
||||
echo "No configuration file" $MM_CONFIG
|
||||
echo "No configuration file $MM_CONFIG"
|
||||
echo "Creating a new one"
|
||||
# Copy default configuration file
|
||||
cp /config.json.save $MM_CONFIG
|
||||
# Substitue some parameters with jq
|
||||
jq '.ServiceSettings.ListenAddress = ":8000"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.LogSettings.EnableConsole = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.LogSettings.ConsoleLevel = "ERROR"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.FileSettings.Directory = "/mattermost/data/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.FileSettings.EnablePublicLink = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.FileSettings.PublicLinkSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.SendEmailNotifications = false' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.FeedbackEmail = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.SMTPServer = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.SMTPPort = ""' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.InviteSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.EmailSettings.PasswordResetSalt = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.RateLimitSettings.Enable = true' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.SqlSettings.DriverName = "postgres"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.SqlSettings.AtRestEncryptKey = "'$(generate_salt)'"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
jq '.PluginSettings.Directory = "/mattermost/plugins/"' $MM_CONFIG > $MM_CONFIG.tmp && mv $MM_CONFIG.tmp $MM_CONFIG
|
||||
cp /config.json.save "$MM_CONFIG"
|
||||
# Substitute some parameters with jq
|
||||
jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" >"$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
|
||||
else
|
||||
echo "Using existing config file" $MM_CONFIG
|
||||
echo "Using existing config file $MM_CONFIG"
|
||||
fi
|
||||
|
||||
# Configure database access
|
||||
if [[ -z "$MM_SQLSETTINGS_DATASOURCE" && ! -z "$MM_USERNAME" && ! -z "$MM_PASSWORD" ]]
|
||||
then
|
||||
echo -ne "Configure database connection..."
|
||||
if [ -z "$MM_SQLSETTINGS_DATASOURCE" ] && [ -n "$MM_USERNAME" ] && [ -n "$MM_PASSWORD" ]; then
|
||||
echo "Configure database connection..."
|
||||
# URLEncode the password, allowing for special characters
|
||||
ENCODED_PASSWORD=$(printf %s $MM_PASSWORD | jq -s -R -r @uri)
|
||||
export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10"
|
||||
echo OK
|
||||
ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
|
||||
export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
|
||||
echo "OK"
|
||||
else
|
||||
echo "Using existing database connection"
|
||||
fi
|
||||
|
||||
@ -3,6 +3,7 @@ FROM postgres:9.4-alpine
|
||||
ENV DEFAULT_TIMEZONE UTC
|
||||
|
||||
# Install some packages to use WAL
|
||||
RUN echo "azure<5.0.0" > pip-constraints.txt
|
||||
RUN apk add --no-cache \
|
||||
build-base \
|
||||
curl \
|
||||
@ -13,7 +14,9 @@ RUN apk add --no-cache \
|
||||
py-pip \
|
||||
py-cryptography \
|
||||
pv \
|
||||
&& pip --no-cache-dir install 'wal-e<1.0.0' envdir \
|
||||
libressl-dev \
|
||||
&& pip install --upgrade pip \
|
||||
&& pip --no-cache-dir install -c pip-constraints.txt 'wal-e<1.0.0' envdir \
|
||||
&& rm -rf /var/cache/apk/* /tmp/* /var/tmp/*
|
||||
|
||||
# Add wale script
|
||||
|
||||
@ -5,7 +5,7 @@ export WAL_LEVEL=${WAL_LEVEL:-minimal}
|
||||
export ARCHIVE_MODE=${ARCHIVE_MODE:-off}
|
||||
export ARCHIVE_TIMEOUT=${ARCHIVE_TIMEOUT:-60}
|
||||
|
||||
function update_conf () {
|
||||
function update_conf() {
|
||||
wal=$1
|
||||
# PGDATA is defined in upstream postgres dockerfile
|
||||
config_file=$PGDATA/postgresql.conf
|
||||
@ -23,11 +23,11 @@ function update_conf () {
|
||||
sed -i "s/archive_command =.*$//g" $config_file
|
||||
|
||||
# Configure wal-e
|
||||
if [ "$wal" = true ] ; then
|
||||
if [ "$wal" = true ]; then
|
||||
/docker-entrypoint-initdb.d/setup-wale.sh
|
||||
fi
|
||||
echo "log_timezone = $DEFAULT_TIMEZONE" >> $config_file
|
||||
echo "timezone = $DEFAULT_TIMEZONE" >> $config_file
|
||||
echo "log_timezone = $DEFAULT_TIMEZONE" >>$config_file
|
||||
echo "timezone = $DEFAULT_TIMEZONE" >>$config_file
|
||||
}
|
||||
|
||||
if [ "${1:0:1}" = '-' ]; then
|
||||
@ -46,7 +46,7 @@ if [ "$1" = 'postgres' ]; then
|
||||
done
|
||||
|
||||
# Setup wal-e env variables
|
||||
if [ "$wal_enable" = true ] ; then
|
||||
if [ "$wal_enable" = true ]; then
|
||||
for v in ${VARS[@]}; do
|
||||
export $v="${!v}"
|
||||
done
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#!/bin/bash
|
||||
|
||||
# wal-e specific configuration
|
||||
echo "wal_level = $WAL_LEVEL" >> $PGDATA/postgresql.conf
|
||||
echo "archive_mode = $ARCHIVE_MODE" >> $PGDATA/postgresql.conf
|
||||
echo "archive_command = '/usr/bin/wal-e wal-push %p'" >> $PGDATA/postgresql.conf
|
||||
echo "archive_timeout = $ARCHIVE_TIMEOUT" >> $PGDATA/postgresql.conf
|
||||
echo "wal_level = $WAL_LEVEL" >>$PGDATA/postgresql.conf
|
||||
echo "archive_mode = $ARCHIVE_MODE" >>$PGDATA/postgresql.conf
|
||||
echo "archive_command = '/usr/bin/wal-e wal-push %p'" >>$PGDATA/postgresql.conf
|
||||
echo "archive_timeout = $ARCHIVE_TIMEOUT" >>$PGDATA/postgresql.conf
|
||||
|
||||
@ -20,13 +20,14 @@ services:
|
||||
# - AWS_REGION=us-east-1
|
||||
|
||||
app:
|
||||
build: app
|
||||
# change `build:app` to `build:` and uncomment following lines for team edition or change UID/GID
|
||||
# context: app
|
||||
build:
|
||||
context: app
|
||||
# uncomment following lines for team edition or change UID/GID
|
||||
# args:
|
||||
# - edition=team
|
||||
# - PUID=1000
|
||||
# - PGID=1000
|
||||
# - MM_VERSION=5.31
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
- ./volumes/app/mattermost/config:/mattermost/config:rw
|
||||
@ -35,6 +36,9 @@ services:
|
||||
- ./volumes/app/mattermost/plugins:/mattermost/plugins:rw
|
||||
- ./volumes/app/mattermost/client-plugins:/mattermost/client/plugins:rw
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
# When you want to use SSO with GitLab, you have to add the cert pki chain of GitLab inside Alpine
|
||||
# to avoid Token request failed: certificate signed by unknown authority (link: https://github.com/mattermost/mattermost-server/issues/13059)
|
||||
# - <path_to_your_gitlab_pki>/pki_chain.pem:/etc/ssl/certs/pki_chain.pem:ro
|
||||
environment:
|
||||
# set same as db credentials and dbname
|
||||
- MM_USERNAME=mmuser
|
||||
@ -51,14 +55,13 @@ services:
|
||||
web:
|
||||
build: web
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
- "80:8080"
|
||||
- "443:8443"
|
||||
read_only: true
|
||||
restart: unless-stopped
|
||||
volumes:
|
||||
# This directory must have cert files if you want to enable SSL
|
||||
- ./volumes/web/cert:/cert:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
# Uncomment for SSL
|
||||
# environment:
|
||||
# - MATTERMOST_ENABLE_SSL=true
|
||||
cap_drop:
|
||||
- ALL
|
||||
|
||||
@ -1,17 +1,38 @@
|
||||
FROM nginx:mainline-alpine
|
||||
FROM nginxinc/nginx-unprivileged:mainline-alpine
|
||||
|
||||
USER root
|
||||
|
||||
# Remove default configuration and add our custom Nginx configuration files
|
||||
RUN rm /etc/nginx/conf.d/default.conf \
|
||||
&& apk add --no-cache curl
|
||||
|
||||
COPY ["./mattermost", "./mattermost-ssl", "/etc/nginx/sites-available/"]
|
||||
COPY ./security.conf /etc/nginx/conf.d/
|
||||
|
||||
# Add and setup entrypoint
|
||||
COPY entrypoint.sh /
|
||||
|
||||
RUN chown -R nginx:nginx /etc/nginx/sites-available && \
|
||||
chown -R nginx:nginx /var/cache/nginx && \
|
||||
chown -R nginx:nginx /var/log/nginx && \
|
||||
chown -R nginx:nginx /etc/nginx/conf.d && \
|
||||
chown nginx:nginx entrypoint.sh
|
||||
RUN touch /var/run/nginx.pid && \
|
||||
chown -R nginx:nginx /var/run/nginx.pid
|
||||
|
||||
COPY ./security.conf /etc/nginx/conf.d/
|
||||
|
||||
RUN chown -R nginx:nginx /etc/nginx/conf.d/security.conf
|
||||
|
||||
RUN chmod u+x /entrypoint.sh
|
||||
|
||||
RUN sed -i "/^http {/a \ proxy_buffering off;\n" /etc/nginx/nginx.conf
|
||||
RUN sed -i '/temp_path/d' /etc/nginx/nginx.conf \
|
||||
&& sed -i 's!/tmp/nginx.pid!/var/run/nginx.pid!g' /etc/nginx/nginx.conf
|
||||
|
||||
USER nginx
|
||||
|
||||
#Healthcheck to make sure container is ready
|
||||
HEALTHCHECK CMD curl --fail http://localhost:80 || exit 1
|
||||
HEALTHCHECK CMD curl --fail http://localhost:8080 || exit 1
|
||||
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
|
||||
|
||||
@ -11,8 +11,10 @@ if [ -f "/cert/cert.pem" -a -f "/cert/key-no-password.pem" ]; then
|
||||
else
|
||||
echo "linking plain config"
|
||||
fi
|
||||
# Ensure that the configuration file is not present before linking.
|
||||
test -w /etc/nginx/conf.d/mattermost.conf && rm /etc/nginx/conf.d/mattermost.conf
|
||||
# Linking Nginx configuration file
|
||||
ln -s /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf
|
||||
ln -s -f /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf
|
||||
|
||||
# Setup app host and port on configuration file
|
||||
sed -i "s/{%APP_HOST%}/${APP_HOST}/g" /etc/nginx/conf.d/mattermost.conf
|
||||
|
||||
@ -4,7 +4,7 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen 8080;
|
||||
|
||||
location ~ /api/v[0-9]+/(users/)?websocket$ {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
|
||||
21
web/mattermost-ssl
Normal file → Executable file
21
web/mattermost-ssl
Normal file → Executable file
@ -1,7 +1,7 @@
|
||||
server {
|
||||
listen 80 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
listen 8080 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
||||
@ -10,15 +10,16 @@ map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen 8443 ssl http2;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /cert/cert.pem;
|
||||
ssl_certificate_key /cert/key-no-password.pem;
|
||||
ssl_session_timeout 5m;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers HIGH:MEDIUM:!SSLv2:!PSK:!SRP:!ADH:!AECDH;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
# Please update the ciphers in this file every 6 months.
|
||||
# https://ssl-config.mozilla.org/
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
location ~ /api/v[0-9]+/(users/)?websocket$ {
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
@ -34,7 +35,7 @@ server {
|
||||
proxy_buffers 256 16k;
|
||||
proxy_buffer_size 16k;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
|
||||
proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
|
||||
}
|
||||
|
||||
location / {
|
||||
@ -51,7 +52,7 @@ server {
|
||||
proxy_buffers 256 16k;
|
||||
proxy_buffer_size 16k;
|
||||
proxy_read_timeout 600s;
|
||||
proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
|
||||
proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user