Adds deployment example for ocis behind traefik

2026-03-04 07:17:16 -05:00 · 2020-10-12 15:21:02 +02:00
parent d1b4b3e97b
commit 9428c3e4b4
4 changed files with 183 additions and 0 deletions
--- a/deployments/examples/ocis_traefik/.env
+++ b/deployments/examples/ocis_traefik/.env
@@ -0,0 +1 @@
+OCIS_DOMAIN=ocis.domain.com
--- a/deployments/examples/ocis_traefik/config/identifier-registration.yml
+++ b/deployments/examples/ocis_traefik/config/identifier-registration.yml
@@ -0,0 +1,16 @@
+---
+# OpenID Connect client registry.
+clients:
+  - id: phoenix
+    name: OCIS
+    application_type: web
+    insecure: yes
+    trusted: yes
+    redirect_uris:
+      - http://your.domain.com/oidc-callback.html
+      - http://your.domain.com/
+      - https://your.domain.com/
+      - https://your.domain.com/oidc-callback.html
+    origins:
+      - http://your.domain.com
+      - https://your.domain.com
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -0,0 +1,64 @@
+version: "3.7"
+
+services:
+
+  traefik:
+    image: "traefik:v2.2"
+    container_name: "traefik"
+    networks:
+      - ocisnet
+    command:
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.websecure.address=:443"
+      - "--certificatesresolvers.ocis.acme.tlschallenge=true"
+      - "--certificatesresolvers.ocis.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.ocis.acme.email=user@${OCIS_DOMAIN}"
+      - "--certificatesresolvers.ocis.acme.storage=/letsencrypt/acme.json"
+    ports:
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - "~/letsencrypt:/letsencrypt"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  ocis:
+    container_name: ocis
+    image: owncloud/ocis:latest
+    ports:
+      - 9200:9200
+    hostname: ocis
+    networks:
+      - ocisnet
+    volumes:
+      - ./config:/etc/ocis
+    environment:
+      OCIS_DOMAIN: ${OCIS_DOMAIN}
+      PROXY_TLS: "false"
+      PROXY_HTTP_ADDR: 0.0.0.0:9200
+      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN}
+      PROXY_OIDC_INSECURE: "true"
+      KONNECTD_ISS: https://${OCIS_DOMAIN}
+      KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/etc/ocis/identifier-registration.yml"
+      KONNECTD_TLS: 1
+      GRAPH_OIDC_ENDPOINT: https://${OCIS_DOMAIN}
+      PHOENIX_OIDC_AUTHORITY: https://${OCIS_DOMAIN}
+      PHOENIX_OIDC_METADATA_URL: https://${OCIS_DOMAIN}/.well-known/openid-configuration
+      PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN}
+      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN}
+      STORAGE_TRANSFER_EXPIRES: 86400
+      STORAGE_FRONTEND_URL: https://${OCIS_DOMAIN}
+      STORAGE_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
+      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
+      - "traefik.http.routers.ocis.entrypoints=websecure"
+      - "traefik.http.routers.ocis.tls.certresolver=ocis"
+      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
+      - "traefik.docker.network=ocisnet"
+      - "traefik.protocol=https"
+
+networks:
+  ocisnet:
--- a/docs/ocis/deployment/ocis_traefik.md
+++ b/docs/ocis/deployment/ocis_traefik.md
@@ -0,0 +1,102 @@
+---
+title: "ocis with traefik deployment scenario"
+date: 2020-10-12T14:04:00+01:00
+weight: 24
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/ocis/deployment
+geekdocFilePath: ocis_traefik.md
+---
+
+{{< toc >}}
+
+
+# ocis traefik deployment scenario
+
+## Overview
+ocis running on a hcloud node behind traefik as reverse proxy
+* Cloudflare DNS is resolving the domain
+* Letsencrypt is providing a valid ssl certificate for the domain
+* Traefik docker container terminates ssl and forwards http requests to ocis
+* ocis docker container serves owncloud backend and delivers phoenix client
+
+## Node
+
+### Requirements
+* Server running Ubuntu 20.04 is public availible with a static ip address
+* An A-record for domain is pointing on the servers ip address
+* Create user `$sudo adduser username`
+* Add user to sudo group `$sudo usermod -aG sudo username`
+* Add users pub key to `~/.ssh/authorized_keys`
+* Setup sshd to forbid root access and permit authorisation only by ssh key
+* Install docker `$sudo apt install docker.io`
+* Add user to docker group `$sudo usermod -aG docker username`
+* Install docker-compose via `$ sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose` (docker compose version 1.27.4 as of today)
+* Make docker-compose executable `$ sudo chmod +x /usr/local/bin/docker-compose`
+* Environment variables for OCIS Stack are provided by .env file
+
+### Stack
+The application stack contains two containers. The first one is a traefik proxy which is terminating ssl and forwards the requests to the internal docker network. Additional, traefik is creating a certificate that is stored in `acme.json` in the folder `letsencrypt` inside the users home directory.
+The second one is th ocis server which is exposing the webservice on port 9200 to traefic.
+
+### Config
+Edit docker-compose.yml file to fit your domain setup
+```
+...
+  traefik:
+    image: "traefik:v2.2"
+    ...
+    labels:
+      ...
+      # Email address is neccesary for certificate creation
+      - "--certificatesresolvers.ocisresolver.acme.email=username@${OCIS_DOMAIN}"
+...
+```
+
+```
+  ocis:
+    container_name: ocis
+    ...
+    labels:
+      ...
+      # This is the domain for which traefik is creating the certificate from letsencrypt
+      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
+      ...
+```
+
+A folder for letsencypt to store the certificate needs to be created
+`$ mkdir ~/letsencrypt`
+This folder is bind to the docker container and the certificate is persistently stored into it.
+
+In this example, ssl is terminated from traefik and inside of the docker network, the services are comunicating via http. For this `PROXY_TLS: "false"` as environment parameter for ocis has to be set.
+
+For ocis to work properly it's neccesary to provide one config file.
+Changes need to be done in identifier-registration.yml to match your domain
+
+```
+---
+# OpenID Connect client registry.
+clients:
+  - id: phoenix
+    name: OCIS
+    application_type: web
+    insecure: yes
+    trusted: yes
+    redirect_uris:
+      - http://your.domain.com
+      - http://your.domain.com/oidc-callback.html
+      - https://your.domain.com/
+      - https://your.domain.com/oidc-callback.html
+    origins:
+      - http://your.domain.com
+      - https://your.domain.com
+```
+To provide the file to ocis container the following two lines are needed in the compose file.
+```
+    ...
+    volumes:
+      - ./config:/etc/ocis
+    environment:
+      ...
+      KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/etc/ocis/identifier-registration.yml"
+      ...
+```