diff --git a/deployments/examples/ocis_traefik/.env b/deployments/examples/ocis_traefik/.env
new file mode 100644
index 0000000000..5f0189368d
--- /dev/null
+++ b/deployments/examples/ocis_traefik/.env
@@ -0,0 +1 @@
+OCIS_DOMAIN=ocis.domain.com
diff --git a/deployments/examples/ocis_traefik/config/identifier-registration.yml b/deployments/examples/ocis_traefik/config/identifier-registration.yml
new file mode 100644
index 0000000000..6bbe133e5d
--- /dev/null
+++ b/deployments/examples/ocis_traefik/config/identifier-registration.yml
@@ -0,0 +1,16 @@
+---
+# OpenID Connect client registry.
+clients:
+  - id: phoenix
+    name: OCIS
+    application_type: web
+    insecure: yes
+    trusted: yes
+    redirect_uris:
+      - http://your.domain.com/oidc-callback.html
+      - http://your.domain.com/
+      - https://your.domain.com/
+      - https://your.domain.com/oidc-callback.html
+    origins:
+      - http://your.domain.com
+      - https://your.domain.com
diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml
new file mode 100644
index 0000000000..9e16ff585f
--- /dev/null
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
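Review bot: The phoenix client registration sets `insecure: yes` and lists plain `http://` redirect URIs and origins, although this deployment only publishes Traefik on 443 and runs Konnect with TLS (`KONNECTD_TLS: 1` in the compose file); if `insecure` relaxes Konnect's redirect-URI and origin checks as its name suggests, an authorization code or id_token can be redirected to a cleartext origin that nothing in this stack serves. Keep only the `https://` entries, set `insecure: false`, and write real booleans (`trusted: true`), since `yes` is a YAML 1.1 truthy value that parsers disagree on. The host `your.domain.com` is hard-coded while `.env` sets `OCIS_DOMAIN=ocis.domain.com` and every URL in the compose file is built from `${OCIS_DOMAIN}`, so a reader who only edits `.env` gets a client whose redirect URIs never match the issuer; at minimum add `# must match OCIS_DOMAIN in .env` above `redirect_uris:`.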
@@ -0,0 +1,64 @@
+version: "3.7"
+
+services:
+
+  traefik:
+    image: "traefik:v2.2"
+    container_name: "traefik"
+    networks:
+      - ocisnet
+    command:
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.websecure.address=:443"
+      - "--certificatesresolvers.ocis.acme.tlschallenge=true"
+      - "--certificatesresolvers.ocis.acme.caserver=https://acme-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.ocis.acme.email=user@${OCIS_DOMAIN}"
+      - "--certificatesresolvers.ocis.acme.storage=/letsencrypt/acme.json"
+    ports:
+      - "443:443"
+      - "8080:8080"
+    volumes:
+      - "~/letsencrypt:/letsencrypt"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+
+  ocis:
+    container_name: ocis
+    image: owncloud/ocis:latest
+    ports:
+      - 9200:9200
+    hostname: ocis
+    networks:
+      - ocisnet
+    volumes:
+      - ./config:/etc/ocis
+    environment:
+      OCIS_DOMAIN: ${OCIS_DOMAIN}
+      PROXY_TLS: "false"
+      PROXY_HTTP_ADDR: 0.0.0.0:9200
+      PROXY_OIDC_ISSUER: https://${OCIS_DOMAIN}
+      PROXY_OIDC_INSECURE: "true"
+      KONNECTD_ISS: https://${OCIS_DOMAIN}
+      KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/etc/ocis/identifier-registration.yml"
+      KONNECTD_TLS: 1
+      GRAPH_OIDC_ENDPOINT: https://${OCIS_DOMAIN}
+      PHOENIX_OIDC_AUTHORITY: https://${OCIS_DOMAIN}
+      PHOENIX_OIDC_METADATA_URL: https://${OCIS_DOMAIN}/.well-known/openid-configuration
+      PHOENIX_WEB_CONFIG_SERVER: https://${OCIS_DOMAIN}
+      STORAGE_OIDC_ISSUER: https://${OCIS_DOMAIN}
+      STORAGE_TRANSFER_EXPIRES: 86400
+      STORAGE_FRONTEND_URL: https://${OCIS_DOMAIN}
+      STORAGE_DATAGATEWAY_URL: https://${OCIS_DOMAIN}/data
+      STORAGE_LDAP_IDP: https://${OCIS_DOMAIN}
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
+      - "traefik.http.routers.ocis.entrypoints=websecure"
+      - "traefik.http.routers.ocis.tls.certresolver=ocis"
+      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
+      - "traefik.docker.network=ocisnet"
+      - "traefik.protocol=https"
+
+networks:
+ 
ocisnet:
diff --git a/docs/ocis/deployment/ocis_traefik.md b/docs/ocis/deployment/ocis_traefik.md
new file mode 100644
index 0000000000..e7a5679bda
--- /dev/null
+++ b/docs/ocis/deployment/ocis_traefik.md
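Review bot: Traefik is started with `--api.insecure=true` and its port published as `8080:8080` on all interfaces, and the ocis service additionally publishes `9200:9200`, so on the public hcloud node the docs describe both the unauthenticated Traefik API/dashboard (which exposes the router and service configuration read from the mounted Docker socket) and the plaintext ocis proxy (`PROXY_TLS: "false"`) are reachable from the internet, bypassing the TLS termination this example exists to demonstrate. Drop `- "--api.insecure=true"` and `- "8080:8080"` from the traefik service and remove the `ports:` / `- 9200:9200` mapping from ocis; Traefik already reaches ocis over `ocisnet` through `traefik.http.services.ocis.loadbalancer.server.port=9200`. `PROXY_OIDC_INSECURE: "true"` presumably disables certificate verification towards the issuer and should not be needed once Let's Encrypt has issued the certificate for `${OCIS_DOMAIN}`; if it is only a bootstrap workaround, say so in a comment such as `# only needed until the ACME certificate is issued`. `traefik.protocol=https` looks like a Traefik v1 label that v2.2 ignores (v2 uses `loadbalancer.server.scheme`) and contradicts `PROXY_TLS: "false"`, so it is better removed, and `owncloud/ocis:latest` should be pinned to a tag the way `traefik:v2.2` is.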
@@ -0,0 +1,102 @@
+---
+title: "ocis with traefik deployment scenario"
+date: 2020-10-12T14:04:00+01:00
+weight: 24
+geekdocRepo: https://github.com/owncloud/ocis
+geekdocEditPath: edit/master/docs/ocis/deployment
+geekdocFilePath: ocis_traefik.md
+---
+
+{{< toc >}}
+
+
+# ocis traefik deployment scenario
+
+## Overview
+ocis running on a hcloud node behind traefik as reverse proxy
+* Cloudflare DNS is resolving the domain
+* Letsencrypt is providing a valid ssl certificate for the domain
+* Traefik docker container terminates ssl and forwards http requests to ocis
+* ocis docker container serves owncloud backend and delivers phoenix client
+
+## Node
+
+### Requirements
+* Server running Ubuntu 20.04 is public availible with a static ip address
+* An A-record for domain is pointing on the servers ip address
+* Create user `$sudo adduser username`
+* Add user to sudo group `$sudo usermod -aG sudo username`
+* Add users pub key to `~/.ssh/authorized_keys`
+* Setup sshd to forbid root access and permit authorisation only by ssh key
+* Install docker `$sudo apt install docker.io`
+* Add user to docker group `$sudo usermod -aG docker username`
+* Install docker-compose via `$ sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose` (docker compose version 1.27.4 as of today)
+* Make docker-compose executable `$ sudo chmod +x /usr/local/bin/docker-compose`
+* Environment variables for OCIS Stack are provided by .env file
+
+### Stack
+The application stack contains two containers. The first one is a traefik proxy which is terminating ssl and forwards the requests to the internal docker network. Additional, traefik is creating a certificate that is stored in `acme.json` in the folder `letsencrypt` inside the users home directory.
+The second one is th ocis server which is exposing the webservice on port 9200 to traefic. 
+
+### Config
+Edit docker-compose.yml file to fit your domain setup
+```
+...
+  traefik:
+    image: "traefik:v2.2"
+    ...
+    labels:
+      ...
+      # Email address is neccesary for certificate creation
+      - "--certificatesresolvers.ocisresolver.acme.email=username@${OCIS_DOMAIN}"
+...
+```
+
+```
+  ocis:
+    container_name: ocis
+    ...
+    labels:
+      ...
+      # This is the domain for which traefik is creating the certificate from letsencrypt
+      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN}`)"
+      ...
+```
+
+A folder for letsencypt to store the certificate needs to be created
+`$ mkdir ~/letsencrypt`
+This folder is bind to the docker container and the certificate is persistently stored into it.
+
+In this example, ssl is terminated from traefik and inside of the docker network, the services are comunicating via http. For this `PROXY_TLS: "false"` as environment parameter for ocis has to be set.
+
+For ocis to work properly it's neccesary to provide one config file.
+Changes need to be done in identifier-registration.yml to match your domain
+
+```
+---
+# OpenID Connect client registry.
+clients:
+  - id: phoenix
+    name: OCIS
+    application_type: web
+    insecure: yes
+    trusted: yes
+    redirect_uris:
+      - http://your.domain.com
+      - http://your.domain.com/oidc-callback.html
+      - https://your.domain.com/
+      - https://your.domain.com/oidc-callback.html
+    origins:
+      - http://your.domain.com
+      - https://your.domain.com
+```
+To provide the file to ocis container the following two lines are needed in the compose file.
+```
+  ...
+  volumes:
+    - ./config:/etc/ocis
+  environment:
+    ...
+    KONNECTD_IDENTIFIER_REGISTRATION_CONF: "/etc/ocis/identifier-registration.yml"
+    ...
+```