Merge pull request #1200 from NASA-AMMOS/feature/add-reverse-proxy

add HTTPS-enabled reverse proxy deployment example
NASA-AMMOS · Oct 19, 2023 · 5f8ee22 · 5f8ee22
2 parents 3fe22d7 + 01c32a5
commit 5f8ee22
Show file tree

Hide file tree

Showing 5 changed files with 127 additions and 0 deletions.
diff --git a/deployment/.env b/deployment/.env
@@ -11,3 +11,7 @@ HASURA_GRAPHQL_JWT_SECRET=
 
 POSTGRES_USER=
 POSTGRES_PASSWORD=
+
+# Optionally define the host Aerie will run on, if you need HTTPS / TLS
+# See the deployment/proxy folder for more info
+# AERIE_HOST=
diff --git a/deployment/docker-compose.yml b/deployment/docker-compose.yml
@@ -20,6 +20,8 @@ services:
     restart: always
     volumes:
       - aerie_file_store:/app/files
+    networks:
+      - aerie_net
   aerie_merlin:
     container_name: aerie_merlin
     depends_on: ["postgres"]
@@ -42,6 +44,8 @@ services:
     restart: always
     volumes:
       - aerie_file_store:/usr/src/app/merlin_file_store
+    networks:
+      - aerie_net
   aerie_merlin_worker_1:
     container_name: aerie_merlin_worker
     depends_on: ["postgres"]
@@ -63,6 +67,8 @@ services:
     restart: always
     volumes:
       - aerie_file_store:/usr/src/app/merlin_file_store:ro
+    networks:
+      - aerie_net
   aerie_scheduler:
     container_name: aerie_scheduler
     depends_on: ["aerie_merlin", "postgres"]
@@ -83,6 +89,8 @@ services:
     restart: always
     volumes:
       - aerie_file_store:/usr/src/app/merlin_file_store
+    networks:
+      - aerie_net
   aerie_scheduler_worker_1:
     container_name: aerie_scheduler_worker_1
     depends_on: ["postgres"]
@@ -105,6 +113,8 @@ services:
     restart: always
     volumes:
       - aerie_file_store:/usr/src/app/merlin_file_store:ro
+    networks:
+      - aerie_net
   aerie_sequencing:
     container_name: aerie_sequencing
     depends_on: ["postgres"]
@@ -125,6 +135,8 @@ services:
     restart: always
     volumes:
       - aerie_file_store:/usr/src/app/sequencing_file_store
+    networks:
+      - aerie_net
   aerie_ui:
     container_name: aerie_ui
     depends_on: ["postgres"]
@@ -139,6 +151,8 @@ services:
     image: "${REPOSITORY_DOCKER_URL}/aerie-ui:${DOCKER_TAG}"
     ports: ["80:80"]
     restart: always
+    networks:
+      - aerie_net
   hasura:
     container_name: hasura
     depends_on: ["postgres"]
@@ -163,6 +177,8 @@ services:
     restart: always
     volumes:
       - ./hasura/metadata:/hasura-metadata
+    networks:
+      - aerie_net
   postgres:
     container_name: postgres
     environment:
@@ -177,8 +193,13 @@ services:
     volumes:
       - postgres_data:/var/lib/postgresql/data
       - ./postgres-init-db:/docker-entrypoint-initdb.d
+    networks:
+      - aerie_net
 
 volumes:
   aerie_file_store:
   mission_file_store:
   postgres_data:
+
+networks:
+  aerie_net:
diff --git a/deployment/proxy/Dockerfile b/deployment/proxy/Dockerfile
@@ -0,0 +1,7 @@
+from docker.io/nginx:alpine3.18
+
+# inject AERIE_HOST into nginx.conf
+copy ./nginx.conf.template /etc/nginx/templates/default.conf.template
+
+copy ./cert.pem /cert.pem
+copy ./key.pem /key.pem
diff --git a/deployment/proxy/docker-compose-proxy.yml b/deployment/proxy/docker-compose-proxy.yml
@@ -0,0 +1,44 @@
+services:
+  aerie_proxy:
+    container_name: aerie_proxy
+    depends_on:
+     - "aerie_ui"
+     - "hasura"
+     - "aerie_gateway"
+    build:
+      context: proxy
+    ports:
+     - "80:80"
+     - "443:443"
+     - "8080:8080"
+     - "9000:9000"
+    environment:
+        NGINX_ENVSUBST_TEMPLATE_SUFFIX: ".template"
+        AERIE_HOST: ${AERIE_HOST}
+    networks:
+      - aerie_net
+  aerie_gateway:
+    ports: !reset []
+    environment:
+      GQL_API_URL: http://hasura:8080/v1/graphql
+  aerie_merlin:
+    ports: !reset []
+  aerie_merlin_worker_1:
+    ports: !reset []
+  aerie_scheduler:
+    ports: !reset []
+  aerie_scheduler_worker_1:
+    ports: !reset []
+  aerie_sequencing:
+    ports: !reset []
+  aerie_ui:
+    ports: !reset []
+    environment:
+      ORIGIN: https://${AERIE_HOST}
+      PUBLIC_GATEWAY_CLIENT_URL: https://${AERIE_HOST}:9000
+      PUBLIC_HASURA_CLIENT_URL: https://${AERIE_HOST}:8080/v1/graphql
+      PUBLIC_HASURA_WEB_SOCKET_URL: wss://${AERIE_HOST}:8080/v1/graphql
+  hasura:
+    ports: !reset []
+  postgres:
+    ports: !reset []
diff --git a/deployment/proxy/nginx.conf.template b/deployment/proxy/nginx.conf.template
@@ -0,0 +1,51 @@
+# increase max body size for model uploads
+client_max_body_size 100M;
+
+# redirect HTTP to HTTPS (80 -> 443)
+server {
+    listen 80;
+    server_name _;
+    return 301 https://$host$request_uri;
+}
+
+# terminate TLS and proxy pass UI
+server {
+    listen              443 ssl;
+    server_name         ${AERIE_HOST};
+    ssl_certificate     /cert.pem;
+    ssl_certificate_key /key.pem;
+    ssl_protocols       TLSv1.3;
+
+    location / {
+        proxy_pass http://aerie_ui;
+    }
+}
+
+# terminate TLS and proxy pass hasura
+server {
+    listen              8080 ssl;
+    server_name         ${AERIE_HOST};
+    ssl_certificate     /cert.pem;
+    ssl_certificate_key /key.pem;
+    ssl_protocols       TLSv1.3;
+
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "Upgrade";
+
+    location / {
+        proxy_pass http://hasura:8080;
+    }
+}
+
+# terminate TLS and proxy pass gateway
+server {
+    listen              9000 ssl;
+    server_name         ${AERIE_HOST};
+    ssl_certificate     /cert.pem;
+    ssl_certificate_key /key.pem;
+    ssl_protocols       TLSv1.3;
+
+    location / {
+        proxy_pass http://aerie_gateway:9000;
+    }
+}