Configure SSL connection (#30)

Atleta-network · Apr 24, 2024 · a4ca776 · a4ca776
2 parents 3fdcb77 + 54dad8b
commit a4ca776
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 17 deletions.
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
@@ -73,11 +73,19 @@ services:
       file: ./services/stats.yml
       service: stats
 
+  certbot:
+    depends_on:
+      - backend
+    extends:
+      file: ./services/certbot.yml
+      service: certbot
+
   proxy:
     depends_on:
       - backend
       - frontend
       - stats
+      - certbot
     extends:
       file: ./services/nginx.yml
       service: proxy
diff --git a/deploy/proxy/default.conf.template b/deploy/proxy/default.conf.template
@@ -5,10 +5,13 @@ map $http_upgrade $connection_upgrade {
 }
 
 server {
-    listen       80;
-    server_name  localhost;
+    listen       443 ssl;
+    server_name  blockscout.atleta.network;
     proxy_http_version 1.1;
 
+    ssl_certificate /etc/letsencrypt/live/blockscout.atleta.network/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/blockscout.atleta.network/privkey.pem;
+
     location ~ ^/(api|socket|sitemap.xml|auth/auth0|auth/auth0/callback|auth/logout) {
         proxy_pass            ${BACK_PROXY_PASS};
         proxy_http_version    1.1;
@@ -33,12 +36,16 @@ server {
     }
 }
 server {
-    listen       8080;
-    server_name  localhost;
+    listen       8080 ssl;
+    server_name  blockscout.atleta.network;
+
+    ssl_certificate /etc/letsencrypt/live/blockscout.atleta.network/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/blockscout.atleta.network/privkey.pem;
+
     proxy_http_version 1.1;
     proxy_hide_header Access-Control-Allow-Origin;
     proxy_hide_header Access-Control-Allow-Methods;
-    add_header 'Access-Control-Allow-Origin' 'http://localhost' always;
+    add_header 'Access-Control-Allow-Origin' 'https://blockscout.atleta.network' always;
     add_header 'Access-Control-Allow-Credentials' 'true' always;
     add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, OPTIONS, DELETE, PATCH' always;
 
@@ -55,12 +62,16 @@ server {
     }
 }
 server {
-    listen       8081;
-    server_name  localhost;
+    listen       8081 ssl;
+    server_name  blockscout.atleta.network;
+
+    ssl_certificate /etc/letsencrypt/live/blockscout.atleta.network/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/blockscout.atleta.network/privkey.pem;
+
     proxy_http_version 1.1;
     proxy_hide_header Access-Control-Allow-Origin;
     proxy_hide_header Access-Control-Allow-Methods;
-    add_header 'Access-Control-Allow-Origin' 'http://localhost' always;
+    add_header 'Access-Control-Allow-Origin' 'https://blockscout.atleta.network' always;
     add_header 'Access-Control-Allow-Credentials' 'true' always;
     add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, OPTIONS, DELETE, PATCH' always;
     add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,x-csrf-token' always;
@@ -80,7 +91,7 @@ server {
         proxy_set_header      Connection $connection_upgrade;
         proxy_cache_bypass    $http_upgrade;
         if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' 'http://localhost' always;
+            add_header 'Access-Control-Allow-Origin' 'https://blockscout.atleta.network' always;
             add_header 'Access-Control-Allow-Credentials' 'true' always;
             add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, OPTIONS, DELETE, PATCH' always;
             add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,x-csrf-token' always;

diff --git a/deploy/proxy/microservices.conf.template b/deploy/proxy/microservices.conf.template
@@ -5,12 +5,16 @@ map $http_upgrade $connection_upgrade {
 }
 
 server {
-    listen       8080;
-    server_name  localhost;
+    listen       8080 ssl;
+    server_name  blockscout.atleta.network;
+
+    ssl_certificate /etc/letsencrypt/live/blockscout.atleta.network/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/blockscout.atleta.network/privkey.pem;
+
     proxy_http_version 1.1;
     proxy_hide_header Access-Control-Allow-Origin;
     proxy_hide_header Access-Control-Allow-Methods;
-    add_header 'Access-Control-Allow-Origin' 'http://localhost:3000' always;
+    add_header 'Access-Control-Allow-Origin' 'https://blockscout.atleta.network:3000' always;
     add_header 'Access-Control-Allow-Credentials' 'true' always;
     add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, OPTIONS, DELETE, PATCH' always;
 
@@ -27,12 +31,16 @@ server {
     }
 }
 server {
-    listen       8081;
-    server_name  localhost;
+    listen       8081 ssl;
+    server_name  blockscout.atleta.network;
+
+    ssl_certificate /etc/letsencrypt/live/blockscout.atleta.network/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/blockscout.atleta.network/privkey.pem;
+
     proxy_http_version 1.1;
     proxy_hide_header Access-Control-Allow-Origin;
     proxy_hide_header Access-Control-Allow-Methods;
-    add_header 'Access-Control-Allow-Origin' 'http://localhost:3000' always;
+    add_header 'Access-Control-Allow-Origin' 'https://blockscout.atleta.network:3000' always;
     add_header 'Access-Control-Allow-Credentials' 'true' always;
     add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, OPTIONS, DELETE, PATCH' always;
     add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,x-csrf-token' always;
@@ -52,7 +60,7 @@ server {
         proxy_set_header      Connection $connection_upgrade;
         proxy_cache_bypass    $http_upgrade;
         if ($request_method = 'OPTIONS') {
-            add_header 'Access-Control-Allow-Origin' 'http://localhost:3000' always;
+            add_header 'Access-Control-Allow-Origin' 'https://blockscout.atleta.network:3000' always;
             add_header 'Access-Control-Allow-Credentials' 'true' always;
             add_header 'Access-Control-Allow-Methods' 'PUT, GET, POST, OPTIONS, DELETE, PATCH' always;
             add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,x-csrf-token' always;

diff --git a/deploy/services/nginx.yml b/deploy/services/nginx.yml
@@ -8,10 +8,11 @@ services:
       - 'host.docker.internal:host-gateway'
     volumes:
       - "../proxy:/etc/nginx/templates"
+      - /etc/letsencrypt:/etc/letsencrypt
+      - /var/log/nginx/:/var/log/nginx
     environment:
       BACK_PROXY_PASS: ${BACK_PROXY_PASS:-http://backend:4000}
       FRONT_PROXY_PASS: ${FRONT_PROXY_PASS:-http://frontend:3000}
     ports:
-      - 80:80
       - 8080:8080
       - 8081:8081
diff --git a/letsencrypt.yml b/letsencrypt.yml
@@ -0,0 +1,15 @@
+version: '3.9'
+
+services:
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - /etc/letsencrypt:/etc/letsencrypt
+      - ./certbot/www:/var/www/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; certbot certonly --standalone --preferred-challenges http -d blockscout.atleta.network --email [email protected] --agree-tos --non-interactive --verbose; sleep 12h'"
+    ports:
+      - "0.0.0.0:80:80"
+      - "0.0.0.0:443:80"
+    environment:
+      - [email protected]
+      - CERTBOT_DOMAIN=blockscout.atleta.network