doc: nginx basic defintion + certbot SSL

jeremyfix · jeremyfix · commit 54659eacd59d · 2024-06-13T21:30:26.000+02:00
diff --git a/README.md b/README.md
@@ -43,9 +43,9 @@ to run the server.
 Deploying a website involves : 
 
 - cloning the repository and setting up the virtual environment,
+- wrapping the start/stop of the taipy server with a systemd service
 - configuring nginx with a base setup listening on port 80 and then adding https
   support with a SSL certificate
-- wrapping the start/stop of the taipy server with a systemd service
 
 ### Cloning and virtual environment
 
@@ -79,11 +79,138 @@ source .venv/bin/activate
 pip install uwsgi gevent
 ```
 
+### Systemd service file for running taipy
+
+
+
 ### Nginx setup
 
-TBD
+#### Basic configuration with http support
+
+For nginx, you can remove the default website :
+
+```
+cd /etc/nginx/sites-enabled
+sudo rm -rf default
+```
+
+Then add your website definition. The basic definition is almost the same
+whether you deploy the production or development website. In the template file
+below, you must replace the two variables `MY_SERVER_NAME` and `MY_PORT` as :
+
+- `MY_SERVER_NAME` with `www.taxplorer.eu` and `MY_PORT` with `5000` for the
+  production website,
+- `MY_SERVER_NAME` with `dev.taxplorer.eu` and `MY_PORT` with `5001` for the
+  development website,
+
+If you want to define both the production and development website, you can just
+consecutively define both.
+
+**File /etc/nginx/sites-enabled/d4g-dataviz** :
+```
+server {
+	listen 80;
+    server_name MY_SERVER_NAME;
+    add_header 'X-Frame-Options' 'SAMEORIGIN';
+    add_header 'X-XSS-Protection' '1; mode=block';
+    add_header 'X-Content-Type-Options' 'nosniff';
+    add_header 'Referrer-Policy' 'same-origin';
+    add_header 'Strict-Transport-Security' 'max-age=63072000';
+    ssl_certificate /etc/letsencrypt/live/www.taxplorer.eu/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/www.taxplorer.eu/privkey.pem;
+    location / {
+        proxy_pass http://127.0.0.1:MY_PORT;
+        #proxy_redirect off;
+        #keepalive_requests 100;
+        #proxy_read_timeout 75s;
+        #proxy_connect_timeout 75s;
+        #proxy_http_version 1.1;
+        #client_max_body_size 100M;
+        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        #proxy_set_header X-Forwarded-Proto $scheme;
+        #proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+    }
+}
+```
+
+You can test the definition with :
+
+```
+sudo nginx -t
+```
+
+If there is no error, you can enable and start/restart the nginx service :
+
+```
+sudo systemctl enable nginx
+sudo service nginx restart
+```
+
+You should now be able to navigate to `www.taxplorer.eu`. If you do not have yet
+a binding between the domain name `www.taxplorer.eu` and the IP of the server
+hosting the website, you can anyway test the connection by getting the IP of
+the server with `ip addr` and then going to `http://IP_OF_THE_SERVER`.
+
+### Adding the SSL support for https
+
+For adding the SSL support for secured connection, we will use [certbot](https://certbot.eff.org/). For example, on a debian + nginx configuration, the steps to follow are :
+
+```
+sudo apt update && sudo apt install -y snapd
+sudo snap install --classic certbot
+sudo ln -s /snap/bin/certbot /usr/bin/certbot
+sudo certbot --nginx
+```
+
+From there, you will have to select the website for which you want to get and
+install a SSL certificate. Certbot will also modify your
+`/etc/nginx/sites-enabled/d4g-dataviz` file to 1) redirect any connection to
+port `80` to port `443` and adds the definition for using the certificate. For
+example, below is the definition for the development website :
+
+```
+server {
+    server_name dev.taxplorer.eu;
+
+    # SECURITY HEADERS
+    add_header 'X-Frame-Options' 'SAMEORIGIN';
+    add_header 'X-XSS-Protection' '1; mode=block';
+    add_header 'X-Content-Type-Options' 'nosniff';
+    add_header 'Referrer-Policy' 'same-origin';
+    add_header 'Strict-Transport-Security' 'max-age=63072000';
+
+    location / {
+        proxy_pass http://localhost:5001;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-Host $http_host;   
+    }
+
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/dev.taxplorer.eu/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/dev.taxplorer.eu/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+    if ($host = dev.taxplorer.eu) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name dev.taxplorer.eu;
+    listen 80;
+    return 404; # managed by Certbot
+}
+
+```
+
 
-### Systemd service file
 
-TBD
 
