Skip to content

Commit

Permalink
add reverse proxy docs
Browse files Browse the repository at this point in the history
  • Loading branch information
skovati committed Jan 3, 2024
1 parent 64c10da commit 67dd904
Show file tree
Hide file tree
Showing 2 changed files with 42 additions and 0 deletions.
41 changes: 41 additions & 0 deletions docs/deployment/advanced-reverse-proxy.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Advanced - Reverse Proxy

# Deploying with HTTPS / Behind a reverse proxy

The `./deployment/proxy` folder contains the following as a standard pattern for deploying Aerie with a reverse proxy:
```
- nginx.conf # nginx (reverse proxy) configuration file that terminates TLS and proxies traffic to internal containers
- Dockerfile # runs an nginx instance as configured above
- docker-compose-proxy.yml # docker-compose that runs the above Docker container within the Aerie stack, closing unneccesary ports
```

In this example, an [`nginx`](https://nginx.org) instance runs within the Aerie container stack, acting as the single ingress point for all network traffic, which strips TLS and forwards HTTP traffic to internal containers.

## Generating a self-signed TLS certificate for testing

Running the following command will generate a self-signed certificate for testing TLS. It will prompt you for several fields which can all be left blank (i.e. just press enter).

```
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 --nodes
```

Move these `key.pem` and `cert.pem` files into the `./deployment/proxy` folder, so `nginx` can read them.

## Define Aerie deployment host
When running a production deployment of Aerie, you can use DNS records to point a domain to your deployment server's IP address.

To emulate DNS on a local machine, you can edit `/etc/hosts` (on unix-based machines). Adding the following line will redirect `localhost.jpl.nasa.gov` to `127.0.0.1`, which will allow us to use a fake domain name for a local Aerie deployment. This can be any domain, but it's a best practice to use something that doesn't exist as a public site.

```
127.0.0.1 localhost.jpl.nasa.gov
```

## Run Aerie instance with reverse proxy
Edit your Aerie `./deployment/.env` file to define `AERIE_HOST=${whatever domain you put in your /etc/hosts or DNS}`.

Running the following command from the `./deployment` directory of the Aerie repo will now deploy the regular Aerie stack with `nginx` proxying all connections.
```
docker compose -f docker-compose.yml -f ./proxy/docker-compose-proxy.yml up -d --build
```

You can now visit `https://here-is-the-domain-you.set`, which will prompt you to trust a self-signed certificate, and then forward you to Aerie as usual!
1 change: 1 addition & 0 deletions sidebars.js
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ const sidebars = {
'deployment/advanced-database-migrations',
'deployment/advanced-authentication',
'deployment/advanced-permissions',
'deployment/advanced-reverse-proxy',
{
label: 'Environment Variables',
type: 'link',
Expand Down

0 comments on commit 67dd904

Please sign in to comment.