reactioncommerce / proxy-traefik

A reverse proxy powered by Traefik for deploying the Reaction Platform on Digital Ocean

License: Apache License 2.0

deployment deployment-automation digitalocean reaction reaction-platform reactioncommerce traefik

proxy-traefik's People

Contributors: delagroove, pankajpatel, willopez, zenweasel

proxy-traefik's Issues

Missing Reaction env vars for reset password, verify email etc. routes on identity provider

The ansible playbook only sets ROOT_URL in the .env file in the reaction folder.
Reaction's api-plugin-accounts also uses the following env vars which are by default set to localhost and thus should be updated to the domain in this playbook. See file config.js of this plugin:

    REACTION_IDENTITY_PUBLIC_PASSWORD_RESET_URL: str({ devDefault: "http://localhost:4100/account/reset-password/TOKEN" }),
    REACTION_IDENTITY_PUBLIC_VERIFY_EMAIL_URL: str({ devDefault: "http://localhost:4100/#/verify-email/TOKEN" }),
    REACTION_ADMIN_PUBLIC_ACCOUNT_REGISTRATION_URL: str({ devDefault: "http://localhost:4080" })

Thus in the playbook:

    - name: "Set Reaction's environment variables"
      lineinfile:
        path: "{{ reaction_platform_path }}/reaction/.env"
        regexp: "^ROOT_URL"
        line: "ROOT_URL=https://api.{{ domain }}"

should be replaced with:

    - name: "Set Reaction's environment variables"
      lineinfile:
        path: "{{ reaction_platform_path }}/reaction/.env"
        regexp: "^{{ item.variable }}"
        line: "{{ item.variable }}={{ item.value }}"
      loop:
        - {
            variable: "ROOT_URL",
            value: "https://api.{{ domain }}"
          }
        - {
            variable: "REACTION_IDENTITY_PUBLIC_PASSWORD_RESET_URL",
            value: "https://identity.{{ domain }}/account/reset-password/TOKEN"
          }
        - {
            variable: "REACTION_IDENTITY_PUBLIC_VERIFY_EMAIL_URL",
            value: "https://identity.{{ domain }}/#/verify-email/TOKEN"
          }
        - {
            variable: "REACTION_ADMIN_PUBLIC_ACCOUNT_REGISTRATION_URL",
            value: "https://admin.{{ domain }}"
          }
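An added check, not part of the issue or the playbook: the script below reads a rendered reaction/.env and reports any of the four variables that is missing, not served over https, or not pointing at the expected subdomain of the deployment domain. The domain example.com and the file contents are constructed for the example.

```python
"""Check a rendered reaction/.env for the identity/admin URL variables from the
issue (added example, not the playbook's code; domain and file are constructed)."""
from urllib.parse import urlparse

# Variables api-plugin-accounts reads, and the subdomain each should point at.
EXPECTED_HOSTS = {
    "ROOT_URL": "api",
    "REACTION_IDENTITY_PUBLIC_PASSWORD_RESET_URL": "identity",
    "REACTION_IDENTITY_PUBLIC_VERIFY_EMAIL_URL": "identity",
    "REACTION_ADMIN_PUBLIC_ACCOUNT_REGISTRATION_URL": "admin",
}


def parse_dotenv(text):
    """Minimal KEY=VALUE reader: skips blanks and comments, strips matching quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(text, domain):
    """Return a list of problems; an empty list means every variable is production-ready."""
    problems = []
    env = parse_dotenv(text)
    for var, sub in EXPECTED_HOSTS.items():
        value = env.get(var)
        if value is None:   # the plugin then falls back to its http://localhost devDefault
            problems.append(f"{var}: missing")
            continue
        url = urlparse(value)
        if url.scheme != "https":
            problems.append(f"{var}: scheme is {url.scheme!r}, expected https")
        if url.hostname != f"{sub}.{domain}":
            problems.append(f"{var}: host is {url.hostname!r}, expected {sub}.{domain}")
    return problems


# Constructed sample: only ROOT_URL was rewritten, as in the original playbook task.
SAMPLE_ENV = """\
ROOT_URL=https://api.example.com
REACTION_IDENTITY_PUBLIC_PASSWORD_RESET_URL=http://localhost:4100/account/reset-password/TOKEN
REACTION_ADMIN_PUBLIC_ACCOUNT_REGISTRATION_URL="https://admin.example.com"
"""
```

Running `check_env(SAMPLE_ENV, "example.com")` flags the password-reset URL twice (http scheme, localhost host) and the missing verify-email variable, while ROOT_URL and the quoted admin URL pass.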

Does this work with other hosting services?

I looked through the code and found that DigitalOcean token is being used nowhere, so I wonder if the token is even required or necessary?
Does this work with other hosts?

Simple Deployment Guide Issues/Suggestions

I went through your Simple Deployment Guide and made a few notes on how it could be improved...

  • Requirements say “A Linux host with at least 2GB of RAM” but the first section states “create a new droplet using the Ubuntu 18.4 image with at least 1GB of RAM”.

  • Need to run apt-get update before apt get build-essentials

  • make has to be run as sudo otherwise docker connection fails (permission error), which then creates a whole heap of other issues. It's best to ensure docker permissions are set first - sudo usermod -a -G docker $USER

  • “Further, substitute REPLACE_WITH_PATH_TO_TRAEFIK_FOLDER with the path to the traefik folder” - this variable doesn’t exist, instead I had to update the paths under volumes manually.

  • docker create network should be docker network create

  • chmod 600 acme.json needs to be run

  • Docker-compose traefik.frontend.rule label must be set to proper domain otherwise it fails.

These were just quick notes I made while going through the process. Unfortunately, after getting through it, I then had a load of other errors (e.g. OAuth2 errors) and I had to abandon and go another direction.

Hope this helps 👍

Add proxy-traefik note to reaction-docs

This repo was hard to find for me, and also saved my day when trying to deploy with docker.

It would be great it to be mentioned on the docs, maybe it is and I didn't find it so easily?

Also, I understand docker-compose is not perfect for production, but since I'm launching a new website and expect 0 visits first day, I might go with it.

I'm guessing next steps would be to separate properly a mongodb cluster with sharding, replica_set, and what not.

And maybe the same for the hydra_postgresql instance.

I'm guessing kubernetes would be a next good step if one wanted to keep all in cloud services but controlling more the subjacent architecture or so.

Thanks for all your work, loving the framework, and can't wait for v3.0.0

The requested OAuth 2.0 Client does not exist.

Hello! I’m having trouble with hydra on my proxy-traefik deployment
Having found the repo is a godsend to deploy current 2.9.0 reaction-platform in a DO droplet, but I can’t get auth to work, and I’m not sure what I’m doing wrong. I found some issues from when the example-storefront repo was called next-starterkit, but I couldn’t debug it by myself!

I'm using all packages on v2.9

I get the following error when clicking on sign up or login in my storefront.

The OAuth2 request resulted in an error.
Error: invalid_client
Description: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)
Hint: The requested OAuth 2.0 Client does not exist.
Debug:
You are seeing this default error page because the administrator has not set a dedicated error URL (environment variable OAUTH2_ERROR_URL is not set). If you are an administrator, please read the guide to understand what you need to do. If you are a user, please contact the administrator.

reaction-hydra-hydra-1 logs

Creating reaction-hydra_hydra_1         ... done
Attaching to reaction-hydra_postgres_1, reaction-hydra_hydra-migrate_1, reaction-hydra_hydra_1
postgres_1       | 2019-11-18 14:04:24.956 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
postgres_1       | 2019-11-18 14:04:24.956 UTC [1] LOG:  listening on IPv6 address "::", port 5432
postgres_1       | 2019-11-18 14:04:24.959 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
postgres_1       | 2019-11-18 14:04:24.984 UTC [21] LOG:  database system was shut down at 2019-11-18 14:04:22 UTC
postgres_1       | 2019-11-18 14:04:25.009 UTC [1] LOG:  database system is ready to accept connections
hydra-migrate_1  | Applying `client` SQL migrations...
hydra-migrate_1  | Applied 0 `client` SQL migrations.
hydra-migrate_1  | Applying `oauth2` SQL migrations...
hydra-migrate_1  | Applied 0 `oauth2` SQL migrations.
hydra-migrate_1  | Applying `jwk` SQL migrations...
hydra-migrate_1  | Applied 0 `jwk` SQL migrations.
hydra-migrate_1  | Applying `consent` SQL migrations...
hydra-migrate_1  | Applied 0 `consent` SQL migrations.
hydra-migrate_1  | Migration successful! Applied a total of 0 SQL migrations.
hydra-migrate_1  | Migration successful!
reaction-hydra_hydra-migrate_1 exited with code 0
hydra_1          | Thank you for using ORY Hydra v1.0.0-beta.9!
hydra_1          | 
hydra_1          | Take security seriously and subscribe to the ORY Security Newsletter. Stay on top of new patches and security insights.
hydra_1          | 
hydra_1          | >> Subscribe now: http://eepurl.com/di390P <<
hydra_1          | time="2019-11-18T14:04:27Z" level=info msg="Connecting with postgres://*:*@postgres:5432/hydra?sslmode=disable"
hydra_1          | time="2019-11-18T14:04:27Z" level=info msg="Connected to SQL!"
hydra_1          | time="2019-11-18T14:04:27Z" level=info msg="Setting up Prometheus middleware"
hydra_1          | time="2019-11-18T14:04:27Z" level=info msg="Transmission of telemetry data is enabled, to learn more go to: https://www.ory.sh/docs/guides/latest/telemetry/"
hydra_1          | time="2019-11-18T14:04:27Z" level=info msg="Setting up http server on :4445"
hydra_1          | time="2019-11-18T14:04:27Z" level=warning msg="HTTPS disabled. Never do this in production."
hydra_1          | time="2019-11-18T14:04:27Z" level=info msg="Setting up http server on :4444"
hydra_1          | time="2019-11-18T14:04:27Z" level=warning msg="HTTPS disabled. Never do this in production."

Some steps of video not described in README

Hi,
excellent work to simplify the deploy of RC on DO.
I have this working BUT it requires the extra steps in your video:

  • apt update / apt upgrade
  • reboot
  • make start
  • optional: check w LazyDocker all services are up.

Also, the DNS (CAA and A records) need to be configured BEFORE you run the Ansible program as otherwise the certificate creation will fail.

I would suggest to add the above to the written tutorial.

We got this error when installing

Any ideas what cause this one?

failed: [reaction.server] (item=/home/reaction/reaction-development-platform/reaction-hydra/docker-compose.override.yml) => {"ansible_loop_var": "item", "changed": false, "item": "/home/reaction/reaction-development-platform/reaction-hydra/docker-compose.override.yml", "msg": "Path /home/reaction/reaction-development-platform/reaction-hydra/docker-compose.override.yml does not exist !", "rc": 257}
failed: [reaction.server] (item=/home/reaction/reaction-development-platform/reaction-identity/docker-compose.override.yml) => {"ansible_loop_var": "item", "changed": false, "item": "/home/reaction/reaction-development-platform/reaction-identity/docker-compose.override.yml", "msg": "Path /home/reaction/reaction-development-platform/reaction-identity/docker-compose.override.yml does not exist !", "rc": 257}

Volumes path in docker-compose.yml

Hi,

The reaction.yml script doesn't set the volumes path in docker-compose.yml according to {{create_user}} and {{proxy_dir}}

 - /home/reaction/proxy/traefik/traefik.yml:/traefik.yml:ro
 - /home/reaction/proxy/traefik/acme.json:/acme.jso

Upgrade to traefik v2

I've tried to use https://github.com/containous/traefik-migration-tool to upgrade both the acme.json and traefik.toml, acme works fine, but with TOML, since v2 is scraping the backends/frontends and going with middlewares and what not, needs to be manually rewritten I think.
traefik-migration-tool acme works fine, but

➜ traefik-migration-tool static
Redirect on entry point "http" must be converted manually. See https://docs.traefik.io/v2.0/middlewares/redirectscheme/
TLS on entry point "https" must be converted manually. See https://docs.traefik.io/v2.0/routing/routers/#tls
The domain (domain.com) defined in the Docker provider must be converted manually. See https://docs.traefik.io/v2.0/providers/docker/#defaultrule
The entry point (dashboard) defined in API must be converted manually. See https://docs.traefik.io/v2.0/operations/api/
The entry point (https) defined in the ACME configuration must be converted manually. See https://docs.traefik.io/v2.0/routing/routers/#certresolver

[Docs] Post-deployment Hardening Checklist

Opening this to make a place to jot down some basics for hardening the installation once deployed. Obviously these things are outside the scope of this project but this repo feels a timely place to communicate some basics. Nothing here should be misconstrued as security advice. Caveat lector.

  • Attempt to connect to your MongoDB using Compass with the connection string mongodb://api.example.com:27017 (update based on domain var). If you're able to access it without authenticating, shell into the droplet and change ports key in /home/reaction/reaction-development-platform/reaction/docker-compose.yml to expose, change the setting value to "27017" and restart the API with make stop-reaction && make start-reaction for settings to take effect.
  • Navigate a browser to admin.example.com (update based on domain var) and register a new user to assume the Owner role. Ownership is immediate and no service restarts are required.
  • Enable the BasicAuth middleware for traefik.domain.example. Detailed instructions here.
  • Review the .env files in each of the projects and modify PLACEHOLDERS as necessary.

Please add additional suggestions below.
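The first checklist item can also be verified from the compose file before anything is reachable. This added Python script (not part of the issue or the repository) scans a docker-compose.yml with a small line-based reader and reports whether any service publishes port 27017 on a non-loopback host address, the condition that switching `ports` to `expose` removes; the compose text is constructed, and the reader only understands the two-space layout shown.

```python
"""Flag MongoDB published on the host in a docker-compose.yml (added example,
not the repository's tooling). The compose text is constructed and the reader
is line-based: it understands only the two-space layout shown here."""

MONGO_PORT = 27017
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def published_ports(compose_text):
    """Return {service: [mapping, ...]} for entries under a `ports:` key,
    i.e. the ports docker-compose binds on the host (unlike `expose:`)."""
    result, service, section = {}, None, None
    for raw in compose_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 2 and line.endswith(":"):      # service name under services:
            service, section = line[:-1], None
        elif indent == 4 and line.endswith(":"):    # key inside the service
            section = line[:-1]
        elif indent > 4 and line.startswith("- ") and section == "ports":
            result.setdefault(service, []).append(line[2:].strip("\"'"))
    return result


def mongo_reachable_from_outside(compose_text):
    """True if a service publishes 27017 on a non-loopback host address,
    which is what the checklist's Compass connection test would reveal."""
    for mappings in published_ports(compose_text).values():
        for mapping in mappings:
            parts = mapping.split(":")              # [host_ip:]host_port:container_port
            host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"
            if int(parts[-1].split("/")[0]) == MONGO_PORT and host_ip not in LOOPBACK:
                return True
    return False


# Constructed sample in the shape the checklist describes: mongo publishes 27017.
BEFORE = """\
services:
  mongo:
    image: mongo:4.2
    ports:
      - "27017:27017"
"""
# Corrected form: the port stays reachable on the compose network only.
AFTER = BEFORE.replace('ports:\n      - "27017:27017"', 'expose:\n      - "27017"')
```

A mapping bound to 127.0.0.1 is also treated as not externally reachable, since the Compass test from another machine would not see it either.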
