Merge branch 'main' into ft-ldap

Author: Youssef-Harby

README.md

@@ -23,16 +23,36 @@ This project is a Dockerized application, and Docker Compose is used for the orc
 127.0.0.1       app.pygeoapi.local
 ```
 
-This step is necessary to resolve the local domains used in the Caddyfile.
+This step is necessary to resolve the local domains used in the Caddyfile or Nginx.
 
-1. **Start the Services:**
-   From the root directory of the project, start all the services using Docker Compose with the following command:
+2. **Start the Services :**
 
-```bash
-docker-compose up -d
-```
+   - ### Using Caddy
+
+     1. **Run the Services with Docker**:
+        From the root directory of the project, start all the services using Docker Compose with the following command:
+
+        ```bash
+        docker-compose up -d
+        ```
+
+   - ### Using Nginx
+
+   1. **Generate Self-Signed Certificates**:
+
+      > [!IMPORTANT]
+      > You must generate self-signed certificates for the local domains before starting the services.
+
+   Follow the provided instructions in [README.md](nginx/README.md) to generate self-signed certificates for the local domains or use your own certificates.
+
+   2. **Run the Services with Docker**:
+      From the root directory of the project, start all the services using Docker Compose with the following command:
+
+      ```bash
+      docker compose -f "docker-compose-nginx.yml" up -d
+      ```
 
-This command pulls the necessary Docker images and starts the services defined in docker-compose.yml.
+This command pulls the necessary Docker images and starts the services defined in docker-compose.yml (for Caddy) or docker-compose-nginx.yml (for Nginx).
 
 ## Testing Scenarios
 

authelia/configuration.yml

@@ -87,6 +87,7 @@ session:
   inactivity: 5m
   expiration: 1h
   remember_me: 5M
+<<<<<<< HEAD
   # Remove the `cookies` block if keeping `domain`, or vice versa
   domain: "pygeoapi.local"
   # cookies:
@@ -98,6 +99,17 @@ session:
   #     inactivity: "5m"
   #     expiration: "1h"
   #     remember_me: "1d"
+=======
+  cookies:
+    - domain: "pygeoapi.local"
+      authelia_url: "https://pygeoapi.local"
+      default_redirection_url: "https://app.pygeoapi.local/api"
+      name: "authelia_session"
+      same_site: "lax"
+      inactivity: "5m"
+      expiration: "1h"
+      remember_me: "1d"
+>>>>>>> main
 
   redis:
     host: redis

docker-compose-nginx.yml

@@ -0,0 +1,56 @@
+
+services:
+  nginx:
+    container_name: nginx
+    image: lscr.io/linuxserver/nginx
+    restart: unless-stopped
+    networks:
+      - nginx
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./nginx/site-confs:/config/nginx/site-confs
+      - ./nginx/snippets:/config/nginx/snippets
+      - ./nginx/certs:/config/ssl # see nginx/README.md to generate self signed certs in this directory
+    environment:
+      TZ: 'UTC'
+      DOCKER_MODS: 'linuxserver/mods:nginx-proxy-confs'
+
+  authelia:
+    container_name: authelia
+    image: authelia/authelia:4.38.9
+    restart: unless-stopped
+    networks:
+      - nginx
+    ports:
+      - 9091:9091
+    volumes:
+      - ./authelia:/config
+    depends_on:
+      - redis
+
+  redis:
+    container_name: redis
+    image: redis:7.0
+    restart: unless-stopped
+    networks:
+      - nginx
+
+  pygeoapi:
+    container_name: pygeoapi
+    image: geopython/pygeoapi:latest
+    volumes:
+      - ./pygeoapi-config.yml:/pygeoapi/local.config.yml
+    environment:
+      - SCRIPT_NAME=/api
+    depends_on:
+      - redis
+      - nginx
+      - authelia
+    networks:
+      - nginx
+
+networks:
+  nginx:
+    name: nginx

nginx/README.md

@@ -0,0 +1,23 @@
+## Generate SSL certificates for the Nginx
+
+```bash
+cd ./nginx/certs
+```
+
+### Generate a private key
+
+```bash
+openssl genpkey -algorithm RSA -out pygeoapi.key
+```
+
+### Generate a certificate signing request (CSR)
+
+```bash
+openssl req -new -key pygeoapi.key -out pygeoapi.csr -subj "/C=EG/ST=Cairo/L=Cairo/O=Pygeoapi/OU=IT Department/CN=\*.pygeoapi.local"
+```
+
+### Generate the self-signed certificate
+
+```bash
+openssl x509 -req -days 365 -in pygeoapi.csr -signkey pygeoapi.key -out pygeoapi.crt
+```

nginx/certs/.gitkeep

@@ -0,0 +1,85 @@
+server {
+    listen 80;
+    server_name pygeoapi.local app.pygeoapi.local;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name pygeoapi.local;
+
+    ssl_certificate /config/ssl/pygeoapi.crt;
+    ssl_certificate_key /config/ssl/pygeoapi.key;
+
+    location / {
+        proxy_pass http://authelia:9091;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name app.pygeoapi.local;
+
+    ssl_certificate /config/ssl/pygeoapi.crt;
+    ssl_certificate_key /config/ssl/pygeoapi.key;
+
+    location /authelia {
+        internal;
+        proxy_pass http://authelia:9091/api/verify;
+        proxy_set_header Content-Length "";
+        proxy_pass_request_body off;
+        proxy_set_header Host $host;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr; 
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header X-Forwarded-Uri $request_uri;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_set_header Proxy-Authorization $http_authorization;
+        proxy_redirect http:// $scheme://;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_cache_bypass $cookie_session;
+        proxy_no_cache $cookie_session;
+        proxy_buffers 4 32k;
+        client_body_buffer_size 128k;
+        send_timeout 5m;
+        proxy_read_timeout 240;
+        proxy_send_timeout 240;
+        proxy_connect_timeout 240;
+    }
+
+    location / {
+        auth_request /authelia;
+        auth_request_set $target_url $scheme://$http_host$request_uri;
+        auth_request_set $user $upstream_http_remote_user;
+        auth_request_set $groups $upstream_http_remote_groups;
+        proxy_set_header Remote-User $user;
+        proxy_set_header Remote-Groups $groups;
+        error_page 401 =302 https://pygeoapi.local/?rd=$target_url;
+
+        proxy_pass http://pygeoapi:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header X-Forwarded-Uri $request_uri;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_redirect http:// $scheme://;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_cache_bypass $cookie_session;
+        proxy_no_cache $cookie_session;
+        proxy_buffers 64 256k;
+        send_timeout 5m;
+        proxy_read_timeout 360;
+        proxy_send_timeout 360;
+        proxy_connect_timeout 360;
+    }
+}