HTTPS migration for repromon Web server.

.dockerignore

@@ -1,3 +1,4 @@
 venv
 .git
 dist
+certs

.env.local

@@ -9,10 +9,20 @@ ENV_NAME=local
 # WEB_PATH_AT_HOST=./services/web
 # DB_PATH_AT_HOST=./services/db
 
-
-WEB_HOST=127.0.0.1
+# public web server info
+WEB_HOST=localhost
 WEB_PORT=9095
 
+# internal web server socket bind address
+WEB_BIND_ADDRESS=127.0.0.1
+WEB_BIND_PORT=${WEB_PORT}
+
+# SSL certificate/key path
+WEB_SSL_KEY_PATH={@ROOT_PATH}/certs/${WEB_HOST}.key
+WEB_SSL_CERT_PATH={@ROOT_PATH}/certs/${WEB_HOST}.pem
+# WEB_SSL_KEY_PATH_AT_HOST=./certs/${WEB_HOST}.key
+# WEB_SSL_CERT_PATH_AT_HOST=./certs/${WEB_HOST}.pem
+
 # admin initial password
 INITIAL_ADMIN_PASSWORD=password
 

.gitignore

@@ -17,3 +17,4 @@ services
 .tox/
 venv
 venvs
+certs

README.md

@@ -10,6 +10,19 @@ separately.
 
 ## System Setup
 
+### SSL Certificates
+
+For development purposes should be created self-signed SSL certificate to be used for HTTPS/WSS
+communications under ./certs/ directory and named as '${WEB_HOST}.key' and '${WEB_HOST}.pem'. Below
+listed script to generate these files for "localhost" domain:
+
+    WEB_HOST=localhost && mkdir -p ./certs && openssl req -x509 -nodes -newkey rsa:4096 -keyout ./certs/$WEB_HOST.key -out ./certs/$WEB_HOST.crt -days 3650 -subj "/CN=$WEB_HOST" && openssl x509 -in ./certs/$WEB_HOST.crt -out ./certs/$WEB_HOST.pem -outform PEM
+
+In DEV/QA/UAT and other environments WEB_HOST should be specified to real DNS or IP address value
+end-user and backend clients will use to communicate with the repromon server. Also this value should
+be the same as WEB_HOST variable in '.env.*' file.
+
+For production deployment should be used SSL certificate from trusted authorities.
 
 ### Podman / Docker Environment
 There is a `template.env.dev` file with a configuration for a typical setup, but it has fields to fill in.

docker-compose.dev.yml

@@ -23,6 +23,8 @@ services:
     volumes:
       - ${WEB_PATH_AT_HOST}/instance:/app/instance
       - ./.env.dev:/app/.env.local
+      - ${WEB_SSL_KEY_PATH_AT_HOST}:${WEB_SSL_KEY_PATH}
+      - ${WEB_SSL_CERT_PATH_AT_HOST}:${WEB_SSL_CERT_PATH}
 
   db:
     image: docker.io/postgres:latest

repromon.ini

@@ -42,8 +42,10 @@ pool_recycle=3600
 
 [uvicorn]
 # fastapi uvicorn configuration
-host=${WEB_HOST}
-port=${WEB_PORT}
+host=${WEB_BIND_ADDRESS}
+port=${WEB_BIND_PORT}
+ssl_keyfile=${WEB_SSL_KEY_PATH}
+ssl_certfile=${WEB_SSL_CERT_PATH}
 #workers=4
 #reload=True
 #log_level=debug

repromon_app/config.py

@@ -63,8 +63,8 @@ class UvicornConfig(BaseSectionConfig):
     # timeout_keep_alive: Optional[int] = 5
     # limit_concurrency: Optional[int] = 100
     # limit_max_requests: Optional[int] = 0
-    # ssl_keyfile: Optional[str] = None
-    # ssl_certfile: Optional[str] = None
+    ssl_keyfile: Optional[str] = None
+    ssl_certfile: Optional[str] = None
 
 
 class AppConfig:

repromon_tools/test_send_message.py

@@ -3,9 +3,9 @@
 import copy
 import json
 import logging.config
+import os
 import random
 import time
-import os
 from datetime import datetime, timedelta
 
 import requests
@@ -18,7 +18,7 @@
 logger.debug(f"name={__name__}")
 
 
-API_BASE_URL = os.environ.get('REPROMON_API_URL', "http://localhost:9095/api/1")
+API_BASE_URL = os.environ.get('REPROMON_API_URL', "https://localhost:9095/api/1")
 ACCESS_TOKEN = os.environ.get('REPROMON_ACCESS_TOKEN')
 API_KEY = os.environ.get('REPROMON_API_KEY')
 

template.env.dev

@@ -9,9 +9,20 @@ ENV_NAME=dev
 WEB_PATH_AT_HOST=./services/web
 DB_PATH_AT_HOST=./services/db
 
-WEB_HOST=0.0.0.0
+# public web server info
+WEB_HOST=localhost
 WEB_PORT=9095
 
+# internal web server socket bind address
+WEB_BIND_ADDRESS=0.0.0.0
+WEB_BIND_PORT=$WEB_PORT
+
+# SSL certificate/key path
+WEB_SSL_KEY_PATH=/etc/repromon/certs/${WEB_HOST}.key
+WEB_SSL_CERT_PATH=/etc/repromon/certs/${WEB_HOST}.pem
+WEB_SSL_KEY_PATH_AT_HOST=./certs/${WEB_HOST}.key
+WEB_SSL_CERT_PATH_AT_HOST=./certs/${WEB_HOST}.key
+
 # admin initial password
 INITIAL_ADMIN_PASSWORD=TODO_initial_admin_password