
Updating README and providing new configuration files for step-by-step commissioning.

Andrej Studen 2 周之前
父节点
当前提交
a880a1c527
共有 4 个文件被更改,包括 96 次插入44 次删除
  1. 35 1
      README.md
  2. 18 0
      config/conf.d/http.conf.off
  3. 13 19
      config/conf.d/https.conf.off
  4. 30 24
      config/conf.d/labkey.conf.off

+ 35 - 1
README.md

@@ -12,4 +12,38 @@ bit `envProxy.sh` let's you set:
 to the network of the same name in respective compose files.
 - `DOCKERCOMPOSE`: which docker compose to use, legacy version came with a dash.
 
-- 
+## Building the configuration
+
+The configuration for nginx sites should be placed in `config/conf.d`, and `http.conf.off` is an example
+forserving a (trivial) http only site. For starters, change suffixes of all other files in `conf.d` to 
+`conf.off` and only enable `http.conf`, and start the server via:
+
+```bash
+bin/startRProxy.sh
+```
+
+Accessing `http://localhost` should show you the default landing page with some text attesting to the fact.
+
+EXPERT CORNER: The `rproxy` server out of the box provides a `nginx.conf` file, where a statement
+drives the proxy to include files ending in `.conf`. Changing suffix to `conf.off` discards such files from `nginx`
+consideration
+
+For SSL, you should obtain SSL certificate either through your own CA or a CA service like [certbot][]. Then
+update `https.conf.off` accordingly and activate it by changing suffix to `.conf`, and disable plain http by
+adding suffix `.off`. For the first test, disable client verification (set `ssl_verify_client` to `off`). Try 
+accessing the page again to validate for SSL access. If you have a client certificate matching the CA, you can 
+set verification to `on` and check client verification as well.
+
+For redirecting to embedded service like labkey, look at `labkey.conf.off` and adjust `proxy_pass` directive
+to reflect your setup. You may use directory based or server name based redirection to services, in the 
+later case `server_name` directive will drive service selection.
+
+## Starting, stopping and reloading
+
+Utility scripts in `bin` allow to start, `startRproxy.sh`, stop `stopRproxy.sh` and reload configuration, `reloadRproxy.sh`.
+
+EXPERT CORNER: There are also `startNetwork.sh` and `stopNetwork.sh` utility scripts, where range of IP addresses
+can be set, which can be useful in local IP clash avoidance.
+
+[certbot]: https://certbot.eff.org
+ 

+ 18 - 0
config/conf.d/http.conf.off

@@ -0,0 +1,18 @@
+server {
+    listen       80;
+    listen  [::]:80;
+    server_name localhost
+# for real application, put your server name here
+    #server_name your.server.name ie. merlin.fmf.uni-lj.si
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+    
+    location /{
+	root /var/www/landing;	
+    }
+ 
+}
+
+
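Review bot: `server_name localhost` on the fourth line of the new file is not terminated by `;`, and because nginx discards the two comment lines that follow it, the directive runs on into `error_page 500 502 503 504 /50x.html;` — once the file is enabled by renaming it to `http.conf`, it is either rejected at config load or, if `server_name` accepts the extra tokens, the error_page mapping is silently lost and those tokens become bogus server names. It should read `    server_name localhost;`. The same missing semicolon appears in the first hunk of `config/conf.d/https.conf.off` (`server_name localhost` followed by `return 301 ...`), where the run-on would swallow the redirect directive instead.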

+ 13 - 19
config/conf.d/default.conf → config/conf.d/https.conf.off

@@ -2,13 +2,13 @@ upstream xlabkey{
   server labkey-web:8080;
 }
 
-#HTTP -> redirect
-#server {
-#    listen       80;
-#    listen  [::]:80;
-#    server_name merlin.fmf.uni-lj.si;
-#    return 301 https://$host$request_uri;
-#}
+HTTP -> redirect
+server {
+    listen       80;
+    listen  [::]:80;
+    server_name localhost
+    return 301 https://$host$request_uri;
+}
 
 
 
@@ -18,17 +18,22 @@ server {
     listen 443 ssl;
     listen [::]:443 ssl; 
     server_name localhost;
+#in production, real server name should be used, ie for merlin.fmf.uni-lj.si do
+#	server_name merlin.fmf.uni-lj.si
 
     charset utf-8;
     keepalive_timeout 5;
     
     #SSL
+#provide suitable SSL certificates (not shipped with container)
     ssl_certificate /var/www/localhostBundle.crt;
     ssl_certificate_key /var/www/localhost.key;
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;
 
+#if you want to check for user certificates, also set verify_client to on
+#and provide a CA certificate (chain) to validate against
     ssl_verify_client on;
     ssl_client_certificate /var/www/NIXLJU-CA_chain.crt;
 
@@ -46,20 +51,9 @@ server {
         root   /usr/share/nginx/html;
     }
     
-#    location /{
-#	root /var/www/landing;	
-#    }
     location /{
-	proxy_pass http://labkey-web:8080/;
-#	proxy_redirect http://labkey-web:8080/ https://merlin.fmf.uni-lj.si/;
-#	proxy_redirect https://xlabkey/ https://merlin.fmf.uni-lj.si/;
-#	proxy_set_header Host $proxy_host;
-#	proxy_set_header X-Real-IP $remote_addr;
-#	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#	proxy_set_header X-Forwarded-Proto $scheme;
-	#client_max_body_size 0;
+	root /var/www/landing;	
     }
-    #
 
 }
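Review bot: The first hunk turns the `#HTTP -> redirect` comment into the bare line `HTTP -> redirect`, which nginx will reject as an unknown directive as soon as this file is activated as `https.conf`; it should read `#HTTP -> redirect`. The `server_name localhost` line of that redirect block also lacks its `;` (detailed in the note on `http.conf.off`). In the second hunk the added comment says to "also set verify_client to on", yet the directive beneath it is already `ssl_verify_client on;`, which contradicts the README step of testing with verification off first and means a fresh checkout without `/var/www/NIXLJU-CA_chain.crt` fails at config load; either ship it as `ssl_verify_client off;` (or `optional`) with the comment describing when to switch it on, or keep `on` and reword the comment to state that verification is enabled and the CA chain file must exist before the site is turned on.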
 

+ 30 - 24
config/conf.d/labkey.conf.off

@@ -1,39 +1,41 @@
-#Copy invenio stuff directly to rproxy to avoid multiple forwarding and associated confusion
-#In essence, rproxy replaces invenion frontend
-
-upstream labkey {
+upstream xlabkey{
   server labkey-web:8080;
-#could add more servers for load balancing
 }
 
 #HTTP -> redirect
-server {
-    listen       80;
-    listen  [::]:80;
-    server_name labkey-klimt-local.fmf.uni-lj.si;
-    return 301 https://$host$request_uri;
-}
+#server {
+#    listen       80;
+#    listen  [::]:80;
+#    server_name merlin.fmf.uni-lj.si;
+#    return 301 https://$host$request_uri;
+#}
+
+
 
 
 #HTTPS
 server {
     listen 443 ssl;
     listen [::]:443 ssl; 
-    server_name labkey-klimt-local.fmf.uni-lj.si;
+    server_name localhost;
 
     charset utf-8;
     keepalive_timeout 5;
     
     #SSL
-    ssl_certificate /var/www/labkey-klimt-localBundle.crt;
-    ssl_certificate_key /var/www/labkey-klimt-local.key;
+    ssl_certificate /var/www/localhostBundle.crt;
+    ssl_certificate_key /var/www/localhost.key;
     ssl_session_timeout 1d;
     ssl_session_cache shared:SSL:50m;
     ssl_session_tickets off;
 
+    ssl_verify_client on;
+    ssl_client_certificate /var/www/NIXLJU-CA_chain.crt;
+
     #Hardening
     # Accepted protocols and ciphers
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_protocols TLSv1.2;
     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
     ssl_prefer_server_ciphers on;
 
@@ -43,17 +45,21 @@ server {
     location = /50x.html {
         root   /usr/share/nginx/html;
     }
-
+    
+#    location /{
+#	root /var/www/landing;	
+#    }
     location /{
-	proxy_ssl_trusted_certificate /var/www/NIXLJU-CA_chainOld.crt;
-	proxy_pass http://labkey/;
-	#proxy_redirect http://labkey/ https://labkey-klimt-local.fmf.uni-lj.si/;
-	proxy_redirect http://labkey/ https://klimt.fmf.uni-lj.si/;
- 	#proxy_set_header Host $host;	
-	client_max_body_size 0;
+	proxy_pass http://labkey-web:8080/;
+#	proxy_redirect http://labkey-web:8080/ https://merlin.fmf.uni-lj.si/;
+#	proxy_redirect https://xlabkey/ https://merlin.fmf.uni-lj.si/;
+#	proxy_set_header Host $proxy_host;
+#	proxy_set_header X-Real-IP $remote_addr;
+#	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#	proxy_set_header X-Forwarded-Proto $scheme;
+	#client_max_body_size 0;
     }
-    #no heroics. Since frontend is a virtual server, use http
-    #I believe there is an https redirect as deep as the uiwsg web-ui engine, hence SSL must be maintained
+    #
 
 }
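Review bot: In the second hunk the rewritten `location /` proxies to `http://labkey-web:8080/` with every `proxy_set_header` line commented out, so the backend receives `Host: labkey-web:8080` (nginx's default `$proxy_host`) and no `X-Forwarded-For` or `X-Forwarded-Proto`; behind a TLS-terminating proxy that verifies client certificates, that means the application cannot tell the request arrived over HTTPS and its logs and any address-based checks only ever see the proxy's IP rather than the client's. I would enable the four forwarding headers, with `Host $host` instead of `$proxy_host` (presumably what the commented `proxy_redirect` rewrite to the public name was compensating for — worth confirming against the application). The `upstream xlabkey` block added in the first hunk is not referenced by this `proxy_pass`, so either point it at `http://xlabkey/` or drop the unused block.
```nginx
    location /{
	proxy_pass http://labkey-web:8080/;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	# … unchanged: client_max_body_size comment …
    }
```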