Initial commit of supervisord+apache approach for gracedb

Dockerfile

@@ -4,12 +4,9 @@ LABEL name="LIGO GraceDB Django application" \
       date="20181206"
 ARG SETTINGS_MODULE="config.settings.container.dev"
 
-COPY docker/SWITCHaai-swdistrib.gpg /etc/apt/trusted.gpg.d
-RUN echo 'deb http://pkg.switch.ch/switchaai/debian stretch main' > /etc/apt/sources.list.d/shibboleth.list
 RUN curl -sL https://deb.nodesource.com/setup_8.x | bash -
-# the previous command executes apt-get update; if it is removed
-# one must add RUN apt-get update
-RUN apt-get install --install-recommends --assume-yes \
+RUN apt-get update
+RUN apt-get install --no-install-recommends --assume-yes \
         apache2 \
         gcc \
         git \
@@ -36,11 +33,7 @@ RUN apt-get install --install-recommends --assume-yes \
 
 COPY docker/supervisord.conf /etc/supervisor/supervisord.conf
 COPY docker/supervisord-apache2.conf /etc/supervisor/conf.d/apache2.conf
-COPY docker/shibboleth-ds /etc/shibboleth-ds
 COPY docker/apache-config /etc/apache2/sites-available/gracedb.conf
-COPY docker/login.ligo.org.cert.LIGOCA.pem /etc/shibboleth/login.ligo.org.cert.LIGOCA.pem
-COPY docker/inc-md-cert.pem /etc/shibboleth/inc-md-cert.pem
-
 RUN a2dissite 000-default.conf && \
     a2ensite gracedb.conf && \
     a2enmod headers proxy proxy_http rewrite xsendfile
@@ -48,10 +41,12 @@ RUN a2dissite 000-default.conf && \
 # this line is unfortunate because "." updates for nearly any change to the
 # repository and therefore docker build rarely caches the steps below
 ADD . /app/gracedb_project
-
-# install gracedb application itself
 WORKDIR /app/gracedb_project
+
+# Set up bower components
 RUN bower install --allow-root
+
+# Install Python packages
 RUN pip install --upgrade setuptools wheel && \
     pip install -r requirements.txt
 

docker/apache-config

+ServerName ${DJANGO_PRIMARY_FQDN}
+
+<VirtualHost *:80>
+  ServerName ${DJANGO_PRIMARY_FQDN}
+  ServerSignature On
+  ErrorLog /dev/stderr
+  Transferlog /dev/stdout
+
+  ServerAdmin cgca-admins@uwm.edu
+
+  ## Vhost docroot
+  DocumentRoot "/var/www/html"
+
+  ## Directories, there should at least be a declaration for /var/www/html
+
+  <Directory "/var/www/html">
+    Options Indexes FollowSymLinks MultiViews
+    AllowOverride None
+    Require all granted
+  </Directory>
+
+  ## Custom fragment
+  # gUnicorn edits
+  Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
+  Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
+  Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
+  Alias /static/ "/home/gracedb/gracedb_project/static_root/"
+  # Aliases for docs and admin_docs
+  Alias /documentation/ "/home/gracedb/gracedb_project/docs/user_docs/build/"
+  Alias /admin_docs/ "/home/gracedb/gracedb_project/docs/admin_docs/build/"
+  ProxyPass "/robots.txt" "!"
+  ProxyPass "/shibboleth-ds" "!"
+  ProxyPass "/Shibboleth.sso" "!"
+  ProxyPass "/static" "!"
+  ProxyPass "/documentation" "!"
+  ProxyPass "/admin_docs" "!"
+  ProxyPass "/" "http://localhost:8080/"
+
+  # Unset certain headers to help prevent spoofing
+  RequestHeader unset REMOTE_USER
+  RequestHeader unset ISMEMBEROF
+  RequestHeader unset X_FORWARDED_FOR
+  RequestHeader unset REMOTE_ADDR
+  RequestHeader unset SSL_CLIENT_S_DN
+  RequestHeader unset SSL_CLIENT_I_DN
+  RequestHeader unset X_FORWARDED_PROTO
+
+  # Get a few of them from the environment
+  RequestHeader set X_FORWARDED_FOR "%{X_FORWARDED_FOR}e" env=X_FORWARDED_FOR
+  RequestHeader set REMOTE_ADDR "%{REMOTE_ADDR}e" env=REMOTE_ADDR
+
+  # Set X_FORWARDED_PROTO to https
+  RequestHeader set X_FORWARDED_PROTO "https"
+
+  # Set up mod_xsendfile for serving static event files as directed by Django
+  XSendFile On
+  XSendFilePath /opt/gracedb/data
+
+  Alias /shibboleth-ds/idpselect_config.js /etc/shibboleth-ds/idpselect_config.js
+  Alias /shibboleth-ds/idpselect.js /etc/shibboleth-ds/idpselect.js
+  Alias /shibboleth-ds/idpselect.css /etc/shibboleth-ds/idpselect.css
+
+  <Directory /etc/shibboleth-ds>
+      Require all granted
+  </Directory>
+
+  # Deny access to the DocumentRoot. This makes it possible to upload
+  # large files. See notes.
+  <Directory "/var/www/">
+      Require all denied
+  </Directory>
+
+  <Directory "/home/gracedb/gracedb_project/static_root/">
+      AllowOverride None
+      Options None
+      Require all granted
+  </Directory>
+
+  Alias /robots.txt /home/gracedb/gracedb_project/static_root/robots.txt
+
+</VirtualHost>

docker/supervisord-apache2.conf

+[program:apache2]
+command=/usr/sbin/apache2ctl -DFOREGROUND
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
+redirect_stderr=true

docker/supervisord.conf

+; supervisor config file
+
+[unix_http_server]
+file=/var/run/supervisor.sock   ; (the path to the socket file)
+chmod=0700                       ; sockef file mode (default 0700)
+username=k7zsaqyt9vQZByiAXTpG4iyKUIKQxDQh
+password=k7zsaqyt9vQZByiAXTpG4iyKUIKQxDQh
+
+[supervisord]
+nodaemon=true
+user=root
+pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+logfile=/dev/null
+logfile_maxbytes=0
+
+; the below section must remain in the config file for RPC
+; (supervisorctl/web interface) to work, additional interfaces may be
+; added by defining them in separate rpcinterface: sections
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL  for a unix socket
+username=k7zsaqyt9vQZByiAXTpG4iyKUIKQxDQh
+password=k7zsaqyt9vQZByiAXTpG4iyKUIKQxDQh
+
+; The [include] section can just contain the "files" setting.  This
+; setting can list multiple files (separated by whitespace or
+; newlines).  It can also contain wildcards.  The filenames are
+; interpreted as relative to this file.  Included files *cannot*
+; include files themselves.
+
+[include]
+files = /etc/supervisor/conf.d/*.conf