Deployment¶
MARV’s frontend uses a service worker, which requires HTTPS for non-localhost access. You can either use a self-signed certificate or Let’s Encrypt. The latter only if your webserver is accessible from the internet.
For production usage we strongly recommend to use nginx as a reverse-proxy. The increased setup overhead is justified by greatly increased performance for serving large files.
Two deployments are described here in short:
Gunicorn with a self-signed certificate, and
nginx as a proper front-facing webserver with a Let’s Encrypt certificate
Gunicorn with self-signed certificate¶
Gunicorn supports HTTPS out of the box with the limitation that it cannot serve HTTP and HTTPS simultaneously. To activate HTTPS mode you only need to provide Gunicorn with a certificate and corresponding keyfile.
Generate self-signed certificate¶
openssl genrsa -out sites/example/gunicorn-ssl.key 2048
openssl req -new -key sites/example/gunicorn-ssl.key \
-out sites/example/gunicorn-ssl.csr
openssl x509 -req -days 3650 \
-in sites/example/gunicorn-ssl.csr \
-signkey sites/example/gunicorn-ssl.key \
-out sites/example/gunicorn-ssl.crt
Adjust gunicorn_cfg.py¶
Enable https in sites/example/gunicorn_cfg.py
by adding.
...
certfile = 'gunicorn-ssl.crt'
keyfile = 'gunicorn-ssl.key'
...
Restart Gunicorn.
(venv) $ gunicorn --config sites/example/gunicorn_cfg.py marv.app.wsgi:create_app
Errors¶
ValueError: certfile "gunicorn-ssl.crt" does not exist
This means Gunicorn could not find the SSL certificate which should be right
next to sites/example/gunicorn_cfg.py
(see above).
Gunicorn behind NGINX¶
References:
When working behind a revese proxy MARV’s default Gunicorn config will work without change.
nginx config¶
Nginx allows marv to offload serving data from disk which is especially useful for large files. Adjust the paths of the nested internal location block to point to your store, within the docker container and outside of the docker container, under the assumption, that nginx is running directly on your host system. In case you are running marv in a virtual environment also directly on the host system, the paths are identical. For a self-signed certificate create it as above, remove ssl_trusted_certificate
below and adjust ssl_certificate
and ssl_certificate_key
below accordingly.
server {
server_name example.com;
listen 80;
return 301 https://$host$request_uri;
}
server {
server_name example.com;
listen 443 ssl http2;
include /usr/lib/python3.7/site-packages/certbot_nginx/tls_configs/options-ssl-nginx.conf;
ssl_stapling_verify on;
ssl_stapling on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
location / {
location /docker/container/path/to/store {
internal;
alias /host/path/to/store;
}
location /scanroot {
internal;
alias /host/path/to/scanroot;
}
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass 127.0.0.1:8000;
}
location /other_instance {
location /other_instance/docker/container/path/to/store {
internal;
alias /host/path/to/store;
}
location /other_instance/scanroot {
internal;
alias /host/path/to/other/scanroot;
}
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass 127.0.0.1:8000;
}
}