

Merge branch 'cerbot'
bcrickboom committed Jun 27, 2024
2 parents 0e40c16 + 2638b9c commit 9b649e6
Showing 11 changed files with 205 additions and 69 deletions.
27 changes: 27 additions & 0 deletions .github/workflows/build-orthanc-share.yml
Expand Up @@ -43,6 +43,15 @@ jobs:
org.opencontainers.image.title=orthanc-nginx
org.opencontainers.image.vendor=Orthanc Team SRL
- name: Extract metadata (tags, labels) for Docker (orthanc-nginx-certbot)
id: meta-orthanc-nginx-certbot
uses: docker/metadata-action@v4
with:
images: orthancteam/orthanc-nginx-certbot
labels: |
org.opencontainers.image.title=orthanc-nginx-certbot
org.opencontainers.image.vendor=Orthanc Team SRL
- name: Extract metadata (tags, labels) for Docker (orthanc-auth-service)
id: meta-orthanc-auth-service
uses: docker/metadata-action@v4
Expand Down Expand Up @@ -97,6 +106,15 @@ jobs:
tags: ${{ steps.meta-orthanc-nginx.outputs.tags }}
labels: ${{ steps.meta-orthanc-nginx.outputs.labels }}

- name: Build and push orthanc-nginx-certbot Docker image
uses: docker/build-push-action@v4
with:
context: sources/
file: sources/nginx/Dockerfile.orthanc-nginx-certbot
push: true
tags: ${{ steps.meta-orthanc-nginx-certbot.outputs.tags }}
labels: ${{ steps.meta-orthanc-nginx-certbot.outputs.labels }}

- name: Build and push orthanc-auth-service Docker image
uses: docker/build-push-action@v4
with:
Expand Down Expand Up @@ -151,6 +169,15 @@ jobs:
short-description: Web service to run in front of Orthanc to handle sharing of studies & admin access
readme-filepath: sources/README-dockerhub-orthanc-nginx.md

- name: Docker Hub Description (orthanc-nginx-certbot)
uses: peter-evans/dockerhub-description@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
repository: orthancteam/orthanc-nginx-certbot
short-description: Web service to run in front of Orthanc to handle sharing of studies & admin access (including certbot)
readme-filepath: sources/README-dockerhub-orthanc-nginx-certbot.md

- name: Docker Hub Description (orthanc-auth-service)
uses: peter-evans/dockerhub-description@v3
with:
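Review bot: The three new steps reference third-party actions by mutable tag (`docker/metadata-action@v4`, `docker/build-push-action@v4`, `peter-evans/dockerhub-description@v3`), and the last one receives `secrets.DOCKER_USERNAME` / `secrets.DOCKER_PASSWORD`; this follows the convention of the surrounding steps, so it is a file-wide point rather than a defect of this commit. Pinning each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `uses: peter-evans/dockerhub-description@<commit-sha> # v3`, keeps a moved tag from silently changing what runs with the Docker Hub credentials. The paths the new push step and description step depend on (`sources/nginx/Dockerfile.orthanc-nginx-certbot`, `sources/README-dockerhub-orthanc-nginx-certbot.md`) are both added in this commit, so they resolve.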
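--- a/sources/README-dockerhub-orthanc-nginx-certbot.md
+++ b/sources/README-dockerhub-orthanc-nginx-certbot.md
@@ -0,0 +1,19 @@
+<!--
+SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
+SPDX-License-Identifier: CC0-1.0
+-->
+
+# Orthanc-nginx-cerbot
+
+Same as [orthancteam/orthanc-nginx](https://hub.docker.com/r/orthancteam/orthanc-nginx) with certbot included to handle tls thanks to let'encrypt.
+
+On top of [orthancteam/orthanc-nginx](https://hub.docker.com/r/orthancteam/orthanc-nginx) env var, these have to be defined:
+
+
+| Environment variables | Default value | Description |
+|----------------------------|:-------------------------------------------|:----------------------------------------------------------------------------------------------------------------|
+| DOMAIN_NAME | - | FQNA redirecting to the public IP of the server running Nginx. |
+| CERTBOT_EMAIL | - | Email adress provided to lets'encrypt, could be used to send warnings about certificates about to expire. |
+
+NB: `ENABLE_HTTPS` env var decribed in [orthancteam/orthanc-nginx](https://hub.docker.com/r/orthancteam/orthanc-nginx) is not applicable in this version of the orthanc-nginx.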
4 changes: 3 additions & 1 deletion sources/nginx/Dockerfile.orthanc-nginx
Expand Up @@ -6,12 +6,14 @@ FROM nginx:1.23

RUN mkdir /etc/nginx/enabled-reverse-proxies
RUN mkdir /scripts
ADD nginx/nginx-common.conf /etc/nginx/includes/

ADD nginx/reverse-proxy.* /etc/nginx/disabled-reverse-proxies/

ADD nginx/orthanc-nginx-*.conf /etc/nginx/disabled-conf/
ADD nginx/orthanc-nginx-http*.conf /etc/nginx/disabled-conf/

COPY nginx/docker-entrypoint.sh /scripts/
COPY nginx/copy-conf-files.sh /scripts/

RUN ls -al /etc/nginx/disabled-reverse-proxies/

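Review bot: The two added instructions copy plain local files with `ADD` (`ADD nginx/nginx-common.conf …`, `ADD nginx/orthanc-nginx-http*.conf …`), which carries archive-extraction and URL semantics that are not wanted here; `COPY` is the explicit form (hadolint DL3020), and the file already uses `COPY` for the two scripts just below. The glob narrowed from `orthanc-nginx-*.conf` to `orthanc-nginx-http*.conf` presumably exists to keep the new `orthanc-nginx-certbot.conf` out of this image, which deserves a line above it: `# http* only: orthanc-nginx-certbot.conf belongs to the certbot image`. The `RUN ls -al …` at the end of the hunk creates an image layer for a build-time listing; dropping it, or folding it into a preceding `RUN` when it is needed for debugging, avoids that layer.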
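--- a/sources/nginx/Dockerfile.orthanc-nginx-certbot
+++ b/sources/nginx/Dockerfile.orthanc-nginx-certbot
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+FROM jonasal/nginx-certbot
+
+RUN mkdir /etc/nginx/enabled-reverse-proxies
+RUN mkdir /scripts-ot
+ADD nginx/nginx-common.conf /etc/nginx/includes/
+
+ADD nginx/reverse-proxy.* /etc/nginx/disabled-reverse-proxies/
+
+ADD nginx/orthanc-nginx-certbot.conf /etc/nginx/user_conf.d/
+
+COPY nginx/docker-entrypoint-certbot.sh /scripts-ot/
+COPY nginx/copy-conf-files.sh /scripts-ot/
+
+RUN ls -al /etc/nginx/disabled-reverse-proxies/
+
+ENTRYPOINT ["./scripts-ot/docker-entrypoint-certbot.sh"]
+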
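Review bot: `FROM jonasal/nginx-certbot` carries no tag, so every build resolves `:latest` and the base this commit was tested against can change underneath later builds; the sibling `Dockerfile.orthanc-nginx` pins `nginx:1.23`, so pin here as well, `FROM jonasal/nginx-certbot:<pinned-tag>` (plus a digest for production builds). `ENTRYPOINT ["./scripts-ot/docker-entrypoint-certbot.sh"]` is a relative path that only works while the working directory inherited from the base image is `/`; `ENTRYPOINT ["/scripts-ot/docker-entrypoint-certbot.sh"]` removes that dependency, and `COPY --chmod=755` on the two script lines makes the executable bit independent of the checkout's file modes. As in the sibling Dockerfile, `ADD` is used for plain local files where `COPY` is the explicit choice, and `RUN ls -al …` adds a layer for a build-time listing only.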
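--- a/sources/nginx/copy-conf-files.sh
+++ b/sources/nginx/copy-conf-files.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+## configuration files management
+
+# first (and only) arg should be a boolean:
+# 'true' --> https
+# 'false'--> http
+
+set -o errexit
+
+# get https
+if [ "$1" == true ]; then
+https=true
+else
+https=false
+fi
+
+enableOrthanc="${ENABLE_ORTHANC:-false}"
+enableOrthancForApi="${ENABLE_ORTHANC_FOR_API:-false}"
+enableOrthancForShares="${ENABLE_ORTHANC_FOR_SHARES:-false}"
+enableKeycloak="${ENABLE_KEYCLOAK:-false}"
+enableOrthancTokenService="${ENABLE_ORTHANC_TOKEN_SERVICE:-false}"
+enableOhif="${ENABLE_OHIF:-false}"
+enableMedDream="${ENABLE_MEDDREAM:-false}"
+
+ls -al /etc/nginx/disabled-reverse-proxies/
+
+if [[ $enableOrthanc == "true" ]]; then
+echo "ENABLE_ORTHANC is true -> enable /orthanc/ reverse proxy"
+cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.orthanc.conf /etc/nginx/enabled-reverse-proxies/
+fi
+
+if [[ $enableOrthancForApi == "true" ]]; then
+echo "ENABLE_ORTHANC_FOR_API is true -> enable /orthanc-api/ reverse proxy"
+cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.orthanc-api.conf /etc/nginx/enabled-reverse-proxies/
+fi
+
+if [[ $enableOrthancForShares == "true" ]]; then
+echo "ENABLE_ORTHANC_FOR_SHARES is true -> enable /shares/ reverse proxy"
+cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.shares.conf /etc/nginx/enabled-reverse-proxies/
+fi
+
+if [[ $enableKeycloak == "true" ]]; then
+if [[ $https == "true" ]]; then
+echo "ENABLE_KEYCLOAK is true and ENABLE_HTTPS is true -> enable /keycloak/ reverse proxy in https version"
+cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-https.conf /etc/nginx/enabled-reverse-proxies/
+else
+echo "ENABLE_KEYCLOAK is true and ENABLE_HTTPS is false -> enable /keycloak/ reverse proxy in http version"
+cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-http.conf /etc/nginx/enabled-reverse-proxies/
+fi
+fi
+
+if [[ $enableOrthancTokenService == "true" ]]; then
+echo "ENABLE_ORTHANC_TOKEN_SERVICE is true -> enable /token-service/ reverse proxy"
+cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.token-service.conf /etc/nginx/enabled-reverse-proxies/
+fi
+
+if [[ $enableMedDream == "true" ]]; then
+echo "ENABLE_MEDDREAM is true -> enable /meddream/ reverse proxy"
+cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.meddream.conf /etc/nginx/enabled-reverse-proxies/
+fi
+
+if [[ $enableOhif == "true" ]]; then
+echo "ENABLE_OHIF is true -> enable /ohif/ reverse proxy"
+cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.ohif.conf /etc/nginx/enabled-reverse-proxies/
+fi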
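Review bot: The argument check `if [ "$1" == true ]` silently selects the http configuration for any value other than exactly `true` — a missing argument or a spelling such as `TRUE` included — although the header comment declares the argument a required boolean; a wrong call therefore switches the TLS-specific keycloak snippet off without any error. Validating `$1` up front and failing loudly on anything else keeps a mistyped `ENABLE_HTTPS` from reaching nginx as a plain-http deployment; if some callers are known to pass other spellings, keep the fallback but at least print a warning. The `echo` lines in the keycloak branch still say `ENABLE_HTTPS is true` / `ENABLE_HTTPS is false` although the script now receives that choice as `$1` (the certbot entrypoint passes a literal `true`), so `https is true` / `https is false` would describe what is actually tested. The `ls -al /etc/nginx/disabled-reverse-proxies/` before the copies writes a directory listing into the container log on every start and can go.
```shell
# first (and only) arg must be exactly 'true' (https) or 'false' (http)
case "$1" in
  true)  https=true ;;
  false) https=false ;;
  *)     echo "Error: expected 'true' or 'false' as first argument, got '${1:-}'" >&2; exit 1 ;;
esac
# … unchanged: enable* variables and reverse-proxy copies …
```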
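--- a/sources/nginx/docker-entrypoint-certbot.sh
+++ b/sources/nginx/docker-entrypoint-certbot.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# set -o xtrace
+set -o errexit
+
+# configuration files management (true for https)
+
+./scripts-ot/copy-conf-files.sh true
+
+# domain name management
+
+if [ -z "${DOMAIN_NAME}" ]; then
+echo "Error: DOMAIN_NAME is not set or is empty."
+exit 1
+fi
+domainName="${DOMAIN_NAME}"
+
+sed -i "s/domain-name-placeholder/${domainName}/g" /etc/nginx/user_conf.d/orthanc-nginx-certbot.conf
+
+# run ngix-certbot original entrypoint
+./scripts/start_nginx_certbot.sh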
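Review bot: `DOMAIN_NAME` is spliced unescaped into the `sed -i "s/domain-name-placeholder/${domainName}/g"` expression and, through it, into `server_name` and the three `ssl_certificate*` paths of `orthanc-nginx-certbot.conf`; a value containing `/`, `&`, `\` or a newline either breaks the substitution or writes unintended text into the nginx config. Only the `-z` check exists, so constrain the value to hostname characters before the `sed`, e.g. `[[ "${DOMAIN_NAME}" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "Error: DOMAIN_NAME is not a valid hostname." >&2; exit 1; }`. The final `./scripts/start_nginx_certbot.sh` is not `exec`'d, so bash stays PID 1 in front of the base image's entrypoint and the container's stop signal is delivered to bash rather than to it; `exec /scripts/start_nginx_certbot.sh` (absolute, as the relative path already assumes a working directory of `/`) fixes both the signal path and the working-directory dependence, and the same absolute form suits the `./scripts-ot/copy-conf-files.sh true` call above. The README added in this commit lists `CERTBOT_EMAIL` as required but nothing here checks it; presumably the base image's script consumes it, so an early `-z` check like the one for `DOMAIN_NAME` would give a clearer failure.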
49 changes: 1 addition & 48 deletions sources/nginx/docker-entrypoint.sh
Expand Up @@ -7,14 +7,7 @@
# set -o xtrace
set -o errexit

enableOrthanc="${ENABLE_ORTHANC:-false}"
enableOrthancForApi="${ENABLE_ORTHANC_FOR_API:-false}"
enableOrthancForShares="${ENABLE_ORTHANC_FOR_SHARES:-false}"
enableKeycloak="${ENABLE_KEYCLOAK:-false}"
enableOrthancTokenService="${ENABLE_ORTHANC_TOKEN_SERVICE:-false}"
enableOhif="${ENABLE_OHIF:-false}"
enableHttps="${ENABLE_HTTPS:-false}"
enableMedDream="${ENABLE_MEDDREAM:-false}"

ls -al /etc/nginx/disabled-conf/

Expand All @@ -26,47 +19,7 @@ else
cp -f /etc/nginx/disabled-conf/orthanc-nginx-http.conf /etc/nginx/conf.d/default.conf
fi

ls -al /etc/nginx/disabled-reverse-proxies/

if [[ $enableOrthanc == "true" ]]; then
echo "ENABLE_ORTHANC is true -> enable /orthanc/ reverse proxy"
cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.orthanc.conf /etc/nginx/enabled-reverse-proxies/
fi

if [[ $enableOrthancForApi == "true" ]]; then
echo "ENABLE_ORTHANC_FOR_API is true -> enable /orthanc-api/ reverse proxy"
cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.orthanc-api.conf /etc/nginx/enabled-reverse-proxies/
fi

if [[ $enableOrthancForShares == "true" ]]; then
echo "ENABLE_ORTHANC_FOR_SHARES is true -> enable /shares/ reverse proxy"
cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.shares.conf /etc/nginx/enabled-reverse-proxies/
fi

if [[ $enableKeycloak == "true" ]]; then
if [[ $enableHttps == "true" ]]; then
echo "ENABLE_KEYCLOAK is true and ENABLE_HTTPS is true -> enable /keycloak/ reverse proxy in https version"
cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-https.conf /etc/nginx/enabled-reverse-proxies/
else
echo "ENABLE_KEYCLOAK is true and ENABLE_HTTPS is false -> enable /keycloak/ reverse proxy in http version"
cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.keycloak-http.conf /etc/nginx/enabled-reverse-proxies/
fi
fi

if [[ $enableOrthancTokenService == "true" ]]; then
echo "ENABLE_ORTHANC_TOKEN_SERVICE is true -> enable /token-service/ reverse proxy"
cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.token-service.conf /etc/nginx/enabled-reverse-proxies/
fi

if [[ $enableMedDream == "true" ]]; then
echo "ENABLE_MEDDREAM is true -> enable /meddream/ reverse proxy"
cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.meddream.conf /etc/nginx/enabled-reverse-proxies/
fi

if [[ $enableOhif == "true" ]]; then
echo "ENABLE_OHIF is true -> enable /ohif/ reverse proxy"
cp -f /etc/nginx/disabled-reverse-proxies/reverse-proxy.ohif.conf /etc/nginx/enabled-reverse-proxies/
fi
./scripts/copy-conf-files.sh $enableHttps

# call the default nginx entrypoint
/docker-entrypoint.sh "$@"
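Review bot: The new call `./scripts/copy-conf-files.sh $enableHttps` passes the value unquoted and through a relative path, while the line below invokes `/docker-entrypoint.sh "$@"` absolutely; `/scripts/copy-conf-files.sh "$enableHttps"` avoids word-splitting of an odd `ENABLE_HTTPS` value and the dependence on the working directory being `/`. Because the helper selects plain http for any value other than `true`, a typo in `ENABLE_HTTPS` still degrades silently at this call site; that validation belongs in `copy-conf-files.sh`, which this hunk only invokes. The script's beginning, including the `enableHttps` assignment that survives the first hunk, lies outside this hunk.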
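--- a/sources/nginx/nginx-common.conf
+++ b/sources/nginx/nginx-common.conf
@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# To avoid 504 error
+proxy_read_timeout 240s;
+
+# To avoid "too big header... / 502 Bad Gateway" error (inspired from https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx)
+proxy_buffer_size 32k;
+proxy_buffers 64 8k;
+proxy_busy_buffers_size 48k;
+
+# To avoid "414 Request-URI Too Large" whant opening 15(!) studies in OHIF
+large_client_header_buffers 8 16k;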
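Review bot: `proxy_read_timeout 240s;` doubles the value the removed blocks in `orthanc-nginx-http.conf` and `orthanc-nginx-https.conf` carried (`proxy_read_timeout 120s;`), so moving the directives into a shared include also changes the upstream timeout of both existing images, and nothing in the commit says whether that is intended. Either keep `120s` here or extend the comment to record the reason, e.g. `# To avoid 504 error (raised from 120s to 240s because <reason>)` with the actual motive filled in. The comment on the last directive reads `whant`, which should be `when`. The same timeout change applies to the deletions in the two `.conf` sections further down, so this one note covers all three.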
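--- a/sources/nginx/orthanc-nginx-certbot.conf
+++ b/sources/nginx/orthanc-nginx-certbot.conf
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2022 - 2024 Orthanc Team SRL <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+server {
+
+listen 443 ssl;
+
+server_name domain-name-placeholder;
+
+# Load the certificate files.
+ssl_certificate /etc/letsencrypt/live/domain-name-placeholder/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/domain-name-placeholder/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/domain-name-placeholder/chain.pem;
+
+# include buffers/timeout parameters
+include /etc/nginx/includes/nginx-common.conf;
+
+# include all reverse proxies that have been enabled through env var (check docker-entrypoint.sh)
+include /etc/nginx/enabled-reverse-proxies/*.conf;
+}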
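Review bot: The comment on the last `include` points at `docker-entrypoint.sh`, but in this image the enabled reverse proxies are selected by `docker-entrypoint-certbot.sh` through `copy-conf-files.sh`, so `# include all reverse proxies that have been enabled through env var (check docker-entrypoint-certbot.sh / copy-conf-files.sh)` is the accurate pointer. `ssl_trusted_certificate` is only consulted by nginx for OCSP stapling and for verifying peer certificates, and no `ssl_stapling on;` appears in this block; if the base image does not enable stapling elsewhere the line is inert, and if it does, a comment saying so saves the next reader the check. No `ssl_protocols`, `ssl_ciphers` or HSTS header is visible here either; presumably the jonasal/nginx-certbot base supplies a shared TLS include, which is worth stating in a comment next to `listen 443 ssl;` so that hardening is neither assumed absent nor silently missing. The four `domain-name-placeholder` occurrences are rewritten by `sed` at start-up, so a one-line note above `server_name`, `# rewritten at start-up from DOMAIN_NAME (docker-entrypoint-certbot.sh)`, documents that contract.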
12 changes: 2 additions & 10 deletions sources/nginx/orthanc-nginx-http.conf
Expand Up @@ -5,16 +5,8 @@
server {
listen 80;

# To avoid 504 error
proxy_read_timeout 120s;

# To avoid "too big header... / 502 Bad Gateway" error (inspired from https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx)
proxy_buffer_size 32k;
proxy_buffers 64 8k;
proxy_busy_buffers_size 48k;

# To avoid "414 Request-URI Too Large" whant opening 15(!) studies in OHIF
large_client_header_buffers 8 16k;
# include buffers/timeout parameters
include /etc/nginx/includes/nginx-common.conf;

# include all reverse proxies that have been enabled through env var (check docker-entrypoint.sh)
include /etc/nginx/enabled-reverse-proxies/*.conf;
12 changes: 2 additions & 10 deletions sources/nginx/orthanc-nginx-https.conf
Expand Up @@ -9,16 +9,8 @@ server {

listen 443 ssl;

# To avoid 504 error
proxy_read_timeout 120s;

# To avoid "too big header... / 502 Bad Gateway" error (inspired from https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx)
proxy_buffer_size 32k;
proxy_buffers 64 8k;
proxy_busy_buffers_size 48k;

# To avoid "414 Request-URI Too Large" whant opening 15(!) studies in OHIF
large_client_header_buffers 8 16k;
# include buffers/timeout parameters
include /etc/nginx/includes/nginx-common.conf;

# include all reverse proxies that have been enabled through env var (check docker-entrypoint.sh)
include /etc/nginx/enabled-reverse-proxies/*.conf;
