tea/browsertrix
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

support signing in docker deployment: (#166)

Browse Source 
- add authsign to docker-compose.yml
- add signing.sample.yaml to be copied to signing.yaml for authsign
- add WACZ_SIGN_URL and WACZ_SIGN_TOKEN to config.sample.env
- signing enabled if WACZ_SIGN_URL is set
- add instructions on how to enable signing to Deployment
- update .gitignore, don't commit 'signing.yaml'
- update images to use public repo browsertrix images
This commit is contained in:
Ilya Kreymer 2022-02-28 14:32:19 -08:00 committed by GitHub
parent 83ded98081
commit 84a9079b1f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 85 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,4 +1,5 @@
**/*.pyc **/*.pyc
**/node_modules/ **/node_modules/
**/config.env **/config.env
**/signing.yaml
.DS_Store .DS_Store

17
Deployment.md
View File

@ -18,10 +18,27 @@ To update/relaunch, use `./docker-restart.sh`.
The API should be available at: `http://localhost:8000/docs` The API should be available at: `http://localhost:8000/docs`
To allow downloading of WACZ files via the UI from a remote host, set the `STORE_ACCESS_ENDPOINT_URL` to use the domain of the host.
Otherwise, the files are accesible only through the default Minio service running on port 9000.
Note: When deployed in local Docker, failed crawls are not retried currently. Scheduling is handled by a subprocess, which stores active schedule in the DB. Note: When deployed in local Docker, failed crawls are not retried currently. Scheduling is handled by a subprocess, which stores active schedule in the DB.
### Enabling Signing
Browsertrix Cloud can optionally sign WACZ files with the same key used to generate an SSL cert.
To use this functionality, the machine running Browsertrix Cloud must be associated with a domain and must have port 80 available on that domain.
To enable signing in the Docker-based deployment:
1) Copy `configs/signing.sample.yaml` to `configs/signing.yaml` and set the domain and email fields in the config. Set `staging` to false to generate real certificates.
2) In `configs.config.env`, also uncomment `WACZ_SIGN_URL`.
WACZ files created on minio should now be signed! Be sure to also set `STORE_ACCESS_ENDPOINT_URL` to get downloadable links from the UI downloads view.
## Deploying to Kubernetes ## Deploying to Kubernetes

5
backend/dockerman.py
View File

@ -40,6 +40,9 @@ class DockerManager:
self.crawl_args = os.environ["CRAWL_ARGS"] self.crawl_args = os.environ["CRAWL_ARGS"]
self.wacz_sign_url = os.environ.get("WACZ_SIGN_URL", "")
self.wacz_sign_token = os.environ.get("WACZ_SIGN_TOKEN", "")
self.archive_ops = archive_ops self.archive_ops = archive_ops
self.crawl_ops = None self.crawl_ops = None
@ -505,6 +508,8 @@ class DockerManager:
f"STORE_PATH={storage_path}", f"STORE_PATH={storage_path}",
f"WEBHOOK_URL={self.redis_url}/{self.crawls_done_key}", f"WEBHOOK_URL={self.redis_url}/{self.crawls_done_key}",
f"CRAWL_ARGS={self.crawl_args}", f"CRAWL_ARGS={self.crawl_args}",
f"WACZ_SIGN_URL={self.wacz_sign_url}",
f"WACZ_SIGN_TOKEN={self.wacz_sign_token}",
] ]
labels["btrix.run.schedule"] = schedule labels["btrix.run.schedule"] = schedule

13
backend/storages.py
View File

@ -54,12 +54,15 @@ def init_storages_api(archive_ops, crawl_manager, user_dep):
# ============================================================================ # ============================================================================
@asynccontextmanager @asynccontextmanager
async def get_s3_client(storage): async def get_s3_client(storage, use_access=False):
""" context manager for s3 client""" """ context manager for s3 client"""
if not storage.endpoint_url.endswith("/"): endpoint_url = (
storage.endpoint_url += "/" storage.endpoint_url if not use_access else storage.access_endpoint_url
)
if not endpoint_url.endswith("/"):
endpoint_url += "/"
parts = urlsplit(storage.endpoint_url) parts = urlsplit(endpoint_url)
bucket, key = parts.path[1:].split("/", 1) bucket, key = parts.path[1:].split("/", 1)
endpoint_url = parts.scheme + "://" + parts.netloc endpoint_url = parts.scheme + "://" + parts.netloc
@ -100,7 +103,7 @@ async def get_presigned_url(archive, crawlfile, crawl_manager, duration=3600):
else: else:
raise Exception("No Default Storage Found, Invalid Storage Type") raise Exception("No Default Storage Found, Invalid Storage Type")
async with get_s3_client(s3storage) as (client, bucket, key): async with get_s3_client(s3storage, True) as (client, bucket, key):
key += crawlfile.filename key += crawlfile.filename
presigned_url = await client.generate_presigned_url( presigned_url = await client.generate_presigned_url(

10
configs/config.sample.env
View File

@ -38,4 +38,14 @@ REGISTRATION_ENABLED=1
JWT_TOKEN_LIFETIME_MINUTES=60 JWT_TOKEN_LIFETIME_MINUTES=60
# auth sign -- uncomment to enable signing
# WACZ_SIGN_URL="http://authsign:8080/sign"
# optional token for signing (useful if using remote signing server)
# WACZ_SIGN_TOKEN=""

21
configs/signing.sample.yaml Normal file
View File

@ -0,0 +1,21 @@
signing:
domain: example.com # domain to retrieve a cert for (passed to ACME servers, required)
email: test@example.com # email for acme auth (passed to ACME servers, required)
port: 80 # local port for acme domain check (should be 80, change if running behind a proxy)
output: /data # dir to store the keys and certs (for internal use)
staging: False # generate staging certs
# optional: set a 'cross-singing' CA and private key
# this will be used along with ACME (Lets Encrypt) to sign the same CSR
# csca_cert: <ca-cert.pem>
# csca_private_key: <ca-private-key.pem>
# rfc3161 timestamp authority cert chain + timestamp urls
# at least one required, if multiple, one is selected at random
timestamping:
# time server cert chain (cert + ca cert)
# pkg:// url to load from python package data
- certfile: pkg://authsign.trusted/ts-chain.pem
url: http://freetsa.org/tsr # timeserver URL

25
docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3.5'
services: services:
backend: backend:
build: ./backend build: ./backend
image: registry.digitalocean.com/btrix/webrecorder/browsertrix-api image: webrecorder/browsertrix-backend
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock - /var/run/docker.sock:/var/run/docker.sock
@ -20,7 +20,7 @@ services:
frontend: frontend:
build: ./frontend build: ./frontend
image: registry.digitalocean.com/btrix/webrecorder/browsertrix-frontend image: webrecorder/browsertrix-frontend
ports: ports:
- 9871:80 - 9871:80
@ -50,7 +50,7 @@ services:
minio: minio:
image: minio/minio image: minio/minio
command: server /data --console-address :9001 command: ["server", "/data", "--console-address", ":9001"]
ports: ports:
- 9000:9000 - 9000:9000
- 9001:9001 - 9001:9001
@ -77,10 +77,29 @@ services:
image: tianon/true image: tianon/true
container_name: volume_placeholder container_name: volume_placeholder
# enable to support signing of wacz files
# port 80 must be open to automatically generate cert via LetsEncrypt
authsign:
image: webrecorder/authsign:0.3.1
volumes:
- btrix-sign-data:/data
- ./configs/signing.yaml:/app-config/signing.yaml
environment:
- CONFIG=/app-config/signing.yaml
env_file:
- ./configs/config.env
ports:
- 80:80
volumes: volumes:
btrix-redis-data: btrix-redis-data:
btrix-mongo-data: btrix-mongo-data:
btrix-minio-data: btrix-minio-data:
btrix-sign-data:
networks: networks: