c3d05d2 to c20aa5a
c20aa5a to dcb5a5d
dcb5a5d to dee0eef
I actually really think that all of this stuff with TLS is not where we want to be spending our time. Nginx really does that well, and it is trivial and normal and best practice to use that highly optimized software for TLS termination. Outside of places where we want to tie together identity with certificates (which has led to some minor ruin), it doesn't really make sense to have code in NuCypher that deals with https. Obviously I had forever to comment on this and it's a little late right now and I deeply respect and appreciate the time spent dealing with it and I'm sorry I didn't chime in with all this at a more appropriate hour but all the lines of code dealing with TLS CLI options are lines of code that are already in NGINX and could be gotten for free with docker-compose.

@vepkenez, as part of running Porter we are already running a web server (Hendrix) so at the moment putting nginx on top of that seems superfluous. That being said, as a view to the future, I have been playing around a little with using nginx as a reverse proxy, to potentially allow for more complex authentication mechanisms for users of Porter (see #2706). It is unclear how Porter will be run, and how the users of the Porter service will be authenticated. Simple basic auth can be baked into Porter directly relatively easily, but anything more involved like OAuth2 or Token Authentication may necessitate something like nginx. To that end this was the beginning of the docker-compose to get nginx working as a reverse proxy - without any authentication:

```yaml
version: '3'
services:
  nginx-proxy:
    restart: always
    image: nginxproxy/nginx-proxy:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - "${TLS_DIR}:/etc/nginx/certs/"
  porter:
    restart: on-failure
    image: nucypher:latest
    build:
      context: ../../..
      dockerfile: deploy/docker/Dockerfile
    expose:
      # Default Porter port
      - "9155"
    volumes:
      - .:/code
      - ~/.local/share/nucypher:/nucypher
    command: [ "nucypher", "porter", "run",
               "--provider", "${WEB3_PROVIDER_URI}",
               "--network", "${NUCYPHER_NETWORK}" ]
    environment:
      - VIRTUAL_HOST=porter.local
      - VIRTUAL_PORT=9155
    depends_on:
      - nginx-proxy
```
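
As an added example (not part of the PR or the NuCypher code base): a small audit of the reverse-proxy layout in the compose file above, checking that only the proxy publishes host ports, that it publishes 443, and flagging any service that mounts the Docker socket. The input shape is assumed to be what `docker compose config --format json` emits; the sample data and the `/srv/nucypher` path are constructed.

```python
import json

# Constructed sample: the compose file from the comment above, written in the
# normalized long-form shape that `docker compose config --format json` emits.
SAMPLE = json.loads("""
{"services": {
  "nginx-proxy": {
    "ports": [{"target": 80, "published": "80"},
              {"target": 443, "published": "443"}],
    "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                 "target": "/tmp/docker.sock", "read_only": true}]},
  "porter": {
    "expose": ["9155"],
    "volumes": [{"type": "bind", "source": "/srv/nucypher", "target": "/nucypher"}]}
}}
""")


def host_ports(svc):
    """Host-side ports a service publishes (long-form dicts or 'host:ctr' strings)."""
    found = set()
    for p in svc.get("ports", []):
        if isinstance(p, dict):
            found.add(str(p.get("published", "")))
        else:
            parts = str(p).split("/")[0].split(":")
            found.add(parts[-2] if len(parts) > 1 else "")
    return found


def audit(compose, proxy="nginx-proxy"):
    """Return sorted (service, finding) pairs for a TLS-terminating proxy layout."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        ports = host_ports(svc)
        if name == proxy and "443" not in ports:
            findings.append((name, "proxy does not publish 443"))
        if name != proxy and ports:
            findings.append((name, "publishes host ports, bypassing the proxy"))
        for vol in svc.get("volumes", []):
            src = vol.get("source", "") if isinstance(vol, dict) else str(vol).split(":")[0]
            if src.endswith("docker.sock"):
                # A read-only bind mount does not restrict Docker API calls.
                findings.append((name, "mounts the Docker socket"))
    return sorted(findings)


if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```

The socket finding fires even with `:ro`, because a read-only bind mount only protects the socket file and does not restrict Docker API requests sent over it.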
dee0eef to 58cb369
| "--provider", "${WEB3_PROVIDER_URI}", | ||
| "--network", "${NUCYPHER_NETWORK}"] | ||
|
|
||
| porter-https: |
This looks good although on an architectural level, if we're using docker-compose, maybe the ssl would be just as well handled by having an nginx container acting as a reverse proxy and then forwarding to the nucypher container on port 80. Then you would just have one NuCypher container defined in here, and an nginx container.
kinda like this https://dzone.com/articles/how-to-nginx-reverse-proxy-with-docker-compose
Type of PR:
Required reviews:
What this does:
Docker compose for Porter service. Based on #2720.
Issues fixed/closed:
Fixes #2669