diff --git a/api/Dockerfile b/api/Dockerfile
index b4e03c1456d..1cad4c52c7c 100644
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -151,7 +151,8 @@ LABEL org.opencontainers.image.source="https://github.com/WordPress/openverse"
 WORKDIR /app
-COPY nginx.conf.template /etc/nginx/templates/openverse-api.conf.template
+COPY nginx/nginx.conf.template /etc/nginx/templates/openverse-api.conf.template
+COPY nginx/snippets /etc/nginx/snippets
 # Copy static files from `api` target
 COPY --from=api /static /app/static
diff --git a/api/compose.yml b/api/compose.yml
index 0a624f8dd90..3fa99345316 100644
--- a/api/compose.yml
+++ b/api/compose.yml
@@ -2,7 +2,6 @@ services:
 cache:
 profiles:
 - api
- - api_extra
 image: docker.io/redis:7.2.5
 ports:
 - "50263:6379"
@@ -10,7 +9,6 @@ services:
 web:
 profiles:
 - api
- - api_extra
 build:
 target: api
 additional_contexts:
@@ -47,24 +45,11 @@ services:
 - SEMANTIC_VERSION=${SEMANTIC_VERSION:-v1.0.0}
 - API_PY_VERSION
 - PDM_INSTALL_ARGS=--dev
+ image: openverse-api_nginx:${API_PDM_HASH:-latest}
+ pull_policy: never
 ports:
 - "50270:8080"
 environment:
 DJANGO_NGINX_UPSTREAM_URL: web:50280
 depends_on:
 - web
-
- proxy:
- profiles:
- - api_extra
- image: docker.io/nginx:alpine
- ports:
- - "50200:9080"
- - "50243:9443"
- environment:
- HTTPS_PORT: 50243 # See `ports` mapping above.
- depends_on:
- - web
- volumes:
- - ../docker/nginx/templates:/etc/nginx/templates:z
- - ../docker/nginx/certs:/etc/nginx/certs:z
diff --git a/api/justfile b/api/justfile
index 0df97fc80c7..9bddb7b6e7b 100644
--- a/api/justfile
+++ b/api/justfile
@@ -50,7 +50,7 @@ up *flags:
 # Bring up services specific to the API profile, in addition to the API server
 up-extra *flags:
- env COMPOSE_PROFILES="api_extra" just ../up {{ flags }}
+ env COMPOSE_PROFILES="api,api_extra" just ../up {{ flags }}
 # Wait for all profile services to be up
 wait-up: up
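Review bot: The new `COPY nginx/snippets /etc/nginx/snippets` line in `api/Dockerfile` puts the snippets outside `/etc/nginx/templates`, so, assuming this stage runs the stock nginx image entrypoint, they are not passed through `envsubst` the way `openverse-api.conf.template` is. That is fine for the snippet added in this commit, which uses only nginx variables, but a later `${VAR}` placed in a snippet would reach nginx unexpanded. A comment above the line, such as `# Snippets are copied verbatim (no envsubst); use only nginx variables in them`, would record the constraint. The stage's `FROM` line is outside the hunk, so the base image is an assumption.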
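Review bot: The `image: openverse-api_nginx:${API_PDM_HASH:-latest}` and `pull_policy: never` lines added in the third `api/compose.yml` hunk have no comment, and the reason for `never` is not obvious from the file. The image name has no registry prefix, so a pull would resolve against the default registry; `never` keeps the service on the locally built image. I would add `# Built locally from this repo; never pull, so a same-named registry image cannot be used instead` above `pull_policy`. The service definition begins above the hunk, so its name and build context are not visible here.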
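Review bot: `up-extra` in `api/justfile` now sets `COMPOSE_PROFILES="api,api_extra"`, but the `api/compose.yml` hunks of this same commit remove `api_extra` from `cache` and `web` and delete `proxy`, the only service shown that had that profile alone. If no other compose file still declares `api_extra`, the recipe starts exactly what `up` starts and its comment ("in addition to the API server") no longer describes anything. Either drop the recipe or reduce it to the profiles that still exist; if other files do define `api_extra` services, a short comment naming them would help.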
diff --git a/api/nginx.conf.template b/api/nginx/nginx.conf.template
similarity index 83%
rename from api/nginx.conf.template
rename to api/nginx/nginx.conf.template
index 9902524563d..82a799e1fc3 100644
--- a/api/nginx.conf.template
+++ b/api/nginx/nginx.conf.template
@@ -60,21 +60,11 @@ server {
 }
 location / {
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_pass http://django;
- error_page 500 /500.json;
+ include snippets/django_location.conf;
 }
 location ~ ^/(v1|admin)/ {
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_pass http://django;
- error_page 500 /500.json;
+ include snippets/django_location.conf;
 }
 location /500.json {
diff --git a/api/nginx/snippets/django_location.conf b/api/nginx/snippets/django_location.conf
new file mode 100644
index 00000000000..e8cc45a850f
--- /dev/null
+++ b/api/nginx/snippets/django_location.conf
@@ -0,0 +1,6 @@
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $http_host;
+proxy_redirect off;
+proxy_pass http://django;
+error_page 500 /500.json;
diff --git a/docker/nginx/.gitignore b/docker/nginx/.gitignore
deleted file mode 100644
index df9128702e3..00000000000
--- a/docker/nginx/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-certs/
diff --git a/docker/nginx/justfile b/docker/nginx/justfile
deleted file mode 100644
index 80d5934795d..00000000000
--- a/docker/nginx/justfile
+++ /dev/null
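Review bot: The new `api/nginx/snippets/django_location.conf` has no header comment stating its trust assumptions, although `proxy_set_header Host $http_host;` forwards the client's raw `Host` header to Django and `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent. Both directives were already in the template, but now that every Django location shares this one file, it is the natural place to record that the upstream must validate the host (for Django, via `ALLOWED_HOSTS`) and must not treat the left-most forwarded address as authoritative. Please also confirm that `proxy_intercept_errors on;` is set elsewhere in the template, because without it `error_page 500 /500.json;` does not apply to 500 responses returned by the upstream. Neither the Django settings nor the rest of the server block is visible in this diff, so these are checks to make rather than confirmed defects.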
@@ -1,19 +0,0 @@
-set dotenv-load := false
-
-COLOR := "\\033[0;35m"
-NO_COLOR := "\\033[0m"
-
-# Show all available recipes
-@_default:
- printf "\n{{ COLOR }}# NGINX (path: \`docker/nginx/\`)\n"
- printf "==============================={{ NO_COLOR }}\n"
- just --list --unsorted
-
-
-# Make locally trusted certificates (requires mkcert installed)
-cert:
- mkdir -p certs/
- mkcert \
- -cert-file certs/openverse.crt \
- -key-file certs/openverse.key \
- dev.openverse.test localhost 127.0.0.1 ::1
diff --git a/docker/nginx/templates/web.conf.template b/docker/nginx/templates/web.conf.template
deleted file mode 100644
index a5c7db8b593..00000000000
--- a/docker/nginx/templates/web.conf.template
+++ /dev/null
@@ -1,24 +0,0 @@
-server {
- listen 9080;
- server_name localhost;
-
- location / {
- return 301 https://$host:${HTTPS_PORT}$request_uri;
- }
-}
-
-server {
- listen 9443 ssl;
- server_name localhost;
-
- location / {
- proxy_pass http://web:8000;
-
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-
- ssl_certificate /etc/nginx/certs/openverse.crt;
- ssl_certificate_key /etc/nginx/certs/openverse.key;
-}
diff --git a/documentation/api/guides/https.md b/documentation/api/guides/https.md
deleted file mode 100644
index 3e0119a3894..00000000000
--- a/documentation/api/guides/https.md
+++ /dev/null
@@ -1,55 +0,0 @@
-# Local HTTPS testing
-
-To access the API over HTTPS, we need to proxy to it using NGINX. Note that this
-proxy is different from the API NGINX image that is specifically aimed at
-serving static files in live environments.
-
-## Prerequisites
-
-Make sure you have gone through the
-[quickstart guide](/api/guides/quickstart.md) before attempting this as this is
-a slightly more advanced process.
-
-Additionally, you will need to install `mkcert`.
-[Follow `mkcert`'s installation guide](https://github.com/FiloSottile/mkcert?tab=readme-ov-file#installation)
-to do so.
-
-```{caution}
-`ov` does not yet support mkcert. You must run this command without `ov`
-on your host system for it to work.
-```
-
-## Steps
-
-1. Create certificates for NGINX to use.
-
- ```{caution}
- Run this on your host system, `ov` does not support mkcert.
- ```
-
- ```bash
- just docker/nginx/cert
- ```
-
- This will create a certificate file `openversse.crt` and a key file
- `openverse.key` in the `docker/nginx/certs/` directory.
-
-2. Start the API along with its dependencies:
-
- ```bash
- ov just api/up
- ```
-
- The `api/up` recipe orchestrates the following services: `cache`, `db`,
- `upstream_db`, `es`, `indexer_worker`, `ingestion_server`, `web` and `proxy`.
-
- Note that the `proxy` service here is the NGINX instance that will handle our
- HTTPS requests.
-
-3. Make an API call over HTTPS.
-
- ```bash
- ov just api/stats images https://localhost:50243
- ov just _curl-get "images/stats/" https://localhost:50243
- [{"source_name":"flickr","display_name":"Flickr","source_url":"https://www.flickr.com","logo_url":null,"media_count":2500},{"source_name":"stocksnap","display_name":"StockSnap","source_url":"https://stocksnap.io","logo_url":null,"media_count":2500}]%
- ```
diff --git a/documentation/api/guides/index.md b/documentation/api/guides/index.md
index 1a7d2180d7d..65c9afef18c 100644
--- a/documentation/api/guides/index.md
+++ b/documentation/api/guides/index.md
@@ -7,5 +7,4 @@ quickstart
 test
 deploy
 documentation
-https
 ```
diff --git a/documentation/general/https.md b/documentation/general/https.md
deleted file mode 100644
index d4ac6cbe541..00000000000
--- a/documentation/general/https.md
+++ /dev/null
@@ -1,19 +0,0 @@
-# Testing HTTPS
-
-To emulate the proxying behavior of production, we have set up an NGINX proxy
-that serves the API over `https` by proxying to the Gunicorn server which serves
-over `http`.
-
-This proxy uses certificates from the `nginx/certs/` directory. These
-certificates can be generated using `mkcert` with the `ov just nginx/cert`
-command.
-
-Additionally, to test with the dev hostname `dev.openverse.test`, add the
-following line to your hosts file.
-
-```text
-127.0.0.1 dev.openverse.test
-```
-
-Visiting `http://dev.openverse.test:9080` in your browser should permanently
-redirect you to `https://dev.openverse.test:9443`.
diff --git a/documentation/general/index.md b/documentation/general/index.md
index 64930d6f0ab..6b289dedcf1 100644
--- a/documentation/general/index.md
+++ b/documentation/general/index.md
@@ -10,7 +10,6 @@ test
 zero_downtime_database_management
 deployment
 logging
-https
 stack
 ```