ORNL · nedvedba · Mar 6, 2024 · Mar 6, 2024 · Mar 7, 2024 · Mar 7, 2024
diff --git a/compose/build_images_for_compose.sh b/compose/build_images_for_compose.sh
@@ -32,4 +32,3 @@ docker build -f \
   --build-arg RUNTIME="datafed-runtime" \
   "${PROJECT_ROOT}" \
   -t datafed-foxx:latest
-
diff --git a/compose/compose_core.yml b/compose/compose_core.yml
@@ -18,12 +18,11 @@ services:
       DATAFED_CORE_ADDRESS_PORT_INTERNAL: "datafed-core:7513"
       UID: "${DATAFED_UID}"
     image: datafed-web:latest
-    ports:
-      - 443:443 # This must be the same port that is mapped to the host for redirects to work
     volumes:
       - ./keys:/opt/datafed/keys
     networks:
-      - datafed-internal
+      datafed-internal:
+        ipv4_address: 172.16.0.10
 
   datafed-core:
     image: datafed-core:latest
@@ -80,6 +79,17 @@ services:
     networks:
       - datafed-internal
 
+  nginx:
+    image: nginx:latest
+    depends_on: ["datafed-web"]
+    volumes:
+      - ./keys:/keys
+      - ./nginx.conf:/etc/nginx/conf.d/nginx.conf
+    ports:
+      - 443:443 # this replaces the port that was open on the datafed-web service
+    networks:
+      - datafed-internal
+
 volumes:
   keys:
 
@@ -88,4 +98,7 @@ networks:
     driver: bridge
   datafed-internal:
     driver: bridge
+    ipam:
+      config:
+        - subnet: 172.16.0.0/24
 
diff --git a/compose/generate_env.sh b/compose/generate_env.sh
@@ -91,7 +91,7 @@ else
 fi
 if [ -z "${DATAFED_COMPOSE_HTTPS_SERVER_PORT}" ]
 then
-  local_DATAFED_COMPOSE_HTTPS_SERVER_PORT="443"
+  local_DATAFED_COMPOSE_HTTPS_SERVER_PORT="8081"
 else
   local_DATAFED_COMPOSE_HTTPS_SERVER_PORT=$(printenv DATAFED_COMPOSE_HTTPS_SERVER_PORT)
 fi

diff --git a/compose/nginx.conf b/compose/nginx.conf
@@ -0,0 +1,18 @@
+upstream backend {
+    server 172.16.0.10:8081;
+}
+server {
+    listen 443 ssl;
+
+    ssl_certificate /keys/cert.crt;
+    ssl_certificate_key /keys/cert.key;
+
+    location / {
+        proxy_pass https://backend;
+        proxy_ssl_server_name on;
+        proxy_ssl_protocols TLSv1.2 TLSv1.3;
+        proxy_ssl_verify off;
+        proxy_ssl_verify_depth 2;
+        proxy_ssl_trusted_certificate /keys/cert.crt;
+    }
+}
diff --git a/scripts/generate_ws_config.sh b/scripts/generate_ws_config.sh
@@ -64,7 +64,7 @@ fi
 
 if [ -z "${DATAFED_HTTPS_SERVER_PORT}" ]
 then
-  local_DATAFED_HTTPS_SERVER_PORT="443"
+  local_DATAFED_HTTPS_SERVER_PORT="8081" # This is not set to 443 since we have nginx in front of the webserver, and we want to be able to run the web server not as a superuser
 else
   local_DATAFED_HTTPS_SERVER_PORT=$(printenv DATAFED_HTTPS_SERVER_PORT)
 fi