diff --git a/.github/workflows/build-push-image-mta.yml b/.github/workflows/build-push-image-mta.yml new file mode 100644 index 0000000..8e5a378 --- /dev/null +++ b/.github/workflows/build-push-image-mta.yml @@ -0,0 +1,47 @@ +--- +name: "Build EPOS-MSL MTA image and push it to registry" + +on: + push: + branches: + - 'development' + - 'dev-update-docker' + paths: + - '.github/workflows/build-push-image-mta.yml' + - 'docker/images/mta/**' + +jobs: + push-image: + if: github.repository == 'utrechtuniversity/epos-msl' + runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write + + steps: + - name: Extract branch name + shell: bash + run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT + id: extract_branch + + - name: Check out EPOS-MSL catalog repository + uses: actions/checkout@v4 + with: + path: epos-msl + repository: UtrechtUniversity/epos-msl + ref: ${{ steps.extract_branch.outputs.branch }} + + - name: Authenticate to the container registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build and push Docker image + uses: docker/build-push-action@v6 + with: + context: epos-msl/docker/images/mta + file: epos-msl/docker/images/mta/Dockerfile + push: true + tags: ghcr.io/utrechtuniversity/epos-msl-cat-mta:latest diff --git a/docker/.env b/docker/.env index 0d02510..3caa69b 100644 --- a/docker/.env +++ b/docker/.env @@ -54,3 +54,15 @@ MYSQL_ROOT_PASSWORD=testtest MSLAPI_DB_PASSWORD=testtest FAST_API_TOKEN=notokenspecified + +# MTA role can be either "mailpit" or "postfix" +MTA_ROLE=mailpit + +POSTFIX_RELAYHOST_FQDN=notspecified +POSTFIX_RELAYHOST_PORT=25 +POSTFIX_RELAYHOST_USERNAME=changeme +POSTFIX_RELAYHOST_PASSWORD=changeme +POSTFIX_RELAYHOST_AUTH_ENABLED=yes +POSTFIX_RELAYHOST_TLS_ENABLED=yes +POSTFIX_MYHOSTNAME=changeme +POSTFIX_ORIGIN=changeme diff --git a/docker/build-local-images.sh b/docker/build-local-images.sh index 0d72b48..68b4200 100755 --- a/docker/build-local-images.sh +++ b/docker/build-local-images.sh @@ -3,7 +3,7 @@ set -e cd images -for image in ckan nginx solr msl-api +for image in ckan nginx solr msl-api mta do cd "$image" echo "Building image $image ..." ./build.sh diff --git a/docker/docker-compose-separate-msl-api.yml b/docker/docker-compose-separate-msl-api.yml index 8b0db60..b8ba886 100644 --- a/docker/docker-compose-separate-msl-api.yml +++ b/docker/docker-compose-separate-msl-api.yml @@ -51,8 +51,11 @@ services: environment: - EPOS_MSL_HOST=${EPOS_MSL_HOST} - EPOS_MSL_HOST_PORT=${EPOS_MSL_HOST_PORT} + - MTA_ROLE=${MTA_ROLE} ports: - "${EPOS_MSL_HOST_IP}:${EPOS_MSL_HOST_PORT}:443" + sysctls: + net.ipv4.ip_unprivileged_port_start: 0 volumes: - nginx_config:/etc/nginx/conf.d - nginx_certificates:/etc/certificates @@ -115,3 +118,19 @@ services: redis: container_name: redis image: redis:6.2 + + mta: + container_name: mta + image: ghcr.io/utrechtuniversity/epos-msl-cat-mta:latest + environment: + - MTA_ROLE=${MTA_ROLE} + - POSTFIX_RELAYHOST_FQDN=${POSTFIX_RELAYHOST_FQDN} + - POSTFIX_RELAYHOST_PORT=${POSTFIX_RELAYHOST_PORT} + - POSTFIX_RELAYHOST_USERNAME=${POSTFIX_RELAYHOST_USERNAME} + - POSTFIX_RELAYHOST_PASSWORD=${POSTFIX_RELAYHOST_PASSWORD} + - POSTFIX_RELAYHOST_AUTH_ENABLED=${POSTFIX_RELAYHOST_AUTH_ENABLED} + - POSTFIX_RELAYHOST_TLS_ENABLED=${POSTFIX_RELAYHOST_TLS_ENABLED} + - POSTFIX_MYHOSTNAME=${POSTFIX_MYHOSTNAME} + - POSTFIX_ORIGIN=${POSTFIX_ORIGIN} + sysctls: + net.ipv4.ip_unprivileged_port_start: 0 diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 001bf84..adb6d8a 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -52,8 +52,11 @@ services: environment: - EPOS_MSL_HOST=${EPOS_MSL_HOST} - EPOS_MSL_HOST_PORT=${EPOS_MSL_HOST_PORT} + - MTA_ROLE=${MTA_ROLE} ports: - "${EPOS_MSL_HOST_IP}:${EPOS_MSL_HOST_PORT}:443" + sysctls: + net.ipv4.ip_unprivileged_port_start: 0 volumes: - nginx_config:/etc/nginx/conf.d - nginx_certificates:/etc/certificates @@ -103,3 +106,19 @@ services: redis: container_name: redis image: redis:6.2 + + mta: + container_name: mta + image: ghcr.io/utrechtuniversity/epos-msl-cat-mta:latest + environment: + - MTA_ROLE=${MTA_ROLE} + - POSTFIX_RELAYHOST_FQDN=${POSTFIX_RELAYHOST_FQDN} + - POSTFIX_RELAYHOST_PORT=${POSTFIX_RELAYHOST_PORT} + - POSTFIX_RELAYHOST_USERNAME=${POSTFIX_RELAYHOST_USERNAME} + - POSTFIX_RELAYHOST_PASSWORD=${POSTFIX_RELAYHOST_PASSWORD} + - POSTFIX_RELAYHOST_AUTH_ENABLED=${POSTFIX_RELAYHOST_AUTH_ENABLED} + - POSTFIX_RELAYHOST_TLS_ENABLED=${POSTFIX_RELAYHOST_TLS_ENABLED} + - POSTFIX_MYHOSTNAME=${POSTFIX_MYHOSTNAME} + - POSTFIX_ORIGIN=${POSTFIX_ORIGIN} + sysctls: + net.ipv4.ip_unprivileged_port_start: 0 diff --git a/docker/images/mta/Dockerfile b/docker/images/mta/Dockerfile new file mode 100644 index 0000000..1457bfb --- /dev/null +++ b/docker/images/mta/Dockerfile @@ -0,0 +1,48 @@ +# This is an image for running the MSL-API application, that is part of the EPOS-MSL catalog + +# See CKAN docs on installation from Docker Compose on usage +FROM ubuntu:noble +MAINTAINER Yoda team + +ENV MAILPIT_VERSION=v1.21.8 + +# Need bash to get nvm/npm to work with default init files +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + +# Set timezone +ENV TZ=UTC +RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone + +# Setting the locale +ENV LC_ALL=en_US.UTF-8 +RUN apt-get update +RUN apt-get install --no-install-recommends -y locales +RUN sed -i "/$LC_ALL/s/^# //g" /etc/locale.gen +RUN dpkg-reconfigure --frontend=noninteractive locales +RUN update-locale LANG=${LC_ALL} + +# Install common dependencies +RUN apt -y install curl golang git && \ + curl https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.1/install.sh | bash && \ + source /root/.nvm/nvm.sh && \ + nvm install v18 + +### Install Mailpit +RUN cd / && \ + source /root/.nvm/nvm.sh && \ + git clone -c advice.detachedHead=false https://github.com/axllent/mailpit.git && \ + cd mailpit && \ + git checkout ${MAILPIT_VERSION} && \ + npm install && \ + npm run package && \ + CGO_ENABLED=0 go build -ldflags "-s -w -X github.com/axllent/mailpit/config.Version=${VERSION}" -o /mailpit.bin + +### Install Postfix +RUN apt -y install postfix sasl2-bin mailutils +ADD main.cf /etc/postfix/main.cf +ADD master.cf /etc/postfix/master.cf + +# Run +ADD mta-entrypoint.sh /mta-entrypoint.sh +RUN chmod +x /mta-entrypoint.sh +CMD ["/mta-entrypoint.sh"] diff --git a/docker/images/mta/build.sh b/docker/images/mta/build.sh new file mode 100755 index 0000000..9e990e9 --- /dev/null +++ b/docker/images/mta/build.sh @@ -0,0 +1,2 @@ +#!/bin/sh +docker build -t ghcr.io/utrechtuniversity/epos-msl-cat-mta:latest . $* diff --git a/docker/images/mta/main.cf b/docker/images/mta/main.cf new file mode 100644 index 0000000..0f81898 --- /dev/null +++ b/docker/images/mta/main.cf @@ -0,0 +1,54 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +myorigin = $mydomain + +smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on +# fresh installs. +compatibility_level = 3.6 + + + +# TLS parameters +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_security_level=may + +smtp_tls_CApath=/etc/ssl/certs +smtp_tls_security_level=may +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +smtp_use_tls = INSERT_POSTFIX_RELAYHOST_TLS_ENABLED +smtp_sasl_auth_enable = INSERT_POSTFIX_RELAYHOST_AUTH_ENABLED +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +smtp_sasl_security_options = INSERT_POSTFIX_SMTP_SASL_SECURITY_OPTIONS +smtp_sasl_tls_security_options = INSERT_POSTFIX_SMTP_SASL_TLS_SECURITY_OPTIONS + +smtpd_data_restrictions = reject_unauth_pipelining +smtpd_discard_ehlo_keywords = chunking, silent-discard + +smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination +myhostname = INSERT_POSTFIX_MYHOSTNAME +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +mydestination = +relayhost = [INSERT_POSTFIX_RELAYHOST_FQDN]:INSERT_POSTFIX_RELAYHOST_PORT +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = all diff --git a/docker/images/mta/master.cf b/docker/images/mta/master.cf new file mode 100644 index 0000000..a7588c1 --- /dev/null +++ b/docker/images/mta/master.cf @@ -0,0 +1,140 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (no) (never) (100) +# ========================================================================== +smtp inet n - y - - smtpd +#smtp inet n - y - 1 postscreen +#smtpd pass - - y - - smtpd +#dnsblog unix - - y - 0 dnsblog +#tlsproxy unix - - y - 0 tlsproxy +# Choose one: enable submission for loopback clients only, or for any client. +#127.0.0.1:submission inet n - y - - smtpd +#submission inet n - y - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_tls_auth_only=yes +# -o local_header_rewrite_clients=static:all +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +# Choose one: enable submissions for loopback clients only, or for any client. +#127.0.0.1:submissions inet n - y - - smtpd +#submissions inet n - y - - smtpd +# -o syslog_name=postfix/submissions +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o local_header_rewrite_clients=static:all +# -o smtpd_reject_unlisted_recipient=no +# Instead of specifying complex smtpd__restrictions here, +# specify "smtpd__restrictions=$mua__restrictions" +# here, and specify mua__restrictions in main.cf (where +# "" is "client", "helo", "sender", "relay", or "recipient"). +# -o smtpd_client_restrictions= +# -o smtpd_helo_restrictions= +# -o smtpd_sender_restrictions= +# -o smtpd_relay_restrictions= +# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - y - - qmqpd +pickup unix n - y 60 1 pickup +cleanup unix n - y - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - y 1000? 1 tlsmgr +rewrite unix - - y - - trivial-rewrite +bounce unix - - n - 0 discard +defer unix - - y - 0 bounce +trace unix - - y - 0 bounce +verify unix - - y - 1 verify +flush unix n - y 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - y - - smtp +relay unix - - y - - smtp + -o syslog_name=postfix/$service_name +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - y - - showq +error unix - - y - - error +retry unix - - y - - error +discard unix - - y - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - y - - lmtp +anvil unix - - y - 1 anvil +scache unix - - y - 1 scache +postlog unix-dgram n - n - 1 postlogd +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +#maildrop unix - n n - - pipe +# flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +#ifmail unix - n n - - pipe +# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +#bsmtp unix - n n - - pipe +# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +#scalemail-backend unix - n n - 2 pipe +# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +#mailman unix - n n - - pipe +# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user} diff --git a/docker/images/mta/mta-entrypoint.sh b/docker/images/mta/mta-entrypoint.sh new file mode 100644 index 0000000..8beed3e --- /dev/null +++ b/docker/images/mta/mta-entrypoint.sh @@ -0,0 +1,49 @@ +#!/bin/bash + +if [ "$MTA_ROLE" == "mailpit" ] +then BINDIP=$(ip addr | grep eth0 | grep inet | awk '{print $2}' | cut -d '/' -f 1) + /mailpit.bin -s $BINDIP:25 +elif [ "$MTA_ROLE" == "postfix" ] +then echo "[$POSTFIX_RELAYHOST]:$POSTFIX_RELAYHOST_PORT $POSTFIX_RELAYHOST_USERNAME:$POSTFIX_RELAYHOST_PASSWORD" > /etc/postfix/sasl_passwd + cd /etc/postfix + postmap sasl_passwd + + # Update configuration values + + if [ "$POSTFIX_RELAYHOST_AUTH_ENABLED" == "yes" ] + then export POSTFIX_SMTP_SASL_SECURITY_OPTIONS=noanonymous + export POSTFIX_SMTP_SASL_TLS_SECURITY_OPTIONS=noanonymous + else export POSTFIX_SMTP_SASL_SECURITY_OPTIONS="" + export POSTFIX_SMTP_SASL_TLS_SECURITY_OPTIONS="" + fi + + perl -pi.bak -e '$postfix_relayhost_fqdn=$ENV{POSTFIX_RELAYHOST_FQDN}; s/INSERT_POSTFIX_RELAYHOST_FQDN/"$postfix_relayhost_fqdn"/ge' \ + /etc/postfix/main.cf + perl -pi.bak -e '$postfix_relayhost_port=$ENV{POSTFIX_RELAYHOST_PORT}; s/INSERT_POSTFIX_RELAYHOST_PORT/"$postfix_relayhost_port"/ge' \ + /etc/postfix/main.cf + perl -pi.bak -e '$postfix_relayhost_username=$ENV{POSTFIX_RELAYHOST_USERNAME}; s/INSERT_POSTFIX_RELAYHOST_USERNAME/"$postfix_relayhost_username"/ge' \ + /etc/postfix/main.cf + perl -pi.bak -e '$postfix_relayhost_password=$ENV{POSTFIX_RELAYHOST_PASSWORD}; s/INSERT_POSTFIX_RELAYHOST_PASSWORD/"$postfix_relayhost_password"/ge' \ + /etc/postfix/main.cf + perl -pi.bak -e '$postfix_relayhost_auth_enabled=$ENV{POSTFIX_RELAYHOST_AUTH_ENABLED}; s/INSERT_POSTFIX_RELAYHOST_AUTH_ENABLED/"$postfix_relayhost_auth_enabled"/ge' \ + /etc/postfix/main.cf + perl -pi.bak -e '$postfix_relayhost_tls_enabled=$ENV{POSTFIX_RELAYHOST_TLS_ENABLED}; s/INSERT_POSTFIX_RELAYHOST_TLS_ENABLED/"$postfix_relayhost_tls_enabled"/ge' \ + /etc/postfix/main.cf + + perl -pi.bak -e '$postfix_myhostname=$ENV{POSTFIX_MYHOSTNAME}; s/INSERT_POSTFIX_MYHOSTNAME/"$postfix_myhostname"/ge' \ + /etc/postfix/main.cf + perl -pi.bak -e '$postfix_origin=$ENV{POSTFIX_ORIGIN}; s/INSERT_POSTFIX_ORIGIN/"$postfix_origin"/ge' \ + /etc/postfix/main.cf + + perl -pi.bak -e '$postfix_smtp_sasl_security_options=$ENV{POSTFIX_SMTP_SASL_SECURITY_OPTIONS}; s/INSERT_POSTFIX_SMTP_SASL_SECURITY_OPTIONS/"$postfix_smtp_sasl_security_options"/ge' \ + /etc/postfix/main.cf + perl -pi.bak -e '$postfix_smtp_sasl_tls_security_options=$ENV{POSTFIX_SMTP_SASL_TLS_SECURITY_OPTIONS}; s/INSERT_POSTFIX_SMTP_SASL_TLS_SECURITY_OPTIONS/"$postfix_smtp_sasl_tls_security_options"/ge' \ + /etc/postfix/main.cf + + # Start Postfix master directly (since we can't disable forking for the main postfix binary) + /usr/lib/postfix/sbin/master -c /etc/postfix -d + +else + echo "Unknown MTA role: $MTA_ROLE." + sleep 300 +fi diff --git a/docker/images/nginx/Dockerfile b/docker/images/nginx/Dockerfile index 13ccae5..83ccc58 100644 --- a/docker/images/nginx/Dockerfile +++ b/docker/images/nginx/Dockerfile @@ -3,7 +3,9 @@ FROM nginx:1.27 MAINTAINER Yoda team -ADD ckan.site /etc/nginx/conf.d/ckan.conf +ADD nginx.site.part1 /etc/nginx/nginx.site.part1 +ADD nginx.site.part2 /etc/nginx/nginx.site.part2 +ADD nginx.site.part-mailpit /etc/nginx/nginx.site.part-mailpit RUN rm /etc/nginx/conf.d/default.conf ADD epos-msl.cnf /etc/certificates/epos-msl.cnf ADD nginx-entrypoint.sh /nginx-entrypoint.sh diff --git a/docker/images/nginx/nginx-entrypoint.sh b/docker/images/nginx/nginx-entrypoint.sh index 7c3f29a..fc6ec7e 100644 --- a/docker/images/nginx/nginx-entrypoint.sh +++ b/docker/images/nginx/nginx-entrypoint.sh @@ -4,6 +4,12 @@ export EPOS_MSL_HOST="$EPOS_MSL_HOST" perl -pi.bak -e '$epos_msl_host=$ENV{EPOS_MSL_HOST}; s/EPOS_MSL_HOST/$epos_msl_host/ge' /etc/certificates/epos-msl.cnf +## Only include mailpit rev proxy configuration is mailpit is enabled. +if [ "$MTA_ROLE" == "mailpit" ] +then cat /etc/nginx/nginx.site.part1 /etc/nginx/nginx.site.part-mailpit /etc/nginx/nginx.site.part2 > /etc/nginx/conf.d/nginx.conf +else cat /etc/nginx/nginx.site.part1 /etc/nginx/nginx.site.part2 > /etc/nginx/conf.d/nginx.conf +fi + ## Generate certificates if needed cd /etc/certificates if [ -f "epos-msl.pem" ] diff --git a/docker/images/nginx/nginx.site.part-mailpit b/docker/images/nginx/nginx.site.part-mailpit new file mode 100644 index 0000000..8c9f22a --- /dev/null +++ b/docker/images/nginx/nginx.site.part-mailpit @@ -0,0 +1,13 @@ + location /mailpit { + proxy_pass http://mta:8025/; + proxy_set_header Host PUT_HOST_HEADER_HERE; + proxy_set_header X-Forwarded-Proto https; + proxy_cache cache; + proxy_cache_bypass $cookie_auth_tkt; + proxy_no_cache $cookie_auth_tkt; + proxy_cache_valid 30m; + proxy_cache_key $host$scheme$proxy_host$request_uri; + # In emergency comment out line to force caching + # proxy_ignore_headers X-Accel-Expires Expires Cache-Control; + } + diff --git a/docker/images/nginx/ckan.site b/docker/images/nginx/nginx.site.part1 similarity index 99% rename from docker/images/nginx/ckan.site rename to docker/images/nginx/nginx.site.part1 index 240733e..c9a3468 100644 --- a/docker/images/nginx/ckan.site +++ b/docker/images/nginx/nginx.site.part1 @@ -53,5 +53,3 @@ server { # In emergency comment out line to force caching # proxy_ignore_headers X-Accel-Expires Expires Cache-Control; } - -} diff --git a/docker/images/nginx/nginx.site.part2 b/docker/images/nginx/nginx.site.part2 new file mode 100644 index 0000000..5c34318 --- /dev/null +++ b/docker/images/nginx/nginx.site.part2 @@ -0,0 +1 @@ +}