Closes #519: Use Let's Encrypt and NGINX for certs on staging (#649)

* Add nginx and SSL

docker-compose-staging.yml

@@ -0,0 +1,68 @@
+# Version 3, most current, and recommended compose file version
+# https://docs.docker.com/compose/compose-file/compose-versioning/
+version: '3'
+
+services:
+  telescope:
+    container_name: telescope_staging
+    build:
+      context: .
+      dockerfile: Dockerfile
+    env_file: .env
+    environment:
+      # a place-holder for the variable passed by CLI with a default value
+      # the passed or default value is a command to run `telescope`
+      - script=${script:-start}
+      # override the .env variable for `REDIS_URL`
+      - REDIS_URL=redis://redis:${REDIS_PORT}
+    depends_on:
+      - redis
+      - login
+    ports:
+      - '$PORT:$PORT'
+    restart: always
+
+  redis:
+    image: redis:latest
+    ports:
+      - '$REDIS_PORT:$REDIS_PORT'
+    restart: always
+
+  # SSO Identity Provider test service, https://simplesamlphp.org
+  # Access to the authentication page via http://localhost:8080/simplesaml or https://localhost:8443/simplesaml
+  login:
+    environment:
+      - SIMPLESAMLPHP_SP_ENTITY_ID=${SAML2_CLIENT_ID:-saml-poc}
+      - SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=${SAML2_REDIRECT_URI}
+    # image owner's blog post https://medium.com/disney-streaming/setup-a-single-sign-on-saml-test-environment-with-docker-and-nodejs-c53fc1a984c9
+    image: kristophjunge/test-saml-idp
+    ports:
+      # These ports + port 80 are pre-defined in the latter image
+      # http port
+      - '8080:8080'
+      # https port
+      - '8443:8443'
+    restart: always
+
+  nginx:
+    image: nginx:latest
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf
+      - ../certbot/conf:/etc/letsencrypt
+      - ../certbot/www:/var/www/certbot
+    ports:
+      - 80:80
+      - 443:443
+    restart: always
+    depends_on: telescope
+    # This makes nginx reload its configuration (and certificates) every six hours in the background and
+    # launches nginx in the foreground
+    command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
+
+  certbot:
+    image: certbot/certbot
+    volumes:
+      - ../certbot/conf:/etc/letsencrypt
+      - ../certbot/www:/var/www/certbot
+    # This will check if your certificate is up for renewal every 12 hours as recommended by Let’s Encrypt
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

nginx.conf

@@ -0,0 +1,36 @@
+events {}
+
+http {
+  server {
+    listen 80 default_server;
+    server_name _;
+    return 301 https://$host$request_uri;
+  }
+
+  server {
+    listen 443 ssl;
+    server_name dev.telescope.cdot.systems;
+
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    ssl_certificate /etc/letsencrypt/live/dev.telescope.cdot.systems/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dev.telescope.cdot.systems/privkey.pem;
+
+    location / {
+      proxy_pass http://telescope_staging:3000;
+    }
+
+    location /.well-known/acme-challenge/ {
+      root /var/www/certbot;
+    }
+  }
+
+  server {
+    listen 80;
+    server_name login.telescope.cdot.systems;
+    location / {
+      proxy_pass http://telescope/login;
+    }
+  }
+}