geosolutions-it/sciadro-backend

docker quick review / questions

Closed this issue · 3 comments

  • On the server there are references to Let's Encrypt, but it looks like HTTPS is not enabled. It should be enabled and documented.
  • NGINX is exposed on port 8081 instead of 80 (and 443). Is there a specific reason?
  • The MapStore container port is mapped on the host. Why? Shouldn't it be reachable through Nginx?
  • RabbitMQ ports are mapped on the host too. Why?
  • Firewall is not enabled
  • GeoStore (MapStore) is using the embedded H2 database instead of PostgreSQL (this is OK for now)
  • Looks like the PostgreSQL data directory is "volatile" (not mounted from the host or from a docker volume). Is this expected?
  • Regarding Let's Encrypt: I didn't set it up, I wasn't even aware it is there.
    Do you want me to use it and generate an SSL cert for the server domain? (I suppose we need a domain for the server; an IP is not enough.)
  • nginx will be switched to 80
  • all traffic will be sent through nginx, no more direct calls to the frontend
  • I didn't do the firewall config, do you want me to do that?
  • switch the H2 db to PostgreSQL, I'll need some guidelines on how to do that
  • make the PostgreSQL volume persistent, I'll do that
  • Regarding Let's Encrypt: I didn't set it up, I wasn't even aware it is there.
    Do you want me to use it and generate an SSL cert for the server domain? (I suppose we need a domain for the server; an IP is not enough.)

we don't need it now

  • nginx will be switched to 80

please proceed with this

  • all traffic will be sent through nginx, no more direct calls to the frontend

please proceed with this

  • I didn't do the firewall config, do you want me to do that?

please proceed with this

  • switch the H2 db to PostgreSQL, I'll need some guidelines on how to do that

we don't need it now

  • make the PostgreSQL volume persistent, I'll do that

we don't need it now

@petrus7 please provide an estimate

Firewall not done yet.
Here is an example config which I want to test:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw allow ftp
sudo ufw route allow proto tcp from any to any port 80
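
Added example, not part of the thread or the project's code: Docker publishes mapped ports through its own iptables rules, so they are not filtered by the ufw incoming rules above, and a check like this one lists every container port still reachable on the host besides the reverse proxy's. The allowlist (80, 443), the function name, and the sample container names and ports other than 8081 are assumptions.

```shell
#!/bin/sh
# Added example: list container ports published on non-loopback host addresses.
# stdin: "<name><TAB><ports>" lines, e.g. from
#   docker ps --format "$(printf '{{.Names}}\t{{.Ports}}')"
# args:  host ports allowed to be public (assumed policy here: 80 and 443).
audit_published_ports() {
    awk -F '\t' -v allowed="$*" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        m = split($2, maps, ", *")
        for (i = 1; i <= m; i++) {
            # Entries without "->" are exposed but not published on the host.
            if (maps[i] !~ /->/) continue
            split(maps[i], side, "->")
            # Host port follows the last colon (IPv6 addresses contain colons).
            port = side[1]; sub(/.*:/, "", port)
            addr = side[1]; sub(/:[^:]*$/, "", addr)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") continue
            if (port in ok) continue
            key = $1 SUBSEP port          # report IPv4/IPv6 duplicates once
            if (!(key in seen)) {
                seen[key] = 1; bad = 1
                print $1 "\t" port "\t" side[2]
            }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample: container names and all ports except 8081 are made up.
SAMPLE_PS=$(printf '%s\t%s\n' \
    nginx    '0.0.0.0:8081->80/tcp, :::8081->80/tcp' \
    mapstore '0.0.0.0:8080->8080/tcp' \
    rabbitmq '0.0.0.0:5672->5672/tcp, 0.0.0.0:15672->15672/tcp' \
    postgres '5432/tcp')

# Prints one "name<TAB>host-port<TAB>container-port" line per finding.
printf '%s\n' "$SAMPLE_PS" | audit_published_ports 80 443 \
    || echo "unexpected published ports found"
```

The function exits non-zero when it finds anything outside the allowlist, so it can gate a deployment step.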