readme
This commit is contained in:
parent
112dec11d2
commit
63884e696b
120
README.md
120
README.md
|
|
@ -102,6 +102,122 @@ secure.
|
|||
Then you can use django-admin to complete the settings with SAML2 metadata, inclusing a private key and x509
|
||||
certificate. Run the following and **append** the output to `rugwebsite/settings.py`
|
||||
|
||||
PYTHONPATH=. DJANGO_SETTINGS_MODULE=settings django-admin init-saml2-settings --country NL --city Groningen --organisation 'University of Groningen' --organisation-unit 'Research and Innovation Support' --common-name 'cosmo.service.rug.nl/rugwebsite' --state Groningen --support-name 'Research and Innovation Support' --support-email 'ris@list.rug.nl' --technical-name 'Research and Innovation Support' --technical-email 'ris@list.rug.nl' --base-url 'cosmo.service.rug.nl' --entity-id 'www.rug.nl/cosmo'
|
||||
PYTHONPATH=. DJANGO_SETTINGS_MODULE=settings django-admin init-saml2-settings --country NL --city Groningen \
|
||||
--organisation 'University of Groningen' --organisation-unit 'Research and Innovation Support' \
|
||||
--common-name 'cosmo.service.rug.nl' --state Groningen \
|
||||
--support-name 'Research and Innovation Support' --support-email 'ris@list.rug.nl' \
|
||||
--technical-name 'Research and Innovation Support' --technical-email 'ris@list.rug.nl' \
|
||||
--base-url 'https://cosmo.service.rug.nl' --entity-id 'https://www.rug.nl/cosmo'
|
||||
|
||||
You can change these settings if you like.
|
||||
You can change these settings if you like. Make sure to choose these correctly for your situation:
|
||||
|
||||
* entity-id
|
||||
* common-name
|
||||
* base-url, including http or https and a prefix to all paths, make sure base-url + "/sso/saml/metadata?provider=RuG"
|
||||
is a working url.
|
||||
* support-name, support-email, technical-name, technical-email
|
||||
|
||||
### Database and static files
|
||||
|
||||
Create the database
|
||||
|
||||
PYTHONPATH=. DJANGO_SETTINGS_MODULE=settings django-admin migrate
|
||||
|
||||
And collect all static files (javascript, css, etc). Recall what the absolute path of rugwebsite/static is.
|
||||
|
||||
PYTHONPATH=. DJANGO_SETTINGS_MODULE=settings django-admin collectstatic
|
||||
|
||||
### Host the website using Gunicorn
|
||||
|
||||
Create a `rugwebsite/wsgi.py`
|
||||
|
||||
import os, sys
|
||||
|
||||
sys.path.insert(0, 'absolute-path-to/rugwebsite/venv/lib/python3.5/site-packages/')
|
||||
sys.path.insert(0, 'absolute-path-to/rugwebsite/venv/lib64/python3.5/site-packages/')
|
||||
sys.path.insert(0, 'absolute-path-to/rugwebsite/')
|
||||
|
||||
from django.core.wsgi import get_wsgi_application
|
||||
os.environ.setdefault("DJANGO_SETTINGS_MODULE", "settings")
|
||||
|
||||
application = get_wsgi_application()
|
||||
|
||||
You can test-run the website with gunicorn like, but it won't host the static files (javascript, css, etc). Decide on
|
||||
what port it should run, for example `8890`.
|
||||
|
||||
absolute-path-to/rugwebsite/venv/bin/gunicorn --bind 127.0.0.1:8890 wsgi
|
||||
|
||||
you can run this in a `sceen`, but it might be better to create a service like, in centos you create a
|
||||
`/usr/lib/systemd/system/yourwebsite.service` like this
|
||||
|
||||
[Unit]
|
||||
Description=your website gunicorn deamon description
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
PIDFile=/run/gunicorn/yourwebsitepid
|
||||
User=cosmo
|
||||
Group=cosmo
|
||||
RuntimeDirectory=gunicorn
|
||||
WorkingDirectory=/home/cosmo/rug-website/
|
||||
ExecStart=absolute-path-to/rugwebsite/venv/bin/gunicorn --pid /run/gunicorn/yourwebsitepid --bind 127.0.0.1:8890 wsgi
|
||||
ExecReload=/bin/kill -s HUP $MAINPID
|
||||
ExecStop=/bin/kill -s TERM $MAINPID
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
You can start your service using `sudo service yourwebsite start` (or `restart`, `status`, `stop`, ...)
|
||||
|
||||
### nginx proxy
|
||||
|
||||
You can use nginx to proxy your website, and add https-support (instead of plain http), but also to server the static
|
||||
files efficiently. Make sure nginx is installed and configure the website, for example by creating the
|
||||
`/etc/nginx/conf.d/yourwebsite.conf` file on centos:
|
||||
|
||||
# Make sure the port matches
|
||||
upstream yourwebsiteupstream {
|
||||
server 127.0.0.1:8890;
|
||||
}
|
||||
|
||||
# Forward http to https
|
||||
server {
|
||||
listen 80;
|
||||
server_name cosmo.service.rug.nl;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
client_max_body_size 64M;
|
||||
proxy_connect_timeout 300;
|
||||
proxy_send_timeout 300;
|
||||
proxy_read_timeout 300;
|
||||
send_timeout 300;
|
||||
listen 443 ssl;
|
||||
server_name cosmo.service.rug.nl;
|
||||
ssl_certificate /etc/nginx/conf.d/cosmo.service.rug.nl.pem;
|
||||
ssl_certificate_key /etc/nginx/conf.d/cosmo.service.rug.nl.key;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
|
||||
|
||||
location = /favicon.ico { access_log off; log_not_found off; }
|
||||
location /static/ {
|
||||
alias absolute-path-to/rugwebsite/static/;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://yourwebsiteupstream/;
|
||||
proxy_set_header Host cosmo.service.rug.nl;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
|
||||
# This setting is important, it allows SAML2 to verify the provider url, whithout getting into trouble because
|
||||
# the https-part is handled by nginx, and hence not seen by the django SAML2 code.
|
||||
proxy_set_header X_FORWARDED_PROTO https;
|
||||
}
|
||||
}
|
||||
|
||||
Restart nginx to load the settings `sudo service nginx restart` (or `reload`, to only reload the settings instaed of a
|
||||
full restart)
|
||||
|
|
|
|||
|
|
@ -99,7 +99,7 @@ SAML_PROVIDERS = [{{
|
|||
"organization": {{
|
||||
"en-US": {{
|
||||
"name": ORGANISATION,
|
||||
"displayname": ORGANISATION,
|
||||
"displayname": ORGANISATION + " / " + ORGANISATION_UNIT,
|
||||
"url": BASE_URL
|
||||
}}
|
||||
}},
|
||||
|
|
|
|||
Loading…
Reference in New Issue