Merge pull request #92 from medizininformatik-initiative/contextpaths…

…-portal

Support portal subdomain and context path deployment

feasibility-portal/README.md

@@ -66,6 +66,39 @@ The portal is configured by default to start the following services:
 - UI
 - Keycloak
 
+For the reverse proxy you need to choose the configuration (variable `FEASIBILITY_PORTAL_PROXY_NGINX_CONFIG` in
+[proxy/.env](./proxy/.env)) which also decides what the changes to the `.env` files you have to make:
+
+- [./subdomains.nginx.conf](./proxy/subdomains.nginx.conf) with separate domains for the services (Backend, UI, Keycloak)
+  - All subdomains must point to the host machine the portal will run.
+
+  - Set the service hostnames (`BACKEND_HOSTNAME`, `KEYCLOAK_HOSTNAME` and `GUI_HOSTNAME`, depending on which services you need) in [proxy/.env](./proxy/.env).
+- Change the following variables in [keycloak/.env](./keycloak /.env):
+      - `FEASIBILITY_KC_HOSTNAME_URL`and `FEASIBILITY_KC_HOSTNAME_ADMIN_URL`: set the domain part to the value you set for `KEYCLOAK_HOSTNAME` before.
+      -` FEASIBILITY_KC_HTTP_RELATIVE_PATH`: set to `/auth`.
+- Change the values for the variables `FEASIBILITY_BACKEND_API_BASE_URL` in [backend/.env](./backend/.env) and `FEASIBILITY_BACKEND_ALLOWED_ORIGINS` in [backend /.env](./backend/.env)
+          to the base url of your feasibility portal backend. In the [backend/.env](./backend/.env) change the values for the variable `FEASIBILITY_BACKEND_KEYCLOAK_BASE_URL_ISSUER`	to the base url of your feasibility portal keycloak.
+- Change the following variables in [gui/deploy-config.json](./gui/deploy-config.json):
+      - `uiBackendApi > baseUrl`: set the domain part of the local feasibility portal backend.
+      -  `auth > baseUrl`: set the domain part of the local feasibility portal keycloak.
+- On the [proxy/.env] use this variable `FEASIBILITY_PORTAL_PROXY_NGINX_CONFIG=./subdomains.nginx.conf`.
+
+- [./context-paths.nginx.conf](./proxy/context-paths.nginx.conf) which requires only one domain and uses context paths (`/auth` for keycloak,`/api` for backend and `/`) for user interface.
+- The domain must point to the host machine the portal will run.
+- On the [proxy/.env] use this variable`FEASIBILITY_PORTAL_PROXY_NGINX_CONFIG=./context-paths.nginx.conf`
+-  Change the following variable `FEASIBILITY_KC_HOSTNAME_URL` and `FEASIBILITY_KC_HOSTNAME_ADMIN_URL` in [keycloak/.env]: set the domain part of your domain. The path must be set to /auth at the end of the url. For example, https://example.org/auth.
+- Add `/auth` in the following variable `FEASIBILITY_KC_HTTP_RELATIVE_PATH` in [keycloak/.env]
+- Change the following variable `FEASIBILITY_BACKEND_API_BASE_URL` in [backend/.env]: set the domain part of your domain. The path must be set to /api at the end of the url. For example, https://example.org/api.
+- Change the following variable `FEASIBILITY_BACKEND_ALLOWED_ORIGINS`  in [backend/.env]: set the domain part of your domain. For example, https://example.org.
+- Change the following variable`FEASIBILITY_BACKEND_KEYCLOAK_BASE_URL_ISSUER` in [backend/.env]: set the domain part of your domain. The path must be set to /api at the end of the url. For example, https://example.org/auth.
+- Add `/auth` in the following variable `FEASIBILITY_BACKEND_KEYCLOAK_BASE_URL_JWK` in [backend/.env]
+- Change the variable `FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_ISSUER_URL` when using the bundled keycloak in [backend/.env]replace the values with https://DOMAIN:REV_PROXY_PORT/auth/realms/blaze where DOMAIN is your domain and REV_PROXY_PORT is the port number set in rev-proxy/.env (default 444). For example, https://example.org:444/auth/realms/blaze.
+- On the [gui/deploy-config.json] change the following variables:
+  - `uiBackendApi > baseUrl`: set the domain part of the local feasibility portal backend with the context path `/api`. For example https://example.org/api.
+  -  `auth > baseUrl`: set the domain part of the local feasibility portal keycloak the context path `/auth`. For example https://example.org/auth.
+
+Please note that the keycloak provided here is an example setup, and we strongly recommend for each site to adjust the keycloak installation to their local security requirements or connect the local feasibility portal to a keycloak already provided at the site.
+
 For more details on the environment variables see the paragraph **Configurable environment variables** of this README.
 
 ### Step 6 - Start the feasibility portal

feasibility-portal/backend/.env.default

@@ -1,8 +1,8 @@
 # ----- app
 FEASIBILITY_BACKEND_CQL_TRANSLATE_ENABLED=true
 FEASIBILITY_BACKEND_FHIR_TRANSLATE_ENABLED=false
-FEASIBILITY_BACKEND_API_BASE_URL=https://api.datenportal.localhost
-FEASIBILITY_BACKEND_ALLOWED_ORIGINS=https://datenportal.localhost
+FEASIBILITY_BACKEND_API_BASE_URL=https://example.org/api
+FEASIBILITY_BACKEND_ALLOWED_ORIGINS=https://example.org
 FEASIBILITY_BACKEND_ONTOLOGY_ORDER="Diagnose, Prozedur, Person, Laboruntersuchung, Medikamentenverabreichung, Bioprobe, Einwilligung"
 FEASIBILITY_BACKEND_MAX_SAVED_QUERIES_PER_USER=100
 # ---- db config
@@ -15,18 +15,18 @@ FEASIBILITY_BACKEND_KEYCLOAK_ENABLED=true
 FEASIBILITY_BACKEND_KEYCLOAK_ALLOWED_ROLE=FeasibilityUser
 FEASIBILITY_BACKEND_KEYCLOAK_POWER_ROLE=FeasibilityPowerUser
 FEASIBILITY_BACKEND_KEYCLOAK_ADMIN_ROLE=FeasibilityAdmin
-FEASIBILITY_BACKEND_KEYCLOAK_BASE_URL_ISSUER=https://auth.datenportal.localhost
-FEASIBILITY_BACKEND_KEYCLOAK_BASE_URL_JWK=http://auth:8080
+FEASIBILITY_BACKEND_KEYCLOAK_BASE_URL_ISSUER=https://example.org/auth
+FEASIBILITY_BACKEND_KEYCLOAK_BASE_URL_JWK=http://auth:8080/auth
 FEASIBILITY_BACKEND_KEYCLOAK_REALM=feasibility
 #---- Direct broker
 FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_ENABLED=true
 FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_USE_CQL=false
 FEASIBILITY_BACKEND_BROKER_CLIENT_OBFUSCATE_RESULT_COUNT=false
 FEASIBILITY_BACKEND_FLARE_WEBSERVICE_BASE_URL=http://flare:8080
 FEASIBILITY_BACKEND_CQL_SERVER_BASE_URL=http://fhir-server:8080/fhir
-FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_BASIC_USERNAME=
-FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_BASIC_PASSWORD=
-FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_ISSUER_URL=https://keycloak.localhost:444/realms/blaze
+FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_BASIC_USERNAME=admin
+FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_BASIC_PASSWORD=admin
+FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_ISSUER_URL=https://example.org:444/auth/realms/blaze
 FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_CLIENT_ID=account
 FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_CLIENT_SECRET=insecure
 # ---- DSF  broker

feasibility-portal/backend/docker-compose.yml

@@ -10,8 +10,8 @@ services:
       QUERY_VALIDATION_ENABLED: ${FEASIBILITY_BACKEND_QUERY_VALIDATION_ENABLED:-true}
       CQL_TRANSLATE_ENABLED: ${FEASIBILITY_BACKEND_CQL_TRANSLATE_ENABLED:-true}
       FHIR_TRANSLATE_ENABLED: ${FEASIBILITY_BACKEND_FHIR_TRANSLATE_ENABLED:-false}
-      API_BASE_URL: ${FEASIBILITY_BACKEND_API_BASE_URL:-https://localhost/api/}
-      ALLOWED_ORIGINS: ${FEASIBILITY_BACKEND_ALLOWED_ORIGINS:-https://localhost}
+      API_BASE_URL: ${FEASIBILITY_BACKEND_API_BASE_URL:-https://example.org/api/}
+      ALLOWED_ORIGINS: ${FEASIBILITY_BACKEND_ALLOWED_ORIGINS:-https://example.org}
       QUERYRESULT_EXPIRY_MINUTES: ${FEASIBILITY_BACKEND_QUERYRESULT_EXPIRY_MINUTES:-5}
       ONTOLOGY_ORDER: ${FEASIBILITY_BACKEND_ONTOLOGY_ORDER:-"Diagnose, Prozedur, Person, Laboruntersuchung, Medikamentenverabreichung, Bioprobe, Einwilligung"}
       MAX_SAVED_QUERIES_PER_USER: ${FEASIBILITY_BACKEND_MAX_SAVED_QUERIES_PER_USER:-100}
@@ -34,9 +34,9 @@ services:
       BROKER_CLIENT_OBFUSCATE_RESULT_COUNT: ${FEASIBILITY_BACKEND_BROKER_CLIENT_OBFUSCATE_RESULT_COUNT:-false}
       FLARE_WEBSERVICE_BASE_URL: ${FEASIBILITY_BACKEND_FLARE_WEBSERVICE_BASE_URL:-http://flare:8080}
       CQL_SERVER_BASE_URL: ${FEASIBILITY_BACKEND_CQL_SERVER_BASE_URL:-http://fhir-server:8080/fhir}
-      BROKER_CLIENT_DIRECT_AUTH_BASIC_USERNAME: ${FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_BASIC_USERNAME}
-      BROKER_CLIENT_DIRECT_AUTH_BASIC_PASSWORD: ${FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_BASIC_PASSWORD}
-      BROKER_CLIENT_DIRECT_AUTH_OAUTH_ISSUER_URL: ${FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_ISSUER_URL:-https://keycloak.localhost:444/realms/blaze}
+      BROKER_CLIENT_DIRECT_AUTH_BASIC_USERNAME: ${FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_BASIC_USERNAME:-admin}
+      BROKER_CLIENT_DIRECT_AUTH_BASIC_PASSWORD: ${FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_BASIC_PASSWORD:-admin}
+      BROKER_CLIENT_DIRECT_AUTH_OAUTH_ISSUER_URL: ${FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_ISSUER_URL:-https://example.org:444/auth/realms/blaze}
       BROKER_CLIENT_DIRECT_AUTH_OAUTH_CLIENT_ID: ${FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_CLIENT_ID:-account}
       BROKER_CLIENT_DIRECT_AUTH_OAUTH_CLIENT_SECRET: ${FEASIBILITY_BACKEND_BROKER_CLIENT_DIRECT_AUTH_OAUTH_CLIENT_SECRET:-insecure}
       # ---- Aktin broker

feasibility-portal/gui/deploy-config.json.default

@@ -6,10 +6,10 @@
     "baseUrl": "/api"
   },
   "uiBackendApi": {
-    "baseUrl": "https://api.datenportal.localhost/api/v3"
+    "baseUrl": "https://example.org/api/v3"
   },
   "auth": {
-    "baseUrl": "https://auth.datenportal.localhost",
+    "baseUrl": "https://example.org/auth",
     "realm": "feasibility",
     "clientId": "feasibility-webapp",
     "roles": ["FeasibilityUser"]

feasibility-portal/keycloak/.env.default

@@ -2,10 +2,10 @@ FEASIBILITY_KC_DB=keycloakdb
 FEASIBILITY_KC_DB_USER=keycloakdbuser
 FEASIBILITY_KC_DB_PW=keycloakdbpw
 FEASIBILITY_KC_ADMIN_USER=admin
-FEASIBILITY_KC_ADMIN_PW=adminpw
-FEASIBILITY_KC_HTTP_RELATIVE_PATH=/
-FEASIBILITY_KC_HOSTNAME_URL=https://auth.datenportal.localhost
-FEASIBILITY_KC_HOSTNAME_ADMIN_URL=https://auth.datenportal.localhost
+FEASIBILITY_KC_ADMIN_PW=admin
+FEASIBILITY_KC_HTTP_RELATIVE_PATH=/auth
+FEASIBILITY_KC_HOSTNAME_URL=https://example.org/auth
+FEASIBILITY_KC_HOSTNAME_ADMIN_URL=https://example.org/auth
 FEASIBILITY_KC_LOG_LEVEL=info
 FEASIBILITY_KC_PROXY=edge
 

feasibility-portal/keycloak/docker-compose.yml

@@ -1,3 +1,4 @@
+
 services:
   auth-db:
     image: postgres:15-alpine
@@ -16,13 +17,13 @@ services:
     environment:
       KC_DB: postgres
       KC_DB_URL: "jdbc:postgresql://auth-db:5432/${FEASIBILITY_KC_DB}"
-      KC_DB_USERNAME: ${FEASIBILITY_KC_DB_USER}
-      KC_DB_PASSWORD: ${FEASIBILITY_KC_DB_PW}
-      KEYCLOAK_ADMIN: ${FEASIBILITY_KC_ADMIN_USER}
-      KEYCLOAK_ADMIN_PASSWORD: ${FEASIBILITY_KC_ADMIN_PW}
-      KC_HTTP_RELATIVE_PATH:  ${FEASIBILITY_KC_HTTP_RELATIVE_PATH}
-      KC_HOSTNAME: ${FEASIBILITY_KC_HOSTNAME_URL:-https://auth.datenportal.localhost}
-      KC_HOSTNAME_ADMIN: ${FEASIBILITY_KC_HOSTNAME_ADMIN_URL}
+      KC_DB_USERNAME: ${FEASIBILITY_KC_DB_USER:-keycloakdbuser}
+      KC_DB_PASSWORD: ${FEASIBILITY_KC_DB_PW:-keycloakdbpw}
+      KEYCLOAK_ADMIN: ${FEASIBILITY_KC_ADMIN_USER:-}
+      KEYCLOAK_ADMIN_PASSWORD: ${FEASIBILITY_KC_ADMIN_PW:-}
+      KC_HTTP_RELATIVE_PATH:  ${FEASIBILITY_KC_HTTP_RELATIVE_PATH:-/auth}
+      KC_HOSTNAME: ${FEASIBILITY_KC_HOSTNAME_URL:-https://auth.localhost}
+      KC_HOSTNAME_ADMIN: ${FEASIBILITY_KC_HOSTNAME_ADMIN_URL:-https://auth.localhost}
       KC_LOG_LEVEL: ${FEASIBILITY_KC_LOG_LEVEL:-info}
       KC_PROXY: ${FEASIBILITY_KC_PROXY:-edge}
     volumes:

feasibility-portal/proxy/.env.default

@@ -1,6 +1,13 @@
+# Set separate hostnames if 'subdomains.nginx.conf' is used (see FEASIBILITY_PORTAL_PROXY_NGINX_CONFIG below).
+# For 'context-paths.nginx.conf' these values are ignored.
 BACKEND_HOSTNAME=api.datenportal.localhost
 KEYCLOAK_HOSTNAME=auth.datenportal.localhost
 GUI_HOSTNAME=datenportal.localhost
-PROXY_CERTIFICATE_PATH=../auth/cert.pem
-PROXY_CERTIFICATE_KEY_PATH=../auth/key.pem
-PROXY_NGINX_CONFIG_PATH=./nginx.conf
+
+# Comment one of the FEASIBILITY_PORTAL_PROXY_NGINX_CONFIG depending if it is used 'subdomains.nginx.conf' or 'context-paths.nginx.conf'
+FEASIBILITY_PORTAL_PROXY_NGINX_CONFIG=./subdomains.nginx.conf
+#FEASIBILITY_PORTAL_PROXY_NGINX_CONFIG=./context-paths.nginx.conf
+FEASIBILITY_PORTAL_PROXY_CERTIFICATE_PATH=../auth/cert.pem
+FEASIBILITY_PORTAL_PROXY_CERTIFICATE_KEY_PATH=../auth/key.pem
+
+

feasibility-portal/proxy/conf.d/backend.conf.template

@@ -1,12 +1,22 @@
- server {
+server {
+    listen       8443 ssl;
+    http2        on;
+    server_name ${BACKEND_HOSTNAME};
 
-        listen       8443 ssl;
-        server_name ${BACKEND_HOSTNAME};
-
-        location / {
-            proxy_pass http://feasibility-gui-backend:8090/;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header X-Forwarded-Host  $host;
-        }
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
 
+    location / {
+        #Used with 'subdomains.nginx.conf' 
+        proxy_pass http://feasibility-gui-backend:8090/;
+
+        #Used with 'context-paths.nginx.conf'
+        #set $backend_upstream http://feasibility-gui-backend:8090;
+        #proxy_pass http://$backend_upstream$request_uri;
     }
+
+}

feasibility-portal/proxy/conf.d/gui.conf.template

@@ -1,17 +1,23 @@
 server {
+    listen      8443 ssl;
+    http2        on;
+    server_name ${GUI_HOSTNAME};
 
-        listen       8443 ssl;
-        server_name ${GUI_HOSTNAME};
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+    root   /usr/share/nginx/html;
+    }
 
-        location / {
-            proxy_pass http://dataportal-ui:8080/;
-            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $host;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-            proxy_read_timeout 86400;
-        }
+    location / {
+        #Used with 'subdomains.nginx.conf' 
+        proxy_pass http://dataportal-ui:8080/;
+
+        #Used with 'context-paths.nginx.conf'       
+        #set                  $gui_upstream http://dataportal-ui:8080;
+        #proxy_pass            http://$gui_upstream$request_uri;
 
     }
+
+}

feasibility-portal/proxy/conf.d/keycloak.conf.template

@@ -1,30 +1,21 @@
 server {
+    listen       8443 ssl;
+    http2        on;
+    server_name ${KEYCLOAK_HOSTNAME};
 
-        listen       8443 ssl;
-        server_name ${KEYCLOAK_HOSTNAME};
+    # redirect server error pages to the static page /50x.html
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
 
-        location / {
-            proxy_buffers 4 128k;
-            proxy_busy_buffers_size 128k;
-            proxy_buffer_size 64k;
-            proxy_pass http://auth:8080;
-            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header X-Forwarded-Host $host;
-            proxy_set_header X-Forwarded-Port $server_port;
-            proxy_set_header X-Real-IP $remote_addr;
-        }
+    location / {
+        #Used with 'subdomains.nginx.conf' 
+        proxy_pass http://auth:8080;
 
-  #location /keycloakadmin {
-  #        proxy_buffers 4 128k;
-  #        proxy_busy_buffers_size 128k;
-  #        proxy_buffer_size 64k;
-  #        proxy_pass http://auth:8080;
-  #        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  #        proxy_set_header X-Forwarded-Proto $scheme;
-  #        proxy_set_header X-Forwarded-Host $host;
-  #        proxy_set_header X-Forwarded-Port $server_port;
-  #        proxy_set_header X-Real-IP $remote_addr;
-  #    }
+        #Used with 'context-paths.nginx.conf'     
+        #set $auth_upstream http://auth:8080;
+        #proxy_pass http://$auth_upstream$request_uri;
     }
 
+}