Deploying SciGateway
Deploying SciGateway on its own is fairly simple: since it is purely HTML + JavaScript it can be served by any static server. Alternatively, you could write your own server and run that as a service. General information on how to do this is detailed on the ReactJS deployment documentation page: https://create-react-app.dev/docs/deployment.
Below I will describe how I set up SciGateway on the scigateway-preprod.esc.rl.ac.uk machine.
```bash
yum install httpd
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
```
`/etc/httpd/conf.d/scigateway.conf`:

```apache
<VirtualHost *:80>
    ServerName http://scigateway-preprod.esc.rl.ac.uk

    <LocationMatch "^/api/(.*)">
        ProxyPassMatch "http://scigateway-preprod.esc.rl.ac.uk:8000/api/$1"
    </LocationMatch>

    <Directory "/var/www/html">
        RewriteEngine on
        # Don't rewrite files or directories
        RewriteCond %{REQUEST_FILENAME} -f [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^ - [L]
        # Rewrite everything else to index.html to allow html5 state links
        RewriteRule ^ index.html [QSA,L]
    </Directory>
</VirtualHost>
```
This sets up Apache on port 80: it forwards any requests to `/api` to port 8000 (where we'll host an auth server), and rewrites all other paths back to `index.html` as long as they don't correspond to a real file or directory (this allows for client-side routing).
If you're setting up HTTPS on the server, you'd need to use this config instead. This sets up a redirect from HTTP to HTTPS and provides the SSL certificate and details.
```apache
<VirtualHost *:80>
    ServerName http://scigateway-preprod.esc.rl.ac.uk
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/pki/tls/certs/scigateway-preprod_esc_rl_ac_uk.crt
    SSLCertificateKeyFile /etc/pki/tls/private/scigateway-preprod.key
    SSLCertificateChainFile /etc/pki/tls/certs/scigateway-preprod_esc_rl_ac_uk.ca-bundle.crt
    Header always set Strict-Transport-Security "max-age=63072000"

    ServerName http://scigateway-preprod.esc.rl.ac.uk

    <LocationMatch "^/api/(.*)">
        ProxyPassMatch "http://scigateway-preprod.esc.rl.ac.uk:8000/$1"
    </LocationMatch>

    <LocationMatch "^/datagateway-api/(.*)">
        ProxyPassMatch "http://scigateway-preprod.esc.rl.ac.uk:5000/$1"
    </LocationMatch>

    # Escape the dot so this only matches .json files, not any file whose name ends in "json"
    <FilesMatch "\.json$">
        Header set Cache-Control "no-cache"
    </FilesMatch>

    <Directory "/var/www/html">
        RewriteEngine on
        # Don't rewrite files or directories
        RewriteCond %{REQUEST_FILENAME} -f [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^ - [L]
        # Rewrite everything else to index.html to allow html5 state links
        RewriteRule ^ index.html [QSA,L]
    </Directory>
</VirtualHost>

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
```
Note that the SSL config was generated using the following tool: https://ssl-config.mozilla.org/#server=apache&version=2.4.6&config=intermediate&openssl=1.0.2k-fips&guideline=5.6 - this is useful to double check the versions of Apache/OpenSSL etc. across different machines. You might also need to comment out the lines in `/etc/httpd/conf.d/ssl.conf` that configure `SSLProtocol` and `SSLCipherSuite` - but my experience is that these are overridden for us. You can test it's working by using nmap, e.g. `nmap --script ssl-enum-ciphers -p 443 scigateway-preprod.esc.rl.ac.uk` should only list TLSv1.2 and only a few ciphers, compared with the output when our `SSLProtocol` and `SSLCipherSuite` lines are removed/commented out.
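To make that nmap comparison systematic rather than eyeballing it, here is an added Python example (not part of this wiki or the SciGateway project) that parses the `ssl-enum-ciphers` output and reports any protocol version or cipher that the `SSLProtocol`/`SSLCipherSuite` lines above should have removed. The cipher names are the IANA equivalents of the OpenSSL names in that config, and the sample nmap output is constructed.

```python
import re
# IANA cipher names (what nmap prints) for the OpenSSL names in the SSLCipherSuite line above.
EXPECTED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
EXPECTED_PROTOCOLS = {"TLSv1.2"}  # SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 (no TLS 1.3 on OpenSSL 1.0.2)
PROTO_RE = re.compile(r"^(SSLv3|TLSv1(?:\.[0-3])?):$")
CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+)")

def parse_ssl_enum_ciphers(output):
    """Return {protocol: [cipher, ...]} from the text nmap's ssl-enum-ciphers script prints."""
    offered, proto, in_ciphers = {}, None, False
    for raw in output.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop nmap's "|" / "|_" gutter
        m = PROTO_RE.match(line)
        if m:
            proto, in_ciphers = m.group(1), False
            offered[proto] = []
        elif proto is not None and line == "ciphers:":
            in_ciphers = True
        elif in_ciphers and (c := CIPHER_RE.match(line)):
            offered[proto].append(c.group(1))
        else:
            in_ciphers = False  # "compressors:", "least strength:" etc. end the cipher list
    return offered

def audit(offered):
    """List each protocol version or cipher still offered that the config above should have removed."""
    bad_protos = [f"{p} still enabled" for p in offered if p not in EXPECTED_PROTOCOLS]
    bad_ciphers = [f"{p}: {c} not in SSLCipherSuite"
                   for p, cs in offered.items() for c in cs if c not in EXPECTED_CIPHERS]
    return bad_protos + bad_ciphers

# Constructed sample nmap output, as it might look if the SSL lines had NOT taken effect.
SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_  least strength: C
"""
FINDINGS = audit(parse_ssl_enum_ciphers(SAMPLE))  # three findings; an empty list means the config took effect
```

Pipe the real scan into `parse_ssl_enum_ciphers` and an empty `audit` result confirms the global `SSLProtocol`/`SSLCipherSuite` lines are the ones in effect.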
Additionally, for security reasons we need to turn off the TRACE HTTP method - do so by adding the following line to `/etc/httpd/conf/httpd.conf`:

```apache
TraceEnable Off
```

Then start Apache and enable it at boot:

```bash
systemctl start httpd
systemctl enable httpd
```
TCP timestamps were also flagged as part of a security scan, so disabling them will need to be done on any server exposed over HTTPS. You'll need to edit `/etc/sysctl.conf` and add the following line:

```
net.ipv4.tcp_timestamps = 0
```

And then run:

```bash
sysctl -p
```
On scigateway-preprod.esc.rl.ac.uk, the SciGateway repository is cloned and built by the ICAT `glassfish` user in the `/home/glassfish/scigateway` folder, which contains all the git repos.

Run `yarn install` to install dependencies and ensure your settings files are correct (e.g. `public/settings.json` exists and is configured correctly; check your strings file too, the default is `public/res/default.json`).
SciGateway has its own default homepage located at the web root `/`. An optional setting, `"homepageUrl"` in `public/settings.json`, can be used to override this default homepage and set any registered route as the homepage. For example, datagateway-dataview includes the DataGateway-specific homepage, which is a registered route in `datagateway-dataview-settings.json` with the link `"/datagateway"`. Therefore, to set this as the replacement SciGateway homepage, add the following to `public/settings.json`:

```json
"homepageUrl": "/datagateway"
```
```bash
yarn build
```

This will build SciGateway in production mode, which minimises the JavaScript and performs other performance improvements. Then copy the build output into the web root:

```bash
cp -r build/* /var/www/html/
```
In order for SciGateway to have login functionality, it needs to be able to contact an auth server. The Apache config is already proxying requests to `/api` to port 8000, so we just need to run our auth server. If you run

```bash
node server/auth-server.js
```

in the root of SciGateway then this should run the server, and if you try logging in with SciGateway it should work. Now, we don't want to have to run this manually ourselves, so we can create a systemd service file to run the auth server as a service.
Create `/etc/systemd/system/scigateway-auth-test.service` and paste the following contents:

```ini
[Unit]
Description=Default scigateway auth server
Documentation=https://github.com/ral-facilities/scigateway/wiki
After=network.target

[Service]
Type=simple
User=glassfish
ExecStart=/usr/bin/node /home/glassfish/scigateway/scigateway/server/auth-server.js
Restart=on-failure
RestartSec=2

[Install]
WantedBy=multi-user.target
```

(This assumes that there is an unprivileged `glassfish` user that has cloned the SciGateway repo, as is used by the ICAT stack; you can change this to be any unprivileged user.)
It's all well and good to be able to deploy the test auth server, but this doesn't help if we want to authenticate using scigateway-auth, which supplies ICAT authentication capabilities. We can instead choose to set up scigateway-auth in place of the `auth-server.js` server.

NOTE: You can only have one authentication server running at a time, so disable `auth-server.js` if you had previously set it up.
```bash
git clone https://github.com/ral-facilities/scigateway-auth.git
```

As root:

```bash
yum install epel-release
yum install python36 python36-pip
yum install httpd-devel
pip3 install mod-wsgi
mod_wsgi-express install-module > /etc/httpd/conf.modules.d/02-wsgi.conf
```

As `glassfish`, in `/home/glassfish/scigateway/scigateway-auth`:

```bash
pip3 install --user -r requirements.txt
```
In `/home/glassfish/scigateway/scigateway-auth`, you will need to copy the example config file `config.json.example` and modify it to suit your needs. The `host` and `port` values only affect the dev server and so can be ignored, but other options like `icat_url` need to be modified to suit your deployment. E.g. for our setup:

```json
{
  "host": "127.0.0.1",
  "port": 5000,
  "debug_mode": false,
  "icat_url": "https://scigateway-preprod.esc.rl.ac.uk:8181/icat",
  "log_level": "INFO",
  "access_token_valid_for": 120,
  "refresh_token_valid_for": 120,
  "blacklist": [],
  "verify": "/home/glassfish/scigateway/scigateway-auth/icat_cert.crt"
}
```
The `verify` config option specifies how `requests` will verify that ICAT is trusted to communicate over SSL. This can be set to `false` to disable certificate verification, but it is better to supply ICAT's actual self-signed certificate. ICAT's certificate can be extracted using the following steps:

```bash
# Convert the Payara JKS keystore to PKCS12, then export just the certificate (no private key) as PEM
keytool -importkeystore -srckeystore /home/glassfish/payara[version-string]/glassfish/domains/domain1/config/keystore.jks -srcstoretype JKS -srcstorepass changeit -destkeystore keystore.p12 -storepass changeit -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -passin pass:changeit -clcerts -nokeys -out /home/glassfish/scigateway/scigateway-auth/icat_cert.crt
```
`/etc/httpd/conf.d/scigateway-auth`:

```apache
Listen 8000
<VirtualHost *:8000>
    ServerName http://scigateway-preprod.esc.rl.ac.uk
    WSGIPassAuthorization On
    WSGIDaemonProcess scigateway-auth user=glassfish group=glassfish threads=1 python-path=/home/glassfish/scigateway/scigateway-auth
    WSGIScriptAlias / /var/www/scigateway-auth/scigateway-auth.wsgi process-group=scigateway-auth application-group=%{GLOBAL}

    <Directory /var/www/scigateway-auth>
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
This sets up Apache to run mod_wsgi on port 8000. It expects a wsgi file in `/var/www/scigateway-auth/scigateway-auth.wsgi` and runs the server as the unprivileged `glassfish` user.
Create `/var/www/scigateway-auth/scigateway-auth.wsgi` (the path the `WSGIScriptAlias` above points at):

```python
#! /usr/bin/python3.6
import logging
import sys

# Send the application's logging to Apache's error log
logging.basicConfig(stream=sys.stderr)
# Make the scigateway-auth checkout importable
sys.path.insert(0, '/home/glassfish/scigateway/scigateway-auth/scigateway-auth/')
# mod_wsgi looks for a callable named "application"
from app import app as application
```

```bash
systemctl restart httpd
```

This tells mod_wsgi the actual location of our app and how to run it.
Since we are now using the ICAT authenticator, we need to update our `settings.json` to reflect this. It's recommended to update the `settings.json` in both the git folder (`/home/glassfish/scigateway/scigateway/public/settings.json`) and the deployment folder (`/var/www/html/settings.json`): updating the deployment folder will immediately reflect any changes, whereas updating the git folder will ensure the changes are applied when you next build SciGateway.

Switch the `auth-provider` field to say `icat` instead of `jwt`.
In order to make the most of the SciGateway ICAT authenticator, the `run.properties` file of the ICAT you are using may need to be updated. There are optional config options for authenticators: `friendly`, which specifies a more human-readable name for the authenticator; and `admin`, which indicates whether an authenticator is intended for admin use only. If a `friendly` name is set, then SciGateway will display that name in the dropdown instead of the mnemonic, and if `admin` is true then SciGateway will not display it in the dropdown (since that authenticator is for admin use only, it should not be displayed in the frontend). Updating the `run.properties` file requires reinstalling ICAT, and thus production ICATs will need to plan around this, either by incorporating the change into existing downtime plans or planning a downtime exclusively for this change.