From e86d283ca0934ffeb2bf392a001e165f4615268e Mon Sep 17 00:00:00 2001 From: Fernando Ribeiro Date: Fri, 23 May 2025 11:54:06 +0100 Subject: [PATCH 01/15] SSO integration for EE. Initial implementation and some refactoring --- .dockerignore | 6 +++- deployment/enterprise/.env.template | 11 +++++++ deployment/enterprise/.sso.env.template | 33 +++++++++++++++++++ deployment/enterprise/docker-compose.sso.yml | 19 +++++++++++ deployment/enterprise/docker-compose.yml | 4 --- deployment/enterprise/sso/boxy.sql | 2 ++ .../enterprise/sso/sso-connections/test.js | 8 +++++ .../enterprise/sso/sso-connections/test.xml | 18 ++++++++++ deployment/enterprise/sso/sso-init.sh | 23 +++++++++++++ 9 files changed, 119 insertions(+), 5 deletions(-) create mode 100644 deployment/enterprise/.sso.env.template create mode 100644 deployment/enterprise/docker-compose.sso.yml create mode 100644 deployment/enterprise/sso/boxy.sql create mode 100644 deployment/enterprise/sso/sso-connections/test.js create mode 100644 deployment/enterprise/sso/sso-connections/test.xml create mode 100755 deployment/enterprise/sso/sso-init.sh diff --git a/.dockerignore b/.dockerignore index 1cd57768..888af20a 100644 --- a/.dockerignore +++ b/.dockerignore @@ -77,5 +77,9 @@ docs/_build/ # PyBuilder target/ -#Ipython Notebook +# Ipython Notebook .ipynb_checkpoints + +# SSO +*.pem +*.crt diff --git a/deployment/enterprise/.env.template b/deployment/enterprise/.env.template index e2e2adc7..191c6267 100644 --- a/deployment/enterprise/.env.template +++ b/deployment/enterprise/.env.template 
@@ -215,3 +215,14 @@ VECTOR_TILES_STYLE_URL=https://tiles-ee.merginmaps.com//styles/default.json #QGIS_EXTRACTOR_TIMEOUT=60 #OVERVIEW_MAX_FILE_SIZE=1048576 # 1MB + +### SSO ################################################################################################################ +SSO_ENABLED=True +SSO_SERVER_PRODUCT_ID=MerginMaps +SSO_SERVER_URL=http://172.17.0.1:5225 #FIXME +SSO_SERVER_API_URL=http://172.17.0.1:5225 #FIXME + +SSO_SESSION_EXPIRATION=14 + +# If use multi tenant flow by default +# SSO_FORCE_MULTI_TENANT=True diff --git a/deployment/enterprise/.sso.env.template b/deployment/enterprise/.sso.env.template new file mode 100644 index 00000000..6977c6d2 --- /dev/null +++ b/deployment/enterprise/.sso.env.template @@ -0,0 +1,33 @@ +# for full list check https://boxyhq.com/docs/jackson/deploy/env-variables + +# need to be base64 encoded values +# JACKSON_API_KEYS= +# DB_ENCRYPTION_KEY= +# NEXTAUTH_JWT_SIGNING_PRIVATE_KEY= +# NEXTAUTH_SECRET= +# these comes from key pair +# PRIVATE_KEY= +# PUBLIC_KEY= + +# fixme with proper credentials +NEXTAUTH_ACL=*@example.com +RETRACED_ADMIN_ROOT_TOKEN='dev' +NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy + +EXTERNAL_URL=http://localhost:5225 +NEXTAUTH_URL=http://localhost:5225 +# beware it should use different db and user in production +DB_URL=postgres://postgres:postgres@db:5432/jackson +DB_ENGINE=sql +DB_TYPE=postgres +DB_TTL=300 +DB_CLEANUP_LIMIT=1000 +DB_MANUAL_MIGRATION=0 +SAML_AUDIENCE=https://saml.mergin.com +BOXYHQ_NO_TELEMETRY=1 +BOXYHQ_NO_ANALYTICS=1 +DO_NOT_TRACK=1 +IDP_ENABLED=0 +ADMIN_PORTAL_HIDE_AUDIT_LOGS=1 +ADMIN_PORTAL_HIDE_IDENTITY_FEDERATION=1 +PRE_LOADED_CONNECTION=/sso-connections diff --git a/deployment/enterprise/docker-compose.sso.yml b/deployment/enterprise/docker-compose.sso.yml new file mode 100644 index 00000000..c9e4e50b --- /dev/null +++ b/deployment/enterprise/docker-compose.sso.yml 
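Review bot: `.sso.env.template` ships `NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy`, `RETRACED_ADMIN_ROOT_TOKEN='dev'` and `NEXTAUTH_ACL=*@example.com` as live values guarded only by a `# fixme with proper credentials` comment, and `sso-init.sh` in this same patch copies every non-comment line of the template verbatim into `.sso.env`, so an operator who follows the script ends up with an admin portal whose password is the published default. Leave the three values empty in the template (`NEXTAUTH_ADMIN_CREDENTIALS=` under a `# REQUIRED: set before deployment` comment) and make the init script abort when any of them is blank. The same defaults survive as context lines in the `.sso.env.template` hunks of patch 06, so the guidance to change them is currently README-only. `DB_URL=postgres://postgres:postgres@db:5432/jackson` also points the SSO server at the Postgres superuser shared with the main database; the `# beware` comment acknowledges it, but a dedicated role is cheap and belongs in the bootstrap SQL.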
@@ -0,0 +1,19 @@ +networks: + mergin: + name: mergin-ee + +services: + jackson: + image: boxyhq/jackson:1.45.3 + container_name: merginmaps-sso + restart: always + volumes: + - ./sso/sso-connections:/sso-connections + env_file: + - .sso.env + networks: + - mergin + depends_on: + - db + ports: + - 5225:5225 diff --git a/deployment/enterprise/docker-compose.yml b/deployment/enterprise/docker-compose.yml index cb5084c8..9156155a 100644 --- a/deployment/enterprise/docker-compose.yml +++ b/deployment/enterprise/docker-compose.yml @@ -19,7 +19,6 @@ services: - db networks: - mergin - web: image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-front:2025.3.0 container_name: merginmaps-web @@ -30,7 +29,6 @@ services: - .prod.env networks: - mergin - proxy: image: nginxinc/nginx-unprivileged:1.27 container_name: merginmaps-proxy @@ -81,7 +79,6 @@ services: - redis networks: - mergin - db: image: postgres:14 container_name: merginmaps-db @@ -96,7 +93,6 @@ services: - 5432:5432 networks: - mergin - redis: image: redis container_name: merginmaps-redis diff --git a/deployment/enterprise/sso/boxy.sql b/deployment/enterprise/sso/boxy.sql new file mode 100644 index 00000000..4d534e64 --- /dev/null +++ b/deployment/enterprise/sso/boxy.sql @@ -0,0 +1,2 @@ +-- Bootstrap script for the database when first initialized +CREATE DATABASE jackson; diff --git a/deployment/enterprise/sso/sso-connections/test.js b/deployment/enterprise/sso/sso-connections/test.js new file mode 100644 index 00000000..bbc1e1ca --- /dev/null +++ b/deployment/enterprise/sso/sso-connections/test.js @@ -0,0 +1,8 @@ +module.exports = { + defaultRedirectUrl: 'http://localhost:8080', + redirectUrl: '["http://localhost:8080"]', + tenant: 'example.com', + product: 'MerginMaps', + name: 'testConnection', + description: 'Just a test connection', +}; \ No newline at end of file 
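Review bot: `boxy.sql` creates the `jackson` database but no role for it, so with the template's `DB_URL` the SSO server connects as the Postgres superuser that also owns the Mergin Maps database, and a compromise of the SSO container is a compromise of both. The bootstrap script is the natural place for a least-privilege role: `CREATE ROLE jackson WITH LOGIN PASSWORD '<SET-ME: generated at deploy time>';` followed by `CREATE DATABASE jackson OWNER jackson;`, with `DB_URL` in `.sso.env.template` switched to that role. The header comment says "when first initialized"; spell out that this means an empty data volume, since that is the condition under which the Postgres image runs it.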
diff --git a/deployment/enterprise/sso/sso-connections/test.xml b/deployment/enterprise/sso/sso-connections/test.xml new file mode 100644 index 00000000..a09f949e --- /dev/null +++ b/deployment/enterprise/sso/sso-connections/test.xml @@ -0,0 +1,18 @@ + + + + + + +MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4 MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0 RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd 4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b 2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW 5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4 khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M m0eo2USlSRTVl7QHRTuiuSThHpLKQQ== + + + + + +urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + + \ No newline at end of file diff --git a/deployment/enterprise/sso/sso-init.sh b/deployment/enterprise/sso/sso-init.sh new file mode 100755 index 00000000..0abbd485 --- /dev/null +++ b/deployment/enterprise/sso/sso-init.sh 
@@ -0,0 +1,23 @@
+#!/bin/bash
+set -eu
+
+# Create sso env file
+grep -v '^#' ../.sso.env.template > ../.sso.env
+# create key pair for sso if not present
+if [[ ! -f key.pem ]] || [[ ! -f public.crt ]]; then
+ echo "Generating certificates for boxy..."
+ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out public.crt -sha256 -days 365 -nodes -batch
+fi
+
+
+# generate some random secrets
+echo JACKSON_API_KEYS=$(openssl rand -base64 32) >> ../.sso.env
+echo DB_ENCRYPTION_KEY=$(openssl rand -base64 32) >> ../.sso.env
+echo DB_ENCRYPTION_KEY=$(openssl rand -base64 32) >> ../.sso.env
+echo NEXTAUTH_SECRET=$(openssl rand -base64 32) >> ../.sso.env
+echo PUBLIC_KEY=$(cat public.crt | base64 | tr -d '\n') >> ../.sso.env
+echo PRIVATE_KEY=$(cat key.pem | base64 | tr -d '\n') >> ../.sso.env
+
+
+# make jackson secret key available to mergin-server
+export $(grep JACKSON_API_KEYS ../.sso.env | xargs)
From c9d4e125a75316aebc36a7640cc6aa7013df9508 Mon Sep 17 00:00:00 2001
From: Fernando Ribeiro
Date: Mon, 2 Jun 2025 12:30:52 +0100
Subject: [PATCH 02/15] Update latest sso developments
---
 .gitignore | 4 ++++
 deployment/common/nginx.conf | 21 ++++++++++++++++++
 deployment/enterprise/.sso.env | 28 ++++++++++++++++++++++++
 deployment/enterprise/docker-compose.yml | 11 ++++++----
 4 files changed, 60 insertions(+), 4 deletions(-)
 create mode 100644 deployment/enterprise/.sso.env
diff --git a/.gitignore b/.gitignore
index 94220ca0..be5ac2dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,7 @@ web-app/.node-version
 mergin-db-ce
 docker-compose.local.yml
+
+# SSO
+*.pem
+*.crt
diff --git a/deployment/common/nginx.conf b/deployment/common/nginx.conf
index da22340b..27e8b728 100644
--- a/deployment/common/nginx.conf
+++ b/deployment/common/nginx.conf
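Review bot: `key.pem` and `../.sso.env` are created with the caller's default umask, so the SSO private key and every secret the script appends are typically world-readable on the host; start the script with `umask 077` (or `chmod 600` both files before anything is written to them). `set -eu` does not catch a failing `$(openssl rand ...)` inside an `echo` argument, which would silently append an empty `JACKSON_API_KEYS=`; assigning each secret to a variable first makes such a failure abort the script. `DB_ENCRYPTION_KEY` is written twice while `NEXTAUTH_JWT_SIGNING_PRIVATE_KEY`, listed in the template's "need to be base64 encoded values" block, is never written, so the second line looks like a copy-paste slip. The relative paths (`../.sso.env`, `key.pem`) assume the `sso` directory is the working directory; the README added in patch 04 tells operators to run it from `sso-connections`, where it would write `sso/.sso.env` instead.
```shell
#!/bin/bash
set -euo pipefail
umask 077   # key.pem and .sso.env hold secrets; never create them world-readable

# … unchanged: create ../.sso.env from the template, generate the key pair …

# generate some random secrets; a failing openssl aborts the script instead of writing an empty value
api_keys=$(openssl rand -base64 32)
db_encryption_key=$(openssl rand -base64 32)
jwt_signing_key=$(openssl rand -base64 32)
nextauth_secret=$(openssl rand -base64 32)
{
  echo "JACKSON_API_KEYS=${api_keys}"
  echo "DB_ENCRYPTION_KEY=${db_encryption_key}"
  echo "NEXTAUTH_JWT_SIGNING_PRIVATE_KEY=${jwt_signing_key}"
  echo "NEXTAUTH_SECRET=${nextauth_secret}"
  echo "PUBLIC_KEY=$(base64 < public.crt | tr -d '\n')"
  echo "PRIVATE_KEY=$(base64 < key.pem | tr -d '\n')"
} >> ../.sso.env
```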
@@ -58,3 +58,24 @@ server { alias /data/; } } + +server { + listen 8081; + listen [::]:8081; + server_name _; + + client_max_body_size 4G; + + # Don't show version information + server_tokens off; + + location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + # we don't want nginx trying to do something clever with + # redirects, we set the Host: header above already. + proxy_redirect off; + proxy_pass http://${BOXY_HOST}:5225; + } + } diff --git a/deployment/enterprise/.sso.env b/deployment/enterprise/.sso.env new file mode 100644 index 00000000..b48b7053 --- /dev/null +++ b/deployment/enterprise/.sso.env @@ -0,0 +1,28 @@ + + +NEXTAUTH_ACL=*@example.com +RETRACED_ADMIN_ROOT_TOKEN='dev' +NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy + +EXTERNAL_URL=http://localhost:5225 +NEXTAUTH_URL=http://localhost:5225 +DB_URL=postgres://postgres:postgres@db:5432/jackson +DB_ENGINE=sql +DB_TYPE=postgres +DB_TTL=300 +DB_CLEANUP_LIMIT=1000 +DB_MANUAL_MIGRATION=0 +SAML_AUDIENCE=https://saml.mergin.com +BOXYHQ_NO_TELEMETRY=1 +BOXYHQ_NO_ANALYTICS=1 +DO_NOT_TRACK=1 +IDP_ENABLED=0 +ADMIN_PORTAL_HIDE_AUDIT_LOGS=1 +ADMIN_PORTAL_HIDE_IDENTITY_FEDERATION=1 +PRE_LOADED_CONNECTION=/sso-connections +JACKSON_API_KEYS=2E4TUX0sBRxzE5uZjrNNoJ59do5wsrCQr4SDA02TZSw= +DB_ENCRYPTION_KEY=dfV7QDMAljXxoZ5p97qoxs54r7nSmVrPRSXbJiybOGI= +DB_ENCRYPTION_KEY=jmrl6zeRrhPiCZazKe0rzCDMgB8l83451JR6H3ETJMo= +NEXTAUTH_SECRET=R46iY3KqKqycBHFO+ZYXFT7bWJzHHhEBoMcBSNE5Lj0= +PUBLIC_KEY=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 +PRIVATE_KEY=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 diff --git a/deployment/enterprise/docker-compose.yml b/deployment/enterprise/docker-compose.yml index 9156155a..73347523 100644 --- a/deployment/enterprise/docker-compose.yml +++ b/deployment/enterprise/docker-compose.yml 
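Review bot: `deployment/enterprise/.sso.env` is committed with generated values for `JACKSON_API_KEYS`, `DB_ENCRYPTION_KEY`, `NEXTAUTH_SECRET`, `PUBLIC_KEY` and `PRIVATE_KEY`; deleting the file again in patch 03 removes it from the tree, not from history, so these values are published and any environment that was provisioned from them needs fresh secrets from `sso-init.sh`. The file should be ignored before it is ever generated; patch 04 adds it to `.gitignore`, but `.dockerignore` from patch 01 excludes only `*.pem` and `*.crt`, so if this directory is part of a build context the env file carrying the same key material would still be sent to the daemon. The duplicated `DB_ENCRYPTION_KEY` line from the generator is visible here as well; which of the two wins depends on the env_file parser, which is another reason to fix the generator.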
@@ -5,7 +5,7 @@ networks: services: server: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.3.0 + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.4.0 container_name: merginmaps-server restart: always user: 901:999 @@ -20,7 +20,7 @@ services: networks: - mergin web: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-front:2025.3.0 + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-front:2025.4.0 container_name: merginmaps-web restart: always depends_on: @@ -37,6 +37,9 @@ services: user: 101:999 ports: - "8080:8080" + - "8081:8081" + environment: + - BOXY_HOST=${BOXY_HOST:-localhost} volumes: - ./data:/data # map data dir to host - ../common/nginx.conf:/etc/nginx/templates/default.conf.template @@ -47,7 +50,7 @@ services: - server celery-beat: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.3.0 + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.4.0 container_name: merginmaps-celery-beat restart: always user: 901:999 @@ -63,7 +66,7 @@ services: - mergin celery-worker: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.3.0 + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.4.0 container_name: merginmaps-celery-worker restart: always user: 901:999 From 823ebe1a23e7085e846fab034ac89ed2ceb87386 Mon Sep 17 00:00:00 2001 From: Fernando Ribeiro Date: Mon, 2 Jun 2025 12:39:40 +0100 Subject: [PATCH 03/15] Remove autogenerated sso env file --- deployment/enterprise/.sso.env | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100644 deployment/enterprise/.sso.env diff --git a/deployment/enterprise/.sso.env b/deployment/enterprise/.sso.env deleted file mode 100644 index b48b7053..00000000 --- a/deployment/enterprise/.sso.env +++ /dev/null 
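Review bot: `- "8081:8081"` publishes the SSO proxy listener on every host interface, while the README describes a system NGINX in front of the stack as the public entry point; binding it like `- "127.0.0.1:8081:8081"` keeps the Polis admin portal reachable only through that front proxy (the existing `"8080:8080"` has the same shape, so this may be a deliberate convention — if so, say so in a comment). The `BOXY_HOST=${BOXY_HOST:-localhost}` default resolves to the proxy container itself, not to the `jackson` service; patch 06 reworks this, so only the host-binding question remains open.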
@@ -1,28 +0,0 @@ - - -NEXTAUTH_ACL=*@example.com -RETRACED_ADMIN_ROOT_TOKEN='dev' -NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy - -EXTERNAL_URL=http://localhost:5225 -NEXTAUTH_URL=http://localhost:5225 -DB_URL=postgres://postgres:postgres@db:5432/jackson -DB_ENGINE=sql -DB_TYPE=postgres -DB_TTL=300 -DB_CLEANUP_LIMIT=1000 -DB_MANUAL_MIGRATION=0 -SAML_AUDIENCE=https://saml.mergin.com -BOXYHQ_NO_TELEMETRY=1 -BOXYHQ_NO_ANALYTICS=1 -DO_NOT_TRACK=1 -IDP_ENABLED=0 -ADMIN_PORTAL_HIDE_AUDIT_LOGS=1 -ADMIN_PORTAL_HIDE_IDENTITY_FEDERATION=1 -PRE_LOADED_CONNECTION=/sso-connections -JACKSON_API_KEYS=2E4TUX0sBRxzE5uZjrNNoJ59do5wsrCQr4SDA02TZSw= -DB_ENCRYPTION_KEY=dfV7QDMAljXxoZ5p97qoxs54r7nSmVrPRSXbJiybOGI= -DB_ENCRYPTION_KEY=jmrl6zeRrhPiCZazKe0rzCDMgB8l83451JR6H3ETJMo= -NEXTAUTH_SECRET=R46iY3KqKqycBHFO+ZYXFT7bWJzHHhEBoMcBSNE5Lj0= -PUBLIC_KEY=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURaVENDQWsyZ0F3SUJBZ0lVUkZraUxGN0ViV1BmTCtCdmVWYTlTNnA5Mk13d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1FqRUxNQWtHQTFVRUJoTUNXRmd4RlRBVEJnTlZCQWNNREVSbFptRjFiSFFnUTJsMGVURWNNQm9HQTFVRQpDZ3dUUkdWbVlYVnNkQ0JEYjIxd1lXNTVJRXgwWkRBZUZ3MHlOVEExTWpJeE1ERTVOVGRhRncweU5qQTFNakl4Ck1ERTVOVGRhTUVJeEN6QUpCZ05WQkFZVEFsaFlNUlV3RXdZRFZRUUhEQXhFWldaaGRXeDBJRU5wZEhreEhEQWEKQmdOVkJBb01FMFJsWm1GMWJIUWdRMjl0Y0dGdWVTQk1kR1F3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQgpEd0F3Z2dFS0FvSUJBUUNwZ3hzRGtyTFZCcUNsMnBRdjFxcW9kS2VTUWFPRUZVVS9oUHVSMzZYVWxpYXJvazZUCmp1MDNpdmpkMDBCR0habG5mODEzZmtvM3ZtK2ZldnFvTFVkVlg2M2ZWcjJTalZ5NkFaazNyK21MM0RqZHJ1VVoKaWhNNmw0SzJiS0RIcFlHaVhYSnQ4U2dYeVcrNjBNWFErY1JoWFlTQXdMbzcvdm1SRGs5c0o5YjNNb0ZUZkF2bApjZXVyUkUzamRSbHdUMml2Z0FXR2xaWHFzdjBqNGNjcTY4UXY0b3FuTzdRNWdNWFk0WnNQbStIaWp6NXkvY3ovClh6a2hSNWZjdDd3Qk1IWm51RmNuQmh3dGdJS3lOQmtQdXZPRHhFUkNUSFlwOUU5bEhKdGcvZmRSSWE3RkFZcEEKUlMwVnRNOCszV2EvcWFrN0JlSXRpNko4RjQwSUZxU0RrT1M5QWdNQkFBR2pVekJSTUIwR0ExVWREZ1FXQkJUNApqK21MVDFHMHZ5MkRJMVRNVkZLM1JVcVppekFmQmdOVkhTTUVHREFXZ0JUNGorbUxUMUcwdnkyREkxVE1WRkszClJVcVppekFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJKMXB3a1
hvaFEKbjNWNndtUUtjbTd3TTJ0RjRpYTE1NWxsbnZ3NHJkQ21HazQ1ZkhXMW9qQlFhZk9ZUGY0dzRWNjg0RXFIOGZUQwpCalR2b3dwek5aT01XMlFvTzRPNFlhUjJzYkNhdXRwenZZSWFOTDdodmYzTnVyN0FNZ0theUdUV0plOHFiYzZvCldhN2tyV0l3dStlVGZnNEZ2dXZkTkFZOWlheGZ1Q1Iza0I3U05lTU5FWjViS29zVzE2am5ZY1RBYUp4ejRCM0EKcy8yb3hiSUJZOGpHdk12UVltTWVzdDF6ZTJuM0taM0kxNVphVVlNMG9ZeDBuQ1Q0UUlUS2J6QmJNRk02SlNFcAphdlphUWxWMzBpaUZyWXROMFRJVURXRDJ1SDBnbVF6RTk1dnFWNDNWTUpQWUlpcHV0T05sN3hYOHlXbzgxcCtPCkl5UDh6VDlSdm1nRgotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== -PRIVATE_KEY=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 From 00331d193b8acd6f2301f2da4fe3bb63302ba410 Mon Sep 17 00:00:00 2001 From: Fernando Ribeiro Date: Thu, 5 Jun 2025 14:14:04 +0100 Subject: [PATCH 04/15] Final adjustments and some documentation --- .gitignore | 1 + deployment/enterprise/README.md | 33 ++++++++++++++++++++ deployment/enterprise/docker-compose.sso.yml | 2 -- deployment/enterprise/docker-compose.yml | 3 +- 4 files changed, 35 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index be5ac2dc..7614b44b 100644 --- a/.gitignore +++ b/.gitignore @@ -18,6 +18,7 @@ venv/ # production env .prod.env +.sso.env # generated documentation gen diff --git a/deployment/enterprise/README.md b/deployment/enterprise/README.md index 5620c12c..a14dc092 100644 --- a/deployment/enterprise/README.md +++ b/deployment/enterprise/README.md 
@@ -26,3 +26,36 @@ cp .env.template .prod.env Next step is to create data directory for Mergin Maps `data` with proper permissions. Should you prefer a different location, please do search and replace it in config files (`.prod.env`, `docker-compose.yml`). Make sure your volume is large enough since Mergin Maps keeps all projects files, their history and also needs some space for temporary processing. For more details about deployment please check [docs](https://merginmaps.com/docs/server/install/#deployment). + +Finally initialize your Mergin Maps stack with: + +```shell +docker compose up -d +``` + +# WebMaps + +Webmaps support is activate with environment variable `MAPS_ENABLED=True` on the main `.prod.env` configuration file. +Also check other important webmaps related environment variables configurations on Mergin Maps [docs](https://merginmaps.com/docs/server/environment/#webmaps) + + +If you have it enabled, after the normal Mergin Maps stack is initialized simply run: + +```shell +docker compose -f docker-compose.maps.yml up -d +``` + +# SSO + +For SSO deployment, first you need to change some relevant content on the provide `.sso.env.template` file, namely the default values on the following environment variable: (`NEXTAUTH_ADMIN_CREDENTIALS, RETRACED_ADMIN_ROOT_TOKEN, NEXTAUTH_ACL`). + +Next, under folder `sso-connections` run the initialization script `sso-init.sh`. This will generate a ready to use file with some pregenerated secrets needed for the sso backend. If you want, and it's actually advised, you can create/generate your own secrets. + +Before the deployment, check that SSO related environment variables, namely `SSO_ENABLE=True`, are set. +Please follow Mergin Maps [documentation](https://merginmaps.com/docs/server/environment/#sso) on this topic. + +Finally simply run the SSO stack with: + +```shell +docker compose -f docker-compose.sso.yml up -d +``` \ No newline at end of file 
diff --git a/deployment/enterprise/docker-compose.sso.yml b/deployment/enterprise/docker-compose.sso.yml index c9e4e50b..89e72284 100644 --- a/deployment/enterprise/docker-compose.sso.yml +++ b/deployment/enterprise/docker-compose.sso.yml @@ -13,7 +13,5 @@ services: - .sso.env networks: - mergin - depends_on: - - db ports: - 5225:5225 diff --git a/deployment/enterprise/docker-compose.yml b/deployment/enterprise/docker-compose.yml index 73347523..d363cac3 100644 --- a/deployment/enterprise/docker-compose.yml +++ b/deployment/enterprise/docker-compose.yml @@ -88,12 +88,11 @@ services: restart: always volumes: - ./mergin-db-enterprise:/var/lib/postgresql/data + - ./sso/boxy.sql:/docker-entrypoint-initdb.d/boxy.sql environment: - POSTGRES_DB=mergin - POSTGRES_USER=postgres - POSTGRES_PASSWORD=postgres # !TODO Change this and also change .prod.env $DB_PASSWORD accordingly - ports: - - 5432:5432 networks: - mergin redis: From feb78ff1ab31c26bdc258d982a6286ffc770ac39 Mon Sep 17 00:00:00 2001 From: Fernando Ribeiro Date: Fri, 6 Jun 2025 15:17:56 +0100 Subject: [PATCH 05/15] Final adjustments to PR --- deployment/common/nginx.conf | 20 ------------------- deployment/enterprise/.env.template | 13 ++++++------ deployment/enterprise/README.md | 8 +++++--- deployment/enterprise/docker-compose.sso.yml | 2 +- deployment/enterprise/docker-compose.yml | 1 + .../enterprise/sso/sso-connections/test.js | 8 -------- deployment/enterprise/sso/sso-init.sh | 4 ---- deployment/enterprise/sso/sso-nginx.conf | 20 +++++++++++++++++++ 8 files changed, 34 insertions(+), 42 deletions(-) delete mode 100644 deployment/enterprise/sso/sso-connections/test.js create mode 100644 deployment/enterprise/sso/sso-nginx.conf diff --git a/deployment/common/nginx.conf b/deployment/common/nginx.conf index 27e8b728..e2af9e29 100644 --- a/deployment/common/nginx.conf +++ b/deployment/common/nginx.conf 
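Review bot: Mounting `./sso/boxy.sql` into `/docker-entrypoint-initdb.d/` creates the `jackson` database only on a fresh volume; the Postgres image runs those scripts solely when `./mergin-db-enterprise` is empty, so an existing installation that enables SSO will start Polis against a database that does not exist. Document a one-off `CREATE DATABASE jackson;` step for upgrades, or have the SSO stack create it on startup. Removing `- 5432:5432` is the right call; with a second service now sharing the `POSTGRES_PASSWORD=postgres` context line, its `# !TODO Change this` becomes more pressing.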
@@ -59,23 +59,3 @@ server { } } -server { - listen 8081; - listen [::]:8081; - server_name _; - - client_max_body_size 4G; - - # Don't show version information - server_tokens off; - - location / { - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - # we don't want nginx trying to do something clever with - # redirects, we set the Host: header above already. - proxy_redirect off; - proxy_pass http://${BOXY_HOST}:5225; - } - } diff --git a/deployment/enterprise/.env.template b/deployment/enterprise/.env.template index 191c6267..a2c6de05 100644 --- a/deployment/enterprise/.env.template +++ b/deployment/enterprise/.env.template @@ -200,7 +200,7 @@ MERGIN_LOGO_URL=fixme # MAPS ################################################################################################################# -MAPS_ENABLED=True +#MAPS_ENABLED=True OVERVIEW_DATA=/overviews @@ -217,12 +217,13 @@ VECTOR_TILES_STYLE_URL=https://tiles-ee.merginmaps.com//styles/default.json #OVERVIEW_MAX_FILE_SIZE=1048576 # 1MB ### SSO ################################################################################################################ -SSO_ENABLED=True +#SSO_ENABLED=True SSO_SERVER_PRODUCT_ID=MerginMaps -SSO_SERVER_URL=http://172.17.0.1:5225 #FIXME -SSO_SERVER_API_URL=http://172.17.0.1:5225 #FIXME +SSO_SERVER_URL=http://localhost:8081 +SSO_SERVER_API_URL=http://merginmaps-proxy:8081 +SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081 -SSO_SESSION_EXPIRATION=14 +SSO_SESSION_EXPIRATION=300 # 5 minutes # If use multi tenant flow by default -# SSO_FORCE_MULTI_TENANT=True +# SSO_FORCE_MULTI_TENANT=False diff --git a/deployment/enterprise/README.md b/deployment/enterprise/README.md index a14dc092..612854ea 100644 --- a/deployment/enterprise/README.md +++ b/deployment/enterprise/README.md 
@@ -47,11 +47,13 @@ docker compose -f docker-compose.maps.yml up -d # SSO -For SSO deployment, first you need to change some relevant content on the provide `.sso.env.template` file, namely the default values on the following environment variable: (`NEXTAUTH_ADMIN_CREDENTIALS, RETRACED_ADMIN_ROOT_TOKEN, NEXTAUTH_ACL`). +For SSO deployment, you need create a `.sso.env` configuration file. +We provide you a convenience script under folder `sso-connections` for this. Run the initialization script `sso-init.sh`. This will generate a ready to use file with some pregenerated secrets needed for the sso backend. +Another option, the most advised, you manually create `.sso.env` from the provided `.sso.env.template` and generate your own secrets keys as well other relevant configurations. -Next, under folder `sso-connections` run the initialization script `sso-init.sh`. This will generate a ready to use file with some pregenerated secrets needed for the sso backend. If you want, and it's actually advised, you can create/generate your own secrets. +Take a closer look to these environment variables, namely change their default values: (`NEXTAUTH_ADMIN_CREDENTIALS, RETRACED_ADMIN_ROOT_TOKEN, NEXTAUTH_ACL`). -Before the deployment, check that SSO related environment variables, namely `SSO_ENABLE=True`, are set. +Before the deployment, check that SSO related environment variables on the main `.prod.env` file, namely `SSO_ENABLE=True`, are set. Please follow Mergin Maps [documentation](https://merginmaps.com/docs/server/environment/#sso) on this topic. Finally simply run the SSO stack with: diff --git a/deployment/enterprise/docker-compose.sso.yml b/deployment/enterprise/docker-compose.sso.yml index 89e72284..fc659078 100644 --- a/deployment/enterprise/docker-compose.sso.yml +++ b/deployment/enterprise/docker-compose.sso.yml 
@@ -12,6 +12,6 @@ services: env_file: - .sso.env networks: - - mergin + - mergin # If you plan to deploy SSO stack on an isolated machine, just comment out this ports: - 5225:5225 diff --git a/deployment/enterprise/docker-compose.yml b/deployment/enterprise/docker-compose.yml index d363cac3..4d79ed42 100644 --- a/deployment/enterprise/docker-compose.yml +++ b/deployment/enterprise/docker-compose.yml @@ -43,6 +43,7 @@ services: volumes: - ./data:/data # map data dir to host - ../common/nginx.conf:/etc/nginx/templates/default.conf.template + - ./sso/sso-nginx.conf:/etc/nginx/templates/sso.conf.template # Comment out if not using SSO networks: - mergin depends_on: diff --git a/deployment/enterprise/sso/sso-connections/test.js b/deployment/enterprise/sso/sso-connections/test.js deleted file mode 100644 index bbc1e1ca..00000000 --- a/deployment/enterprise/sso/sso-connections/test.js +++ /dev/null @@ -1,8 +0,0 @@ -module.exports = { - defaultRedirectUrl: 'http://localhost:8080', - redirectUrl: '["http://localhost:8080"]', - tenant: 'example.com', - product: 'MerginMaps', - name: 'testConnection', - description: 'Just a test connection', -}; \ No newline at end of file diff --git a/deployment/enterprise/sso/sso-init.sh b/deployment/enterprise/sso/sso-init.sh index 0abbd485..91e3d91a 100755 --- a/deployment/enterprise/sso/sso-init.sh +++ b/deployment/enterprise/sso/sso-init.sh @@ -17,7 +17,3 @@ echo DB_ENCRYPTION_KEY=$(openssl rand -base64 32) >> ../.sso.env echo NEXTAUTH_SECRET=$(openssl rand -base64 32) >> ../.sso.env echo PUBLIC_KEY=$(cat public.crt | base64 | tr -d '\n') >> ../.sso.env echo PRIVATE_KEY=$(cat key.pem | base64 | tr -d '\n') >> ../.sso.env - - -# make jackson secret key available to mergin-server -export $(grep JACKSON_API_KEYS ../.sso.env | xargs) diff --git a/deployment/enterprise/sso/sso-nginx.conf b/deployment/enterprise/sso/sso-nginx.conf new file mode 100644 index 00000000..ce122cc9 --- /dev/null +++ b/deployment/enterprise/sso/sso-nginx.conf 
@@ -0,0 +1,20 @@
+server {
+ listen 8081;
+ listen [::]:8081;
+ server_name _;
+
+ client_max_body_size 4G;
+
+ # Don't show version information
+ server_tokens off;
+
+ location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ # we don't want nginx trying to do something clever with
+ # redirects, we set the Host: header above already.
+ proxy_redirect off;
+ proxy_pass http://${BOXY_HOST}:5225;
+ }
+ }
From 1e9630089d73a769797182ffe0ba9aeb2e3635dc Mon Sep 17 00:00:00 2001
From: "marcel.kocisek"
Date: Mon, 9 Jun 2025 18:10:00 +0200
Subject: [PATCH 06/15] Updates: - do not expose port for polis - readme formating and AI text updates - add sso api key to sso-init.sh - get rid of boxy_host
---
 deployment/enterprise/.env.template | 16 ++--
 deployment/enterprise/.sso.env.template | 13 +--
 deployment/enterprise/README.md | 81 ++++++++++++-------
 deployment/enterprise/docker-compose.sso.yml | 8 +-
 deployment/enterprise/docker-compose.yml | 13 ++-
 deployment/enterprise/sso/boxy.sql | 2 +-
 .../enterprise/sso/sso-connections/test.xml | 18 -----
 deployment/enterprise/sso/sso-init.sh | 8 +-
 deployment/enterprise/sso/sso-nginx.conf | 2 +-
 9 files changed, 87 insertions(+), 74 deletions(-)
 delete mode 100644 deployment/enterprise/sso/sso-connections/test.xml
diff --git a/deployment/enterprise/.env.template b/deployment/enterprise/.env.template
index a2c6de05..20d8ecae 100644
--- a/deployment/enterprise/.env.template
+++ b/deployment/enterprise/.env.template
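Review bot: `proxy_set_header X-Forwarded-Proto $scheme;` reports `http` whenever this container sits behind the system NGINX that terminates TLS (the deployment model the README describes), so the SSO server may build plain-http redirect and cookie URLs; forward the value the front proxy already set, `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`, and only fall back to `$scheme` when nothing is in front. `client_max_body_size 4G` is copied from the application server block; SAML and OIDC exchanges are a few kilobytes, and a bound such as `client_max_body_size 1m;` limits what an unauthenticated client can push into the SSO container. This block is also the only route to the Polis admin portal, so it deserves a comment stating whether that portal is meant to be reachable from the public listener or should be restricted with `allow`/`deny`.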
@@ -217,13 +217,19 @@ VECTOR_TILES_STYLE_URL=https://tiles-ee.merginmaps.com//styles/default.json #OVERVIEW_MAX_FILE_SIZE=1048576 # 1MB ### SSO ################################################################################################################ -#SSO_ENABLED=True -SSO_SERVER_PRODUCT_ID=MerginMaps +#SSO_ENABLED=False + +# public URL of the SSO server, used for redirecting users to SSO login page SSO_SERVER_URL=http://localhost:8081 + +# internal URL of the api server, used for internal calls to polis API SSO_SERVER_API_URL=http://merginmaps-proxy:8081 + +# internal URL of the SSO server, used for internal calls to polis API SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081 -SSO_SESSION_EXPIRATION=300 # 5 minutes +# by default token is alive for 14 days (use seconds as unit +# SSO_SESSION_EXPIRATION=14 * 24 * 3600 -# If use multi tenant flow by default -# SSO_FORCE_MULTI_TENANT=False +# use SERVICE_ID to identify your SSO connections in polis +# SSO_SERVER_PRODUCT_ID= diff --git a/deployment/enterprise/.sso.env.template b/deployment/enterprise/.sso.env.template index 6977c6d2..3b1abc4e 100644 --- a/deployment/enterprise/.sso.env.template +++ b/deployment/enterprise/.sso.env.template @@ -1,4 +1,5 @@ -# for full list check https://boxyhq.com/docs/jackson/deploy/env-variables +# Environment variables for Ory Polis SSO server +# for full list check https://www.ory.sh/docs/polis/deploy/env-variables # need to be base64 encoded values # JACKSON_API_KEYS= 
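Review bot: `# SSO_SESSION_EXPIRATION=14 * 24 * 3600` is a dotenv line, not shell or Python, so whoever uncomments it hands the server the literal string `14 * 24 * 3600`, which will be rejected or truncated depending on how the setting is parsed. Put the explanation on its own line and the evaluated number on the variable: `# 14 days, in seconds` followed by `# SSO_SESSION_EXPIRATION=1209600`, and close the parenthesis in the preceding comment (`(use seconds as unit)`). `#SSO_ENABLED=False` is a commented-out line and therefore sets nothing; state the built-in default in the comment so an operator knows whether uncommenting it changes anything.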
@@ -14,8 +15,12 @@ NEXTAUTH_ACL=*@example.com RETRACED_ADMIN_ROOT_TOKEN='dev' NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy -EXTERNAL_URL=http://localhost:5225 -NEXTAUTH_URL=http://localhost:5225 +# Add some not real domain here. It will be used for SAML application initialization. For more details see: https://www.ory.sh/docs/polis/deploy/env-variables#saml_audience +SAML_AUDIENCE= + +# Chnage in production to real domain where Polis will be deployed +EXTERNAL_URL=http://localhost:8081 +NEXTAUTH_URL=http://localhost:8081 # beware it should use different db and user in production DB_URL=postgres://postgres:postgres@db:5432/jackson DB_ENGINE=sql @@ -23,11 +28,9 @@ DB_TYPE=postgres DB_TTL=300 DB_CLEANUP_LIMIT=1000 DB_MANUAL_MIGRATION=0 -SAML_AUDIENCE=https://saml.mergin.com BOXYHQ_NO_TELEMETRY=1 BOXYHQ_NO_ANALYTICS=1 DO_NOT_TRACK=1 IDP_ENABLED=0 ADMIN_PORTAL_HIDE_AUDIT_LOGS=1 ADMIN_PORTAL_HIDE_IDENTITY_FEDERATION=1 -PRE_LOADED_CONNECTION=/sso-connections diff --git a/deployment/enterprise/README.md b/deployment/enterprise/README.md index 612854ea..000df1a4 100644 --- a/deployment/enterprise/README.md +++ b/deployment/enterprise/README.md 
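Review bot: `SAML_AUDIENCE=` is left empty with a comment asking for "some not real domain"; the audience typically becomes the SP entity ID handed to every identity provider, so a value chosen after connections exist forces each IdP to be reconfigured — say that in the comment and give a concrete placeholder such as `# e.g. https://sso.<your-domain>` rather than an empty value. The comment above `EXTERNAL_URL` has a typo: `# Change in production to the real domain where Polis will be deployed`. `NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy` and `RETRACED_ADMIN_ROOT_TOKEN='dev'` still appear as context lines here, so the template continues to ship working admin credentials.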
@@ -1,63 +1,86 @@ # Mergin Maps Enterprise Edition Deployment -Suitable for Ubuntu servers, one node deployment using docker compose and system nginx as a reverse proxy. -> [!IMPORTANT] -> Docker images for Mergin Maps Enterprise edition are stored on a private AWS ECR repository. +Suitable for Ubuntu servers, single-node deployment using Docker Compose and system NGINX as a reverse proxy. + +> [!IMPORTANT] +> Docker images for Mergin Maps Enterprise Edition are stored in a private AWS ECR repository. > To access them, you need a Mergin Maps Enterprise [subscription](https://merginmaps.com/pricing). -> Please contact Mergin Maps [sales team](https://merginmaps.com/contact-sales)! +> Please contact the Mergin Maps [sales team](https://merginmaps.com/contact-sales)! + +## Login to Mergin Maps AWS ECR Repository -## Login to Mergin Maps AWS ECR repository ```shell aws ecr --region eu-west-1 get-login-password | docker login --username AWS --password-stdin 433835555346.dkr.ecr.eu-west-1.amazonaws.com ``` -## Load docker images, configure and run mergin maps stack -For running Mergin Maps you need to load local docker images (if any). Make sure you have access to Lutra's ECR repository. You can check it by running -``` +## Load Docker Images, Configure, and Run Mergin Maps Stack + +To run Mergin Maps, you need to load local Docker images (if any). Make sure you have access to Lutra's ECR repository. You can check this by running: + +```shell docker pull 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.3.0 ``` -Then modify [docker-compose file](docker-compose.yml) and create environment file `.prod.env` from `.env.template`. Details about configuration can be find in [docs](https://merginmaps.com/docs/server/install/). +Then modify the [docker-compose file](docker-compose.yml) and create the environment file `.prod.env` from `.env.template`. Details about configuration can be found in the [docs](https://merginmaps.com/docs/server/install/). 
```shell cp .env.template .prod.env ``` -Next step is to create data directory for Mergin Maps `data` with proper permissions. Should you prefer a different location, please do search and replace it in config files (`.prod.env`, `docker-compose.yml`). Make sure your volume is large enough since Mergin Maps keeps all projects files, their history and also needs some space for temporary processing. +The next step is to create a data directory for Mergin Maps (`data`) with proper permissions. If you prefer a different location, please search and replace it in the configuration files (`.prod.env`, `docker-compose.yml`). Ensure your volume is large enough since Mergin Maps stores all project files, their history, and requires space for temporary processing. -For more details about deployment please check [docs](https://merginmaps.com/docs/server/install/#deployment). +For more details about deployment, please check the [docs](https://merginmaps.com/docs/server/install/#deployment). -Finally initialize your Mergin Maps stack with: +### Configure SSO (Optional) + +For SSO deployment, you need to run the initialization script: ```shell -docker compose up -d +cd sso +bash ./sso/sso-init.sh`. ``` -# WebMaps +This will generate a ready-to-use file with some pre-generated secrets needed for the SSO backend. +Alternatively, and most recommended, you can manually create `.sso.env` from the provided `.sso.env.template` and generate your own secret keys as well as other relevant configurations. -Webmaps support is activate with environment variable `MAPS_ENABLED=True` on the main `.prod.env` configuration file. -Also check other important webmaps related environment variables configurations on Mergin Maps [docs](https://merginmaps.com/docs/server/environment/#webmaps) +Pay close attention to these environment variables and change their default values: (`NEXTAUTH_ADMIN_CREDENTIALS`, `RETRACED_ADMIN_ROOT_TOKEN`, `NEXTAUTH_ACL`). 
To set up your connection with a SAML application, fill in `SAML_AUDIENCE` with a domain. [More details here](https://www.ory.sh/docs/polis/deploy/env-variables#saml_audience). +Before deployment, ensure that the SSO-related environment variables in the main `.prod.env` file, namely `SSO_ENABLED=True`, are set. +Please follow the Mergin Maps [documentation](https://merginmaps.com/docs/server/environment/#sso) on this topic. -If you have it enabled, after the normal Mergin Maps stack is initialized simply run: +Also, check if the proxy has mounted the [./sso/sso-nginx.conf](./sso/sso-nginx.conf) file in the main [docker-compose.yml](./docker-compose.yml) file. -```shell -docker compose -f docker-compose.maps.yml up -d -``` +If you want to configure the Polis server to run on different domain in production (for example, `sso.example.com`), you need to add this domain to the following variables: + +* `EXTERNAL_URL=https://sso.example.com` +* `NEXTAUTH_URL=https://sso.example.com` +* `SSO_SERVER_URL=https://sso.example.com` -# SSO +### Configure WebMaps (Optional) -For SSO deployment, you need create a `.sso.env` configuration file. -We provide you a convenience script under folder `sso-connections` for this. Run the initialization script `sso-init.sh`. This will generate a ready to use file with some pregenerated secrets needed for the sso backend. -Another option, the most advised, you manually create `.sso.env` from the provided `.sso.env.template` and generate your own secrets keys as well other relevant configurations. +WebMaps support is activated with the environment variable `MAPS_ENABLED=True` in the main `.prod.env` configuration file. +Also, check other important WebMaps-related environment variable configurations in the Mergin Maps [docs](https://merginmaps.com/docs/server/environment/#webmaps). -Take a closer look to these environment variables, namely change their default values: (`NEXTAUTH_ADMIN_CREDENTIALS, RETRACED_ADMIN_ROOT_TOKEN, NEXTAUTH_ACL`). 
+## Run Mergin Maps Stack -Before the deployment, check that SSO related environment variables on the main `.prod.env` file, namely `SSO_ENABLE=True`, are set. -Please follow Mergin Maps [documentation](https://merginmaps.com/docs/server/environment/#sso) on this topic. +Finally, initialize your Mergin Maps stack with: -Finally simply run the SSO stack with: +```shell +docker compose up -d +``` + +If you have WebMaps enabled, after the main Mergin Maps stack is initialized, simply run: ```shell docker compose -f docker-compose.sso.yml up -d -``` \ No newline at end of file +# restart merginmaps-proxy nginx in case of any errors with connections +``` + +The Polis server admin panel will then be available at http://localhost:8081. + +If you have WebMaps enabled, after the main Mergin Maps stack is initialized, simply run: + +```shell +docker compose -f docker-compose.maps.yml up -d +``` + diff --git a/deployment/enterprise/docker-compose.sso.yml b/deployment/enterprise/docker-compose.sso.yml index fc659078..08a311fe 100644 --- a/deployment/enterprise/docker-compose.sso.yml +++ b/deployment/enterprise/docker-compose.sso.yml @@ -3,15 +3,11 @@ networks: name: mergin-ee services: - jackson: + sso-server: image: boxyhq/jackson:1.45.3 - container_name: merginmaps-sso + container_name: merginmaps-sso-server restart: always - volumes: - - ./sso/sso-connections:/sso-connections env_file: - .sso.env networks: - mergin # If you plan to deploy SSO stack on an isolated machine, just comment out this - ports: - - 5225:5225 diff --git a/deployment/enterprise/docker-compose.yml b/deployment/enterprise/docker-compose.yml index 4d79ed42..5ec9bdaf 100644 --- a/deployment/enterprise/docker-compose.yml +++ b/deployment/enterprise/docker-compose.yml 
@@ -5,7 +5,7 @@ networks: services: server: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.4.0 + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-back:build-8a3e33fc537915f79c1fd545548b7a8e7726b89a-ee container_name: merginmaps-server restart: always user: 901:999 @@ -20,7 +20,7 @@ services: networks: - mergin web: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-front:2025.4.0 + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-front:build-8a3e33fc537915f79c1fd545548b7a8e7726b89a-ee container_name: merginmaps-web restart: always depends_on: @@ -38,12 +38,11 @@ services: ports: - "8080:8080" - "8081:8081" - environment: - - BOXY_HOST=${BOXY_HOST:-localhost} volumes: - ./data:/data # map data dir to host - ../common/nginx.conf:/etc/nginx/templates/default.conf.template - - ./sso/sso-nginx.conf:/etc/nginx/templates/sso.conf.template # Comment out if not using SSO + # If using sso, uncomment the next line + - ./sso/sso-nginx.conf:/etc/nginx/templates/sso.conf.template networks: - mergin depends_on: @@ -51,7 +50,7 @@ services: - server celery-beat: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.4.0 + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-back:build-8a3e33fc537915f79c1fd545548b7a8e7726b89a-ee container_name: merginmaps-celery-beat restart: always user: 901:999 @@ -67,7 +66,7 @@ services: - mergin celery-worker: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.4.0 + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-back:build-8a3e33fc537915f79c1fd545548b7a8e7726b89a-ee container_name: merginmaps-celery-worker restart: always user: 901:999 diff --git a/deployment/enterprise/sso/boxy.sql b/deployment/enterprise/sso/boxy.sql index 4d534e64..dc26244e 100644 --- a/deployment/enterprise/sso/boxy.sql +++ b/deployment/enterprise/sso/boxy.sql 
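Review bot: The `-38,12 +38,11` hunk mounts `./sso/sso-nginx.conf` into the proxy while the context keeps the proxy published as `"8081:8081"`, so the Polis admin portal, shipped with the default `NEXTAUTH_ADMIN_CREDENTIALS` from `.sso.env.template`, becomes reachable on every host interface over the plain-HTTP listener configured here, not only through the host TLS proxy this series adds later with an upstream of `127.0.0.1:8081`. Binding to loopback, `- "127.0.0.1:8081:8081"`, keeps that local path working and removes the external exposure; the same consideration applies to `"8080:8080"` when the host nginx from `ssl-proxy.conf` is in front. If the port is deliberately published for deployments without a host proxy, a comment saying so next to the mapping would make the choice visible to operators.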
@@ -1,2 +1,2 @@ --- Bootstrap script for the database when first initialized +-- Bootstrap script for the database when first initialized. We need to create jackson database as declared in DB_URL variable. CREATE DATABASE jackson; diff --git a/deployment/enterprise/sso/sso-connections/test.xml b/deployment/enterprise/sso/sso-connections/test.xml deleted file mode 100644 index a09f949e..00000000 --- a/deployment/enterprise/sso/sso-connections/test.xml +++ /dev/null @@ -1,18 +0,0 @@ - - - - - - -MIIC4jCCAcoCCQC33wnybT5QZDANBgkqhkiG9w0BAQsFADAyMQswCQYDVQQGEwJV SzEPMA0GA1UECgwGQm94eUhRMRIwEAYDVQQDDAlNb2NrIFNBTUwwIBcNMjIwMjI4 MjE0NjM4WhgPMzAyMTA3MDEyMTQ2MzhaMDIxCzAJBgNVBAYTAlVLMQ8wDQYDVQQK DAZCb3h5SFExEjAQBgNVBAMMCU1vY2sgU0FNTDCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBALGfYettMsct1T6tVUwTudNJH5Pnb9GGnkXi9Zw/e6x45DD0 RuRONbFlJ2T4RjAE/uG+AjXxXQ8o2SZfb9+GgmCHuTJFNgHoZ1nFVXCmb/Hg8Hpd 4vOAGXndixaReOiq3EH5XvpMjMkJ3+8+9VYMzMZOjkgQtAqO36eAFFfNKX7dTj3V pwLkvz6/KFCq8OAwY+AUi4eZm5J57D31GzjHwfjH9WTeX0MyndmnNB1qV75qQR3b 2/W5sGHRv+9AarggJkF+ptUkXoLtVA51wcfYm6hILptpde5FQC8RWY1YrswBWAEZ NfyrR4JeSweElNHg4NVOs4TwGjOPwWGqzTfgTlECAwEAATANBgkqhkiG9w0BAQsF AAOCAQEAAYRlYflSXAWoZpFfwNiCQVE5d9zZ0DPzNdWhAybXcTyMf0z5mDf6FWBW 5Gyoi9u3EMEDnzLcJNkwJAAc39Apa4I2/tml+Jy29dk8bTyX6m93ngmCgdLh5Za4 khuU3AM3L63g7VexCuO7kwkjh/+LqdcIXsVGO6XDfu2QOs1Xpe9zIzLpwm/RNYeX UjbSj5ce/jekpAw7qyVVL4xOyh8AtUW1ek3wIw1MJvEgEPt0d16oshWJpoS1OT8L r/22SvYEo3EmSGdTVGgk3x3s+A0qWAqTcyjr7Q4s/GKYRFfomGwz0TZ4Iw1ZN99M m0eo2USlSRTVl7QHRTuiuSThHpLKQQ== - - - - - -urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress - - - - - \ No newline at end of file diff --git a/deployment/enterprise/sso/sso-init.sh b/deployment/enterprise/sso/sso-init.sh index 91e3d91a..35575b5d 100755 --- a/deployment/enterprise/sso/sso-init.sh +++ b/deployment/enterprise/sso/sso-init.sh 
@@ -5,15 +5,19 @@ set -eu grep -v '^#' ../.sso.env.template > ../.sso.env # create key pair for sso if not present if [[ ! -f key.pem ]] || [[ ! -f public.crt ]]; then - echo "Generating certificates for boxy..." + echo "Generating certificates for sso server..." openssl req -x509 -newkey rsa:2048 -keyout key.pem -out public.crt -sha256 -days 365 -nodes -batch fi # generate some random secrets -echo JACKSON_API_KEYS=$(openssl rand -base64 32) >> ../.sso.env +API_KEY=$(openssl rand -base64 32) +echo JACKSON_API_KEYS=$API_KEY >> ../.sso.env echo DB_ENCRYPTION_KEY=$(openssl rand -base64 32) >> ../.sso.env echo DB_ENCRYPTION_KEY=$(openssl rand -base64 32) >> ../.sso.env echo NEXTAUTH_SECRET=$(openssl rand -base64 32) >> ../.sso.env echo PUBLIC_KEY=$(cat public.crt | base64 | tr -d '\n') >> ../.sso.env echo PRIVATE_KEY=$(cat key.pem | base64 | tr -d '\n') >> ../.sso.env + +# mergin maps related env variables +echo SSO_SERVER_API_KEY=$API_KEY >> ../.prod.env diff --git a/deployment/enterprise/sso/sso-nginx.conf b/deployment/enterprise/sso/sso-nginx.conf index ce122cc9..a019a851 100644 --- a/deployment/enterprise/sso/sso-nginx.conf +++ b/deployment/enterprise/sso/sso-nginx.conf @@ -15,6 +15,6 @@ server { # we don't want nginx trying to do something clever with # redirects, we set the Host: header above already. proxy_redirect off; - proxy_pass http://${BOXY_HOST}:5225; + proxy_pass http://sso-server:5225; } } From ec27c7b47a42e22d9c39a555d5c2cbe5f25d525f Mon Sep 17 00:00:00 2001 From: "marcel.kocisek" Date: Mon, 9 Jun 2025 18:13:17 +0200 Subject: [PATCH 07/15] MAPS_ENABLED true --- deployment/enterprise/.env.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/enterprise/.env.template b/deployment/enterprise/.env.template index 20d8ecae..d48f9722 100644 --- a/deployment/enterprise/.env.template +++ b/deployment/enterprise/.env.template 
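Review bot: `echo SSO_SERVER_API_KEY=$API_KEY >> ../.prod.env` appends unconditionally, and the `grep -v '^#' ... > ../.sso.env` context line rebuilds `.sso.env` from the template, so a second run silently rotates `JACKSON_API_KEYS` and `DB_ENCRYPTION_KEY` (the latter presumably protects data already in the database) while `.prod.env` accumulates a stale `SSO_SERVER_API_KEY` line above the new one. Guard the run before the `grep`, e.g. `[[ -f ../.sso.env ]] && { echo "../.sso.env exists, refusing to overwrite"; exit 1; }`, and quote the expansion, `echo "SSO_SERVER_API_KEY=$API_KEY" >> ../.prod.env`. The hunk also leaves `echo DB_ENCRYPTION_KEY=...` written twice in the context lines while no `NEXTAUTH_JWT_SIGNING_PRIVATE_KEY` is generated, so the second line was likely meant for that variable. Both generated files now hold secrets; `umask 077` after `set -eu` keeps them from being created world-readable.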
@@ -200,7 +200,7 @@ MERGIN_LOGO_URL=fixme # MAPS ################################################################################################################# -#MAPS_ENABLED=True +MAPS_ENABLED=True OVERVIEW_DATA=/overviews From 94f3c2ab512c6835654790c26f98c22270111b1b Mon Sep 17 00:00:00 2001 From: "marcel.kocisek" Date: Mon, 9 Jun 2025 18:22:08 +0200 Subject: [PATCH 08/15] Explain SSO_SERVER_PRODUCT_ID --- deployment/enterprise/.env.template | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deployment/enterprise/.env.template b/deployment/enterprise/.env.template index d48f9722..443b3c68 100644 --- a/deployment/enterprise/.env.template +++ b/deployment/enterprise/.env.template @@ -231,5 +231,6 @@ SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081 # by default token is alive for 14 days (use seconds as unit # SSO_SESSION_EXPIRATION=14 * 24 * 3600 -# use SERVICE_ID to identify your SSO connections in polis +# This should be the same as SSO connection Product field in admin panel. +# Default value is mergin-maps-product string # SSO_SERVER_PRODUCT_ID= From 3100ca8c3ff699e594898c41ca598e7bad40d25d Mon Sep 17 00:00:00 2001 From: "marcel.kocisek" Date: Mon, 9 Jun 2025 18:30:52 +0200 Subject: [PATCH 09/15] add explanation about api key --- deployment/enterprise/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/enterprise/README.md b/deployment/enterprise/README.md index 000df1a4..bf095867 100644 --- a/deployment/enterprise/README.md +++ b/deployment/enterprise/README.md 
@@ -45,7 +45,7 @@ Alternatively, and most recommended, you can manually create `.sso.env` from the Pay close attention to these environment variables and change their default values: (`NEXTAUTH_ADMIN_CREDENTIALS`, `RETRACED_ADMIN_ROOT_TOKEN`, `NEXTAUTH_ACL`). To set up your connection with a SAML application, fill in `SAML_AUDIENCE` with a domain. [More details here](https://www.ory.sh/docs/polis/deploy/env-variables#saml_audience). -Before deployment, ensure that the SSO-related environment variables in the main `.prod.env` file, namely `SSO_ENABLED=True`, are set. +Before deployment, ensure that the SSO-related environment variables in the main `.prod.env` file (`SSO_ENABLED=True`) are set. If you used `sso-init.sh`, variable `SSO_SERVER_API_KEY` is set properly. On the other hand, if you created `.sso.env` manually, you need to set it manually to be the same as one of `JACKSON_API_KEYS`. Please follow the Mergin Maps [documentation](https://merginmaps.com/docs/server/environment/#sso) on this topic. Also, check if the proxy has mounted the [./sso/sso-nginx.conf](./sso/sso-nginx.conf) file in the main [docker-compose.yml](./docker-compose.yml) file. From 494ffd11ed098894195ad0e19deb83054d7b138d Mon Sep 17 00:00:00 2001 From: "marcel.kocisek" Date: Thu, 12 Jun 2025 12:35:13 +0200 Subject: [PATCH 10/15] Introduce sso ssl proxy - disable INTERNAL_URL in templates - move internal_url to init script - removed some readme parts as it will be in docs --- deployment/common/ssl-proxy.conf | 118 +++++++++++------------ deployment/common/ssl-sso-proxy.conf | 60 ++++++++++++ deployment/enterprise/.env.template | 6 +- deployment/enterprise/README.md | 11 +-- deployment/enterprise/docker-compose.yml | 2 +- deployment/enterprise/sso/sso-init.sh | 2 + 6 files changed, 127 insertions(+), 72 deletions(-) create mode 100644 deployment/common/ssl-sso-proxy.conf diff --git a/deployment/common/ssl-proxy.conf b/deployment/common/ssl-proxy.conf index e4746e24..8c838fb7 100644 
--- a/deployment/common/ssl-proxy.conf +++ b/deployment/common/ssl-proxy.conf 
@@ -1,63 +1,63 @@ - server { - listen 80; - server_name merginmaps.company.com; # FIXME +server { + listen 80; + server_name merginmaps.company.com; # FIXME - if ($scheme != "https") { - return 301 https://$host$request_uri; - } + if ($scheme != "https") { + return 301 https://$host$request_uri; } - - upstream app_server { - # route to the application proxy - server 127.0.0.1:8080 fail_timeout=0; - } - - server { - listen 443 ssl; - server_name merginmaps.company.com; # FIXME - client_max_body_size 4G; - - ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME - ssl_certificate /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME - - # Don't show version information - server_tokens off; - - # Enable gzip compression - gzip on; - gzip_min_length 10240; - gzip_comp_level 1; - gzip_vary on; - gzip_proxied any; - gzip_types - text/css - text/javascript - application/javascript - application/x-javascript; - - # Prevent crawlers from indexing and following links for all content served from the mergin app - add_header X-Robots-Tag "none"; - - # Protect against clickjacking iframe - add_header Content-Security-Policy "frame-ancestors 'self';" always; - - # Add a HSTS policy to prevent plain http from browser - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - # Set cookies security flags - proxy_cookie_flags ~ secure httponly samesite=strict; - - location / { - root /var/www/html; - - # The lines below were copied from application proxy - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $http_host; - # we don't want nginx trying to do something clever with - # redirects, we set the Host: header above already. 
- proxy_redirect off; - proxy_pass http://app_server; - } +} + +upstream app_server { + # route to the application proxy + server 127.0.0.1:8080 fail_timeout=0; +} + +server { + listen 443 ssl; + server_name merginmaps.company.com; # FIXME + client_max_body_size 4G; + + ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME + ssl_certificate /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME + + # Don't show version information + server_tokens off; + + # Enable gzip compression + gzip on; + gzip_min_length 10240; + gzip_comp_level 1; + gzip_vary on; + gzip_proxied any; + gzip_types + text/css + text/javascript + application/javascript + application/x-javascript; + + # Prevent crawlers from indexing and following links for all content served from the mergin app + add_header X-Robots-Tag "none"; + + # Protect against clickjacking iframe + add_header Content-Security-Policy "frame-ancestors 'self';" always; + + # Add a HSTS policy to prevent plain http from browser + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # Set cookies security flags + proxy_cookie_flags ~ secure httponly samesite=strict; + + location / { + root /var/www/html; + + # The lines below were copied from application proxy + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + # we don't want nginx trying to do something clever with + # redirects, we set the Host: header above already. + proxy_redirect off; + proxy_pass http://app_server; } +} diff --git a/deployment/common/ssl-sso-proxy.conf b/deployment/common/ssl-sso-proxy.conf new file mode 100644 index 00000000..b20e363f --- /dev/null +++ b/deployment/common/ssl-sso-proxy.conf 
@@ -0,0 +1,60 @@ + +server { + listen 80; + server_name sso.company.com; # FIXME + + if ($scheme != "https") { + return 301 https://$host$request_uri; + } +} + +upstream sso_server { + # route to the application proxy + server 127.0.0.1:5225 fail_timeout=0; +} + +server { + listen 443 ssl; + server_name sso.company.com; # FIXME + client_max_body_size 4G; + + ssl_certificate_key /etc/letsencrypt/live/sso.company.com/privkey.pem; # FIXME + ssl_certificate /etc/letsencrypt/live/sso.company.com/fullchain.pem; # FIXME + + # Don't show version information + server_tokens off; + + # Enable gzip compression + gzip on; + gzip_min_length 10240; + gzip_comp_level 1; + gzip_vary on; + gzip_proxied any; + gzip_types + text/css + text/javascript + application/javascript + application/x-javascript; + + # Prevent crawlers from indexing and following links for all content served from the mergin app + add_header X-Robots-Tag "none"; + + # Protect against clickjacking iframe + add_header Content-Security-Policy "frame-ancestors 'self';" always; + + # Add a HSTS policy to prevent plain http from browser + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # Set cookies security flags + proxy_cookie_flags ~ secure httponly samesite=strict; + + location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $http_host; + # we don't want nginx trying to do something clever with + # redirects, we set the Host: header above already. + proxy_redirect off; + proxy_pass http://sso_server:5225; + } +} diff --git a/deployment/enterprise/.env.template b/deployment/enterprise/.env.template index 443b3c68..566215db 100644 --- a/deployment/enterprise/.env.template +++ b/deployment/enterprise/.env.template 
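Review bot: `client_max_body_size 4G;` in the new `sso.company.com` server block is copied from the application proxy, where it exists for project uploads; the SSO endpoints only receive SAML and OAuth form posts of a few kilobytes, so a limit such as `client_max_body_size 2M;` bounds the request body an unauthenticated client can send to this vhost. The comment `# route to the application proxy` above `upstream sso_server` is copied as well and should read `# route to the SSO server`. `proxy_cookie_flags ~ secure httponly samesite=strict;` is worth confirming against the SAML POST-binding callback, since browsers do not attach SameSite=Strict cookies to a cross-site POST arriving from the identity provider — verify the login round-trip before keeping `strict` here.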
@@ -223,14 +223,14 @@ VECTOR_TILES_STYLE_URL=https://tiles-ee.merginmaps.com//styles/default.json SSO_SERVER_URL=http://localhost:8081 # internal URL of the api server, used for internal calls to polis API -SSO_SERVER_API_URL=http://merginmaps-proxy:8081 +# SSO_SERVER_API_URL=http://merginmaps-proxy:8081 # internal URL of the SSO server, used for internal calls to polis API -SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081 +# SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081 # by default token is alive for 14 days (use seconds as unit # SSO_SESSION_EXPIRATION=14 * 24 * 3600 # This should be the same as SSO connection Product field in admin panel. # Default value is mergin-maps-product string -# SSO_SERVER_PRODUCT_ID= +# SSO_SERVER_PRODUCT_ID=mergin-maps-product diff --git a/deployment/enterprise/README.md b/deployment/enterprise/README.md index bf095867..b52709d3 100644 --- a/deployment/enterprise/README.md +++ b/deployment/enterprise/README.md 
@@ -43,18 +43,11 @@ bash ./sso/sso-init.sh`. This will generate a ready-to-use file with some pre-generated secrets needed for the SSO backend. Alternatively, and most recommended, you can manually create `.sso.env` from the provided `.sso.env.template` and generate your own secret keys as well as other relevant configurations. -Pay close attention to these environment variables and change their default values: (`NEXTAUTH_ADMIN_CREDENTIALS`, `RETRACED_ADMIN_ROOT_TOKEN`, `NEXTAUTH_ACL`). To set up your connection with a SAML application, fill in `SAML_AUDIENCE` with a domain. [More details here](https://www.ory.sh/docs/polis/deploy/env-variables#saml_audience). +Make sure if the proxy has mounted the [./sso/sso-nginx.conf](./sso/sso-nginx.conf) file in the main [docker-compose.yml](./docker-compose.yml) file. -Before deployment, ensure that the SSO-related environment variables in the main `.prod.env` file (`SSO_ENABLED=True`) are set. If you used `sso-init.sh`, variable `SSO_SERVER_API_KEY` is set properly. On the other hand, if you created `.sso.env` manually, you need to set it manually to be the same as one of `JACKSON_API_KEYS`. -Please follow the Mergin Maps [documentation](https://merginmaps.com/docs/server/environment/#sso) on this topic. +Please follow the Mergin Maps [documentation](http://localhost:5173/docs/server/install/#deployment-of-single-sign-on-sso) on this topic. -Also, check if the proxy has mounted the [./sso/sso-nginx.conf](./sso/sso-nginx.conf) file in the main [docker-compose.yml](./docker-compose.yml) file. -If you want to configure the Polis server to run on different domain in production (for example, `sso.example.com`), you need to add this domain to the following variables: - -* `EXTERNAL_URL=https://sso.example.com` -* `NEXTAUTH_URL=https://sso.example.com` -* `SSO_SERVER_URL=https://sso.example.com` ### Configure WebMaps (Optional) 
diff --git a/deployment/enterprise/docker-compose.yml b/deployment/enterprise/docker-compose.yml index 5ec9bdaf..b6a1f945 100644 --- a/deployment/enterprise/docker-compose.yml +++ b/deployment/enterprise/docker-compose.yml @@ -42,7 +42,7 @@ services: - ./data:/data # map data dir to host - ../common/nginx.conf:/etc/nginx/templates/default.conf.template # If using sso, uncomment the next line - - ./sso/sso-nginx.conf:/etc/nginx/templates/sso.conf.template + # - ./sso/sso-nginx.conf:/etc/nginx/templates/sso.conf.template networks: - mergin depends_on: diff --git a/deployment/enterprise/sso/sso-init.sh b/deployment/enterprise/sso/sso-init.sh index 35575b5d..28255b19 100755 --- a/deployment/enterprise/sso/sso-init.sh +++ b/deployment/enterprise/sso/sso-init.sh @@ -21,3 +21,5 @@ echo PRIVATE_KEY=$(cat key.pem | base64 | tr -d '\n') >> ../.sso.env # mergin maps related env variables echo SSO_SERVER_API_KEY=$API_KEY >> ../.prod.env +echo SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081 >> ../.prod.env +echo SSO_SERVER_API_URL=http://merginmaps-proxy:8081 >> ../.prod.env From 34bcc18ffcd329005da7d95f213851a608074843 Mon Sep 17 00:00:00 2001 From: "marcel.kocisek" Date: Mon, 16 Jun 2025 13:32:04 +0200 Subject: [PATCH 11/15] bump boxy to 1.48.2 --- deployment/enterprise/.sso.env.template | 15 ++++++++------- deployment/enterprise/docker-compose.sso.yml | 2 +- .../{common => enterprise}/ssl-sso-proxy.conf | 2 +- 3 files changed, 10 insertions(+), 9 deletions(-) rename deployment/{common => enterprise}/ssl-sso-proxy.conf (97%) diff --git a/deployment/enterprise/.sso.env.template b/deployment/enterprise/.sso.env.template index 3b1abc4e..2ae0c0ed 100644 --- a/deployment/enterprise/.sso.env.template +++ b/deployment/enterprise/.sso.env.template 
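Review bot: The two new `echo ... >> ../.prod.env` lines in the `sso-init.sh` hunk append on every run without checking whether `SSO_SERVER_INTERNAL_URL` or `SSO_SERVER_API_URL` is already present, so re-running the script leaves duplicate definitions in `.prod.env` and which value wins then depends on the loader. The first patch of this series already appends `SSO_SERVER_API_KEY` the same way, so a single guard at the top, e.g. `grep -qs '^SSO_SERVER_API_KEY=' ../.prod.env && { echo ".prod.env already has SSO settings"; exit 1; }`, covers all three lines. The hardcoded `http://merginmaps-proxy:8081` also assumes the compose service name and that `sso-nginx.conf` is mounted in the proxy, which the `docker-compose.yml` hunk in this same patch comments out by default; a comment such as `# requires ./sso/sso-nginx.conf to be mounted in merginmaps-proxy (docker-compose.yml)` would save a debugging round.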
@@ -27,10 +27,11 @@ DB_ENGINE=sql DB_TYPE=postgres DB_TTL=300 DB_CLEANUP_LIMIT=1000 -DB_MANUAL_MIGRATION=0 -BOXYHQ_NO_TELEMETRY=1 -BOXYHQ_NO_ANALYTICS=1 -DO_NOT_TRACK=1 -IDP_ENABLED=0 -ADMIN_PORTAL_HIDE_AUDIT_LOGS=1 -ADMIN_PORTAL_HIDE_IDENTITY_FEDERATION=1 +DB_MANUAL_MIGRATION=false +BOXYHQ_NO_TELEMETRY=true +BOXYHQ_NO_ANALYTICS=true +DO_NOT_TRACK=true +IDP_ENABLED=false +ADMIN_PORTAL_HIDE_AUDIT_LOGS=true +ADMIN_PORTAL_HIDE_IDENTITY_FEDERATION=true +ADMIN_PORTAL_HIDE_DIRECTORY_SYNC=true diff --git a/deployment/enterprise/docker-compose.sso.yml b/deployment/enterprise/docker-compose.sso.yml index 08a311fe..12158df2 100644 --- a/deployment/enterprise/docker-compose.sso.yml +++ b/deployment/enterprise/docker-compose.sso.yml @@ -4,7 +4,7 @@ networks: services: sso-server: - image: boxyhq/jackson:1.45.3 + image: boxyhq/jackson:1.48.2 container_name: merginmaps-sso-server restart: always env_file: diff --git a/deployment/common/ssl-sso-proxy.conf b/deployment/enterprise/ssl-sso-proxy.conf similarity index 97% rename from deployment/common/ssl-sso-proxy.conf rename to deployment/enterprise/ssl-sso-proxy.conf index b20e363f..31f4749f 100644 --- a/deployment/common/ssl-sso-proxy.conf +++ b/deployment/enterprise/ssl-sso-proxy.conf @@ -55,6 +55,6 @@ server { # we don't want nginx trying to do something clever with # redirects, we set the Host: header above already. proxy_redirect off; - proxy_pass http://sso_server:5225; + proxy_pass http://sso_server; } } From 077fe22df2c850998f5e05db3a2aa88737f0ce66 Mon Sep 17 00:00:00 2001 From: "marcel.kocisek" Date: Mon, 16 Jun 2025 13:55:35 +0200 Subject: [PATCH 12/15] proxy to mm proxy for sso --- deployment/enterprise/ssl-sso-proxy.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/enterprise/ssl-sso-proxy.conf b/deployment/enterprise/ssl-sso-proxy.conf index 31f4749f..59559239 100644 --- a/deployment/enterprise/ssl-sso-proxy.conf +++ b/deployment/enterprise/ssl-sso-proxy.conf 
@@ -10,7 +10,7 @@ server { upstream sso_server { # route to the application proxy - server 127.0.0.1:5225 fail_timeout=0; + server 127.0.0.1:8081 fail_timeout=0; } server { From 178f4f8505094d7e341c429dde87b2ab48ddb98e Mon Sep 17 00:00:00 2001 From: "marcel.kocisek" Date: Thu, 19 Jun 2025 11:44:45 +0200 Subject: [PATCH 13/15] Cleanup of retraced admin root token --- deployment/enterprise/.env.template | 2 +- deployment/enterprise/.sso.env.template | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/deployment/enterprise/.env.template b/deployment/enterprise/.env.template index 566215db..89da269b 100644 --- a/deployment/enterprise/.env.template +++ b/deployment/enterprise/.env.template @@ -217,7 +217,7 @@ VECTOR_TILES_STYLE_URL=https://tiles-ee.merginmaps.com//styles/default.json #OVERVIEW_MAX_FILE_SIZE=1048576 # 1MB ### SSO ################################################################################################################ -#SSO_ENABLED=False +SSO_ENABLED=False # public URL of the SSO server, used for redirecting users to SSO login page SSO_SERVER_URL=http://localhost:8081 diff --git a/deployment/enterprise/.sso.env.template b/deployment/enterprise/.sso.env.template index 2ae0c0ed..66017fb7 100644 --- a/deployment/enterprise/.sso.env.template +++ b/deployment/enterprise/.sso.env.template @@ -12,11 +12,10 @@ # fixme with proper credentials NEXTAUTH_ACL=*@example.com -RETRACED_ADMIN_ROOT_TOKEN='dev' NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy # Add some not real domain here. It will be used for SAML application initialization. For more details see: https://www.ory.sh/docs/polis/deploy/env-variables#saml_audience -SAML_AUDIENCE= +SAML_AUDIENCE=https://saml.example.com # Chnage in production to real domain where Polis will be deployed EXTERNAL_URL=http://localhost:8081 From 4e500ee4efb5e90e6f6f18b743281c22f87e177b Mon Sep 17 00:00:00 2001 
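Review bot: The cleanup in the `.sso.env.template` hunk (`-12,11 +12,10`) drops `RETRACED_ADMIN_ROOT_TOKEN` but keeps `NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy` as an active line under `# fixme with proper credentials`; because `sso-init.sh` builds `.sso.env` with `grep -v '^#'`, that well-known default admin login is copied verbatim into the generated config, and the README paragraph telling operators to change it was removed in patch 10. Either comment the line out, `# NEXTAUTH_ADMIN_CREDENTIALS=admin@example.com:<strong-password>`, so the generated file carries no default login (presumably leaving the admin portal without a password login until the operator sets one — confirm against Polis), or have the init script generate the password the way it already generates `JACKSON_API_KEYS`. `NEXTAUTH_ACL=*@example.com` is left active as well and deserves the same treatment.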
From: "marcel.kocisek" Date: Thu, 19 Jun 2025 12:10:04 +0200 Subject: [PATCH 14/15] add better description and sso_server_api_key --- deployment/enterprise/.env.template | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deployment/enterprise/.env.template b/deployment/enterprise/.env.template index 935e6ba4..2c67d13c 100644 --- a/deployment/enterprise/.env.template +++ b/deployment/enterprise/.env.template @@ -225,10 +225,13 @@ SSO_ENABLED=False # public URL of the SSO server, used for redirecting users to SSO login page SSO_SERVER_URL=http://localhost:8081 +# api key used for internal calls to SSO server. +# SSO_SERVER_API_KEY=fixme + # internal URL of the api server, used for internal calls to polis API # SSO_SERVER_API_URL=http://merginmaps-proxy:8081 -# internal URL of the SSO server, used for internal calls to polis API +# internal URL of the SSO server, used for internal calls to polis Oauth API # SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081 # by default token is alive for 14 days (use seconds as unit From a8da9e1bd4f35b2575772779f95c1e3b513d5269 Mon Sep 17 00:00:00 2001 From: "marcel.kocisek" Date: Thu, 19 Jun 2025 12:37:43 +0200 Subject: [PATCH 15/15] bump server version to sso beta --- deployment/enterprise/docker-compose.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deployment/enterprise/docker-compose.yml b/deployment/enterprise/docker-compose.yml index e120441f..2e61542d 100644 --- a/deployment/enterprise/docker-compose.yml +++ b/deployment/enterprise/docker-compose.yml @@ -5,7 +5,7 @@ networks: services: server: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-back:build-8a3e33fc537915f79c1fd545548b7a8e7726b89a-ee + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.5.0.beta.1 container_name: merginmaps-server restart: always user: 901:999 
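Review bot: The new `# SSO_SERVER_API_KEY=fixme` block in the `.env.template` hunk describes the variable only as "api key used for internal calls", without saying it is a secret that must equal one of the `JACKSON_API_KEYS` values in `.sso.env`, or that `sso-init.sh` already appends a generated `SSO_SERVER_API_KEY` to `.prod.env` — an operator who uncomments this line ends up with two definitions. Suggest `# Secret; must match one of JACKSON_API_KEYS in .sso.env. sso-init.sh appends it to .prod.env, so set it here only when configuring SSO by hand.` The README hunk in patch 9 already states the `JACKSON_API_KEYS` relationship; keeping the template self-describing means operators who never read the README still get it right.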
@@ -21,7 +21,7 @@ services: networks: - mergin web: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-front:build-8a3e33fc537915f79c1fd545548b7a8e7726b89a-ee + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-front:2025.5.0.beta.1 container_name: merginmaps-web restart: always depends_on: @@ -51,7 +51,7 @@ services: - server celery-beat: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-back:build-8a3e33fc537915f79c1fd545548b7a8e7726b89a-ee + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.5.0.beta.1 container_name: merginmaps-celery-beat restart: always user: 901:999 @@ -67,7 +67,7 @@ services: - mergin celery-worker: - image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-back:build-8a3e33fc537915f79c1fd545548b7a8e7726b89a-ee + image: 433835555346.dkr.ecr.eu-west-1.amazonaws.com/mergin/mergin-ee-back:2025.5.0.beta.1 container_name: merginmaps-celery-worker restart: always user: 901:999