Deployment
MARV’s frontend uses a service worker, which requires HTTPS for non-localhost access. You can either use a self-signed certificate or Let’s Encrypt. The latter only if your webserver is accessible from the internet.
For production usage we strongly recommend to use nginx as a reverse-proxy. The increased setup overhead is justified by greatly increased performance for serving large files.
Two deployments are described here in short:
NGINX as a reverse proxy with a Let’s Encrypt certificate (recommended)
Gunicorn with a self-signed certificate (development only)
Gunicorn behind NGINX
References:
When working behind a reverse proxy MARV’s default Gunicorn config will work without change.
nginx config
Nginx allows marv to offload serving data from disk which is especially useful for large files. Adjust the paths of the nested internal location block to point to your store, within the docker container and outside of the docker container, under the assumption, that nginx is running directly on your host system. In case you are running marv in a virtual environment also directly on the host system, the paths are identical.
server {
server_name example.com;
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
server {
server_name example.com;
listen 443 ssl http2;
listen [::]:443 ssl http2;
include /usr/lib/python3.7/site-packages/certbot_nginx/tls_configs/options-ssl-nginx.conf;
ssl_stapling_verify on;
ssl_stapling on;
add_header Strict-Transport-Security "max-age=63072000" always;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# Docker setup running at the root
location / {
# Attachments are EE-only, but the rule won't hurt CE
location /docker/container/path/to/attachments {
internal;
alias /host/path/to/attachments;
}
location /docker/container/path/to/store {
internal;
alias /host/path/to/store;
}
location /docker/container/path/to/leavesdir {
internal;
alias /host/path/to/leavesdir;
}
location /docker/container/path/to/resources {
internal;
alias /host/path/to/resources;
}
location /docker/container/path/to/scanroot {
internal;
alias /host/path/to/scanroot;
}
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8000;
}
# Native installation running in different application root
location = /approot {
rewrite ^(.*)$ $1/ redirect;
}
location /approot/ {
# Attachments are EE-only, but the rule won't hurt CE
location /approot/path/to/attachments {
internal;
alias /path/to/attachments;
}
location /approot/path/to/store {
internal;
alias /path/to/store;
}
location /approot/path/to/leavesdir {
internal;
alias /path/to/leavesdir;
}
location /approot/path/to/resources {
internal;
alias /path/to/resources;
}
location /approot/path/to/scanroot {
internal;
alias /path/to/scanroot;
}
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:8001;
}
}
For a certificate signed by a custom CA (see steps below) point ssl_trusted_certificate
to the CA certificate and adjust ssl_certificate
and ssl_certificate_key
to the generated files accordingly.
Gunicorn with HTTPS
Note
Use this mode of deployment for development setups only.
Gunicorn supports HTTPS out of the box with the limitation that it cannot serve HTTP and HTTPS simultaneously. To activate HTTPS mode you only need to provide Gunicorn with a certificate and corresponding keyfile. Use the --keyfile
and --certfile
options of MARV to enable the HTTPS mode. The following example makes MARV run on the default HTTPS port:
(venv) $ marv serve --port 443 \
--certfile /etc/letsencrypt/live/example.com/fullchain.pem \
--keyfile /etc/letsencrypt/live/example.com/privkey.pem