Installation Instructions
This document describes how to deploy the server side.
To start the server in development mode, build and start the native component, then build and start the server-side application.

Steps necessary to start the development server:

- Install and start a MySQL server.
- Build the native component:

  ```shell
  sudo apt install libcppunit-dev lcov
  cd native
  make all
  ```

- Start the native component gRPC server:

  ```shell
  sudo apt install protobuf-compiler
  cd native-component
  ./gradlew run
  ```

- Start the server-side application:

  ```shell
  sudo apt install protobuf-compiler
  cd backend
  ./gradlew bootRun
  ```
After successful start, the server will be available on http://localhost:8080.
The server side can also be deployed in development mode with Docker. For this we provide Dockerfiles and a docker-compose.yml. The docker-compose file automates the installation described above; note, however, that this instance is not configured securely for production use.

To start the server, issue the following commands:

```shell
docker-compose build
docker-compose up
```
After successful start, the server will be available on http://localhost:8080.
To deploy the server side in production mode, the security implications have to be considered. The Architectural Overview document describes the overall architecture of the system and discusses the security measures to be taken when deploying.

To meet those measures, we recommend deploying the server via Docker. The following docker-compose file achieves this:

```yaml
version: '2'
services:
  caff-db-secure:
    image: cyprien/mysql-tls:5.7
    container_name: caff-db-secure
    restart: always
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=<DB_NAME>
      - MYSQL_USER=<DB_USER>
      - MYSQL_PASSWORD=<DB_PASSWORD>
    volumes:
      - caff-db-secure-store:/var/lib/mysql
    networks:
      - caff-db-network
  caff-parser:
    build:
      context: .
      dockerfile: docker/native.Dockerfile
    container_name: caff-parser
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      - caff-parser-network
  caff-store:
    build:
      context: .
      dockerfile: docker/backend.Dockerfile
    container_name: caff-store
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - caff-store-db-certs:/certs
    environment:
      - spring.datasource.url=jdbc:mysql://caff-db-secure:3306/<DB_NAME>?verifyServerCertificate=true&useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:/certs/keystore.ks&clientCertificateKeyStorePassword=<KEYSTORE_PASSWORD>&trustCertificateKeyStoreUrl=file:/certs/truststore.ks&trustCertificateKeyStorePassword=<TRUSTSTORE_PASSWORD>
      - spring.datasource.username=<DB_USERNAME>
      - spring.datasource.password=<DB_PASSWORD>
      - spring.native.address=caff-parser:50051
      - security.jwt.token.secret-key=<SECRET>
      - spring.mail.host=smtp.gmail.com
      - spring.mail.port=587
      - spring.mail.username=<SMTP_USERNAME>
      - spring.mail.password=<SMTP_PASSWORD>
      - spring.mail.sender=<SMTP_SENDER>
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.backend=caff-store"
      - "traefik.frontend.rule=Host:<DOMAIN>"
      - "traefik.port=8080"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=<DOMAIN>"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
    networks:
      - traefik_proxy
      - caff-parser-network
      - caff-db-network
    depends_on:
      - caff-parser
      - caff-db-secure
  traefik:
    hostname: traefik
    image: traefik:v1.7.26
    container_name: traefik
    restart: always
    domainname: <DOMAIN>
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-config:/etc/traefik
networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  caff-parser-network:
  caff-db-network:
  default:
    driver: bridge
volumes:
  traefik-config:
    driver: local
  caff-db-secure-store:
    driver: local
  caff-store-db-certs:
    driver: local
```
The file contains placeholder values and volumes that have to be configured:

- `<DB_NAME>`, `<DB_USER>`, `<DB_PASSWORD>`: the database name and access credentials (the Spring properties refer to the same user as `<DB_USERNAME>`). The password is sensitive data and should preferably be kept in a secrets store (e.g. Docker secrets).
- `<SMTP_USERNAME>`, `<SMTP_PASSWORD>`, `<SMTP_SENDER>`: the SMTP server credentials and sender address. The password is sensitive data and should preferably be kept in a secrets store (e.g. Docker secrets).
- `<SECRET>`: the key the server uses to sign JWT tokens (`security.jwt.token.secret-key`). Treat it like a password and keep it in a secrets store as well.
- `<DOMAIN>`: the domain on which the server is hosted.
- `traefik-config`: this volume holds the configuration of the Traefik reverse proxy and must enable TLS. More information on how to do this can be found on Traefik's site.
- `caff-db-secure-store`: this volume holds the certificates required by the MySQL instance. The MySQL instance can be configured differently; we opted for this Docker image for the sake of simplicity. For more information, see the image's site.
- `caff-store-db-certs`: this volume holds the keystore and truststore required by the Java ecosystem, which contain the client-side certificate of the server and the certificate of the MySQL server. `<KEYSTORE_PASSWORD>` and `<TRUSTSTORE_PASSWORD>` are the passwords of these files; they are sensitive data and should preferably be kept in a secrets store (e.g. Docker secrets).

To start the server, issue the following commands:

```shell
docker-compose build
docker-compose up
```

The application can then be scaled on demand with:

```shell
docker-compose scale caff-store=n
```
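Before bringing the stack up, it is worth confirming that no template placeholder survived into the filled-in file and that the TLS-related settings shown above are still present. The following shell script is an added example and not part of the project: `check_compose` is our own name, and the two compose fragments it inspects are constructed inline for illustration.

```shell
# Added example (not part of the project): sanity-check a filled-in production
# docker-compose file before "docker-compose up". Exit status 0 means clean.
check_compose() {
    file="$1"
    rc=0
    # 1. No <PLACEHOLDER> from the template may survive into production.
    if grep -nE '<[A-Z_]+>' "$file"; then
        echo "FAIL: unresolved placeholders (listed above)"; rc=1
    fi
    # 2. The JDBC URL must keep the parameters that make the MySQL
    #    connection encrypted and the server certificate verified.
    url=$(grep -E 'spring\.datasource\.url=' "$file" || true)
    for p in verifyServerCertificate=true useSSL=true requireSSL=true; do
        case "$url" in
            *"$p"*) ;;
            *) echo "FAIL: datasource URL lacks $p"; rc=1 ;;
        esac
    done
    # 3. The MySQL root password must stay randomly generated.
    if ! grep -q 'MYSQL_RANDOM_ROOT_PASSWORD=yes' "$file"; then
        echo "FAIL: MYSQL_RANDOM_ROOT_PASSWORD is not set to yes"; rc=1
    fi
    # 4. Traefik must redirect plain HTTP to HTTPS.
    if ! grep -q 'traefik.frontend.headers.SSLRedirect=true' "$file"; then
        echo "FAIL: SSLRedirect is not enabled"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file passed all checks"
    return "$rc"
}

# Constructed samples, not the project's real file: one still carrying a
# template placeholder with TLS switched off, one filled in correctly.
BAD_COMPOSE=$(mktemp)
cat > "$BAD_COMPOSE" <<'EOF'
      - MYSQL_ROOT_PASSWORD=changeme
      - MYSQL_PASSWORD=<DB_PASSWORD>
      - spring.datasource.url=jdbc:mysql://caff-db-secure:3306/caff?useSSL=false
      - "traefik.frontend.headers.SSLRedirect=false"
EOF
GOOD_COMPOSE=$(mktemp)
cat > "$GOOD_COMPOSE" <<'EOF'
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_PASSWORD=example-only-password
      - spring.datasource.url=jdbc:mysql://caff-db-secure:3306/caff?verifyServerCertificate=true&useSSL=true&requireSSL=true
      - "traefik.frontend.headers.SSLRedirect=true"
EOF

check_compose "$GOOD_COMPOSE"
check_compose "$BAD_COMPOSE" || echo "(bad sample rejected, as expected)"
```

Running it against the real filled-in file (`check_compose docker-compose.yml`) from a deploy script or CI step stops a deployment whose secrets or TLS settings were left at template values.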
© Grotesque Gecko, 2020