
Installation Instructions

Mihály Dobos-Kovács edited this page Nov 28, 2020 · 3 revisions

This document describes how to deploy the server side.

Development mode

To start the server in development mode, one has to build and start the native component and then build and start the server side application.

Steps necessary to start the development server:

  • Install and start a MySQL server.
  • Build the native component.
    sudo apt install libcppunit-dev lcov
    cd native
    make all
  • Start the native component gRPC server:
    sudo apt install protobuf-compiler
    cd native-component
    ./gradlew run
  • Start the server side application:
    sudo apt install protobuf-compiler
    cd backend
    ./gradlew bootRun

After successful start, the server will be available on http://localhost:8080.

Development mode (Docker)

The server side can be easily deployed in development mode with Docker. To do so, we provide Dockerfiles and a docker-compose.yml. The docker-compose file automates the installation described above; however, this instance is not configured securely for production use.

To start the server, issue the following commands:

docker-compose build
docker-compose up

After successful start, the server will be available on http://localhost:8080.

Production mode

To deploy the server side in production mode, the security implications have to be considered. The Architectural Overview document describes the overall architecture of the system and discusses the security measures to be taken when deploying.

To meet the described measures, we recommend deploying the server via Docker. The following docker-compose file achieves this:

version: '2'
services:
  caff-db-secure:
    image: cyprien/mysql-tls:5.7
    container_name: caff-db-secure
    restart: always
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=<DB_NAME>
      - MYSQL_USER=<DB_USER>
      - MYSQL_PASSWORD=<DB_PASSWORD>
    volumes:
      - caff-db-secure-store:/var/lib/mysql
    networks:
      - caff-db-network

  caff-parser:
    build:
      context: .
      dockerfile: docker/native.Dockerfile
    container_name: caff-parser
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
    networks:
      - caff-parser-network

  caff-store:
    build:
      context: .
      dockerfile: docker/backend.Dockerfile
    container_name: caff-store
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - caff-store-db-certs:/certs
    environment:
      - spring.datasource.url=jdbc:mysql://caff-db-secure:3306/<DB_NAME>?verifyServerCertificate=true&useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:/certs/keystore.ks&clientCertificateKeyStorePassword=<KEYSTORE_PASSWORD>&trustCertificateKeyStoreUrl=file:/certs/truststore.ks&trustCertificateKeyStorePassword=<TRUSTSTORE_PASSWORD>
      - spring.datasource.username=<DB_USER>
      - spring.datasource.password=<DB_PASSWORD>
      - spring.native.address=caff-parser:50051
      - security.jwt.token.secret-key=<SECRET>
      - spring.mail.host=smtp.gmail.com
      - spring.mail.port=587
      - spring.mail.username=<SMTP_USERNAME>
      - spring.mail.password=<SMTP_PASSWORD>
      - spring.mail.sender=<SMTP_SENDER>
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.backend=caff-store"
      - "traefik.frontend.rule=Host:<DOMAIN>"
      - "traefik.port=8080"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=<DOMAIN>"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=true"
    networks:
      - traefik_proxy
      - caff-parser-network
      - caff-db-network
    depends_on:
      - caff-parser
      - caff-db-secure

  traefik:
    hostname: traefik
    image: traefik:v1.7.26
    container_name: traefik
    restart: always
    domainname: <DOMAIN>
    networks:
      - default
      - traefik_proxy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-config:/etc/traefik

networks:
  traefik_proxy:
    external:
      name: traefik_proxy
  caff-parser-network:
  caff-db-network:
  default:
    driver: bridge

volumes:
  traefik-config:
    driver: local
  caff-db-secure-store:
    driver: local
  caff-store-db-certs:
    driver: local


The file has placeholder values and volumes that are to be configured:

  • <DB_NAME>, <DB_USER>, <DB_PASSWORD>: These configure the database name and access credentials. The password should be considered sensitive data and preferably stored in a sensitive data store (e.g. Docker secrets).
  • <SMTP_USERNAME>, <SMTP_PASSWORD>, <SMTP_SENDER>: These configure the SMTP server. The password should be considered sensitive data and preferably stored in a sensitive data store (e.g. Docker secrets).
  • <DOMAIN>: The domain to host the server on.
  • traefik-config: This volume should configure the traefik reverse proxy and enable SSL/TLS encryption. More information on how to do this can be found on traefik's site.
  • caff-db-secure-store: This volume should configure the certificates required for the MySQL instance. The MySQL instance can be configured in a different manner; we opted for this Docker image for the sake of simplicity. For more information, see the image's site.
  • caff-store-db-certs: This volume should contain the keystore and truststore required by the Java ecosystem, which hold the server's client-side certificate and the certificate of the MySQL server, respectively. Moreover, <KEYSTORE_PASSWORD> and <TRUSTSTORE_PASSWORD> should contain the passwords of these files. The passwords should be considered sensitive data and preferably stored in a sensitive data store (e.g. Docker secrets).
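The following Python script is an added, defender-side example and is not part of the project or the page's own code. It checks a filled-in copy of the caff-store settings before deployment: it parses the spring.datasource.url JDBC URL and verifies the Connector/J TLS parameters the compose file above relies on (useSSL, requireSSL, verifyServerCertificate, and file: URLs for both stores), confirms the Traefik header labels are still enabled, lists environment values that still carry an unfilled <PLACEHOLDER>, and points out credentials passed inline in the environment, the ones the list above recommends moving to Docker secrets. The sample entries are copied from the compose file above with placeholders left unfilled; WEAK_URL is a constructed example, and the set of required labels is this example's own choice, not a project requirement.

```python
"""Pre-deployment checks for the production docker-compose settings above.

The lists below mirror the environment and labels entries of the caff-store
service; `docker-compose config` prints them in the same KEY=VALUE form.
"""
import re
from urllib.parse import parse_qs, urlsplit

PLACEHOLDER = re.compile(r"<[A-Z_]+>")          # e.g. <DB_PASSWORD>
SECRET_KEY = re.compile(r"password|secret", re.I)

# Connector/J parameters that together enforce mutual TLS to MySQL.
REQUIRED_JDBC_PARAMS = {
    "useSSL": "true",
    "requireSSL": "true",
    "verifyServerCertificate": "true",
}
REQUIRED_STORE_URLS = ("clientCertificateKeyStoreUrl", "trustCertificateKeyStoreUrl")

# Traefik v1 header labels this example insists on (assumption, not a project rule).
REQUIRED_LABELS = {
    "traefik.frontend.headers.SSLRedirect": "true",
    "traefik.frontend.headers.forceSTSHeader": "true",
    "traefik.frontend.headers.contentTypeNosniff": "true",
    "traefik.frontend.headers.frameDeny": "true",
}


def parse_kv(entries):
    """Turn ['KEY=VALUE', ...] into a dict; only the first '=' splits, so the
    JDBC URL (which itself contains many '=') keeps its value intact."""
    result = {}
    for entry in entries:
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError(f"entry without '=': {entry!r}")
        result[key.strip()] = value.strip()
    return result


def check_jdbc_url(url):
    """Return findings (strings) for a jdbc:mysql:// URL; an empty list means OK."""
    if not url.startswith("jdbc:mysql://"):
        return [f"not a jdbc:mysql URL: {url!r}"]
    parts = urlsplit(url[len("jdbc:"):])   # drop 'jdbc:' so urlsplit sees mysql://host/db?...
    params = {k: v[-1] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    for name, expected in REQUIRED_JDBC_PARAMS.items():
        if params.get(name) != expected:
            findings.append(f"{name} must be {expected!r}, got {params.get(name)!r}")
    for name in REQUIRED_STORE_URLS:
        if name not in params:
            findings.append(f"{name} is missing")
        elif not params[name].startswith("file:"):
            findings.append(f"{name} must be a file: URL, got {params[name]!r}")
    return findings


def check_labels(labels):
    """Findings for missing or disabled Traefik security-header labels."""
    return [f"{name} must be {expected!r}, got {labels.get(name)!r}"
            for name, expected in REQUIRED_LABELS.items()
            if labels.get(name) != expected]


def unresolved_placeholders(mapping):
    """Keys whose value still contains a <PLACEHOLDER> from the template."""
    return sorted(k for k, v in mapping.items() if PLACEHOLDER.search(v))


def inline_secrets(environment):
    """Keys that carry credentials directly in the environment (Docker-secret candidates)."""
    return sorted(k for k in environment if SECRET_KEY.search(k))


def audit(environment_entries, label_entries):
    """Run every check; the returned dict only has sections with findings."""
    env, labels = parse_kv(environment_entries), parse_kv(label_entries)
    report = {
        "jdbc": check_jdbc_url(env.get("spring.datasource.url", "")),
        "labels": check_labels(labels),
        "placeholders": unresolved_placeholders(env),
        "inline_secrets": inline_secrets(env),
    }
    return {k: v for k, v in report.items() if v}


# Constructed sample: the caff-store entries from the compose file, placeholders unfilled.
SAMPLE_ENV = [
    "spring.datasource.url=jdbc:mysql://caff-db-secure:3306/<DB_NAME>?verifyServerCertificate=true&useSSL=true&requireSSL=true&clientCertificateKeyStoreUrl=file:/certs/keystore.ks&clientCertificateKeyStorePassword=<KEYSTORE_PASSWORD>&trustCertificateKeyStoreUrl=file:/certs/truststore.ks&trustCertificateKeyStorePassword=<TRUSTSTORE_PASSWORD>",
    "spring.datasource.username=<DB_USER>",
    "spring.datasource.password=<DB_PASSWORD>",
    "spring.native.address=caff-parser:50051",
    "security.jwt.token.secret-key=<SECRET>",
    "spring.mail.host=smtp.gmail.com",
    "spring.mail.port=587",
    "spring.mail.username=<SMTP_USERNAME>",
    "spring.mail.password=<SMTP_PASSWORD>",
    "spring.mail.sender=<SMTP_SENDER>",
]
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.port=8080",
    "traefik.frontend.headers.SSLRedirect=true",
    "traefik.frontend.headers.forceSTSHeader=true",
    "traefik.frontend.headers.contentTypeNosniff=true",
    "traefik.frontend.headers.frameDeny=true",
]
# Constructed weak URL of the kind a development profile might carry.
WEAK_URL = "jdbc:mysql://caff-db-secure:3306/caffdb?useSSL=false"

if __name__ == "__main__":
    for section, items in audit(SAMPLE_ENV, SAMPLE_LABELS).items():
        print(section)
        for item in items:
            print("  -", item)
```

Run it against the output of docker-compose config after filling in the placeholders; an empty report means the TLS parameters and header labels are intact and no template value survived. The inline_secrets section is informational: it lists the keys that would move to a secrets store in a hardened deployment.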