Skip to content
GitHub

Docker Compose

This is an example deployment of Rafiki on a Linux virtual machine using nginx as a reverse proxy. You must change the values in the examples appropriate for your environment.

Virtual Machine preparation

Deploy the virtual machine:

Terminal window
sudo apt update && sudo apt install nginx certbot python3-certbot-nginx

Domain preparation

Generate the Let’s Encrypt certificates:

Terminal window
certbot certonly --manual --preferred-challenges=dns --email EMAIL --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d DOMAIN

As Let’s Encrypt certificates are valid for 90 days, you must set up a cron process to renew the certificate on a regular schedule:

Terminal window
crontab -e
0 3 * * * crontab renew

Update DNS records

Next update the DNS records to point to the static external IP address of the volumes:

serviceURLexample
adminadmin.DOMAINadmin.myrafiki.com
authauth.DOMAINauth.myrafiki.com
connectorconnector.DOMAINconnector.myrafiki.com
ilpilp.DOMAINilp.myrafiki.com

Server preparation

Create nginx configuration files for every exposed domain:

Admin

Terminal window
    server_name admin.myrafiki.com;


    listen 443 ssl;


    ssl_certificate /etc/letsencrypt/live/admin.myrafiki.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.myrafiki.com/privkey.pem;


    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;


    location / {
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade "";
        proxy_set_header Connection "";
        proxy_set_header Host $server_name;
        proxy_set_header Accept-Encoding "";
        proxy_cache_bypass $http_upgrade;


        proxy_pass_request_headers on;


        proxy_pass http://localhost:4010;
    }
}


server {
    server_name admin.myrafiki.com;


    listen 80;


    if ($host = admin.myrafiki.com) {
      return 301 https://$host$request_uri;
    }


    return 404;
}

Auth

Terminal window
server {
    server_name auth.myrafiki.com;


    listen 443 ssl;


    ssl_certificate /etc/letsencrypt/live/auth.myrafiki.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.myrafiki.com/privkey.pem;


    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;


    location / {
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade "";
        proxy_set_header Connection "";
        proxy_set_header Host $server_name;
        proxy_set_header Accept-Encoding "";
        proxy_cache_bypass $http_upgrade;


        proxy_pass_request_headers on;


        proxy_pass http://localhost:3002;
    }
}


server {
    server_name auth.myrafiki.com;


    listen 80;


    if ($host = auth.myrafiki.com) {
      return 301 https://$host$request_uri;
    }


    return 404;
}

Connector

Terminal window
server {
    server_name connector.myrafiki.com;


    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/connector.myrafiki.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/connector.myrafiki.com/privkey.pem; # managed by Certbot


    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;


    location / {
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade "";
        proxy_set_header Connection "";
        proxy_set_header Host $server_name;
        proxy_set_header Accept-Encoding "";
        proxy_cache_bypass $http_upgrade;


        proxy_pass_request_headers on;


        proxy_pass http://localhost:3002;
    }
}


server {
    server_name connector.myrafiki.com;


    listen 80;


    if ($host = connector.myrafiki.com) {
      return 301 https://$host$request_uri;
    }


    return 404;
}

ILP

Terminal window
server {
    server_name ilp.myrafiki.com;


    listen 443 ssl;


    ssl_certificate /etc/letsencrypt/live/ilp.myrafiki.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ilp.myrafiki.com/privkey.pem;


    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;


    location / {
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade "";
        proxy_set_header Connection "";
        proxy_set_header Host $server_name;
        proxy_set_header Accept-Encoding "";
        proxy_cache_bypass $http_upgrade;


        proxy_pass_request_headers on;


        proxy_pass http://localhost:4000;
    }
}


server {
    server_name ilp.myrafiki.com;


    listen 80;


    if ($host = ilp.myrafiki.com) {
            return 301 https://$host$request_uri;
    }


    return 404;
}