Compare commits
	
		
			37 Commits
		
	
	
		
			propagate/
			...
			propagate/
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
|  | d616b9ef3a | ||
| 6bce626075 | |||
| d70efc6943 | |||
| a3cb815dd1 | |||
| ebd6c503bd | |||
| 55b70f1a36 | |||
| 1d5624496d | |||
| 3a6b5c4850 | |||
| c0c6dcd1ce | |||
| 3ac57ce7d1 | |||
| 3cb24f7587 | |||
| 6579a5a0c9 | |||
| 1ead7a8d16 | |||
| 63aa212ccb | |||
| 6d396a640f | |||
| 6ec4a797ca | |||
| 9720bd7fa6 | |||
| 60b5a8989b | |||
| c22af67a06 | |||
| e29e80b650 | |||
| 46bbeeef30 | |||
| 6b0c103d75 | |||
| faee3aaa48 | |||
| beb87dd97a | |||
| db6a1e148c | |||
| ab396f7656 | |||
| b65d3d301f | |||
| 6332985ebd | |||
| 010149e6b6 | |||
| 90e935a49e | |||
| 6e32209824 | |||
| 79a1644530 | |||
| 5cfee3d18f | |||
| d0a62bfd24 | |||
| 6c665fab04 | |||
| 723f3ec954 | |||
| 0f36dd1943 | 
							
								
								
									
										4
									
								
								.env
									
									
									
									
									
								
							
							
						
						
									
										4
									
								
								.env
									
									
									
									
									
								
							| @@ -1,4 +1,6 @@ | ||||
| ALFRESCO_DIR=~/alfresco | ||||
| ALFRESCO_LICENSE_DIR=~/alfresco/license | ||||
|  | ||||
| PROXY_PROTOCOL=http | ||||
| PROXY_HOST=localhost | ||||
| PROXY_PORT=8080 | ||||
| IDENTITY_SERVICE_BASEURL=http://auth.example.org:8080 | ||||
|   | ||||
| @@ -4,27 +4,53 @@ | ||||
| version: "2" | ||||
|  | ||||
| services: | ||||
|  | ||||
|     identity: | ||||
|         image: alfresco/alfresco-identity-service:1.3 | ||||
|         user: jboss | ||||
|     platform: | ||||
|         image: alfresco/alfresco-content-repository-community:6.2.0-ga | ||||
|         mem_limit: 1700m | ||||
|         environment: | ||||
|             KEYCLOAK_USER: admin | ||||
|             KEYCLOAK_PASSWORD: admin | ||||
|             KEYCLOAK_HOSTNAME: auth.example.org | ||||
|             KEYCLOAK_IMPORT: /tmp/keycloak-alfresco-realm.json | ||||
|             KEYCLOAK_STATISTICS: enabled | ||||
|         networks: | ||||
|             default: | ||||
|                 aliases: | ||||
|                     - "auth.example.org" | ||||
|         volumes: | ||||
|             - ./keycloak-alfresco-realm.json:/tmp/keycloak-alfresco-realm.json:ro | ||||
|             JAVA_OPTS: " | ||||
|                 -Ddb.driver=org.postgresql.Driver | ||||
|                 -Ddb.username=alfresco | ||||
|                 -Ddb.password=alfresco | ||||
|                 -Ddb.url=jdbc:postgresql://postgres-acs:5432/alfresco | ||||
|                 -Dindex.subsystem.name=noindex | ||||
|                 -Dalfresco.host=${PROXY_HOST} | ||||
|                 -Dalfresco.port=${PROXY_PORT} | ||||
|                 -Dalfresco.protocol=${PROXY_PROTOCOL} | ||||
|                 -Daos.baseUrlOverwrite=${PROXY_PROTOCOL}://${PROXY_HOST}:${PROXY_PORT}/alfresco/aos | ||||
|                 -Dmessaging.broker.url=\"failover:(nio://activemq:61616)?timeout=3000&jms.useCompression=true\" | ||||
|                 -Ddeployment.method=DOCKER_COMPOSE | ||||
|                 -Dcsrf.filter.enabled=false | ||||
|                 -XX:MinRAMPercentage=50 -XX:MaxRAMPercentage=80 | ||||
|  | ||||
|                 -Dtransform.service.enabled=false | ||||
|                 -Dlocal.transform.service.enabled=false | ||||
|                  | ||||
|                 -Dsystem.content.eagerOrphanCleanup=true | ||||
|                 -Dsystem.content.orphanProtectDays=0 | ||||
|                 -Djodconverter.enabled=false | ||||
|                 " | ||||
|         depends_on: | ||||
|             - postgres-acs | ||||
|             - activemq | ||||
|      | ||||
|     postgres-acs: | ||||
|         image: postgres:11.7 | ||||
|         mem_limit: 512m | ||||
|         environment: | ||||
|             - POSTGRES_PASSWORD=alfresco | ||||
|             - POSTGRES_USER=alfresco | ||||
|             - POSTGRES_DB=alfresco | ||||
|         command: postgres -c max_connections=300 -c log_min_messages=LOG | ||||
|  | ||||
|     activemq: | ||||
|         image: alfresco/alfresco-activemq:5.15.8 | ||||
|         mem_limit: 256m | ||||
|  | ||||
|     proxy: | ||||
|         build: ./nginx-ingress | ||||
|         image: local/nginx-ingress:aims | ||||
|         image: local/nginx-ingress:acs | ||||
|         ports: | ||||
|             - 8080:8080 | ||||
|         depends_on: | ||||
|             - identity | ||||
|             - platform | ||||
|   | ||||
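Review bot: The `platform` service sets `-Dcsrf.filter.enabled=false` in `JAVA_OPTS` while the `proxy` service publishes `8080:8080` on every host interface, so the repository is reachable from the network with CSRF protection off and the `alfresco`/`alfresco` database password hard-coded. The +/- markers are lost on this page, so this assumes the `platform`, `postgres-acs` and `activemq` lines are the new side. If the stack is meant for local use only, bind the port to loopback with `- 127.0.0.1:8080:8080` and put a comment above the flag such as `# CSRF filter disabled for local testing only; re-enable before exposing this stack`. The database password is repeated in `-Ddb.password` and `POSTGRES_PASSWORD`; reading both from one variable in an untracked env file would keep them in sync and out of the compose file.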
| @@ -1,47 +0,0 @@ | ||||
| { | ||||
|   "realm": "alfresco", | ||||
|   "enabled": true, | ||||
|   "sslRequired": "external", | ||||
|   "registrationAllowed": false, | ||||
|   "roles": { | ||||
|     "realm": [ { | ||||
|       "name": "user", | ||||
|       "description": "User privileges" | ||||
|     }, { | ||||
|       "name": "admin", | ||||
|       "description": "Administrator privileges" | ||||
|     } ] | ||||
|   }, | ||||
|   "clients": [ | ||||
|     { | ||||
|       "clientId": "alfresco", | ||||
|       "name": "Alfresco Products", | ||||
|       "enabled": true, | ||||
|       "alwaysDisplayInConsole": false, | ||||
|       "redirectUris": [ "*" ], | ||||
|       "standardFlowEnabled": true, | ||||
|       "implicitFlowEnabled": true, | ||||
|       "directAccessGrantsEnabled": false, | ||||
|       "publicClient": true, | ||||
|       "protocol": "openid-connect", | ||||
|       "attributes": { | ||||
|         "login_theme": "alfresco" | ||||
|       } | ||||
|     } | ||||
|   ], | ||||
|   "requiredCredentials": [ "password" ], | ||||
|   "users": [ | ||||
|     { | ||||
|       "username": "admin", | ||||
|       "email": "admin@app.activiti.com", | ||||
|       "enabled": true, | ||||
|       "credentials" : [ | ||||
|         { | ||||
|           "type" : "password", | ||||
|           "value" : "admin" | ||||
|         } | ||||
|       ], | ||||
|       "realmRoles": [ "user", "admin" ] | ||||
|     } | ||||
|   ] | ||||
| } | ||||
| @@ -1,7 +1,7 @@ | ||||
| #!/bin/sh | ||||
|  | ||||
| if [[ $AIMS_URL ]]; then | ||||
|   sed -i s%http:\/\/identity:8080%"$AIMS_URL"%g /etc/nginx/nginx.conf | ||||
| if [[ $ACS_PLATFORM_URL ]]; then | ||||
|   sed -i s%http:\/\/platform:8080%"$ACS_PLATFORM_URL"%g /etc/nginx/nginx.conf | ||||
| fi | ||||
|  | ||||
| if [[ $ACCESS_LOG ]]; then | ||||
|   | ||||
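Review bot: `$ACS_PLATFORM_URL` is spliced unescaped into the replacement side of the `sed` expression, so a value containing `%` (the chosen delimiter, and common in percent-encoded URLs), `&` or a backslash changes the expression instead of being written literally into `/etc/nginx/nginx.conf`. Escaping the value first keeps the substitution literal, e.g. `url=$(printf '%s' "$ACS_PLATFORM_URL" | sed 's/[%&\\]/\\&/g')` followed by `sed -i "s%http://platform:8080%${url}%g" /etc/nginx/nginx.conf`. The script declares `#!/bin/sh` but tests with `[[ ]]`, which is not POSIX; `[ -n "$ACS_PLATFORM_URL" ]` behaves the same in any `sh`. The `if [[ $ACCESS_LOG ]]` block continues outside the hunk.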
| @@ -19,22 +19,31 @@ http { | ||||
|  | ||||
|         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; | ||||
|         proxy_redirect off; | ||||
| #        proxy_buffering off; | ||||
|         proxy_buffer_size	64k; | ||||
|         proxy_buffers		4 256k; | ||||
|         proxy_busy_buffers_size	256k; | ||||
|         proxy_buffering off; | ||||
|         proxy_set_header Host              $http_host; | ||||
|         proxy_set_header X-Real-IP         $remote_addr; | ||||
|         proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for; | ||||
|         proxy_set_header X-Forwarded-Proto $scheme; | ||||
|         proxy_pass_header Set-Cookie; | ||||
|          | ||||
|         # Protect access to SOLR APIs | ||||
|         location ~ ^(/.*/service/api/solr/.*)$ {return 403;} | ||||
|         location ~ ^(/.*/s/api/solr/.*)$ {return 403;} | ||||
|         location ~ ^(/.*/wcservice/api/solr/.*)$ {return 403;} | ||||
|         location ~ ^(/.*/wcs/api/solr/.*)$ {return 403;} | ||||
|  | ||||
|         location ~ ^(/.*/proxy/alfresco/api/solr/.*)$ {return 403 ;} | ||||
|         location ~ ^(/.*/-default-/proxy/alfresco/api/.*)$ {return 403;} | ||||
|          | ||||
|         # Protect access to Prometheus endpoint | ||||
|         location ~ ^(/.*/s/prometheus)$ {return 403;} | ||||
|          | ||||
|         location / { | ||||
|             return 301 $scheme://$http_host/auth; | ||||
|             proxy_pass http://platform:8080; | ||||
|         } | ||||
|  | ||||
|         location /auth/ { | ||||
|             proxy_pass http://identity:8080; | ||||
|         location /alfresco/ { | ||||
|             proxy_pass http://platform:8080; | ||||
|  | ||||
|             # If using external proxy / load balancer (for initial redirect if no trailing slash) | ||||
|             absolute_redirect off; | ||||
|   | ||||
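Review bot: The `return 403` rules for the Solr and Prometheus paths act as a deny-list in front of a catch-all, because `location /` appears to `proxy_pass http://platform:8080;` exactly as `location /alfresco/` does, so any backend path not matched by one of the regexes is forwarded. The +/- markers are lost on this page, so this assumes the `proxy_pass` line in `location /` is the new side replacing the `return 301 …/auth` redirect. Unless other contexts on the platform container must be reachable, the catch-all could be narrowed to `location / { return 404; }` with a comment such as `# Only /alfresco/ is proxied; everything else is rejected`, leaving the 403 rules as a second layer. Separately, `proxy_set_header Host $http_host;` forwards the client-supplied header as-is; if the backend builds absolute URLs from it, `$host` or a fixed server name would be safer. The `location /alfresco/` block closes outside the hunk.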