Merge branch 'master' into enhancement/fix-reminder-link
kevgliss authored Oct 16, 2023
2 parents cfaafb3 + 398e839 commit a9c641d
Showing 60 changed files with 2,127 additions and 213 deletions.
105 changes: 53 additions & 52 deletions docs/docs/administration/installation.mdx
Expand Up @@ -115,38 +115,40 @@ proxy_pass passes the external request to the Python process. The port must matc

You can make some adjustments to get a better user experience:

```nginx
server_tokens off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
server {
listen 80;
return 301 https://$host$request_uri;
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
access_log /var/log/nginx/log/dispatch.access.log;
error_log /var/log/nginx/log/dispatch.error.log;

location /api {
proxy_pass http://127.0.0.1:8000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
listen 443;
access_log /var/log/nginx/log/dispatch.access.log;
error_log /var/log/nginx/log/dispatch.error.log;
location /api {
proxy_pass http://127.0.0.1:8000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
location / {
root /path/to/dispatch/static/dist;
include mime.types;
index index.html;
}

}
```

Nginx will serve the favicon and static files, which it is much better at than python.

We recommended that you deploy TLS when deploying Dispatch. It may be obvious given Dispatch’s purpose, but the sensitive nature of Dispatch and what it controls makes this essential. A sample config for Dispatch that also terminates TLS:
Expand All @@ -155,79 +157,78 @@ We recommended that you deploy TLS when deploying Dispatch. It may be obvious gi
Some paths will have to be adjusted based on where you have chosen to install Dispatch.
:::

```
```nginx
server_tokens off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
server {
listen 80;
return 301 https://$host$request_uri;
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443;
access_log /var/log/nginx/log/dispatch.access.log;
error_log /var/log/nginx/log/dispatch.error.log;
listen 443;
access_log /var/log/nginx/log/dispatch.access.log;
error_log /var/log/nginx/log/dispatch.error.log;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE cipher suites, recommended 2048 bits
# Diffie-Hellman parameter for DHE cipher suites, recommended 2048 bits
ssl_dhparam /path/to/dhparam.pem;
ssl_dhparam /path/to/dhparam.pem;
# modern configuration. tweak to your needs.
# modern configuration. tweak to your needs.
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
resolver <IP DNS resolver>;
resolver <IP DNS resolver>;
location /api {
proxy_pass http://127.0.0.1:8000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
location /api {
proxy_pass http://127.0.0.1:8000;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
}
location / {
root /path/to/dispatch/static/dist;
include mime.types;
index index.html;
}
}
```

Apache
An example apache config:

```
```apache
<VirtualHost \*:443>
...
SSLEngine on
12 changes: 8 additions & 4 deletions docs/package-lock.json


47 changes: 37 additions & 10 deletions requirements-base.txt
Expand Up @@ -8,7 +8,7 @@ aiocache==0.12.2
# via -r requirements-base.in
aiofiles==23.2.1
# via -r requirements-base.in
aiohttp==3.8.5
aiohttp==3.8.6
# via
# -r requirements-base.in
# openai
Expand Down Expand Up @@ -39,6 +39,12 @@ blis==0.7.10
# via thinc
blockkit==1.5.2
# via -r requirements-base.in
boto3==1.28.59
# via -r requirements-base.in
botocore==1.31.59
# via
# boto3
# s3transfer
cachetools==5.3.1
# via
# -r requirements-base.in
Expand Down Expand Up @@ -71,10 +77,14 @@ click==8.1.7
# schemathesis
# typer
# uvicorn
cloudpathlib==0.15.1
# via weasel
colorama==0.4.6
# via schemathesis
confection==0.1.1
# via thinc
# via
# thinc
# weasel
cryptography==39.0.2
# via
# -r requirements-base.in
Expand Down Expand Up @@ -106,7 +116,7 @@ deprecation==2.1.0
# via pdpyras
dnspython==2.4.2
# via email-validator
duo-client==5.0.1
duo-client==5.1.0
# via -r requirements-base.in
ecdsa==0.18.0
# via python-jose
Expand All @@ -122,7 +132,7 @@ frozenlist==1.4.0
# aiosignal
google-api-core==2.11.1
# via google-api-python-client
google-api-python-client==2.101.0
google-api-python-client==2.102.0
# via -r requirements-base.in
google-auth==2.22.0
# via
Expand Down Expand Up @@ -180,6 +190,10 @@ jinja2==3.1.2
# spacy
jira==2.0.0
# via -r requirements-base.in
jmespath==1.0.1
# via
# boto3
# botocore
joblib==1.3.2
# via -r requirements-base.in
jsonpath-ng==1.6.0
Expand All @@ -200,7 +214,7 @@ lxml==4.9.3
# premailer
mako==1.2.4
# via alembic
markdown==3.4.4
markdown==3.5
# via -r requirements-base.in
markupsafe==2.1.3
# via
Expand Down Expand Up @@ -245,6 +259,7 @@ packaging==23.1
# spacy
# statsmodels
# thinc
# weasel
pandas==2.1.1
# via
# -r requirements-base.in
Expand All @@ -267,12 +282,12 @@ preshed==3.0.8
# via
# spacy
# thinc
protobuf==4.24.3
protobuf==4.24.4
# via
# -r requirements-base.in
# google-api-core
# googleapis-common-protos
psycopg2-binary==2.9.8
psycopg2-binary==2.9.9
# via -r requirements-base.in
pyasn1==0.5.0
# via
Expand All @@ -294,6 +309,7 @@ pydantic==1.10.13
# fastapi
# spacy
# thinc
# weasel
pyjwt[crypto]==2.8.0
# via
# msal
Expand All @@ -315,6 +331,7 @@ pytest-subtests==0.7.0
python-dateutil==2.8.2
# via
# -r requirements-base.in
# botocore
# emails
# pandas
python-jose==3.3.0
Expand Down Expand Up @@ -346,6 +363,7 @@ requests==2.31.0
# schemathesis
# spacy
# starlette-testclient
# weasel
requests-oauthlib==1.3.1
# via
# atlassian-python-api
Expand All @@ -358,6 +376,8 @@ rsa==4.9
# google-auth
# oauth2client
# python-jose
s3transfer==0.7.0
# via boto3
schedule==1.2.1
# via -r requirements-base.in
schemathesis==3.19.7
Expand Down Expand Up @@ -388,7 +408,7 @@ six==1.16.0
# validators
slack-bolt==1.18.0
# via -r requirements-base.in
slack-sdk==3.22.0
slack-sdk==3.23.0
# via
# -r requirements-base.in
# slack-bolt
Expand All @@ -398,14 +418,15 @@ smart-open==6.3.0
# via
# pathy
# spacy
# weasel
sniffio==1.3.0
# via
# anyio
# httpcore
# httpx
sortedcontainers==2.4.0
# via hypothesis
spacy==3.6.1
spacy==3.7.1
# via -r requirements-base.in
spacy-legacy==3.0.12
# via spacy
Expand All @@ -426,6 +447,7 @@ srsly==2.4.7
# confection
# spacy
# thinc
# weasel
starlette==0.27.0
# via
# fastapi
Expand Down Expand Up @@ -455,6 +477,7 @@ typer==0.9.0
# via
# pathy
# spacy
# weasel
typing-extensions==4.7.1
# via
# alembic
Expand All @@ -467,8 +490,9 @@ tzdata==2023.3
# via pandas
uritemplate==4.1.1
# via google-api-python-client
urllib3==1.26.16
urllib3==1.26.17
# via
# botocore
# google-auth
# pdpyras
# requests
Expand All @@ -483,6 +507,9 @@ wasabi==1.1.2
# via
# spacy
# thinc
# weasel
weasel==0.3.2
# via spacy
werkzeug==2.3.7
# via schemathesis
wrapt==1.15.0