diff --git a/_includes/docker-compose.yml b/_includes/docker-compose.yml index 9e77dd1..8c2a0b4 100644 --- a/_includes/docker-compose.yml +++ b/_includes/docker-compose.yml @@ -30,6 +30,7 @@ services: - POSTGRES_USER=pguser - POSTGRES_PASSWORD=pgpassword volumes: + # Map 'data' volume such that postgres database is stored externally - data:/var/lib/postgresql/data/ restart: unless-stopped @@ -43,8 +44,8 @@ services: depends_on: - inventree-db volumes: + # Data volume must map to /home/inventree/data - data:/home/inventree/data - - static:/home/inventree/static environment: # Default environment variables are configured to match the 'db' container # Note: If you change the database image, these will need to be adjusted @@ -66,8 +67,8 @@ services: - inventree-db - inventree-server volumes: + # Data volume must map to /home/inventree/data - data:/home/inventree/data - - static:/home/inventree/static environment: # Default environment variables are configured to match the 'db' container # Note: If you change the database image, these will need to be adjusted @@ -81,7 +82,8 @@ services: restart: unless-stopped # nginx acts as a reverse proxy - # static files are served by nginx + # static files are served directly by nginx + # media files are served by nginx, although authentication is redirected to inventree-server # web requests are redirected to gunicorn # NOTE: You will need to provide a working nginx.conf file! inventree-proxy: @@ -93,11 +95,11 @@ services: # Change "1337" to the port that you want InvenTree web server to be available on - 1337:80 volumes: - # Provide nginx.conf file to the container + # Provide ./nginx.conf file to the container # Refer to the provided example file as a starting point - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro - # Static data volume is mounted to /var/www/static - - static:/var/www/static:ro + # nginx proxy needs access to static and media files + - data:/var/www restart: unless-stopped volumes: @@ -110,6 +112,4 @@ volumes: o: bind # This directory specified where InvenTree data are stored "outside" the docker containers # Change this path to a local system path where you want InvenTree data stored - device: /path/to/data - # Static files, shared between containers - static: \ No newline at end of file + device: /path/to/data \ No newline at end of file diff --git a/_includes/nginx.conf b/_includes/nginx.conf index a9eff10..2703787 100644 --- a/_includes/nginx.conf +++ b/_includes/nginx.conf @@ -1,3 +1,4 @@ + server { # Listen for connection on (internal) port 80 @@ -10,17 +11,17 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; - + proxy_redirect off; - + client_max_body_size 100M; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; - + proxy_buffering off; proxy_request_buffering off; - + } # Redirect any requests for static files @@ -34,4 +35,23 @@ server { add_header Cache-Control "public"; } + # Redirect any requests for media files + location /media/ { + alias /var/www/media/; + + # Media files require user authentication + auth_request /auth; + } + + # Use the 'user' API endpoint for auth + location /auth { + internal; + + proxy_pass http://inventree-server:8000/auth/; + + proxy_pass_request_body off; + proxy_set_header Content-Length ""; + proxy_set_header X-Original-URI $request_uri; + } + } \ No newline at end of file diff --git a/docs/start/intro.md b/docs/start/intro.md index 3784077..12dccf8 100644 --- a/docs/start/intro.md +++ b/docs/start/intro.md @@ -135,3 +135,33 @@ Refer to the following guides for further instructions: - [**Bare metal development server setup guide**](./development.md) - [**Bare metal production server setup guide**](./install.md) + +## Debug Mode + +By default, the InvenTree web server is configured to run in [DEBUG mode](https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-DEBUG). + +Running in DEBUG mode provides many handy development features, however it is strongly recommended *NOT* to run in DEBUG mode in a production environment. This recommendation is made because DEBUG mode leaks a lot of information about your installation and may pose a security risk. + +So, for a production setup, you should set `INVENTREE_DEBUG=false` in the [configuration options](./config.md). + +### Potential Issues + +However, turning off DEBUG mode creates further work for the system administrator. In particular, when running in DEBUG mode, the InvenTree web server natively manages *static* and *media* files, which means that the InvenTree server can run "monolithically" without the need for a separate web server. + +With DEBUG mode turned off, a separate web server is required for serving *static* and *media* files. You can find further information in the [django documentation](https://docs.djangoproject.com/en/dev/howto/static-files/deployment/). + +There are *many* different ways that a sysadmin might wish to handle this. + +The [docker production example](./docker_prod.md) provides an example using [Nginx](https://www.nginx.com/) to serve *static* and *media* files, and redirecting other requests to the InvenTree web server itself. + +You may use this as a jumping off point, or use an entirely different server setup. + +#### Static Files + +Static files can be served without any need for authentication. In fact, they must be accessible *without* authentication, otherwise the unauthenticated views (such as the login screen) will not function correctly. + +#### Media Files + +It is highly recommended that the *media* files are served in such a way that user authentication is required. + +Refer to the [docker production example](./docker_prod.md) for a demonstration of using nginx to serve media files only to authenticated users, and forward authentication requests to the InvenTree web server.