There were some issues with https://openlmis.atlassian.net/browse/OLMIS-6053,
so the Angola team has started working on adding SSL/TLS with Let’s Encrypt to the OpenLMIS architecture, and here is our solution.
- we created an Nginx-based proxy which handles HTTPS (all HTTP requests are redirected to HTTPS),
- upgraded the service-configuration service to handle getting and renewing a signed certificate from Let’s Encrypt.
- a separate Docker network for both openlmis/nginx and OpenLMIS-Angola/nginx-tls,
- a separate Docker network for every node except OpenLMIS-Angola/nginx-tls
- current architecture stays intact,
- services communicating with each other still send requests to openlmis/nginx and don’t involve nginx-tls,
- additional layer hides all services and consul so for our users HTTPS is the only way to communicate with OpenLMIS.
- additional layers extend execution time by approximately 6%.
We are still testing it, but is this solution good enough to introduce it to the Core?
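
As an added example (not part of the original post and not OpenLMIS code), the following check audits a compose-style service map against the layout described above: only nginx-tls publishes host ports, and nginx-tls shares a network with nginx alone. The service maps are constructed samples; the network names `edge` and `internal` and the `requisition` entry are assumptions.

```python
# Constructed compose-style service maps (not the project's real files).
# Network names "edge"/"internal" and the "requisition" entry are assumptions.
GOOD = {
    "nginx-tls": {"ports": ["80:80", "443:443"], "networks": ["edge"]},
    "nginx": {"networks": ["edge", "internal"]},
    "consul": {"networks": ["internal"]},
    "requisition": {"networks": ["internal"]},
}
BAD = {
    "nginx-tls": {"ports": ["80:80", "443:443"], "networks": ["edge"]},
    "nginx": {"ports": ["8080:80"], "networks": ["internal"]},
    "consul": {"ports": ["8500:8500"], "networks": ["edge", "internal"]},
    "requisition": {},  # no networks key: lands on the "default" network
}


def networks_of(svc):
    # Compose allows a list or a mapping here; a missing key means "default".
    return set(svc.get("networks") or ["default"])


def audit(services, tls="nginx-tls", proxy="nginx"):
    """Return findings; an empty list means the layout matches the post."""
    if tls not in services or proxy not in services:
        return [f"missing {tls} or {proxy} service"]
    findings = []
    tls_nets = networks_of(services[tls])
    for name, svc in sorted(services.items()):
        if name == tls:
            continue
        # Only the TLS proxy may be reachable from the host.
        if svc.get("ports"):
            findings.append(f"{name} publishes host ports")
        # The TLS proxy must reach the inner proxy and nothing else.
        shared = tls_nets & networks_of(svc)
        if name == proxy and not shared:
            findings.append(f"{tls} shares no network with {proxy}")
        if name != proxy and shared:
            findings.append(f"{name} shares a network with {tls}")
    return findings


if __name__ == "__main__":
    for label, layout in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(layout) or "ok")
```

Services that omit `networks` are treated as joining the `default` network, so a layout that leaves the key off nginx-tls and consul alike is reported as shared.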