How to set up CKAN on Production with Apache, Nginx and SSL with Let's Encrypt

Shashank Sharma edited this page Mar 11, 2021 · 1 revision

NOTE: Please first follow the instructions here to set up CKAN for development.

Why not paster + Nginx

Also, the CKAN documentation recommends this combination as well.

Setup process

  • Create a production.ini File

      cp /etc/ckan/default/development.ini /etc/ckan/default/production.ini
    
  • Install Apache, mod_wsgi, mod_rpaf, Nginx

      sudo apt-get install apache2 libapache2-mod-wsgi libapache2-mod-rpaf nginx
    
  • Install an email server

      sudo apt-get install postfix
    
      NOTE: When asked to choose a Postfix configuration, choose "Internet Site" and press return.
    
  • Create the WSGI script file /etc/ckan/default/apache.wsgi

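      # Python 2 script (execfile), matching the libapache2-mod-wsgi package installed above.
      import os

      # Activate the CKAN virtualenv inside the mod_wsgi process.
      activate_this = '/usr/lib/ckan/default/bin/activate_this.py'
      execfile(activate_this, dict(__file__=activate_this))

      from paste.deploy import loadapp
      # production.ini sits next to this script in /etc/ckan/default.
      config_filepath = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'production.ini')
      from paste.script.util.logging_config import fileConfig
      fileConfig(config_filepath)
      _application = loadapp('config:%s' % config_filepath)

      def application(environ, start_response):
          # Nginx sets X-Url-Scheme (see the Nginx config below). The value is
          # trusted as-is, so Apache must only be reachable through the proxy.
          environ['wsgi.url_scheme'] = environ.get('HTTP_X_URL_SCHEME', 'http')
          return _application(environ, start_response)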
    
  • Create the Apache config file /etc/apache2/sites-available/ckan.conf

      <VirtualHost *:80>
          ServerName justicehub.in
          ServerAlias www.justicehub.in
          WSGIScriptAlias / /etc/ckan/default/apache.wsgi
    
          # Pass authorization info on (needed for rest api).
          WSGIPassAuthorization On
    
          # Deploy as a daemon (avoids conflicts between CKAN instances).
          WSGIDaemonProcess ckan_default display-name=ckan_default processes=2 threads=15
    
          WSGIProcessGroup ckan_default
    
          ErrorLog /var/log/apache2/ckan_default.error.log
          CustomLog /var/log/apache2/ckan_default.custom.log combined
    
          <IfModule mod_rpaf.c>
              RPAFenable On
              RPAFsethostname On
              RPAFproxy_ips 127.0.0.1
          </IfModule>
    
          <Directory />
              Require all granted
          </Directory>
    
      </VirtualHost>
    
  • Enable the site

      sudo a2ensite ckan
      sudo a2dissite 000-default
      sudo service apache2 reload
    
  • Install Let's Encrypt certificates

    • Add Certbot PPA

        sudo apt-get update
        sudo apt-get install software-properties-common
        sudo add-apt-repository universe
        sudo add-apt-repository ppa:certbot/certbot
        sudo apt-get update
      
    • Install Certbot

        sudo apt-get install certbot python-certbot-apache
      
    • Get and install your certificates

        sudo certbot --apache
      

The last step here might end in an error like:

    Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.

    AH00526: Syntax error on line 10 of /etc/apache2/sites-enabled/ckan.conf:
    Name duplicates previous WSGI daemon definition.

Just follow along. Ref

You also need to change the Apache site configuration to make CKAN accessible only locally. To do this, modify the file /etc/apache2/sites-available/ckan.conf and replace the following line:

    <VirtualHost *:80>

with this one:

    <VirtualHost 127.0.0.1:8080>

  • Modify the Apache ports.conf file /etc/apache2/ports.conf

    • Replace this line:

        Listen 80
      
    • With this one:

        Listen 8080
      
  • Create the Nginx config file /etc/nginx/sites-available/ckan

      proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
      proxy_temp_path /tmp/nginx_proxy 1 2;
    
      server {
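          # "ssl on;" is deprecated; the ssl flag on listen replaces it.
          listen 443 ssl;
          # fullchain.pem includes the intermediate certificate that clients need.
          ssl_certificate /etc/letsencrypt/live/justicehub.in/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/justicehub.in/privkey.pem;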
    
          client_max_body_size 100M;
    
          location / {
              proxy_pass http://127.0.0.1:8080/;
              proxy_set_header X-Url-Scheme $scheme;
              proxy_set_header Host $host;
              proxy_cache cache;
              proxy_cache_bypass $cookie_auth_tkt;
              proxy_no_cache $cookie_auth_tkt;
              proxy_cache_valid 30m;
              proxy_cache_key $host$scheme$proxy_host$request_uri;
              # In emergency comment out line to force caching
              # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
          }
      }
      server {
          listen 80;
          server_name justicehub.in;
          rewrite ^ https://$server_name$request_uri? permanent;
      }
    
  • Enable nginx site

      sudo rm -vi /etc/nginx/sites-enabled/default
      sudo ln -s /etc/nginx/sites-available/ckan /etc/nginx/sites-enabled/ckan
      sudo service nginx restart
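
The steps above aim to make Apache reachable only through Nginx, because mod_rpaf and the WSGI script both trust headers arriving on the backend port; `Listen 8080` on its own still opens that port on every interface. The check below is an added example, not part of the original page or of CKAN: `audit_apache` and `bind_host` are hypothetical names, the sample config is constructed from the directives shown above, and `Listen 127.0.0.1:8080` is an assumed loopback-only form.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def bind_host(addr):
    """Host part of an Apache address; None for a bare port or a wildcard."""
    if addr.startswith("["):  # bracketed IPv6 such as [::1]:8080
        return addr[: addr.find("]") + 1]
    host = addr.rsplit(":", 1)[0] if ":" in addr else addr
    return None if host.isdigit() or host in ("*", "_default_") else host

def audit_apache(text):
    """Return (line_no, message) for each setting reachable or trusted beyond loopback."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        listen = re.match(r"listen\s+(\S+)", line, re.I)
        vhost = re.match(r"<virtualhost\s+([^>]+)>", line, re.I)
        rpaf = re.match(r"rpafproxy_ips\s+(.+)", line, re.I)
        if listen and bind_host(listen.group(1)) not in LOOPBACK:
            findings.append((no, "Listen %s is not limited to loopback" % listen.group(1)))
        if vhost:
            for addr in vhost.group(1).split():
                if bind_host(addr) not in LOOPBACK:
                    findings.append((no, "VirtualHost %s is not limited to loopback" % addr))
        if rpaf:
            for ip in rpaf.group(1).split():
                if ip not in LOOPBACK and ip != "::1":
                    findings.append((no, "RPAFproxy_ips trusts non-loopback proxy %s" % ip))
    return findings

# Constructed sample: ports.conf and ckan.conf as this page leaves them, concatenated.
AS_WRITTEN = """\
Listen 8080
<VirtualHost 127.0.0.1:8080>
    ServerName justicehub.in
    <IfModule mod_rpaf.c>
        RPAFproxy_ips 127.0.0.1
    </IfModule>
</VirtualHost>
"""
# Assumption: binding the Listen directive to loopback is the intended end state.
LOOPBACK_ONLY = AS_WRITTEN.replace("Listen 8080", "Listen 127.0.0.1:8080")

if __name__ == "__main__":
    for name, conf in (("as written", AS_WRITTEN), ("loopback only", LOOPBACK_ONLY)):
        print(name, audit_apache(conf))
```

To audit a live host, pass the contents of /etc/apache2/ports.conf and /etc/apache2/sites-available/ckan.conf to `audit_apache`; an empty list means every checked directive is loopback-only.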
    
