Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/geosolutions-it/clevmetro-nfd

Cleveland Metroparks - Natural Features Database
https://github.com/geosolutions-it/clevmetro-nfd

django mapstore2 python species

Last synced: 9 months ago
JSON representation

Cleveland Metroparks - Natural Features Database

Awesome Lists containing this project

README 

          
# clevmetro-nfd

Cleveland Metroparks - Natural Features Database



## Overview



The software is composed of a [client application](nfdclient/README.md) based on MapStore2, React and Redux technologies,

and a [REST API](nfdapi/README.md) based on Django. Have a look at both subprojects for detailed development and

deployment documentation.



## Deployment 



Clone the repository with the --recursive option to automatically clone submodules:



`git clone --recursive https://github.com/geosolutions-it/clevmetro-nfd.git`



Then configure Apache or Nginx to serve the nfdclient application on the root

("/") path and the nfdapi Django application on "nfdapi/" path.



The client application is served as static content.



The nfdapi application should be served using a WSGI compatible web server such as Apache or Nginx.

A [systemd script is provided](nfdapi/deploy/metroparksnfd.service) for deploying nfdapi as a system service

using the uWSGI application container. uWSGI can be integrated

with Apache or Nginx [using different approaches](http://uwsgi-docs.readthedocs.io/en/latest/WebServers.html).

For the dev server, a simple proxy configuration was used to integrate Apache with uWSGI.



The following configuration file can be used to configure Apache for

nfdclient and nfdapi applications:



```

# /etc/apache2/conf-enabled/nfdapi.conf

Header set Access-Control-Allow-Origin "*"

Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"

Alias /static /opt/clevmetro-nfd/nfdclient



      Order allow,deny

      Allow from all

      Require all granted



Alias /media /var/www/media



      Order allow,deny

      Allow from all

      Require all granted



Alias /nfdapi-static /var/www/clevmetronfd-static



      Order allow,deny

      Allow from all

      Require all granted



ProxyPass /nfdapi http://localhost:3001/nfdapi

ProxyPassReverse /nfdapi http://localhost:3001/nfdapi

```



Redirect http to https (requires mod_rewrite to be enabled):



```

# /etc/apache2/sites-enabled/000-default.conf



	# The ServerName directive sets the request scheme, hostname and port that

	# the server uses to identify itself. This is used when creating

	# redirection URLs. In the context of virtual hosts, the ServerName

	# specifies what hostname must appear in the request's Host: header to

	# match this virtual host. For the default virtual host (this file) this

	# value is not decisive as it is used as a last resort host regardless.

	# However, you must set it for any further virtual host explicitly.

	#ServerName www.example.com



	ServerAdmin webmaster@localhost

	DocumentRoot /opt/clevmetro-nfd/nfdclient



	ServerName dev.nfd.geo-solutions.it

	Redirect permanent / https://dev.nfd.geo-solutions.it/



	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,

	# error, crit, alert, emerg.

	# It is also possible to configure the loglevel for particular

	# modules, e.g.

	#LogLevel info ssl:warn



	ErrorLog ${APACHE_LOG_DIR}/error.log

	CustomLog ${APACHE_LOG_DIR}/access.log combined



	# For most configuration files from conf-available/, which are

	# enabled or disabled at a global level, it is possible to

	# include a line for only one particular virtual host. For example the

	# following line enables the CGI configuration for this host only

	# after it has been globally disabled with "a2disconf".

	#Include conf-available/serve-cgi-bin.conf



```



Configure SSL enpoint (requires a valid SSL certificate):



```

# /etc/apache2/sites-enabled/default-ssl.conf



	

		ServerAdmin webmaster@localhost



		DocumentRoot /opt/clevmetro-nfd/nfdclient



		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,

		# error, crit, alert, emerg.

		# It is also possible to configure the loglevel for particular

		# modules, e.g.

		#LogLevel info ssl:warn



		ErrorLog ${APACHE_LOG_DIR}/error.log

		CustomLog ${APACHE_LOG_DIR}/access.log combined



		# For most configuration files from conf-available/, which are

		# enabled or disabled at a global level, it is possible to

		# include a line for only one particular virtual host. For example the

		# following line enables the CGI configuration for this host only

		# after it has been globally disabled with "a2disconf".

		#Include conf-available/serve-cgi-bin.conf



		#   SSL Engine Switch:

		#   Enable/Disable SSL for this virtual host.

		SSLEngine on



		#   A self-signed (snakeoil) certificate can be created by installing

		#   the ssl-cert package. See

		#   /usr/share/doc/apache2/README.Debian.gz for more info.

		#   If both key and certificate are stored in the same file, only the

		#   SSLCertificateFile directive is needed.

		SSLCertificateFile	/etc/letsencrypt/live/dev.nfd.geo-solutions.it/fullchain.pem

		SSLCertificateKeyFile /etc/letsencrypt/live/dev.nfd.geo-solutions.it/privkey.pem



		#   Server Certificate Chain:

		#   Point SSLCertificateChainFile at a file containing the

		#   concatenation of PEM encoded CA certificates which form the

		#   certificate chain for the server certificate. Alternatively

		#   the referenced file can be the same as SSLCertificateFile

		#   when the CA certificates are directly appended to the server

		#   certificate for convinience.

		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt



		#   Certificate Authority (CA):

		#   Set the CA certificate verification path where to find CA

		#   certificates for client authentication or alternatively one

		#   huge file containing all of them (file must be PEM encoded)

		#   Note: Inside SSLCACertificatePath you need hash symlinks

		#		 to point to the certificate files. Use the provided

		#		 Makefile to update the hash symlinks after changes.

		#SSLCACertificatePath /etc/ssl/certs/

		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt



		#   Certificate Revocation Lists (CRL):

		#   Set the CA revocation path where to find CA CRLs for client

		#   authentication or alternatively one huge file containing all

		#   of them (file must be PEM encoded)

		#   Note: Inside SSLCARevocationPath you need hash symlinks

		#		 to point to the certificate files. Use the provided

		#		 Makefile to update the hash symlinks after changes.

		#SSLCARevocationPath /etc/apache2/ssl.crl/

		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl



		#   Client Authentication (Type):

		#   Client certificate verification type and depth.  Types are

		#   none, optional, require and optional_no_ca.  Depth is a

		#   number which specifies how deeply to verify the certificate

		#   issuer chain before deciding the certificate is not valid.

		#SSLVerifyClient require

		#SSLVerifyDepth  10



		#   SSL Engine Options:

		#   Set various options for the SSL engine.

		#   o FakeBasicAuth:

		#	 Translate the client X.509 into a Basic Authorisation.  This means that

		#	 the standard Auth/DBMAuth methods can be used for access control.  The

		#	 user name is the `one line' version of the client's X.509 certificate.

		#	 Note that no password is obtained from the user. Every entry in the user

		#	 file needs this password: `xxj31ZMTZzkVA'.

		#   o ExportCertData:

		#	 This exports two additional environment variables: SSL_CLIENT_CERT and

		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

		#	 server (always existing) and the client (only existing when client

		#	 authentication is used). This can be used to import the certificates

		#	 into CGI scripts.

		#   o StdEnvVars:

		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.

		#	 Per default this exportation is switched off for performance reasons,

		#	 because the extraction step is an expensive operation and is usually

		#	 useless for serving static content. So one usually enables the

		#	 exportation for CGI and SSI requests only.

		#   o OptRenegotiate:

		#	 This enables optimized SSL connection renegotiation handling when SSL

		#	 directives are used in per-directory context.

		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

		

				SSLOptions +StdEnvVars

		

		

				SSLOptions +StdEnvVars

		



		#   SSL Protocol Adjustments:

		#   The safe and default but still SSL/TLS standard compliant shutdown

		#   approach is that mod_ssl sends the close notify alert but doesn't wait for

		#   the close notify alert from client. When you need a different shutdown

		#   approach you can use one of the following variables:

		#   o ssl-unclean-shutdown:

		#	 This forces an unclean shutdown when the connection is closed, i.e. no

		#	 SSL close notify alert is send or allowed to received.  This violates

		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use

		#	 this when you receive I/O errors because of the standard approach where

		#	 mod_ssl sends the close notify alert.

		#   o ssl-accurate-shutdown:

		#	 This forces an accurate shutdown when the connection is closed, i.e. a

		#	 SSL close notify alert is send and mod_ssl waits for the close notify

		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in

		#	 practice often causes hanging connections with brain-dead browsers. Use

		#	 this only for browsers where you know that their SSL implementation

		#	 works correctly.

		#   Notice: Most problems of broken clients are also related to the HTTP

		#   keep-alive facility, so you usually additionally want to disable

		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

		#   "force-response-1.0" for this.

		# BrowserMatch "MSIE [2-6]" \

		#		nokeepalive ssl-unclean-shutdown \

		#		downgrade-1.0 force-response-1.0



ServerName dev.nfd.geo-solutions.it

	



```

Images are stored on /var/www/media/images. Ensure the folder exists and is writable by the www-data user.



Have a look to the specific [nfdapi readme file](nfdapi/README.md) for

additional configuration steps (required for develoment and deployment

envs).