Infisign Network Access Gateway (NAG): Pre-requisites and Installation Documentation
Server Requirements: Staging Server Requirements for NAG
Server -1
CPU - 4
Memory -16 GB
Storage - 25 GB
OS -Ubuntu/RHEL
Server Requirements: Production Server Requirements for NAG
Server-1
CPU - 4
Memory -32 GB
Storage - 100 GB
OS -Ubuntu/RHEL
Server-2
CPU - 4
Memory -32 GB
Storage - 100 GB
OS -Ubuntu/RHEL
Load Balancer Server-3
CPU - 2
Memory -4 GB
Storage - 25 GB
OS -Ubuntu/RHEL
Load Balancer Server-4
CPU - 2
Memory -4 GB
Storage - 25 GB
OS -Ubuntu/RHEL
Appendix - Manual Installation Steps
Env file
.env
# .env — sourced and exported by restart_all.sh (set -a; source .env) right
# before `docker stack deploy`, presumably so ${VAR} references in
# docker-compose.yaml can be substituted — confirm that is how it is used.
# These are live database credentials: keep this file owner-readable only and
# out of version control. The same password is also written literally into
# docker-compose_template.yaml, so rotating it means editing both places.
MONGO_INITDB_ROOT_USERNAME=infisignroot
MONGO_INITDB_ROOT_PASSWORD=FVYG4hkj321cf89cyvu5678HJGFC67iOfdbffeae0a65d
MONGO_DB_CONNECTION=mongodb://infisignroot:FVYG4hkj321cf89cyvu5678HJGFC67iOfdbffeae0a65d@nag_db:27017/
docker-compose_template.yaml
Save this file as a docker-compose_template.yaml
Command to save the file - vi docker-compose_template.yaml
# docker-compose_template.yaml — rendered into docker-compose.yaml by
# write_environment.sh (which fills in <myip>, <mydomain> and <nag_envname>)
# and deployed by restart_all.sh with `docker stack deploy ... nag`, so each
# service is addressable on the stack network as nag_<service> (e.g. nag_db).
version: "3.4"
services:
  db:
    image: mongo:4.4-bionic
    environment:
      # NOTE(review): these root credentials are also written literally into
      # .env and into backendapp's MONGO_DB_CONNECTION below. restart_all.sh
      # exports .env before deploying, so `${MONGO_INITDB_ROOT_PASSWORD}` here
      # would keep a single copy and make rotation a one-file change — confirm
      # substitution works with the deploy path before switching.
      - MONGO_INITDB_ROOT_USERNAME=infisignroot
      - MONGO_INITDB_ROOT_PASSWORD=FVYG4hkj321cf89cyvu5678HJGFC67iOfdbffeae0a65d
    ports:
      # Publishes MongoDB on host port 27018, i.e. reachable from outside the
      # stack network; only backendapp (already on the stack network) needs it.
      # Restrict this port at the firewall if nothing external should connect.
      - "27018:27017"
    volumes:
      - db:/data/db
      - ./config/mongo/mongod.conf:/etc/mongod.conf
  backendapp:
    image: infisign/infisign-nag:admin-latest
    command: bash /app/docker-entrypoint.sh
    environment:
      - API_HOSTNAME=https://app.infisign.net/
      - SSO_HOSTNAME=<mydomain>/sso/verify
      # Tenant-specific values; "test" is a placeholder that must be replaced.
      - INFISIGN_NAG_SUBSCRIPTION_KEY=test
      - INFISIGN_NAG_URL_IDENTIFIER=test
      - INFISIGN_NAG_TENANT_ID=test
      - SENTRY_ENV=<nag_envname>
      # Image references handed to the backend; keep them in step with the
      # image: lines of the matching services below (their use is not shown
      # here — presumably the update handling, see nag_update.sh).
      - BACKEND_IMAGE=infisign/infisign-nag:admin-latest
      - SSO_IMAGE=infisign/infisign-nag:sso-latest
      - FRONTEND_IMAGE=infisign/infisign-nag:mfe-latest
      - DIRECTORY_IMAGE=infisign/infisign-nag:dir-latest
      - SCHEDULED_TIME=22:00
      # nag_db is the db service's name inside the "nag" stack.
      - MONGO_DB_CONNECTION=mongodb://infisignroot:FVYG4hkj321cf89cyvu5678HJGFC67iOfdbffeae0a65d@nag_db:27017/
      - IS_MULTI_INSTANCE=false
      # Error reports are sent to the Sentry endpoints listed at the end of this document.
      - SENTRY_ENABLED=true
    ports:
      # Direct host port. This one and 8080–8082 / 8010 below bypass the nginx
      # routing rules; restrict them at the firewall if nginx (port 80) is
      # meant to be the only entry point.
      - "8001:8001"
    depends_on:   # informational only: `docker stack deploy` ignores depends_on
      - db
  directory:
    image: infisign/infisign-nag:dir-latest
    environment:
      - BASE_URL=<mydomain>
      - SENTRY_ENV=<nag_envname>
      - SENTRY_ENABLED=true
    ports:
      - "8082:80"
  frontend:
    image: infisign/infisign-nag:mfe-latest
    environment:
      - DOMAIN_URL=<mydomain>
      - API_ENDPOINT=<mydomain>
      - SSO_URL=<mydomain>/sso/verify
      - SENTRY_ENV=<nag_envname>
      - SENTRY_ENABLED=true
    ports:
      - "8081:80"
  sso:
    image: infisign/infisign-nag:sso-latest
    environment:
      - DOMAIN_URL=<mydomain>
      - DEV_ENDPOINT=<mydomain>
      - SOCKET_URL=<mydomain>
      - SENTRY_ENV=<nag_envname>
      - SENTRY_ENABLED=true
    ports:
      - "8080:80"
  os:
    # NOTE(review): "os-staging" tag while the sibling services use "-latest";
    # confirm this is intended for a production deployment.
    image: infisign/infisign-nag:os-staging
    ports:
      - "8010:8010"
  nginx:
    # Single reverse proxy on port 80; routing rules come from config/nginx/
    # (nginx.conf rendered from nginx_template by write_environment.sh).
    image: nginx:latest
    ports:
      - "80:80"
    volumes:
      - ./config/nginx/:/etc/nginx/conf.d
    depends_on:
      - backendapp
      - frontend
      - sso
      - directory
      - os
volumes:
  db:
    name: db-infisign
    external: false
Note: Update the values of INFISIGN_NAG_SUBSCRIPTION_KEY and INFISIGN_NAG_URL_IDENTIFIER before deploying.
For a multi-instance setup, set OTHER_INSTANCES=http://otherinstanceip: in the primary instance's configuration use the secondary instance's IP, and in the secondary instance's configuration use the primary instance's IP.
docker-compose.yaml file creation
These files must be created on the server.
Create a new folder named config using the following command.
mkdir config
Inside the config folder, create two new folders: mongo and nginx.
Open the mongo folder.
Create a file named mongod.conf (the path mounted by the compose file above) and paste the configuration below.
# mongod.conf
# for documentation of all options, see:
#   http://docs.mongodb.org/manual/reference/configuration-options/
#
# Mounted into the db service at /etc/mongod.conf by docker-compose_template.yaml.
# NOTE(review): that compose service sets no `command`, so nothing visibly
# passes this file to mongod with --config; confirm the container actually
# reads it, otherwise the settings below have no effect.

# Where and how to store data.
# storage:
#   dbPath: /var/lib/mongodb
#   journal:
#     enabled: true
#   engine:
#   mmapv1:
#   wiredTiger:

# where to write logging data.
# systemLog:
#   destination: file
#   logAppend: true
#   path: /var/log/mongodb/mongod.log

# network interfaces
net:
  port: 27017
  # Listen on all interfaces inside the container so the other stack services
  # can reach it; together with the "27018:27017" port publication in the
  # compose file this also exposes the database on the host's network.
  bindIp: 0.0.0.0

# how the process runs
# processManagement:
#   timeZoneInfo: /usr/share/zoneinfo

# security:
#   (no authorization settings here; access control relies on the root user
#    created from MONGO_INITDB_ROOT_USERNAME/PASSWORD in the compose file —
#    verify that auth is actually enforced on the running instance)
# operationProfiling:
# replication:
# sharding:

## Enterprise-Only Options:
# auditLog:
# snmp:
Open the folder nginx.
Create a file named nginx_template and paste the configuration below.
# nginx_template — rendered to config/nginx/nginx.conf by write_environment.sh,
# which replaces <myip> with the machine's public IP, and mounted into the
# nginx service as /etc/nginx/conf.d. Upstream hostnames are the compose
# service names, resolved on the stack network.
upstream backendapp {
    server backendapp:8001;
}
upstream frontend {
    server frontend:80;
}
upstream sso {
    server sso:80;
}
upstream os {
    server os:8010;
}
upstream directory {
    server directory:80;
}
server {
    # Plain HTTP only — no TLS is configured here. Presumably terminated in
    # front of this server (the load balancer servers in the requirements);
    # confirm, and note no X-Forwarded-Proto is passed to the backends.
    listen 80;
    server_name <myip>;

    # All locations are prefix matches (e.g. /nag also matches /nagfoo).
    # Only the backendapp and os routes forward the client address and Host
    # header; the directory, sso and frontend routes pass nothing through.
    location /nag {
        proxy_pass http://backendapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /directory {
        proxy_pass http://directory;
    }
    # Catch-all: everything not matched below goes to the frontend.
    location / {
        proxy_pass http://frontend;
    }
    location /sso {
        proxy_pass http://sso;
    }
    location /os-service/ {
        # Strip the /os-service/ prefix before handing the request to os.
        rewrite ^/os-service/(.*)$ /$1 break;
        proxy_pass http://os;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    # Backend API routes; all share the same proxy settings as /nag.
    location /saml-service/saml {
        proxy_pass http://backendapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /openid-service/openid {
        proxy_pass http://backendapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /auth-service/service {
        proxy_pass http://backendapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /verification-service/service {
        proxy_pass http://backendapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /directory-service/service {
        proxy_pass http://backendapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /identity-service/service {
        proxy_pass http://backendapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
    location /cloudrunner-service/cloudrunner {
        proxy_pass http://backendapp;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
    }
}
The shell script below generates the docker-compose.yaml file.
Create a file named write_environment.sh and paste the script below.
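#!/bin/sh
# write_environment.sh — render docker-compose.yaml and config/nginx/nginx.conf
# from their templates by substituting <myip>, <mydomain> and <nag_envname>.
# Run from the directory holding docker-compose_template.yaml and config/.
# Kept POSIX sh because the documented invocation is `sudo sh write_environment.sh`.
set -eu

die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

nl='
'

# check_value NAME VALUE — refuse values that sed would misinterpret: '|' is
# the substitution delimiter below, '&' and '\' are special in the replacement,
# and a newline would break the expression.
check_value() {
  case $2 in
    ''|*[\|\&\\]*|*"$nl"*)
      die "$1 must be non-empty and must not contain '|', '&', '\\' or newlines (got '$2')." ;;
  esac
}

# render_template TEMPLATE OUT — replace every placeholder and write OUT.
render_template() {
  template=$1
  out=$2
  [ -f "$template" ] || die "Template for Environment file '$template' not found."
  sed -e "s|<myip>|$machine_ip|g" \
      -e "s|<mydomain>|$my_domain|g" \
      -e "s|<nag_envname>|$nag_envname|g" \
      "$template" > "$out" \
    || die "Failed to replace the placeholder in the Environment template '$template'."
}

printf '%s\n' "Starting Environment File config"

# The public IP comes from an external service over the network, so it is
# untrusted input: require something that looks like an IPv4/IPv6 address
# before it is written into the nginx server_name and the compose file.
machine_ip=$(curl -fsS https://ifconfig.me) || die "Could not determine the public IP (curl failed)."
case $machine_ip in
  ''|*[!0-9A-Fa-f.:]*) die "Unexpected public IP value '$machine_ip' from ifconfig.me." ;;
esac

my_domain="test"   # set this to the real domain before running (see note below)
nag_envname="$(uname -s)-$(uname -r)-${machine_ip}"
check_value my_domain "$my_domain"
check_value nag_envname "$nag_envname"

render_template "./docker-compose_template.yaml" "./docker-compose.yaml"
printf '%s\n' "Environment variable config is Done"

printf '%s\n' "Started nginx config file creation"
render_template "config/nginx/nginx_template" "config/nginx/nginx.conf"
printf '%s\n' "Nginx config is Done"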
Note: Set my_domain in the script above to your real domain before running it.
Before running the command below, restrict the file's permissions so that only its owner can read it (400 grants read access to the owner only):
sudo chmod 400 write_environment.sh
Command to run the script - sudo sh write_environment.sh
get-host-ip.py
#!/usr/bin/env python3
import sys
from socket import AF_INET, SOCK_DGRAM, socket
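def main():
    """Print the IPv4 address of the interface that routes to the internet.

    Opens a UDP socket and connect()s it to 8.8.8.8:80. For a datagram socket
    this sends nothing; the kernel only selects the source address it would
    use, which getsockname() then reports. That address is printed on stdout
    (and, when ``-v`` is on the command line, also on stderr).

    On any socket error "Failed to connect" goes to stderr and ``127.0.0.1`` is
    printed instead, with exit status 0 — callers that capture stdout
    (docker_install.sh uses it for ``docker swarm init --advertise-addr``)
    must check for that loopback fallback themselves.
    """
    try:
        # `with` closes the socket on every path; the original left it open.
        with socket(AF_INET, SOCK_DGRAM) as the_socket:
            the_socket.connect(("8.8.8.8", 80))
            inet_addr = the_socket.getsockname()[0]
    except OSError:
        # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit are
        # not swallowed; socket failures all derive from OSError.
        print("Failed to connect", file=sys.stderr)
        print("127.0.0.1")
        return
    if "-v" in sys.argv:
        print(f"IP address={inet_addr}", file=sys.stderr)
    print(inet_addr)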
# Entry point for `./get-host-ip.py [-v]`; docker_install.sh invokes it this way.
if __name__ == "__main__":
    main()
Make the script executable so the install script can run it as ./get-host-ip.py: chmod 777 -R get-host-ip.py (note that 777 also makes the file writable by every local user; execute permission is all that is needed).
Docker setup on the Server
Docker and Docker compose should be installed on the server.
Step 1 - Docker installation
The below Shell script will be used for installation.
docker_install.sh
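#!/bin/bash
# docker_install.sh — install Docker Engine from Docker's apt repository
# (Ubuntu) and initialise a single-node swarm, unless docker is already present.
# Expects get-host-ip.py next to this script.
set -euo pipefail

script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

if command -v docker >/dev/null 2>&1; then
  echo "Docker is already installed."
  exit 0
fi

echo "Docker not found. Installing Docker..."

# Update the apt package index and install what apt needs for an HTTPS repo.
sudo apt update
sudo apt install -y \
  apt-transport-https \
  ca-certificates \
  curl \
  gnupg \
  lsb-release

# Docker's official GPG key; `signed-by` below pins the repository to it.
# -f makes an HTTP error fail the pipeline instead of dearmoring an error page.
keyring=/usr/share/keyrings/docker-archive-keyring.gpg
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
  | sudo gpg --dearmor -o "$keyring"

# Set up the stable Docker repository (architecture taken from dpkg rather
# than hard-coded to amd64).
echo "deb [arch=$(dpkg --print-architecture) signed-by=$keyring] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
  | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null

# Install Docker Engine.
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io

# Let the invoking user run docker without sudo. When this script itself runs
# under sudo, $USER is root, so prefer the real login from SUDO_USER.
target_user="${SUDO_USER:-${USER:-$(id -un)}}"
sudo usermod -aG docker "$target_user"

# Advertise the host's default-route address. get-host-ip.py prints 127.0.0.1
# when it cannot determine one; refuse to build a swarm advertised on loopback.
host_ip="$("$script_dir/get-host-ip.py")"
if [[ -z "$host_ip" || "$host_ip" == "127.0.0.1" ]]; then
  echo "Error: could not determine the host IP for --advertise-addr (got '${host_ip}')." >&2
  exit 1
fi
# The new docker group membership is not active in this session yet, so the
# swarm is initialised through sudo.
sudo docker swarm init --advertise-addr "$host_ip"
echo "Docker installed successfully."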
Step 2 - Docker Compose Installation
docker_compose.sh
The below Shell script will be used for installation.
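#!/bin/bash
# docker_compose.sh — install the docker-compose 1.29.2 binary into
# /usr/local/bin if no docker-compose is on the PATH.
set -euo pipefail

if command -v docker-compose >/dev/null 2>&1; then
  echo "Docker Compose is already installed."
  exit 0
fi

echo "Docker Compose not found. Installing Docker Compose..."
compose_version="1.29.2"
compose_url="https://github.com/docker/compose/releases/download/${compose_version}/docker-compose-$(uname -s)-$(uname -m)"

# Download to a private temp file first; -f turns an HTTP error into a
# failure instead of saving the error page as the "binary".
tmp_bin="$(mktemp)" || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$tmp_bin"' EXIT
curl -fsSL "$compose_url" -o "$tmp_bin"

# Optional integrity check: set DOCKER_COMPOSE_SHA256 to the sha256 published
# for this release asset (placeholder: <sha256-from-release-page>) and the
# download is verified before it is installed.
if [[ -n "${DOCKER_COMPOSE_SHA256:-}" ]]; then
  printf '%s  %s\n' "$DOCKER_COMPOSE_SHA256" "$tmp_bin" | sha256sum -c - >/dev/null \
    || { echo "Error: docker-compose download failed the sha256 check." >&2; exit 1; }
fi

# install(1) copies and sets the executable mode in one step.
sudo install -m 0755 "$tmp_bin" /usr/local/bin/docker-compose
echo "Docker Compose installed successfully."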
Step 3 - Running the service using restart_all.sh script
restart_all.sh
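#!/usr/bin/env bash
# restart_all.sh — (re)deploy the "nag" stack from docker-compose.yaml and force
# a new task for each service so their image tags are re-resolved.
# Run on the swarm manager from a docker login that can pull the images
# (--with-registry-auth forwards that login to the nodes).
set -euo pipefail

script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
env_file="$script_dir/.env"
compose_file="$script_dir/docker-compose.yaml"

[[ -f "$env_file" ]] || { echo "Error: $env_file not found." >&2; exit 1; }
[[ -f "$compose_file" ]] || { echo "Error: $compose_file not found." >&2; exit 1; }

# Export everything in .env (this includes the Mongo root credentials) for the
# docker CLI, presumably so ${VAR} references in the compose file are substituted.
set -a
# shellcheck source=/dev/null
source "$env_file"
set +a

# Optional extra flags for `docker stack deploy`, taken from the environment;
# left unquoted on purpose so a space-separated list expands to separate args.
# shellcheck disable=SC2086
docker stack deploy --compose-file="$compose_file" ${extra_args:-} nag --with-registry-auth --prune

# NOTE(review): nag_directory (and nag_db, which is stateful) are not
# force-updated here; confirm whether directory should be refreshed too.
for service in nginx backendapp frontend sso os; do
  docker service update --force "nag_${service}"
done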
Command to run the script - ./restart_all.sh
Update handling
Create the nag_update.sh script:
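#!/bin/bash
# nag_update.sh — run by cron (see write_crontab.sh). Reads /app/nag_update.json
# from the running backend container; when it contains can_update=true the
# stack is redeployed via restart_all.sh and can_update=false is written back.
set -euo pipefail

current_path="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
json_file="$current_path/nag_update.json"

die() { printf '%s\n' "$*" >&2; exit 1; }

# find_backend_container — print the id of one running nag_backendapp task.
# The `name=` filter is a substring/regex match, so anchor it and take only
# the first line; otherwise a second match would turn the id into a
# multi-line value and break docker exec / docker cp.
find_backend_container() {
  docker ps -q -f "name=^nag_backendapp" | head -n 1
}

if ! command -v jq >/dev/null 2>&1; then
  echo "jq is not installed. Installing jq..."
  sudo apt-get update
  sudo apt-get install -y jq
  command -v jq >/dev/null 2>&1 || die "Failed to install jq. Exiting."
fi

backend_container_id="$(find_backend_container)"
[[ -n "$backend_container_id" ]] || die "Container not found or not running."

# The flag file is produced inside the container, so it is treated strictly as
# data: parsed with jq, never evaluated by the shell.
docker exec "$backend_container_id" cat /app/nag_update.json > "$json_file" \
  || die "Could not read /app/nag_update.json from container $backend_container_id."
can_update="$(jq -r '.can_update' "$json_file")" \
  || die "nag_update.json is not valid JSON."

if [[ "$can_update" != "true" ]]; then
  echo "No Updates. Exiting..."
  exit 0
fi

if "$current_path/restart_all.sh"; then
  # Clear the flag only after a successful redeploy.
  jq '.can_update = false' "$json_file" > "$json_file.tmp" \
    && mv "$json_file.tmp" "$json_file"
  # restart_all.sh force-updates nag_backendapp, which replaces its task, so the
  # id captured above most likely no longer exists; look the container up again
  # before copying the cleared flag back in.
  backend_container_id="$(find_backend_container)"
  [[ -n "$backend_container_id" ]] || die "Backend container not found after redeploy; flag not written back."
  docker cp "$json_file" "$backend_container_id:/app/nag_update.json"
  echo "Updated successfully"
else
  echo "Error:failed. Update aborted"
fi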
Create the write_crontab.sh script:
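#!/bin/bash
# write_crontab.sh — install a cron entry that runs nag_update.sh on
# CRON_SCHEDULE for the invoking user, keeping that user's other cron entries.
set -euo pipefail

# Anchor on this script's directory rather than the caller's cwd, so the
# cron entry points at nag_update.sh wherever the script is launched from.
current_path="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
echo "The current path is: $current_path"

# Define the command and schedule (every 12 hours); edit CRON_SCHEDULE to taste.
CRON_COMMAND="$current_path/nag_update.sh 2>&1 | /usr/bin/logger -t CRONOUTPUT"
CRON_SCHEDULE="0 */12 * * *"
echo "$CRON_COMMAND"

# Private temp file instead of a fixed, predictable name in /tmp.
tmp_cron="$(mktemp)" || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$tmp_cron"' EXIT

# `crontab FILE` replaces the whole crontab, so start from the existing entries
# (crontab -l fails when there are none), drop any earlier copy of this command
# so reruns do not duplicate it, then append the new line.
{ crontab -l 2>/dev/null || true; } | grep -vF -- "$CRON_COMMAND" > "$tmp_cron" || true
printf '%s %s\n' "$CRON_SCHEDULE" "$CRON_COMMAND" >> "$tmp_cron"
crontab "$tmp_cron"
echo "Cron job set up successfully!"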
Note: Adjust CRON_SCHEDULE="0 */12 * * *" to the time at which you want the update check to run.
Run write_crontab.sh so that the instance is updated to the latest code at the scheduled time.
Setup Completed
Your service is now reachable at this URI:
{{URI}} - the public IP of the instance, on port 80
Use the public IP to open the NAG Dashboard.
List of domains to whitelist in NAG
https://infisign-01.s3.amazonaws.com/
https://826fb84d23eb4540adf97442ef1c807@o4505516034162688.ingest.sentry.io/4505520095625216
https://634bdb5939c23e42b95e7e0325229763@o4505516034162688.ingest.sentry.io/4506273758904320
https://09128e44fd5f4f48909239eb0ba349ac@o4505516034162688.ingest.sentry.io/4505516766003200
https://play.google.com/store/apps/details?id=com.wallet.infisign