Install
Installation instructions
Hosting requirements:
Operating System: GNU Linux/Unix CPU: 4 cores, 64 bit RAM Memory: 16 GB Storage: 350 GB Network: Public IP address, ports 80 and 443
Prerequisites:
Open JDK 8 PostgreSQL 11 with PostGIS 2.4 extension MongoDB 4.2
Deliverables:
Main application: ocportal.jar
Configure SMTP server to serve on localhost port 25 without any authentication.
PostgreSQL
Database name must be oc-portal. Application connects to the database via 5432 port.
Make sure that postgres user exists and PostgreSQL is configured to trust all local ip v4 connections.
In /etc/postgresql/11/main/pg_hba.conf you must have the following lines:
IPv4 local connections:
host all all 127.0.0.1/32 trust
MongoDB
Please install MongoDB 4.2 Community Edition based using the instructions here https://docs.mongodb.com/v4.2/installation/#mongodb-community-edition-installation-tutorials
Application Settings:
Command | Comment |
---|---|
-DjwtSecret=1234 |
A secret used to generate JWT tokens. If changed all users of PMC Reporter app will have to login again. |
-Dgoogle.recaptcha.secret=4567 |
Google Recaptcha Secret |
-DLOG_DIR=/opt/ocportal/logs/ |
Path to the directory where all application logs will be written. |
-DgaId=Google-analytics-id |
Google Analytics ID |
-DserverURL=https://server.address |
External URL of the service. Used to: generate links that are sent out in emails in OCDS files |
-Dfile.encoding=UTF-8 |
Default file encoding. Must be UTF-8. |
-DJava.awt.headless=true |
Instructs JVM to not use display/mouse/keyboard. |
-XX:+HeapDumpOnOutOfMemoryError |
Create heap dump when out of memory error occurs. |
-XX:HeapDumpPath=/opt/ocportal/hd |
Specify the path where to store heap dumps. |
-Xms512m |
Initial heap size. |
-Xmx8192m |
Maximum possible heap size. |
-XX:+UseG1GC |
Use Garbage-First (G1) garbage collector. |
-Dwicket.configuration=deployment |
Must be set to deployment. |
-server |
Enable JVM server optimizations. |
Installation steps:
Create ocportal user.
$ useradd ocportal
Create /opt/ocportal, /opt/ocportal/logs and /opt/ocportal/heapdumps folders.
$ mkdir -p /opt/ocportal/logs /opt/ocportal/heapdumps
Copy ocportal.jar to /opt/ocportal folder.
$ cp ocportal.jar /opt/ocportal
Make sure that /opt/ocportal and its content is owned by ocportal user.
$ chown -R ocportal /opt/ocportal
Register, configure and enable the app as a system service.
Use ocportal.service from Annex 1 and copy it to /etc/systemd/system directory.
$ systemctl enable ocportal
$ systemctl start ocportal
Nginx
Web requests to the applications are dispatched by Nginx 1.14 webserver, running on Debian GNU/Linux Stable (Buster) AMD64.
The webserver is configured to redirect any plain text (HTTP) requests to their TLS-encrypted (HTTPS) counterparts. Additionally, it is enforcing Strict Transport Security by pinning the necessary headers. TLS certificate is provided by LetsEncrypt service. The server is configured to only allow secure modern encryption protocols (TLS v1.2 and v1.3) as well as only strong cipher suites.
The server requests compliant robots not to index the website by serving a restrictive robots.txt file.
Configuration file:
events {
}
http {
include /etc/nginx/mime.types;
client_max_body_size 32m;
gzip on;
gzip_types application/javascript application/json application/x-javascript application/xml application/xml+rss image/svg+xml text/css text/javascript text/xml;
gzip_vary on;
proxy_http_version 1.1;
ssl_ciphers 'HIGH !CAMELLIA !PSK !kRSA !SHA1 !SHA256 !SHA384';
ssl_dhparam /etc/ssl/dhparam;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
server {
add_header Strict-Transport-Security 'max-age=86400; includeSubDomains' always;
client_max_body_size 32m;
gzip on;
gzip_types application/javascript application/json application/x-javascript application/xml application/xml+rss image/svg+xml text/css text/javascript text/xml;
gzip_vary on;
listen 443 ssl http2;
listen [::]:443 ssl http2;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
server_name server.address;
ssl_certificate /etc/letsencrypt/live/server.address/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/server.address/privkey.pem;
location / {
proxy_pass http://ocportal;
}
location /ci {
proxy_pass http://ocportal:8082;
}
location = /robots.txt {
expires 7d;
return 200 'User-Agent: *\nDisallow: /\n';
}
}
}
Annex 1
Example ocportal.service file:
[Unit]
Description=OCPortal
After=syslog.target postgresql.service
BindsTo=postgresql.service
[Service]
User=ocportal
Group=ocportal
WorkingDirectory=/opt/ocportal
ExecStart=/usr/bin/java -jar -server -Dwicket.configuration=deployment -Dsmsgateway.key=1 -DjwtSecret=1234 -Dgoogle.recaptcha.secret=4567 -Dfile.encoding=UTF-8 -Xms512m -Xmx8192m -XX:MaxMetaspaceSize=256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/ocportal/hd
-XX:ReservedCodeCacheSize=128m -DJava.awt.headless=true -XX:+UseG1GC
-DLOG_DIR=/opt/ocportal/logs/ -Dbackup.home=/opt/backup -DgaId=google-analytics-id -DserverURL=https://server.address -jar /opt/ocportal/ocportal.jar
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target