Deploy Lissi Verifier using Docker-Compose
Prerequisites
A running Lissi Agent instance deployed using Docker-Compose (see here)
Access to the Docker image (granted via a personal access token)
Setup
1. Update the Lissi Agent Configuration
Update the ~/app/server/docker-compose.yml
Add the lissi-verifier service:

```yaml
  lissi-verifier:
    container_name: lissi-verifier
    image: "${LISSI_VERIFIER_IMAGE}"
    ports:
      - "127.0.0.1:8888:8080"
    environment:
      - KEYCLOAK_AUTHSERVERURL=${KEYCLOAK_AUTH_SERVER_URL}
      - LISSIAGENT_URL=http://lissi-agent-controller:9080/ctrl/api/v1.0
      - LISSIAGENT_TENANT-ID=${LISSI_VERIFIER_TENANT_ID}
      - LISSIAGENT_WEBHOOK-API-KEY=${LISSI_VERIFIER_WEBHOOK_API_KEY}
    depends_on:
      - aries-cloud-agent
    networks:
      - lissi-agent-network
      - lissi-keycloak-network
    logging:
      driver: "json-file"
      options:
        max-file: "5"
        max-size: "50m"
    restart: on-failure
```
Modify the aries-cloud-agent startup parameters and add a second --webhook-url parameter as shown in line 10:

```yaml
  aries-cloud-agent:
    container_name: aries-cloud-agent
    image: ${ACAPY_IMAGE}
    entrypoint: /bin/bash
    command: [
      "-c",
      "sleep 10;
      aca-py start \
      [...]
      --webhook-url 'http://lissi-verifier:8080/api/acapy-webhook#$LISSI_VERIFIER_WEBHOOK_API_KEY' \
      [...]
    ]
```
Update ~/app/client/nginx.conf
Add a server context at the bottom of the file:

```nginx
server {
    server_name verifier.NGINX_HOST_PLACEHOLDER;
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;

    # security configs (see https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)
    # do not display the nginx version number
    server_tokens off;
    # prevent potential DoS attacks
    client_body_buffer_size 1k;
    client_header_buffer_size 1k;
    # upload images with max 1 MB size possible!
    client_max_body_size 1000k;
    large_client_header_buffers 4 4k; # min 4k are required after update to NGINX version 20.0
    ssl_buffer_size 8k;
    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
    # exclude TLSv1 and TLSv1.1 (unsafe)
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    ssl_certificate /etc/letsencrypt/live/NGINX_HOST_PLACEHOLDER/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/NGINX_HOST_PLACEHOLDER/privkey.pem;

    root /opt/app-root/src;
    index index.html index.htm;

    gzip on;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    # Lissi Verifier WebSocket
    location ^~ /stomp {
        proxy_pass http://lissi-verifier:8080;
        # WebSocket support (nginx 1.4)
        # $connection_upgrade is expected to be defined by a map block in the http context of this nginx.conf
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 10m;
        proxy_set_header Origin "";
    }

    # Lissi Verifier API
    location / {
        limit_except GET HEAD POST { deny all; }
        proxy_pass http://lissi-verifier:8080;
    }
}
```
Update the ~/app/client/letsencrypt/create-cert-staging.sh
Replace `-d ${SERVER_PUB_DOMAIN_NAME}` with:

```shell
-d ${SERVER_PUB_DOMAIN_NAME} \
-d verifier.${SERVER_PUB_DOMAIN_NAME}
```

Update the ~/app/client/letsencrypt/create-cert.sh
Replace `-d ${SERVER_PUB_DOMAIN_NAME}` with:

```shell
-d ${SERVER_PUB_DOMAIN_NAME} \
-d verifier.${SERVER_PUB_DOMAIN_NAME}
```
2. Update the .profile
Add the following parameters to the ~/.profile:

```shell
export LISSI_VERIFIER_IMAGE="milissi.azurecr.io/lissi-verifier:X.X.X"
export LISSI_VERIFIER_TENANT_ID="default_tenant"
export LISSI_VERIFIER_WEBHOOK_API_KEY="<RANDOM_KEY>"
```

LISSI_VERIFIER_TENANT_ID determines the tenant that the Lissi Verifier will connect to. The Lissi Verifier will only show proof templates from this tenant.
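The two settings above that carry the security weight of this setup are the loopback-only port binding of the lissi-verifier service and the API-key fragment in the aca-py --webhook-url. The following pre-flight script is an added example (not part of the Lissi documentation or its install scripts): it generates a value for LISSI_VERIFIER_WEBHOOK_API_KEY and checks both settings in a docker-compose.yml; the compose fragment at the bottom is constructed sample data.

```bash
#!/usr/bin/env bash
# Added example, not part of the Lissi documentation: pre-flight checks for
# the lissi-verifier wiring (loopback-only port binding, webhook API-key
# fragment in the aca-py start command).
set -u

# Generate a value for LISSI_VERIFIER_WEBHOOK_API_KEY: 32 random bytes
# from /dev/urandom rendered as 64 hex characters (no openssl needed).
gen_webhook_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Succeed only if every published port of the lissi-verifier service is
# bound to 127.0.0.1, so the container is reachable only through nginx.
check_loopback_binding() {
    local compose_file=$1 ports
    # Collect the '- "host:port:port"' lines inside the lissi-verifier
    # block (two-space service indentation, as in the compose file).
    ports=$(awk '/^  lissi-verifier:/ {in_svc=1; next}
                 in_svc && (/^  [A-Za-z]/ || /^[A-Za-z]/) {in_svc=0}
                 in_svc && /- "[^"]*:[0-9]+:[0-9]+"/ {print}' "$compose_file")
    [ -n "$ports" ] || return 1
    ! printf '%s\n' "$ports" | grep -qv '"127\.0\.0\.1:'
}

# Succeed only if the aca-py --webhook-url for the verifier carries the
# API-key fragment; without it the verifier cannot tell genuine aca-py
# callbacks from anything else that reaches /api/acapy-webhook.
check_webhook_key_fragment() {
    grep -qF -- "--webhook-url 'http://lissi-verifier:8080/api/acapy-webhook#\$LISSI_VERIFIER_WEBHOOK_API_KEY'" "$1"
}

# Constructed sample fragment mirroring the services above (test data only).
sample_compose() {
    cat <<'EOF'
services:
  lissi-verifier:
    ports:
      - "127.0.0.1:8888:8080"
  aries-cloud-agent:
    command: ["-c", "aca-py start --webhook-url 'http://lissi-verifier:8080/api/acapy-webhook#$LISSI_VERIFIER_WEBHOOK_API_KEY'"]
EOF
}

# Run both checks against a compose file; returns non-zero if any fails.
run_checks() {
    local rc=0
    check_loopback_binding "$1" && echo "ok: verifier port loopback-only" || { echo "FAIL: verifier port not loopback-only"; rc=1; }
    check_webhook_key_fragment "$1" && echo "ok: webhook URL has key fragment" || { echo "FAIL: webhook URL lacks key fragment"; rc=1; }
    return $rc
}
```

Run it as `run_checks ~/app/server/docker-compose.yml` after sourcing the script, and paste the output of `gen_webhook_key` into the `<RANDOM_KEY>` placeholder of ~/.profile.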
3. Start the Lissi Verifier
```shell
source ~/.profile
cd ~/app/client
./manage.sh stop
cd ~/app/server
./manage.sh stop
cd ~/app/keycloak
./manage.sh stop
cd ~/app
sh install-lissi.sh
```

During the installation process, you need to manually confirm (U)pdate certificate/(C)cancel with U.
Test the Lissi Verifier
Access your Lissi Verifier instance via https://verifier.<your-domain> and log in with the same credentials used to access the Lissi Agent.