From e9ad7deae26b5bee78e5f5b758f5ec0bc37e5db8 Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 11:45:51 +0100 Subject: [PATCH 01/14] Create openconext-dev client image --- .github/workflows/main.yml | 10 ++++++++++ Dockerfile.sbs-client | 17 +++++++++++++++++ client/apache.conf | 28 ++++++++++++++++++++++++++++ client/package.json | 2 +- 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 Dockerfile.sbs-client create mode 100644 client/apache.conf diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4200da888..871a08bfa 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -353,6 +353,16 @@ jobs: tags: ${{ steps.meta-sbs-server.outputs.tags }} labels: ${{ steps.meta-sbs-server.outputs.labels }} + - name: Build and push Docker SBS-client image + uses: docker/build-push-action@v5 + with: + context: "." + file: "Dockerfile.sbs-client" + pull: true + push: true + tags: ${{ steps.meta-sbs-client.outputs.tags }} + labels: ${{ steps.meta-sbs-client.outputs.labels }} + Schema_pr: name: Update schema cache diff --git a/Dockerfile.sbs-client b/Dockerfile.sbs-client new file mode 100644 index 000000000..9356b26a2 --- /dev/null +++ b/Dockerfile.sbs-client @@ -0,0 +1,17 @@ +# Build SRAM SBS (apache) server image +FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest AS sram-sbs-server +RUN rm -f /etc/apache2/sites-enabled/*.conf +COPY apache.conf /etc/apache2/sites-enabled/apache.conf +RUN a2enmod proxy_wstunnel + +# Set the default workdir +WORKDIR /opt + +# Install SBS +COPY sbs.tar.xz /opt/sbs.tar.xz + +# Untar sbs +RUN tar -Jxf sbs.tar.xz + +#CMD ["bash"] + diff --git a/client/apache.conf b/client/apache.conf new file mode 100644 index 000000000..f3cb61476 --- /dev/null +++ b/client/apache.conf 
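Review bot: The new Dockerfile.sbs-client builds on `apache2:latest`, and the workflow step added in the same patch sets `pull: true`, so every published client image takes whatever the upstream tag points to at build time, with nothing recording which base was used. Pinning the base to a version tag plus digest, `FROM ghcr.io/openconext/openconext-basecontainers/apache2:<tag>@sha256:<digest>` (placeholders, the page gives no version), makes the build reproducible and turns base updates into a reviewed change. The same `:latest` base appears in the Dockerfile.sbs hunks of PATCH 02 and PATCH 08. The header comment also still reads "(apache) server image" although this file builds the client image.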
@@ -0,0 +1,28 @@
+ServerName sbs
+DocumentRoot /var/www/html
+
+Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.dev.openconext.local; frame-ancestors 'none'; block-all-mixed-content;"
+Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()"
+
+#RewriteEngine On
+#RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io)
+#RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
+#RewriteRule ^/(.*)$ /index.html [L]
+
+ProxyRequests off
+ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/
+ProxyPassReverse / http://sbs-server:8080/
+ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/
+ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/
+
+
+ Header set Cache-Control: "public, max-age=31536000, immutable"
+
+
+ Header set Cache-Control: "no-cache, private"
+
+
+
+ Require all granted
+ Options -Indexes
+
diff --git a/client/package.json b/client/package.json
index 040c43981..f35948d6f 100644
--- a/client/package.json
+++ b/client/package.json
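Review bot: The `ProxyPassMatch` alternation ends without a boundary, so any request path that merely begins with one of the listed words (a client route starting with `/info` or `/config`, for instance) is forwarded to `sbs-server` instead of being served from the document root. Closing the group with `(/|$)` limits the forward to the intended prefixes: `ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info)(/|$) http://sbs-server:8080/`. It is also worth confirming that `swagger`, `flasgger_static`, `config` and `info` are meant to be reachable through this front-end proxy at all. The same directive recurs in client/apache-dev.conf (PATCH 08) and etc/apache.conf (PATCH 09); the container tags of this file did not survive on this page, so their scope could not be checked.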
@@ -58,7 +58,7 @@ "ws": "^8.17.1" }, "scripts": { - "start": "DANGEROUSLY_DISABLE_HOST_CHECK=true GENERATE_SOURCEMAP=false HOST=localhost react-scripts start", + "start": "DANGEROUSLY_DISABLE_HOST_CHECK=true GENERATE_SOURCEMAP=false react-scripts start", "build": "DANGEROUSLY_DISABLE_HOST_CHECK=true GENERATE_SOURCEMAP=true react-scripts build", "test": "DANGEROUSLY_DISABLE_HOST_CHECK=true GENERATE_SOURCEMAP=false react-scripts test --transformIgnorePatterns 'node_modules/(?!i18n-js)/'", "analyze": "source-map-explorer build/static/js/main.*.js " From 90784cbf981132720b64467bd84990c329945245 Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 12:54:28 +0100 Subject: [PATCH 02/14] WIP --- .github/workflows/main.yml | 22 +++++++++++++----- Dockerfile.sbs | 47 ++++---------------------------------- Dockerfile.sbs-server | 47 ++++++++++++++++++++++++++++++++++---- 3 files changed, 63 insertions(+), 53 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 871a08bfa..5a19cd64a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -18,6 +18,7 @@ env: REGISTRY: ghcr.io IMAGE_NAME_SBS: surfscz/sram-sbs IMAGE_NAME_SERVER: surfscz/sram-sbs-server + IMAGE_NAME_CLIENT: surfscz/sram-sbs-client jobs: Server_tests: @@ -317,15 +318,15 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # The SBS image - - name: Extract metadata (tags, labels) for SBS image + # The SBS (apache) image + - name: Extract metadata (tags, labels) for SBS-server image id: meta-sbs uses: docker/metadata-action@v5 with: images: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_SBS }} - - name: Build and push Docker SBS image + - name: Build and push Docker SBS-server image uses: docker/build-push-action@v5 with: context: "." 
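Review bot: Removing `HOST=localhost` from the `start` script while `DANGEROUSLY_DISABLE_HOST_CHECK=true` stays in place leaves the development server with neither restriction: it is no longer told to bind to loopback only, and it still accepts requests with any Host header. If the wider bind is needed so the dev server can be reached from the proxy container, the Host check is the control worth restoring, or the dev server's port should stay unpublished outside the compose network. The `build` and `test` scripts carry the same flag but do not start a listener, so the exposure is specific to `start`.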
@@ -335,15 +336,15 @@ jobs: tags: ${{ steps.meta-sbs.outputs.tags }} labels: ${{ steps.meta-sbs.outputs.labels }} - # The SBS (apache) server image - - name: Extract metadata (tags, labels) for SBS-server image + # The SBS server image + - name: Extract metadata (tags, labels) for SBS image id: meta-sbs-server uses: docker/metadata-action@v5 with: images: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_SERVER }} - - name: Build and push Docker SBS-server image + - name: Build and push Docker SBS image uses: docker/build-push-action@v5 with: context: "." @@ -353,6 +354,15 @@ jobs: tags: ${{ steps.meta-sbs-server.outputs.tags }} labels: ${{ steps.meta-sbs-server.outputs.labels }} + + # The SBS client image + - name: Extract metadata (tags, labels) for SBS-server image + id: meta-sbs-client + uses: docker/metadata-action@v5 + with: + images: | + ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_CLIENT }} + - name: Build and push Docker SBS-client image uses: docker/build-push-action@v5 with: diff --git a/Dockerfile.sbs b/Dockerfile.sbs index 9d050602b..8f6b045d0 100644 --- a/Dockerfile.sbs +++ b/Dockerfile.sbs 
@@ -1,47 +1,10 @@ -# First build SRAM SBS image -FROM python:3.11-slim-bookworm AS sram-sbs - -# Do an initial clean up and general upgrade of the distribution -ENV DEBIAN_FRONTEND noninteractive -RUN apt clean && apt autoclean && apt update -RUN apt -y upgrade && apt -y dist-upgrade - -# Install the packages we need -RUN apt install -y curl \ - git \ - build-essential \ - pkgconf \ - python3-dev \ - default-libmysqlclient-dev \ - libxmlsec1-dev - -# Clean up -RUN apt autoremove -y && apt clean && apt autoclean && rm -rf /var/lib/apt/lists/* +# Build SRAM SBS (apache) server image +FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest AS sram-sbs-server +RUN rm -f /etc/apache2/sites-enabled/*.conf +RUN a2enmod proxy_wstunnel # Set the default workdir WORKDIR /opt -# Install SBS -COPY sbs.tar.xz /opt/sbs.tar.xz - -# Untar sbs -RUN tar -Jxf sbs.tar.xz - -# Create venv dir -#RUN virtualenv /opt/sbs - -#RUN . /opt/sbs/bin/activate && \ -RUN pip install -r /opt/sbs/server/requirements/test.txt - -# Copy entrypoint -COPY misc/entrypoint.sh /entrypoint.sh -RUN chmod 755 /entrypoint.sh - -# Set the default workdir -WORKDIR /opt/sbs - -EXPOSE 8080 - -ENTRYPOINT ["/entrypoint.sh"] #CMD ["bash"] -CMD ["/usr/local/bin/gunicorn --worker-class eventlet --workers 8 --bind 0.0.0.0:8080 server.__main__:app"] + diff --git a/Dockerfile.sbs-server b/Dockerfile.sbs-server index 8f6b045d0..9d050602b 100644 --- a/Dockerfile.sbs-server +++ b/Dockerfile.sbs-server 
@@ -1,10 +1,47 @@ -# Build SRAM SBS (apache) server image -FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest AS sram-sbs-server -RUN rm -f /etc/apache2/sites-enabled/*.conf -RUN a2enmod proxy_wstunnel +# First build SRAM SBS image +FROM python:3.11-slim-bookworm AS sram-sbs + +# Do an initial clean up and general upgrade of the distribution +ENV DEBIAN_FRONTEND noninteractive +RUN apt clean && apt autoclean && apt update +RUN apt -y upgrade && apt -y dist-upgrade + +# Install the packages we need +RUN apt install -y curl \ + git \ + build-essential \ + pkgconf \ + python3-dev \ + default-libmysqlclient-dev \ + libxmlsec1-dev + +# Clean up +RUN apt autoremove -y && apt clean && apt autoclean && rm -rf /var/lib/apt/lists/* # Set the default workdir WORKDIR /opt -#CMD ["bash"] +# Install SBS +COPY sbs.tar.xz /opt/sbs.tar.xz + +# Untar sbs +RUN tar -Jxf sbs.tar.xz + +# Create venv dir +#RUN virtualenv /opt/sbs +#RUN . /opt/sbs/bin/activate && \ +RUN pip install -r /opt/sbs/server/requirements/test.txt + +# Copy entrypoint +COPY misc/entrypoint.sh /entrypoint.sh +RUN chmod 755 /entrypoint.sh + +# Set the default workdir +WORKDIR /opt/sbs + +EXPOSE 8080 + +ENTRYPOINT ["/entrypoint.sh"] +#CMD ["bash"] +CMD ["/usr/local/bin/gunicorn --worker-class eventlet --workers 8 --bind 0.0.0.0:8080 server.__main__:app"] From 40c05b700fd9a4b47ebfa92448d09fb752c5660f Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 13:07:45 +0100 Subject: [PATCH 03/14] WIP --- .github/workflows/main.yml | 6 +++--- Dockerfile.sbs-client | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 5a19cd64a..cc0fb1ca3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
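Review bot: `CMD` in the new Dockerfile.sbs-server is a one-element JSON array holding the whole gunicorn command line, which only works because misc/entrypoint.sh expands `$@` unquoted and lets the shell split it; quoting that expansion later would break start-up. Splitting the arguments keeps the exec form honest: `CMD ["/usr/local/bin/gunicorn", "--worker-class", "eventlet", "--workers", "8", "--bind", "0.0.0.0:8080", "server.__main__:app"]`. Separately, the image installs `server/requirements/test.txt` and keeps `build-essential`, `git` and `curl` in its layers, so test-only packages and a compiler toolchain ship in the pushed server image. The hunk moves this content over from Dockerfile.sbs, so both points are carried over rather than introduced here.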
@@ -326,7 +326,7 @@ jobs: images: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_SBS }} - - name: Build and push Docker SBS-server image + - name: Build and push Docker SBS image uses: docker/build-push-action@v5 with: context: "." @@ -344,7 +344,7 @@ jobs: images: | ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_SERVER }} - - name: Build and push Docker SBS image + - name: Build and push Docker SBS-server image uses: docker/build-push-action@v5 with: context: "." @@ -356,7 +356,7 @@ jobs: # The SBS client image - - name: Extract metadata (tags, labels) for SBS-server image + - name: Extract metadata (tags, labels) for SBS-client image id: meta-sbs-client uses: docker/metadata-action@v5 with: diff --git a/Dockerfile.sbs-client b/Dockerfile.sbs-client index 9356b26a2..970356182 100644 --- a/Dockerfile.sbs-client +++ b/Dockerfile.sbs-client @@ -1,7 +1,7 @@ # Build SRAM SBS (apache) server image FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest AS sram-sbs-server RUN rm -f /etc/apache2/sites-enabled/*.conf -COPY apache.conf /etc/apache2/sites-enabled/apache.conf +COPY client/apache.conf /etc/apache2/sites-enabled/apache.conf RUN a2enmod proxy_wstunnel # Set the default workdir From 7e8d0d0517772b0782a47e58352f8b45ced418aa Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 13:29:06 +0100 Subject: [PATCH 04/14] WIP --- Dockerfile.sbs-client | 4 +++- Dockerfile.sbs-server | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile.sbs-client b/Dockerfile.sbs-client index 970356182..3135f7379 100644 --- a/Dockerfile.sbs-client +++ b/Dockerfile.sbs-client 
@@ -1,7 +1,9 @@ # Build SRAM SBS (apache) server image -FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest AS sram-sbs-server +FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest AS sram-sbs-client + RUN rm -f /etc/apache2/sites-enabled/*.conf COPY client/apache.conf /etc/apache2/sites-enabled/apache.conf + RUN a2enmod proxy_wstunnel # Set the default workdir diff --git a/Dockerfile.sbs-server b/Dockerfile.sbs-server index 9d050602b..614a028cf 100644 --- a/Dockerfile.sbs-server +++ b/Dockerfile.sbs-server @@ -1,5 +1,5 @@ # First build SRAM SBS image -FROM python:3.11-slim-bookworm AS sram-sbs +FROM python:3.11-slim-bookworm AS sram-sbs-server # Do an initial clean up and general upgrade of the distribution ENV DEBIAN_FRONTEND noninteractive From 12334760c2ac7e9b7e15586653e3fd8f833520c3 Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 13:44:38 +0100 Subject: [PATCH 05/14] Add debug step --- .github/workflows/main.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cc0fb1ca3..42ccbceb1 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -373,6 +373,16 @@ jobs: tags: ${{ steps.meta-sbs-client.outputs.tags }} labels: ${{ steps.meta-sbs-client.outputs.labels }} + # Setup tmate session + - name: Setup tmate session + env: + ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG}} + if: ${{ failure() && env.ACTIONS_STEP_DEBUG == 'true' }} + uses: mxschmitt/action-tmate@v3 + with: + limit-access-to-actor: true + timeout-minutes: 60 + Schema_pr: name: Update schema cache From 1ca9ac884c39b5d9765d30f98f458952aacf94ec Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 14:27:57 +0100 Subject: [PATCH 06/14] WIP --- Dockerfile.sbs-client | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Dockerfile.sbs-client b/Dockerfile.sbs-client index 3135f7379..a2f3229ec 100644 --- a/Dockerfile.sbs-client 
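Review bot: The added tmate step opens an interactive shell on the runner in the workflow that logs in to the registry with `secrets.GITHUB_TOKEN` and pushes images, so whoever attaches can use that registry session for up to the 60-minute timeout. `limit-access-to-actor: true` and the `ACTIONS_STEP_DEBUG` gate narrow who can attach and when, but `mxschmitt/action-tmate@v3` is a third-party action referenced by a movable tag. Pinning it to a full commit, `uses: mxschmitt/action-tmate@<full-commit-sha> # v3` (placeholder), fixes the code that is given this access. If the step is only needed while the image build is being debugged, removing it before the series is merged avoids leaving the door in the release workflow.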
+++ b/Dockerfile.sbs-client @@ -1,6 +1,17 @@ # Build SRAM SBS (apache) server image FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest AS sram-sbs-client +# Do an initial clean up and general upgrade of the distribution +ENV DEBIAN_FRONTEND noninteractive +RUN apt clean && apt autoclean && apt update +RUN apt -y upgrade && apt -y dist-upgrade + +# Install the packages we need +RUN apt install -y xz-utils + +# Clean up +RUN apt autoremove -y && apt clean && apt autoclean && rm -rf /var/lib/apt/lists/* + RUN rm -f /etc/apache2/sites-enabled/*.conf COPY client/apache.conf /etc/apache2/sites-enabled/apache.conf @@ -16,4 +27,3 @@ COPY sbs.tar.xz /opt/sbs.tar.xz RUN tar -Jxf sbs.tar.xz #CMD ["bash"] - From 24ed38c6f5d65e5b5b5bb2ebb8ff9b71a2cc615b Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 15:08:40 +0100 Subject: [PATCH 07/14] WIP --- client/apache.conf | 49 ++++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/client/apache.conf b/client/apache.conf index f3cb61476..640a553c2 100644 --- a/client/apache.conf +++ b/client/apache.conf 
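Review bot: The added apt block spreads one operation over four `RUN` layers: `apt update` is cached separately from `apt install -y xz-utils`, so a later rebuild can install from a stale index, and the final `rm -rf /var/lib/apt/lists/*` cannot shrink layers that were already written. Folding it into one step, `RUN apt-get update && apt-get install -y --no-install-recommends xz-utils && rm -rf /var/lib/apt/lists/*`, keeps index, install and cleanup together. `ENV DEBIAN_FRONTEND noninteractive` also persists into the running container; setting it inline on the `RUN` avoids that. The blanket `apt -y upgrade && apt -y dist-upgrade` makes the image contents depend on the build date, which a pinned and regularly bumped base image handles more predictably; the same block is added to Dockerfile.sbs in PATCH 08.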
@@ -1,28 +1,31 @@ -ServerName sbs -DocumentRoot /var/www/html +Listen 8080 + + ServerName sbs + DocumentRoot /opt/sbs/client/build -Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.dev.openconext.local; frame-ancestors 'none'; block-all-mixed-content;" -Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()" + Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.dev.openconext.local; frame-ancestors 'none'; block-all-mixed-content;" + Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()" -#RewriteEngine On -#RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io) -#RewriteCond 
%{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f -#RewriteRule ^/(.*)$ /index.html [L] + #RewriteEngine On + #RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io) + #RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f + #RewriteRule ^/(.*)$ /index.html [L] -ProxyRequests off -ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/ -ProxyPassReverse / http://sbs-server:8080/ -ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/ -ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/ + ProxyRequests off + ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/ + ProxyPassReverse / http://sbs-server:8080/ + ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/ + ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/ - - Header set Cache-Control: "public, max-age=31536000, immutable" - - - Header set Cache-Control: "no-cache, private" - + + Header set Cache-Control: "public, max-age=31536000, immutable" + + + Header set Cache-Control: "no-cache, private" + - - Require all granted - Options -Indexes - + + Require all granted + Options -Indexes + + From e9692226b7e35bf80e02dd98a63167063351c01d Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 15:36:55 +0100 Subject: [PATCH 08/14] WIP --- Dockerfile.sbs | 11 ++++++++++- client/apache-dev.conf | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 client/apache-dev.conf diff --git a/Dockerfile.sbs b/Dockerfile.sbs index 8f6b045d0..dac4d1132 100644 --- a/Dockerfile.sbs +++ b/Dockerfile.sbs 
@@ -1,7 +1,16 @@ # Build SRAM SBS (apache) server image FROM ghcr.io/openconext/openconext-basecontainers/apache2:latest AS sram-sbs-server + +# Do an initial clean up and general upgrade of the distribution +ENV DEBIAN_FRONTEND noninteractive +RUN apt clean && apt autoclean && apt update +RUN apt -y upgrade && apt -y dist-upgrade + +# Clean up +RUN apt autoremove -y && apt clean && apt autoclean && rm -rf /var/lib/apt/lists/* + RUN rm -f /etc/apache2/sites-enabled/*.conf -RUN a2enmod proxy_wstunnel +COPY client/apache-dev.conf /etc/apache2/sites-enabled/apache.conf # Set the default workdir WORKDIR /opt diff --git a/client/apache-dev.conf b/client/apache-dev.conf new file mode 100644 index 000000000..91324db27 --- /dev/null +++ b/client/apache-dev.conf 
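Review bot: This hunk removes `RUN a2enmod proxy_wstunnel` while the config it now copies, client/apache-dev.conf, still proxies `/socket.io/` to a `ws://` backend, which relies on that module being loaded. Unless the base image already enables it, websocket requests through this image will presumably fail at request time rather than at build time, so the break is easy to miss. Keeping `RUN a2enmod proxy_wstunnel` after the `COPY`, as Dockerfile.sbs-client does, avoids depending on the base image's defaults.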
@@ -0,0 +1,33 @@
+Listen 8080
+
+ ServerName sbs
+ DocumentRoot /var/www/html
+
+ Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.dev.openconext.local; frame-ancestors 'none'; block-all-mixed-content;"
+ Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()"
+
+ #RewriteEngine On
+ #RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io)
+ #RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
+ #RewriteRule ^/(.*)$ /index.html [L]
+
+ ProxyRequests off
+ ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/
+ ProxyPassReverse / http://sbs-server:8080/
+ ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/
+ ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/
+ ProxyPass / http://sbs-client:8080/
+ ProxyPassReverse / http://sbs-client:8080/
+
+
+ Header set Cache-Control: "public, max-age=31536000, immutable"
+
+
+ Header set Cache-Control: "no-cache, private"
+
+
+
+ Require all granted
+ Options -Indexes
+
+
From 03558ab88ae7a5abae4c9931e78634930bef8bd6 Mon Sep 17 00:00:00 2001
From: Martin van Es Date: Mon, 18 Nov 2024 16:13:26 +0100 Subject: [PATCH 09/14] WIP --- Dockerfile.sbs | 2 +- Dockerfile.sbs-client | 2 +- client/apache.conf | 31 ---------------------- {client => etc}/apache-dev.conf | 0 etc/apache.conf | 46 +++++++++++++++++++-------------- misc/entrypoint.sh | 8 +++--- 6 files changed, 33 insertions(+), 56 deletions(-) delete mode 100644 client/apache.conf rename {client => etc}/apache-dev.conf (100%) diff --git a/Dockerfile.sbs b/Dockerfile.sbs index dac4d1132..0adb530d2 100644 --- a/Dockerfile.sbs +++ b/Dockerfile.sbs @@ -10,7 +10,7 @@ RUN apt -y upgrade && apt -y dist-upgrade RUN apt autoremove -y && apt clean && apt autoclean && rm -rf /var/lib/apt/lists/* RUN rm -f /etc/apache2/sites-enabled/*.conf -COPY client/apache-dev.conf /etc/apache2/sites-enabled/apache.conf +COPY etc/apache-dev.conf /etc/apache2/sites-enabled/apache.conf # Set the default workdir WORKDIR /opt diff --git a/Dockerfile.sbs-client b/Dockerfile.sbs-client index a2f3229ec..5baf2a2e3 100644 --- a/Dockerfile.sbs-client +++ b/Dockerfile.sbs-client @@ -13,7 +13,7 @@ RUN apt install -y xz-utils RUN apt autoremove -y && apt clean && apt autoclean && rm -rf /var/lib/apt/lists/* RUN rm -f /etc/apache2/sites-enabled/*.conf -COPY client/apache.conf /etc/apache2/sites-enabled/apache.conf +COPY etc/apache.conf /etc/apache2/sites-enabled/apache.conf RUN a2enmod proxy_wstunnel diff --git a/client/apache.conf b/client/apache.conf deleted file mode 100644 index 640a553c2..000000000 --- a/client/apache.conf +++ /dev/null 
@@ -1,31 +0,0 @@
-Listen 8080
-
- ServerName sbs
- DocumentRoot /opt/sbs/client/build
-
- Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.dev.openconext.local; frame-ancestors 'none'; block-all-mixed-content;"
- Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()"
-
- #RewriteEngine On
- #RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io)
- #RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f
- #RewriteRule ^/(.*)$ /index.html [L]
-
- ProxyRequests off
- ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/
- ProxyPassReverse / http://sbs-server:8080/
- ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/
- ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/
-
-
- Header set Cache-Control: "public, max-age=31536000, immutable"
-
-
- Header set Cache-Control: "no-cache, private"
-
-
-
- Require all granted
- Options -Indexes
-
-
diff --git a/client/apache-dev.conf b/etc/apache-dev.conf
similarity index 100%
rename from client/apache-dev.conf
rename to etc/apache-dev.conf
diff --git a/etc/apache.conf b/etc/apache.conf
index 22752c74a..640a553c2 100644
--- a/etc/apache.conf
+++ b/etc/apache.conf
@@ -1,23 +1,31 @@ -# ServerName {{ hostnames.sbs }} -#ErrorLog /proc/self/fd/2 -#CustomLog /proc/self/fd/1 common -DocumentRoot /var/www/html +Listen 8080 + + ServerName sbs + DocumentRoot /opt/sbs/client/build -# Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.{{ base_domain }}; frame-ancestors 'none'; block-all-mixed-content;" -# Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()" + Header set Content-Security-Policy "default-src 'self'; base-uri 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'; form-action 'self' https://*.dev.openconext.local; frame-ancestors 'none'; block-all-mixed-content;" + Header set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(self), gamepad=(), speaker-selection=()" -RewriteEngine On -RewriteCond %{REQUEST_URI} 
!^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io) -RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f -RewriteRule ^/(.*)$ /index.html [L] + #RewriteEngine On + #RewriteCond %{REQUEST_URI} !^/(api|pam-weblogin|flasgger_static|swagger|health|config|info|socket.io) + #RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-f + #RewriteRule ^/(.*)$ /index.html [L] -ProxyRequests off -ProxyPass /socket.io/ ws://server:8080/socket.io/ -ProxyPassReverse /socket.io/ ws://server:8080/socket.io/ -ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://server:8080/ -ProxyPassReverse / http://server:8080/ + ProxyRequests off + ProxyPassMatch ^/(api|pam-weblogin|flasgger_static|swagger|health|config|info) http://sbs-server:8080/ + ProxyPassReverse / http://sbs-server:8080/ + ProxyPass /socket.io/ ws://sbs-server:8080/socket.io/ + ProxyPassReverse /socket.io/ ws://sbs-server:8080/socket.io/ - - Require all granted - Options -Indexes - + + Header set Cache-Control: "public, max-age=31536000, immutable" + + + Header set Cache-Control: "no-cache, private" + + + + Require all granted + Options -Indexes + + diff --git a/misc/entrypoint.sh b/misc/entrypoint.sh index e0141cce1..aed9aa15a 100644 --- a/misc/entrypoint.sh +++ b/misc/entrypoint.sh 
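Review bot: The Content-Security-Policy now active in etc/apache.conf hard-codes `https://*.dev.openconext.local` in `form-action`, where the commented-out line it replaces was templated on `{{ base_domain }}`. An image built from this file and served under any other domain would either block form posts to its login endpoints or push someone to drop the header, so the domain is better supplied at start-up, for example through Apache's `${VAR}` substitution: `form-action 'self' https://*.${BASE_DOMAIN}` (variable name is a placeholder). The hunk also comments out the `RewriteEngine` block that sent unknown paths to `/index.html`; unless one of the container sections that did not survive on this page provides a fallback, deep links into the client will presumably return 404.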
@@ -15,10 +15,10 @@ rm -f /opt/sbs/server/config/config.yml rm -f /opt/sbs/server/migrations/alembic.ini rm -f /opt/sbs/client/build/static/disclaimer.css rm -rf /opt/sbs/server/config/saml/saml -ln -s /opt/sbs/config/config.yml /opt/sbs/server/config/config.yml -ln -s /opt/sbs/config/alembic.ini /opt/sbs/server/migrations/alembic.ini -ln -s /opt/sbs/config/saml /opt/sbs/server/config/saml -cp /opt/sbs/config/disclaimer.css /opt/sbs/client/build/static/disclaimer.css +cp /opt/sbs/config/config.yml /opt/sbs/server/config/config.yml +cp /opt/sbs/config/alembic.ini /opt/sbs/server/migrations/alembic.ini +cp /opt/sbs/config/disclaimer.css /opt/sbs/client/build/static/disclaimer.css +cp /opt/sbs/config/saml /opt/sbs/server/config/saml if [ -e "/opt/sbs/cert/frontend.crt" ] then From f8a90c53956e22365ae0e9e35183bf51dbd0f2d4 Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 16:26:06 +0100 Subject: [PATCH 10/14] WIP --- misc/entrypoint.sh | 2 +- server/migrations/alembic.ini | 9 ++++----- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/misc/entrypoint.sh b/misc/entrypoint.sh index aed9aa15a..d1020ed44 100644 --- a/misc/entrypoint.sh +++ b/misc/entrypoint.sh @@ -18,7 +18,7 @@ rm -rf /opt/sbs/server/config/saml/saml cp /opt/sbs/config/config.yml /opt/sbs/server/config/config.yml cp /opt/sbs/config/alembic.ini /opt/sbs/server/migrations/alembic.ini cp /opt/sbs/config/disclaimer.css /opt/sbs/client/build/static/disclaimer.css -cp /opt/sbs/config/saml /opt/sbs/server/config/saml +cp -r /opt/sbs/config/saml /opt/sbs/server/config/saml if [ -e "/opt/sbs/cert/frontend.crt" ] then diff --git a/server/migrations/alembic.ini b/server/migrations/alembic.ini index 22bb24e88..361364763 100644 --- a/server/migrations/alembic.ini +++ b/server/migrations/alembic.ini 
@@ -35,7 +35,7 @@ script_location = migrations # are written from script.py.mako # output_encoding = utf-8 -sqlalchemy.url = mysql+mysqldb://sbs:sbs@127.0.0.1/sbs +sqlalchemy.url = mysql+mysqldb://sbs:secret@mariadb/sbs?charset=utf8mb4 # Logging configuration @@ -49,9 +49,8 @@ keys = console keys = generic [logger_root] -level = WARN +level = NOTSET handlers = console -qualname = [logger_sqlalchemy] level = WARN @@ -66,9 +65,9 @@ qualname = alembic [handler_console] class = StreamHandler args = (sys.stderr,) -level = NOTSET +level = DEBUG formatter = generic [formatter_generic] format = %(levelname)-5.5s [%(name)s] %(message)s -datefmt = %H:%M:%S \ No newline at end of file +datefmt = %H:%M:%S From b503614c01a6ac482d5fd6a86c2e4dbdffb84322 Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Mon, 18 Nov 2024 16:45:14 +0100 Subject: [PATCH 11/14] WIP --- misc/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) mode change 100644 => 100755 misc/entrypoint.sh diff --git a/misc/entrypoint.sh b/misc/entrypoint.sh old mode 100644 new mode 100755 index d1020ed44..7245c500d --- a/misc/entrypoint.sh +++ b/misc/entrypoint.sh @@ -18,7 +18,7 @@ rm -rf /opt/sbs/server/config/saml/saml cp /opt/sbs/config/config.yml /opt/sbs/server/config/config.yml cp /opt/sbs/config/alembic.ini /opt/sbs/server/migrations/alembic.ini cp /opt/sbs/config/disclaimer.css /opt/sbs/client/build/static/disclaimer.css -cp -r /opt/sbs/config/saml /opt/sbs/server/config/saml +cp -rf /opt/sbs/config/saml /opt/sbs/server/config if [ -e "/opt/sbs/cert/frontend.crt" ] then From 3155a2047eeb5c8030fb92742c70fe14e54fc4da Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Tue, 19 Nov 2024 11:09:22 +0100 Subject: [PATCH 12/14] WIP --- docker-compose.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 8977676be..b7eef9e2f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
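Review bot: The new `sqlalchemy.url` commits a database password (`sbs:secret@mariadb`) into server/migrations/alembic.ini. misc/entrypoint.sh copies `/opt/sbs/config/alembic.ini` over this file at start, so the committed value looks like a development default; a non-working placeholder such as `sqlalchemy.url = mysql+mysqldb://sbs:CHANGE_ME@mariadb/sbs?charset=utf8mb4` keeps a real-looking credential out of the repository and makes a missing override fail loudly. The other two hunks in this file lower the root logger from `WARN` to `NOTSET` and set the console handler to `DEBUG`, so any logger without its own level now writes debug output to stderr; worth confirming that this is intended outside local development.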
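Review bot: `cp -rf /opt/sbs/config/saml /opt/sbs/server/config` in PATCH 11 merges into an existing `/opt/sbs/server/config/saml`, and the cleanup line above it removes `/opt/sbs/server/config/saml/saml`, not the directory itself. Files that were deleted from the mounted SAML config, or that came with the image, therefore stay in place when the container is restarted, which for metadata and certificates means a rotated or withdrawn file can remain in effect. Changing the cleanup to `rm -rf /opt/sbs/server/config/saml` before the copy makes the destination mirror the source. The rest of the script lies outside this hunk.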
@@ -7,7 +7,7 @@ volumes: services: redis: - image: "docker.io/redis" + image: "redis" container_name: "sbs-redis" client: @@ -73,4 +73,5 @@ services: ports: - "8978:8978" volumes: - - "cloudbeaver:/opt/cloudbeaver/workspace" \ No newline at end of file + - "cloudbeaver:/opt/cloudbeaver/workspace" + From dae4b4d648f6d48729d93964e2809836bf6c100a Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Wed, 20 Nov 2024 09:12:53 +0100 Subject: [PATCH 13/14] Fix entrypoint.sh --- misc/entrypoint.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/misc/entrypoint.sh b/misc/entrypoint.sh index 7245c500d..70a831bb5 100755 --- a/misc/entrypoint.sh +++ b/misc/entrypoint.sh @@ -41,9 +41,6 @@ then echo "New id is $($PRIVDROP id -u):$($PRIVDROP id -g)" fi - -cd /opt/sbs - # Run migrations _RUN_MIGRATIONS=${RUN_MIGRATIONS:-0} _MIGRATIONS_ONLY=${MIGRATIONS_ONLY:-0} @@ -60,5 +57,7 @@ then fi fi +cd /opt/sbs + # Hand off to the CMD exec ${PRIVDROP} $@ \ No newline at end of file From c19aef3982b5d7d8429ab0bae76846c20e6e2f68 Mon Sep 17 00:00:00 2001 From: Martin van Es Date: Tue, 3 Dec 2024 09:33:47 +0100 Subject: [PATCH 14/14] Fix entrypoint.sh --- misc/entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/misc/entrypoint.sh b/misc/entrypoint.sh index 70a831bb5..a2d12a8b4 100755 --- a/misc/entrypoint.sh +++ b/misc/entrypoint.sh @@ -41,6 +41,8 @@ then echo "New id is $($PRIVDROP id -u):$($PRIVDROP id -g)" fi +cd /opt/sbs + # Run migrations _RUN_MIGRATIONS=${RUN_MIGRATIONS:-0} _MIGRATIONS_ONLY=${MIGRATIONS_ONLY:-0} @@ -57,7 +59,5 @@ then fi fi -cd /opt/sbs - # Hand off to the CMD -exec ${PRIVDROP} $@ \ No newline at end of file +exec ${PRIVDROP} $@
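Review bot: `image: "redis"` names neither a registry nor a tag, so it resolves to whatever `latest` is on the runtime's default registry at pull time, and this hunk removes the explicit `docker.io/` qualifier that the old line had. Keeping the registry and adding a version, `image: "docker.io/redis:<version>"` (placeholder, ideally with a digest), makes the compose environment reproducible and avoids resolving the short name against a different registry on hosts configured with other search registries. The second hunk in this file only adds a trailing newline.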