From c8d87a936b358f985dc841878e2376e2b5e8fd7e Mon Sep 17 00:00:00 2001 From: Georgios Kalpakas Date: Mon, 27 Feb 2017 12:11:55 +0200 Subject: [PATCH] feat(aio): add support for HTTPS (certificates provided by host - fallback to self-signed) --- aio/aio-builds-setup/dockerbuild/Dockerfile | 23 +++++++++++++++++-- .../dockerbuild/nginx/aio-builds.conf | 14 +++++++++-- .../scripts-js/lib/verify-setup/helper.ts | 9 +------- .../scripts-sh/upload-server-prod.sh | 1 + aio/aio-builds-setup/docs/NOTES.md | 7 +++--- 5 files changed, 38 insertions(+), 16 deletions(-) mode change 100755 => 100644 aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh diff --git a/aio/aio-builds-setup/dockerbuild/Dockerfile b/aio/aio-builds-setup/dockerbuild/Dockerfile index a69b76d248..3d8469a606 100644 --- a/aio/aio-builds-setup/dockerbuild/Dockerfile +++ b/aio/aio-builds-setup/dockerbuild/Dockerfile @@ -11,14 +11,15 @@ VOLUME /var/www/aio-builds EXPOSE 80 443 ENV AIO_BUILDS_DIR=/var/www/aio-builds TEST_AIO_BUILDS_DIR=/tmp/aio-builds \ + AIO_DOMAIN_NAME=ngbuilds.io TEST_AIO_DOMAIN_NAME=test-ngbuilds.io \ AIO_GITHUB_TOKEN= TEST_AIO_GITHUB_TOKEN= \ - AIO_NGINX_HOSTNAME=nginx-prod.localhost TEST_AIO_NGINX_HOSTNAME=nginx-test.localhost \ + AIO_NGINX_HOSTNAME=nginx.localhost TEST_AIO_NGINX_HOSTNAME=nginx.localhost \ AIO_NGINX_PORT_HTTP=80 TEST_AIO_NGINX_PORT_HTTP=8080 \ AIO_NGINX_PORT_HTTPS=443 TEST_AIO_NGINX_PORT_HTTPS=4433 \ AIO_REPO_SLUG=angular/angular TEST_AIO_REPO_SLUG= \ AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js \ AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh \ - AIO_UPLOAD_HOSTNAME=upload-prod.localhost TEST_AIO_UPLOAD_HOSTNAME=upload-test.localhost \ + AIO_UPLOAD_HOSTNAME=upload.localhost TEST_AIO_UPLOAD_HOSTNAME=upload.localhost \ AIO_UPLOAD_MAX_SIZE=20971520 TEST_AIO_UPLOAD_MAX_SIZE=20971520 \ AIO_UPLOAD_PORT=3000 TEST_AIO_UPLOAD_PORT=3001 \ NODE_ENV=production @@ -43,6 +44,7 @@ RUN apt-get update -y && apt-get install -y \ nano \ nginx \ nodejs \ + openssl \ rsyslog \ yarn RUN yarn global add pm2 @@ -62,12 +64,27 @@ RUN sed -i "s|{{\$TEST_AIO_NGINX_HOSTNAME}}|$TEST_AIO_NGINX_HOSTNAME|" /etc/dnsm RUN sed -i "s|{{\$TEST_AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/dnsmasq.conf +# Set up SSL/TLS certificates +RUN mkdir -p /etc/ssl/localcerts +RUN openssl req -days 365 -newkey rsa:2048 -nodes -sha256 -x509 -subj "/CN=$AIO_NGINX_HOSTNAME" \ + -out /etc/ssl/localcerts/$AIO_DOMAIN_NAME.crt \ + -keyout /etc/ssl/localcerts/$AIO_DOMAIN_NAME.key +RUN openssl req -days 365 -newkey rsa:2048 -nodes -sha256 -x509 -subj "/CN=$TEST_AIO_NGINX_HOSTNAME" \ + -out /etc/ssl/localcerts/$TEST_AIO_DOMAIN_NAME.crt \ + -keyout /etc/ssl/localcerts/$TEST_AIO_DOMAIN_NAME.key +RUN chmod -R 400 /etc/ssl/localcerts +RUN cp /etc/ssl/localcerts/*.crt /usr/local/share/ca-certificates +RUN update-ca-certificates + + # Set up nginx (for production and testing) RUN rm /etc/nginx/sites-enabled/* COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-prod.conf +RUN sed -i "s|{{\$AIO_DOMAIN_NAME}}|$AIO_DOMAIN_NAME|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-prod.conf +RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTPS}}|$AIO_NGINX_PORT_HTTPS|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-prod.conf @@ -75,7 +92,9 @@ RUN ln -s /etc/nginx/sites-available/aio-builds-prod.conf /etc/nginx/sites-enabl COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$TEST_AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-test.conf +RUN sed -i "s|{{\$AIO_DOMAIN_NAME}}|$TEST_AIO_DOMAIN_NAME|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$TEST_AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-test.conf +RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTPS}}|$TEST_AIO_NGINX_PORT_HTTPS|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$TEST_AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$TEST_AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-test.conf diff --git a/aio/aio-builds-setup/dockerbuild/nginx/aio-builds.conf b/aio/aio-builds-setup/dockerbuild/nginx/aio-builds.conf index 26975a4ad9..d6d879a977 100644 --- a/aio/aio-builds-setup/dockerbuild/nginx/aio-builds.conf +++ b/aio/aio-builds-setup/dockerbuild/nginx/aio-builds.conf @@ -1,9 +1,14 @@ # Serve PR-preview requests server { + server_name "~^pr(?[1-9][0-9]*)-(?[0-9a-f]{40})\."; + listen {{$AIO_NGINX_PORT_HTTP}}; listen [::]:{{$AIO_NGINX_PORT_HTTP}}; + listen {{$AIO_NGINX_PORT_HTTPS}} ssl; + listen [::]:{{$AIO_NGINX_PORT_HTTPS}} ssl; - server_name "~^pr(?[1-9][0-9]*)-(?[0-9a-f]{40})\."; + ssl_certificate /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.crt; + ssl_certificate_key /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.key; root {{$AIO_BUILDS_DIR}}/$pr/$sha; disable_symlinks on from=$document_root; @@ -16,10 +21,15 @@ server { # Handle all other requests server { + server_name _; + listen {{$AIO_NGINX_PORT_HTTP}} default_server; listen [::]:{{$AIO_NGINX_PORT_HTTP}}; + listen {{$AIO_NGINX_PORT_HTTPS}} ssl default_server; + listen [::]:{{$AIO_NGINX_PORT_HTTPS}} ssl; - server_name _; + ssl_certificate /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.crt; + ssl_certificate_key /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.key; # Health check location "~^\/health-check\/?$" { diff --git a/aio/aio-builds-setup/dockerbuild/scripts-js/lib/verify-setup/helper.ts b/aio/aio-builds-setup/dockerbuild/scripts-js/lib/verify-setup/helper.ts index 045464398a..ae119395dd 100644 --- a/aio/aio-builds-setup/dockerbuild/scripts-js/lib/verify-setup/helper.ts +++ b/aio/aio-builds-setup/dockerbuild/scripts-js/lib/verify-setup/helper.ts @@ -110,14 +110,7 @@ class Helper { } public runForAllSupportedSchemes(suiteFactory: TestSuiteFactory) { - Object.keys(this.portPerScheme).forEach(scheme => { - // TODO (gkalpak): Enable HTTPS tests - if (scheme === 'https') { - return it('should have tests'); - } - - suiteFactory(scheme, this.portPerScheme[scheme]); - }); + Object.keys(this.portPerScheme).forEach(scheme => suiteFactory(scheme, this.portPerScheme[scheme])); } public verifyResponse(status: number | [number, string], regex = /^/): VerifyCmdResultFn { diff --git a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh old mode 100755 new mode 100644 index ca05dce584..ac153b9763 --- a/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh +++ b/aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh @@ -1,6 +1,7 @@ #!/bin/bash set -e -o pipefail +# Start the upload-server instance # TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user. # (Currently, there doesn't seem to be a straight forward way.) action=$([ "$1" == "stop" ] && echo "stop" || echo "start") diff --git a/aio/aio-builds-setup/docs/NOTES.md b/aio/aio-builds-setup/docs/NOTES.md index beb69fe99f..d4f4c1246f 100644 --- a/aio/aio-builds-setup/docs/NOTES.md +++ b/aio/aio-builds-setup/docs/NOTES.md @@ -17,13 +17,12 @@ --name \ -p 80:80 \ -p 443:443 \ - -v :/var/www/aio-builds \ + [-v :/etc/ssl/localcerts:ro] \ + -v :/var/www/aio-builds \ [:] ` ## Questions - Do we care to keep logs (e.g. cron, nginx, aio-upload-server, aio-clean-up, pm2) outside of the container? -- Currently, builds will only be remove when the PR is closed. It is possible to upload arbitrary builds (for non-existent commits) until then. - Instead of creating new comments for each commit, update the original comment? -- Do we need a static IP address? -- Do we care about persistent disk automatic backup? +- Do we want to drop HTTP support (and/or redirect to HTTPS)?