feat(aio): add support for HTTPS (certificates provided by host - fallback to self-signed)

This commit is contained in:
Georgios Kalpakas 2017-02-27 12:11:55 +02:00 committed by Chuck Jazdzewski
parent 6b8413f7b3
commit c8d87a936b
5 changed files with 38 additions and 16 deletions

View File

@ -11,14 +11,15 @@ VOLUME /var/www/aio-builds
EXPOSE 80 443 EXPOSE 80 443
ENV AIO_BUILDS_DIR=/var/www/aio-builds TEST_AIO_BUILDS_DIR=/tmp/aio-builds \ ENV AIO_BUILDS_DIR=/var/www/aio-builds TEST_AIO_BUILDS_DIR=/tmp/aio-builds \
AIO_DOMAIN_NAME=ngbuilds.io TEST_AIO_DOMAIN_NAME=test-ngbuilds.io \
AIO_GITHUB_TOKEN= TEST_AIO_GITHUB_TOKEN= \ AIO_GITHUB_TOKEN= TEST_AIO_GITHUB_TOKEN= \
AIO_NGINX_HOSTNAME=nginx-prod.localhost TEST_AIO_NGINX_HOSTNAME=nginx-test.localhost \ AIO_NGINX_HOSTNAME=nginx.localhost TEST_AIO_NGINX_HOSTNAME=nginx.localhost \
AIO_NGINX_PORT_HTTP=80 TEST_AIO_NGINX_PORT_HTTP=8080 \ AIO_NGINX_PORT_HTTP=80 TEST_AIO_NGINX_PORT_HTTP=8080 \
AIO_NGINX_PORT_HTTPS=443 TEST_AIO_NGINX_PORT_HTTPS=4433 \ AIO_NGINX_PORT_HTTPS=443 TEST_AIO_NGINX_PORT_HTTPS=4433 \
AIO_REPO_SLUG=angular/angular TEST_AIO_REPO_SLUG= \ AIO_REPO_SLUG=angular/angular TEST_AIO_REPO_SLUG= \
AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js \ AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js \
AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh \ AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh \
AIO_UPLOAD_HOSTNAME=upload-prod.localhost TEST_AIO_UPLOAD_HOSTNAME=upload-test.localhost \ AIO_UPLOAD_HOSTNAME=upload.localhost TEST_AIO_UPLOAD_HOSTNAME=upload.localhost \
AIO_UPLOAD_MAX_SIZE=20971520 TEST_AIO_UPLOAD_MAX_SIZE=20971520 \ AIO_UPLOAD_MAX_SIZE=20971520 TEST_AIO_UPLOAD_MAX_SIZE=20971520 \
AIO_UPLOAD_PORT=3000 TEST_AIO_UPLOAD_PORT=3001 \ AIO_UPLOAD_PORT=3000 TEST_AIO_UPLOAD_PORT=3001 \
NODE_ENV=production NODE_ENV=production
@ -43,6 +44,7 @@ RUN apt-get update -y && apt-get install -y \
nano \ nano \
nginx \ nginx \
nodejs \ nodejs \
openssl \
rsyslog \ rsyslog \
yarn yarn
RUN yarn global add pm2 RUN yarn global add pm2
@ -62,12 +64,27 @@ RUN sed -i "s|{{\$TEST_AIO_NGINX_HOSTNAME}}|$TEST_AIO_NGINX_HOSTNAME|" /etc/dnsm
RUN sed -i "s|{{\$TEST_AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/dnsmasq.conf RUN sed -i "s|{{\$TEST_AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/dnsmasq.conf
# Set up SSL/TLS certificates
RUN mkdir -p /etc/ssl/localcerts
RUN openssl req -days 365 -newkey rsa:2048 -nodes -sha256 -x509 -subj "/CN=$AIO_NGINX_HOSTNAME" \
-out /etc/ssl/localcerts/$AIO_DOMAIN_NAME.crt \
-keyout /etc/ssl/localcerts/$AIO_DOMAIN_NAME.key
RUN openssl req -days 365 -newkey rsa:2048 -nodes -sha256 -x509 -subj "/CN=$TEST_AIO_NGINX_HOSTNAME" \
-out /etc/ssl/localcerts/$TEST_AIO_DOMAIN_NAME.crt \
-keyout /etc/ssl/localcerts/$TEST_AIO_DOMAIN_NAME.key
RUN chmod -R 400 /etc/ssl/localcerts
RUN cp /etc/ssl/localcerts/*.crt /usr/local/share/ca-certificates
RUN update-ca-certificates
# Set up nginx (for production and testing) # Set up nginx (for production and testing)
RUN rm /etc/nginx/sites-enabled/* RUN rm /etc/nginx/sites-enabled/*
COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-prod.conf COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-prod.conf
RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-prod.conf
RUN sed -i "s|{{\$AIO_DOMAIN_NAME}}|$AIO_DOMAIN_NAME|" /etc/nginx/sites-available/aio-builds-prod.conf
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-prod.conf
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTPS}}|$AIO_NGINX_PORT_HTTPS|" /etc/nginx/sites-available/aio-builds-prod.conf
RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-prod.conf
RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-prod.conf
RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-prod.conf RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-prod.conf
@ -75,7 +92,9 @@ RUN ln -s /etc/nginx/sites-available/aio-builds-prod.conf /etc/nginx/sites-enabl
COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-test.conf COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-test.conf
RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$TEST_AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$TEST_AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-test.conf
RUN sed -i "s|{{\$AIO_DOMAIN_NAME}}|$TEST_AIO_DOMAIN_NAME|" /etc/nginx/sites-available/aio-builds-test.conf
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$TEST_AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$TEST_AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-test.conf
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTPS}}|$TEST_AIO_NGINX_PORT_HTTPS|" /etc/nginx/sites-available/aio-builds-test.conf
RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-test.conf
RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$TEST_AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$TEST_AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-test.conf
RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$TEST_AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-test.conf RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$TEST_AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-test.conf

View File

@ -1,9 +1,14 @@
# Serve PR-preview requests # Serve PR-preview requests
server { server {
server_name "~^pr(?<pr>[1-9][0-9]*)-(?<sha>[0-9a-f]{40})\.";
listen {{$AIO_NGINX_PORT_HTTP}}; listen {{$AIO_NGINX_PORT_HTTP}};
listen [::]:{{$AIO_NGINX_PORT_HTTP}}; listen [::]:{{$AIO_NGINX_PORT_HTTP}};
listen {{$AIO_NGINX_PORT_HTTPS}} ssl;
listen [::]:{{$AIO_NGINX_PORT_HTTPS}} ssl;
server_name "~^pr(?<pr>[1-9][0-9]*)-(?<sha>[0-9a-f]{40})\."; ssl_certificate /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.crt;
ssl_certificate_key /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.key;
root {{$AIO_BUILDS_DIR}}/$pr/$sha; root {{$AIO_BUILDS_DIR}}/$pr/$sha;
disable_symlinks on from=$document_root; disable_symlinks on from=$document_root;
@ -16,10 +21,15 @@ server {
# Handle all other requests # Handle all other requests
server { server {
server_name _;
listen {{$AIO_NGINX_PORT_HTTP}} default_server; listen {{$AIO_NGINX_PORT_HTTP}} default_server;
listen [::]:{{$AIO_NGINX_PORT_HTTP}}; listen [::]:{{$AIO_NGINX_PORT_HTTP}};
listen {{$AIO_NGINX_PORT_HTTPS}} ssl default_server;
listen [::]:{{$AIO_NGINX_PORT_HTTPS}} ssl;
server_name _; ssl_certificate /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.crt;
ssl_certificate_key /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.key;
# Health check # Health check
location "~^\/health-check\/?$" { location "~^\/health-check\/?$" {

View File

@ -110,14 +110,7 @@ class Helper {
} }
public runForAllSupportedSchemes(suiteFactory: TestSuiteFactory) { public runForAllSupportedSchemes(suiteFactory: TestSuiteFactory) {
Object.keys(this.portPerScheme).forEach(scheme => { Object.keys(this.portPerScheme).forEach(scheme => suiteFactory(scheme, this.portPerScheme[scheme]));
// TODO (gkalpak): Enable HTTPS tests
if (scheme === 'https') {
return it('should have tests');
}
suiteFactory(scheme, this.portPerScheme[scheme]);
});
} }
public verifyResponse(status: number | [number, string], regex = /^/): VerifyCmdResultFn { public verifyResponse(status: number | [number, string], regex = /^/): VerifyCmdResultFn {

View File

@ -1,6 +1,7 @@
#!/bin/bash #!/bin/bash
set -e -o pipefail set -e -o pipefail
# Start the upload-server instance
# TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user. # TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user.
# (Currently, there doesn't seem to be a straight forward way.) # (Currently, there doesn't seem to be a straight forward way.)
action=$([ "$1" == "stop" ] && echo "stop" || echo "start") action=$([ "$1" == "stop" ] && echo "stop" || echo "start")

View File

@ -17,13 +17,12 @@
--name <instance-name> \ --name <instance-name> \
-p 80:80 \ -p 80:80 \
-p 443:443 \ -p 443:443 \
-v <host-snapshots-dir>:/var/www/aio-builds \ [-v <host-cert-dir>:/etc/ssl/localcerts:ro] \
-v <host-builds-dir>:/var/www/aio-builds \
<name>[:<tag>] <name>[:<tag>]
` `
## Questions ## Questions
- Do we care to keep logs (e.g. cron, nginx, aio-upload-server, aio-clean-up, pm2) outside of the container? - Do we care to keep logs (e.g. cron, nginx, aio-upload-server, aio-clean-up, pm2) outside of the container?
- Currently, builds will only be remove when the PR is closed. It is possible to upload arbitrary builds (for non-existent commits) until then.
- Instead of creating new comments for each commit, update the original comment? - Instead of creating new comments for each commit, update the original comment?
- Do we need a static IP address? - Do we want to drop HTTP support (and/or redirect to HTTPS)?
- Do we care about persistent disk automatic backup?