feat(aio): add support for HTTPS (certificates provided by host - fallback to self-signed)
This commit is contained in:
parent
6b8413f7b3
commit
c8d87a936b
|
@ -11,14 +11,15 @@ VOLUME /var/www/aio-builds
|
||||||
EXPOSE 80 443
|
EXPOSE 80 443
|
||||||
|
|
||||||
ENV AIO_BUILDS_DIR=/var/www/aio-builds TEST_AIO_BUILDS_DIR=/tmp/aio-builds \
|
ENV AIO_BUILDS_DIR=/var/www/aio-builds TEST_AIO_BUILDS_DIR=/tmp/aio-builds \
|
||||||
|
AIO_DOMAIN_NAME=ngbuilds.io TEST_AIO_DOMAIN_NAME=test-ngbuilds.io \
|
||||||
AIO_GITHUB_TOKEN= TEST_AIO_GITHUB_TOKEN= \
|
AIO_GITHUB_TOKEN= TEST_AIO_GITHUB_TOKEN= \
|
||||||
AIO_NGINX_HOSTNAME=nginx-prod.localhost TEST_AIO_NGINX_HOSTNAME=nginx-test.localhost \
|
AIO_NGINX_HOSTNAME=nginx.localhost TEST_AIO_NGINX_HOSTNAME=nginx.localhost \
|
||||||
AIO_NGINX_PORT_HTTP=80 TEST_AIO_NGINX_PORT_HTTP=8080 \
|
AIO_NGINX_PORT_HTTP=80 TEST_AIO_NGINX_PORT_HTTP=8080 \
|
||||||
AIO_NGINX_PORT_HTTPS=443 TEST_AIO_NGINX_PORT_HTTPS=4433 \
|
AIO_NGINX_PORT_HTTPS=443 TEST_AIO_NGINX_PORT_HTTPS=4433 \
|
||||||
AIO_REPO_SLUG=angular/angular TEST_AIO_REPO_SLUG= \
|
AIO_REPO_SLUG=angular/angular TEST_AIO_REPO_SLUG= \
|
||||||
AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js \
|
AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js \
|
||||||
AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh \
|
AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh \
|
||||||
AIO_UPLOAD_HOSTNAME=upload-prod.localhost TEST_AIO_UPLOAD_HOSTNAME=upload-test.localhost \
|
AIO_UPLOAD_HOSTNAME=upload.localhost TEST_AIO_UPLOAD_HOSTNAME=upload.localhost \
|
||||||
AIO_UPLOAD_MAX_SIZE=20971520 TEST_AIO_UPLOAD_MAX_SIZE=20971520 \
|
AIO_UPLOAD_MAX_SIZE=20971520 TEST_AIO_UPLOAD_MAX_SIZE=20971520 \
|
||||||
AIO_UPLOAD_PORT=3000 TEST_AIO_UPLOAD_PORT=3001 \
|
AIO_UPLOAD_PORT=3000 TEST_AIO_UPLOAD_PORT=3001 \
|
||||||
NODE_ENV=production
|
NODE_ENV=production
|
||||||
|
@ -43,6 +44,7 @@ RUN apt-get update -y && apt-get install -y \
|
||||||
nano \
|
nano \
|
||||||
nginx \
|
nginx \
|
||||||
nodejs \
|
nodejs \
|
||||||
|
openssl \
|
||||||
rsyslog \
|
rsyslog \
|
||||||
yarn
|
yarn
|
||||||
RUN yarn global add pm2
|
RUN yarn global add pm2
|
||||||
|
@ -62,12 +64,27 @@ RUN sed -i "s|{{\$TEST_AIO_NGINX_HOSTNAME}}|$TEST_AIO_NGINX_HOSTNAME|" /etc/dnsm
|
||||||
RUN sed -i "s|{{\$TEST_AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/dnsmasq.conf
|
RUN sed -i "s|{{\$TEST_AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/dnsmasq.conf
|
||||||
|
|
||||||
|
|
||||||
|
# Set up SSL/TLS certificates
|
||||||
|
RUN mkdir -p /etc/ssl/localcerts
|
||||||
|
RUN openssl req -days 365 -newkey rsa:2048 -nodes -sha256 -x509 -subj "/CN=$AIO_NGINX_HOSTNAME" \
|
||||||
|
-out /etc/ssl/localcerts/$AIO_DOMAIN_NAME.crt \
|
||||||
|
-keyout /etc/ssl/localcerts/$AIO_DOMAIN_NAME.key
|
||||||
|
RUN openssl req -days 365 -newkey rsa:2048 -nodes -sha256 -x509 -subj "/CN=$TEST_AIO_NGINX_HOSTNAME" \
|
||||||
|
-out /etc/ssl/localcerts/$TEST_AIO_DOMAIN_NAME.crt \
|
||||||
|
-keyout /etc/ssl/localcerts/$TEST_AIO_DOMAIN_NAME.key
|
||||||
|
RUN chmod -R 400 /etc/ssl/localcerts
|
||||||
|
RUN cp /etc/ssl/localcerts/*.crt /usr/local/share/ca-certificates
|
||||||
|
RUN update-ca-certificates
|
||||||
|
|
||||||
|
|
||||||
# Set up nginx (for production and testing)
|
# Set up nginx (for production and testing)
|
||||||
RUN rm /etc/nginx/sites-enabled/*
|
RUN rm /etc/nginx/sites-enabled/*
|
||||||
|
|
||||||
COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-prod.conf
|
COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-prod.conf
|
||||||
RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-prod.conf
|
RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-prod.conf
|
||||||
|
RUN sed -i "s|{{\$AIO_DOMAIN_NAME}}|$AIO_DOMAIN_NAME|" /etc/nginx/sites-available/aio-builds-prod.conf
|
||||||
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-prod.conf
|
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-prod.conf
|
||||||
|
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTPS}}|$AIO_NGINX_PORT_HTTPS|" /etc/nginx/sites-available/aio-builds-prod.conf
|
||||||
RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-prod.conf
|
RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-prod.conf
|
||||||
RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-prod.conf
|
RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-prod.conf
|
||||||
RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-prod.conf
|
RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-prod.conf
|
||||||
|
@ -75,7 +92,9 @@ RUN ln -s /etc/nginx/sites-available/aio-builds-prod.conf /etc/nginx/sites-enabl
|
||||||
|
|
||||||
COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-test.conf
|
COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-test.conf
|
||||||
RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$TEST_AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-test.conf
|
RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$TEST_AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-test.conf
|
||||||
|
RUN sed -i "s|{{\$AIO_DOMAIN_NAME}}|$TEST_AIO_DOMAIN_NAME|" /etc/nginx/sites-available/aio-builds-test.conf
|
||||||
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$TEST_AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-test.conf
|
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$TEST_AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-test.conf
|
||||||
|
RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTPS}}|$TEST_AIO_NGINX_PORT_HTTPS|" /etc/nginx/sites-available/aio-builds-test.conf
|
||||||
RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-test.conf
|
RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-test.conf
|
||||||
RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$TEST_AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-test.conf
|
RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$TEST_AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-test.conf
|
||||||
RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$TEST_AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-test.conf
|
RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$TEST_AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-test.conf
|
||||||
|
|
|
@ -1,9 +1,14 @@
|
||||||
# Serve PR-preview requests
|
# Serve PR-preview requests
|
||||||
server {
|
server {
|
||||||
|
server_name "~^pr(?<pr>[1-9][0-9]*)-(?<sha>[0-9a-f]{40})\.";
|
||||||
|
|
||||||
listen {{$AIO_NGINX_PORT_HTTP}};
|
listen {{$AIO_NGINX_PORT_HTTP}};
|
||||||
listen [::]:{{$AIO_NGINX_PORT_HTTP}};
|
listen [::]:{{$AIO_NGINX_PORT_HTTP}};
|
||||||
|
listen {{$AIO_NGINX_PORT_HTTPS}} ssl;
|
||||||
|
listen [::]:{{$AIO_NGINX_PORT_HTTPS}} ssl;
|
||||||
|
|
||||||
server_name "~^pr(?<pr>[1-9][0-9]*)-(?<sha>[0-9a-f]{40})\.";
|
ssl_certificate /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.crt;
|
||||||
|
ssl_certificate_key /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.key;
|
||||||
|
|
||||||
root {{$AIO_BUILDS_DIR}}/$pr/$sha;
|
root {{$AIO_BUILDS_DIR}}/$pr/$sha;
|
||||||
disable_symlinks on from=$document_root;
|
disable_symlinks on from=$document_root;
|
||||||
|
@ -16,10 +21,15 @@ server {
|
||||||
|
|
||||||
# Handle all other requests
|
# Handle all other requests
|
||||||
server {
|
server {
|
||||||
|
server_name _;
|
||||||
|
|
||||||
listen {{$AIO_NGINX_PORT_HTTP}} default_server;
|
listen {{$AIO_NGINX_PORT_HTTP}} default_server;
|
||||||
listen [::]:{{$AIO_NGINX_PORT_HTTP}};
|
listen [::]:{{$AIO_NGINX_PORT_HTTP}};
|
||||||
|
listen {{$AIO_NGINX_PORT_HTTPS}} ssl default_server;
|
||||||
|
listen [::]:{{$AIO_NGINX_PORT_HTTPS}} ssl;
|
||||||
|
|
||||||
server_name _;
|
ssl_certificate /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.crt;
|
||||||
|
ssl_certificate_key /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.key;
|
||||||
|
|
||||||
# Health check
|
# Health check
|
||||||
location "~^\/health-check\/?$" {
|
location "~^\/health-check\/?$" {
|
||||||
|
|
|
@ -110,14 +110,7 @@ class Helper {
|
||||||
}
|
}
|
||||||
|
|
||||||
public runForAllSupportedSchemes(suiteFactory: TestSuiteFactory) {
|
public runForAllSupportedSchemes(suiteFactory: TestSuiteFactory) {
|
||||||
Object.keys(this.portPerScheme).forEach(scheme => {
|
Object.keys(this.portPerScheme).forEach(scheme => suiteFactory(scheme, this.portPerScheme[scheme]));
|
||||||
// TODO (gkalpak): Enable HTTPS tests
|
|
||||||
if (scheme === 'https') {
|
|
||||||
return it('should have tests');
|
|
||||||
}
|
|
||||||
|
|
||||||
suiteFactory(scheme, this.portPerScheme[scheme]);
|
|
||||||
});
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public verifyResponse(status: number | [number, string], regex = /^/): VerifyCmdResultFn {
|
public verifyResponse(status: number | [number, string], regex = /^/): VerifyCmdResultFn {
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
set -e -o pipefail
|
set -e -o pipefail
|
||||||
|
|
||||||
|
# Start the upload-server instance
|
||||||
# TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user.
|
# TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user.
|
||||||
# (Currently, there doesn't seem to be a straight forward way.)
|
# (Currently, there doesn't seem to be a straight forward way.)
|
||||||
action=$([ "$1" == "stop" ] && echo "stop" || echo "start")
|
action=$([ "$1" == "stop" ] && echo "stop" || echo "start")
|
||||||
|
|
|
@ -17,13 +17,12 @@
|
||||||
--name <instance-name> \
|
--name <instance-name> \
|
||||||
-p 80:80 \
|
-p 80:80 \
|
||||||
-p 443:443 \
|
-p 443:443 \
|
||||||
-v <host-snapshots-dir>:/var/www/aio-builds \
|
[-v <host-cert-dir>:/etc/ssl/localcerts:ro] \
|
||||||
|
-v <host-builds-dir>:/var/www/aio-builds \
|
||||||
<name>[:<tag>]
|
<name>[:<tag>]
|
||||||
`
|
`
|
||||||
|
|
||||||
## Questions
|
## Questions
|
||||||
- Do we care to keep logs (e.g. cron, nginx, aio-upload-server, aio-clean-up, pm2) outside of the container?
|
- Do we care to keep logs (e.g. cron, nginx, aio-upload-server, aio-clean-up, pm2) outside of the container?
|
||||||
- Currently, builds will only be remove when the PR is closed. It is possible to upload arbitrary builds (for non-existent commits) until then.
|
|
||||||
- Instead of creating new comments for each commit, update the original comment?
|
- Instead of creating new comments for each commit, update the original comment?
|
||||||
- Do we need a static IP address?
|
- Do we want to drop HTTP support (and/or redirect to HTTPS)?
|
||||||
- Do we care about persistent disk automatic backup?
|
|
||||||
|
|
Loading…
Reference in New Issue