feat(aio): add support for HTTPS (certificates provided by host - fallback to self-signed)

aio/aio-builds-setup/dockerbuild/Dockerfile

@@ -11,14 +11,15 @@ VOLUME /var/www/aio-builds
 EXPOSE 80 443
 
 ENV AIO_BUILDS_DIR=/var/www/aio-builds             TEST_AIO_BUILDS_DIR=/tmp/aio-builds              \
+    AIO_DOMAIN_NAME=ngbuilds.io                    TEST_AIO_DOMAIN_NAME=test-ngbuilds.io       \
     AIO_GITHUB_TOKEN=                              TEST_AIO_GITHUB_TOKEN=                           \
-    AIO_NGINX_HOSTNAME=nginx-prod.localhost        TEST_AIO_NGINX_HOSTNAME=nginx-test.localhost     \
+    AIO_NGINX_HOSTNAME=nginx.localhost             TEST_AIO_NGINX_HOSTNAME=nginx.localhost          \
     AIO_NGINX_PORT_HTTP=80                         TEST_AIO_NGINX_PORT_HTTP=8080                    \
     AIO_NGINX_PORT_HTTPS=443                       TEST_AIO_NGINX_PORT_HTTPS=4433                   \
     AIO_REPO_SLUG=angular/angular                  TEST_AIO_REPO_SLUG=                              \
     AIO_SCRIPTS_JS_DIR=/usr/share/aio-scripts-js                                                    \
     AIO_SCRIPTS_SH_DIR=/usr/share/aio-scripts-sh                                                    \
-    AIO_UPLOAD_HOSTNAME=upload-prod.localhost      TEST_AIO_UPLOAD_HOSTNAME=upload-test.localhost   \
+    AIO_UPLOAD_HOSTNAME=upload.localhost           TEST_AIO_UPLOAD_HOSTNAME=upload.localhost        \
     AIO_UPLOAD_MAX_SIZE=20971520                   TEST_AIO_UPLOAD_MAX_SIZE=20971520                \
     AIO_UPLOAD_PORT=3000                           TEST_AIO_UPLOAD_PORT=3001                        \
     NODE_ENV=production
@@ -43,6 +44,7 @@ RUN apt-get update -y && apt-get install -y \
     nano \
     nginx \
     nodejs \
+    openssl \
     rsyslog \
     yarn
 RUN yarn global add pm2
@@ -62,12 +64,27 @@ RUN sed -i "s|{{\$TEST_AIO_NGINX_HOSTNAME}}|$TEST_AIO_NGINX_HOSTNAME|" /etc/dnsm
 RUN sed -i "s|{{\$TEST_AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/dnsmasq.conf
 
 
+# Set up SSL/TLS certificates
+RUN mkdir -p /etc/ssl/localcerts
+RUN openssl req -days 365 -newkey rsa:2048 -nodes -sha256 -x509 -subj "/CN=$AIO_NGINX_HOSTNAME" \
+                -out /etc/ssl/localcerts/$AIO_DOMAIN_NAME.crt \
+                -keyout /etc/ssl/localcerts/$AIO_DOMAIN_NAME.key
+RUN openssl req -days 365 -newkey rsa:2048 -nodes -sha256 -x509 -subj "/CN=$TEST_AIO_NGINX_HOSTNAME" \
+                -out /etc/ssl/localcerts/$TEST_AIO_DOMAIN_NAME.crt \
+                -keyout /etc/ssl/localcerts/$TEST_AIO_DOMAIN_NAME.key
+RUN chmod -R 400 /etc/ssl/localcerts
+RUN cp /etc/ssl/localcerts/*.crt /usr/local/share/ca-certificates
+RUN update-ca-certificates
+
+
 # Set up nginx (for production and testing)
 RUN rm /etc/nginx/sites-enabled/*
 
 COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-prod.conf
 RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-prod.conf
+RUN sed -i "s|{{\$AIO_DOMAIN_NAME}}|$AIO_DOMAIN_NAME|" /etc/nginx/sites-available/aio-builds-prod.conf
 RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-prod.conf
+RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTPS}}|$AIO_NGINX_PORT_HTTPS|" /etc/nginx/sites-available/aio-builds-prod.conf
 RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-prod.conf
 RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-prod.conf
 RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-prod.conf
@@ -75,7 +92,9 @@ RUN ln -s /etc/nginx/sites-available/aio-builds-prod.conf /etc/nginx/sites-enabl
 
 COPY nginx/aio-builds.conf /etc/nginx/sites-available/aio-builds-test.conf
 RUN sed -i "s|{{\$AIO_BUILDS_DIR}}|$TEST_AIO_BUILDS_DIR|" /etc/nginx/sites-available/aio-builds-test.conf
+RUN sed -i "s|{{\$AIO_DOMAIN_NAME}}|$TEST_AIO_DOMAIN_NAME|" /etc/nginx/sites-available/aio-builds-test.conf
 RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTP}}|$TEST_AIO_NGINX_PORT_HTTP|" /etc/nginx/sites-available/aio-builds-test.conf
+RUN sed -i "s|{{\$AIO_NGINX_PORT_HTTPS}}|$TEST_AIO_NGINX_PORT_HTTPS|" /etc/nginx/sites-available/aio-builds-test.conf
 RUN sed -i "s|{{\$AIO_UPLOAD_HOSTNAME}}|$TEST_AIO_UPLOAD_HOSTNAME|" /etc/nginx/sites-available/aio-builds-test.conf
 RUN sed -i "s|{{\$AIO_UPLOAD_MAX_SIZE}}|$TEST_AIO_UPLOAD_MAX_SIZE|" /etc/nginx/sites-available/aio-builds-test.conf
 RUN sed -i "s|{{\$AIO_UPLOAD_PORT}}|$TEST_AIO_UPLOAD_PORT|" /etc/nginx/sites-available/aio-builds-test.conf

aio/aio-builds-setup/dockerbuild/nginx/aio-builds.conf

@@ -1,9 +1,14 @@
 # Serve PR-preview requests
 server {
+  server_name "~^pr(?<pr>[1-9][0-9]*)-(?<sha>[0-9a-f]{40})\.";
+
   listen {{$AIO_NGINX_PORT_HTTP}};
   listen [::]:{{$AIO_NGINX_PORT_HTTP}};
+  listen {{$AIO_NGINX_PORT_HTTPS}} ssl;
+  listen [::]:{{$AIO_NGINX_PORT_HTTPS}} ssl;
 
-  server_name "~^pr(?<pr>[1-9][0-9]*)-(?<sha>[0-9a-f]{40})\.";
+  ssl_certificate     /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.crt;
+  ssl_certificate_key /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.key;
 
   root             {{$AIO_BUILDS_DIR}}/$pr/$sha;
   disable_symlinks on from=$document_root;
@@ -16,10 +21,15 @@ server {
 
 # Handle all other requests
 server {
+  server_name _;
+
   listen {{$AIO_NGINX_PORT_HTTP}} default_server;
   listen [::]:{{$AIO_NGINX_PORT_HTTP}};
+  listen {{$AIO_NGINX_PORT_HTTPS}} ssl default_server;
+  listen [::]:{{$AIO_NGINX_PORT_HTTPS}} ssl;
 
-  server_name _;
+  ssl_certificate     /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.crt;
+  ssl_certificate_key /etc/ssl/localcerts/{{$AIO_DOMAIN_NAME}}.key;
 
   # Health check
   location "~^\/health-check\/?$" {

aio/aio-builds-setup/dockerbuild/scripts-js/lib/verify-setup/helper.ts

@@ -110,14 +110,7 @@ class Helper {
   }
 
   public runForAllSupportedSchemes(suiteFactory: TestSuiteFactory) {
-    Object.keys(this.portPerScheme).forEach(scheme => {
-      // TODO (gkalpak): Enable HTTPS tests
-      if (scheme === 'https') {
-        return it('should have tests');
-      }
-
-      suiteFactory(scheme, this.portPerScheme[scheme]);
-    });
+    Object.keys(this.portPerScheme).forEach(scheme => suiteFactory(scheme, this.portPerScheme[scheme]));
   }
 
   public verifyResponse(status: number | [number, string], regex = /^/): VerifyCmdResultFn {

aio/aio-builds-setup/dockerbuild/scripts-sh/upload-server-prod.sh

@@ -1,6 +1,7 @@
 #!/bin/bash
 set -e -o pipefail
 
+# Start the upload-server instance
 # TODO(gkalpak): Ideally, the upload server should be run as a non-privileged user.
 #                (Currently, there doesn't seem to be a straight forward way.)
 action=$([ "$1" == "stop" ] && echo "stop" || echo "start")

aio/aio-builds-setup/docs/NOTES.md

@@ -17,13 +17,12 @@
      --name <instance-name> \
      -p 80:80 \
      -p 443:443 \
-     -v <host-snapshots-dir>:/var/www/aio-builds \
+    [-v <host-cert-dir>:/etc/ssl/localcerts:ro] \
+     -v <host-builds-dir>:/var/www/aio-builds \
      <name>[:<tag>]
   `
 
 ## Questions
 - Do we care to keep logs (e.g. cron, nginx, aio-upload-server, aio-clean-up, pm2) outside of the container?
-- Currently, builds will only be remove when the PR is closed. It is possible to upload arbitrary builds (for non-existent commits) until then.
 - Instead of creating new comments for each commit, update the original comment?
-- Do we need a static IP address?
-- Do we care about persistent disk automatic backup?
+- Do we want to drop HTTP support (and/or redirect to HTTPS)?