intershop · dhhyi · Feb 20, 2020 · Jan 15, 2020 · Jan 22, 2020 · Jan 27, 2020
diff --git a/.gitlab-ci-get-publish.sh b/.gitlab-ci-get-publish.sh
@@ -3,7 +3,7 @@
 [ -z "$1" ] && echo "instance name required" && exit 1
 internalPort="${2:-4200}"
 
-currentPort="$(docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}}{{(index $conf 0).HostPort}}{{end}}' "$1")"
+currentPort="$(docker inspect --format='{{(index (index .NetworkSettings.Ports "$internalPort/tcp") 0).HostPort}}' "$1")"
 
 if [ -z "$currentPort" ]
 then

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -411,7 +411,6 @@ deploy_demo_nginx:
       --detach
       --publish 4326:80
       --name "${SERVICE}"
-      -e UPSTREAM_ICM=${ICM_BASE_URL}
       -e UPSTREAM_PWA=http://$DEMO_SERVER_NAME:4321
       -e PWA_1_SUBDOMAIN=b2c
       -e PWA_1_CHANNEL=inSPIRED-inTRONICS-Site

diff --git a/dist/.gitignore b/dist/.gitignore
@@ -3,3 +3,5 @@
 !/*.sh
 !/healthcheck.js
 !/robots.txt
+!/server.crt
+!/server.key
diff --git a/dist/server.crt b/dist/server.crt
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDxDCCAqygAwIBAgIJAJYvMbbAjzehMA0GCSqGSIb3DQEBCwUAMIGNMQswCQYD
+VQQGEwJERTELMAkGA1UECAwCVEgxDTALBgNVBAcMBEplbmExEjAQBgNVBAoMCUlu
+dGVyc2hvcDEUMBIGA1UECwwLRW5naW5lZXJpbmcxJDAiBgkqhkiG9w0BCQEWFXN1
+cHBvcnRAaW50ZXJzaG9wLmNvbTESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIwMDEx
+NDA4NDExOVoXDTIxMDExMzA4NDExOVowgY0xCzAJBgNVBAYTAkRFMQswCQYDVQQI
+DAJUSDENMAsGA1UEBwwESmVuYTESMBAGA1UECgwJSW50ZXJzaG9wMRQwEgYDVQQL
+DAtFbmdpbmVlcmluZzEkMCIGCSqGSIb3DQEJARYVc3VwcG9ydEBpbnRlcnNob3Au
+Y29tMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDRXcHHCh2XNXdsH3zy8OQK+T6H6K29HoRus0wzv8Hp8jSbdOrF2RuH
+9EeEbdrZe+EXhiuLGg76xvxD1dLwANA5fgVIo0/nrIR7Hj1m3fAFiKGBPNSCF0UX
+P9ljWPH0U6WhHVcb+EinQdISQHObT0/OLefPZDQg5ymlZV/+fvlBV0hFkBvpSO30
+541EjUm3BubwvyciREOo1PKxnhAyUAZd7SjdM5+ORjfCX3GutTLIv7+XKUABHJ9f
+AzJ8uig60hpcsx2cceNlTQ92uEReT5qAadDwLDwVNl5DZ2jhUvjhVlZZWHtW045D
+YxCbxCjnanbn+0cydsgSxv9zvMxwB+x1AgMBAAGjJTAjMCEGA1UdEQQaMBiCCyou
+bG9jYWxob3N0gglsb2NhbGhvc3QwDQYJKoZIhvcNAQELBQADggEBAA55lAtHrxzS
+095HRl/5PQ/M1zUjgOUvLlR5WKKxdzU/nbc/n8wuZqfPL4CHD7s8EJ442yvw+WgP
+mqaiXlPBqDCQkrDgHwWnjyT7ndrl7N52bKue14i32nTlsLn/pf+FOMoDnimghQeL
+DqFzcLkHacgaxIHt5A0xy3cU/64gMeiL52V+PrgQCD4heeimIjtxGAB4c97GB7TR
+FIkk2a4iUzHs5NEv60hKm+Ksgw48wI/jHrCfcxvXJ07f5Qt57IjZkoNmCEq6NX0V
+5vvneRQjdFiprE/uiFusdSYGV1Hz2E9HrY0x/LLseS+CGWTBUlWZkOZTpdsnaqDh
+DTNpH0moNzI=
+-----END CERTIFICATE-----
diff --git a/dist/server.key b/dist/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDRXcHHCh2XNXds
+H3zy8OQK+T6H6K29HoRus0wzv8Hp8jSbdOrF2RuH9EeEbdrZe+EXhiuLGg76xvxD
+1dLwANA5fgVIo0/nrIR7Hj1m3fAFiKGBPNSCF0UXP9ljWPH0U6WhHVcb+EinQdIS
+QHObT0/OLefPZDQg5ymlZV/+fvlBV0hFkBvpSO30541EjUm3BubwvyciREOo1PKx
+nhAyUAZd7SjdM5+ORjfCX3GutTLIv7+XKUABHJ9fAzJ8uig60hpcsx2cceNlTQ92
+uEReT5qAadDwLDwVNl5DZ2jhUvjhVlZZWHtW045DYxCbxCjnanbn+0cydsgSxv9z
+vMxwB+x1AgMBAAECggEAWZmFR3g1x7NzA0vKfnHHNkcKksFqMShxRqrm7rKe+07T
+YsA7hSZv2NQbEzqsUSzp3NZnpiUlyf8EkMdeeaXvdttOyZJSrPQw0jvTzUUn5kZd
+z+BHldD9mYCSuSiki4qMtJHI6Mht116c14DLuOjNX5BXx3K7uGUVdpoW5eRTKbm5
+X4UIfa8eBtfZA063mc00/RC5s1AM4rBCr+p4xsQLOL1G4YBQk9Tdjme2VNjML37N
+HYPLTjE5tALvyDYSscAW4hXCdzzJh8JErOWw+E8W5OkkCc8eUsfw1vAovbOaJw9Y
+400Xd8ABXpJwYyg2WADwN3NGyoCFzJHj7J15nFlFQQKBgQDz8+8oIRhhlD8BNrgD
+xc0xExGcXZ5GhVQ14Xp4YBxpnXWiE5mlORJczfBfk8vwWtH5qdC7JkZsTEy/vJvu
+HglORDxYKNaHVnJNrVvhnjPICudOvaI8yLDlz5d7++3ddV/K6Hv4blXN10BYJS0B
+OjGTzUtiYZ6PtwK6PwgEXrkEBQKBgQDbtJOd6aeepGLHCzv1dcb6rQo0+mTC+vwC
+uB9/Ym/DTKSeuNBsQuqDEosMjOwLCB7RpzOU2wOxLU3y76yCBVHHC+O0EqI1FmxP
+UQ5+GLWJflX3d+zWkEp5PQwIexMD8I3hNNbBBcJHtJnTflo+C9hFKGa5rAVxwGaN
+rIUK3VGhsQKBgQClSb3cvq+6TatysxRy2e5xNa5U98lplqS77Q4ByXz2wk0Vh5ou
+rECYyJ/44jbnn2Fte3WFmCVW80t9DdnIuGktsmYAhYr1H8lKgA8lCv+ipmCapTnr
+XT8eNk05IDTGO+Svol18saVJVnKuRmH71uYIcqyE+Adq8GDUuChCbbuF0QKBgQCi
+ilyvdh55InqlcS1BsomsCPrFKP4EtjRdOqSq1EOFBB3CA07G2Vav87cFaPh0TOSo
+DH//v2xi1vaVJTXF13Ohw60JGsQAbH9iyr/jEBq2Bs5Iz+Na9dLzEPPnDk6KGpyM
+oU/D66PI8tbe/dp7jr3IpFQjRx2cA1CbvaeL2yK6cQKBgQCiuWwjsi0NhmWDPEIe
+09PWiJ8ZsZpvAqRs32qM3erskcRwzvxmegbtTByvP59kTmwiGHkquotmN5ifqJHe
+2let3V6NCMEZ0qU6LKG6GTBaBZhHuHzuyPBhDW/6i1qZZxRNV73HteluQgXWkmVQ
+UZoOi8uheodOmR4V9Mf9MREUmg==
+-----END PRIVATE KEY-----
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -1,27 +1,27 @@
 FROM ubuntu:latest as buildstep
 RUN echo "intalling nginx with mod-pagespeed" && \
   apt-get update && \
-  apt-get install -y curl build-essential zlib1g-dev libpcre3-dev unzip wget uuid-dev sudo && \
+  apt-get install -y curl build-essential zlib1g-dev libpcre3-dev unzip wget uuid-dev sudo openssl libssl-dev && \
   curl -kfL -sS https://ngxpagespeed.com/install > install.sh && \
-  bash install.sh --nginx-version latest
+  bash install.sh --nginx-version latest --additional-nginx-configure-arguments '--with-http_ssl_module'
 
 FROM scratch as configstep
 COPY --from=nginx:mainline /etc/nginx /etc/nginx
 COPY nginx.conf perf.conf pagespeed.conf /etc/nginx/
-COPY icm.conf.tmpl channel.conf.tmpl /etc/nginx/conf.d/
+COPY channel.conf.tmpl /etc/nginx/conf.d/
 COPY entrypoint.sh /
 COPY 50x.html /usr/share/nginx/html/
 
 FROM ubuntu:latest
 RUN apt-get update && \
-  apt-get install -y gettext-base && \
+  apt-get install -y gettext-base libssl1.1 && \
   apt-get -y autoremove && \
   apt-get clean && \
   rm -r /var/cache/apt /var/lib/apt/lists
 COPY --from=buildstep /usr/local/nginx /usr/local/nginx
 COPY --from=configstep / /
 ENV NPSC_ENABLE_FILTERS=in_place_optimize_for_browser,prioritize_critical_css,inline_preview_images,lazyload_images,rewrite_images,rewrite_css,remove_comments,local_storage_cache,move_css_to_head,move_css_above_scripts,collapse_whitespace,combine_javascript,extend_cache NPSC_JsPreserveURLs=off NPSC_ImagePreserveURLs=on NPSC_ForceCaching=off
 
-EXPOSE 80
+EXPOSE 80 443
 
 ENTRYPOINT [ "sh", "entrypoint.sh" ]
diff --git a/nginx/README.md b/nginx/README.md
@@ -21,6 +21,10 @@ Basic environment variables:
 
 If you want to use fully qualified names here, do not forget to also add host mappings to your orchestrator name resolution. For `docker run` this can be done with `--add-host`.
 
+If you are using http, the server will run on default port 80.
+If you use https as an upstream, it will run on default port 443.
+In the latter case you will also have to supply the files `server.key` and `server.crt` in the folder `/etx/nginx` (either by volume mapping with `docker run` or in the image itself by `docker build`).
+
 Setup at least one PWA channel configuration:
 
 - use mandatory `PWA_X_SUBDOMAIN` for the channel sub domain
@@ -61,7 +65,3 @@ docker run -d --name "my-awesome-nginx" \
 And then access the PWA with `http://b2b.<your-fully-qualified-machine-name>:4199`
 
 If your DNS is not set up correctly, you have to use something like _dnsmasq_ (Linux) or _Acrylic DNS Proxy_ (Windows), or just ask your local network administrator.
-
-## Extras
-
-To fully release the potential of this nginx, also set `UPSTREAM_ICM` in the form of `http(s)://<IP>:<PORT>` to tunnel all ICM traffic through this PageSpeed optimized nginx. This will automatically point the `ICM_BASE_URL` of the deployed PWA on a request basis to it. This however is still experimental.
diff --git a/nginx/channel.conf.tmpl b/nginx/channel.conf.tmpl
@@ -1,12 +1,38 @@
 server {
-    listen 80;
     server_name ~^$SUBDOMAIN\..+$;
+    include /etc/nginx/conf.d/listen.conf;
 
+    # let ICM handle everything ICM related
+    location ~* ^/INTERSHOP.*$ {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        add_header X-Cache-Status IGNORE;
+
+        proxy_pass $UPSTREAM_PWA;
+    }
+
+    # respect cache entries of static assets
+    location ~* ^/(assets|.*\.(js|css|ico|json|txt|webmanifest|woff|woff2))(.*)$ {
+        proxy_cache my_cache;
+        proxy_cache_use_stale error timeout http_404 http_500 http_502 http_503 http_504;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        add_header X-Cache-Status $upstream_cache_status;
+
+        proxy_pass $UPSTREAM_PWA;
+    }
+
+    # cache and rewriting for rendered pages
     location / {
         proxy_cache my_cache;
         proxy_cache_use_stale error timeout http_404 http_500 http_502 http_503 http_504;
 
-        proxy_set_header Host $host;
+        proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
@@ -24,15 +50,17 @@ server {
 
         rewrite ^/$ /home;
         if ($request_uri !~* ";lang=") {
-            rewrite ^(?!/INTERSHOP.*$)(?!/assets.*$)(?!.*\.js$)(?!.*\.css$)(?!.*\.ico$)(?!.*\.json$)(?!.*\.txt$)(?!.*\.webmanifest$)(.*)$ "$1;lang=$LANG";
+            rewrite ^(.*)$ "$1;lang=$LANG";
         }
-        if (-f /etc/nginx/conf.d/icm.conf) {
-            rewrite ^(?!/INTERSHOP.*$)(?!/assets.*$)(?!.*\.js$)(?!.*\.css$)(?!.*\.ico$)(?!.*\.json$)(?!.*\.txt$)(?!.*\.webmanifest$)(.*)$ "$1;icmScheme=$scheme;icmHost=$http_host";
-        }
-        rewrite ^(?!/INTERSHOP.*$)(?!/assets.*$)(?!.*\.js$)(?!.*\.css$)(?!.*\.ico$)(?!.*\.json$)(?!.*\.txt$)(?!.*\.webmanifest$)(.*)$ "$1;channel=$CHANNEL;application=$APPLICATION;features=$FEATURES;theme=$THEME" break;
+        rewrite ^(.*)$ "$1;channel=$CHANNEL;application=$APPLICATION;features=$FEATURES;theme=$THEME" break;
 
         proxy_pass $UPSTREAM_PWA;
     }
 
-    $ICM_INCLUDE
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
 }
diff --git a/nginx/entrypoint.sh b/nginx/entrypoint.sh
@@ -5,14 +5,25 @@ set -e
 
 [ -z "$UPSTREAM_PWA" ] && echo "UPSTREAM_PWA is not set" && exit 1
 
-[ -f "/etc/nginx/conf.d/default.conf" ] && rm /etc/nginx/conf.d/default.conf
-
-if [ -n "$UPSTREAM_ICM" ]
+if echo "$UPSTREAM_PWA" | grep -Eq '^https'
 then
-  envsubst \$UPSTREAM_ICM </etc/nginx/conf.d/icm.conf.tmpl > /etc/nginx/conf.d/icm.conf
-  export ICM_INCLUDE="include /etc/nginx/conf.d/icm.conf;"
+  cat >/etc/nginx/conf.d/listen.conf <<EOF
+listen 443 ssl;
+ssl_certificate     server.crt;
+ssl_certificate_key server.key;
+ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers         HIGH:!aNULL:!MD5;
+
+# https://ma.ttias.be/force-redirect-http-https-custom-port-nginx/
+error_page  497 https://\$http_host\$request_uri;
+
+EOF
+else
+  echo "listen 80;" >/etc/nginx/conf.d/listen.conf
 fi
 
+[ -f "/etc/nginx/conf.d/default.conf" ] && rm /etc/nginx/conf.d/default.conf
+
 i=1
 while true
 do
@@ -29,7 +40,7 @@ do
 
   echo "$i SUBDOMAIN=$SUBDOMAIN CHANNEL=$CHANNEL APPLICATION=$APPLICATION LANG=$LANG FEATURES=$FEATURES"
 
-  envsubst '$UPSTREAM_PWA,$SUBDOMAIN,$CHANNEL,$APPLICATION,$LANG,$FEATURES,$THEME,$ICM_INCLUDE' </etc/nginx/conf.d/channel.conf.tmpl >/etc/nginx/conf.d/channel$i.conf
+  envsubst '$UPSTREAM_PWA,$SUBDOMAIN,$CHANNEL,$APPLICATION,$LANG,$FEATURES,$THEME' </etc/nginx/conf.d/channel.conf.tmpl >/etc/nginx/conf.d/channel$i.conf
 
   i=$((i+1))
 done

diff --git a/nginx/icm.conf.tmpl b/nginx/icm.conf.tmpl