fix: allow usage of SSL certificate

ludomikula · ludomikula · commit 397f196297f9 · 2023-06-21T12:32:55.000+02:00
diff --git a/deploy/docker/Dockerfile b/deploy/docker/Dockerfile
@@ -149,8 +149,14 @@ COPY deploy/docker/frontend/01-update-nginx-conf.sh /docker-entrypoint.d/01-upda
 RUN chmod +x /docker-entrypoint.d/00-change-nginx-user.sh && \
     chmod +x /docker-entrypoint.d/01-update-nginx-conf.sh
 
-COPY deploy/docker/frontend/nginx.conf /etc/nginx/nginx.conf
+COPY deploy/docker/frontend/nginx-http.conf /etc/nginx/nginx-http.conf
+COPY deploy/docker/frontend/nginx-https.conf /etc/nginx/nginx-https.conf
+COPY deploy/docker/frontend/ssl-certificate.conf /etc/nginx/ssl-certificate.conf
+COPY deploy/docker/frontend/ssl-params.conf /etc/nginx/ssl-params.conf
+
+
 EXPOSE 3000
+EXPOSE 3443
 
 #############################################################################
 
@@ -189,6 +195,7 @@ COPY --chown=lowcoder:lowcoder deploy/docker/all-in-one/etc /lowcoder/etc
 COPY --chown=lowcoder:lowcoder deploy/docker/all-in-one/entrypoint.sh /lowcoder/entrypoint.sh
 
 EXPOSE 3000
+EXPOSE 3443
 
 ENTRYPOINT [ "/bin/sh" , "/lowcoder/entrypoint.sh" ]
 CMD ["/usr/bin/supervisord", "-n" , "-c" , "/lowcoder/etc/supervisord.conf"]
diff --git a/deploy/docker/all-in-one/entrypoint.sh b/deploy/docker/all-in-one/entrypoint.sh
@@ -19,19 +19,20 @@ fi;
 
 LOGS="/lowcoder-stacks/logs"
 DATA="/lowcoder-stacks/data"
+CERT="/lowcoder-stacks/ssl"
 # Create folder for holding application logs and data
 mkdir -p ${LOGS}/redis \
   ${LOGS}/mongodb \
   ${LOGS}/api-service \
   ${LOGS}/node-service \
   ${LOGS}/frontend \
   ${DATA}/redis \
-  ${DATA}/mongodb
+  ${DATA}/mongodb \
+  ${CERT}
 
 # Update owner of logs and data
 chown -R ${USER_ID}:${GROUP_ID} /lowcoder-stacks/ /lowcoder/etc
 
-
 # Enable services
 SUPERVISOR_AVAILABLE="/lowcoder/etc/supervisord/conf-available"
 SUPERVISOR_ENABLED="/lowcoder/etc/supervisord/conf-enabled"
@@ -62,9 +63,22 @@ if [ "${NODE_SERVICE_ENABLED:=true}" = "true" ]; then
     ln ${SUPERVISOR_AVAILABLE}/11-node-service.conf ${SUPERVISOR_ENABLED}/11-node-service.conf
 fi;
 
-# Enable forntend if configured to run
+# Enable frontend if configured to run
 if [ "${FRONTEND_ENABLED:=true}" = "true" ]; then
    ln ${SUPERVISOR_AVAILABLE}/20-frontend.conf ${SUPERVISOR_ENABLED}/20-frontend.conf
+
+   unlink /etc/nginx/nginx.conf 2>/dev/null
+   if [ -e "${CERT}/fullchain.pem" ] && [ -e "${CERT}/privkey.pem" ];
+      echo "Certificates found, starting with HTTPS."
+      ln -s /etc/nginx/nginx-https.conf /etc/nginx/nginx.conf
+      if [ ! -e "${CERT}/dhparam.pem" ]; then
+         echo "Diffle-Helmann parameters file not found, generating in now... (this can take some time)"
+         openssl dhparam -out "${CERT}/dhparam.pem" 4096
+      fi;
+   else
+      echo "Certificates not found, starting with HTTP."
+      ln -s /etc/nginx/nginx-http.conf /etc/nginx/nginx.conf
+   fi;
 fi;
 
 # Handle CMD command
diff --git a/deploy/docker/docker-compose.yaml b/deploy/docker/docker-compose.yaml
@@ -9,6 +9,7 @@ services:
     container_name: lowcoder
     ports:
       - "3000:3000"
+      - "3443:3443"
     environment:
       # enable services
       REDIS_ENABLED: "true"
diff --git a/deploy/docker/frontend/nginx-http.conf b/deploy/docker/frontend/nginx-http.conf
@@ -46,13 +46,18 @@ http {
         location /api {
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header X-Forwarded-Host $host;
+	    proxy_set_header X-Real-IP $remote_addr;
             proxy_pass __LOWCODER_API_SERVICE_URL__;
         }
 
         location /node-service/plugin-icons {
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_set_header X-Forwarded-Host $host;
+	    proxy_set_header X-Real-IP $remote_addr;
             proxy_pass __LOWCODER_NODE_SERVICE_URL__;
         }
     }
+
+    #ENABLE_HTTPS include /etc/nginx/lowcoder.https.conf;
+
 }
diff --git a/deploy/docker/frontend/nginx-https.conf b/deploy/docker/frontend/nginx-https.conf
@@ -0,0 +1,63 @@
+user  lowcoder;
+
+worker_processes  1;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format main '"$time_local" client=$remote_addr '
+               'method=$request_method request="$request" '
+               'request_length=$request_length '
+               'status=$status bytes_sent=$bytes_sent '
+               'body_bytes_sent=$body_bytes_sent '
+               'referer=$http_referer '
+               'http_x_forwarded_for=$http_x_forwarded_for '
+               'user_agent="$http_user_agent" '
+               'upstream_addr=$upstream_addr '
+               'upstream_status=$upstream_status '
+               'request_time=$request_time '
+               'upstream_response_time=$upstream_response_time '
+               'upstream_connect_time=$upstream_connect_time '
+               'upstream_header_time=$upstream_header_time';
+
+    keepalive_timeout  65;
+    sendfile        on;
+    #tcp_nopush     on;
+
+    server {
+        listen 3443 ssl;
+        root /lowcoder/client;
+
+        include /etc/nginx/ssl-certificate.conf;
+        include /etc/nginx/ssl-params.conf;
+
+        location / {
+            try_files $uri /index.html;
+
+            if ($request_filename ~* .*.(html|htm)$) {
+                add_header Cache-Control no-cache;
+            }
+        }
+
+        location /api {
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+	    proxy_set_header X-Real-IP $remote_addr;
+            proxy_pass __LOWCODER_API_SERVICE_URL__;
+        }
+
+        location /node-service/plugin-icons {
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+	    proxy_set_header X-Real-IP $remote_addr;
+            proxy_pass __LOWCODER_NODE_SERVICE_URL__;
+        }
+    }
+
+}
diff --git a/deploy/docker/frontend/ssl-certificate.conf b/deploy/docker/frontend/ssl-certificate.conf
@@ -0,0 +1,2 @@
+ssl_certificate /lowcoder-stacks/ssl/fullchain.pem;
+ssl_certificate_key /lowcoder-stacks/ssl/privkey.pem;
diff --git a/deploy/docker/frontend/ssl-params.conf b/deploy/docker/frontend/ssl-params.conf
@@ -0,0 +1,18 @@
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_dhparam /lowcoder-stacks/ssl/dhparam.pem; 
+ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ssl_ecdh_curve secp384r1;
+ssl_session_timeout  10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable strict transport security for now. You can uncomment the following
+# line if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";

Original file line number	Diff line number	Diff line change
`@@ -46,13 +46,18 @@ http {`
`46`	`46`	`location /api {`
`47`	`47`	`proxy_set_header X-Forwarded-Proto $scheme;`
`48`	`48`	`proxy_set_header X-Forwarded-Host $host;`
	`49`	`+ proxy_set_header X-Real-IP $remote_addr;`
`49`	`50`	`proxy_pass __LOWCODER_API_SERVICE_URL__;`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`location /node-service/plugin-icons {`
`53`	`54`	`proxy_set_header X-Forwarded-Proto $scheme;`
`54`	`55`	`proxy_set_header X-Forwarded-Host $host;`
	`56`	`+ proxy_set_header X-Real-IP $remote_addr;`
`55`	`57`	`proxy_pass __LOWCODER_NODE_SERVICE_URL__;`
`56`	`58`	`}`
`57`	`59`	`}`
	`60`	`+`
	`61`	`+ #ENABLE_HTTPS include /etc/nginx/lowcoder.https.conf;`
	`62`	`+`
`58`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ssl_certificate /lowcoder-stacks/ssl/fullchain.pem;`
	`2`	`+ssl_certificate_key /lowcoder-stacks/ssl/privkey.pem;`