
Allow usage of SSL certificate in frontend #222


Merged
merged 1 commit into from
Jun 21, 2023
9 changes: 8 additions & 1 deletion deploy/docker/Dockerfile
Expand Up @@ -149,8 +149,14 @@ COPY deploy/docker/frontend/01-update-nginx-conf.sh /docker-entrypoint.d/01-upda
RUN chmod +x /docker-entrypoint.d/00-change-nginx-user.sh && \
chmod +x /docker-entrypoint.d/01-update-nginx-conf.sh

COPY deploy/docker/frontend/nginx.conf /etc/nginx/nginx.conf
COPY deploy/docker/frontend/nginx-http.conf /etc/nginx/nginx-http.conf
COPY deploy/docker/frontend/nginx-https.conf /etc/nginx/nginx-https.conf
COPY deploy/docker/frontend/ssl-certificate.conf /etc/nginx/ssl-certificate.conf
COPY deploy/docker/frontend/ssl-params.conf /etc/nginx/ssl-params.conf


EXPOSE 3000
EXPOSE 3443

#############################################################################

Expand Down Expand Up @@ -189,6 +195,7 @@ COPY --chown=lowcoder:lowcoder deploy/docker/all-in-one/etc /lowcoder/etc
COPY --chown=lowcoder:lowcoder deploy/docker/all-in-one/entrypoint.sh /lowcoder/entrypoint.sh

EXPOSE 3000
EXPOSE 3443

ENTRYPOINT [ "/bin/sh" , "/lowcoder/entrypoint.sh" ]
CMD ["/usr/bin/supervisord", "-n" , "-c" , "/lowcoder/etc/supervisord.conf"]
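Review bot: The frontend stage now copies nginx-http.conf, nginx-https.conf and the two ssl-*.conf includes alongside nginx.conf and exposes 3443, but nothing in this hunk selects between the http and https variants for that standalone image; the switch added in this PR lives in the all-in-one entrypoint. If 01-update-nginx-conf.sh (not shown here) does not do the equivalent, the standalone frontend image exposes 3443 with no server listening on it. A comment above the COPY lines naming the script that performs the selection, e.g. `# nginx-http.conf / nginx-https.conf are alternatives for nginx.conf; <script> links one of them into place depending on /lowcoder-stacks/ssl`, would make the intent clear to whoever next touches this stage.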
20 changes: 17 additions & 3 deletions deploy/docker/all-in-one/entrypoint.sh
Expand Up @@ -19,19 +19,20 @@ fi;

LOGS="/lowcoder-stacks/logs"
DATA="/lowcoder-stacks/data"
CERT="/lowcoder-stacks/ssl"
# Create folder for holding application logs and data
mkdir -p ${LOGS}/redis \
${LOGS}/mongodb \
${LOGS}/api-service \
${LOGS}/node-service \
${LOGS}/frontend \
${DATA}/redis \
${DATA}/mongodb
${DATA}/mongodb \
${CERT}

# Update owner of logs and data
chown -R ${USER_ID}:${GROUP_ID} /lowcoder-stacks/ /lowcoder/etc


# Enable services
SUPERVISOR_AVAILABLE="/lowcoder/etc/supervisord/conf-available"
SUPERVISOR_ENABLED="/lowcoder/etc/supervisord/conf-enabled"
Expand Down Expand Up @@ -62,9 +63,22 @@ if [ "${NODE_SERVICE_ENABLED:=true}" = "true" ]; then
ln ${SUPERVISOR_AVAILABLE}/11-node-service.conf ${SUPERVISOR_ENABLED}/11-node-service.conf
fi;

# Enable forntend if configured to run
# Enable frontend if configured to run
if [ "${FRONTEND_ENABLED:=true}" = "true" ]; then
ln ${SUPERVISOR_AVAILABLE}/20-frontend.conf ${SUPERVISOR_ENABLED}/20-frontend.conf

unlink /etc/nginx/nginx.conf 2>/dev/null
if [ -e "${CERT}/fullchain.pem" ] && [ -e "${CERT}/privkey.pem" ]; then
echo "Certificates found, starting with HTTPS."
ln -s /etc/nginx/nginx-https.conf /etc/nginx/nginx.conf
if [ ! -e "${CERT}/dhparam.pem" ]; then
echo "Diffle-Helmann parameters file not found, generating in now... (this can take some time)"
openssl dhparam -out "${CERT}/dhparam.pem" 4096
fi;
else
echo "Certificates not found, starting with HTTP."
ln -s /etc/nginx/nginx-http.conf /etc/nginx/nginx.conf
fi;
fi;

# Handle CMD command
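Review bot: `openssl dhparam -out "${CERT}/dhparam.pem" 4096` writes straight to the final path and its exit status is never checked, so a failed run, or a container stopped during the multi-minute generation, leaves a truncated dhparam.pem that the `[ ! -e "${CERT}/dhparam.pem" ]` guard then accepts as complete on every later start, and nginx refuses to load it. Generate into a temporary name, rename only on success, and abort the HTTPS start otherwise instead of falling through to a broken listener; the rewritten block is below. The same echo has a typo in the runtime message, `Diffle-Helmann` should read `Diffie-Hellman`. Separately, generation happens after the `chown -R ${USER_ID}:${GROUP_ID} /lowcoder-stacks/` earlier in the file, so the new file keeps the entrypoint's own uid while everything else under ${CERT} has been re-owned; whether that matters depends on which user reads ssl_dhparam, which this hunk does not show.
```sh
# … unchanged: FRONTEND_ENABLED check, unlink and certificate test …
    if [ ! -e "${CERT}/dhparam.pem" ]; then
        echo "Diffie-Hellman parameters file not found, generating it now... (this can take some time)"
        # write to a temporary name so an interrupted or failed run never leaves a truncated dhparam.pem behind
        if openssl dhparam -out "${CERT}/dhparam.pem.tmp" 4096; then
            mv "${CERT}/dhparam.pem.tmp" "${CERT}/dhparam.pem"
            chown "${USER_ID}:${GROUP_ID}" "${CERT}/dhparam.pem"
        else
            rm -f "${CERT}/dhparam.pem.tmp"
            echo "Generating ${CERT}/dhparam.pem failed; refusing to start HTTPS without it." >&2
            exit 1
        fi
    fi;
# … unchanged: HTTP fallback branch …
```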
1 change: 1 addition & 0 deletions deploy/docker/docker-compose.yaml
Expand Up @@ -9,6 +9,7 @@ services:
container_name: lowcoder
ports:
- "3000:3000"
- "3443:3443"
environment:
# enable services
REDIS_ENABLED: "true"
Expand Up @@ -46,12 +46,14 @@ http {
location /api {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass __LOWCODER_API_SERVICE_URL__;
}

location /node-service/plugin-icons {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass __LOWCODER_NODE_SERVICE_URL__;
}
}
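--- /dev/null
+++ b/deploy/docker/frontend/nginx-https.conf
@@ -0,0 +1,63 @@
+user lowcoder;
+
+worker_processes 1;
+
+events {
+worker_connections 1024;
+}
+
+http {
+
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+
+log_format main '"$time_local" client=$remote_addr '
+'method=$request_method request="$request" '
+'request_length=$request_length '
+'status=$status bytes_sent=$bytes_sent '
+'body_bytes_sent=$body_bytes_sent '
+'referer=$http_referer '
+'http_x_forwarded_for=$http_x_forwarded_for '
+'user_agent="$http_user_agent" '
+'upstream_addr=$upstream_addr '
+'upstream_status=$upstream_status '
+'request_time=$request_time '
+'upstream_response_time=$upstream_response_time '
+'upstream_connect_time=$upstream_connect_time '
+'upstream_header_time=$upstream_header_time';
+
+keepalive_timeout 65;
+sendfile on;
+#tcp_nopush on;
+
+server {
+listen 3443 ssl;
+root /lowcoder/client;
+
+include /etc/nginx/ssl-certificate.conf;
+include /etc/nginx/ssl-params.conf;
+
+location / {
+try_files $uri /index.html;
+
+if ($request_filename ~* .*.(html|htm)$) {
+add_header Cache-Control no-cache;
+}
+}
+
+location /api {
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_pass __LOWCODER_API_SERVICE_URL__;
+}
+
+location /node-service/plugin-icons {
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_pass __LOWCODER_NODE_SERVICE_URL__;
+}
+}
+
+}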
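Review bot: The `add_header Cache-Control no-cache;` inside the `if` block of `location /` means the security headers declared at server level through ssl-params.conf (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection) are not sent on the HTML responses that `if` matches, because nginx inherits `add_header` from the enclosing level only when the current level defines none; those are exactly the responses where X-Frame-Options matters. Repeat them next to the Cache-Control line, `add_header X-Frame-Options DENY;` and `add_header X-Content-Type-Options nosniff;`, or move the whole header set into this block. The regex `.*.(html|htm)$` also has an unescaped dot, so it matches any name ending in `html`/`htm` such as `foohtml`; `if ($request_filename ~* \.html?$) {` expresses the intent. Finally this file duplicates everything in nginx-http.conf except the `listen` and `include` lines, so the `/api` and `/node-service/plugin-icons` locations (including the X-Real-IP header this PR adds to both) must now be kept in sync by hand; an included file for the shared locations would leave only the listener differing.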
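--- /dev/null
+++ b/deploy/docker/frontend/ssl-certificate.conf
@@ -0,0 +1,2 @@
+ssl_certificate /lowcoder-stacks/ssl/fullchain.pem;
+ssl_certificate_key /lowcoder-stacks/ssl/privkey.pem;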
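--- /dev/null
+++ b/deploy/docker/frontend/ssl-params.conf
@@ -0,0 +1,18 @@
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_dhparam /lowcoder-stacks/ssl/dhparam.pem;
+ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ssl_ecdh_curve secp384r1;
+ssl_session_timeout 10m;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable strict transport security for now. You can uncomment the following
+# line if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";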
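Review bot: With `ssl_protocols TLSv1.3;` alone, `ssl_ciphers`, `ssl_prefer_server_ciphers` and `ssl_dhparam` have no effect, because nginx applies the cipher list and DH parameters only to TLS 1.2 and earlier while the TLS 1.3 key exchange takes its groups from `ssl_ecdh_curve`; as far as I can tell the 4096-bit dhparam.pem that entrypoint.sh spends minutes generating on first start is therefore never used. Either drop `ssl_dhparam` together with the generation step, or, if TLS 1.2 clients are meant to be supported, add `TLSv1.2` to `ssl_protocols` so the remaining lines do something. `resolver 8.8.8.8 8.8.4.4` hard-codes a public DNS service for the OCSP stapling lookups; on networks without such egress stapling silently stops working and the error log fills up, so a comment like `# resolver is only used for OCSP stapling lookups; override on networks without egress to public DNS` would help operators. `ssl_stapling_verify on` also requires the issuer chain, so it is worth stating that fullchain.pem must be a full chain rather than a leaf-only certificate. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore or treat as harmful; a Content-Security-Policy is the modern replacement, though it needs testing against the application before it is enabled.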