From 6bd4bc7bdd7c7049968ee925e22b553ccd88e4b2 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 4 Sep 2022 11:45:45 -0500 Subject: [PATCH 1/7] Docker: configurable BACKEND_URL --- Dockerfile | 1 + installation/docker.conf.template | 49 ++++++++++++++++++++++++++++--- 2 files changed, 46 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index efe959b6d..4c47eae54 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,5 +10,6 @@ RUN yarn build FROM nginx:stable-alpine EXPOSE 5000 ENV PORT=5000 +ENV BACKEND_URL=http://localhost COPY installation/docker.conf.template /etc/nginx/templates/default.conf.template COPY --from=build /app/static /usr/share/nginx/html diff --git a/installation/docker.conf.template b/installation/docker.conf.template index d4393ad35..06fdc5096 100644 --- a/installation/docker.conf.template +++ b/installation/docker.conf.template @@ -2,6 +2,22 @@ # It's intended to be used by the official nginx image, which has templating functionality. # Mount at: `/etc/nginx/templates/default.conf.template` +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; + +server { + server_name localhost; + + location / { + add_header Content-Type "application/json" always; + return 404 '{"error": "Not implemented"}'; + } +} + server { listen ${PORT}; @@ -34,10 +50,9 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; } - # Return 404 on API routes so Soapbox knows what to do. - location /api { - add_header Content-Type "application/json"; - return 404 '{"error": "Not implemented"}'; + # Backend routes + location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|media|nodeinfo|unsubscribe|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) { + try_files /dev/null @backend; } # ServiceWorker: don't cache. @@ -45,4 +60,30 @@ server { add_header Cache-Control "public, max-age=0"; add_header Strict-Transport-Security "max-age=31536000" always; } + + # Proxy to the backend. + location @backend { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Proxy ""; + proxy_pass_header Server; + + proxy_pass ${BACKEND_URL}; + proxy_buffering on; + proxy_redirect off; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + proxy_cache CACHE; + proxy_cache_valid 200 7d; + proxy_cache_valid 410 24h; + proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; + add_header X-Cached $upstream_cache_status; + add_header Strict-Transport-Security "max-age=31536000" always; + + tcp_nodelay on; + } } From 6d07c45903885670b0cb8b0d1b9a146f6ba8568a Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 4 Sep 2022 12:54:41 -0500 Subject: [PATCH 2/7] dockerignore: .git --- .dockerignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.dockerignore b/.dockerignore index 92e9362d8..41b87855a 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,5 @@ +.git + /node_modules/ /tmp/ /build/ From 9821a1f639cbd06b23b34537adce1f1e194536e5 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 4 Sep 2022 13:58:13 -0500 Subject: [PATCH 3/7] Docker: adopt mastodon.conf --- installation/docker.conf.template | 47 ++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/installation/docker.conf.template b/installation/docker.conf.template index 06fdc5096..0c13a26a3 100644 --- a/installation/docker.conf.template +++ b/installation/docker.conf.template @@ -2,11 +2,20 @@ # It's intended to be used by the official nginx image, which has templating functionality. # Mount at: `/etc/nginx/templates/default.conf.template` +map_hash_bucket_size 128; + map $http_upgrade $connection_upgrade { default upgrade; '' close; } +# ActivityPub routing. +map $http_accept $activitypub_location { + default @soapbox; + "application/activity+json" @backend; + 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"' @backend; +} + proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; server { @@ -20,6 +29,7 @@ server { server { listen ${PORT}; + listen [::]:${PORT}; keepalive_timeout 70; sendfile on; @@ -28,6 +38,7 @@ server { root /usr/share/nginx/html; gzip on; + gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_comp_level 6; @@ -37,30 +48,46 @@ server { add_header Strict-Transport-Security "max-age=31536000" always; - # SPA. - # Try static files, then fall back to index.html. + # Content Security Policy (CSP) + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + add_header Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self'; img-src 'self' https: data: blob:; style-src 'self' 'unsafe-inline'; media-src 'self' https: data:; frame-src 'self' https:; manifest-src 'self'; connect-src 'self' data: blob:; script-src 'self'; child-src 'self'; worker-src 'self';"; + + # Fallback route. + # Try static files, then fall back to the SPA. location / { - try_files $uri /index.html; + try_files $uri @soapbox; } - # Build files. + # Backend routes. + # These are routes to the backend's API and important rendered pages. + location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|media|nodeinfo|unsubscribe|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) { + try_files /dev/null @backend; + } + + # Backend ActivityPub routes. + # Conditionally send to the backend by Accept header. + location ~ ^/(inbox|users|@(.+)) { + try_files /dev/null $activitypub_location; + } + + # Soapbox build files. # New builds produce hashed filenames, so these should be cached heavily. location /packs { add_header Cache-Control "public, max-age=31536000, immutable"; add_header Strict-Transport-Security "max-age=31536000" always; } - # Backend routes - location ~ ^/(api|oauth|auth|admin|pghero|sidekiq|manifest.json|media|nodeinfo|unsubscribe|.well-known/(webfinger|host-meta|nodeinfo|change-password)|@(.+)/embed$) { - try_files /dev/null @backend; - } - - # ServiceWorker: don't cache. + # Soapbox ServiceWorker. location = /sw.js { add_header Cache-Control "public, max-age=0"; add_header Strict-Transport-Security "max-age=31536000" always; } + # Soapbox SPA (Single Page App). + location @soapbox { + try_files /index.html /dev/null; + } + # Proxy to the backend. location @backend { proxy_set_header Host $host; From 06afd122130f7cc41e0e2050e75a2d3abc59738b Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 4 Sep 2022 14:46:29 -0500 Subject: [PATCH 4/7] Docker: make CSP configurable --- Dockerfile | 1 + installation/docker.conf.template | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4c47eae54..c7068a768 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,5 +11,6 @@ FROM nginx:stable-alpine EXPOSE 5000 ENV PORT=5000 ENV BACKEND_URL=http://localhost +ENV CSP= COPY installation/docker.conf.template /etc/nginx/templates/default.conf.template COPY --from=build /app/static /usr/share/nginx/html diff --git a/installation/docker.conf.template b/installation/docker.conf.template index 0c13a26a3..2759f765a 100644 --- a/installation/docker.conf.template +++ b/installation/docker.conf.template @@ -50,7 +50,7 @@ server { # Content Security Policy (CSP) # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy - add_header Content-Security-Policy "base-uri 'none'; default-src 'none'; font-src 'self'; img-src 'self' https: data: blob:; style-src 'self' 'unsafe-inline'; media-src 'self' https: data:; frame-src 'self' https:; manifest-src 'self'; connect-src 'self' data: blob:; script-src 'self'; child-src 'self'; worker-src 'self';"; + add_header Content-Security-Policy "${CSP}"; # Fallback route. # Try static files, then fall back to the SPA. @@ -97,7 +97,7 @@ server { proxy_set_header Proxy ""; proxy_pass_header Server; - proxy_pass ${BACKEND_URL}; + proxy_pass "${BACKEND_URL}"; proxy_buffering on; proxy_redirect off; proxy_http_version 1.1; From 8403615eb0346067fa4a22520ae619a9a2f418bd Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 4 Sep 2022 15:02:12 -0500 Subject: [PATCH 5/7] Docker: open fallback backend at :4444 --- Dockerfile | 3 ++- installation/docker.conf.template | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index c7068a768..bfb7c2e48 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,8 @@ RUN yarn build FROM nginx:stable-alpine EXPOSE 5000 ENV PORT=5000 -ENV BACKEND_URL=http://localhost +ENV FALLBACK_PORT=4444 +ENV BACKEND_URL=http://localhost:4444 ENV CSP= COPY installation/docker.conf.template /etc/nginx/templates/default.conf.template COPY --from=build /app/static /usr/share/nginx/html diff --git a/installation/docker.conf.template b/installation/docker.conf.template index 2759f765a..0938b756e 100644 --- a/installation/docker.conf.template +++ b/installation/docker.conf.template @@ -18,8 +18,10 @@ map $http_accept $activitypub_location { proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g; +# Fake backend for when BACKEND_URL isn't defined. server { - server_name localhost; + listen ${FALLBACK_PORT}; + listen [::]:${FALLBACK_PORT}; location / { add_header Content-Type "application/json" always; From 06646a01df32779e39d6a420e6920e55b352330e Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 4 Sep 2022 15:37:34 -0500 Subject: [PATCH 6/7] GitLab CI: build a docker image --- .gitlab-ci.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 90c856e40..edd3700ae 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -142,3 +142,16 @@ pages: only: refs: - develop + +docker: + image: docker:20.10.17 + services: + - docker:20.10.17-dind + # https://medium.com/devops-with-valentine/how-to-build-a-docker-image-and-push-it-to-the-gitlab-container-registry-from-a-gitlab-ci-pipeline-acac0d1f26df + script: + - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin + - docker build -t $CI_REGISTRY_IMAGE . + - docker push $CI_REGISTRY_IMAGE + # only: + # refs: + # - develop \ No newline at end of file From 53be32de34c64bb40c9bf05a25ffc3c4d085e249 Mon Sep 17 00:00:00 2001 From: Alex Gleason Date: Sun, 4 Sep 2022 15:58:48 -0500 Subject: [PATCH 7/7] GitLab CI: only publish image on develop --- .gitlab-ci.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index edd3700ae..aaca197c3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -144,14 +144,15 @@ pages: - develop docker: + stage: deploy image: docker:20.10.17 services: - - docker:20.10.17-dind + - docker:20.10.17-dind # https://medium.com/devops-with-valentine/how-to-build-a-docker-image-and-push-it-to-the-gitlab-container-registry-from-a-gitlab-ci-pipeline-acac0d1f26df script: - echo $CI_REGISTRY_PASSWORD | docker login -u $CI_REGISTRY_USER $CI_REGISTRY --password-stdin - docker build -t $CI_REGISTRY_IMAGE . - docker push $CI_REGISTRY_IMAGE - # only: - # refs: - # - develop \ No newline at end of file + only: + refs: + - develop \ No newline at end of file