diff --git a/.env.example b/.env.example index dad544580a..b6df405361 100644 --- a/.env.example +++ b/.env.example @@ -1,5 +1,5 @@ ### ODK Central ### -ODK_CENTRAL_URL=${ODK_CENTRAL_URL:-"https://proxy"} +ODK_CENTRAL_URL=${ODK_CENTRAL_URL:-"https://odkcentral:8443"} ODK_CENTRAL_USER=${ODK_CENTRAL_USER:-"test@fmtm.dev"} ODK_CENTRAL_PASSWD=${ODK_CENTRAL_PASSWD:-"testuserpassword"} diff --git a/.github/labeler.yml b/.github/labeler.yml index f1d9c2b14e..f22f4c5522 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -4,7 +4,6 @@ - "src/backend/**/*" "devops": - ".github/**/*" - - "nginx/**/*" - "scripts/**/*" - "docker-*.yml" - "**/Dockerfile" diff --git a/.github/workflows/build_proxy_imgs.yml b/.github/workflows/build_proxy_imgs.yml deleted file mode 100644 index ea4bffa818..0000000000 --- a/.github/workflows/build_proxy_imgs.yml +++ /dev/null @@ -1,56 +0,0 @@ -name: 🔧 Build Proxy Images - -on: - # Trigger on schedule - schedule: - # Run 2:00 on 1st and 15th of every month - - cron: "0 2 1,15 * *" - # Allow manual trigger - workflow_dispatch: - -jobs: - build-cert-init-main: - uses: hotosm/gh-workflows/.github/workflows/image_build.yml@1.6.0 - with: - context: nginx - build_target: certs-init-main - image_tags: | - "ghcr.io/${{ github.repository }}/proxy:certs-init-main" - extra_build_args: | - NGINX_TAG=${{ vars.NGINX_TAG }} - multi_arch: true - - build-cert-init-dev: - uses: hotosm/gh-workflows/.github/workflows/image_build.yml@1.6.0 - with: - context: nginx - build_target: certs-init-development - image_tags: | - "ghcr.io/${{ github.repository }}/proxy:certs-init-development" - "ghcr.io/${{ github.repository }}/proxy:certs-init-staging" - extra_build_args: | - NGINX_TAG=${{ vars.NGINX_TAG }} - multi_arch: true - - build-proxy-main: - uses: hotosm/gh-workflows/.github/workflows/image_build.yml@1.6.0 - with: - context: nginx - build_target: main - image_tags: | - "ghcr.io/${{ github.repository }}/proxy:main" - extra_build_args: | - NGINX_TAG=${{ vars.NGINX_TAG }} - multi_arch: true - - build-proxy-dev: - uses: hotosm/gh-workflows/.github/workflows/image_build.yml@1.6.0 - with: - context: nginx - build_target: development - image_tags: | - "ghcr.io/${{ github.repository }}/proxy:development" - "ghcr.io/${{ github.repository }}/proxy:staging" - extra_build_args: | - NGINX_TAG=${{ vars.NGINX_TAG }} - multi_arch: true diff --git a/.gitignore b/.gitignore index 6c83c3b1eb..33829901c9 100644 --- a/.gitignore +++ b/.gitignore @@ -19,6 +19,7 @@ .Python env/ build/ +!contrib/just/build develop-eggs/ dist/ dev-dist/ diff --git a/README.md b/README.md index b85d318c4f..a581520cd9 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@
-| **CI/CD** | | [![Build and Deploy](https://github.com/hotosm/fmtm/actions/workflows/build_and_deploy.yml/badge.svg?branch=main)](https://github.com/hotosm/fmtm/actions/workflows/build_and_deploy.yml?query=branch%3Amain) [![Build CI Img](https://github.com/hotosm/fmtm/actions/workflows/build_ci_img.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_ci_img.yml) [![Build ODK Images](https://github.com/hotosm/fmtm/actions/workflows/build_odk_imgs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_odk_imgs.yml)
[![🔧 Build Proxy Images](https://github.com/hotosm/fmtm/actions/workflows/build_proxy_imgs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_proxy_imgs.yml) [![Publish Docs](https://github.com/hotosm/fmtm/actions/workflows/docs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/docs.yml) | +| **CI/CD** | | [![Build and Deploy](https://github.com/hotosm/fmtm/actions/workflows/build_and_deploy.yml/badge.svg?branch=main)](https://github.com/hotosm/fmtm/actions/workflows/build_and_deploy.yml?query=branch%3Amain) [![Build CI Img](https://github.com/hotosm/fmtm/actions/workflows/build_ci_img.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_ci_img.yml) [![Build ODK Images](https://github.com/hotosm/fmtm/actions/workflows/build_odk_imgs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/build_odk_imgs.yml)
[![Publish Docs](https://github.com/hotosm/fmtm/actions/workflows/docs.yml/badge.svg?branch=development)](https://github.com/hotosm/fmtm/actions/workflows/docs.yml) | | :--- | :--- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Tech Stack** | | ![FastAPI](https://img.shields.io/badge/FastAPI-005571?style=for-the-badge&logo=fastapi) ![React](https://img.shields.io/badge/react-%2320232a.svg?style=for-the-badge&logo=react&logoColor=%2361DAFB) ![Postgres](https://img.shields.io/badge/postgres-%23316192.svg?style=for-the-badge&logo=postgresql&logoColor=white) ![Kubernetes](https://img.shields.io/badge/kubernetes-%23326ce5.svg?style=for-the-badge&logo=kubernetes&logoColor=white) ![Docker](https://img.shields.io/badge/docker-%230db7ed.svg?style=for-the-badge&logo=docker&logoColor=white) | | **Code Style** | | [![Backend Style](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/format.json&labelColor=202235)](https://github.com/astral-sh/ruff) [![Frontend Style](https://img.shields.io/badge/code%20style-prettier-F7B93E?logo=Prettier)](https://github.com/prettier/prettier) [![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://pre-commit.com) | diff --git a/nginx/templates/cert-init/fmtm.conf.template b/contrib/just/build/Justfile similarity index 52% rename from nginx/templates/cert-init/fmtm.conf.template rename to contrib/just/build/Justfile index deff4f7df2..64c4ac37b1 100644 --- a/nginx/templates/cert-init/fmtm.conf.template +++ b/contrib/just/build/Justfile @@ -1,4 +1,4 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team +# Copyright (c) 2024 Humanitarian OpenStreetMap Team # # This file is part of FMTM. # @@ -16,11 +16,23 @@ # along with FMTM. If not, see . # -server { - listen 80 default_server; - server_name ${FMTM_DOMAIN}; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } -} +# Generate certs for local ODK Central https +[no-cd] +gen-odk-cert: + #!/usr/bin/env sh + openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -days 36500 \ + -nodes -keyout odkcentral.key -out odkcentral.crt -subj "/CN=odkcentral" \ + -addext "subjectAltName=DNS:odkcentral,DNS:*.odk.fmtm.localhost,IP:10.20.30.50" + + CERT_BASE64=$(cat odkcentral.crt | base64 -w0) + KEY_BASE64=$(cat odkcentral.key | base64 -w0) + + echo + echo "Cert base64:" + echo + echo ${CERT_BASE64} + echo + echo "Key base64:" + echo + echo ${KEY_BASE64} + echo diff --git a/contrib/just/start/Justfile b/contrib/just/start/Justfile index 262e7aeb2c..9c6fb3d205 100644 --- a/contrib/just/start/Justfile +++ b/contrib/just/start/Justfile @@ -83,7 +83,7 @@ tunnel: up -d api ui # Restart ODK Central with domain override (for form download urls) - CENTRAL_DOMAIN_OVERRIDE="$(echo "${odk_url}" | sed 's|^https://||')" \ + FMTM_ODK_DOMAIN="$(echo "${odk_url}" | sed 's|^https://||')" \ docker compose \ -f docker-compose.yml \ -f contrib/tunnel/docker-compose.yml \ @@ -137,4 +137,3 @@ _print-tunnel-urls fmtm_url api_url odk_url s3_url: @echo - diff --git a/docker-compose.development.yml b/docker-compose.development.yml index da962a76e4..192578ac8c 100644 --- a/docker-compose.development.yml +++ b/docker-compose.development.yml @@ -76,6 +76,77 @@ services: - fmtm-net restart: "unless-stopped" + # proxy: + # image: "ghcr.io/bunkerity/bunkerweb:1.5.9" + # depends_on: + # proxy-config: + # condition: service_started + # api: + # condition: service_started + # ui: + # condition: service_started + # central: + # condition: service_started + # required: false + # central-ui: + # condition: service_completed_successfully + # required: false + # s3: + # condition: service_started + # volumes: + # - nginx-configs:/etc/nginx + # - central_frontend:/var/www/html/odk.fmtm.localhost:ro + # environment: + # # General + # LOG_LEVEL: notice + # API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24 + # MULTISITE: yes + # USE_REVERSE_PROXY: yes + # REVERSE_PROXY_INTERCEPT_ERRORS: no + # ALLOWED_METHODS: OPTIONS|HEAD|GET|POST|PATCH|PUT|DELETE + # USE_REAL_IP: yes + # SERVE_FILES: yes + # USE_BACKUP: no + # USE_METRICS: no + # # USE_ANTIBOT: yes + # USE_BAD_BEHAVIOR: yes + # USE_LIMIT_REQ: yes + # USE_MODSECURITY: yes + # USE_BROTLI: yes + # # For OpenTelemetry + # CUSTOM_HEADER: "Access-Control-Allow-Headers: 'traceparent,tracestate'" + # # AUTO_LETS_ENCRYPT: yes + # # EMAIL_LETS_ENCRYPT: + # # USE_LETS_ENCRYPT_STAGING: yes + # # Reverse proxy configs + # SERVER_NAME: fmtm.localhost api.fmtm.localhost s3.fmtm.localhost odk.fmtm.localhost odkcentral + # fmtm.localhost_REVERSE_PROXY_HOST: http://ui:7051 + # fmtm.localhost_MAX_CLIENT_SIZE: 1G + # api.fmtm.localhost_REVERSE_PROXY_HOST: http://api:8000 + # api.fmtm.localhost_MAX_CLIENT_SIZE: 1G + # s3.fmtm.localhost_REVERSE_PROXY_HOST: http://s3:9000 + # s3.fmtm.localhost_MAX_CLIENT_SIZE: 10G + # odk.fmtm.localhost_REVERSE_PROXY_HOST: http://central:8383 + # odk.fmtm.localhost_REVERSE_PROXY_URL: ~ ^/v\d + # # buffer requests, but not responses, so streaming out works + # odk.fmtm.localhost_REVERSE_PROXY_BUFFERING: no + # odk.fmtm.localhost_MAX_CLIENT_SIZE: 500m + # # Service for local development only to facilitate https odkcentral + # odkcentral_REVERSE_PROXY_HOST: http://central:8383 + # odkcentral_REVERSE_PROXY_URL: ~ ^/v\d + # odkcentral_REVERSE_PROXY_BUFFERING: no + # # Custom cert only for local development + # odkcentral_USE_CUSTOM_SSL: yes + # odkcentral_AUTO_REDIRECT_HTTP_TO_HTTPS: no + # odkcentral_CUSTOM_SSL_CERT_DATA: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI5RENDQVhtZ0F3SUJBZ0lVWXFyb0dWRVdsK204eU9OY2pUU2pCWThkckN3d0NnWUlLb1pJemowRUF3SXcKRlRFVE1CRUdBMVVFQXd3S2IyUnJZMlZ1ZEhKaGJEQWdGdzB5TkRBM01qTXhNakF6TVRWYUdBOHlNVEkwTURZeQpPVEV5TURNeE5Wb3dGVEVUTUJFR0ExVUVBd3dLYjJSclkyVnVkSEpoYkRCMk1CQUdCeXFHU000OUFnRUdCU3VCCkJBQWlBMklBQktSZmpOQVFzWUI0ekNXckdETHdKNEVIRDRTNW5rL1Z3aG00TmYwN203c0RTai9RTzlYK0JnNjIKeWlMbWVzT1ZMRExHRklpZXZ2aHIrZkxNY0YwUDQwN0FWKytER1o5bXZ6VmNwMVdZMlE5NllpTVVuelM3MWx0RQo4K3BXbFBmanRLT0JoekNCaERBZEJnTlZIUTRFRmdRVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dId1lEClZSMGpCQmd3Rm9BVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QXgKQmdOVkhSRUVLakFvZ2dwdlpHdGpaVzUwY21Gc2doUXFMbTlrYXk1bWJYUnRMbXh2WTJGc2FHOXpkSWNFQ2hRZQpNakFLQmdncWhrak9QUVFEQWdOcEFEQm1BakVBb2xuOGRubmlQN0dKSEJPQW4rTHVCV0ZhaUY1NHFZRmpTYyt1Clpia1cwY1pyNWw2VnZ6WVlBdGdWbUtOdTB5WWRBakVBMWlvT2JRTERYdDV3S1JPWjV5VUtmbys2T21IbTV1NWkKQU5LUHd2MExqc2ZIYk5hbzJMWnduK0VxTjNtdUpPNXEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + # odkcentral_CUSTOM_SSL_KEY_DATA: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JRzJBZ0VBTUJBR0J5cUdTTTQ5QWdFR0JTdUJCQUFpQklHZU1JR2JBZ0VCQkRCc21pQjBmUU5hR1VobEdpWnMKNks1YVo1K1hUOVM1cFdlWkhZc05SVXRlK2FRZ1hIK0pTSmpwRnFqRnNLN21abldoWkFOaUFBU2tYNHpRRUxHQQplTXdscXhneThDZUJCdytFdVo1UDFjSVp1RFg5TzV1N0Ewby8wRHZWL2dZT3Rzb2k1bnJEbFN3eXhoU0lucjc0CmEvbnl6SEJkRCtOT3dGZnZneG1mWnI4MVhLZFZtTmtQZW1JakZKODB1OVpiUlBQcVZwVDM0N1E9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K + # ports: + # - ${FMTM_DEV_PORT:-7050}:8080 + # networks: + # fmtm-net: + # ipv4_address: 10.20.30.50 + # restart: "unless-stopped" + api: image: "ghcr.io/hotosm/fmtm/backend:${GIT_BRANCH}" volumes: @@ -124,6 +195,8 @@ services: depends_on: central-db: condition: service_healthy + pyxform: + condition: service_started environment: - DOMAIN=${FMTM_ODK_DOMAIN:-odk.${FMTM_DOMAIN}} - SSL_TYPE=upstream diff --git a/docker-compose.yml b/docker-compose.yml index 7172219fd9..ee6ad06cd7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,6 +18,7 @@ name: fmtm volumes: + nginx-configs: fmtm_data: fmtm_db_data: fmtm_logs: @@ -29,16 +30,17 @@ volumes: networks: fmtm-net: name: fmtm-${GIT_BRANCH:-local} + ipam: + driver: default + config: + - subnet: 10.20.30.0/24 services: proxy: - image: "ghcr.io/hotosm/fmtm/proxy:debug" - build: - context: nginx - target: debug - args: - NGINX_TAG: "${NGINX_TAG:-1.27.0}" + image: "ghcr.io/bunkerity/bunkerweb:1.5.9" depends_on: + proxy-config: + condition: service_started api: condition: service_started ui: @@ -52,13 +54,84 @@ services: s3: condition: service_started volumes: - - central_frontend:/usr/share/nginx/html/central + - nginx-configs:/etc/nginx + - central_frontend:/var/www/html/odk.fmtm.localhost:ro + environment: + # General + LOG_LEVEL: notice + API_WHITELIST_IP: 127.0.0.0/8 10.20.30.0/24 + MULTISITE: yes + USE_REVERSE_PROXY: yes + REVERSE_PROXY_INTERCEPT_ERRORS: no + ALLOWED_METHODS: OPTIONS|HEAD|GET|POST|PATCH|PUT|DELETE + USE_REAL_IP: yes + SERVE_FILES: yes + USE_BACKUP: no + USE_METRICS: no + # USE_ANTIBOT: yes + USE_BAD_BEHAVIOR: no + USE_LIMIT_REQ: no + USE_MODSECURITY: no + USE_BROTLI: yes + # For OpenTelemetry + # KEEP_UPSTREAM_HEADERS: "*" + # CUSTOM_HEADER: "Access-Control-Allow-Headers: traceparent,tracestate" + # AUTO_LETS_ENCRYPT: yes + # EMAIL_LETS_ENCRYPT: + # USE_LETS_ENCRYPT_STAGING: yes + # Reverse proxy configs + SERVER_NAME: fmtm.localhost api.fmtm.localhost s3.fmtm.localhost odk.fmtm.localhost odkcentral + fmtm.localhost_REVERSE_PROXY_HOST: http://ui:7051 + fmtm.localhost_MAX_CLIENT_SIZE: 1G + api.fmtm.localhost_REVERSE_PROXY_HOST: http://api:8000 + api.fmtm.localhost_MAX_CLIENT_SIZE: 1G + s3.fmtm.localhost_REVERSE_PROXY_HOST: http://s3:9000 + s3.fmtm.localhost_MAX_CLIENT_SIZE: 10G + odk.fmtm.localhost_REVERSE_PROXY_HOST: http://central:8383 + odk.fmtm.localhost_REVERSE_PROXY_URL: ~ ^/v\d + # buffer requests, but not responses, so streaming out works + odk.fmtm.localhost_REVERSE_PROXY_BUFFERING: no + odk.fmtm.localhost_MAX_CLIENT_SIZE: 500m + # Service for local development only to facilitate https odkcentral + odkcentral_REVERSE_PROXY_HOST: http://central:8383 + odkcentral_REVERSE_PROXY_URL: ~ ^/v\d + odkcentral_REVERSE_PROXY_BUFFERING: no + # Custom cert only for local development + odkcentral_USE_CUSTOM_SSL: yes + odkcentral_AUTO_REDIRECT_HTTP_TO_HTTPS: no + odkcentral_CUSTOM_SSL_CERT_DATA: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI5RENDQVhtZ0F3SUJBZ0lVWXFyb0dWRVdsK204eU9OY2pUU2pCWThkckN3d0NnWUlLb1pJemowRUF3SXcKRlRFVE1CRUdBMVVFQXd3S2IyUnJZMlZ1ZEhKaGJEQWdGdzB5TkRBM01qTXhNakF6TVRWYUdBOHlNVEkwTURZeQpPVEV5TURNeE5Wb3dGVEVUTUJFR0ExVUVBd3dLYjJSclkyVnVkSEpoYkRCMk1CQUdCeXFHU000OUFnRUdCU3VCCkJBQWlBMklBQktSZmpOQVFzWUI0ekNXckdETHdKNEVIRDRTNW5rL1Z3aG00TmYwN203c0RTai9RTzlYK0JnNjIKeWlMbWVzT1ZMRExHRklpZXZ2aHIrZkxNY0YwUDQwN0FWKytER1o5bXZ6VmNwMVdZMlE5NllpTVVuelM3MWx0RQo4K3BXbFBmanRLT0JoekNCaERBZEJnTlZIUTRFRmdRVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dId1lEClZSMGpCQmd3Rm9BVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QXgKQmdOVkhSRUVLakFvZ2dwdlpHdGpaVzUwY21Gc2doUXFMbTlrYXk1bWJYUnRMbXh2WTJGc2FHOXpkSWNFQ2hRZQpNakFLQmdncWhrak9QUVFEQWdOcEFEQm1BakVBb2xuOGRubmlQN0dKSEJPQW4rTHVCV0ZhaUY1NHFZRmpTYyt1Clpia1cwY1pyNWw2VnZ6WVlBdGdWbUtOdTB5WWRBakVBMWlvT2JRTERYdDV3S1JPWjV5VUtmbys2T21IbTV1NWkKQU5LUHd2MExqc2ZIYk5hbzJMWnduK0VxTjNtdUpPNXEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= + odkcentral_CUSTOM_SSL_KEY_DATA: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JRzJBZ0VBTUJBR0J5cUdTTTQ5QWdFR0JTdUJCQUFpQklHZU1JR2JBZ0VCQkRCc21pQjBmUU5hR1VobEdpWnMKNks1YVo1K1hUOVM1cFdlWkhZc05SVXRlK2FRZ1hIK0pTSmpwRnFqRnNLN21abldoWkFOaUFBU2tYNHpRRUxHQQplTXdscXhneThDZUJCdytFdVo1UDFjSVp1RFg5TzV1N0Ewby8wRHZWL2dZT3Rzb2k1bnJEbFN3eXhoU0lucjc0CmEvbnl6SEJkRCtOT3dGZnZneG1mWnI4MVhLZFZtTmtQZW1JakZKODB1OVpiUlBQcVZwVDM0N1E9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K ports: - - ${FMTM_DEV_PORT:-7050}:80 + - ${FMTM_DEV_PORT:-7050}:8080 networks: - - fmtm-net + fmtm-net: + ipv4_address: 10.20.30.50 restart: "unless-stopped" + proxy-config: + image: "ghcr.io/bunkerity/bunkerweb-scheduler:1.5.9" + depends_on: + proxy-docker-sock: + condition: service_started + environment: + - DOCKER_HOST=tcp://proxy-docker-sock:2375 + networks: + - fmtm-net + restart: "no" + entrypoint: timeout 120 ./entrypoint.sh + + proxy-docker-sock: + image: "docker.io/tecnativa/docker-socket-proxy:0.2.0" + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + environment: + - CONTAINERS=1 + - LOG_LEVEL=warning + networks: + - fmtm-net + restart: "no" + command: timeout 120 haproxy -W -db -f /usr/local/etc/haproxy/haproxy.cfg + api: image: "ghcr.io/hotosm/fmtm/backend:${TAG_OVERRIDE:-debug}" build: @@ -96,6 +169,8 @@ services: # - "5678-5679:5678" # Debugger port networks: - fmtm-net + extra_hosts: + odkcentral: 10.20.30.50 restart: "unless-stopped" deploy: replicas: ${API_REPLICAS:-1} @@ -120,7 +195,7 @@ services: - /app/node_modules/ # - ../ui:/app/node_modules/@hotosm/ui:ro environment: - - VITE_API_URL=${API_URL_OVERRIDE:-http://api.${FMTM_DOMAIN}:${FMTM_DEV_PORT:-7050}} + - VITE_API_URL=${API_URL_OVERRIDE:-http://api.fmtm.localhost:${FMTM_DEV_PORT:-7050}} ports: - "7051:7051" networks: @@ -135,7 +210,7 @@ services: - DISPLAY=:0 volumes: - ./src/frontend:/app - - /tmp/.X11-unix:/tmp/.X11-unix + - /tmp/.X11-unix:/tmp/.X11-unix:ro command: npm run test:e2e networks: - fmtm-net @@ -151,8 +226,10 @@ services: depends_on: central-db: condition: service_healthy + pyxform: + condition: service_started environment: - - DOMAIN=${CENTRAL_DOMAIN_OVERRIDE:-odk.${FMTM_DOMAIN}:${FMTM_DEV_PORT:-7050}} + - DOMAIN=${FMTM_ODK_DOMAIN:-odk.fmtm.localhost}:${FMTM_DEV_PORT:-7050} - SSL_TYPE=upstream - SYSADMIN_EMAIL=${ODK_CENTRAL_USER} - SYSADMIN_PASSWD=${ODK_CENTRAL_PASSWD} @@ -234,7 +311,7 @@ services: # Temp workaround until https://github.com/postgis/docker-postgis/issues/216 build: context: https://github.com/postgis/docker-postgis.git#master:14-3.4/alpine - command: -c 'max_connections=300' + command: -c 'wal_level=logical' -c 'max_connections=300' volumes: - fmtm_db_data:/var/lib/postgresql/data/ environment: diff --git a/docs/dev/Backend.md b/docs/dev/Backend.md index cf701fe8ff..911a407d7f 100644 --- a/docs/dev/Backend.md +++ b/docs/dev/Backend.md @@ -46,7 +46,7 @@ URLs defined in the docker-compose file and your env file. - FMTM uses ODK Central to store ODK data. - To facilitate faster development, the Docker setup includes a Central server. - The credentials are provided via the `.env` file, and the default URL to - access Central from within containers is: `https://proxy`. + access Central from within containers is: `https://odkcentral:8443`. > Alternatively, you may provide credentials to an external Central server > in the `.env`. diff --git a/nginx/Dockerfile b/nginx/Dockerfile deleted file mode 100644 index 3998bb5042..0000000000 --- a/nginx/Dockerfile +++ /dev/null @@ -1,128 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# -ARG NGINX_TAG - - -FROM docker.io/nginx:${NGINX_TAG}-bookworm as brotli-module -RUN set -ex \ - && apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install \ - -y --no-install-recommends \ - "wget" \ - "git" \ - "build-essential" \ - "libpcre3-dev" \ - "zlib1g-dev" \ - "libssl-dev" \ - "libgd-dev" \ - "libxml2-dev" \ - "uuid-dev" \ - "libxslt-dev" \ - && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y \ - && rm -rf /var/lib/apt/lists/* -ARG NGINX_TAG -RUN wget "http://nginx.org/download/nginx-${NGINX_TAG}.tar.gz" \ - && tar -xzvf "nginx-${NGINX_TAG}.tar.gz" -RUN git clone https://github.com/google/ngx_brotli.git --recursive -RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p') \ - && cd "nginx-${NGINX_TAG}" \ - && ./configure --with-compat "${CONFARGS}" \ - --add-dynamic-module=../ngx_brotli \ - && make modules \ - && mv objs/ngx_http_brotli_filter_module.so \ - objs/ngx_http_brotli_static_module.so / - - - -FROM docker.io/nginx:${NGINX_TAG}-bookworm as base -ARG NGINX_TAG -ARG GIT_COMMIT -LABEL org.hotosm.fmtm.app-name="proxy" \ - org.hotosm.fmtm.app-version="${NGINX_TAG}" \ - org.hotosm.fmtm.git-commit-ref="${COMMIT_REF:-none}" \ - org.hotosm.fmtm.maintainer="sysadmin@hotosm.org" -# Install certbot, netcat -RUN set -ex \ - && apt-get update \ - && DEBIAN_FRONTEND=noninteractive apt-get install \ - -y --no-install-recommends \ - "netcat-traditional" \ - "certbot" \ - && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y \ - && rm -rf /var/lib/apt/lists/* -# Add modules -COPY --from=brotli-module \ - /ngx_http_brotli_filter_module.so \ - /ngx_http_brotli_static_module.so \ - /usr/lib/nginx/modules/ -WORKDIR /usr/share/nginx/html -# Remove default Nginx static assets -RUN rm -rf ./* /etc/nginx/conf.d/default.conf /etc/nginx/nginx.conf -COPY nginx.conf \ - options-ssl-nginx.conf \ - options-security.conf \ - certs/ssl-dhparams.pem \ - /etc/nginx/ -# Add Healthcheck -HEALTHCHECK --start-period=5s --interval=5s --retries=8 \ - CMD nc -z localhost 80 || exit 1 - - - -FROM base as debug -COPY certs /etc/nginx/ -RUN cat /etc/nginx/central.crt /etc/nginx/ca.crt \ - >> /etc/nginx/central-fullchain.crt -COPY templates/dev/fmtm.conf.template \ - templates/dev/api.conf.template \ - templates/dev/odk.conf.template \ - templates/dev/minio.conf.template \ - /etc/nginx/templates/ - - - -FROM base as certs-init-main -# Replace existing /docker-entrypoint.sh -COPY container-entrypoint.sh /docker-entrypoint.sh -RUN chmod +x /docker-entrypoint.sh -COPY templates/cert-init/fmtm.conf.template \ - templates/cert-init/api.conf.template \ - templates/cert-init/minio.conf.template \ - /etc/nginx/templates/ - - - -FROM certs-init-main as certs-init-development -COPY templates/cert-init/odk.conf.template \ - /etc/nginx/templates/ - - - -FROM base as main -# API, Frontend, S3 -COPY templates/fmtm.conf.template \ - templates/api.conf.template \ - templates/minio.conf.template \ - /etc/nginx/templates/ - - - -FROM main as development -# API, Frontend, S3 + ODK -COPY templates/odk.conf.template \ - /etc/nginx/templates/ diff --git a/nginx/build_imgs.sh b/nginx/build_imgs.sh deleted file mode 100644 index 040ab2887c..0000000000 --- a/nginx/build_imgs.sh +++ /dev/null @@ -1,65 +0,0 @@ -#!/bin/bash - -NGINX_TAG="${NGINX_TAG:-1.27.0}" - -# Dev certs init -echo "Building proxy:certs-init-development" -docker build nginx \ - --tag "ghcr.io/hotosm/fmtm/proxy:certs-init-development" \ - --target certs-init-development \ - --build-arg NGINX_TAG="${NGINX_TAG}" - -if [[ -n "$PUSH_IMGS" ]]; then - docker push "ghcr.io/hotosm/fmtm/proxy:certs-init-development" -fi - -# Staging certs init -echo "Tagging proxy:certs-init-staging" -docker tag "ghcr.io/hotosm/fmtm/proxy:certs-init-development" \ - "ghcr.io/hotosm/fmtm/proxy:certs-init-staging" - -if [[ -n "$PUSH_IMGS" ]]; then - docker push "ghcr.io/hotosm/fmtm/proxy:certs-init-staging" -fi - -# Main certs init -echo "Building proxy:certs-init-main" -docker build nginx \ - --tag "ghcr.io/hotosm/fmtm/proxy:certs-init-main" \ - --target certs-init-main \ - --build-arg NGINX_TAG="${NGINX_TAG}" - -if [[ -n "$PUSH_IMGS" ]]; then - docker push "ghcr.io/hotosm/fmtm/proxy:certs-init-main" -fi - -# Dev proxy -echo "Building proxy:development" -docker build nginx \ - --tag "ghcr.io/hotosm/fmtm/proxy:development" \ - --target development \ - --build-arg NGINX_TAG="${NGINX_TAG}" - -if [[ -n "$PUSH_IMGS" ]]; then - docker push "ghcr.io/hotosm/fmtm/proxy:development" -fi - -# Staging proxy -echo "Tagging proxy:staging" -docker tag "ghcr.io/hotosm/fmtm/proxy:development" \ - "ghcr.io/hotosm/fmtm/proxy:staging" - -if [[ -n "$PUSH_IMGS" ]]; then - docker push "ghcr.io/hotosm/fmtm/proxy:staging" -fi - -# Main proxy -echo "Building proxy:main" -docker build nginx \ - --tag "ghcr.io/hotosm/fmtm/proxy:main" \ - --target main \ - --build-arg NGINX_TAG="${NGINX_TAG}" - -if [[ -n "$PUSH_IMGS" ]]; then - docker push "ghcr.io/hotosm/fmtm/proxy:main" -fi diff --git a/nginx/certs/ca.crt b/nginx/certs/ca.crt deleted file mode 100644 index 9222628a63..0000000000 --- a/nginx/certs/ca.crt +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDTTCCAjWgAwIBAgIUEMHrTka4DH7Nme1tqUcOCYKCsgswDQYJKoZIhvcNAQEL -BQAwNTEOMAwGA1UEAwwFcHJveHkxCzAJBgNVBAYTAlVTMRYwFAYDVQQHDA1TYW4g -RnJhbnNpc2NvMCAXDTIzMTEyMzE0MTEyNloYDzIxMjEwNTEzMTQxMTI2WjA1MQ4w -DAYDVQQDDAVwcm94eTELMAkGA1UEBhMCVVMxFjAUBgNVBAcMDVNhbiBGcmFuc2lz -Y28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgZTIvWLewjF/CtZaz -28KcZQljG9qOaC3QwYCe4c28bGPYJt2eQS0t3CsnWvqJnEASAXOI31uDkLX5JZ7L -sysECnKz42tZn02TyJE441d9dVxjoBxTjQ4glv4nZ/r/ZiFAEaLrQTY23LLUsdbW -RPv3vQDErhdTeuIWU9rEtT2Cqmpsxu8RbT3vL7bHBoF3bWJYI1yrP4TtZ8/tUTxH -8YpMK8pqettgsxkTO2ONyIOqo8HgyBNOChsfH08DBwsFamdTP8PPt/+Mwfk9gPOG -8kuZP8jDO3Q6h/4hP98+3LsRVc0jdQkpW6gK1bitnHdeC5JrgsoLpoj2hZJ8Wmhd -X7N1AgMBAAGjUzBRMB0GA1UdDgQWBBSwOgHB9bZzrlBa9pv54Yiniiy2VDAfBgNV -HSMEGDAWgBSwOgHB9bZzrlBa9pv54Yiniiy2VDAPBgNVHRMBAf8EBTADAQH/MA0G -CSqGSIb3DQEBCwUAA4IBAQAELCCrqanTSknSpviAlL8X4w19gS1ihs7GzsuK/8Pl -iTqUG6vCCmyNIv900kPG5y0n5bgvkl+hqO4m9b9lpjEgrufxOzZ4KBBhG3Vg0vnW -6N829oKABieV9YkmUl70x1A6AhqLrJU5Vzomix5K3tfrkaCBRjF083H3Sv/rhbVC -kXaIrJqUtuy2JcycPpkgvmX51j0xBE/kWFFtpNymNZqLAkny/mBwsju4POFnRoKZ -e9TclE2JU0JIMSC+4A5DUYYYTzMJkaQV8QBQWMwDK2RHDGHsg/YnKmJY2GwZyIvL -oyJxInJEd+2Xha/9++iImtjC8zoWql382s8MfuCTWplw ------END CERTIFICATE----- diff --git a/nginx/certs/central.crt b/nginx/certs/central.crt deleted file mode 100644 index 7676eb60e0..0000000000 --- a/nginx/certs/central.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDqTCCApGgAwIBAgIURQPPTsV/5VRA6IpcvUK/5t5WhaswDQYJKoZIhvcNAQEL -BQAwNTEOMAwGA1UEAwwFcHJveHkxCzAJBgNVBAYTAlVTMRYwFAYDVQQHDA1TYW4g -RnJhbnNpc2NvMCAXDTIzMTEyMzE0MTUxMFoYDzIxMjMxMDMwMTQxNTEwWjBvMQsw -CQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZy -YW5zaXNjbzEMMAoGA1UECgwDSE9UMRUwEwYDVQQLDAxGTVRNIENlbnRyYWwxDjAM -BgNVBAMMBXByb3h5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArEUa -enTNEAuV5qq2HBLCA3jVgMlOn41gnM4oKVF7kYR2R+gdSF9qb7s7hJwqTJP6a4o+ -Ozul6ejQxks5vGICVqxgTTropRRxbK5XmPhk7k2uebqZonAj4B01y83FffWurkos -slD9NozQ67mPVnh8nUotkpg5kpSwpUMKNllnB9dxaucBcSSCiFqtEPKnPF7GHt2v -Qhxyv/mEi9nZNCdJp/QFg1O/IH8QlLrEhh9R0TJ1ldVuXLdZxUMNqOb2Gcl8AS91 -YYb6feXC9X++TYbaV/6sxm7uaU3BL1y7nzX7h/am9OgATkSpuABKp6salVFQ4Ww3 -nEyoWccK7swwobearwIDAQABo3UwczAfBgNVHSMEGDAWgBSwOgHB9bZzrlBa9pv5 -4Yiniiy2VDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAZBgNVHREEEjAQggVwcm94 -eYIHY2VudHJhbDAdBgNVHQ4EFgQUjpsxUprpOjKapADH6upWbd2FTXcwDQYJKoZI -hvcNAQELBQADggEBAGACWqq6iyvvRWRSgODrNxUyVt225g53IYV0yXBovN5HpQar -U9lEbmb7PEJmk3egrTb55q1e9CRzSmxolHT0AlFyzOT2CZy+siie+F89KizjLHdc -e53yUfDBf8X/TLChhQO4Jvn+1Dv93fc18OSJzfYzSDgeThty6YHRsdAG4ps3TXLx -qtoAIKuvo68oJIeGPirp4HzeUUaqjpnp4fHbTwvKBYg3HAoJBNIqcSTYRoeIyQu7 -1W4CzNpRcuub9oNIkQ4D4WwCZ5gjCe6rQb7LvPziLN/pjR6QpZ4jql4mNh5tOtKj -wR/YTAha7Q7KM5JgCJlzpsCKTUvKa8j1+KJOgaE= ------END CERTIFICATE----- diff --git a/nginx/certs/central.key b/nginx/certs/central.key deleted file mode 100644 index 5bb4c96ef3..0000000000 --- a/nginx/certs/central.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCsRRp6dM0QC5Xm -qrYcEsIDeNWAyU6fjWCczigpUXuRhHZH6B1IX2pvuzuEnCpMk/prij47O6Xp6NDG -Szm8YgJWrGBNOuilFHFsrleY+GTuTa55upmicCPgHTXLzcV99a6uSiyyUP02jNDr -uY9WeHydSi2SmDmSlLClQwo2WWcH13Fq5wFxJIKIWq0Q8qc8XsYe3a9CHHK/+YSL -2dk0J0mn9AWDU78gfxCUusSGH1HRMnWV1W5ct1nFQw2o5vYZyXwBL3Vhhvp95cL1 -f75NhtpX/qzGbu5pTcEvXLufNfuH9qb06ABORKm4AEqnqxqVUVDhbDecTKhZxwru -zDCht5qvAgMBAAECggEAM7NPhYXNTy3y8HW2TsmQYYNfrBV+W6MN5jF22yOhrqPu -7ZirRR+hrWOnMp69kRruEl08XQGDQyaElaZY7wEJC6MTCcqOrJBsk/3kuzt86wn0 -PYMzfY0jLy0FCqO4TBuyL4uCS4fD3p23S692ZbCmUXxEHhVCXgvy0b5Db9k38yGG -HRQhJwoteGhn8on1PFzSUWns8FQEe/fjSaxoawyusnYXjN22EzmMoPN8vtkaoLbA -bhBQQ6S1DpMCzn4HcaH9dTfd0T6F6e8L2Y0jc53VMUkTTUrwsxJsFxiEiM+OhaOL -ZfF2sE4TWxmZOwNzKGb6cYl+YgfN/WK4OJqglGBDQQKBgQDpgUZ+6TOCCzubBDPV -6VS0goKqe7Nq1Y9wAYTouj9LbQvReK9iUBxLuGL7NXbSFLq+Fd1EiSgY+n1wOpfM -L5oxFOdNeuuDomxqZi8j7+0V2y8lwZUnA7jdeAivL5gN+7bM3fvecPGsJVmANM4x -VLZ5Jyr46lQAFIDv8tNgwl1YwQKBgQC83aSRWo7I+BHShvbhHw3Bo5bQmsuMqdGm -TYNig51Z5Dzt13yeqVSab5hNhkj1D/pplWWJbx4Vzc9q2F6+kL3QVODrzJjv6tBG -O35hGX37PkKShs2b+eTye3Rbwzw9kOh/DsG+rLT74OcY5kpnXslc6S8VHbnlKYja -76Xi6G7fbwKBgQDZC03wp2k2RqSn6ZcZDaKriuhT+VmDQ3Dphq/49y3gOUMT+R7k -vlwe0gxHPqHsklImYAJlMywvU56HVB9HLzQezTRW45vIppApskO9HsX8W9kOOkse -kaojSfCgjhfDX6bB9NCqKcep4Km5rtu+JOTb5lleN8nOrUBQSSDLvr6vwQKBgFUF -tnMVAFhqjKNozLUVpLy6Z0drmByvykiCdpYfx/NSszcjHd/TPNn1SOwFesyPr9xe -PAJ9ul54c1qXIzfIsxqZS1P7nBHNdItZdxBBSJyVL6UE+ISyH6Yle4Ffx7uzg2bH -fuLWnvcRDRgBfBdC7YVdGCv6YNhQNWLSJayblGYTAoGBAKlAUnRdlO+oYGhdNinI -6O6JrxN83gHn3CtzW8eE5CxxVHVhhteFe/TabE76J9mIBeLno1qrthQ4sAYoZ5UM -DQzj6V2371bEQzPtYVFM9nlgcz8QhGezZD2KBYeXnNNf6FjBSlmyMVrCTJn5Omnt -gxndM9OMDRa5TvenZQVZVKfz ------END PRIVATE KEY----- diff --git a/nginx/certs/ssl-dhparams.pem b/nginx/certs/ssl-dhparams.pem deleted file mode 100644 index 088f9673dc..0000000000 --- a/nginx/certs/ssl-dhparams.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz -+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a -87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 -YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi -7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD -ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ------END DH PARAMETERS----- \ No newline at end of file diff --git a/nginx/container-entrypoint.sh b/nginx/container-entrypoint.sh deleted file mode 100644 index b18eb462c1..0000000000 --- a/nginx/container-entrypoint.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/bin/bash - -set -eo pipefail - -echo -echo "Substituting env vars" -echo -bash /docker-entrypoint.d/20-envsubst-on-templates.sh - -echo -echo "Starting NGINX in the background" -echo -nginx -g "daemon off;" > /dev/null 2>&1 & - -# Wait for NGINX to start with a maximum timeout of 20 seconds -timeout=20 -while [ $timeout -gt 0 ]; do - if nc -z localhost 80; then - break - fi - - echo "" - echo "Waiting for NGINX to be running..." - sleep 2 - timeout=$((timeout - 2)) -done - -# Check if the timeout was reached -if [ $timeout -eq 0 ]; then - echo "NGINX did not start within the timeout." - exit 1 -fi - -# Check if FMTM_DOMAIN is set -if [ -z "${FMTM_DOMAIN}" ]; then - echo "${FMTM_DOMAIN} variable is not set. Exiting." - exit 1 -fi - -# Check if FMTM_API_DOMAIN is set -if [ -z "${FMTM_API_DOMAIN}" ]; then - echo "${FMTM_API_DOMAIN} variable is not set. Exiting." - exit 1 -fi - -# Renew certs arg (default api & frontend only) -certbot_args=( - "--webroot" "--webroot-path=/var/www/certbot" \ - "--email" "${CERT_EMAIL}" "--agree-tos" "--no-eff-email" \ - "-d" "${FMTM_DOMAIN}" "-d" "${FMTM_API_DOMAIN}" \ -) - -# Add FMTM_ODK_DOMAIN if present -if [ -n "${FMTM_ODK_DOMAIN}" ]; then - echo "Adding ${FMTM_ODK_DOMAIN} to certificate for domain ${FMTM_DOMAIN}." - certbot_args+=("-d" "${FMTM_ODK_DOMAIN}") -fi - -# Add FMTM_S3_DOMAIN if present -if [ -n "${FMTM_S3_DOMAIN}" ]; then - echo "Adding ${FMTM_S3_DOMAIN} to certificate for domain ${FMTM_DOMAIN}." - certbot_args+=("-d" "${FMTM_S3_DOMAIN}") -fi - -# Run certbot with the constructed arguments -echo "Running command: certbot --non-interactive certonly ${certbot_args[*]}" -certbot --non-interactive certonly "${certbot_args[@]}" -echo "Certificate generated under: /etc/letsencrypt/live/${FMTM_DOMAIN}/" - -# Successful exit (stop container) -exit 0 diff --git a/nginx/nginx.conf b/nginx/nginx.conf deleted file mode 100644 index a9259eabc3..0000000000 --- a/nginx/nginx.conf +++ /dev/null @@ -1,105 +0,0 @@ -# Load brotli module -load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; -load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; - -user nginx; -worker_processes auto; -worker_rlimit_nofile 4096; - -error_log /var/log/nginx/error.log notice; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; - use epoll; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - server_tokens off; - types_hash_max_size 2048; - - keepalive_timeout 65; - - brotli on; - brotli_comp_level 6; # Adjust compression level as needed - brotli_static on; - brotli_buffers 16 8k; - brotli_min_length 20; - brotli_types - application/atom+xml - application/geo+json - application/javascript - application/x-javascript - application/json - application/ld+json - application/manifest+json - application/rdf+xml - application/rss+xml - application/vnd.ms-fontobject - application/wasm - application/x-web-app-manifest+json - application/xhtml+xml - application/xml - font/eot - font/otf - font/ttf - image/bmp - image/svg+xml - text/cache-manifest - text/calendar - text/css - text/javascript - text/markdown - text/plain - text/xml - text/vcard - text/vnd.rim.location.xloc - text/vtt - text/x-component - text/x-cross-domain-policy; - - # gzip compatibility backup (older clients) - gzip on; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_min_length 256; - gzip_types - application/atom+xml - application/geo+json - application/javascript - application/x-javascript - application/json - application/ld+json - application/manifest+json - application/rdf+xml - application/rss+xml - application/xhtml+xml - application/xml - font/eot - font/otf - font/ttf - image/svg+xml - text/css - text/javascript - text/plain - text/xml - application/xml+rss; - - include /etc/nginx/conf.d/*.conf; -} diff --git a/nginx/options-security.conf b/nginx/options-security.conf deleted file mode 100644 index 7b62ca3ca1..0000000000 --- a/nginx/options-security.conf +++ /dev/null @@ -1,6 +0,0 @@ -add_header Referrer-Policy "no-referrer" always; -add_header X-Content-Type-Options "nosniff" always; -add_header X-Frame-Options "SAMEORIGIN" always; -add_header X-Permitted-Cross-Domain-Policies "none" always; -add_header X-Robots-Tag "noindex, nofollow" always; -add_header X-XSS-Protection "1; mode=block" always; diff --git a/nginx/options-ssl-nginx.conf b/nginx/options-ssl-nginx.conf deleted file mode 100644 index 35b9895d46..0000000000 --- a/nginx/options-ssl-nginx.conf +++ /dev/null @@ -1,10 +0,0 @@ -ssl_session_cache shared:le_nginx_SSL:10m; -ssl_session_timeout 1440m; -ssl_session_tickets off; - -ssl_protocols TLSv1.2 TLSv1.3; -ssl_prefer_server_ciphers off; - -ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; - -ssl_dhparam /etc/nginx/ssl-dhparams.pem; diff --git a/nginx/templates/api.conf.template b/nginx/templates/api.conf.template deleted file mode 100644 index ba6280db4c..0000000000 --- a/nginx/templates/api.conf.template +++ /dev/null @@ -1,79 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -upstream backend { - server api:8000 max_fails=1 fail_timeout=2s; - keepalive 32; -} - -server { - # Default handler for port 80 - listen 80; - server_name ${FMTM_API_DOMAIN}; - return 301 https://$host$request_uri; -} - -server { - # Default handler for port 443 - listen 443 ssl reuseport; - server_name ${FMTM_API_DOMAIN}; - - ssl_certificate /etc/letsencrypt/live/${FMTM_DOMAIN}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${FMTM_DOMAIN}/privkey.pem; - include /etc/nginx/options-ssl-nginx.conf; - include /etc/nginx/options-security.conf; - - # Max upload size 1GB - client_max_body_size 1G; - - # Response headers (Access-Control-Allow-Origin set by FastAPI, not required) - add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; - # For opentelemetry - add_header 'Access-Control-Allow-Headers' 'traceparent,tracestate'; - - location / { - # Max time to initiate connection with backend - proxy_connect_timeout 20s; - # Max time for a backend response to return, i.e. download - proxy_read_timeout 60s; - # Max time to send request to backend, i.e. upload - proxy_send_timeout 40s; - - # Requests headers - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Server $http_host; - proxy_set_header X-Forwarded-Port $server_port; - - # Disable buffer to temp files, tweak buffer for memory - proxy_max_temp_file_size 0; - proxy_buffer_size 64k; - proxy_buffers 8 64k; - proxy_busy_buffers_size 64k; - - proxy_pass http://backend; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} diff --git a/nginx/templates/cert-init/api.conf.template b/nginx/templates/cert-init/api.conf.template deleted file mode 100644 index 1ddea7d23e..0000000000 --- a/nginx/templates/cert-init/api.conf.template +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -server { - # Default handler for port 80 - listen 80; - server_name ${FMTM_API_DOMAIN}; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } -} diff --git a/nginx/templates/cert-init/minio.conf.template b/nginx/templates/cert-init/minio.conf.template deleted file mode 100644 index 5d75f89c6b..0000000000 --- a/nginx/templates/cert-init/minio.conf.template +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -server { - listen 80; - server_name ${FMTM_S3_DOMAIN}; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } -} diff --git a/nginx/templates/cert-init/odk.conf.template b/nginx/templates/cert-init/odk.conf.template deleted file mode 100644 index c29aaec4f9..0000000000 --- a/nginx/templates/cert-init/odk.conf.template +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -server { - listen 80; - server_name ${FMTM_ODK_DOMAIN}; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } -} diff --git a/nginx/templates/dev/api.conf.template b/nginx/templates/dev/api.conf.template deleted file mode 100644 index c98f4d6e60..0000000000 --- a/nginx/templates/dev/api.conf.template +++ /dev/null @@ -1,64 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -upstream backend { - server api:8000 max_fails=1 fail_timeout=2s; - keepalive 32; -} - -server { - # Default handler for port 80 - listen 80 reuseport; - server_name api.fmtm.localhost; - - # Max upload size 1GB - client_max_body_size 1G; - - # Response headers (note: Access-Control-Allow-Origin already set by FastAPI, not required) - - location / { - # Max time to initiate connection with backend - proxy_connect_timeout 20s; - # Max time for a backend response to return, i.e. download - proxy_read_timeout 60s; - # Max time to send request to backend, i.e. upload - proxy_send_timeout 40s; - - # Requests headers - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Server $http_host; - proxy_set_header X-Forwarded-Port $server_port; - - # Disable buffer to temp files, tweak buffer for memory - proxy_max_temp_file_size 0; - proxy_buffer_size 64k; - proxy_buffers 8 64k; - proxy_busy_buffers_size 64k; - - proxy_pass http://backend; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} diff --git a/nginx/templates/dev/fmtm.conf.template b/nginx/templates/dev/fmtm.conf.template deleted file mode 100644 index fe5d41e43c..0000000000 --- a/nginx/templates/dev/fmtm.conf.template +++ /dev/null @@ -1,64 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -upstream frontend { - # Enable sticky sessions based on an incoming client IP address - ip_hash; - - server ui:7051; -} - -server { - listen 80 default_server; - server_name fmtm.localhost; - - # Max upload size 1GB - client_max_body_size 1G; - - location / { - proxy_read_timeout 40s; - proxy_connect_timeout 20s; - - # Requests headers - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Server $http_host; - proxy_set_header X-Forwarded-Port $server_port; - - # Disable buffer to temp files, tweak buffer for memory - proxy_max_temp_file_size 0; - proxy_buffer_size 64k; - proxy_buffers 8 64k; - proxy_busy_buffers_size 64k; - - # Config to enable websockets - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - proxy_pass http://frontend; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} diff --git a/nginx/templates/dev/minio.conf.template b/nginx/templates/dev/minio.conf.template deleted file mode 100644 index d60d6d1d49..0000000000 --- a/nginx/templates/dev/minio.conf.template +++ /dev/null @@ -1,57 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -upstream minio { - server s3:9000; - # No keepalive -} - -server { - listen 80; - server_name s3.fmtm.localhost; - - # Allow special characters in headers (Minio) - ignore_invalid_headers off; - - # Max upload size 10GB - client_max_body_size 10G; - - location / { - # Disable buffering - proxy_buffering off; - proxy_request_buffering off; - - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_connect_timeout 300; - # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 - proxy_http_version 1.1; - proxy_set_header Connection ""; - chunked_transfer_encoding off; - - proxy_pass http://minio; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} diff --git a/nginx/templates/dev/odk.conf.template b/nginx/templates/dev/odk.conf.template deleted file mode 100644 index 4b7ba89af2..0000000000 --- a/nginx/templates/dev/odk.conf.template +++ /dev/null @@ -1,118 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -upstream centralapi { - server central:8383 max_fails=1 fail_timeout=2s; - keepalive 32; -} - -server { - listen 80; - server_name odk.fmtm.localhost; - - # Max upload size 500MB - client_max_body_size 500m; - - # The frontend - location / { - root /usr/share/nginx/html/central; - - #location /index.html { - # include /usr/share/odk/nginx/common-headers.conf; - # add_header Cache-Control no-cache; - #} - } - - # The API - location ~ ^/v\d { - proxy_redirect off; - # buffer requests, but not responses, so streaming out works. - proxy_request_buffering on; - proxy_buffering off; - proxy_read_timeout 2m; - proxy_connect_timeout 1m; - - # Requests headers - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Server $http_host; - proxy_set_header X-Forwarded-Port $server_port; - - # Disable buffer to temp files, tweak buffer for memory - proxy_max_temp_file_size 0; - proxy_buffer_size 64k; - proxy_buffers 8 64k; - proxy_busy_buffers_size 64k; - - proxy_pass http://centralapi; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} - -server { - listen 443 ssl; - server_name odk.fmtm.localhost; - - ssl_certificate /etc/nginx/central-fullchain.crt; - ssl_certificate_key /etc/nginx/central.key; - - # Max upload size 500MB - client_max_body_size 500m; - - # The API - location ~ ^/v\d { - proxy_redirect off; - # buffer requests, but not responses, so streaming out works. - proxy_request_buffering on; - proxy_buffering off; - proxy_read_timeout 2m; - proxy_connect_timeout 1m; - - # Requests headers - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Server $http_host; - proxy_set_header X-Forwarded-Port $server_port; - - # Disable buffer to temp files, tweak buffer for memory - proxy_max_temp_file_size 0; - proxy_buffer_size 64k; - proxy_buffers 8 64k; - proxy_busy_buffers_size 64k; - - proxy_pass http://centralapi; - } - - # Required redirect - error_page 497 https://$host:$server_port$request_uri; - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} diff --git a/nginx/templates/fmtm.conf.template b/nginx/templates/fmtm.conf.template deleted file mode 100644 index f1a35f35a5..0000000000 --- a/nginx/templates/fmtm.conf.template +++ /dev/null @@ -1,52 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -server { - listen 80 default_server; - server_name ${FMTM_DOMAIN}; - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl default_server; - server_name ${FMTM_DOMAIN}; - - ssl_certificate /etc/letsencrypt/live/${FMTM_DOMAIN}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${FMTM_DOMAIN}/privkey.pem; - include /etc/nginx/options-ssl-nginx.conf; - include /etc/nginx/options-security.conf; - - # Max upload size 1GB - client_max_body_size 1G; - - # Response headers - add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; - # For opentelemetry - add_header 'Access-Control-Allow-Headers' 'traceparent,tracestate'; - - location / { - # Serve FMTM frontend under /usr/share/nginx/html - root /usr/share/nginx/html/fmtm; - try_files $uri $uri/ /index.html; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} diff --git a/nginx/templates/minio.conf.template b/nginx/templates/minio.conf.template deleted file mode 100644 index c6e6493ae5..0000000000 --- a/nginx/templates/minio.conf.template +++ /dev/null @@ -1,73 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -upstream minio { - server s3:9000; - # No keepalive -} - -server { - listen 80; - server_name ${FMTM_S3_DOMAIN}; - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl; - server_name ${FMTM_S3_DOMAIN}; - - ssl_certificate /etc/letsencrypt/live/${FMTM_DOMAIN}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${FMTM_DOMAIN}/privkey.pem; - include /etc/nginx/options-ssl-nginx.conf; - include /etc/nginx/options-security.conf; - - # Allow special characters in headers (Minio) - ignore_invalid_headers off; - - # Max upload size 10GB - client_max_body_size 10G; - - # Response headers - add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; - # For opentelemetry - add_header 'Access-Control-Allow-Headers' 'traceparent,tracestate'; - - location / { - # Disable buffering - proxy_buffering off; - proxy_request_buffering off; - - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_connect_timeout 300; - # Default is HTTP/1, keepalive is only enabled in HTTP/1.1 - proxy_http_version 1.1; - proxy_set_header Connection ""; - chunked_transfer_encoding off; - - proxy_pass http://minio; - } - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} diff --git a/nginx/templates/odk.conf.template b/nginx/templates/odk.conf.template deleted file mode 100644 index 629c261875..0000000000 --- a/nginx/templates/odk.conf.template +++ /dev/null @@ -1,91 +0,0 @@ -# Copyright (c) 2022, 2023 Humanitarian OpenStreetMap Team -# -# This file is part of FMTM. -# -# FMTM is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# FMTM is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with FMTM. If not, see . -# - -upstream centralapi { - server central:8383 max_fails=1 fail_timeout=2s; - keepalive 32; -} - -server { - listen 80; - server_name ${FMTM_ODK_DOMAIN}; - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl; - server_name ${FMTM_ODK_DOMAIN}; - - ssl_certificate /etc/letsencrypt/live/${FMTM_DOMAIN}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/${FMTM_DOMAIN}/privkey.pem; - include /etc/nginx/options-ssl-nginx.conf; - include /etc/nginx/options-security.conf; - - # Max upload size 500MB - client_max_body_size 500m; - - # Response headers (Access-Control-Allow-Origin set by FastAPI, not required) - add_header 'Content-Security-Policy' 'upgrade-insecure-requests'; - # For opentelemetry - add_header 'Access-Control-Allow-Headers' 'traceparent,tracestate'; - - # The frontend - location / { - root /usr/share/nginx/html/central; - - location /index.html { - include /etc/nginx/options-security.conf; - add_header Cache-Control no-cache; - } - } - - # The API - location ~ ^/v\d { - proxy_redirect off; - # buffer requests, but not responses, so streaming out works. - proxy_request_buffering on; - proxy_buffering off; - proxy_read_timeout 2m; - proxy_connect_timeout 1m; - - # Requests headers - proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-Server $http_host; - proxy_set_header X-Forwarded-Port $server_port; - - # Disable buffer to temp files, tweak buffer for memory - proxy_max_temp_file_size 0; - proxy_buffer_size 64k; - proxy_buffers 8 64k; - proxy_busy_buffers_size 64k; - - proxy_pass http://centralapi; - } - - # Required redirect - error_page 497 https://$host:$server_port$request_uri; - - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } -} diff --git a/scripts/README.md b/scripts/README.md index d3bb2ccbfa..fc90a20bf9 100644 --- a/scripts/README.md +++ b/scripts/README.md @@ -1,8 +1,3 @@ # Scripts -- Directory of helper scripts related to FMTM. -- The install-fmtm.sh script is located under: - -`src/frontend/public/install-fmtm.sh` - -So it is available to install via URL. +Directory of helper scripts related to FMTM. diff --git a/scripts/renew-certs-manual.sh b/scripts/renew-certs-manual.sh deleted file mode 100644 index 6bf6195378..0000000000 --- a/scripts/renew-certs-manual.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -cleanup_and_exit() { - echo - echo "CTRL+C received, exiting..." - exit 1 -} - -# Capture CTRL+C -trap cleanup_and_exit INT - -# Prompt the user for input and set the BRANCH_NAME variable -read -erp "Enter the environment (dev/staging/prod): " ENVIRONMENT - -case "$ENVIRONMENT" in - dev) - BRANCH_NAME="development" - ;; - staging) - BRANCH_NAME="staging" - ;; - prod) - BRANCH_NAME="main" - ;; - *) - echo "Invalid environment. Please enter dev, staging, or prod." - exit 1 - ;; -esac - -# Check if any containers using the 'ghcr.io/hotosm/fmtm/proxy:${BRANCH_NAME}' image are running -if [[ -z $(docker ps -q -f "ancestor=ghcr.io/hotosm/fmtm/proxy:${BRANCH_NAME}") ]]; then - echo "No containers using the 'ghcr.io/hotosm/fmtm/proxy:${BRANCH_NAME}' image are running." - echo "You must first start the containers using:" - echo - echo "docker-compose -f docker-compose.${BRANCH_NAME}.yml up -d" - echo - exit 1 -fi - -# Execute the Docker Compose command with the determined BRANCH_NAME -docker compose exec "fmtm-$BRANCH_NAME" certbot --non-interactive renew diff --git a/src/backend/Dockerfile b/src/backend/Dockerfile index f0c17c9397..0d54f1b554 100644 --- a/src/backend/Dockerfile +++ b/src/backend/Dockerfile @@ -149,8 +149,20 @@ HEALTHCHECK --start-period=10s --interval=5s --retries=20 --timeout=5s \ FROM runtime as add-odk-certs USER root # Add the SSL cert for debug odkcentral -COPY --from=ghcr.io/hotosm/fmtm/proxy:debug \ - /etc/nginx/central-fullchain.crt /usr/local/share/ca-certificates/ +RUN echo 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI5RENDQVhtZ0F3SUJBZ0lVWXFyb\ +0dWRVdsK204eU9OY2pUU2pCWThkckN3d0NnWUlLb1pJemowRUF3SXcKRlRFVE1CRUdBMVVFQXd3S2Iy\ +UnJZMlZ1ZEhKaGJEQWdGdzB5TkRBM01qTXhNakF6TVRWYUdBOHlNVEkwTURZeQpPVEV5TURNeE5Wb3d\ +GVEVUTUJFR0ExVUVBd3dLYjJSclkyVnVkSEpoYkRCMk1CQUdCeXFHU000OUFnRUdCU3VCCkJBQWlBMk\ +lBQktSZmpOQVFzWUI0ekNXckdETHdKNEVIRDRTNW5rL1Z3aG00TmYwN203c0RTai9RTzlYK0JnNjIKe\ +WlMbWVzT1ZMRExHRklpZXZ2aHIrZkxNY0YwUDQwN0FWKytER1o5bXZ6VmNwMVdZMlE5NllpTVVuelM3\ +MWx0RQo4K3BXbFBmanRLT0JoekNCaERBZEJnTlZIUTRFRmdRVWNVekZsNUpWN1dUM045VUhxbmhSRHl\ +WT3ZjY3dId1lEClZSMGpCQmd3Rm9BVWNVekZsNUpWN1dUM045VUhxbmhSRHlWT3ZjY3dEd1lEVlIwVE\ +FRSC9CQVV3QXdFQi96QXgKQmdOVkhSRUVLakFvZ2dwdlpHdGpaVzUwY21Gc2doUXFMbTlrYXk1bWJYU\ +nRMbXh2WTJGc2FHOXpkSWNFQ2hRZQpNakFLQmdncWhrak9QUVFEQWdOcEFEQm1BakVBb2xuOGRubmlQ\ +N0dKSEJPQW4rTHVCV0ZhaUY1NHFZRmpTYyt1Clpia1cwY1pyNWw2VnZ6WVlBdGdWbUtOdTB5WWRBakV\ +BMWlvT2JRTERYdDV3S1JPWjV5VUtmbys2T21IbTV1NWkKQU5LUHd2MExqc2ZIYk5hbzJMWnduK0VxTj\ +NtdUpPNXEKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=' \ +| base64 -d > /usr/local/share/ca-certificates/central.crt RUN update-ca-certificates