PromucFlow_constructor/deploy/docker/fs/opt/appsmith/run-nginx.sh

#!/bin/bash

set -o errexit
set -o nounset
set -o pipefail
set -o xtrace

ssl_conf_path="/appsmith-stacks/data/certificate/conf"

mkdir -pv "$ssl_conf_path"

cat <<EOF > "$ssl_conf_path/options-ssl-nginx.conf"
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF

cat <<EOF > "$ssl_conf_path/ssl-dhparams.pem"
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
EOF

if [[ -z "${APPSMITH_ALLOWED_FRAME_ANCESTORS-}" ]]; then
  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
  export APPSMITH_ALLOWED_FRAME_ANCESTORS="'self'"
else
  # Remove any extra rules that may be present in the frame ancestors value. This is to prevent this env variable from
  # being used to inject more rules to the CSP header. If needed, that should be supported/solved separately.
  export APPSMITH_ALLOWED_FRAME_ANCESTORS="${APPSMITH_ALLOWED_FRAME_ANCESTORS%;*}"
fi

if [[ -z "${APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX-}" ]]; then
  # For backwards compatibility, if this is not set to anything, we default to no sandbox for iframe widgets.
  export APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX="true"
fi

# Check exist certificate with given custom domain
# Heroku not support for custom domain, only generate HTTP config if deploying on Heroku
use_https=0
if [[ -n ${APPSMITH_CUSTOM_DOMAIN-} ]] && [[ -z ${DYNO-} ]]; then
  use_https=1
  if ! [[ -e "/etc/letsencrypt/live/$APPSMITH_CUSTOM_DOMAIN" ]]; then
    source "/opt/appsmith/init_ssl_cert.sh"
    if ! init_ssl_cert "$APPSMITH_CUSTOM_DOMAIN"; then
      echo "Status code from init_ssl_cert is $?"
      use_https=0
    fi
  fi
fi

/opt/appsmith/templates/nginx-app.conf.sh "$use_https" "${APPSMITH_CUSTOM_DOMAIN-}"

cp -r /opt/appsmith/editor/* "$NGINX_WWW_PATH"

apply-env-vars() {
  original="$1"
  served="$2"
  node -e '
  const fs = require("fs")
  const content = fs.readFileSync("'"$original"'", "utf8").replace(
    /\b__(APPSMITH_[A-Z0-9_]+)__\b/g,
    (placeholder, name) => (process.env[name] || "")
  )
  fs.writeFileSync("'"$served"'", content)
  '
  pushd "$(dirname "$served")"
  gzip --keep --force "$(basename "$served")"
  popd
}

apply-env-vars /opt/appsmith/editor/index.html "$NGINX_WWW_PATH/index.html"

exec nginx -g "daemon off;error_log stderr info;"
Config for editor program run script instead of nginx (#8922) Add script to re-generate nginx config file & start nginx Move function init_ssl_cert into separated file and reuse it in new script and entrypoint Change command config & add new config to kill all sub-process of a supervisord child program in editor program configure file 2021-11-23 04:09:13 +00:00			`#!/bin/bash`

Apply env variables in NGINX config before startup (#11531) Instead of doing env substitutions at request processing time, do it before NGINX even starts. 2022-03-09 07:08:48 +00:00			`set -o errexit`
			`set -o nounset`
			`set -o pipefail`
			`set -o xtrace`
Config for editor program run script instead of nginx (#8922) Add script to re-generate nginx config file & start nginx Move function init_ssl_cert into separated file and reuse it in new script and entrypoint Change command config & add new config to kill all sub-process of a supervisord child program in editor program configure file 2021-11-23 04:09:13 +00:00
Work with copied cert files after fat migration (#12182) 2022-03-24 00:34:38 +00:00			`ssl_conf_path="/appsmith-stacks/data/certificate/conf"`
Apply env variables in NGINX config before startup (#11531) Instead of doing env substitutions at request processing time, do it before NGINX even starts. 2022-03-09 07:08:48 +00:00
Fix fat container not starting NGINX (#12210) 2022-03-24 09:10:42 +00:00			`mkdir -pv "$ssl_conf_path"`

Work with copied cert files after fat migration (#12182) 2022-03-24 00:34:38 +00:00			`cat <<EOF > "$ssl_conf_path/options-ssl-nginx.conf"`
			`# This file contains important security parameters. If you modify this file`
			`# manually, Certbot will be unable to automatically provide future security`
			`# updates. Instead, Certbot will print and log an error message with a path to`
			`# the up-to-date file that you will need to refer to when manually updating`
			`# this file.`

			`ssl_session_cache shared:le_nginx_SSL:10m;`
			`ssl_session_timeout 1440m;`
			`ssl_session_tickets off;`

			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_prefer_server_ciphers off;`

			`ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";`
			`EOF`

			`cat <<EOF > "$ssl_conf_path/ssl-dhparams.pem"`
			`-----BEGIN DH PARAMETERS-----`
			`MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz`
			`+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a`
			`87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7`
			`YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi`
			`7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD`
			`ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==`
			`-----END DH PARAMETERS-----`
			`EOF`

Control where embedding of Appsmith is allowed (#15348) Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-07-21 07:33:35 +00:00			`if [[ -z "${APPSMITH_ALLOWED_FRAME_ANCESTORS-}" ]]; then`
Sandboxed iFrames with srcDoc (#11426) Change iFrame widgets to use sandbox mode if srcDoc is provided Allowed options: `allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-scripts allow-top-navigation-by-user-activation` Co-authored-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-10-04 09:50:45 +00:00			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors`
			`export APPSMITH_ALLOWED_FRAME_ANCESTORS="'self'"`
Control where embedding of Appsmith is allowed (#15348) Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-07-21 07:33:35 +00:00			`else`
Sandboxed iFrames with srcDoc (#11426) Change iFrame widgets to use sandbox mode if srcDoc is provided Allowed options: `allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-scripts allow-top-navigation-by-user-activation` Co-authored-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-10-04 09:50:45 +00:00			`# Remove any extra rules that may be present in the frame ancestors value. This is to prevent this env variable from`
			`# being used to inject more rules to the CSP header. If needed, that should be supported/solved separately.`
			`export APPSMITH_ALLOWED_FRAME_ANCESTORS="${APPSMITH_ALLOWED_FRAME_ANCESTORS%;*}"`
			`fi`

			`if [[ -z "${APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX-}" ]]; then`
			`# For backwards compatibility, if this is not set to anything, we default to no sandbox for iframe widgets.`
			`export APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX="true"`
Control where embedding of Appsmith is allowed (#15348) Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-07-21 07:33:35 +00:00			`fi`

Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`# Check exist certificate with given custom domain`
Refactor to deploy Heroku using new Docker image (#9127) 2022-03-24 07:47:36 +00:00			`# Heroku not support for custom domain, only generate HTTP config if deploying on Heroku`
chore: Refactor NGINX config templates, merge them, to reduce duplicate code (#26066) Majority of the NGINX config is the same, for both HTTP and HTTPS. Having two separate templates for them is making configuration changes error-prone, where we often risk forgetting making the same change in the other file. This PR merges the two files into one, so the above risk isn't there. It also makes it easier to experiment with the file while developing, since we have to make every single change twice during development. Note: This _will_ cause conflicts in sync, after being merged. Why are we doing this? This will be a step towards simplifying our `Dockerfile` with reduced layers and improved caching performance. The image build time in CI should be faster once this is done. 2023-08-09 16:18:58 +00:00			`use_https=0`
fix: Fix server not starting when custom domain not set 2022-04-08 09:49:11 +00:00			`if [[ -n ${APPSMITH_CUSTOM_DOMAIN-} ]] && [[ -z ${DYNO-} ]]; then`
chore: Refactor NGINX config templates, merge them, to reduce duplicate code (#26066) Majority of the NGINX config is the same, for both HTTP and HTTPS. Having two separate templates for them is making configuration changes error-prone, where we often risk forgetting making the same change in the other file. This PR merges the two files into one, so the above risk isn't there. It also makes it easier to experiment with the file while developing, since we have to make every single change twice during development. Note: This _will_ cause conflicts in sync, after being merged. Why are we doing this? This will be a step towards simplifying our `Dockerfile` with reduced layers and improved caching performance. The image build time in CI should be faster once this is done. 2023-08-09 16:18:58 +00:00			`use_https=1`
Refactor to deploy Heroku using new Docker image (#9127) 2022-03-24 07:47:36 +00:00			`if ! [[ -e "/etc/letsencrypt/live/$APPSMITH_CUSTOM_DOMAIN" ]]; then`
			`source "/opt/appsmith/init_ssl_cert.sh"`
fix: Fix server not starting when custom domain not set 2022-04-08 09:49:11 +00:00			`if ! init_ssl_cert "$APPSMITH_CUSTOM_DOMAIN"; then`
			`echo "Status code from init_ssl_cert is $?"`
chore: Refactor NGINX config templates, merge them, to reduce duplicate code (#26066) Majority of the NGINX config is the same, for both HTTP and HTTPS. Having two separate templates for them is making configuration changes error-prone, where we often risk forgetting making the same change in the other file. This PR merges the two files into one, so the above risk isn't there. It also makes it easier to experiment with the file while developing, since we have to make every single change twice during development. Note: This _will_ cause conflicts in sync, after being merged. Why are we doing this? This will be a step towards simplifying our `Dockerfile` with reduced layers and improved caching performance. The image build time in CI should be faster once this is done. 2023-08-09 16:18:58 +00:00			`use_https=0`
fix: Fix server not starting when custom domain not set 2022-04-08 09:49:11 +00:00			`fi`
Refactor to deploy Heroku using new Docker image (#9127) 2022-03-24 07:47:36 +00:00			`fi`
Config for editor program run script instead of nginx (#8922) Add script to re-generate nginx config file & start nginx Move function init_ssl_cert into separated file and reuse it in new script and entrypoint Change command config & add new config to kill all sub-process of a supervisord child program in editor program configure file 2021-11-23 04:09:13 +00:00			`fi`

chore: Run NGINX with readonly root FS support (#27453) Part of supporting readonly root filesystem, gets NGINX to start without doing any writes to the filesystem, except for in `/tmp`. 2023-09-27 08:08:47 +00:00			`/opt/appsmith/templates/nginx-app.conf.sh "$use_https" "${APPSMITH_CUSTOM_DOMAIN-}"`

			`cp -r /opt/appsmith/editor/* "$NGINX_WWW_PATH"`
Config for editor program run script instead of nginx (#8922) Add script to re-generate nginx config file & start nginx Move function init_ssl_cert into separated file and reuse it in new script and entrypoint Change command config & add new config to kill all sub-process of a supervisord child program in editor program configure file 2021-11-23 04:09:13 +00:00
fix: Apply env replacements to view.html and edit.html (#23539) 2023-05-19 12:45:49 +00:00			`apply-env-vars() {`
			`original="$1"`
			`served="$2"`
			`node -e '`
			`const fs = require("fs")`
			`const content = fs.readFileSync("'"$original"'", "utf8").replace(`
			`/\b__(APPSMITH_[A-Z0-9_]+)__\b/g,`
			`(placeholder, name) => (process.env[name] \|\| "")`
			`)`
			`fs.writeFileSync("'"$served"'", content)`
			`'`
fix: Re-gzip html files after env variables substitution (#23546) We replace env variables in `index.html`, `view.html` and `edit.html`, just before start NGINX. But the `.gz` versions of these files don't have these changes applied to them. This PR gzips those HTML files again, after the substitutions are applied. From https://github.com/appsmithorg/appsmith/pull/23539#issuecomment-1554509537. 2023-05-31 09:57:12 +00:00			`pushd "$(dirname "$served")"`
			`gzip --keep --force "$(basename "$served")"`
			`popd`
fix: Apply env replacements to view.html and edit.html (#23539) 2023-05-19 12:45:49 +00:00			`}`

chore: Run NGINX with readonly root FS support (#27453) Part of supporting readonly root filesystem, gets NGINX to start without doing any writes to the filesystem, except for in `/tmp`. 2023-09-27 08:08:47 +00:00			`apply-env-vars /opt/appsmith/editor/index.html "$NGINX_WWW_PATH/index.html"`
Config for editor program run script instead of nginx (#8922) Add script to re-generate nginx config file & start nginx Move function init_ssl_cert into separated file and reuse it in new script and entrypoint Change command config & add new config to kill all sub-process of a supervisord child program in editor program configure file 2021-11-23 04:09:13 +00:00
Capture nginx access and error logs in fat container (#12205) 2022-03-24 08:17:25 +00:00			`exec nginx -g "daemon off;error_log stderr info;"`