PromucFlow_constructor/deploy/docker/templates/nginx/nginx-app-https.conf.template.sh

#!/bin/bash

set -o nounset

CUSTOM_DOMAIN="$1"

# By default, container will use the auto-generate certificate by Let's Encrypt
SSL_CERT_PATH="/etc/letsencrypt/live/$CUSTOM_DOMAIN/fullchain.pem"
SSL_KEY_PATH="/etc/letsencrypt/live/$CUSTOM_DOMAIN/privkey.pem"

# In case of existing custom certificate, container will use them to configure SSL
if [[ -e "/appsmith-stacks/ssl/fullchain.pem" ]] && [[ -e "/appsmith-stacks/ssl/privkey.pem" ]]; then
  SSL_CERT_PATH="/appsmith-stacks/ssl/fullchain.pem"
  SSL_KEY_PATH="/appsmith-stacks/ssl/privkey.pem"
fi

cat <<EOF
map \$http_x_forwarded_proto \$origin_scheme {
  default \$http_x_forwarded_proto;
  '' \$scheme;
}

map \$http_x_forwarded_host \$origin_host {
  default \$http_x_forwarded_host;
  '' \$host;
}

# redirect log to stdout for supervisor to capture
access_log /dev/stdout;

server {
  listen 80;
  server_name $CUSTOM_DOMAIN;

  return 301 https://\$host\$request_uri;
}

server {
  listen 443 ssl http2;
  server_name _;

  ssl_certificate $SSL_CERT_PATH;
  ssl_certificate_key $SSL_KEY_PATH;

  include /appsmith-stacks/data/certificate/conf/options-ssl-nginx.conf;
  ssl_dhparam /appsmith-stacks/data/certificate/conf/ssl-dhparams.pem;

  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
  add_header Content-Security-Policy "frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self' *}";

  location = /supervisor {
    return 301 /supervisor/;
  }

  location /supervisor/ {
    proxy_http_version 1.1;
    proxy_buffering    off;
    proxy_max_temp_file_size 0;
    proxy_redirect    off;
    proxy_set_header  Host              \$http_host/supervisor/;
    proxy_set_header  X-Real-IP         \$remote_addr;
    proxy_set_header  X-Forwarded-For   \$proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto \$origin_scheme;
    proxy_set_header  X-Forwarded-Host  \$origin_host;
    proxy_set_header  Connection        "";
    proxy_pass http://localhost:9001/;
    auth_basic "Protected";
    auth_basic_user_file /etc/nginx/passwords;
  }

  proxy_set_header X-Forwarded-Proto \$origin_scheme;
  proxy_set_header X-Forwarded-Host \$origin_host;

  client_max_body_size 150m;

  gzip on;
  gzip_types *;

  server_tokens off;

  root /opt/appsmith/editor;
  index index.html;
  error_page 404 /;

  location /.well-known/acme-challenge/ {
    root /appsmith-stacks/data/certificate/certbot;
  }

  location / {
    try_files /loading.html \$uri /index.html =404;
  }

  location ~ ^/static/(js|css|media)\b {
    # Files in these folders are hashed, so we can set a long cache time.
    add_header Cache-Control "max-age=31104000, immutable";  # 360 days
  }

  # If the path has an extension at the end, then respond with 404 status if the file not found.
  location ~ ^/(?!supervisor/).*\.[a-z]+$ {
    try_files \$uri =404;
  }

  location /api {
    proxy_pass http://localhost:8080;
  }

  location /oauth2 {
    proxy_pass http://localhost:8080;
  }

  location /login {
    proxy_pass http://localhost:8080;
  }

  location /rts {
    proxy_pass http://localhost:${APPSMITH_RTS_PORT:-8091};
    proxy_http_version 1.1;
    proxy_set_header Host \$host;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Upgrade \$http_upgrade;
  }
}
EOF
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`#!/bin/bash`

			`set -o nounset`

			`CUSTOM_DOMAIN="$1"`

			`# By default, container will use the auto-generate certificate by Let's Encrypt`
			`SSL_CERT_PATH="/etc/letsencrypt/live/$CUSTOM_DOMAIN/fullchain.pem"`
			`SSL_KEY_PATH="/etc/letsencrypt/live/$CUSTOM_DOMAIN/privkey.pem"`

Include origin_scheme in new nginx configs Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2021-11-23 08:17:44 +00:00			`# In case of existing custom certificate, container will use them to configure SSL`
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`if [[ -e "/appsmith-stacks/ssl/fullchain.pem" ]] && [[ -e "/appsmith-stacks/ssl/privkey.pem" ]]; then`
For paths with an extension, give 404 if missing (#17035) 2022-09-26 04:11:38 +00:00			`SSL_CERT_PATH="/appsmith-stacks/ssl/fullchain.pem"`
			`SSL_KEY_PATH="/appsmith-stacks/ssl/privkey.pem"`
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`fi`

			`cat <<EOF`
Fix variable escaping in docker entrypoint script Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2021-11-23 10:20:37 +00:00			`map \$http_x_forwarded_proto \$origin_scheme {`
			`default \$http_x_forwarded_proto;`
			`'' \$scheme;`
Include origin_scheme in new nginx configs Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2021-11-23 08:17:44 +00:00			`}`
Fix X-Forwarded-Host with multiple rev-proxies (#16951) 2022-10-14 01:00:27 +00:00
			`map \$http_x_forwarded_host \$origin_host {`
			`default \$http_x_forwarded_host;`
			`'' \$host;`
			`}`

Capture nginx access and error logs in fat container (#12205) 2022-03-24 08:17:25 +00:00			`# redirect log to stdout for supervisor to capture`
			`access_log /dev/stdout;`
Include origin_scheme in new nginx configs Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2021-11-23 08:17:44 +00:00
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`server {`
			`listen 80;`
			`server_name $CUSTOM_DOMAIN;`

			`return 301 https://\$host\$request_uri;`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`server_name _;`

			`ssl_certificate $SSL_CERT_PATH;`
			`ssl_certificate_key $SSL_KEY_PATH;`

			`include /appsmith-stacks/data/certificate/conf/options-ssl-nginx.conf;`
			`ssl_dhparam /appsmith-stacks/data/certificate/conf/ssl-dhparams.pem;`

Control where embedding of Appsmith is allowed (#15348) Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-07-21 07:33:35 +00:00			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors`
Change to allow all domains to embed Appsmith apps (#15619) The control to configure what domains are allowed to embed Appsmith apps is still available, but the default of not allowing anything except for 'self' is changed to allow everything. While this is convenient, we encourage our users to configure their frame ancestors to limit what domains can embed their Appsmith apps. Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-08-02 10:11:52 +00:00			`add_header Content-Security-Policy "frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self' *}";`
Control where embedding of Appsmith is allowed (#15348) Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-07-21 07:33:35 +00:00
Refactor to deploy Heroku using new Docker image (#9127) 2022-03-24 07:47:36 +00:00			`location = /supervisor {`
			`return 301 /supervisor/;`
			`}`

			`location /supervisor/ {`
Fix X-Forwarded-Host with multiple rev-proxies (#16951) 2022-10-14 01:00:27 +00:00			`proxy_http_version 1.1;`
			`proxy_buffering off;`
			`proxy_max_temp_file_size 0;`
			`proxy_redirect off;`
			`proxy_set_header Host \$http_host/supervisor/;`
			`proxy_set_header X-Real-IP \$remote_addr;`
			`proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto \$origin_scheme;`
			`proxy_set_header X-Forwarded-Host \$origin_host;`
			`proxy_set_header Connection "";`
			`proxy_pass http://localhost:9001/;`
			`auth_basic "Protected";`
			`auth_basic_user_file /etc/nginx/passwords;`
Refactor to deploy Heroku using new Docker image (#9127) 2022-03-24 07:47:36 +00:00			`}`

			`proxy_set_header X-Forwarded-Proto \$origin_scheme;`
Fix X-Forwarded-Host with multiple rev-proxies (#16951) 2022-10-14 01:00:27 +00:00			`proxy_set_header X-Forwarded-Host \$origin_host;`
Refactor to deploy Heroku using new Docker image (#9127) 2022-03-24 07:47:36 +00:00
fix: Increased Nginx limit to 150 MB to allow 100 MB Base 64 encoded files (#20617) ## Description We're increasing the default limit of request payload on cloud so that 100 MB files that are base 64 encoded can also be uploaded via Appsmith. Fixes #20424 ## Type of change - Bug fix (non-breaking change which fixes an issue) ## How Has This Been Tested? - Manual ### Test Plan > Add Testsmith test cases links that relate to this PR ### Issues raised during DP testing > Link issues raised during DP testing for better visiblity and tracking (copy link from comments dropped on this PR) ## Checklist: ### Dev activity - [ ] My code follows the style guidelines of this project - [ ] I have performed a self-review of my own code - [ ] I have commented my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [ ] My changes generate no new warnings - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] New and existing unit tests pass locally with my changes - [ ] PR is being merged under a feature flag ### QA activity: - [ ] Test plan has been approved by relevant developers - [ ] Test plan has been peer reviewed by QA - [ ] Cypress test cases have been added and approved by either SDET or manual QA - [ ] Organized project review call with relevant stakeholders after Round 1/2 of QA - [ ] Added Test Plan Approved label after reveiwing all Cypress test 2023-02-20 15:04:02 +00:00			`client_max_body_size 150m;`
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00
			`gzip on;`
Disable nginx server tokens, set gzip_type to * (#15767) 2022-08-05 11:10:38 +00:00			`gzip_types *;`

			`server_tokens off;`
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00
			`root /opt/appsmith/editor;`
For paths with an extension, give 404 if missing (#17035) 2022-09-26 04:11:38 +00:00			`index index.html;`
			`error_page 404 /;`
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00
Fix missing acme route in NGINX HTTPS config (#10094) Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-01-01 06:09:49 +00:00			`location /.well-known/acme-challenge/ {`
			`root /appsmith-stacks/data/certificate/certbot;`
			`}`

Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`location / {`
feat: Display loading message in browser when Appsmith is starting (#22215) ## Description Added Appsmith Initializing and Starting pages to inform the users that Appsmith is starting up and they will need to wait for a few minutes before their Appsmith deployment is up and running, instead of displaying the 503 error like it earlier. ## Type of change - New feature (non-breaking change which adds functionality) # Media Initialization page ![image](https://user-images.githubusercontent.com/20785806/230869925-a342e327-c714-4cfa-8283-cf6f5bd225b5.png) Starting page ![image](https://user-images.githubusercontent.com/20785806/230869770-67654c0a-e4de-4d18-83dd-9f68230648e9.png) [Demo Video](https://drive.google.com/file/d/1sjvfbtbWHRqVfg0Vvf2JM6W3y61-KrWm/view?usp=share_link) ## How Has This Been Tested? - Manual --------- Co-authored-by: Shrikant Sharat Kandula <shrikant@appsmith.com> Co-authored-by: Arpit Mohan <mohanarpit@users.noreply.github.com> 2023-04-19 12:50:59 +00:00			`try_files /loading.html \$uri /index.html =404;`
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`}`

chore: Add Cache-Control header for static assets (#22175) Fix https://github.com/appsmithorg/appsmith/issues/10503 Continuing discussion from https://github.com/appsmithorg/appsmith/pull/21951. 2023-04-19 01:12:01 +00:00			`location ~ ^/static/(js\|css\|media)\b {`
			`# Files in these folders are hashed, so we can set a long cache time.`
			`add_header Cache-Control "max-age=31104000, immutable"; # 360 days`
			`}`

For paths with an extension, give 404 if missing (#17035) 2022-09-26 04:11:38 +00:00			`# If the path has an extension at the end, then respond with 404 status if the file not found.`
Fix assets not loading in supervisor UI (#17543) Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2022-10-14 07:53:09 +00:00			`location ~ ^/(?!supervisor/).*\.[a-z]+$ {`
For paths with an extension, give 404 if missing (#17035) 2022-09-26 04:11:38 +00:00			`try_files \$uri =404;`
			`}`

Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`location /api {`
			`proxy_pass http://localhost:8080;`
			`}`

			`location /oauth2 {`
			`proxy_pass http://localhost:8080;`
			`}`

			`location /login {`
			`proxy_pass http://localhost:8080;`
			`}`

			`location /rts {`
fix: renamed rts port env to APPSMITH_RTS_PORT (#20121) Issue: Nginx and RTS used the same env PORT for binding it's service, while the backend server had the rts port hardcoded on its rts uri. - Renamed env PORT to APPSMITH_RTS_PORT for starting the rts server. - Updated nginx config templates to use env `APPSMITH_RTS_PORT` - Added appsmith.rts.port property in server to use env APPSMITH_RTS_PORT - Updated CommonConfig.java rtsBaseDomain to use appsmith.rts.port --------- Co-authored-by: Shrikant Sharat Kandula <shrikant@appsmith.com> 2023-02-15 01:36:02 +00:00			`proxy_pass http://localhost:${APPSMITH_RTS_PORT:-8091};`
Refactor to generate nginx config file with auto-redirect HTTPS (#9256) Refactor flow to generate nginx configuration file corresponding Custom domain set up Add 2 template for Nginx template for HTTP and HTTPS. HTTPS contains new block for auto-redirect for HTTPS 2021-11-23 05:52:09 +00:00			`proxy_http_version 1.1;`
			`proxy_set_header Host \$host;`
			`proxy_set_header Connection 'upgrade';`
			`proxy_set_header Upgrade \$http_upgrade;`
			`}`
			`}`
			`EOF`