Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
3173dd4e00
PromucFlow_constructor/deploy/docker/scripts/run-nginx.sh
Shrikant Sharat Kandula a44ea34902
chore: Refactor NGINX config templates, merge them, to reduce duplicate code (#26066) 
Majority of the NGINX config is the same, for both HTTP and HTTPS.
Having two separate templates for them is making configuration changes
error-prone, where we often risk forgetting making the same change in
the other file.

This PR merges the two files into one, so the above risk isn't there. It
also makes it easier to experiment with the file while developing, since
we have to make every single change twice during development.

Note: This _will_ cause conflicts in sync, after being merged.

Why are we doing this? This will be a step towards simplifying our
`Dockerfile` with reduced layers and improved caching performance. The
image build time in CI should be faster once this is done.
2023-08-09 21:48:58 +05:30

92 lines
3.3 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
ssl_conf_path="/appsmith-stacks/data/certificate/conf"
mkdir -pv "$ssl_conf_path"
cat <<EOF > "$ssl_conf_path/options-ssl-nginx.conf"
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
cat <<EOF > "$ssl_conf_path/ssl-dhparams.pem"
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
EOF
if [[ -z "${APPSMITH_ALLOWED_FRAME_ANCESTORS-}" ]]; then
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
export APPSMITH_ALLOWED_FRAME_ANCESTORS="'self'"
else
# Remove any extra rules that may be present in the frame ancestors value. This is to prevent this env variable from
# being used to inject more rules to the CSP header. If needed, that should be supported/solved separately.
export APPSMITH_ALLOWED_FRAME_ANCESTORS="${APPSMITH_ALLOWED_FRAME_ANCESTORS%;*}"
fi
if [[ -z "${APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX-}" ]]; then
# For backwards compatibility, if this is not set to anything, we default to no sandbox for iframe widgets.
export APPSMITH_DISABLE_IFRAME_WIDGET_SANDBOX="true"
fi
# Check exist certificate with given custom domain
# Heroku not support for custom domain, only generate HTTP config if deploying on Heroku
use_https=0
if [[ -n ${APPSMITH_CUSTOM_DOMAIN-} ]] && [[ -z ${DYNO-} ]]; then
use_https=1
if ! [[ -e "/etc/letsencrypt/live/$APPSMITH_CUSTOM_DOMAIN" ]]; then
source "/opt/appsmith/init_ssl_cert.sh"
if ! init_ssl_cert "$APPSMITH_CUSTOM_DOMAIN"; then
echo "Status code from init_ssl_cert is $?"
use_https=0
fi
fi
fi
bash /opt/appsmith/templates/nginx-app.conf.sh "$use_https" "${APPSMITH_CUSTOM_DOMAIN-}" > /etc/nginx/sites-available/default
apply-env-vars() {
original="$1"
served="$2"
if [[ ! -f $original ]]; then
cp -v "$served" "$original"
fi
node -e '
const fs = require("fs")
const content = fs.readFileSync("'"$original"'", "utf8").replace(
/\b__(APPSMITH_[A-Z0-9_]+)__\b/g,
(placeholder, name) => (process.env[name] || "")
)
fs.writeFileSync("'"$served"'", content)
'
pushd "$(dirname "$served")"
gzip --keep --force "$(basename "$served")"
popd
}
apply-env-vars /opt/appsmith/index.html.original /opt/appsmith/editor/index.html
exec nginx -g "daemon off;error_log stderr info;"
Reference in New Issue View Git Blame Copy Permalink