c70adf7440
## Description
> [!TIP]
> _Add a TL;DR when the description is longer than 500 words or
extremely technical (helps the content, marketing, and DevRel team)._
>
> _Please also include relevant motivation and context. List any
dependencies that are required for this change. Add links to Notion,
Figma or any other documents that might be relevant to the PR._
Fixes #`Issue Number`
_or_
Fixes `Issue URL`
> [!WARNING]
> _If no issue exists, please create an issue first, and check with the
maintainers if the issue is valid._
## Automation
/ok-to-test tags=""
### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results -->
> [!WARNING]
> Tests have not run on the HEAD
065cddccdcf3c98cb48ff201daf752708f24666c yet
> <hr>Fri, 15 Nov 2024 11:48:13 UTC
<!-- end of auto-generated comment: Cypress test results -->
## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [ ] No
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Introduced new monitoring paths for telemetry data exports:
`/monitoring/traces` and `/monitoring/metrics`.
- Added a function to streamline URL management for telemetry exports.
- **Bug Fixes**
- Updated telemetry export protocols to enhance reliability and
performance.
- **Chores**
- Updated multiple OpenTelemetry dependencies to their latest versions
for improved functionality and security.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
262 lines
6.7 KiB
JavaScript
262 lines
6.7 KiB
JavaScript
import * as fs from "fs"
|
|
import {dirname} from "path"
|
|
import {spawnSync} from "child_process"
|
|
import {X509Certificate} from "crypto"
|
|
|
|
// The custom domain is expected to only have the domain. So if it has a protocol, we ignore the whole value.
|
|
// This was the effective behaviour before Caddy.
|
|
const CUSTOM_DOMAIN = (process.env.APPSMITH_CUSTOM_DOMAIN || "").replace(/^https?:\/\/.+$/, "")
|
|
const CaddyfilePath = process.env.TMP + "/Caddyfile"
|
|
const AppsmithCaddy = process.env._APPSMITH_CADDY
|
|
|
|
// Rate limit environment.
|
|
const isRateLimitingEnabled = process.env.APPSMITH_RATE_LIMIT !== "disabled"
|
|
const RATE_LIMIT = parseInt(process.env.APPSMITH_RATE_LIMIT || 100, 10)
|
|
|
|
let certLocation = null
|
|
if (CUSTOM_DOMAIN !== "") {
|
|
try {
|
|
fs.accessSync("/appsmith-stacks/ssl/fullchain.pem", fs.constants.R_OK)
|
|
certLocation = "/appsmith-stacks/ssl"
|
|
} catch {
|
|
// no custom certs, see if old certbot certs are there.
|
|
const letsEncryptCertLocation = "/appsmith-stacks/letsencrypt/live/" + CUSTOM_DOMAIN
|
|
const fullChainPath = letsEncryptCertLocation + `/fullchain.pem`
|
|
try {
|
|
fs.accessSync(fullChainPath, fs.constants.R_OK)
|
|
console.log("Old Let's Encrypt cert file exists, now checking if it's expired.")
|
|
if (!isCertExpired(fullChainPath)) {
|
|
certLocation = letsEncryptCertLocation
|
|
}
|
|
} catch {
|
|
// no certs there either, ignore.
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
const frameAncestorsPolicy = (process.env.APPSMITH_ALLOWED_FRAME_ANCESTORS || "'self'")
|
|
.replace(/;.*$/, "")
|
|
|
|
const monitoringParts = [{
|
|
path: "/monitoring/traces",
|
|
rewrite: "/v1/traces",
|
|
}, {
|
|
path: "/monitoring/metrics",
|
|
rewrite: "/v1/metrics",
|
|
}];
|
|
|
|
const parts = []
|
|
|
|
parts.push(`
|
|
{
|
|
debug
|
|
admin 0.0.0.0:2019
|
|
persist_config off
|
|
acme_ca_root /etc/ssl/certs/ca-certificates.crt
|
|
servers {
|
|
trusted_proxies static 0.0.0.0/0
|
|
metrics
|
|
}
|
|
${isRateLimitingEnabled ? "order rate_limit before basicauth" : ""}
|
|
}
|
|
|
|
(file_server) {
|
|
file_server {
|
|
precompressed br gzip
|
|
disable_canonical_uris
|
|
}
|
|
}
|
|
|
|
(reverse_proxy) {
|
|
reverse_proxy {
|
|
to 127.0.0.1:{args[0]}
|
|
header_up -Forwarded
|
|
header_up X-Appsmith-Request-Id {http.request.uuid}
|
|
}
|
|
}
|
|
|
|
(all-config) {
|
|
log {
|
|
output stdout
|
|
}
|
|
|
|
# skip logs for health check
|
|
log_skip /api/v1/health
|
|
|
|
# skip logs for sourcemap files
|
|
@source-map-files {
|
|
path_regexp ^.*\.(js|css)\.map$
|
|
}
|
|
log_skip @source-map-files
|
|
|
|
# The internal request ID header should never be accepted from an incoming request.
|
|
request_header -X-Appsmith-Request-Id
|
|
|
|
# Ref: https://stackoverflow.com/a/38191078/151048
|
|
# We're only accepting v4 UUIDs today, in order to not make it too lax unless needed.
|
|
@valid-request-id expression {header.X-Request-Id}.matches("(?i)^[0-9A-F]{8}-[0-9A-F]{4}-[4][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$")
|
|
header @valid-request-id X-Request-Id {header.X-Request-Id}
|
|
@invalid-request-id expression !{header.X-Request-Id}.matches("(?i)^[0-9A-F]{8}-[0-9A-F]{4}-[4][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$")
|
|
header @invalid-request-id X-Request-Id invalid_request_id
|
|
request_header @invalid-request-id X-Request-Id invalid_request_id
|
|
|
|
header {
|
|
-Server
|
|
Content-Security-Policy "frame-ancestors ${frameAncestorsPolicy}"
|
|
X-Content-Type-Options "nosniff"
|
|
X-Appsmith-Request-Id {http.request.uuid}
|
|
}
|
|
|
|
header /static/* {
|
|
Cache-Control "public, max-age=31536000, immutable"
|
|
}
|
|
|
|
request_body {
|
|
max_size ${process.env.APPSMITH_CODEC_SIZE || 150}MB
|
|
}
|
|
|
|
handle {
|
|
root * {$WWW_PATH}
|
|
try_files /loading.html /index.html
|
|
import file_server
|
|
}
|
|
|
|
root * /opt/appsmith/editor
|
|
@file file
|
|
handle @file {
|
|
import file_server
|
|
}
|
|
|
|
handle /static/* {
|
|
error 404
|
|
}
|
|
|
|
handle /info {
|
|
root * /opt/appsmith
|
|
rewrite * /info.json
|
|
import file_server
|
|
}
|
|
|
|
@backend path /api/* /oauth2/* /login/*
|
|
handle @backend {
|
|
import reverse_proxy 8080
|
|
}
|
|
|
|
handle /rts/* {
|
|
import reverse_proxy 8091
|
|
}
|
|
|
|
${
|
|
monitoringParts.map((telemetry) => `
|
|
handle ${telemetry.path} {
|
|
@unauthorized not header api-key "${process.env.APPSMITH_NEW_RELIC_OTLP_LICENSE_KEY}"
|
|
respond @unauthorized "Forbidden" 403
|
|
|
|
@method_not_allowed not method POST
|
|
respond @method_not_allowed "Method Not Allowed" 405
|
|
|
|
rewrite * ${telemetry.rewrite}
|
|
import reverse_proxy 4318
|
|
}`).join("\n")
|
|
}
|
|
|
|
redir /supervisor /supervisor/
|
|
handle_path /supervisor/* {
|
|
import reverse_proxy 9001
|
|
}
|
|
|
|
${isRateLimitingEnabled ? `rate_limit {
|
|
zone dynamic_zone {
|
|
key {http.request.client_ip}
|
|
events ${RATE_LIMIT}
|
|
window 1s
|
|
}
|
|
}`: ""}
|
|
|
|
handle_errors {
|
|
respond "{err.status_code} {err.status_text}" {err.status_code}
|
|
header {
|
|
# Remove the Server header from the response.
|
|
-Server
|
|
# Remove Cache-Control header from the response.
|
|
-Cache-Control
|
|
}
|
|
}
|
|
}
|
|
|
|
# We bind to http on 80, so that localhost requests don't get redirected to https.
|
|
:${process.env.PORT || 80} {
|
|
import all-config
|
|
}
|
|
`)
|
|
|
|
if (CUSTOM_DOMAIN !== "") {
|
|
if (certLocation) {
|
|
// There's a custom certificate, don't bind to any exact domain.
|
|
parts.push(`
|
|
https:// {
|
|
import all-config
|
|
tls ${certLocation}/fullchain.pem ${certLocation}/privkey.pem
|
|
}
|
|
`)
|
|
|
|
} else {
|
|
// No custom certificate, bind to the custom domain explicitly, so Caddy can auto-provision the cert.
|
|
parts.push(`
|
|
https://${CUSTOM_DOMAIN} {
|
|
import all-config
|
|
}
|
|
`)
|
|
|
|
}
|
|
|
|
// We have to own the http-to-https redirect, since we need to remove the `Server` header from the response.
|
|
parts.push(`
|
|
http://${CUSTOM_DOMAIN} {
|
|
redir https://{host}{uri}
|
|
header -Server
|
|
header Connection close
|
|
}
|
|
`)
|
|
}
|
|
|
|
if (!process.argv.includes("--no-finalize-index-html")) {
|
|
finalizeIndexHtml()
|
|
}
|
|
|
|
fs.mkdirSync(dirname(CaddyfilePath), { recursive: true })
|
|
fs.writeFileSync(CaddyfilePath, parts.join("\n"))
|
|
spawnSync(AppsmithCaddy, ["fmt", "--overwrite", CaddyfilePath])
|
|
spawnSync(AppsmithCaddy, ["reload", "--config", CaddyfilePath])
|
|
|
|
function finalizeIndexHtml() {
|
|
let info = null;
|
|
try {
|
|
info = JSON.parse(fs.readFileSync("/opt/appsmith/info.json", "utf8"))
|
|
} catch(e) {
|
|
// info will be empty, that's okay.
|
|
console.error("Error reading info.json", e.message)
|
|
}
|
|
|
|
const extraEnv = {
|
|
APPSMITH_VERSION_ID: info?.version ?? "",
|
|
APPSMITH_VERSION_SHA: info?.commitSha ?? "",
|
|
APPSMITH_VERSION_RELEASE_DATE: info?.imageBuiltAt ?? "",
|
|
}
|
|
|
|
const content = fs.readFileSync("/opt/appsmith/editor/index.html", "utf8").replaceAll(
|
|
/\{\{env\s+"(APPSMITH_[A-Z0-9_]+)"}}/g,
|
|
(_, name) => (process.env[name] || extraEnv[name] || "")
|
|
)
|
|
|
|
fs.writeFileSync(process.env.WWW_PATH + "/index.html", content)
|
|
}
|
|
|
|
function isCertExpired(path) {
|
|
const cert = new X509Certificate(fs.readFileSync(path, "utf-8"))
|
|
console.log(path, cert)
|
|
return new Date(cert.validTo) < new Date()
|
|
}
|
|
|