diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 55e28db4b..08ecc0379 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -248,7 +248,7 @@ jobs: ########################################################################## - name: Nginx | Build `production` image run: | - docker build -t "gradido/nginx:latest" -t "gradido/nginx:production" -t "gradido/nginx:${VERSION}" -t "gradido/nginx:${BUILD_VERSION}" -f ./nginx/Dockerfile ./ + docker build -t "gradido/nginx:latest" -t "gradido/nginx:production" -t "gradido/nginx:${VERSION}" -t "gradido/nginx:${BUILD_VERSION}" nginx/ docker save "gradido/nginx" > /tmp/nginx.tar - name: Upload Artifact uses: actions/upload-artifact@v2 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 51f8e49b0..0928dc992 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -199,7 +199,7 @@ jobs: ########################################################################## - name: nginx | Build `test` image run: | - docker build -t "gradido/nginx:test" -f ./nginx/Dockerfile ./ + docker build -t "gradido/nginx:test" nginx/ docker save "gradido/nginx:test" > /tmp/nginx.tar - name: Upload Artifact uses: actions/upload-artifact@v2 diff --git a/.gitignore b/.gitignore index 5682953d4..de49b2fc1 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,7 @@ nbproject .metadata /.env package-lock.json +/deployment/bare_metal/.env +/deployment/bare_metal/nginx/sites-available/gradido.conf +/deployment/bare_metal/nginx/sites-available/update-page.conf +/deployment/bare_metal/nginx/update-page/updating.html \ No newline at end of file diff --git a/README.md b/README.md index ce8e84df0..355a40b82 100644 --- a/README.md +++ b/README.md 
@@ -67,7 +67,7 @@ We are currently restructuring the service to reduce dependencies and unify busi ### Open the wallet -Once you have `docker-compose` up and running, you can open [http://localhost/vue](http://localhost/vue) and create yourself a new wallet account. +Once you have `docker-compose` up and running, you can open [http://localhost/](http://localhost/) and create yourself a new wallet account. ## How to release @@ -90,7 +90,7 @@ Note: The Changelog will be regenerated with all tags on release on the external | Problem | Issue | Solution | Description | | ------- | ----- | -------- | ----------- | | docker-compose raises database connection errors | [#1062](https://github.com/gradido/gradido/issues/1062) | End `ctrl+c` and restart the `docker-compose up` after a successful build | Several Database connection related errors occur in the docker-compose log. | -| Wallet page is empty | [#1063](https://github.com/gradido/gradido/issues/1063) | Accept Cookies and Local Storage in your Browser | The page stays empty when navigating to [http://localhost/vue](http://localhost/vue) | +| Wallet page is empty | [#1063](https://github.com/gradido/gradido/issues/1063) | Accept Cookies and Local Storage in your Browser | The page stays empty when navigating to [http://localhost/](http://localhost/) | ## Useful Links diff --git a/admin/.env.dist b/admin/.env.dist index 7e81ca9ab..9d9a6fc4c 100644 --- a/admin/.env.dist +++ b/admin/.env.dist @@ -1,4 +1,4 @@ GRAPHQL_URI=http://localhost:4000/graphql -WALLET_AUTH_URL=http://localhost/vue/authenticate?token=$1 -WALLET_URL=http://localhost/vue/login +WALLET_AUTH_URL=http://localhost/authenticate?token=$1 +WALLET_URL=http://localhost/login DEBUG_DISABLE_AUTH=false \ No newline at end of file diff --git a/admin/package.json b/admin/package.json index c94d0a2b0..93fbed8ae 100644 --- a/admin/package.json +++ b/admin/package.json 
@@ -33,6 +33,7 @@ "core-js": "^3.6.5", "dotenv-webpack": "^7.0.3", "graphql": "^15.6.1", + "express": "^4.17.1", "identity-obj-proxy": "^3.0.0", "jest": "26.6.3", "moment": "^2.29.1", diff --git a/admin/run/server.js b/admin/run/server.js index 97a525427..bccefc65c 100644 --- a/admin/run/server.js +++ b/admin/run/server.js @@ -1,15 +1,21 @@ // Imports const express = require('express') -const serveStatic = require('serve-static') +const path = require('path') -// Port +// Host & Port +const hostname = '127.0.0.1' const port = process.env.PORT || 8080 // Express Server const app = express() -// eslint-disable-next-line node/no-path-concat -app.use(serveStatic(__dirname + '/../dist')) -app.listen(port) +// Serve files +app.use(express.static(path.join(__dirname, '../dist'))) +// Default to index.html +app.get('*', (req, res) => { + res.sendFile(path.join(__dirname, '../dist/index.html')) +}) -// eslint-disable-next-line no-console -console.log(`http://admin:${port} server started.`) +app.listen(port, hostname, () => { + // eslint-disable-next-line no-console + console.log('Listening at http://%s:%s/', hostname, port) +}) diff --git a/admin/src/components/NavBar.spec.js b/admin/src/components/NavBar.spec.js index 621ba0eb9..b084dd18b 100644 --- a/admin/src/components/NavBar.spec.js +++ b/admin/src/components/NavBar.spec.js @@ -63,7 +63,7 @@ describe('NavBar', () => { }) it('redirects to /logout', () => { - expect(windowLocationMock).toBeCalledWith('http://localhost/vue/login') + expect(windowLocationMock).toBeCalledWith('http://localhost/login') }) it('dispatches logout to store', () => { diff --git a/admin/src/config/index.js b/admin/src/config/index.js index 430f10d36..5bcf7938b 100644 --- a/admin/src/config/index.js +++ b/admin/src/config/index.js 
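Review bot: The bind address in admin/run/server.js is now the literal `'127.0.0.1'` and, unlike `port`, cannot be overridden from the environment. Loopback is the right default behind the nginx reverse proxy, but the same script becomes unreachable if it is started inside a container that has to accept connections on its bridge interface. Keeping loopback as the fallback while allowing an override covers both cases, for example `const hostname = process.env.HOST || '127.0.0.1'` (the variable name is a suggestion). The catch-all `app.get('*', …)` answers every unknown path, including mistyped asset URLs, with index.html and status 200; a comment such as `// SPA history-mode fallback: unknown paths are resolved by the client router` would make that intent explicit.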
@@ -19,8 +19,8 @@ const environment = { const endpoints = { GRAPHQL_URI: process.env.GRAPHQL_URI || 'http://localhost:4000/graphql', - WALLET_AUTH_URL: process.env.WALLET_AUTH_URL || 'http://localhost/vue/authenticate?token=$1', - WALLET_URL: process.env.WALLET_URL || 'http://localhost/vue/login', + WALLET_AUTH_URL: process.env.WALLET_AUTH_URL || 'http://localhost/authenticate?token=$1', + WALLET_URL: process.env.WALLET_URL || 'http://localhost/login', } const debug = { diff --git a/backend/.env.dist b/backend/.env.dist index f38e31be5..77fd9f6cc 100644 --- a/backend/.env.dist +++ b/backend/.env.dist @@ -19,7 +19,7 @@ DB_DATABASE=gradido_community #RESEND_TIME= RESEND_TIME=10 -#EMAIL_LINK_VERIFICATION=http://localhost/vue/checkEmail/$1 +#EMAIL_LINK_VERIFICATION=http://localhost/checkEmail/$1 #KLICKTIPP_USER= #KLICKTIPP_PASSWORD= diff --git a/backend/package.json b/backend/package.json index c9314f0fd..65ce3c801 100644 --- a/backend/package.json +++ b/backend/package.json @@ -21,7 +21,6 @@ "apollo-server-express": "^2.25.2", "apollo-server-testing": "^2.25.2", "axios": "^0.21.1", - "body-parser": "^1.19.0", "class-validator": "^0.13.1", "cors": "^2.8.5", "dotenv": "^10.0.0", diff --git a/backend/src/config/index.ts b/backend/src/config/index.ts index 88d07737c..8e1218f12 100644 --- a/backend/src/config/index.ts +++ b/backend/src/config/index.ts @@ -31,8 +31,8 @@ const klicktipp = { const community = { COMMUNITY_NAME: process.env.COMMUNITY_NAME || 'Gradido Entwicklung', - COMMUNITY_URL: process.env.COMMUNITY_URL || 'http://localhost/vue/', - COMMUNITY_REGISTER_URL: process.env.COMMUNITY_REGISTER_URL || 'http://localhost/vue/register', + COMMUNITY_URL: process.env.COMMUNITY_URL || 'http://localhost/', + COMMUNITY_REGISTER_URL: process.env.COMMUNITY_REGISTER_URL || 'http://localhost/register', COMMUNITY_DESCRIPTION: process.env.COMMUNITY_DESCRIPTION || 'Die lokale Entwicklungsumgebung von Gradido.', } 
@@ -50,13 +50,13 @@ const email = { EMAIL_PASSWORD: process.env.EMAIL_PASSWORD || 'xxx', EMAIL_SMTP_URL: process.env.EMAIL_SMTP_URL || 'gmail.com', EMAIL_SMTP_PORT: process.env.EMAIL_SMTP_PORT || '587', - EMAIL_LINK_VERIFICATION: - process.env.EMAIL_LINK_VERIFICATION || 'http://localhost/vue/checkEmail/$1', - EMAIL_LINK_SETPASSWORD: process.env.EMAIL_LINK_SETPASSWORD || 'http://localhost/vue/reset/$1', + EMAIL_LINK_VERIFICATION: process.env.EMAIL_LINK_VERIFICATION || 'http://localhost/checkEmail/$1', + EMAIL_LINK_SETPASSWORD: process.env.EMAIL_LINK_SETPASSWORD || 'http://localhost/reset/$1', RESEND_TIME: isNaN(resendTime) ? 10 : resendTime, } const webhook = { + // Elopage WEBHOOK_ELOPAGE_SECRET: process.env.WEBHOOK_ELOPAGE_SECRET || 'secret', } diff --git a/backend/src/graphql/resolver/CommunityResolver.test.ts b/backend/src/graphql/resolver/CommunityResolver.test.ts index afc6decec..cc481c101 100644 --- a/backend/src/graphql/resolver/CommunityResolver.test.ts +++ b/backend/src/graphql/resolver/CommunityResolver.test.ts @@ -53,8 +53,8 @@ describe('CommunityResolver', () => { getCommunityInfo: { name: 'Gradido Entwicklung', description: 'Die lokale Entwicklungsumgebung von Gradido.', - url: 'http://localhost/vue/', - registerUrl: 'http://localhost/vue/register', + url: 'http://localhost/', + registerUrl: 'http://localhost/register', }, }, }) 
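Review bot: `WEBHOOK_ELOPAGE_SECRET` still falls back to the literal `'secret'` in the `webhook` block this hunk annotates. Elsewhere in this commit that value is concatenated into the route `/hook/elopage/<secret>`, which the new nginx templates publish under `/hook`, so a deployment that forgets to set the variable accepts purchase webhooks from anyone who tries the default path. The new `// Elopage` comment is the natural place to say that the value is the only authentication of the hook. The safer behaviour is to drop the default, `WEBHOOK_ELOPAGE_SECRET: process.env.WEBHOOK_ELOPAGE_SECRET,`, and skip registering the route when it is unset. `EMAIL_PASSWORD` with its `'xxx'` default in the same hunk follows the same pattern.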
@@ -75,22 +75,22 @@ describe('CommunityResolver', () => { id: 1, name: 'Gradido Entwicklung', description: 'Die lokale Entwicklungsumgebung von Gradido.', - url: 'http://localhost/vue/', - registerUrl: 'http://localhost/vue/register-community', + url: 'http://localhost/', + registerUrl: 'http://localhost/register-community', }, { id: 2, name: 'Gradido Staging', description: 'Der Testserver der Gradido-Akademie.', - url: 'https://stage1.gradido.net/vue/', - registerUrl: 'https://stage1.gradido.net/vue/register-community', + url: 'https://stage1.gradido.net/', + registerUrl: 'https://stage1.gradido.net/register-community', }, { id: 3, name: 'Gradido-Akademie', description: 'Freies Institut für Wirtschaftsbionik.', url: 'https://gradido.net', - registerUrl: 'https://gdd1.gradido.com/vue/register-community', + registerUrl: 'https://gdd1.gradido.com/register-community', }, ], }, @@ -112,7 +112,7 @@ describe('CommunityResolver', () => { name: 'Gradido-Akademie', description: 'Freies Institut für Wirtschaftsbionik.', url: 'https://gradido.net', - registerUrl: 'https://gdd1.gradido.com/vue/register-community', + registerUrl: 'https://gdd1.gradido.com/register-community', }, ], }, diff --git a/backend/src/graphql/resolver/CommunityResolver.ts b/backend/src/graphql/resolver/CommunityResolver.ts index 5c9d46f34..1fa3887dc 100644 --- a/backend/src/graphql/resolver/CommunityResolver.ts +++ b/backend/src/graphql/resolver/CommunityResolver.ts @@ -29,7 +29,7 @@ export class CommunityResolver { name: 'Gradido-Akademie', description: 'Freies Institut für Wirtschaftsbionik.', url: 'https://gradido.net', - registerUrl: 'https://gdd1.gradido.com/vue/register-community', + registerUrl: 'https://gdd1.gradido.com/register-community', }), ] return [ 
@@ -37,22 +37,22 @@ export class CommunityResolver { id: 1, name: 'Gradido Entwicklung', description: 'Die lokale Entwicklungsumgebung von Gradido.', - url: 'http://localhost/vue/', - registerUrl: 'http://localhost/vue/register-community', + url: 'http://localhost/', + registerUrl: 'http://localhost/register-community', }), new Community({ id: 2, name: 'Gradido Staging', description: 'Der Testserver der Gradido-Akademie.', - url: 'https://stage1.gradido.net/vue/', - registerUrl: 'https://stage1.gradido.net/vue/register-community', + url: 'https://stage1.gradido.net/', + registerUrl: 'https://stage1.gradido.net/register-community', }), new Community({ id: 3, name: 'Gradido-Akademie', description: 'Freies Institut für Wirtschaftsbionik.', url: 'https://gradido.net', - registerUrl: 'https://gdd1.gradido.com/vue/register-community', + registerUrl: 'https://gdd1.gradido.com/register-community', }), ] } diff --git a/backend/src/index.ts b/backend/src/index.ts index a2e533e34..4c08b422d 100644 --- a/backend/src/index.ts +++ b/backend/src/index.ts @@ -13,7 +13,7 @@ async function main() { console.log(`Server is running at http://localhost:${CONFIG.PORT}`) if (CONFIG.GRAPHIQL) { // eslint-disable-next-line no-console - console.log(`GraphIQL available at http://localhost:${CONFIG.PORT}/graphql`) + console.log(`GraphIQL available at http://localhost:${CONFIG.PORT}`) } }) } diff --git a/backend/src/server/createServer.ts b/backend/src/server/createServer.ts index 4ed20232d..201c420f6 100644 --- a/backend/src/server/createServer.ts +++ b/backend/src/server/createServer.ts @@ -6,7 +6,6 @@ import 'module-alias/register' import { ApolloServer } from 'apollo-server-express' import express from 'express' -import bodyParser from 'body-parser' // database import connection from '../typeorm/connection' 
@@ -54,8 +53,19 @@ const createServer = async (context: any = serverContext): Promise => { // cors app.use(cors) - // bodyparser - app.use(bodyParser.json()) + // bodyparser json + app.use(express.json()) + // bodyparser text for elopage + app.use(express.text()) + + // Log every request + /* + app.use((req, res, next) => { + // eslint-disable-next-line no-console + console.log(req) + next() + }) + */ // Elopage Webhook app.post('/hook/elopage/' + CONFIG.WEBHOOK_ELOPAGE_SECRET, elopageWebhook) @@ -67,7 +77,7 @@ const createServer = async (context: any = serverContext): Promise => { context, plugins, }) - apollo.applyMiddleware({ app }) + apollo.applyMiddleware({ app, path: '/' }) return { apollo, app, con } } diff --git a/backend/src/webhook/elopage.ts b/backend/src/webhook/elopage.ts index 80fa90933..1be6c730d 100644 --- a/backend/src/webhook/elopage.ts +++ b/backend/src/webhook/elopage.ts @@ -28,19 +28,23 @@ */ import { LoginElopageBuys } from '@entity/LoginElopageBuys' -import { LoginUser } from '@entity/LoginUser' +import { getCustomRepository } from 'typeorm' import { UserResolver } from '../graphql/resolver/UserResolver' +import { LoginElopageBuysRepository } from '../typeorm/repository/LoginElopageBuys' +import { LoginUserRepository } from '../typeorm/repository/LoginUser' export const elopageWebhook = async (req: any, res: any): Promise => { + // eslint-disable-next-line no-console + console.log('Elopage Hook received') res.status(200).end() // Responding is important - + const loginElopgaeBuyRepository = await getCustomRepository(LoginElopageBuysRepository) const loginElopgaeBuy = new LoginElopageBuys() let firstName = '' let lastName = '' const entries = req.body.split('&') - entries.foreach((entry: string) => { + entries.forEach((entry: string) => { const keyVal = entry.split('=') - if (keyVal.length !== 2) { + if (keyVal.length > 2) { throw new Error(`Error parsing entry '${entry}'`) } const key = keyVal[0] 
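Review bot: The commented-out request logger added after the body parsers would, if re-enabled, print the whole `req` object, including the authorization headers of GraphQL calls and the Elopage URL that carries `WEBHOOK_ELOPAGE_SECRET` in its path. I would delete the block rather than ship it commented, or replace it with a line that logs only `req.method` and a path with the secret segment redacted. Separately, `express.text()` is registered for every route and by default only parses `text/plain` bodies. Elopage's content type is not visible here, and if it posts form-encoded data `req.body` will not be a string when `elopageWebhook` calls `split`. Scoping the parser to the hook, `app.post('/hook/elopage/' + CONFIG.WEBHOOK_ELOPAGE_SECRET, express.text(), elopageWebhook)`, also keeps it off the GraphQL path.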
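Review bot: Mounting Apollo with `path: '/'` most likely makes its middleware match every request path that no earlier route handled, because the path is used as a prefix mount. If so, a POST to `/hook/elopage/<wrong-secret>` no longer ends in a 404 but is answered by the GraphQL handler, and any route registered after `applyMiddleware` is shadowed. A comment above the call such as `// mounted at root: register all other routes before this line` would document the ordering constraint. createServer's body starts outside this hunk, so other registrations are not visible here.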
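Review bot: `res.status(200).end()` runs before the body is parsed, so the `throw new Error(...)` inside the `forEach` callback can no longer produce an error response and instead rejects the promise of this async handler, which nothing here catches. Depending on the Node version an unhandled rejection terminates the process, so one malformed body sent to the hook URL could take the backend down. The relaxed check `keyVal.length > 2` also lets an entry without `=` through, leaving `keyVal[1]` undefined for the code that follows outside this hunk. I would wrap the parsing in `try { … } catch (err) { console.error(err); return }` and keep rejecting entries that do not split into exactly two parts. Alternatively, `new URLSearchParams(req.body)` handles both splitting and decoding.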
@@ -88,8 +92,10 @@ export const elopageWebhook = async (req: any, res: any): Promise => { lastName = val break default: + // this is too spammy // eslint-disable-next-line no-console - console.log(`Unknown Elopage Value '${entry}'`) + // console.log(`Unknown Elopage Value '${entry}'`) + break } }) @@ -101,7 +107,7 @@ export const elopageWebhook = async (req: any, res: any): Promise => { } // Save the hook data - await loginElopgaeBuy.save() + await loginElopgaeBuyRepository.save(loginElopgaeBuy) // create user for certain products /* @@ -133,7 +139,8 @@ export const elopageWebhook = async (req: any, res: any): Promise => { } // Do we already have such a user? - if ((await LoginUser.count({ email })) !== 0) { + const loginUserRepository = await getCustomRepository(LoginUserRepository) + if ((await loginUserRepository.count({ email })) !== 0) { // eslint-disable-next-line no-console console.log(`Did not create User - already exists with email: ${email}`) return diff --git a/backend/yarn.lock b/backend/yarn.lock index b46bc183d..2c1603fbd 100644 --- a/backend/yarn.lock +++ b/backend/yarn.lock @@ -1552,7 +1552,7 @@ binary-extensions@^2.0.0: resolved "https://registry.yarnpkg.com/binary-extensions/-/binary-extensions-2.2.0.tgz#75f502eeaf9ffde42fc98829645be4ea76bd9e2d" integrity sha512-jDctJ/IVQbZoJykoeHbhXpOlNBqGNcwXJKJog42E5HDPUwQTSdjCHdihjj0DlnheQ7blbT6dHOafNAiS8ooQKA== -body-parser@1.19.0, body-parser@^1.18.3, body-parser@^1.19.0: +body-parser@1.19.0, body-parser@^1.18.3: version "1.19.0" resolved "https://registry.yarnpkg.com/body-parser/-/body-parser-1.19.0.tgz#96b2709e57c9c4e09a6fd66a8fd979844f69f08a" integrity sha512-dhEPs72UPbDnAQJ9ZKMNTP6ptJaionhP5cBb541nXPlW60Jepo9RV/a4fX4XWW9CuFNK22krhrj1+rgzifNCsw== diff --git a/community_server/src/Template/Pages/js.ctp b/community_server/src/Template/Pages/js.ctp index 60868adc4..dd1525dbe 100644 --- a/community_server/src/Template/Pages/js.ctp +++ b/community_server/src/Template/Pages/js.ctp @@ -37,5 +37,5 @@ - + 
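Review bot: The `default:` branch now keeps a commented-out `console.log` together with an `eslint-disable-next-line no-console` directive that no longer has a statement to apply to. Removing both and leaving a single line such as `// unknown Elopage fields are ignored on purpose` says the same thing without dead code. If the values are ever logged again, note that `entry` is sender-controlled text and should be length-limited before it reaches the log.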
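Review bot: The unchanged log line in the duplicate-user check writes the buyer's full e-mail address to the process log (`already exists with email: ${email}`), which puts personal data from every repeated purchase into log storage. Logging a user id, or the address with the local part masked, gives the same diagnostic value. The surrounding function starts and ends outside this hunk.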
diff --git a/deployment/bare_metal/.env.dist b/deployment/bare_metal/.env.dist new file mode 100644 index 000000000..70cc95521 --- /dev/null +++ b/deployment/bare_metal/.env.dist @@ -0,0 +1,14 @@ +NGINX_SERVER_NAME=_ + +#Example data + +#DEPLOY_SEED_DATA=true +# +#NGINX_REWRITE_LEGACY_URLS=true +#NGINX_SSL=true +#NGINX_SERVER_NAME=stage1.gradido.net +#NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/stage1.gradido.net/fullchain.pem +#NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/stage1.gradido.net/privkey.pem +#NGINX_SSL_DHPARAM=/etc/letsencrypt/ssl-dhparams.pem +#NGINX_SSL_INCLUDE=/etc/letsencrypt/options-ssl-nginx.conf +#NGINX_UPDATE_PAGE_ROOT=/home/gradido/gradido/deployment/bare_metal/nginx/update-page \ No newline at end of file diff --git a/deployment/bare_metal/build_and_start_login_server.sh b/deployment/bare_metal/build_and_start_login_server.sh deleted file mode 100755 index b97d1d4a9..000000000 --- a/deployment/bare_metal/build_and_start_login_server.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/bin/bash - -# stop login_server running in screen -screen -XS login quit - -# rebuild login-server -cd ../../login_server -if [ ! -d "./build" ] ; then - cd scripts - ./prepare_build.sh - cd .. -fi -cd build -cmake .. -make -j$(nproc) Gradido_LoginServer - -# rebuild locales -cd ../scripts -./compile_pot.sh -cd ../src/LOCALE -cp *.mo *.po /etc/grd_login/LOCALE/ - -cd ../../build/bin - -# start login-server -screen -dmS 'login_server' bash -c './Gradido_LoginServer' - - - diff --git a/deployment/bare_metal/install.sh b/deployment/bare_metal/install.sh new file mode 100755 index 000000000..3d1d44a2c --- /dev/null +++ b/deployment/bare_metal/install.sh 
@@ -0,0 +1,155 @@ +#!/bin/bash + +# This install script requires the minimum requirements already installed. +# How to do this is described in detail in [setup.md](./setup.md) + +# Load .env or .env.dist if not present +set -o allexport +if [ -f ".env" ]; then + source .env +else + source .env.dist +fi +set +o allexport + +# Install mariadb +sudo apt-get install -y mariadb-server +sudo mysql_secure_installation +# Enter current password for root (enter for none): enter +# Switch to unix_socket authentication [Y/n] Y +# Change the root password? [Y/n] n +# Remove anonymous users? [Y/n] Y +# Disallow root login remotely? [Y/n] Y +# Remove test database and access to it? [Y/n] Y +# Reload privilege tables now? [Y/n] Y + +# create db user +DB_USER=gradido +DB_PASSWORD=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-32};echo); +# create table +#create database gradido_community +# DEFAULT CHARACTER SET utf8mb4 +# DEFAULT COLLATE utf8mb4_unicode_ci; +# GRANT ALL PRIVILEGES ON gradido_community.* TO '$DB_USER'@'localhost'; +sudo mysql < Enter email address (used for urgent renewal and security notices) > support@gradido.net +> Please read the Terms of Service at > Y +> Would you be willing, once your first certificate is successfully issued, to > N +> No names were found in your configuration files. 
Please enter in your domain > stage1.gradido.net + +git config pull.ff only + +# Allow nginx configuration and restart for gradido +sudo nano /etc/sudoers.d/gradido +> gradido ALL=(ALL) NOPASSWD: /etc/init.d/nginx start,/etc/init.d/nginx stop,/etc/init.d/nginx restart +sudo chmod a+rw /etc/nginx/sites-enabled + +# Webhooks (optional) +sudo apt install webhook +nano ~/hooks.json +``` +[ + { + "id": "github", + "execute-command": "/home/gradido/gradido/deployment/bare_metal/start.sh", + "pass-arguments-to-command": [ + { + "source": "string", + "name": "new_deployment" + }, + ], + "command-working-directory": "/home/gradido/gradido/deployment/bare_metal", + "trigger-rule": { + "and": [ + { + "match": { + "type": "payload-hash-sha1", + "secret": "secret", + "parameter": { + "source": "header", + "name": "X-Hub-Signature" + } + } + }, + { + "match": { + "type": "value", + "value": "refs/heads/new_deployment", + "parameter": { + "source": "payload", + "name": "ref" + } + } + } + ] + } + } +] +``` + +webhook -hooks ~/hooks.json & +# or for debugging +webhook -hooks ~/hooks.json -verbose \ No newline at end of file diff --git a/deployment/bare_metal/maintenance.sh b/deployment/bare_metal/maintenance.sh new file mode 100755 index 000000000..4a268d270 --- /dev/null +++ b/deployment/bare_metal/maintenance.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +# update system +sudo apt-get update +sudo apt-get upgrade + +# update pm2 +sudo yarn global add pm2 +pm2 update \ No newline at end of file diff --git a/deployment/bare_metal/nginx/common/protect.conf b/deployment/bare_metal/nginx/common/protect.conf new file mode 100644 index 000000000..6ad33bd8e --- /dev/null +++ b/deployment/bare_metal/nginx/common/protect.conf 
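Review bot: `sudo chmod a+rw /etc/nginx/sites-enabled` makes the directory writable by every local account, so any user or compromised service on the host can add a server block that nginx loads on its next restart. Granting write access to the deploy account only is enough for the stated purpose, e.g. `sudo chown root:gradido /etc/nginx/sites-enabled && sudo chmod 775 /etc/nginx/sites-enabled`. In the hooks.json sample, `"secret": "secret"` needs a comment that it must be replaced with a generated value, and the trailing comma after the `pass-arguments-to-command` entry makes the file invalid JSON. `webhook -hooks ~/hooks.json` listens on all interfaces by default, so `-ip 127.0.0.1` should be added now that nginx fronts `/hooks/`. The file carries a `#!/bin/bash` line but mixes commands with prompt transcripts and a fenced JSON block, so the non-command lines should be commented out or the file renamed to a runbook.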
@@ -0,0 +1,54 @@
+# Deny access to readme.(txt|html) or license.(txt|html) or example.(txt|html) and other common git related files
+location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
+ deny all;
+}
+# Deny access to backup extensions & log files
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+ deny all;
+}
+# deny access to hidden files and directories
+location ~ /\.(?!well-known\/) {
+ deny all;
+}
+# deny access to base64 encoded urls
+location ~* "(base64_encode)(.*)(\()" {
+ deny all;
+}
+# deny access to url with the javascript eval() function
+location ~* "(eval\()" {
+ deny all;
+}
+# deny access to url which include \"127.0.0.1\"
+location ~* "(127\.0\.0\.1)" {
+ deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+ deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+ deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+ deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+ deny all;
+}
+location ~* "(https?|ftp|php):/" {
+ deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+ deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+ deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+ deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|boot\.ini|etc/passwd|eval\(|self/environ|(wp-)?config\.|cgi-|muieblack)" {
+ deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|configuration)\.php" {
+ deny all;
+}
\ No newline at end of file
diff --git a/deployment/bare_metal/nginx/common/protect_add_header.conf b/deployment/bare_metal/nginx/common/protect_add_header.conf
new file mode 100644
index 000000000..998f10696
--- /dev/null
+++ b/deployment/bare_metal/nginx/common/protect_add_header.conf
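Review bot: nginx matches `location` regexes against the normalised request path only, after percent-decoding and without the query string, so several rules in protect.conf cannot do what their comments say. Patterns such as `(GLOBALS|REQUEST)(=|\[|%)`, `(eval\()` and the `drop|insert|md5|select|union` rule will rarely fire because such payloads normally travel in the query string or body, a single-encoded `%3C` is already decoded to `<` before matching, and `(>|%3)` in the script rule looks like a truncated `%3E`. In the other direction, the last unnamed `location ~` rule rejects every path containing whitespace, `:`, `;` or `%`, which may hit legitimate frontend or token URLs. Because regex locations take precedence over the prefix locations in the site templates, every rule here also applies to `/graphql`, `/hook` and `/admin`. A header comment stating that this file is a coarse path filter and not input validation, plus one line per uncommented rule naming what it is meant to block, would keep maintainers from relying on it.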
@@ -0,0 +1,9 @@
+# Prevent browsers from incorrectly detecting non-scripts as scripts
+# https://infosec.mozilla.org/guidelines/web_security#x-content-type-options
+add_header X-Content-Type-Options "nosniff";
+
+# prevent clickjacking: https://www.owasp.org/index.php/Clickjacking
+# https://geekflare.com/add-x-frame-options-nginx/
+# https://infosec.mozilla.org/guidelines/web_security#x-frame-options
+add_header Content-Security-Policy "frame-ancestors 'none'";
+add_header X-Frame-Options "DENY";
\ No newline at end of file
diff --git a/deployment/bare_metal/nginx/sites-available/gradido b/deployment/bare_metal/nginx/sites-available/gradido
deleted file mode 100644
index c32d82483..000000000
--- a/deployment/bare_metal/nginx/sites-available/gradido
+++ /dev/null
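Review bot: The three `add_header` directives lack the `always` parameter, so nginx emits them only for 200, 201, 204, 206 and the 3xx redirect codes and omits them on 403, 404 and 5xx responses, including the `deny all` answers produced by protect.conf. Writing `add_header X-Content-Type-Options "nosniff" always;` and likewise for the other two closes that gap. `add_header` is inherited only when the inner level defines none of its own, so a comment at the top of the file should warn that any `location` with its own `add_header` must include this file again. A one-line remark that `frame-ancestors 'none'` is the current mechanism and `X-Frame-Options` is kept for older browsers would explain why both are set.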
@@ -1,73 +0,0 @@ -server { - server_name _; - listen 80; - listen [::]:80; - - include /etc/nginx/common/protect.conf; - include /etc/nginx/common/protect_add_header.conf; - - root /var/www/html/gradido/community_server/webroot; - index index.php; - - gzip_static on; - - - location ~ \.php$ { - include snippets/fastcgi-php.conf; - fastcgi_pass unix:/run/php/php7.4-fpm.sock; - } - - location ~ /\.ht { - deny all; - } - - location /vue { - alias /var/www/html/gradido/frontend/dist; - index index.html; - - location ~* \.(png)$ { - expires 39d; - } - try_files $uri $uri/ /index.html = 404; - } - - location /account { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_cache_bypass $http_upgrade; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $host; - rewrite /account/(.*) /$1 break; - - proxy_pass http://127.0.0.1:1200; - proxy_redirect off; - - - } - - location /login_api { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection 'upgrade'; - proxy_cache_bypass $http_upgrade; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header Host $host; - rewrite /login_api/(.*) /$1 break; - - proxy_pass http://127.0.0.1:1201; - proxy_redirect off; - - - } - - - location / { - try_files $uri $uri/ /index.php?$args; - } - - access_log /var/log/nginx/access.log main; - -} diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template new file mode 100644 index 000000000..845cf56ad --- /dev/null +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template 
@@ -0,0 +1,103 @@ +server { + if ($host = $NGINX_SERVER_NAME) { + return 301 https://$host$request_uri; + } + + server_name $NGINX_SERVER_NAME; + listen 80; + listen [::]:80; + return 404; +} + +server { + server_name $NGINX_SERVER_NAME; + + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate $NGINX_SSL_CERTIFICATE; + ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY; + include $NGINX_SSL_INCLUDE; + ssl_dhparam $NGINX_SSL_DHPARAM; + + include /etc/nginx/common/protect.conf; + include /etc/nginx/common/protect_add_header.conf; + #include /etc/nginx/common/ssl.conf; + + #gzip_static on; + + # Legacy URLS + set $REWRITE_LEGACY_URLS "$NGINX_REWRITE_LEGACY_URLS"; + if ($REWRITE_LEGACY_URLS = 'true') { + rewrite ^/vue/?(.*)$ /$1 permanent; + } + + # Frontend (default) + location / { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:3000; + proxy_redirect off; + } + + # Backend + location /graphql { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:4000; + proxy_redirect off; + } + + # Backend webhooks + location /hook { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:4000/hook; + proxy_redirect off; + } + + # Webhook reverse proxy + location /hooks/ { + proxy_pass http://127.0.0.1:9000/hooks/; + } + + # Admin Frontend + location /admin { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header 
Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:8080/; + proxy_redirect off; + } + + # TODO this could be a performance optimization + #location /vue { + # alias /var/www/html/gradido/frontend/dist; + # index index.html; + # + # location ~* \.(png)$ { + # expires 39d; + # } + # try_files $uri $uri/ /index.html = 404; + #} + + #access_log /var/log/nginx/access.log main; +} \ No newline at end of file diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.template new file mode 100644 index 000000000..e76140b56 --- /dev/null +++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template 
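Review bot: `location /hooks/` publishes the deployment webhook on port 9000 with no restriction at the proxy, so the signature rule in hooks.json is the only thing between an anonymous request and `start.sh`. Adding `allow`/`deny` rules for the forge's published hook source ranges, or at least a `limit_req` zone, in that block would reduce the exposure. The TLS server block sets no `Strict-Transport-Security` header although port 80 redirects to HTTPS; a line such as `add_header Strict-Transport-Security "max-age=31536000" always;` (example value) fits next to the existing includes once the certificate setup is stable. `location /admin` is a prefix match without a trailing slash, so it also captures paths like `/administrator` and forwards `/admin/x` upstream as `//x`; `location /admin/` plus a redirect from `/admin` is the usual form. The `/hooks/` and `/admin` points apply in the same way to gradido.conf.template.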
@@ -0,0 +1,89 @@ +server { + server_name $NGINX_SERVER_NAME; + + listen 80; + listen [::]:80; + + include /etc/nginx/common/protect.conf; + include /etc/nginx/common/protect_add_header.conf; + #include /etc/nginx/common/ssl.conf; + + #gzip_static on; + + # Legacy URLS + set $REWRITE_LEGACY_URLS "$NGINX_REWRITE_LEGACY_URLS"; + if ($REWRITE_LEGACY_URLS = 'true') { + rewrite ^/vue/?(.*)$ /$1 permanent; + } + + # Frontend (default) + location / { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:3000; + proxy_redirect off; + } + + # Backend + location /graphql { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:4000; + proxy_redirect off; + } + + # Backend webhooks + location /hook { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + # no trailing slash to keep the hook/ prefix + proxy_pass http://127.0.0.1:4000/hook; + proxy_redirect off; + } + + # Webhook reverse proxy + location /hooks/ { + proxy_pass http://127.0.0.1:9000/hooks/; + } + + # Admin Frontend + location /admin { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection 'upgrade'; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + + proxy_pass http://127.0.0.1:8080/; + proxy_redirect off; + } + + # TODO this could be a performance optimization + #location /vue { + # alias 
/var/www/html/gradido/frontend/dist; + # index index.html; + # + # location ~* \.(png)$ { + # expires 39d; + # } + # try_files $uri $uri/ /index.html = 404; + #} + + #access_log /var/log/nginx/access.log main; +} \ No newline at end of file diff --git a/deployment/bare_metal/nginx/sites-available/gradido_updating b/deployment/bare_metal/nginx/sites-available/gradido_updating deleted file mode 100644 index df07e3715..000000000 --- a/deployment/bare_metal/nginx/sites-available/gradido_updating +++ /dev/null @@ -1,29 +0,0 @@ - -server { - server_name _; - listen 80; - listen [::]:80; - - include /etc/nginx/common/protect.conf; - include /etc/nginx/common/protect_add_header.conf; - - root /var/www/html/; - index updating.html; - - location /account { - alias /var/www/html/; - index updating.html; - } - location /vue { - alias /var/www/html/; - index updating.html; - } - - location ~ /\.ht { - deny all; - } - - access_log /var/log/nginx/access.log main; - -} - diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template new file mode 100644 index 000000000..1724ac61e --- /dev/null +++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template 
@@ -0,0 +1,36 @@ + +server { + if ($host = $NGINX_SERVER_NAME) { + return 301 https://$host$request_uri; + } + + server_name $NGINX_SERVER_NAME; + listen 80; + listen [::]:80; + return 404; +} +server { + server_name $NGINX_SERVER_NAME; + + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate $NGINX_SSL_CERTIFICATE; + ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY; + include $NGINX_SSL_INCLUDE; + ssl_dhparam $NGINX_SSL_DHPARAM; + + include /etc/nginx/common/protect.conf; + include /etc/nginx/common/protect_add_header.conf; + + root $NGINX_UPDATE_PAGE_ROOT; + index updating.html; + + #location / { + # alias $NGINX_UPDATE_PAGE_ROOT; + # index updating.html; + #} + + #access_log /var/log/nginx/access.log main; + +} + diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.template new file mode 100644 index 000000000..edc191d54 --- /dev/null +++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.template @@ -0,0 +1,21 @@ + +server { + server_name _; + listen 80; + listen [::]:80; + + include /etc/nginx/common/protect.conf; + include /etc/nginx/common/protect_add_header.conf; + + root $NGINX_UPDATE_PAGE_ROOT; + index updating.html; + + #location / { + # alias $NGINX_UPDATE_PAGE_ROOT; + # index updating.html; + #} + + access_log /var/log/nginx/access.log main; + +} + diff --git a/deployment/bare_metal/nginx/update-page/updating.html.template b/deployment/bare_metal/nginx/update-page/updating.html.template new file mode 100644 index 000000000..a88a40b0f --- /dev/null +++ b/deployment/bare_metal/nginx/update-page/updating.html.template @@ -0,0 +1,3 @@ +Gradido is currently updating...
+please stand by and try again in some minutes
+
\ No newline at end of file diff --git a/deployment/bare_metal/nginx/updating_original.html b/deployment/bare_metal/nginx/updating_original.html deleted file mode 100644 index 8975e3970..000000000 --- a/deployment/bare_metal/nginx/updating_original.html +++ /dev/null @@ -1 +0,0 @@ -Gradido Servers are updating..., please stand by and try again in some minutes diff --git a/deployment/bare_metal/build_frontend.sh b/deployment/bare_metal/old/build_frontend.sh similarity index 100% rename from deployment/bare_metal/build_frontend.sh rename to deployment/bare_metal/old/build_frontend.sh diff --git a/deployment/bare_metal/old/setup_server_online_ubuntu18.sh b/deployment/bare_metal/old/setup_server_online_ubuntu18.sh new file mode 100644 index 000000000..e8f766424 --- /dev/null +++ b/deployment/bare_metal/old/setup_server_online_ubuntu18.sh 
@@ -0,0 +1,138 @@ +# nginx security +sudo cat << "EOF" > ssl.conf +## + # SSL Settings + ## + + # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + + # enables server-side protection from BEAST attacks + # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html + ssl_prefer_server_ciphers on; + + # enable session resumption to improve https performance + # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; + + # ciphers chosen for forward secrecy and compatibility + # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; + + # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner) + # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ + resolver 8.8.8.8 8.8.4.4; + ssl_stapling on; + ssl_stapling_verify on; + # ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt; + + # config to enable HSTS(HTTP Strict Transport Security) 
https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security + # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping + # also https://hstspreload.org/ + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; +EOF + +cd /etc/nginx/conf.d +sudo cat < logging.conf +log_format main '$http_x_forwarded_for - $remote_user [$time_local] ' + '"$request_method $scheme://$host$request_uri $server_protocol" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" $request_time'; +EOF + +# fail2ban enable blocking to many http request resulting in forbidden +echo "fail2ban config" +cd /etc/fail2ban/filter.d +sudo cat < nginx-forbidden.conf +[Definition] +failregex = ^.*\[error\] \d+#\d+: .* forbidden .*, client: , .*$ + +ignoreregex = +EOF + +cd /etc/fail2ban/jail.d +sudo cat < nginx-forbidden.conf +[nginx-forbidden] +enabled = true +filter = nginx-forbidden +port = http,https +logpath = /var/log/nginx/*error*.log +findtime = 60 +bantime = 6000 +maxretry = 3 +EOF + +sudo service fail2ban restart + +# phpmyadmin +echo "install and secure phpmyadmin" +sudo apt install phpmyadmin +cd /etc/phpmyadmin/conf.d +sudo cat < pma_secure.php + +EOF +phpmyadminPwd = $(openssl passwd) +echo "Please give a username for phpmyadmin, but not root" +read phpmyadmin_user +# TODO: check if phpmyadmin_user isn't really root +sudo cat < /etc/nginx/pma_pass +$phpmyadmin_user:$phpmyadminPwd +EOF + +serverIP = $(ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1') + +sudo cat < /etc/nginx/sites-available/phpmyadmin + +server { + listen 80 ; + + listen [::]:80; + server_name $serverIP; + + + location ~* \.(png|jpg|ico)$ { + expires 30d; + } + + location ~* \.(js|css) { + expires 30d; + } + + location /phpmyadmin { + root /usr/share/phpmyadmin + index index.php; + + location ~ \.php$ { + include snippets/fastcgi-php.conf; + fastcgi_pass 
unix:/run/php/php7.4-fpm.sock; + } + + location / { + try_files $uri $uri/ /index.php?$args; + } + } + + location ~ /\.ht { + deny all; + } + + access_log /var/log/nginx/access.log main; +} + +EOF +sudo ln -s /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled \ No newline at end of file diff --git a/deployment/bare_metal/setup.md b/deployment/bare_metal/setup.md new file mode 100644 index 000000000..31db1f42a --- /dev/null +++ b/deployment/bare_metal/setup.md 
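Review bot: The generated ssl.conf still enables `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and its cipher list ends with 3DES and static-RSA CBC suites (`DES-CBC3-SHA`, `AES128-SHA`, ...), so clients can negotiate deprecated protocol versions and ciphers without forward secrecy. I would reduce it to `ssl_protocols TLSv1.2 TLSv1.3;` (if the installed nginx/OpenSSL support TLS 1.3) and keep only the ECDHE/DHE AEAD suites. Further down, the phpMyAdmin server block listens on port 80 only and, as far as this hunk shows, never references the `/etc/nginx/pma_pass` file the script writes; an `auth_basic` plus `auth_basic_user_file /etc/nginx/pma_pass;` pair inside `location /phpmyadmin` and a TLS listener would make the credentials effective and keep the login out of cleartext. Also, `phpmyadminPwd = $(openssl passwd)` has spaces around `=`, which the shell runs as a command instead of an assignment, so the password file would be written with an empty hash.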
@@ -0,0 +1,77 @@ +# Setup script to setup the server be ready to run gradido +# This assums you have root access via ssh to your cleanly setup server +# Furthermore this assumes you have debian (11 64bit) running + +> ssh root@gddhost.tld + +# change default shell +chsh +# Create user `gradido` +> useradd -d /home/gradido -m gradido +> passwd gradido +>> enter new + +# Gives the user priviledges - this might be omitted in order to harden security +# Care: This will require another administering user if you don't want root access. +# Since this setup expects the user running the software be the same as the administering user, +# you have to adjust the instructions according to that scenario. +# You might lock yourself out, if done wrong. +> usermod -a -G sudo gradido + +# Install sudo +> apt-get install sudo +# switch to the new user +> su gradido + +# Register first ssh key for user `gradido` +> mkdir ~/.ssh +> chmod 700 ~/.ssh +> nano ~/.ssh/authorized_keys +>> insert public key +>> ctrl + x +>> save + +# Test authentication via SSH +> ssh -i /path/to/privKey gradido@gddhost.tld +>> This should log you in and allow you to use sudo commands, which will require the user's password + +# Disable password authentication & root login +> cd /etc/ssh +> sudo cp sshd_config sshd_config.org +> sudo nano sshd_config +>> change `PermitRootLogin yes` to `PermitRootLogin no` +>> change `#PasswordAuthentication yes` to `PasswordAuthentication no` +>> change `UsePAM yes` to `UsePAM no` +>> ctrl + x +>> save +> sudo /etc/init.d/ssh restart + +# Test SSH Access only, no root ssh access +> ssh gradido@gddhost.tld +>> Will result in in either a password request for your key or the message `Permission denied (publickey)` +> ssh -i /path/to/privKey root@gddhost.tld +>> Will result in `Permission denied (publickey)` +> ssh -i /path/to/privKey gradido@gddhost.tld +>> Will succeed after entering the correct keys password (if any) + +# update system +> sudo apt-get update +> sudo apt-get 
upgrade + +# Install security tools +## ufw +> sudo apt-get install ufw +> sudo ufw allow http +> sudo ufw allow https +> sudo ufw allow ssh +> sudo ufw enable + +## fail2ban +> sudo apt-get install fail2ban +> sudo /etc/init.d/fail2ban restart + +# Install gradido +> sudo apt-get install git +> git clone https://github.com/gradido/gradido.git +> cd gradido/deployment/bare_metal +> ./install.sh \ No newline at end of file diff --git a/deployment/bare_metal/start.sh b/deployment/bare_metal/start.sh new file mode 100755 index 000000000..2be5eaee4 --- /dev/null +++ b/deployment/bare_metal/start.sh @@ -0,0 +1,114 @@ +#!/bin/bash + +# Find current directory & configure paths +set -o allexport +SCRIPT_PATH=$(realpath $0) +SCRIPT_DIR=$(dirname $SCRIPT_PATH) +LOCK_FILE=$SCRIPT_DIR/update.lock +UPDATE_HTML=$SCRIPT_DIR/nginx/update-page/updating.html +PROJECT_ROOT=$SCRIPT_DIR/../.. +NGINX_CONFIG_DIR=$SCRIPT_DIR/nginx/sites-available +set +o allexport + +# Load .env or .env.dist if not present +set -o allexport +#TODO +if [ -f "$SCRIPT_DIR/.env" ]; then + source $SCRIPT_DIR/.env +else + source $SCRIPT_DIR/.env.dist +fi +set +o allexport + +# lock start +if [ -f $LOCK_FILE ] ; then + return "Already building!" 2>/dev/null || exit 1 +fi +touch $LOCK_FILE + +# Create a new updating.html from the template +\cp $SCRIPT_DIR/nginx/update-page/updating.html.template $UPDATE_HTML + +# configure nginx for the update-page +echo 'Configuring nginx to serve the update-page
' >> $UPDATE_HTML +rm /etc/nginx/sites-enabled/gradido.conf +ln -s /etc/nginx/sites-available/update-page.conf /etc/nginx/sites-enabled/ +sudo /etc/init.d/nginx restart + +# stop all services +echo 'Stopping all Gradido services
' >> $UPDATE_HTML +pm2 stop all + +# git +BRANCH=${1:-master} +echo "Starting with git pull - branch:$BRANCH
" >> $UPDATE_HTML +cd $PROJECT_ROOT +git fetch origin $BRANCH +git checkout $BRANCH +git pull +export BUILD_COMMIT="$(git rev-parse HEAD)" + +# Generate gradido.conf from template +echo 'Generate new gradido nginx config
' >> $UPDATE_HTML +case "$NGINX_SSL" in + true) TEMPLATE_FILE="gradido.conf.ssl.template" ;; + *) TEMPLATE_FILE="gradido.conf.template" ;; +esac +envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/gradido.conf + +# Generate update-page.conf from template +echo 'Generate new update-page nginx config
' >> $UPDATE_HTML +case "$NGINX_SSL" in + true) TEMPLATE_FILE="update-page.conf.ssl.template" ;; + *) TEMPLATE_FILE="update-page.conf.template" ;; +esac +envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $NGINX_CONFIG_DIR/$TEMPLATE_FILE > $NGINX_CONFIG_DIR/update-page.conf + +# Install & build database +echo 'Updating database
' >> $UPDATE_HTML +cd $PROJECT_ROOT/database +yarn install +yarn build +if [ "$DEPLOY_SEED_DATA" = "true" ]; then + yarn dev_up + yarn dev_reset + yarn seed +else + yarn up +fi + +# Install & build backend +echo 'Updating backend
' >> $UPDATE_HTML +cd $PROJECT_ROOT/backend +yarn install +yarn build +pm2 delete gradido-backend +pm2 start --name gradido-backend "yarn --cwd $PROJECT_ROOT/backend start" +pm2 save + +# Install & build frontend +echo 'Updating frontend
' >> $UPDATE_HTML +cd $PROJECT_ROOT/frontend +yarn install +yarn build +pm2 delete gradido-frontend +pm2 start --name gradido-frontend "yarn --cwd $PROJECT_ROOT/frontend start" +pm2 save + +# Install & build admin +echo 'Updating admin
' >> $UPDATE_HTML +cd $PROJECT_ROOT/admin +yarn install +yarn build +pm2 delete gradido-admin +pm2 start --name gradido-admin "yarn --cwd $PROJECT_ROOT/admin start" +pm2 save + +# let nginx showing gradido +echo 'Configuring nginx to serve gradido again
' >> $UPDATE_HTML +ln -s /etc/nginx/sites-available/gradido.conf /etc/nginx/sites-enabled/ +rm /etc/nginx/sites-enabled/update-page.conf +sudo /etc/init.d/nginx restart + +# release lock +rm $LOCK_FILE \ No newline at end of file diff --git a/deployment/bare_metal/update_all.sh b/deployment/bare_metal/update_all.sh deleted file mode 100755 index e045d3f39..000000000 --- a/deployment/bare_metal/update_all.sh +++ /dev/null @@ -1,51 +0,0 @@ -#!/bin/bash - -EMPTY_UPDATE_HTML=/var/www/html/updating_original.html -UPDATE_HTML=/var/www/html/updating.html -LOCK_FILE=/root/relay.lock -PROJECT_PATH=/var/www/html/gradido -SITE_CONFIG=stage1 -UPDATE_SITE_CONFIG=stage1_updating - -# this script can be called for example from webhookrelay.com relay -# to auto-deploy automatic after a update to the master branch - -if [ -f $LOCK_FILE ] ; then - retVal="Already building!" - return "${retVal}" 2>/dev/null || exit "${retVal}" -fi - -touch $LOCK_FILE - -# start with nearly empty html -# needed a nearly empty html page in the folder -cp $EMPTY_UPDATE_HTML $UPDATE_HTML - -# let nginx showing a update page -# needed nginx site-configs in nginx folders -# gradido for running gradido servers -# gradido_updating for showing upddate.html idealy for all pathes -rm /etc/nginx/sites-enabled/$SITE_CONFIG -ln -s /etc/nginx/sites-available/$UPDATE_SITE_CONFIG /etc/nginx/sites-enabled/ -service nginx restart - -# stop login server -screen -XS login quit -echo 'starting with git pull
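Review bot: `BRANCH=${1:-master}` comes straight from the first argument and is then used unquoted in `git fetch origin $BRANCH` and `git checkout $BRANCH`, and echoed into updating.html, which nginx serves publicly while the update runs. If the script is ever started with a caller-supplied branch (the `/hooks/` proxy added in this commit suggests a webhook may call it; to be confirmed), a value beginning with `-` is parsed by git as an option and any markup in it lands in the served page. The argument should be checked against a plain ref-name pattern before the lock is taken, and every expansion quoted. Separately, nothing stops the script when `git pull` or `yarn build` fails, so a broken build is still switched back into nginx; `set -e` together with a `trap` that removes `$LOCK_FILE` would cover that.

```shell
# … unchanged: path setup and .env loading …

# Validate the branch argument before taking the lock or touching nginx:
# only plain ref names are accepted, nothing that git could read as an option.
BRANCH=${1:-master}
case "$BRANCH" in
  -*|*[!A-Za-z0-9._/-]*)
    echo "Invalid branch name" >&2
    exit 1
    ;;
esac

# … unchanged: lock check, update page, nginx switch, service stop …

cd "$PROJECT_ROOT"
git fetch origin "$BRANCH"
git checkout "$BRANCH"
git pull
# … unchanged: config generation, builds, nginx switch back, lock release …
```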
' >> $UPDATE_HTML -cd $PROJECT_PATH -# git checkout -f master -git pull -cd deployment/bare_metal -echo 'starting with rebuilding login-server
' >> $UPDATE_HTML -./build_and_start_login_server.sh -echo 'starting with rebuilding frontend
' >> $UPDATE_HTML -./build_frontend.sh - - -# let nginx showing gradido -rm /etc/nginx/sites-enabled/$UPDATE_SITE_CONFIG -ln -s /etc/nginx/sites-available/$SITE_CONFIG /etc/nginx/sites-enabled/ -service nginx restart - -rm $LOCK_FILE - diff --git a/docker-compose.override.yml b/docker-compose.override.yml index cdaf46a7a..64a38e244 100644 --- a/docker-compose.override.yml +++ b/docker-compose.override.yml @@ -129,10 +129,6 @@ services: ## NGINX ################################################ ######################################################### nginx: - depends_on: - - frontend - - community-server - - login-server volumes: - ./logs/nginx:/var/log/nginx diff --git a/docker-compose.yml b/docker-compose.yml index ae72f3137..1d449fcea 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -151,15 +151,14 @@ services: ## nginx, connect login-server and community-server together (and php-fpm to community-server) nginx: build: - context: . - dockerfile: ./nginx/Dockerfile + context: ./nginx/ networks: - external-net - internal-net depends_on: - - community-server - - login-server - - frontend + - frontend + - backend + - admin ports: - 80:80 diff --git a/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-01-LoginMaske.md b/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-01-LoginMaske.md index eae90354f..d1a788a6b 100644 --- a/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-01-LoginMaske.md +++ b/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-01-LoginMaske.md @@ -28,8 +28,8 @@ Es wird die Anzeige der Login-Maske geprüft auf: Es wird die URL -* Testumgebung: https://stage1.gradido.net/vue/login -* Produktionsumgebung: https://gradido.net/vue/login +* Testumgebung: https://stage1.gradido.net/login +* Produktionsumgebung: https://gdd1.gradido.net/login aufgerufen und die Login-Maske wird angezeigt. 
diff --git a/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-02-LoginMaske.md b/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-02-LoginMaske.md index db14a3d1c..1d0a26c3e 100644 --- a/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-02-LoginMaske.md +++ b/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-02-LoginMaske.md @@ -31,8 +31,8 @@ Prüfung auf korrekten Funktionsweise des Buttons "Anmeldung": 2. Mit Betätigen des Buttons "Anmeldung" wird der Login-Prozess gestartet 1. *Gibt es noch weitere Prüfschritte (LOG-Ausgaben auf Login-, Community-Server o.ä.) die hier überprüft werden sollten?* 3. Bei erfolgreichem Login wird die URL angezeigt - * Testumgebung: "https://stage1.gradido.net/vue/overview" - * Produktionsumgebung: "https://gradido.net/vue/overview" + * Testumgebung: "https://stage1.gradido.net/overview" + * Produktionsumgebung: "https://gdd1.gradido.net/overview" 4. Bei fehlerhaftem Login wird eine entsprechend aussagekräftige Fehlermeldung angezeigt und die Anzeige verbleibt auf der Login-Maske. ## Ende-Bedingungen: diff --git a/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-03-LoginMaske.md b/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-03-LoginMaske.md index 3d9a373b2..5623aebdf 100644 --- a/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-03-LoginMaske.md +++ b/docu/Concepts/Testfallkatalog/T02-Benutzerverwaltung/T02-C001-03-LoginMaske.md @@ -21,8 +21,8 @@ Es wird in der Login-Maske die Funktion des Links "Passwort vergessen?"geprüft: Es wird die URL -* Testumgebung: https://stage1.gradido.net/vue/login -* Produktionsumgebung: https://gradido.net/vue/login +* Testumgebung: https://stage1.gradido.net/login +* Produktionsumgebung: https://gdd1.gradido.net/login aufgerufen und die Login-Maske wird angezeigt. 
@@ -33,8 +33,8 @@ aufgerufen und die Login-Maske wird angezeigt. * Prüfung auf korrekte Funktionsweise des Links "Passwort vergessen?" * keine sonstigen Eingaben bzw. Vorraussetzungen notwendig * Mit Betätigen des Links "Passwort vergessen?" wird der Passwort-Zurücksetzen-Prozess gestartet und unter - * der Testumgebung: https://stage1.gradido.net/vue/password - * der Produktionsumgebung: https://gradido.net/vue/password + * der Testumgebung: https://stage1.gradido.net/password + * der Produktionsumgebung: https://gdd1.gradido.net/password * folgende Maske angezeigt: ![1te Passwort zurücksetzen Maske](../image/T02-C001-03-LoginMaske1.png) @@ -70,8 +70,8 @@ aufgerufen und die Login-Maske wird angezeigt. 3. Wiederholung von Schritt 2.4.1 und 2.4.2 bis alle verfügbaren Sprachen geprüft sind 5. Link "Zurück" ist aktiv und landet auf URL - 1. Testumgebung: https://stage1.gradido.net/vue/Login - 2. Produktionsumgebung: https://gradido.net/vue/Login + 1. Testumgebung: https://stage1.gradido.net/login + 2. Produktionsumgebung: https://gdd1.gradido.net/login 6. Footer-Links: 1. "Gradido-Akademie" reagiert und landet je nach aktuell eingestellter Sprache auf URL "https://gradido.net/de" @@ -91,8 +91,8 @@ aufgerufen und die Login-Maske wird angezeigt. ![Email-Versandmakse](../image/T02-C001-03-LoginMaske2.png) 5. **In dem angegebenen Email-Postfach wird eine Email empfangen, die ein Zurücksetzen-Link enthält:** - 1. Testumgebung: https://stage1.gradido.net/vue/reset/'erzeugter rest-code' - 2. Produktionsumgebung: https://gradido.net/vue/reset/'erzeugter reset-code' + 1. Testumgebung: https://stage1.gradido.net/reset/'erzeugter rest-code' + 2. Produktionsumgebung: https://ggd1.gradido.net/reset/'erzeugter reset-code' 6. **Mit Betätigen des Reset-Links bzw. Aufruf des Rest-Links im Browser wird folgende Maske angezeigt:** ![2te Passwort zurücksetzen Maske](../image/T02-C001-03-LoginMaske3.png) 
@@ -137,8 +137,8 @@ aufgerufen und die Login-Maske wird angezeigt. 3. Wiederholung von Schritt 8.3.1 und 8.3.2 bis alle verfügbaren Sprachen geprüft sind 12. Link "Zurück" ist aktiv und landet auf URL - 1. Testumgebung: https://stage1.gradido.net/vue/Login - 2. Produktionsumgebung: https://gradido.net/vue/Login + 1. Testumgebung: https://stage1.gradido.net/Login + 2. Produktionsumgebung: https://gdd1.gradido.net/Login 13. Footer-Links: 1. "Gradido-Akademie" reagiert und landet je nach aktuell eingestellter Sprache auf URL "https://gradido.net/de" diff --git a/docu/create-coins-as-admin.md b/docu/create-coins-as-admin.md index 6a95df119..f03da7733 100644 --- a/docu/create-coins-as-admin.md +++ b/docu/create-coins-as-admin.md @@ -1,5 +1,5 @@ ### User creation -A user needs to be created on the login_server we do this when we create a User in the client https://$community_domain/vue/register. +A user needs to be created on the login_server we do this when we create a User in the client https://$community_domain/register. ### Admin user To set a User admin we need the following SQL query on the gradido_login database: diff --git a/frontend/run/server.js b/frontend/run/server.js index 8a3f54557..7d75acba8 100644 --- a/frontend/run/server.js +++ b/frontend/run/server.js 
@@ -1,15 +1,21 @@ // Imports const express = require('express') -const serveStatic = require('serve-static') +const path = require('path') -// Port +// Host & Port +const hostname = '127.0.0.1' const port = process.env.PORT || 3000 // Express Server const app = express() -// eslint-disable-next-line node/no-path-concat -app.use(serveStatic(__dirname + '/../dist')) -app.listen(port) +// Serve files +app.use(express.static(path.join(__dirname, '../dist'))) +// Default to index.html +app.get('*', (req, res) => { + res.sendFile(path.join(__dirname, '../dist/index.html')) +}) -// eslint-disable-next-line no-console -console.log(`http://frontend:${port} server started.`) +app.listen(port, hostname, () => { + // eslint-disable-next-line no-console + console.log('Listening at http://%s:%s/', hostname, port) +}) diff --git a/frontend/src/routes/router.js b/frontend/src/routes/router.js index b44c8ab7e..9cfee6242 100644 --- a/frontend/src/routes/router.js +++ b/frontend/src/routes/router.js @@ -5,7 +5,7 @@ import routes from './routes' Vue.use(VueRouter) const router = new VueRouter({ - base: '/vue', + base: '/', routes, linkActiveClass: 'active', mode: 'history', diff --git a/frontend/src/routes/router.test.js b/frontend/src/routes/router.test.js index bc2f3d340..f82065bc0 100644 --- a/frontend/src/routes/router.test.js +++ b/frontend/src/routes/router.test.js @@ -6,10 +6,10 @@ describe('router', () => { const { options } = router const { scrollBehavior, routes } = options - it('has "/vue" as base', () => { + it('has "/" as base', () => { expect(options).toEqual( expect.objectContaining({ - base: '/vue', + base: '/', }), ) }) diff --git a/frontend/src/store/store.test.js b/frontend/src/store/store.test.js index 41a0540be..da108b9ff 100644 --- a/frontend/src/store/store.test.js +++ b/frontend/src/store/store.test.js 
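Review bot: The bind address is now hard-coded as `const hostname = '127.0.0.1'`, which is the right default behind the bare-metal nginx but conflicts with the Docker config in this same commit, where nginx/gradido.conf proxies to `http://frontend:3000` from another container. If the frontend image starts this file (not visible here), the server will not be reachable from the nginx container. I would keep loopback as the default and allow an override, e.g. `const hostname = process.env.HOST || '127.0.0.1'`, with a comment that any other value exposes this unauthenticated static server directly instead of through the proxy.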
@@ -124,13 +124,13 @@ describe('Vuex store', () => { name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }) expect(state.community).toEqual({ name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }) }) }) diff --git a/frontend/src/views/Pages/Login.spec.js b/frontend/src/views/Pages/Login.spec.js index f9fde0e1e..ccca848ba 100644 --- a/frontend/src/views/Pages/Login.spec.js +++ b/frontend/src/views/Pages/Login.spec.js @@ -10,7 +10,7 @@ const apolloQueryMock = jest.fn().mockResolvedValue({ name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }, }, }) @@ -79,7 +79,7 @@ describe('Login', () => { name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }) }) @@ -111,8 +111,8 @@ describe('Login', () => { jest.clearAllMocks() mocks.$store.state.community = { name: 'Gradido Entwicklung', - url: 'http://localhost/vue/', - registerUrl: 'http://localhost/vue/register', + url: 'http://localhost/', + registerUrl: 'http://localhost/register', description: 'Die lokale Entwicklungsumgebung von Gradido.', } wrapper = Wrapper() diff --git a/frontend/src/views/Pages/Register.spec.js b/frontend/src/views/Pages/Register.spec.js index 820229a4a..56f97549d 100644 --- a/frontend/src/views/Pages/Register.spec.js +++ b/frontend/src/views/Pages/Register.spec.js 
@@ -11,7 +11,7 @@ const apolloQueryMock = jest.fn().mockResolvedValue({ name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }, }, }) @@ -73,7 +73,7 @@ describe('Register', () => { name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }) }) @@ -105,8 +105,8 @@ describe('Register', () => { jest.clearAllMocks() mocks.$store.state.community = { name: 'Gradido Entwicklung', - url: 'http://localhost/vue/', - registerUrl: 'http://localhost/vue/register', + url: 'http://localhost/', + registerUrl: 'http://localhost/register', description: 'Die lokale Entwicklungsumgebung von Gradido.', } wrapper = Wrapper() diff --git a/frontend/src/views/Pages/RegisterCommunity.spec.js b/frontend/src/views/Pages/RegisterCommunity.spec.js index 477e5e08e..6d6574881 100644 --- a/frontend/src/views/Pages/RegisterCommunity.spec.js +++ b/frontend/src/views/Pages/RegisterCommunity.spec.js @@ -9,7 +9,7 @@ const apolloQueryMock = jest.fn().mockResolvedValue({ name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }, }, }) @@ -61,7 +61,7 @@ describe('RegisterCommunity', () => { name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }) }) 
@@ -87,8 +87,8 @@ describe('RegisterCommunity', () => { jest.clearAllMocks() mocks.$store.state.community = { name: 'Gradido Entwicklung', - url: 'http://localhost/vue/', - registerUrl: 'http://localhost/vue/register', + url: 'http://localhost/', + registerUrl: 'http://localhost/register', description: 'Die lokale Entwicklungsumgebung von Gradido.', } wrapper = Wrapper() diff --git a/frontend/src/views/Pages/RegisterSelectCommunity.spec.js b/frontend/src/views/Pages/RegisterSelectCommunity.spec.js index ad80c7e38..f4e980cd0 100644 --- a/frontend/src/views/Pages/RegisterSelectCommunity.spec.js +++ b/frontend/src/views/Pages/RegisterSelectCommunity.spec.js @@ -20,7 +20,7 @@ const apolloQueryMock = jest name: 'test12', description: 'test community 12', url: 'http://test12.test12/', - registerUrl: 'http://test12.test12/vue/register', + registerUrl: 'http://test12.test12/register', }, }, }) @@ -31,22 +31,22 @@ const apolloQueryMock = jest id: 1, name: 'Gradido Entwicklung', description: 'Die lokale Entwicklungsumgebung von Gradido.', - url: 'http://localhost/vue/', - registerUrl: 'http://localhost/vue/register-community', + url: 'http://localhost/', + registerUrl: 'http://localhost/register-community', }, { id: 2, name: 'Gradido Staging', description: 'Der Testserver der Gradido-Akademie.', - url: 'https://stage1.gradido.net/vue/', - registerUrl: 'https://stage1.gradido.net/vue/register-community', + url: 'https://stage1.gradido.net/', + registerUrl: 'https://stage1.gradido.net/register-community', }, { id: 3, name: 'Gradido-Akademie', description: 'Freies Institut für Wirtschaftsbionik.', url: 'https://gradido.net', - registerUrl: 'https://gdd1.gradido.com/vue/register-community', + registerUrl: 'https://gdd1.gradido.com/register-community', }, ], }, 
@@ -139,8 +139,8 @@ describe('RegisterSelectCommunity', () => { mocks.$store.state.community = { name: 'Gradido Entwicklung', description: 'Die lokale Entwicklungsumgebung von Gradido.', - url: 'http://localhost/vue/', - registerUrl: 'http://localhost/vue/register-community', + url: 'http://localhost/', + registerUrl: 'http://localhost/register-community', } wrapper = Wrapper() }) @@ -172,15 +172,15 @@ describe('RegisterSelectCommunity', () => { id: 2, name: 'Gradido Staging', description: 'Der Testserver der Gradido-Akademie.', - url: 'https://stage1.gradido.net/vue/', - registerUrl: 'https://stage1.gradido.net/vue/register-community', + url: 'https://stage1.gradido.net/', + registerUrl: 'https://stage1.gradido.net/register-community', }, { id: 3, name: 'Gradido-Akademie', description: 'Freies Institut für Wirtschaftsbionik.', url: 'https://gradido.net', - registerUrl: 'https://gdd1.gradido.com/vue/register-community', + registerUrl: 'https://gdd1.gradido.com/register-community', }, ], }) diff --git a/frontend/vue.config.js b/frontend/vue.config.js index 88dae8c4c..47b016aea 100644 --- a/frontend/vue.config.js +++ b/frontend/vue.config.js @@ -17,7 +17,7 @@ module.exports = { }, }, lintOnSave: true, - publicPath: '/vue', + publicPath: '/', configureWebpack: { // Set up all the aliases we use in our app. resolve: { diff --git a/login_server/README.md b/login_server/README.md index 118d0d53c..0628fc800 100644 --- a/login_server/README.md +++ b/login_server/README.md @@ -113,7 +113,7 @@ loginServer.db.password = loginServer.db.port = 3306 # check email path for new frontend for link generation in emails -frontend.checkEmailPath = http://localhost/vue/reset +frontend.checkEmailPath = http://localhost/reset # disable email all together email.disable = true diff --git a/login_server/src/cpsp/Login.cpsp b/login_server/src/cpsp/Login.cpsp index 6ddd8a066..4ee21ecae 100644 --- a/login_server/src/cpsp/Login.cpsp +++ b/login_server/src/cpsp/Login.cpsp @@ -299,7 +299,7 @@ 
diff --git a/nginx/Dockerfile b/nginx/Dockerfile index 225d16ed8..dc4ecb826 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -1,10 +1,3 @@ FROM nginx:1.21.0 -WORKDIR /var/www/cakephp - -COPY ./nginx/nginx.conf /etc/nginx/conf.d/default.conf -COPY ./nginx/fastcgi.conf /etc/nginx/ -COPY ./nginx/mime.types /etc/nginx/ - -COPY ./community_server/webroot webroot - +COPY ./gradido.conf /etc/nginx/conf.d/default.conf \ No newline at end of file diff --git a/nginx/fastcgi.conf b/nginx/fastcgi.conf deleted file mode 100644 index 238f7869f..000000000 --- a/nginx/fastcgi.conf +++ /dev/null @@ -1,25 +0,0 @@ -fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; -fastcgi_param QUERY_STRING $query_string; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; - -fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; -fastcgi_param REQUEST_SCHEME $scheme; -fastcgi_param HTTPS $https if_not_empty; - -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; - -# PHP only, required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; \ No newline at end of file diff --git a/nginx/gradido.conf b/nginx/gradido.conf new file mode 100644 index 000000000..bfb079d32 --- /dev/null +++ b/nginx/gradido.conf 
@@ -0,0 +1,84 @@
+server {
+ server_name $NGINX_SERVER_NAME;
+
+ listen 80;
+ listen [::]:80;
+
+ #include /etc/nginx/common/protect.conf;
+ #include /etc/nginx/common/protect_add_header.conf;
+ #include /etc/nginx/common/ssl.conf;
+
+ #gzip_static on;
+
+ # Legacy URLS
+ set $REWRITE_LEGACY_URLS "true";
+ if ($REWRITE_LEGACY_URLS = 'true') {
+ rewrite ^/vue/?(.*)$ /$1 permanent;
+ }
+
+ # Frontend (default)
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+
+ proxy_pass http://frontend:3000;
+ proxy_redirect off;
+ }
+
+ # Backend
+ location /graphql {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+
+ proxy_pass http://backend:4000;
+ proxy_redirect off;
+ }
+
+ # Backend webhooks
+ location /hook {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+
+ proxy_pass http://backend:4000/hook;
+ proxy_redirect off;
+ }
+
+ # Admin Frontend
+ location /admin {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+
+ # TODO: in docker environemnt we do not have the trailing slash. This needs work
+ proxy_pass http://admin:8080;
+ proxy_redirect off;
+ }
+
+ # TODO this could be a performance optimization
+ #location /vue {
+ # alias /var/www/html/gradido/frontend/dist;
+ # index index.html;
+ #
+ # location ~* \.(png)$ {
+ # expires 39d;
+ # }
+ # try_files $uri $uri/ /index.html = 404;
+ #}
+
+ #access_log /var/log/nginx/access.log main;
+}
\ No newline at end of file
diff --git a/nginx/mime.types b/nginx/mime.types
deleted file mode 100644
index cd3d700ea..000000000
--- a/nginx/mime.types
+++ /dev/null
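Review bot: `server_name $NGINX_SERVER_NAME;` looks like an envsubst placeholder, but the Dockerfile hunk in this commit copies `gradido.conf` straight to `/etc/nginx/conf.d/default.conf`, and the official image only substitutes files under `/etc/nginx/templates/*.template`. As far as I know nginx does not expand variables in `server_name` (apart from `$hostname`), so this block would carry a literal name and, as the only server, answer every Host header, which `proxy_set_header Host $host` then passes on to frontend, backend and admin. I would either change the Dockerfile to `COPY ./gradido.conf /etc/nginx/templates/default.conf.template` and set `NGINX_SERVER_NAME` for the container, or hard-code the name here. Separately, `^/vue/?(.*)$` also matches paths such as `/vuex.js`; `rewrite ^/vue(?:/(.*))?$ /$1 permanent;` keeps the redirect to `/vue` and `/vue/...` only.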
@@ -1,88 +0,0 @@
-types {
- text/html html htm shtml;
- text/css css;
- text/xml xml;
- image/gif gif;
- image/jpeg jpeg jpg;
- application/javascript js;
- application/atom+xml atom;
- application/rss+xml rss;
-
- text/mathml mml;
- text/plain txt;
- text/vnd.sun.j2me.app-descriptor jad;
- text/vnd.wap.wml wml;
- text/x-component htc;
-
- image/png png;
- image/tiff tif tiff;
- image/vnd.wap.wbmp wbmp;
- image/x-icon ico;
- image/x-jng jng;
- image/x-ms-bmp bmp;
- image/svg+xml svg svgz;
- image/webp webp;
-
- application/font-woff woff;
- application/java-archive jar war ear;
- application/json json;
- application/mac-binhex40 hqx;
- application/msword doc;
- application/pdf pdf;
- application/postscript ps eps ai;
- application/rtf rtf;
- application/vnd.apple.mpegurl m3u8;
- application/vnd.ms-excel xls;
- application/vnd.ms-fontobject eot;
- application/vnd.ms-powerpoint ppt;
- application/vnd.wap.wmlc wmlc;
- application/vnd.google-earth.kml+xml kml;
- application/vnd.google-earth.kmz kmz;
- application/x-7z-compressed 7z;
- application/x-cocoa cco;
- application/x-java-archive-diff jardiff;
- application/x-java-jnlp-file jnlp;
- application/x-makeself run;
- application/x-perl pl pm;
- application/x-pilot prc pdb;
- application/x-rar-compressed rar;
- application/x-redhat-package-manager rpm;
- application/x-sea sea;
- application/x-shockwave-flash swf;
- application/x-stuffit sit;
- application/x-tcl tcl tk;
- application/x-x509-ca-cert der pem crt;
- application/x-xpinstall xpi;
- application/xhtml+xml xhtml;
- application/xspf+xml xspf;
- application/zip zip;
-
- application/octet-stream bin exe dll;
- application/octet-stream deb;
- application/octet-stream dmg;
- application/octet-stream iso img;
- application/octet-stream msi msp msm;
-
- application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
- application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
- application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
-
- audio/midi mid midi kar;
- audio/mpeg mp3;
- audio/ogg ogg;
- audio/x-m4a m4a;
- audio/x-realaudio ra;
-
- video/3gpp 3gpp 3gp;
- video/mp2t ts;
- video/mp4 mp4;
- video/mpeg mpeg mpg;
- video/quicktime mov;
- video/webm webm;
- video/x-flv flv;
- video/x-m4v m4v;
- video/x-mng mng;
- video/x-ms-asf asx asf;
- video/x-ms-wmv wmv;
- video/x-msvideo avi;
-}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
deleted file mode 100644
index 48d703997..000000000
--- a/nginx/nginx.conf
+++ /dev/null
@@ -1,98 +0,0 @@
-server {
-
- listen 80 ;
- listen [::]:80;
- server_name 0.0.0.0;
-
- #include /etc/nginx/common/protect.conf;
- #include /etc/nginx/common/protect_add_header.conf;
- #include /etc/nginx/common/ssl.conf;
-
- root /var/www/cakephp/webroot;
- index index.php;
-
- location ~ \.php$ {
- fastcgi_pass community-server:9000;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- # fastcgi_param PHP_VALUE "error_log=/var/www/myapp/logs/php_errors.log";
- fastcgi_buffers 16 16k;
- fastcgi_buffer_size 32k;
- include fastcgi_params;
- }
-
- location ~ /\.ht {
- deny all;
- }
-
- location /account {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_cache_bypass $http_upgrade;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host $host;
- rewrite /account/(.*) /$1 break;
-
- proxy_pass http://login-server:1200;
- proxy_redirect off;
- }
-
- location /login_api {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_cache_bypass $http_upgrade;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Host $host;
- rewrite /login_api/(.*) /$1 break;
-
- proxy_pass http://login-server:1201;
- proxy_redirect off;
- }
-
- location / {
- try_files $uri $uri/ /index.php?$args;
- }
-
- location /vue {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
-
- proxy_pass http://frontend:3000;
- proxy_redirect off;
- }
-
- location /admin {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
-
- proxy_pass http://admin:8080;
- proxy_redirect off;
- }
-
-location /sockjs-node {
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header Host $host;
-
- proxy_pass http://frontend:3000;
- proxy_redirect off;
- }
-
-# access_log /var/log/nginx/access.log main;
-
-}
\ No newline at end of file