diff --git a/st2web/Dockerfile b/st2web/Dockerfile index 3dc81656..0c284403 100644 --- a/st2web/Dockerfile +++ b/st2web/Dockerfile @@ -76,7 +76,8 @@ RUN if [ "${ST2_VERSION#*dev}" != "${ST2_VERSION}" ]; then \ # It's a user's responsbility to pass the valid SSL certificate files: 'st2.key' and 'st2.crt', used in nginx VOLUME ["/etc/ssl/st2/"] -EXPOSE 80 -EXPOSE 443 +EXPOSE 8080 +EXPOSE 8443 STOPSIGNAL SIGTERM +RUN touch /var/run/nginx.pid && chown 101:101 /etc/nginx/conf.d/ /var/cache/nginx/ /var/run/nginx.pid CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"] diff --git a/st2web/files/st2.conf-http.patch b/st2web/files/st2.conf-http.patch index c4c8e7fe..e467518c 100644 --- a/st2web/files/st2.conf-http.patch +++ b/st2web/files/st2.conf-http.patch @@ -1,22 +1,24 @@ ---- st2.conf 2021-06-18 19:45:50.892196136 +0100 -+++ st2.http.conf 2021-06-18 19:50:00.098280995 +0100 -@@ -8,44 +8,18 @@ - +--- st2.conf 2023-09-01 16:31:41.000000000 +0100 ++++ st2.http.conf 2023-09-01 16:33:45.000000000 +0100 +@@ -7,45 +7,19 @@ + # see https://docs.stackstorm.com/install.html for details + server { - listen *:80 default_server; +- listen *:80 default_server; ++ listen *:8080 default_server; + server_tokens off; - + - add_header Front-End-Https on; add_header X-Content-Type-Options nosniff; - + - if ($ssl_protocol = "") { - return 308 https://$host$request_uri; - } - if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { - return 405; - } - index index.html; - +- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { +- return 405; +- } +- index index.html; +- - access_log /var/log/nginx/st2webui.access.log combined; - error_log /var/log/nginx/st2webui.error.log; -} 
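Review bot: No `USER` instruction is visible in this hunk, so unless one is set earlier in the Dockerfile or by the runtime, the CMD still starts nginx as root. The added `RUN touch /var/run/nginx.pid && chown 101:101 ...` line and the move to ports 8080/8443 only pay off under an unprivileged account. If the intent is to run as the nginx user, add `USER 101` directly after the `chown` line. The numeric id 101 is presumably the base image's nginx user, and a comment such as `# 101 = nginx user in the base image; CMD writes st2.conf into conf.d as this user` would record that assumption. The rest of the Dockerfile is outside the hunk.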
@@ -25,9 +27,9 @@ - listen *:443 ssl; - server_tokens off; - -- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { -- return 405; -- } + if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { + return 405; + } - - ssl_certificate /etc/ssl/st2/st2.crt; - ssl_certificate_key /etc/ssl/st2/st2.key; @@ -37,41 +39,41 @@ - ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4; - ssl_prefer_server_ciphers on; - -- index index.html; -- + index index.html; + - access_log /var/log/nginx/ssl-st2webui.access.log combined; - error_log /var/log/nginx/ssl-st2webui.error.log; + access_log /proc/self/fd/1 combined; + error_log stderr; - + - add_header Front-End-Https on; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY always; add_header Strict-Transport-Security "max-age=3153600;includeSubDomains"; @@ -61,7 +35,7 @@ - + rewrite ^/api/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9101/; + proxy_pass ${ST2_API_URL}; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_redirect off; @@ -99,7 +73,7 @@ - + rewrite ^/stream/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9102/; + proxy_pass ${ST2_STREAM_URL}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
@@ -138,7 +112,7 @@ - + rewrite ^/auth/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9100/; + proxy_pass ${ST2_AUTH_URL}; proxy_read_timeout 90; proxy_connect_timeout 90; - proxy_redirect off; + proxy_redirect off; \ No newline at end of file diff --git a/st2web/files/st2.conf-https.patch b/st2web/files/st2.conf-https.patch index 899093e7..eb332500 100644 --- a/st2web/files/st2.conf-https.patch +++ b/st2web/files/st2.conf-https.patch @@ -1,51 +1,86 @@ ---- st2.conf 2021-06-18 19:45:50.892196136 +0100 -+++ st2.https.conf 2021-06-18 19:45:50.884196198 +0100 -@@ -20,8 +20,8 @@ +--- st2.conf 2023-09-18 15:03:31.000000000 +0100 ++++ st2.https.conf 2023-09-18 15:12:35.000000000 +0100 +@@ -7,7 +7,7 @@ + # see https://docs.stackstorm.com/install.html for details + + server { +- listen *:80 default_server; ++ listen *:8080 default_server; + + add_header Front-End-Https on; + add_header X-Content-Type-Options nosniff; +@@ -20,12 +20,12 @@ } index index.html; - + - access_log /var/log/nginx/st2webui.access.log combined; - error_log /var/log/nginx/st2webui.error.log; + access_log /proc/self/fd/1 combined; + error_log stderr; } - + server { +- listen *:443 ssl; ++ listen *:8443 ssl; + server_tokens off; + + if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { 
@@ -42,8 +42,8 @@ - + index index.html; - + - access_log /var/log/nginx/ssl-st2webui.access.log combined; - error_log /var/log/nginx/ssl-st2webui.error.log; + access_log /proc/self/fd/1 combined; + error_log stderr; - + add_header Front-End-Https on; add_header X-Content-Type-Options nosniff; -@@ -61,7 +61,7 @@ - +@@ -61,10 +61,11 @@ + rewrite ^/api/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9101/; + proxy_pass ${ST2_API_URL}; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_redirect off; -@@ -99,7 +99,7 @@ - ++ proxy_ssl_verify off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; +@@ -99,12 +100,13 @@ + rewrite ^/stream/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9102/; + proxy_pass ${ST2_STREAM_URL}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -@@ -138,7 +138,7 @@ - + proxy_read_timeout 200; + proxy_connect_timeout 200; ++ proxy_ssl_verify off; + + sendfile on; + tcp_nopush on; +@@ -138,10 +140,11 @@ + rewrite ^/auth/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9100/; + proxy_pass ${ST2_AUTH_URL}; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_redirect off; ++ proxy_ssl_verify off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; +@@ -164,4 +167,4 @@ + tcp_nopush on; + tcp_nodelay on; + } +-} ++} +\ No newline at end of file
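Review bot: The three added `proxy_ssl_verify off;` lines (api, stream and auth locations) leave the upstream unauthenticated. When `${ST2_API_URL}`, `${ST2_STREAM_URL}` or `${ST2_AUTH_URL}` is an https:// URL, nginx encrypts the connection but never checks which server it reached. `off` is already nginx's default, so these lines only make the choice explicit; either drop them or add a comment such as `# upstream certificates are deliberately not verified`. Deployments that want verification would use `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate <path-to-CA-bundle>;`. Any template variable introduced for that must also be added to the `envsubst` list in the Dockerfile CMD, which currently substitutes only the three URL variables.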