From c59189f7cd177c9d9c5b93a8cb8e17d00539b716 Mon Sep 17 00:00:00 2001
From: Devon Hudson
Date: Thu, 16 May 2024 19:46:21 -0600
Subject: [PATCH] Simplify configuration of proxy test

---
 scripts-dev/proxy-test/docker-compose.yml | 17 +-
 scripts-dev/proxy-test/nginx.conf | 44 ++++++
 scripts-dev/proxy-test/proxy.conf | 1 +
 scripts-dev/proxy-test/sygnal.yaml | 183 +--------------------
 4 files changed, 59 insertions(+), 186 deletions(-)
 create mode 100644 scripts-dev/proxy-test/nginx.conf
 create mode 100644 scripts-dev/proxy-test/proxy.conf

diff --git a/scripts-dev/proxy-test/docker-compose.yml b/scripts-dev/proxy-test/docker-compose.yml
index 2297dd7e..b83f242b 100644
--- a/scripts-dev/proxy-test/docker-compose.yml
+++ b/scripts-dev/proxy-test/docker-compose.yml
@@ -2,19 +2,24 @@ services:
   sygnal:
     image: sygnal
     networks:
-      - no-internet
+      no-internet:
+        ipv4_address: 172.28.0.2
     container_name: sygnal
     volumes:
       - ./sygnal.yaml:/sygnal.yaml
-      - ./.json:/service_account.json:ro
+      - ./service_account.json:/service_account.json:ro
+      - ./curl.sh:/curl.sh
+      - ./notification.json:/notification.json
+      - ./proxy.conf:/etc/apt/apt.conf.d/proxy.conf
     ports:
       - 5000:5000
 
   proxy:
     image: dominikbechstein/nginx-forward-proxy
     networks:
-      - no-internet
-      - internet
+      no-internet:
+        ipv4_address: 172.28.0.3
+      internet:
     container_name: nginx-forward-proxy
     volumes:
       - ./nginx.conf:/usr/local/nginx/conf/nginx.conf:ro
@@ -25,5 +30,9 @@ networks:
   no-internet:
     driver: bridge
     internal: true
+    ipam:
+      config:
+        - subnet: 172.28.0.0/16
+          gateway: 172.28.0.1
   internet:
     driver: bridge
diff --git a/scripts-dev/proxy-test/nginx.conf b/scripts-dev/proxy-test/nginx.conf
new file mode 100644
index 00000000..0a7c8a88
--- /dev/null
+++ b/scripts-dev/proxy-test/nginx.conf
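Review bot: The new bind mounts `./curl.sh:/curl.sh`, `./notification.json:/notification.json` and `./proxy.conf:/etc/apt/apt.conf.d/proxy.conf` are read-write while the neighbouring `service_account.json` mount keeps `:ro`; fixtures the container only reads should carry the same `:ro` suffix so nothing running inside the container can rewrite files in the checkout. The fixed address `172.28.0.3` assigned here is repeated in proxy.conf and sygnal.yaml in this same patch; the service name `proxy` should resolve through Docker's embedded DNS on the user-defined `no-internet` network even though it is `internal: true`, which would remove the duplication and the `ipam` block in the second hunk. If the test deliberately avoids DNS inside the internal network, a comment on the `ipam` block such as `# fixed addresses: proxy.conf and sygnal.yaml reference 172.28.0.3 directly` would make that choice visible to the next editor. The `services:` mapping these entries belong to starts above the hunk.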
@@ -0,0 +1,44 @@
+worker_processes auto;
+
+daemon off;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  include mime.types;
+
+  access_log /dev/stdout;
+  error_log /dev/stderr;
+
+  server {
+    listen 8080;
+
+    resolver 1.1.1.1 ipv6=off;
+
+    proxy_connect;
+    proxy_connect_allow 443 563;
+    proxy_connect_connect_timeout 10s;
+    proxy_connect_read_timeout 10s;
+    proxy_connect_send_timeout 10s;
+
+    proxy_hide_header Upgrade;
+    proxy_hide_header X-Powered-By;
+
+    add_header Content-Security-Policy "upgrade-insecure-requests";
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Cache-Control "no-transform" always;
+    add_header Referrer-Policy no-referrer always;
+    add_header X-Robots-Tag none;
+
+    location / {
+      proxy_http_version 1.1;
+      proxy_set_header Host $host;
+      proxy_pass $scheme://$host;
+    }
+  }
+}
+
diff --git a/scripts-dev/proxy-test/proxy.conf b/scripts-dev/proxy-test/proxy.conf
new file mode 100644
index 00000000..59de5bd2
--- /dev/null
+++ b/scripts-dev/proxy-test/proxy.conf
@@ -0,0 +1 @@
+Acquire::http::Proxy "http://172.28.0.3:8080/";
diff --git a/scripts-dev/proxy-test/sygnal.yaml b/scripts-dev/proxy-test/sygnal.yaml
index 6a427ca0..4d91d446 100644
--- a/scripts-dev/proxy-test/sygnal.yaml
+++ b/scripts-dev/proxy-test/sygnal.yaml
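Review bot: The `server { listen 8080; … }` block accepts CONNECT on 443/563 and, via `location / { proxy_pass $scheme://$host; }`, forwards plain HTTP to whatever `Host` the client names, with no client restriction, and the proxy container is also attached to the `internet` network, so any other container on that bridge can use it as an open forward proxy; adding `allow 172.28.0.0/16; deny all;` inside the server block would confine it to the test subnet, provided the `proxy_connect` build in this image honours the access module for CONNECT requests, which is worth confirming. The `add_header` lines (X-Frame-Options, X-XSS-Protection, Referrer-Policy, …) are origin-server response hardening and do nothing for tunnelled CONNECT traffic; either drop them or label them with `# browser response headers inherited from the image's example config; not relevant to the CONNECT tunnel` so a reader does not take them for proxy hardening. A one-line header comment such as `# CONNECT-capable forward proxy used only by the sygnal container in the proxy test` would also state the file's purpose, which the configuration itself does not.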
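Review bot: `Acquire::http::Proxy` only routes http:// apt sources through the proxy; if the image's sources list uses https, apt will attempt a direct connection, which the `internal: true` network blocks, so the failure mode would look like a broken mirror rather than a missing proxy setting. Adding `Acquire::https::Proxy "http://172.28.0.3:8080/";` beside it makes the intent explicit for both schemes. The address duplicates the `ipv4_address` assigned to the proxy service in docker-compose.yml, so the two must be kept in step.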
@@ -1,247 +1,66 @@ ## # This is a configuration for Sygnal, the reference Push Gateway for Matrix -# See: matrix.org ## - -## Logging # -# log: - # Specify a Python logging 'dictConfig', as described at: - # https://docs.python.org/3/library/logging.config.html#logging.config.dictConfig - # setup: version: 1 formatters: normal: format: "%(asctime)s [%(process)d] %(levelname)-5s %(name)s %(message)s" handlers: - # This handler prints to Standard Error - # stderr: class: "logging.StreamHandler" formatter: "normal" stream: "ext://sys.stderr" - # This handler prints to Standard Output. - # stdout: class: "logging.StreamHandler" formatter: "normal" stream: "ext://sys.stdout" - # This handler demonstrates logging to a text file on the filesystem. - # You can use logrotate(8) to perform log rotation. - # file: class: "logging.handlers.WatchedFileHandler" formatter: "normal" filename: "./sygnal.log" loggers: - # sygnal.access contains the access logging lines. - # Comment out this section if you don't want to give access logging - # any special treatment. - # sygnal.access: propagate: false handlers: ["stdout"] level: "INFO" - # sygnal contains log lines from Sygnal itself. - # You can comment out this section to fall back to the root logger. - # sygnal: propagate: false handlers: ["stderr", "file"] root: - # Specify the handler(s) to send log messages to. handlers: ["stderr"] level: "INFO" disable_existing_loggers: false - access: - # Specify whether or not to trust the IP address in the `X-Forwarded-For` - # header. In general, you want to enable this if and only if you are using a - # reverse proxy which is configured to emit it. - # x_forwarded_for: false -## HTTP Server (Matrix Push Gateway API) # -# http: - # Specify a list of interface addresses to bind to. 
- # - # This example listens on the IPv4 loopback device: bind_addresses: ['127.0.0.1'] - # This example listens on all IPv4 interfaces: - #bind_addresses: ['0.0.0.0'] - # This example listens on all IPv4 and IPv6 interfaces: - #bind_addresses: ['0.0.0.0', '::'] - - # Specify the port number to listen on. - # port: 5000 -## Proxying for outgoing connections # -# -# Specify the URL of a proxy to use for outgoing traffic -# (e.g. to Apple & Google) if desired. -# Currently only HTTP proxies with CONNECT capability are supported. -# -# If you do not specify a value, the `HTTPS_PROXY` environment variable will -# be used if present. Otherwise, no proxy will be used. -# -# Default is unspecified. -# -proxy: 'http://:8080' +proxy: 'http://172.28.0.3:8080' -## Metrics # -# metrics: - ## Prometheus # - # prometheus: - # Specify whether or not to enable Prometheus. - # enabled: false - # Specify an address for the Prometheus HTTP Server to listen on. - # - address: '127.0.0.1' - - # Specify a port for the Prometheus HTTP Server to listen on. - # - port: 8000 - - ## OpenTracing # - # opentracing: - # Specify whether or not to enable OpenTracing. - # enabled: false - # Specify an implementation of OpenTracing to use. Currently only 'jaeger' - # is supported. - # - implementation: jaeger - - # Specify the service name to be reported to the tracer. - # - service_name: sygnal - - # Specify configuration values to pass to jaeger_client. - # - jaeger: - sampler: - type: 'const' - param: 1 -# local_agent: -# reporting_host: '127.0.0.1' -# reporting_port: - logging: true - - ## Sentry # - # sentry: - # Specify whether or not to enable Sentry. - # enabled: false - # Specify your Sentry DSN if you enable Sentry - # - #dsn: "https://@sentry.example.org/" - -## Pushkins/Apps # -# -# Add a section for every push application here. -# Specify the pushkey for the application and also the type. -# For the type, you may specify a fully-qualified Python classname if desired. 
-# apps: - # This is an example APNs push configuration - # - #com.example.myapp.ios: - # type: apns - # - # # Authentication - # # - # # Two methods of authentication to APNs are currently supported. - # # - # # You can authenticate using a key: - # keyfile: my_key.p8 - # key_id: MY_KEY_ID - # team_id: MY_TEAM_ID - # topic: MY_TOPIC - # - # # Or, a certificate can be used instead: - # certfile: com.example.myApp_prod_APNS.pem - # - # # This is the maximum number of in-flight requests *for this pushkin* - # # before additional notifications will be failed. - # # (This is a robustness measure to prevent one pushkin stacking up with - # # queued requests and saturating the inbound connection queue of a load - # # balancer or reverse proxy). - # # Defaults to 512 if unset. - # # - # #inflight_request_limit: 512 - # - # # Specifies whether to use the production or sandbox APNs server. Note that - # # sandbox tokens should only be used with the sandbox server and vice versa. - # # - # # Valid options are: - # # * production - # # * sandbox - # # - # # The default is 'production'. Uncomment to use the sandbox instance. - # #platform: sandbox - # # - # # Specifies whether to convert the device push token from base 64 to hex. - # # Defaults to True, set this to False if your client library provides a - # # push token in hex format. - # #convert_device_token_to_hex: false - - # This is an example GCM/FCM push configuration. - # im.vector.app: type: gcm api_version: v1 project_id: service_account_file: /service_account.json - - # This is the maximum number of connections to GCM servers at any one time - # the default is 20. - #max_connections: 20 - - # This is the maximum number of in-flight requests *for this pushkin* - # before additional notifications will be failed. - # (This is a robustness measure to prevent one pushkin stacking up with - # queued requests and saturating the inbound connection queue of a load - # balancer or reverse proxy). 
- # Defaults to 512 if unset. - # - #inflight_request_limit: 512 - - # This allows you to specify additional options to send to Firebase. - # - # Of particular interest, admins who wish to support iOS apps using Firebase - # probably wish to set content-available, and may need to set mutable-content. - # (content-available allows your iOS app to be woken up by data messages, - # and mutable-content allows your notification to be modified by a - # Notification Service app extension). - # - # See https://firebase.google.com/docs/cloud-messaging/http-server-ref - # for the exhaustive list of valid options. - # - # Do not specify `data`, `priority`, `to` or `registration_ids` as they may - # be overwritten or lead to an invalid request. - # - #fcm_options: - # apns: - # payload: - # aps: - # content-available: 1 - # mutable-content: 1 - # alert: ""