From fbd1c5514345eb5183371bb408235178a3b66c56 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Thu, 7 Nov 2024 08:28:30 +0000
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20Host=20based=20tunnel=20(#22)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jacob Woffenden
---
 Makefile | 5 ++-
 src/etc/nginx/nginx.conf.template | 73 ++++++++++++++++++++++++++++---
 src/usr/local/bin/entrypoint.sh | 14 ++++--
 3 files changed, 81 insertions(+), 11 deletions(-)
diff --git a/Makefile b/Makefile
index 4883619..81e9e8d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: build scan test run
+.PHONY: build debug scan test run
 
 IMAGE_NAME ?= ghcr.io/ministryofjustice/analytical-platform-cloud-development-environment-nginx-proxy
 IMAGE_TAG ?= local
@@ -6,6 +6,9 @@ IMAGE_TAG ?= local
 TRIVY_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-db:2
 TRIVY_JAVA_DB_REPOSITORY ?= public.ecr.aws/aquasecurity/trivy-java-db:1
 
+debug: build
+ docker run --rm -it --publish 3000:3000 --entrypoint /bin/sh $(IMAGE_NAME):$(IMAGE_TAG)
+
 run: build
  docker run --rm -it --publish 3000:3000 $(IMAGE_NAME):$(IMAGE_TAG)
 
diff --git a/src/etc/nginx/nginx.conf.template b/src/etc/nginx/nginx.conf.template
index e0ea23f..ac098b5 100644
--- a/src/etc/nginx/nginx.conf.template
+++ b/src/etc/nginx/nginx.conf.template
@@ -155,6 +155,7 @@ http {
 # https://user-guidance.analytical-platform.service.justice.gov.uk/apps/rshiny-app.html#finding-current-users-39-user-profiles
 # https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L56-L69
 
+ # IDE
 server {
 # https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
 # Default is *:80
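Review bot: The new `debug` target publishes only `3000:3000`, while this same commit gives the tunnel listener its own default port (`PROXY_TUNNEL_LISTEN_PORT`, 3001 in entrypoint.sh), so the tunnel server is never reachable from the host when debugging; the existing `run` target has the same gap. I would publish both, `docker run --rm -it --publish 3000:3000 --publish 3001:3001 --entrypoint /bin/sh $(IMAGE_NAME):$(IMAGE_TAG)`, or hoist the port list into one variable that `debug` and `run` share so they cannot drift. The collapsed patch does not show whether the recipe line is tab-indented; Make rejects a space-indented recipe with "missing separator", so that is worth checking before merge. Adding `debug` to `.PHONY` in the first hunk is right, since it names a command rather than a file.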
@@ -203,13 +204,13 @@ http {
 # Root
 # https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L112
 location / {
- set_by_lua $analytical_platform_tool 'return "ANALYTICAL_PLATFORM_TOOL" ';
- set_by_lua $auth0_client_id 'return "AUTH0_CLIENT_ID" ';
- set_by_lua $auth0_client_secret 'return "AUTH0_CLIENT_SECRET" ';
- set_by_lua $auth0_tenant_domain 'return "AUTH0_TENANT_DOMAIN" ';
- set_by_lua $logout_url 'return "LOGOUT_URL" ';
- set_by_lua $redirect_domain 'return "REDIRECT_DOMAIN" ';
- set_by_lua $username 'return "USERNAME" ';
+ set_by_lua $analytical_platform_tool 'return "ANALYTICAL_PLATFORM_TOOL"';
+ set_by_lua $auth0_client_id 'return "AUTH0_CLIENT_ID"';
+ set_by_lua $auth0_client_secret 'return "AUTH0_CLIENT_SECRET"';
+ set_by_lua $auth0_tenant_domain 'return "AUTH0_TENANT_DOMAIN"';
+ set_by_lua $logout_url 'return "LOGOUT_URL"';
+ set_by_lua $redirect_domain 'return "REDIRECT_DOMAIN"';
+ set_by_lua $username 'return "USERNAME"';
 access_by_lua_file /opt/lua-scripts/auth0-login.lua;
 
 # https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L124-L130
@@ -240,4 +241,62 @@ http {
 proxy_read_timeout 20d;
 }
 }
+
+ # Tunnel
+ server {
+ # https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
+ # Default is *:80
+ # Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L72
+ listen PROXY_TUNNEL_LISTEN_ADDRESS:PROXY_TUNNEL_LISTEN_PORT;
+
+ # https://nginx.org/en/docs/ngx_core_module.html#error_log
+ # Default is logs/error.log error;
+ # Setting as per Analytical Platform: https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L74
+ # TODO: surely this should be set to error? also it should stream to stdout
+ # error_log /var/log/nginx/error.log ERROR_LOG_LEVEL;
+
+ # EXPERIMENTAL: https://nginx.org/en/docs/http/ngx_http_core_module.html#access_log
+ access_log /dev/stdout combined;
+ error_log /dev/stdout ERROR_LOG_LEVEL;
+
+ # Root
+ # https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L112
+ location / {
+ set_by_lua $analytical_platform_tool 'return "ANALYTICAL_PLATFORM_TOOL-tunnel"';
+ set_by_lua $auth0_client_id 'return "AUTH0_CLIENT_ID"';
+ set_by_lua $auth0_client_secret 'return "AUTH0_CLIENT_SECRET"';
+ set_by_lua $auth0_tenant_domain 'return "AUTH0_TENANT_DOMAIN"';
+ set_by_lua $logout_url 'return "LOGOUT_URL"';
+ set_by_lua $redirect_domain 'return "REDIRECT_DOMAIN"';
+ set_by_lua $username 'return "USERNAME"';
+ access_by_lua_file /opt/lua-scripts/auth0-login.lua;
+
+ # https://github.com/ministryofjustice/analytical-platform-nginx-proxy/blob/main/nginx-proxy/nginx.conf.template#L124-L130
+ # TODO: maybe move individual tool configurations to snippets and use https://nginx.org/en/docs/ngx_core_module.html#include directive
+
+ # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
+ # No default value
+ proxy_pass http://UPSTREAM_HOST:UPSTREAM_TUNNEL_PORT;
+
+ # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect
+ # Default is default
+ proxy_redirect http://UPSTREAM_HOST:UPSTREAM_TUNNEL_PORT/ $scheme://$http_host/;
+
+ # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_http_version
+ # Default is 1.0
+ proxy_http_version 1.1;
+
+ # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
+ # Default is "Host $proxy_host" and "Connection close"
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout
+ # Default is 60s
+ proxy_read_timeout 20d;
+ }
+ }
 }
diff --git a/src/usr/local/bin/entrypoint.sh b/src/usr/local/bin/entrypoint.sh
index a1d3ec6..07a1f29 100755
--- a/src/usr/local/bin/entrypoint.sh
+++ b/src/usr/local/bin/entrypoint.sh
@@ -6,8 +6,11 @@ set -e
 export ERROR_LOG_LEVEL="${ERROR_LOG_LEVEL:-error}"
 export PROXY_LISTEN_ADDRESS="${PROXY_LISTEN_ADDRESS:-"*"}"
 export PROXY_LISTEN_PORT="${PROXY_LISTEN_PORT:-3000}"
+export PROXY_TUNNEL_LISTEN_ADDRESS="${PROXY_TUNNEL_LISTEN_ADDRESS:-"*"}"
+export PROXY_TUNNEL_LISTEN_PORT="${PROXY_TUNNEL_LISTEN_PORT:-3001}"
 export UPSTREAM_HOST="${UPSTREAM_HOST:-localhost}"
 export UPSTREAM_PORT="${UPSTREAM_PORT:-8080}"
+export UPSTREAM_TUNNEL_PORT="${UPSTREAM_TUNNEL_PORT:-8081}"
 
 # Auth0
 export ANALYTICAL_PLATFORM_TOOL="${ANALYTICAL_PLATFORM_TOOL:-vscode}"
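Review bot: The new Tunnel server reuses `set_by_lua $redirect_domain 'return "REDIRECT_DOMAIN"';` unchanged, and entrypoint.sh defaults `REDIRECT_DOMAIN` to `http://localhost:3000`, so if auth0-login.lua derives its OAuth callback from that variable a login started on the tunnel port (3001 by default) will complete on the IDE listener rather than the tunnel; the Lua script is not in this patch, so this needs confirming, and a tunnel-specific placeholder would make the intended callback explicit either way. `proxy_set_header Connection $connection_upgrade;` depends on a `map $http_upgrade $connection_upgrade` block in the `http` context — presumably the IDE server already relies on it, but it is outside the hunk and nothing here declares it. The commented-out `# error_log /var/log/nginx/error.log ERROR_LOG_LEVEL;` sits a few lines above the live `error_log /dev/stdout ERROR_LOG_LEVEL;`, so one of the two should go instead of shipping dead config under a TODO. The seven `set_by_lua` lines plus `access_by_lua_file` are a verbatim copy of the IDE block, which is exactly what the in-hunk TODO about snippets and `include` is for; doing it now would keep the Auth0 client-secret wiring in one place rather than two.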
@@ -18,9 +21,11 @@ export LOGOUT_URL="${LOGOUT_URL:-"https://google.com"}"
 export REDIRECT_DOMAIN="${REDIRECT_DOMAIN:-"http://localhost:3000"}"
 export USERNAME="${USERNAME:-analyticalplatform}"
 
-echo "Error log level: ${ERROR_LOG_LEVEL}"
-echo "Proxy address: ${PROXY_LISTEN_ADDRESS}:${PROXY_LISTEN_PORT}"
-echo "Proxy Upstream: ${UPSTREAM_HOST}:${UPSTREAM_PORT}"
+echo "Error log level: ${ERROR_LOG_LEVEL}"
+echo "IDE proxy address: ${PROXY_LISTEN_ADDRESS}:${PROXY_LISTEN_PORT}"
+echo "IDE proxy upstream: ${UPSTREAM_HOST}:${UPSTREAM_PORT}"
+echo "Tunnel proxy address: ${PROXY_TUNNEL_LISTEN_ADDRESS}:${PROXY_TUNNEL_LISTEN_PORT}"
+echo "Tunnel proxy upstream: ${UPSTREAM_HOST}:${UPSTREAM_TUNNEL_PORT}"
 
 echo "Createing NGINX configuration from template"
 cp /etc/nginx/nginx.conf.template /etc/nginx/nginx.conf
@@ -29,8 +34,11 @@ echo "Replacing NGINX settings placeholders in NGINX configuration"
 sed -i "s/ERROR_LOG_LEVEL/${ERROR_LOG_LEVEL}/g" /etc/nginx/nginx.conf
 sed -i "s/PROXY_LISTEN_ADDRESS/${PROXY_LISTEN_ADDRESS}/g" /etc/nginx/nginx.conf
 sed -i "s/PROXY_LISTEN_PORT/${PROXY_LISTEN_PORT}/g" /etc/nginx/nginx.conf
+sed -i "s/PROXY_TUNNEL_LISTEN_ADDRESS/${PROXY_TUNNEL_LISTEN_ADDRESS}/g" /etc/nginx/nginx.conf
+sed -i "s/PROXY_TUNNEL_LISTEN_PORT/${PROXY_TUNNEL_LISTEN_PORT}/g" /etc/nginx/nginx.conf
 sed -i "s/UPSTREAM_HOST/${UPSTREAM_HOST}/g" /etc/nginx/nginx.conf
 sed -i "s/UPSTREAM_PORT/${UPSTREAM_PORT}/g" /etc/nginx/nginx.conf
+sed -i "s/UPSTREAM_TUNNEL_PORT/${UPSTREAM_TUNNEL_PORT}/g" /etc/nginx/nginx.conf
 
 echo "Replacing Auth0 settings placeholders in NGINX configuration"
 sed -i "s/ANALYTICAL_PLATFORM_TOOL/${ANALYTICAL_PLATFORM_TOOL}/g" /etc/nginx/nginx.conf
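Review bot: The three added `sed -i "s/…/${VAR}/g"` lines interpolate the environment value unescaped into a `/`-delimited sed expression, so a `PROXY_TUNNEL_LISTEN_ADDRESS` containing `/` or `&` rewrites the sed program instead of the placeholder; the defaults (`*`, `3001`, `8081`) are safe and this matches the surrounding lines, but new lines are the place to stop extending the pattern. A delimiter that cannot occur in an address, `sed -i "s|PROXY_TUNNEL_LISTEN_ADDRESS|${PROXY_TUNNEL_LISTEN_ADDRESS}|g" /etc/nginx/nginx.conf`, removes the `/` case; `&` still needs escaping if it can ever appear. The placeholders are plain unanchored words replaced in file order, so a placeholder that is a substring of a later one gets clobbered; none of the three new names collide with the existing ones, which deserves a one-line comment above the block so the next addition keeps it that way. The same substituted values end up inside single-quoted Lua string literals in the template, so a value containing `"` would break the `set_by_lua` line for both server blocks — worth stating in the script's header comment as a constraint on these variables.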