Add dev template for nginx

files/nginx/odk.conf.dev.template

@@ -0,0 +1,64 @@
+server {
+  listen 8989;
+  server_name localhost;
+
+  server_tokens off;
+
+  include /usr/share/odk/nginx/common-headers.conf;
+
+  client_max_body_size 100m;
+
+  gzip on;
+  gzip_vary on;
+  gzip_min_length 1280;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/x-javascript text/xml text/csv;
+
+  location /- {
+    proxy_pass http://localhost:8005;
+    proxy_redirect off;
+    proxy_set_header Host $host;
+
+    # More lax CSP for enketo-express:
+    # Google Maps API: https://developers.google.com/maps/documentation/javascript/content-security-policy
+    add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/maps/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'none'; report-uri /csp-report";
+    #
+    # Rules set to 'none' here would fallback to default-src if excluded.
+    # They are included here to ease interpretation of violation reports.
+    #
+    # Other security headers are identical to those in common-headers.conf;
+    # We can't just include that file here though, as it will set two Content-Security-Policy* headers
+    add_header Referrer-Policy same-origin;
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-Content-Type-Options nosniff;
+  }
+
+  location ~ ^/v\d {
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_pass http://localhost:8383;
+    proxy_redirect off;
+
+    # buffer requests, but not responses, so streaming out works.
+    proxy_request_buffering on;
+    proxy_buffering off;
+    proxy_read_timeout 2m;
+  }
+
+  location / {
+    root /usr/share/nginx/html;
+
+    location /version.txt {
+      include /usr/share/odk/nginx/common-headers.conf;
+      add_header Cache-Control no-cache;
+    }
+    location /index.html {
+      include /usr/share/odk/nginx/common-headers.conf;
+      add_header Cache-Control no-cache;
+    }
+  }
+
+  location /csp-report {
+    proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY};
+  }
+}

files/nginx/setup-odk.sh

@@ -15,12 +15,17 @@ if [ "$SSL_TYPE" = "selfsign" ] && [ ! -s "$SELFSIGN_PATH/privkey.pem" ]; then
     -days 3650 -nodes -sha256
 fi
 
+TEMPLATE_PATH=/usr/share/odk/nginx/odk.conf.template
+if [ "$ENV" = "DEV" ]; then
+    TEMPLATE_PATH=/usr/share/odk/nginx/odk.conf.dev.template
+fi
+
 # start from fresh templates in case ssl type has changed
 echo "writing fresh nginx templates..."
 cp /usr/share/odk/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
 CNAME=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
 envsubst '$SSL_TYPE $CNAME $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
-  < /usr/share/odk/nginx/odk.conf.template \
+  < $TEMPLATE_PATH \
   > /etc/nginx/conf.d/odk.conf
 
 if [ "$SSL_TYPE" = "letsencrypt" ]; then
@@ -38,6 +43,11 @@ else
   else
     # remove letsencrypt challenge reply, but keep 80 to 443 redirection
     perl -i -ne 'print if $. < 7 || $. > 14' /etc/nginx/conf.d/redirector.conf
+
+    if [ "$ENV" = "DEV" ]; then
+        rm -f /etc/nginx/conf.d/redirector.conf
+    fi
+
     echo "starting nginx for custom ssl and self-signed certs..."
   fi
   exec nginx -g "daemon off;"