Add dev template for nginx
sadiqkhoja committed Oct 20, 2023
1 parent bafc5ec commit 67c6397
Showing 2 changed files with 75 additions and 1 deletion.
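--- a/files/nginx/odk.conf.dev.template
+++ b/files/nginx/odk.conf.dev.template
@@ -0,0 +1,64 @@
+server {
+listen 8989;
+server_name localhost;
+
+server_tokens off;
+
+include /usr/share/odk/nginx/common-headers.conf;
+
+client_max_body_size 100m;
+
+gzip on;
+gzip_vary on;
+gzip_min_length 1280;
+gzip_http_version 1.1;
+gzip_types text/plain text/css application/json application/x-javascript text/xml text/csv;
+
+location /- {
+proxy_pass http://localhost:8005;
+proxy_redirect off;
+proxy_set_header Host $host;
+
+# More lax CSP for enketo-express:
+# Google Maps API: https://developers.google.com/maps/documentation/javascript/content-security-policy
+add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/maps/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'none'; report-uri /csp-report";
+#
+# Rules set to 'none' here would fallback to default-src if excluded.
+# They are included here to ease interpretation of violation reports.
+#
+# Other security headers are identical to those in common-headers.conf;
+# We can't just include that file here though, as it will set two Content-Security-Policy* headers
+add_header Referrer-Policy same-origin;
+add_header Strict-Transport-Security "max-age=63072000" always;
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-Content-Type-Options nosniff;
+}
+
+location ~ ^/v\d {
+proxy_set_header X-Forwarded-Proto https;
+proxy_pass http://localhost:8383;
+proxy_redirect off;
+
+# buffer requests, but not responses, so streaming out works.
+proxy_request_buffering on;
+proxy_buffering off;
+proxy_read_timeout 2m;
+}
+
+location / {
+root /usr/share/nginx/html;
+
+location /version.txt {
+include /usr/share/odk/nginx/common-headers.conf;
+add_header Cache-Control no-cache;
+}
+location /index.html {
+include /usr/share/odk/nginx/common-headers.conf;
+add_header Cache-Control no-cache;
+}
+}
+
+location /csp-report {
+proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY};
+}
+}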
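Review bot: The `/csp-report` location at the end of the template still proxies to `https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/...` with `${SENTRY_KEY}` in the query string, so a dev instance needs real Sentry values just to render a valid upstream. setup-odk.sh fills these in with envsubst, and with the variables unset the line would become `https://.ingest.sentry.io/api//security/?sentry_key=`, which nginx will most likely reject at startup because it resolves a literal proxy_pass host when loading the config; with them set, violation reports from a local browser go to the shared Sentry project. For the dev template I would answer locally instead, `location /csp-report { return 204; }`. Separately, a one-line comment above `proxy_set_header X-Forwarded-Proto https;` explaining why https is asserted on a plain-HTTP listener (port 8989) would help, since the backend presumably trusts that header.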
12 changes: 11 additions & 1 deletion files/nginx/setup-odk.sh
@@ -15,12 +15,17 @@ if [ "$SSL_TYPE" = "selfsign" ] && [ ! -s "$SELFSIGN_PATH/privkey.pem" ]; then
-days 3650 -nodes -sha256
fi

TEMPLATE_PATH=/usr/share/odk/nginx/odk.conf.template
if [ "$ENV" = "DEV" ]; then
TEMPLATE_PATH=/usr/share/odk/nginx/odk.conf.dev.template
fi

# start from fresh templates in case ssl type has changed
echo "writing fresh nginx templates..."
cp /usr/share/odk/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
CNAME=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
envsubst '$SSL_TYPE $CNAME $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
< /usr/share/odk/nginx/odk.conf.template \
< $TEMPLATE_PATH \
> /etc/nginx/conf.d/odk.conf

if [ "$SSL_TYPE" = "letsencrypt" ]; then
@@ -38,6 +43,11 @@ else
else
# remove letsencrypt challenge reply, but keep 80 to 443 redirection
perl -i -ne 'print if $. < 7 || $. > 14' /etc/nginx/conf.d/redirector.conf

if [ "$ENV" = "DEV" ]; then
rm -f /etc/nginx/conf.d/redirector.conf
fi

echo "starting nginx for custom ssl and self-signed certs..."
fi
exec nginx -g "daemon off;"
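Review bot: The `ENV=DEV` switch silently weakens the deployment: it selects the plain-HTTP template on port 8989 and, in the second hunk, deletes redirector.conf, yet nothing is logged and the variable name is generic enough to be set by accident. `ENV` is also the POSIX variable that names a startup file for interactive `sh`, so exporting it as `DEV` can have side effects in shells inside the container; a project-specific name would be safer (for example `ODK_NGINX_ENV`, a name I made up for illustration). I would add `echo "DEV mode: using $TEMPLATE_PATH, no TLS redirect"` inside the first `if`, and quote the redirect as `< "$TEMPLATE_PATH" \`. The `rm -f` sits in an `else` branch whose `if` starts outside the hunk, so presumably the redirector survives when `SSL_TYPE` is `letsencrypt`; a comment stating whether that is intended would help.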
