From e146ed6416762d26a3c05a4aec9fe4c2fab28f13 Mon Sep 17 00:00:00 2001
From: Dragory <2606411+Dragory@users.noreply.github.com>
Date: Sat, 6 Apr 2024 18:47:09 +0300
Subject: [PATCH] refactor: remove SSL from standalone setup
Since Zeppelin was only creating a self-signed certificate, this gave a false sense of security when in reality you'd always want to have a proxy with a proper certificate in front of this anyway. Additionally, generating the certificate at build time meant that the domain couldn't easily be changed/updated without rebuilding.
---
 .env.example | 4 +---
 docker-compose.standalone.yml | 4 +---
 docker/production/nginx/Dockerfile | 6 ------
 docker/production/nginx/default.conf | 15 ++------------
 4 files changed, 4 insertions(+), 25 deletions(-)
diff --git a/.env.example b/.env.example
index 926b5d86..7878e9be 100644
--- a/.env.example
+++ b/.env.example
@@ -54,9 +54,7 @@ DEVELOPMENT_SSH_PASSWORD=password
 # NOTE: You only need to fill in these values for running the standalone production environment
 # ==========================
-STANDALONE_DOMAIN=
-
-STANDALONE_WEB_PORT=443
+STANDALONE_WEB_PORT=80
 # The MySQL database running in the container is exposed to the host on this port,
 # allowing access with database tools such as DBeaver
diff --git a/docker-compose.standalone.yml b/docker-compose.standalone.yml
index 5dc242e6..efcfa725 100644
--- a/docker-compose.standalone.yml
+++ b/docker-compose.standalone.yml
@@ -28,10 +28,8 @@ services:
 build:
 context: .
 dockerfile: docker/production/nginx/Dockerfile
- args:
- STANDALONE_DOMAIN: ${STANDALONE_DOMAIN:?Missing STANDALONE_DOMAIN}
 ports:
- - "${STANDALONE_WEB_PORT:?Missing STANDALONE_WEB_PORT}:443"
+ - "${STANDALONE_WEB_PORT:?Missing STANDALONE_WEB_PORT}:80"
 migrate:
 depends_on:
diff --git a/docker/production/nginx/Dockerfile b/docker/production/nginx/Dockerfile
index c49d9c9c..23ea1013 100644
--- a/docker/production/nginx/Dockerfile
+++ b/docker/production/nginx/Dockerfile
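Review bot: The new default `STANDALONE_WEB_PORT=80` publishes a plaintext HTTP listener, but nothing in the example says that this port is meant to sit behind a TLS-terminating reverse proxy, which is the rationale the commit message gives for dropping the self-signed certificate. An operator copying this file as-is will otherwise expose the dashboard and API over cleartext on whatever interface the port is published on. Suggest a comment above the variable: `# Plain HTTP: put a reverse proxy with a real certificate in front of this port and do not expose it directly to the internet.`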
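Review bot: `"${STANDALONE_WEB_PORT:?Missing STANDALONE_WEB_PORT}:80"` publishes the now-cleartext listener on every host interface, because Compose binds to 0.0.0.0 when no host address is given. Since the stack is intended to run behind a TLS-terminating proxy (per the commit message), binding to loopback would be the safer default: `- "127.0.0.1:${STANDALONE_WEB_PORT:?Missing STANDALONE_WEB_PORT}:80"`, with a comment noting that the proxy must reach nginx on that address. Docker-published ports are inserted ahead of host firewall rules on many setups, so a host-level firewall alone may not close this gap. The `nginx` service definition begins above this hunk.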
@@ -1,9 +1,3 @@
 FROM nginx
-ARG STANDALONE_DOMAIN
-
-RUN apt-get update && apt-get install -y openssl
-RUN openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/zeppelin-self-signed-cert.key -out /etc/ssl/certs/zeppelin-self-signed-cert.pem -days 3650 -subj "/CN=${STANDALONE_DOMAIN}" -nodes
-
 COPY ./docker/production/nginx/default.conf /etc/nginx/conf.d/default.conf
-RUN sed -ir "s/_STANDALONE_DOMAIN_/${STANDALONE_DOMAIN}/g" /etc/nginx/conf.d/default.conf
diff --git a/docker/production/nginx/default.conf b/docker/production/nginx/default.conf
index dee3c84f..1144ff67 100644
--- a/docker/production/nginx/default.conf
+++ b/docker/production/nginx/default.conf
@@ -1,7 +1,6 @@
 server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name _STANDALONE_DOMAIN_;
+ listen 80 default_server;
+ server_name _;
 # Using a variable here stops nginx from crashing if the dev container is restarted or becomes otherwise unavailable
 set $backend_upstream "http://api:3001";
@@ -21,14 +20,4 @@ server {
 client_max_body_size 200M;
 }
-
- ssl_certificate /etc/ssl/certs/zeppelin-self-signed-cert.pem;
- ssl_certificate_key /etc/ssl/private/zeppelin-self-signed-cert.key;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m;
- ssl_session_tickets off;
-
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers off;
 }
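Review bot: `listen 80 default_server;` replaces both `listen 443 ssl http2;` and `listen [::]:443 ssl http2;`, so the IPv6 listener is dropped together with TLS — nginx binds only the IPv4 wildcard unless `[::]` is given explicitly; if dual-stack was intentional, add `listen [::]:80 default_server;` beside it. Since TLS is now expected to be terminated by a proxy in front, a comment at the top of the server block such as `# Plain HTTP only: terminate TLS at a reverse proxy in front of this container` would stop the next reader from re-adding a certificate here. Whether the proxy location that presumably uses `$backend_upstream` already forwards `X-Forwarded-Proto` and `X-Forwarded-For`, so the API can tell the original scheme and client address, is outside this hunk and worth checking. The server block continues past the end of the hunk.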