refactor: remove SSL from standalone setup

Since Zeppelin was only creating a self-signed certificate, this gave a false sense of security when in reality you'd always want to have a proxy with a proper certificate in front of this anyway. Additionally, generating the certificate at build time meant that the domain couldn't easily be changed/updated without rebuilding.
2025-03-14 21:31:50 +00:00 · 2024-04-06 18:47:09 +03:00 · 2024-04-06 18:47:09 +03:00 · e146ed6416
commit e146ed6416
parent 1ef7ba8d0f
4 changed files with 4 additions and 25 deletions
--- a/.env.example
+++ b/.env.example
@ -54,9 +54,7 @@ DEVELOPMENT_SSH_PASSWORD=password
 # NOTE: You only need to fill in these values for running the standalone production environment
 # ==========================

-STANDALONE_DOMAIN=
-
-STANDALONE_WEB_PORT=443
+STANDALONE_WEB_PORT=80

 # The MySQL database running in the container is exposed to the host on this port,
 # allowing access with database tools such as DBeaver
--- a/docker-compose.standalone.yml
+++ b/docker-compose.standalone.yml
@ -28,10 +28,8 @@ services:
    build:
      context: .
      dockerfile: docker/production/nginx/Dockerfile
-      args:
-        STANDALONE_DOMAIN: ${STANDALONE_DOMAIN:?Missing STANDALONE_DOMAIN}
    ports:
-      - "${STANDALONE_WEB_PORT:?Missing STANDALONE_WEB_PORT}:443"
+      - "${STANDALONE_WEB_PORT:?Missing STANDALONE_WEB_PORT}:80"

  migrate:
    depends_on:
--- a/docker/production/nginx/Dockerfile
+++ b/docker/production/nginx/Dockerfile
@ -1,9 +1,3 @@
 FROM nginx

-ARG STANDALONE_DOMAIN
-
-RUN apt-get update && apt-get install -y openssl
-RUN openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/zeppelin-self-signed-cert.key -out /etc/ssl/certs/zeppelin-self-signed-cert.pem -days 3650 -subj "/CN=${STANDALONE_DOMAIN}" -nodes
-
 COPY ./docker/production/nginx/default.conf /etc/nginx/conf.d/default.conf
-RUN sed -ir "s/_STANDALONE_DOMAIN_/${STANDALONE_DOMAIN}/g" /etc/nginx/conf.d/default.conf
--- a/docker/production/nginx/default.conf
+++ b/docker/production/nginx/default.conf
@ -1,7 +1,6 @@
 server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  server_name _STANDALONE_DOMAIN_;
+  listen 80 default_server;
+  server_name _;

  # Using a variable here stops nginx from crashing if the dev container is restarted or becomes otherwise unavailable
  set $backend_upstream "http://api:3001";
@ -21,14 +20,4 @@ server {

    client_max_body_size 200M;
  }
-
-  ssl_certificate /etc/ssl/certs/zeppelin-self-signed-cert.pem;
-  ssl_certificate_key /etc/ssl/private/zeppelin-self-signed-cert.key;
-
-  ssl_session_timeout 1d;
-  ssl_session_cache shared:MozSSL:10m;
-  ssl_session_tickets off;
-
-  ssl_protocols TLSv1.3;
-  ssl_prefer_server_ciphers off;
 }