
Move nginx config to /etc/nginx/dokku.d #3443

Open
josegonzalez opened this issue Feb 14, 2019 · 6 comments

Comments

@josegonzalez
Member

josegonzalez commented Feb 14, 2019

When SELinux is in use, nginx cannot read nginx.conf files in /home/dokku/*/dokku.conf. This causes routing issues, resulting in a terrible experience for our users.

We should:

  • On install, update the /etc/nginx/conf.d/dokku.conf file to add include /etc/nginx/dokku.d/*.conf and include /etc/nginx/dokku.d/*/*.conf.
  • On nginx config build, delete the path at /home/dokku/APP/nginx.conf and create the new file in /etc/nginx/dokku.d/APP.conf.
  • Modify the generated nginx.conf to include /etc/nginx/dokku.d/APP/*.conf.
  • Update the dokku-letsencrypt and dokku-redirect to handle both cases.
  • Provide a helper method for presenting where the current nginx config file is.
  • Add an nginx:show-conf APP command that shows the current app config.

Marking as a bug as compatibility with SELinux systems is completely broken without this.
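The install-time include, the per-app config move and the "where is my config" helper from the checklist above, written out as an added shell example (not Dokku's own code). ROOT, the function names and the warning text are assumptions; the point of the move is that /etc/nginx is labelled httpd_config_t under the default targeted policy, so nginx can read files there without any policy change.

```shell
#!/usr/bin/env bash
# Added example, not Dokku's own code: the install-time include, the per-app
# migration and the config-path helper proposed in the issue.
# ROOT is an assumed prefix (empty on a real host) so the functions can be
# exercised against a scratch directory tree.
set -u

main_conf()   { printf '%s/etc/nginx/conf.d/dokku.conf\n' "${ROOT:-}"; }
legacy_conf() { printf '%s/home/dokku/%s/nginx.conf\n' "${ROOT:-}" "$1"; }
new_conf()    { printf '%s/etc/nginx/dokku.d/%s.conf\n' "${ROOT:-}" "$1"; }

# Install step: make sure dokku.conf pulls in both dokku.d include patterns.
# Idempotent, so it is safe to run on every install or upgrade.
ensure_dokku_includes() {
  local conf line
  conf="$(main_conf)"
  mkdir -p "$(dirname "$conf")"; touch "$conf"
  for line in 'include /etc/nginx/dokku.d/*.conf;' 'include /etc/nginx/dokku.d/*/*.conf;'; do
    grep -qxF "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
  done
}

# Helper from the issue: print the app's active nginx config path.
# The new location wins, the legacy one is reported as a fallback, 1 if none.
nginx_conf_path() {
  local app="$1"
  if [ -f "$(new_conf "$app")" ]; then new_conf "$app"
  elif [ -f "$(legacy_conf "$app")" ]; then legacy_conf "$app"
  else return 1
  fi
}

# Config build step: move /home/dokku/APP/nginx.conf to /etc/nginx/dokku.d/APP.conf
# (readable by nginx under the default SELinux policy) and create the per-app
# drop-in directory. Warns so plugins referencing the old path get updated.
migrate_nginx_conf() {
  local app="$1" src dst
  src="$(legacy_conf "$app")"; dst="$(new_conf "$app")"
  mkdir -p "$(dirname "$dst")" "${dst%.conf}"
  [ -f "$src" ] || return 1
  echo "warning: $src is now $dst; update anything that referenced the old path" >&2
  mv "$src" "$dst"
}
```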

@josegonzalez
Member Author

Note: this is a somewhat BC incompatible change, due to where files get included from. We'll include both paths but warn users to move their files to the new path during a deploy.

@rbclark

rbclark commented Feb 19, 2020

In addition to the nginx config, the location of the TLS certificates also seems to be an issue with SELinux. I ended up having to install letsencrypt and run audit2allow -a -M dokku and then semodule -i dokku.pp.

I believe the relevant policies are:

#!!!! This avc is allowed in the current policy
allow httpd_t user_home_dir_t:dir read;

#!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
allow httpd_t user_home_t:dir read;

#!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
allow httpd_t user_home_t:file { open read };

@josegonzalez
Member Author

josegonzalez commented Feb 19, 2020

Is there a way to ship that with Dokku somehow? If so, that would resolve our SELinux issues and be an alternative to moving files into the correct place...

@rbclark

rbclark commented Feb 19, 2020

Yeah, that should be possible. It would be best to avoid providing full access to the whole home directory, though. I have found 2 commands that seem to set up permissions correctly so that nginx can still read them.

/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/home/dokku(/[^\.].*)?"
/sbin/restorecon -R /home/dokku

Based on the information provided at https://fedoraproject.org/wiki/PackagingDrafts/SELinux#File_contexts the easiest way to do this is the following in the RPM spec:

Requires(post): policycoreutils-python
Requires(postun): policycoreutils-python

...

%post
semanage fcontext -a -t httpd_sys_content_t "/home/dokku(/[^\.].*)?" 2>/dev/null || :
restorecon -R /home/dokku || :

%postun
if [ $1 -eq 0 ] ; then  # final removal
semanage fcontext -d -t httpd_sys_content_t "/home/dokku(/[^\.].*)?" 2>/dev/null || :
fi

The only disadvantage to this is it adds a dependency on policycoreutils-python which isn't necessary for people who are not using SELinux.

@josegonzalez
Member Author

That's annoying, and might be OS-specific. May as well fix the underlying issue in that case...

@josegonzalez josegonzalez added this to the v1.0.0 milestone Jun 17, 2020
@josegonzalez josegonzalez added this to Scheduled for future release in Release Board Dec 2, 2020
@josegonzalez josegonzalez moved this from Scheduled for future release to Backlog in Release Board Dec 2, 2020
@josegonzalez
Member Author

Updating this to be an enhancement, as we never purported to work with SELinux (though you can now with an alternative proxy implementation like openresty).

@josegonzalez josegonzalez modified the milestones: v1.0.0, v0.34.0 Oct 16, 2023
@josegonzalez josegonzalez added the estimate: 8h Estimated time: 8 hours label Jan 30, 2024
@josegonzalez josegonzalez modified the milestones: v0.34.0, v0.35.0 Mar 13, 2024
@josegonzalez josegonzalez modified the milestones: v0.35.0, v0.36.0 Apr 5, 2024