Merge a4d9dff into 4cd5de5

micro-lc · Dec 12, 2022 · e9911bd · e9911bd
2 parents 4cd5de5 + a4d9dff
commit e9911bd
Show file tree

Hide file tree

Showing 566 changed files with 40,689 additions and 48,622 deletions.
diff --git a/.docker/Dockerfile b/.docker/Dockerfile
@@ -0,0 +1,110 @@
+# Copyright 2022 Mia srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+ARG NGINX_VERSION="1.23.2"
+
+###########################################
+# nginx is enhanced with security modules #
+# to generate nonces                      #
+###########################################
+
+FROM nginx:${NGINX_VERSION}-alpine AS builder
+
+ARG NGINX_DEVEL_KIT_VERSION="0.3.1"
+ARG NGINX_SET_MISC_MODULE_VERSION="0.33"
+
+RUN wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" && \
+  wget "https://github.com/simpl/ngx_devel_kit/archive/v${NGINX_DEVEL_KIT_VERSION}.tar.gz" -O ngx_devel_kit-${NGINX_DEVEL_KIT_VERSION}.tar.gz && \
+  wget "https://github.com/openresty/set-misc-nginx-module/archive/v${NGINX_SET_MISC_MODULE_VERSION}.tar.gz" -O set-misc-nginx-module-${NGINX_SET_MISC_MODULE_VERSION}.tar.gz;
+
+RUN tar -zxvf nginx-${NGINX_VERSION}.tar.gz
+
+WORKDIR /nginx-${NGINX_VERSION}
+
+RUN tar -xzvf ../ngx_devel_kit-${NGINX_DEVEL_KIT_VERSION}.tar.gz && \
+  tar -xzvf ../set-misc-nginx-module-${NGINX_SET_MISC_MODULE_VERSION}.tar.gz
+
+RUN ls /
+
+RUN apk add --no-cache --virtual .build-deps \
+  gcc \
+  libc-dev \
+  make \
+  openssl-dev \
+  pcre-dev \
+  zlib-dev \
+  linux-headers \
+  curl \
+  gnupg \
+  libxslt-dev \
+  gd-dev \
+  geoip-dev
+
+WORKDIR /nginx-${NGINX_VERSION}
+
+RUN echo `nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p' | grep ssl`
+
+RUN CONFARGS=$(nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p') \
+  CONFARGS=${CONFARGS/-Os -fomit-frame-pointer -g/-Os} && \
+  SET_MISC_DIR="$(pwd)/set-misc-nginx-module-${NGINX_SET_MISC_MODULE_VERSION}" && \
+  DEVEL_KIT_DIR="$(pwd)/ngx_devel_kit-${NGINX_DEVEL_KIT_VERSION}" && \
+  ./configure \
+    --with-compat $CONFARGS \
+    --add-dynamic-module=${DEVEL_KIT_DIR} \
+    --add-dynamic-module=${SET_MISC_DIR} && \
+  make -j2 && \
+  make install
+
+###########################################
+# artifact                                #
+###########################################
+
+FROM nginx:${NGINX_VERSION}-alpine
+
+COPY --from=builder /usr/lib/nginx/modules/ndk_http_module.so /etc/nginx/modules/ndk_http_module.so
+COPY --from=builder /usr/lib/nginx/modules/ngx_http_set_misc_module.so /etc/nginx/modules/ngx_http_set_misc_module.so
+
+ARG COMMIT_SHA
+ARG DESCRIPTION
+ARG VERSION
+
+LABEL name="micro-lc" \
+      description=${DESCRIPTION} \
+      eu.mia-platform.url="https://www.mia-platform.eu" \
+      eu.mia-platform.version=${VERSION}
+
+COPY packages/orchestrator/dist /usr/static
+COPY .docker/etc/nginx /etc/nginx
+COPY .docker/usr/static /usr/static
+
+RUN touch ./off \
+  && chmod o+rw ./off \
+  && echo "[micro-lc]: ${COMMIT_SHA}" >> /etc/nginx/commit.sha
+
+ENV BASE_PATH="/"
+ENV MODE="production"
+ENV CONFIG_SRC="./config.json"
+
+RUN chown nginx /etc/nginx/nginx.conf
+RUN chown -R nginx /etc/nginx/conf.d/*
+RUN chown -R nginx /usr/static/*
+
+STOPSIGNAL SIGTERM
+
+EXPOSE 8080
+
+USER nginx
+
+CMD ["/bin/sh" , "-c" , "envsubst '$$BASE_PATH $$MODE $$CONFIG_SRC' < /etc/nginx/conf.d/default.conf >> /etc/nginx/nginx.conf && exec nginx -g 'daemon off;'"]
diff --git a/.../security.d/default_content_security.conf → ...nx/cache.d/cache_control.development.conf b/.../security.d/default_content_security.conf → ...nx/cache.d/cache_control.development.conf
@@ -13,5 +13,4 @@
 # limitations under the License.
 #
 
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-add_header 'Content-Security-Policy' "default-src 'self'" always;
+add_header                        'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0' always;
diff --git a/.../fe-container/nginx/filehandle_cache.conf → ...inx/cache.d/cache_control.production.conf b/.../fe-container/nginx/filehandle_cache.conf → ...inx/cache.d/cache_control.production.conf
@@ -12,8 +12,3 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
-open_file_cache max=5000 inactive=20s;
-open_file_cache_valid 60s;
-open_file_cache_min_uses 2;
-open_file_cache_errors on;
diff --git a/.docker/etc/nginx/conf.d/default.conf b/.docker/etc/nginx/conf.d/default.conf
@@ -0,0 +1,63 @@
+# Copyright 2022 Mia srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+http {
+  client_body_temp_path               /tmp/client_temp;
+  proxy_temp_path                     /tmp/proxy_temp_path;
+  fastcgi_temp_path                   /tmp/fastcgi_temp;
+  uwsgi_temp_path                     /tmp/uwsgi_temp;
+  scgi_temp_path                      /tmp/scgi_temp;
+
+  log_format                          x_real_ip '$remote_addr $original_request_host [$time_iso8601] "$request" $status $bytes_sent '
+                                      '"$http_referer" "$http_user_agent" - $request_time - $original_request_id';
+
+  include                             /etc/nginx/variables.conf;
+  access_log                          /var/log/nginx/access.log x_real_ip buffer=32k flush=5m if=$loggable;
+
+  server_tokens                       off;
+  tcp_nopush                          on;
+  tcp_nodelay                         on;
+  sendfile                            on;
+
+  include                             /etc/nginx/mime.types;
+  include                             /etc/nginx/filehandle_cache.conf;
+  include                             /etc/nginx/real_ip.conf;
+
+  server {
+    listen                            8080 default_server;
+    listen                            [::]:8080 default_server;
+
+    root                              /usr/static;
+
+    include                           /etc/nginx/gzip_settings.conf;
+    include                           /etc/nginx/cache.d/cache_control.${MODE}.conf;
+
+    location ~ (^/|^${BASE_PATH}) {
+      set_secure_random_alphanum      $cspNonce 32;
+
+      rewrite                         ^${BASE_PATH}$ /index.html break;
+      rewrite                         ^${BASE_PATH}/?(.*) /$1 break;
+
+      sub_filter_once                 off;
+      sub_filter                      '**MICRO_LC_BASE_PATH**' '${BASE_PATH}';
+      sub_filter                      '**MICRO_LC_MODE**' '${MODE}';
+      sub_filter                      '**MICRO_LC_CONFIG_SRC**' '${CONFIG_SRC}';
+      sub_filter                      '**CSP_NONCE**' $cspNonce;
+
+      expires                         -1;
+      try_files                       $uri $uri/index.html /index.html =404;
+    }
+  }
+}
diff --git a/...r/nginx/security.d/cross-site_script.conf → .docker/etc/nginx/filehandle_cache.conf b/...r/nginx/security.d/cross-site_script.conf → .docker/etc/nginx/filehandle_cache.conf
@@ -13,5 +13,7 @@
 # limitations under the License.
 #
 
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
-add_header 'X-XSS-Protection' "1; mode=block" always;
+open_file_cache                   max=5000 inactive=20s;
+open_file_cache_valid             60s;
+open_file_cache_min_uses          2;
+open_file_cache_errors            on;
diff --git a/example/nginx/real_ip.conf → .docker/etc/nginx/gzip_settings.conf b/example/nginx/real_ip.conf → .docker/etc/nginx/gzip_settings.conf
@@ -1,4 +1,4 @@
-# Copyright 2021 Mia srl
+# Copyright 2019 Mia srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,11 +13,18 @@
 # limitations under the License.
 #
 
-set_real_ip_from 127.0.0.1; # trust localhost
-set_real_ip_from unix:; # trust local unix socket
-set_real_ip_from 10.0.0.0/8; # trust class A private networks
-set_real_ip_from 172.16.0.0/12; # trust class B private networks
-set_real_ip_from 192.168.0.0/16; # trust class C private networks
+gzip                            on;
+gzip_disable                    "msie6";
 
-real_ip_header X-Forwarded-For;
-real_ip_recursive on;
+gzip_vary         on;
+gzip_proxied      any;
+gzip_comp_level   6;
+gzip_buffers      16 8k;
+gzip_http_version 1.1;
+gzip_min_length   256;
+gzip_types        application/javascript
+                  application/json
+                  text/css
+                  text/javascript
+                  text/plain
+                  text/xml;
diff --git a/example/nginx/filehandle_cache.conf → .docker/etc/nginx/nginx.conf b/example/nginx/filehandle_cache.conf → .docker/etc/nginx/nginx.conf
@@ -1,4 +1,4 @@
-# Copyright 2021 Mia srl
+# Copyright 2019 Mia srl
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -13,7 +13,15 @@
 # limitations under the License.
 #
 
-open_file_cache max=5000 inactive=20s;
-open_file_cache_valid 60s;
-open_file_cache_min_uses 2;
-open_file_cache_errors on;
+load_module "modules/ndk_http_module.so";
+load_module "modules/ngx_http_set_misc_module.so";
+
+worker_processes 2;
+
+error_log /var/log/nginx/error.log warn;
+
+pid /tmp/nginx.pid;
+
+events {
+  worker_connections 4096;
+}
diff --git a/packages/fe-container/nginx/real_ip.conf → .docker/etc/nginx/real_ip.conf b/packages/fe-container/nginx/real_ip.conf → .docker/etc/nginx/real_ip.conf
diff --git a/packages/fe-container/nginx/variables.conf → .docker/etc/nginx/variables.conf b/packages/fe-container/nginx/variables.conf → .docker/etc/nginx/variables.conf
diff --git a/.docker/usr/static/config.json b/.docker/usr/static/config.json
@@ -0,0 +1,4 @@
+{
+  "$schema": "https://cdn.jsdelivr.net/npm/@micro-lc/interfaces@latest/schemas/v2/config.schema.json",
+  "version": 2
+}
diff --git a/.docker/usr/static/favicon.png b/.docker/usr/static/favicon.png
diff --git a/.docker/usr/static/index.html b/.docker/usr/static/index.html
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <base href="**MICRO_LC_BASE_PATH**" target="_blank" />
+  <title>Microlc</title>
+  <link rel="icon" type="image/png" href="./favicon.png" />
+  <meta
+    http-equiv="Content-Security-Policy" content="
+      default-src 'self' https: http:;
+      script-src 'self' 'unsafe-eval' 'unsafe-inline' blob:;
+      object-src 'none';
+      style-src 'self' 'unsafe-inline';
+      img-src 'self' data: https: http:;
+      font-src 'self';
+      worker-src 'self' blob:;
+      base-uri 'self';"
+    />
+  <style>
+    html, body {
+      position: relative;
+      width: 100%;
+      height: 100%;
+      margin: 0;
+      padding: 0;
+      overflow: hidden;
+    }
+    micro-lc {
+      display: inline-block;
+      position: relative;
+      height: inherit;
+      width: inherit;
+    }
+  </style>
+  <script async type="module" src="./micro-lc.**MICRO_LC_MODE**.js"></script>
+</head>
+<body>
+  <micro-lc config-src="**MICRO_LC_CONFIG_SRC**"></micro-lc>
+</body>
+</html>
diff --git a/.dockerignore b/.dockerignore
diff --git a/.eslintignore b/.eslintignore
@@ -0,0 +1,15 @@
+.pnp.*
+.yarn/*
+
+dist/
+node_modules/
+playground/
+coverage/
+mocks/
+
+.vscode/
+.idea/
+
+# there's an experimental assert
+**/packages/composer/web-test-runner.config.mjs
+**/packages/interfaces/scripts/build-cli.mjs