Skip to content

Make st2web use HTTP by default #20

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
May 31, 2019
Merged

Make st2web use HTTP by default #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8fa8742
Make st2web use HTTP by default
warrenvw May 28, 2019
5a2f88b
Add missing patch files
warrenvw May 29, 2019
76ad99c
Clean-up CMD
warrenvw May 29, 2019
8da0928
Remove old st2.conf.patch file
warrenvw May 29, 2019
03379ee
Fix typo in error_log value
warrenvw May 29, 2019
82291db
Update README with reference to ST2WEB_HTTPS var
warrenvw May 29, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 11 additions & 5 deletions st2web/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ LABEL com.stackstorm.component="st2web"

ENV container docker
ENV TERM xterm
ENV ST2WEB_HTTPS 0

# Default, but overrideable env vars to be substituted in st2.template nginx conf
ENV ST2_AUTH_URL http://st2auth:9100/
Expand Down Expand Up @@ -53,23 +54,28 @@ RUN if [ "${ST2_VERSION#*dev}" != "${ST2_VERSION}" ]; then \
&& rm -f /etc/apt/sources.list.d/StackStorm_*.list

# Download st2.conf and apply patch
COPY files/st2.conf.patch /tmp
COPY files/st2.conf-http.patch /tmp
COPY files/st2.conf-https.patch /tmp
RUN if [ "${ST2_VERSION#*dev}" != "${ST2_VERSION}" ]; then \
ST2_BRANCH=master; \
else \
ST2_BRANCH=v${ST2_VERSION%.*}; \
fi \
&& echo ST2_BRANCH=${ST2_BRANCH} \
&& apt-get install -y patch gettext-base \
&& curl -sf https://raw.githubusercontent.com/StackStorm/st2/${ST2_BRANCH}/conf/nginx/st2.conf -o /etc/nginx/conf.d/st2.template \
&& patch /etc/nginx/conf.d/st2.template < /tmp/st2.conf.patch \
&& curl -sf https://raw.githubusercontent.com/StackStorm/st2/${ST2_BRANCH}/conf/nginx/st2.conf -o /etc/nginx/conf.d/st2-http.template \
&& cp /etc/nginx/conf.d/st2-http.template /etc/nginx/conf.d/st2-https.template \
&& patch /etc/nginx/conf.d/st2-http.template < /tmp/st2.conf-http.patch \
&& patch /etc/nginx/conf.d/st2-https.template < /tmp/st2.conf-https.patch \
&& rm -f /etc/nginx/conf.d/default.conf \
&& rm -f /tmp/st2.conf.patch
&& rm -f /tmp/st2.conf.patch \
&& rm -f /tmp/st2.conf-http.patch \
&& rm -f /tmp/st2.conf-https.patch

# It's a user's responsbility to pass the valid SSL certificate files: 'st2.key' and 'st2.crt', used in nginx
VOLUME ["/etc/ssl/st2/"]

EXPOSE 80
EXPOSE 443
STOPSIGNAL SIGTERM
CMD ["/bin/bash", "-c", "envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < /etc/nginx/conf.d/st2.template > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]
CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]
3 changes: 3 additions & 0 deletions st2web/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,10 +10,13 @@ The following environment variables are available for configuration:
- `ST2_AUTH_URL` (default: `http://st2auth:9100/`) - StackStorm Auth service
- `ST2_API_URL` (default: `http://st2api:9101/`) - StackStorm API service
- `ST2_STREAM_URL` (default: `http://st2stream:9102/`) - StackStorm Stream service
- `ST2WEB_HTTPS` (default: `0`) - Use https with st2web

> Warning! All 3 services should be DNS/network accessible for `st2web` container to start properly. Thanks to K8s pod restarts, it's not a problem.

### Secrets
> Note! You may safely ignore this section if `ST2WEB_HTTPS` is set to `0`.
Copy link
Member

@arm4b arm4b May 30, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍


StackStorm Web UI uses nginx for SSL negotiation. A valid SSL certificate is required for `st2web` to run properly.
You have to share with the Docker container the following files:
- `/etc/ssl/st2/st2.crt` (required) - SSL certificate, [`ssl_certificate`](http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) nginx directive
Expand Down
86 changes: 86 additions & 0 deletions st2web/files/st2.conf-http.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
--- /etc/nginx/conf.d/st2.template 2019-05-27 14:11:20.000000000 -0700
+++ /etc/nginx/conf.d/st2.conf 2019-05-27 14:22:28.000000000 -0700
@@ -1,6 +1,6 @@
#
-# nginx configuration to expose st2 webui, redirect HTTP->HTTPS,
-# provide SSL termination, and reverse-proxy st2api and st2auth API endpoint.
+# nginx configuration to expose st2 webui, and reverse-proxy the st2api and
+# st2auth API endpoints.
# To enable:
# cp ${LOCATION}/st2.conf /etc/nginx/sites-available
# ln -l /etc/nginx/sites-available/st2.conf /etc/nginx/sites-enabled/st2.conf
@@ -9,39 +9,12 @@
server {
listen *:80 default_server;

- add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;

- if ($ssl_protocol = "") {
- return 308 https://$host$request_uri;
- }
-
- index index.html;
-
- access_log /var/log/nginx/st2webui.access.log combined;
- error_log /var/log/nginx/st2webui.error.log;
-}
-
-server {
- listen *:443 ssl;
-
- ssl on;
-
- ssl_certificate /etc/ssl/st2/st2.crt;
- ssl_certificate_key /etc/ssl/st2/st2.key;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
- ssl_prefer_server_ciphers on;
-
index index.html;

- access_log /var/log/nginx/ssl-st2webui.access.log combined;
- error_log /var/log/nginx/ssl-st2webui.error.log;
-
- add_header Front-End-Https on;
- add_header X-Content-Type-Options nosniff;
+ access_log /proc/self/fd/1 combined;
+ error_log stderr;

location @apiError {
add_header Content-Type application/json always;
@@ -53,7 +26,7 @@

rewrite ^/api/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9101/;
+ proxy_pass ${ST2_API_URL};
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
@@ -83,7 +56,7 @@

rewrite ^/stream/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9102/;
+ proxy_pass ${ST2_STREAM_URL};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -111,7 +84,7 @@

rewrite ^/auth/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9100/;
+ proxy_pass ${ST2_AUTH_URL};
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
@@ -136,4 +109,5 @@
tcp_nopush on;
tcp_nodelay on;
}
+
}
4 changes: 2 additions & 2 deletions st2web/files/st2.conf.patch → st2web/files/st2.conf-https.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
--- /etc/nginx/conf.d/st2.template 2018-07-26 16:55:35.000000000 +0000
+++ /etc/nginx/conf.d/st2.conf 2018-07-26 17:06:30.200000000 +0000
--- /etc/nginx/conf.d/st2.template 2019-05-27 14:11:20.000000000 -0700
+++ /etc/nginx/conf.d/st2.conf 2019-05-27 14:22:11.000000000 -0700
@@ -18,8 +18,8 @@

index index.html;
Expand Down