From c0272de73193ddc1b7c366f805c11c68eb84f0e1 Mon Sep 17 00:00:00 2001 From: Noel De Martin Date: Thu, 1 Feb 2024 17:04:40 +0100 Subject: [PATCH] MOBILE-4304 ci: Configure SSL --- .github/workflows/acceptance.yml | 34 +++++++++++++++++++++++++------- Dockerfile | 9 ++++++++- nginx.conf | 16 ++++++++++++++- 3 files changed, 50 insertions(+), 9 deletions(-) diff --git a/.github/workflows/acceptance.yml b/.github/workflows/acceptance.yml index 9cc0288ca..d30a6611f 100644 --- a/.github/workflows/acceptance.yml +++ b/.github/workflows/acceptance.yml @@ -41,6 +41,17 @@ jobs: working-directory: app run: npm run build:test + - name: Generate SSL certificates + working-directory: app + run: | + mkdir ./ssl + openssl req -x509 -nodes \ + -days 365 \ + -newkey rsa:2048 \ + -keyout ./ssl/certificate.key \ + -out ./ssl/certificate.crt \ + -subj="/O=Moodle" + - name: Build Behat plugin working-directory: app run: ./scripts/build-behat-plugin.js ../plugin @@ -111,11 +122,12 @@ jobs: - uses: actions/cache/save@v4 with: - key: build-${{ github.sha }} - path: | - app/node_modules/**/* - app/www/**/* - plugin/**/* + key: build-${{ github.sha }} + path: | + app/ssl/**/* + app/node_modules/**/* + app/www/**/* + plugin/**/* behat: runs-on: ubuntu-latest @@ -157,6 +169,7 @@ jobs: with: key: build-${{ github.sha }} path: | + app/ssl/**/* app/node_modules/**/* app/www/**/* plugin/**/* @@ -164,7 +177,14 @@ jobs: - name: Launch Docker images working-directory: app run: | - docker run -d --rm -p 8001:80 --name moodleapp -v ./www:/usr/share/nginx/html -v ./nginx.conf:/etc/nginx/conf.d/default.conf nginx:alpine + docker run -d --rm \ + -p 8001:443 \ + --name moodleapp \ + -v ./www:/usr/share/nginx/html \ + -v ./nginx.conf:/etc/nginx/conf.d/default.conf \ + -v ./ssl/certificate.crt:/etc/ssl/certificate.crt \ + -v ./ssl/certificate.key:/etc/ssl/certificate.key \ + nginx:alpine docker run -d --rm -p 8002:80 --name bigbluebutton moodlehq/bigbluebutton_mock:latest - name: Initialise moodle-plugin-ci 
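Review bot: The certificate created in the `Generate SSL certificates` step of `.github/workflows/acceptance.yml` has only `/O=Moodle` as its subject and no subjectAltName, so no client can validate it for `localhost` and every consumer has to turn certificate verification off (the Dockerfile healthcheck in this same patch already does, with `curl --insecure`). Adding `-addext "subjectAltName=DNS:localhost" \` to the `openssl req` call would let the test browser or curl trust this exact certificate instead of ignoring errors. `mkdir -p ./ssl` would also keep the step from failing if the directory is already present, for example after a cache restore.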
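Review bot: The new `app/ssl/**/*` path in the `actions/cache/save` step stores `certificate.key` in the Actions cache, where it outlives the job and can be restored by other runs that are allowed to read this repository's caches. The matching restore path added in the `behat` job (hunk at -157) depends on it. The key is a throwaway for a self-signed certificate, so the exposure is small, but nothing in the workflow says so. Either generate the pair in the `behat` job just before `Launch Docker images` and drop the cache entry, or add a comment such as `# disposable self-signed test key, never trust or reuse outside CI` above the path.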
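Review bot: The four bind mounts in the new `docker run` command under `Launch Docker images` are read-write, so the nginx container can modify the runner's copy of `nginx.conf`, the web root and the private key. Nothing visible in the hunk needs write access, so append `:ro` to each mount, e.g. `-v ./ssl/certificate.key:/etc/ssl/certificate.key:ro \`. The image is still pulled by the mutable tag `nginx:alpine`; pinning it by digest would keep the container that now terminates TLS reproducible.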
@@ -184,7 +204,7 @@ jobs: DB: pgsql MOODLE_BRANCH: ${{ github.event.inputs.moodle_branch || 'main' }} MOODLE_REPO: ${{ github.event.inputs.moodle_repository || 'https://github.com/moodle/moodle.git' }} - MOODLE_BEHAT_IONIC_WWWROOT: http://localhost:8001 + MOODLE_BEHAT_IONIC_WWWROOT: https://localhost:8001 MOODLE_BEHAT_DEFAULT_BROWSER: chrome - name: Update config diff --git a/Dockerfile b/Dockerfile index a3f527cee..0a247812e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,10 +23,17 @@ ARG build_command="npm run build:prod" COPY . /app RUN ${build_command} +# Generate SSL certificate +RUN mkdir /app/ssl +RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /app/ssl/certificate.key -out /app/ssl/certificate.crt -subj="/O=Moodle" + ## SERVE STAGE FROM nginx:alpine as serve-stage # Copy assets & config COPY --from=build-stage /app/www /usr/share/nginx/html +COPY --from=build-stage /app/ssl/certificate.crt /etc/ssl/certificate.crt +COPY --from=build-stage /app/ssl/certificate.key /etc/ssl/certificate.key COPY ./nginx.conf /etc/nginx/conf.d/default.conf -HEALTHCHECK --interval=10s --timeout=4s CMD curl -f http://localhost/assets/env.json || exit 1 +EXPOSE 443 +HEALTHCHECK --interval=10s --timeout=4s CMD curl --insecure -f https://localhost/assets/env.json || exit 1 diff --git a/nginx.conf b/nginx.conf index 498543c33..3de153c87 100644 --- a/nginx.conf +++ b/nginx.conf @@ -1,9 +1,23 @@ server { - listen 0.0.0.0:80; + listen 80; + listen 443 ssl; root /usr/share/nginx/html; server_tokens off; access_log off; + # Configure SSL + if ($scheme = "http") { + return 301 https://$host$request_uri; + } + + ssl_certificate /etc/ssl/certificate.crt; + ssl_certificate_key /etc/ssl/certificate.key; + ssl_protocols TLSv1.3; + + # Enable OPFS + add_header Cross-Origin-Opener-Policy "same-origin"; + add_header Cross-Origin-Embedder-Policy "require-corp"; + location / { try_files $uri $uri/ /index.html; }
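Review bot: The `RUN openssl req ...` line in the Dockerfile build stage creates the private key at image build time, and the two `COPY --from=build-stage /app/ssl/...` lines bake it into the serve stage, so every container started from one build shares the same key and anyone who can pull the image can read `/etc/ssl/certificate.key`. If this image is published or used outside local testing (not visible from the patch), the TLS it serves gives no protection against holders of the image, and the certificate expires 365 days after the build without any signal. Prefer generating the pair at container start or requiring it to be mounted at run time, as the workflow's `docker run` already does. At minimum add `# Test-only self-signed certificate: mount a real certificate and key over /etc/ssl/certificate.* for any shared deployment` above the `RUN`. The healthcheck's `curl --insecure` is tolerable for a loopback probe but should not be copied into external checks.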
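Review bot: The two `add_header` lines under `# Enable OPFS` in `nginx.conf` lack the `always` parameter, so nginx omits Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy on error responses, and any `location` that declares its own `add_header` stops inheriting them. The server block continues past this hunk, so whether such a location exists is not visible here. Write them as `add_header Cross-Origin-Opener-Policy "same-origin" always;` and `add_header Cross-Origin-Embedder-Policy "require-corp" always;`. The redirect `return 301 https://$host$request_uri;` takes the host from the request and carries no port, so it only lands back on this server when HTTPS is published on 443. A comment saying so would help, since the workflow maps 8001:443.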