From d3d25ef1f72e22301f9ad7be3b9467e8b8a60417 Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Wed, 25 Aug 2021 19:56:40 +0200
Subject: [PATCH 01/10] Update config.js
---
 conf/config.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/conf/config.js b/conf/config.js
index 49c19cd..dc2c96a 100644
--- a/conf/config.js
+++ b/conf/config.js
@@ -126,7 +126,7 @@ const conf = convict({
 },
 listen_address: {
 format: 'ipaddress',
- default: '0.0.0.0',
+ default: '127.0.0.1',
 env: 'IP_ADDRESS'
 },
 listen_port: {
@@ -147,7 +147,7 @@ const conf = convict({
 },
 env: {
 format: ['production', 'development', 'test'],
- default: 'development',
+ default: 'production',
 env: 'NODE_ENV'
 },
 max_file_size: {
From 8bbcc29678b8a86787808c2ee0b68f960a929584 Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Wed, 25 Aug 2021 20:49:30 +0200
Subject: [PATCH 02/10] Update config.js
---
 conf/config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/config.js b/conf/config.js
index dc2c96a..d97654d 100644
--- a/conf/config.js
+++ b/conf/config.js
@@ -126,7 +126,7 @@ const conf = convict({
 },
 listen_address: {
 format: 'ipaddress',
- default: '127.0.0.1',
+ default: '0.0.0.0',
 env: 'IP_ADDRESS'
 },
 listen_port: {
From 5f7d41750d2a8711ec25101abab06af7aa8f7001 Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Wed, 25 Aug 2021 21:04:01 +0200
Subject: [PATCH 03/10] Fix
---
 conf/nginx.conf | 16 +++++----------
 conf/systemd.service | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 2c8ef20..0ef73f7 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
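Review bot: Reverting `listen_address` to `default: '0.0.0.0'` (patch 02) makes the Node process accept connections on every interface by default, while the nginx template in patch 03 proxies only to `http://127.0.0.1:__PORT__`; anything that reaches the application port directly bypasses the reverse proxy and whatever access control is applied there, including the `/api` permission created in patch 09. Unless `IP_ADDRESS` is set for the service somewhere not visible in this series, `default: '127.0.0.1'` as patch 01 had it would confine the listener to the loopback address the proxy actually uses. If the revert was needed for a concrete reason (IPv6, container networking), a one-line comment above the `default:` explaining it would stop the next reader from flipping it back.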
@@ -1,16 +1,10 @@
 location / {
- proxy_pass http://127.0.0.1:__PORT__;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $server_name;
-
- proxy_http_version 1.1;
- proxy_set_header Connection "upgrade";
- proxy_set_header Upgrade $http_upgrade;
+ proxy_pass http://127.0.0.1:__PORT__;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
 }
 location /api/ws {
diff --git a/conf/systemd.service b/conf/systemd.service
index 7374759..9f40fd9 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -6,11 +6,41 @@ After=syslog.target network.target
 Type=simple
 User=__APP__
 Group=__APP__
-WorkingDirectory=__FINALPATH__
+WorkingDirectory=__FINALPATH__/
 Environment="NODE_ENV=production"
 #Environment="__YNH_NODE_LOAD_PATH__"
 ExecStart=__YNH_NODE__ __FINALPATH__/server/bin/prod.js
 Restart=always
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG
+
 [Install]
 WantedBy=multi-user.target
From 5123a699cfafbb7455434600fba568dd0248e801 Mon Sep 17 00:00:00 2001
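Review bot: `CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD` names a capability that does not exist (the kernel name is `CAP_SYS_RAWIO`), so systemd will log a parse warning for that token and ignore it; the intent is only met because `PrivateDevices=yes` already removes CAP_SYS_RAWIO and CAP_MKNOD from the bounding set, so the line should read `CapabilityBoundingSet=~CAP_SYS_RAWIO CAP_MKNOD` or be dropped. `ProtectSystem=full` makes only `/usr`, `/boot` and `/etc` read-only, so the service can still rewrite anything under `/var` (presumably including its own code at `__FINALPATH__`); `ProtectSystem=strict` with `ReadWritePaths=` listing the directories the app genuinely writes would be the tighter baseline, and `ProtectHome=yes` is missing from the list. `DevicePolicy=closed` appears redundant next to `PrivateDevices=yes`, which implies it per systemd.exec(5). The `WorkingDirectory=__FINALPATH__/` change only adds a trailing slash and has no effect.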
From: ericgaspar
Date: Thu, 26 Aug 2021 07:48:47 +0200
Subject: [PATCH 04/10] Fix
---
 conf/config.js | 2 +-
 scripts/_common.sh | 41 ++++++++++++++++++++++++++++++++++++++++-
 scripts/install | 9 +++++++++
 scripts/remove | 7 +++++++
 4 files changed, 57 insertions(+), 2 deletions(-)
diff --git a/conf/config.js b/conf/config.js
index d97654d..f1e57bc 100644
--- a/conf/config.js
+++ b/conf/config.js
@@ -106,7 +106,7 @@ const conf = convict({
 },
 redis_db: {
 format: String,
- default: '',
+ default: '__REDIS_DB__',
 env: 'REDIS_DB'
 },
 redis_event_expire: {
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 247f831..deddb9c 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -12,7 +12,6 @@ nodejs_version=15
 # dependencies used by the app
 #pkg_dependencies="redis-server"
-
 #=================================================
 # PERSONAL HELPERS
 #=================================================
@@ -24,3 +23,43 @@ nodejs_version=15
 #=================================================
 # FUTURE OFFICIAL HELPERS
 #=================================================
+
+#!/bin/bash
+
+# get the first available redis database
+#
+# usage: ynh_redis_get_free_db
+# | returns: the database number to use
+ynh_redis_get_free_db() {
+ local result max db
+ result=$(redis-cli INFO keyspace)
+
+ # get the num
+ max=$(cat /etc/redis/redis.conf | grep ^databases | grep -Eow "[0-9]+")
+
+ db=0
+ # default Debian setting is 15 databases
+ for i in $(seq 0 "$max")
+ do
+ if ! echo "$result" | grep -q "db$i"
+ then
+ db=$i
+ break 1
+ fi
+ db=-1
+ done
+
+ test "$db" -eq -1 && ynh_die --message="No available Redis databases..."
+
+ echo "$db"
+}
+
+# Create a master password and set up global settings
+# Please always call this script in install and restore scripts
+#
+# usage: ynh_redis_remove_db database
+# | arg: database - the database to erase
+ynh_redis_remove_db() {
+ local db=$1
+ redis-cli -n "$db" flushall
+}
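Review bot: `ynh_redis_remove_db` runs `redis-cli -n "$db" flushall`, but FLUSHALL empties every database on the Redis instance regardless of the `-n` selection, so removing this app would wipe the data of any other app sharing the server; the per-database command is `redis-cli -n "$db" flushdb`. In `ynh_redis_get_free_db`, `seq 0 "$max"` iterates one past the valid range (a `databases 16` setting means indices 0–15), and `grep -q "db$i"` also matches `db10`…`db15` when `i` is 1, so `grep -q "^db$i:"` would avoid false "in use" results. The header comment on `ynh_redis_remove_db` ("Create a master password and set up global settings") is copied from another helper and should describe the flush, and the `#!/bin/bash` line inserted mid-file into a sourced helper is inert and misleading.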
diff --git a/scripts/install b/scripts/install
index dcc7542..732d3a1 100644
--- a/scripts/install
+++ b/scripts/install
@@ -69,6 +69,15 @@ ynh_script_progression --message="Installing dependencies..." --weight=20
 # Install Nodejs
 ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
+#=================================================
+# CREATE A REDIS DATABASE
+#=================================================
+ynh_script_progression --message="Creating a Redis database..." --weight=5
+
+# Configure redis
+redis_db=$(ynh_redis_get_free_db)
+ynh_app_setting_set --app="$app" --key=redis_db --value="$redis_db"
+
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index dc4d988..268fe1e 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -51,6 +51,13 @@ ynh_script_progression --message="Removing dependencies..." --weight=1
 ynh_remove_nodejs
+#=================================================
+# REMOVE THE REDIS DATABASE
+#=================================================
+ynh_script_progression --message="Removing the Redis database..." --weight=1
+
+ynh_redis_remove_db "$redis_db"
+
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
From f0f0587afd081c6d4bad52763ff746fdf3c854d7 Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Thu, 26 Aug 2021 07:51:09 +0200
Subject: [PATCH 05/10] Fix
---
 scripts/_common.sh | 2 +-
 scripts/install | 2 +-
 scripts/remove | 2 +-
 scripts/restore | 2 +-
 scripts/upgrade | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/_common.sh b/scripts/_common.sh
index deddb9c..77741ea 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
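Review bot: `redis_db=$(ynh_redis_get_free_db)` relies on a helper that treats a database as free when `INFO keyspace` has no `dbN` entry for it, yet Redis omits databases that currently hold zero keys, so an index already assigned to another app whose keys are empty or expired at that instant can be handed out a second time. That limitation is worth stating next to the call, e.g. `# Picks the first db with no keys; a db owned by another app but momentarily empty can be reused`, so a later collision is not a mystery. The helper itself lives in scripts/_common.sh (patch 04), outside this hunk.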
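Review bot: `ynh_redis_remove_db "$redis_db"` depends on `redis_db` having been loaded earlier in the remove script; this series adds that lookup to change_url (patch 10) but no hunk here adds it to remove, and the settings section of remove is outside this hunk, so whether it is already present cannot be confirmed. If it is unset the call has no valid database index, and with the helper's current `flushall` the command would still empty every database on the instance. Either load it with `redis_db=$(ynh_app_setting_get --app=$app --key=redis_db)` in the settings section or guard the call with `if [ -n "$redis_db" ]; then ynh_redis_remove_db "$redis_db"; fi`.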
@@ -10,7 +10,7 @@ nodejs_version=15
 # dependencies used by the app
-#pkg_dependencies="redis-server"
+pkg_dependencies="redis-server"
 #=================================================
 # PERSONAL HELPERS
diff --git a/scripts/install b/scripts/install
index 732d3a1..d791c7b 100644
--- a/scripts/install
+++ b/scripts/install
@@ -64,7 +64,7 @@ ynh_app_setting_set --app=$app --key=port --value=$port
 #=================================================
 ynh_script_progression --message="Installing dependencies..." --weight=20
-#ynh_install_app_dependencies $pkg_dependencies
+ynh_install_app_dependencies $pkg_dependencies
 # Install Nodejs
 ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
diff --git a/scripts/remove b/scripts/remove
index 268fe1e..5506f14 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -47,7 +47,7 @@ ynh_remove_systemd_config
 ynh_script_progression --message="Removing dependencies..." --weight=1
 # Remove metapackage and its dependencies
-#ynh_remove_app_dependencies
+ynh_remove_app_dependencies
 ynh_remove_nodejs
diff --git a/scripts/restore b/scripts/restore
index 058b9ab..70bad0f 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -77,7 +77,7 @@ chmod +x "$final_path/server/bin/prod.js"
 ynh_script_progression --message="Reinstalling dependencies..." --weight=7
 # Define and install dependencies
-#ynh_install_app_dependencies $pkg_dependencies
+ynh_install_app_dependencies $pkg_dependencies
 # Install Nodejs
 ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
diff --git a/scripts/upgrade b/scripts/upgrade
index 6910e29..bcf15ec 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -103,7 +103,7 @@ ynh_add_nginx_config
 #=================================================
 ynh_script_progression --message="Upgrading dependencies..." --weight=18
-#ynh_install_app_dependencies $pkg_dependencies
+ynh_install_app_dependencies $pkg_dependencies
 # Install Nodejs
 ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
From 9f8e5adbe2cb6bb64a4e804c37b69079a30186d6 Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Thu, 26 Aug 2021 07:54:43 +0200
Subject: [PATCH 06/10] Fix
---
 conf/systemd.service | 2 +-
 scripts/install | 10 ++++++++--
 scripts/upgrade | 13 +++++++++----
 3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index 9f40fd9..79f170c 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -9,7 +9,7 @@ Group=__APP__
 WorkingDirectory=__FINALPATH__/
 Environment="NODE_ENV=production"
 #Environment="__YNH_NODE_LOAD_PATH__"
-ExecStart=__YNH_NODE__ __FINALPATH__/server/bin/prod.js
+ExecStart=__FINALPATH__/server/bin/prod.js
 Restart=always
 # Sandboxing options to harden security
diff --git a/scripts/install b/scripts/install
index d791c7b..481c670 100644
--- a/scripts/install
+++ b/scripts/install
@@ -125,10 +125,16 @@ chown $app "$final_path/server/config.js"
 #==============================================
 ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=20
+#pushd "$final_path"
+# ynh_use_nodejs
+# ynh_exec_warn_less ynh_npm install
+# ynh_exec_warn_less ynh_npm run build
+#popd
+
 pushd "$final_path"
 ynh_use_nodejs
- ynh_exec_warn_less ynh_npm install
- ynh_exec_warn_less ynh_npm run build
+ ynh_exec_warn_less ynh_exec_as $app env "$ynh_node_load_PATH" npm install
+ ynh_exec_warn_less ynh_exec_as $app env "$ynh_node_load_PATH" npm run build
 popd
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index bcf15ec..977ed44 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
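Review bot: The five `#pushd "$final_path"` … `#popd` lines added above the live block in scripts/install are the previous implementation kept as commented-out code; version control already preserves it, so the block should be deleted, and the same dead block is introduced in the scripts/upgrade hunk of this commit. In the live lines `$app` is unquoted in `ynh_exec_as $app env "$ynh_node_load_PATH" npm install` while the other expansion is quoted; `ynh_exec_as "$app"` keeps the style uniform. Switching the build to run as `$app` rather than the installing user is the right direction and deserves a one-line why-comment, e.g. `# Build as the app user so npm lifecycle scripts do not run with the installer's privileges`.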
@@ -118,11 +118,16 @@ if [ "$upgrade_type" == "UPGRADE_APP" ]
 then
 ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=16
+ #pushd "$final_path"
+ # ynh_use_nodejs
+ # ynh_exec_warn_less ynh_npm install
+ # ynh_exec_warn_less ynh_npm run build
+ #popd
 pushd "$final_path"
- ynh_use_nodejs
- ynh_exec_warn_less ynh_npm install
- ynh_exec_warn_less ynh_npm run build
- popd
+ ynh_use_nodejs
+ ynh_exec_warn_less ynh_exec_as $app env "$ynh_node_load_PATH" npm install
+ ynh_exec_warn_less ynh_exec_as $app env "$ynh_node_load_PATH" npm run build
+popd
 fi
 #=================================================
From 73cdee2a59f637b4c7593fe6cf56726b4f04fbcb Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Thu, 26 Aug 2021 08:59:41 +0200
Subject: [PATCH 07/10] Update systemd.service
---
 conf/systemd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index 79f170c..93d02cf 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -9,7 +9,7 @@ Group=__APP__
 WorkingDirectory=__FINALPATH__/
 Environment="NODE_ENV=production"
 #Environment="__YNH_NODE_LOAD_PATH__"
-ExecStart=__FINALPATH__/server/bin/prod.js
+ExecStart=__YNH_NODE__ run prod #__FINALPATH__/server/bin/prod.js
 Restart=always
 # Sandboxing options to harden security
From ea1c32de2e63d138a20cfea23f2576cac7d99dc9 Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Thu, 26 Aug 2021 09:07:02 +0200
Subject: [PATCH 08/10] Update systemd.service
---
 conf/systemd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/systemd.service b/conf/systemd.service
index 93d02cf..9f40fd9 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
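Review bot: The rewritten block in scripts/upgrade moves `popd` to column 0 (`+popd`) while the `pushd "$final_path"` it pairs with and the rest of the `if … then … fi` body stay indented, which is valid shell but breaks the indentation the surrounding block uses and makes the pair harder to match by eye; re-indent `popd` to the same depth as `pushd`. The `if` line itself is only the hunk's context header, so the start of that conditional is outside the hunk.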
@@ -9,7 +9,7 @@ Group=__APP__
 WorkingDirectory=__FINALPATH__/
 Environment="NODE_ENV=production"
 #Environment="__YNH_NODE_LOAD_PATH__"
-ExecStart=__YNH_NODE__ run prod #__FINALPATH__/server/bin/prod.js
+ExecStart=__YNH_NODE__ __FINALPATH__/server/bin/prod.js
 Restart=always
 # Sandboxing options to harden security
From 26299ecc909370222fdcad95f73f7b8b2e4b28fc Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Thu, 26 Aug 2021 09:13:39 +0200
Subject: [PATCH 09/10] Update install
---
 scripts/install | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scripts/install b/scripts/install
index 481c670..4e7e32e 100644
--- a/scripts/install
+++ b/scripts/install
@@ -170,6 +170,8 @@ then
 ynh_permission_update --permission "main" --add "visitors"
 fi
+ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --auth_header="false" --show_tile="false" --protected="true"
+
 #=================================================
 # RELOAD NGINX
 #=================================================
From 7dc939b0f0d1109a840c008a03e0640b74737edc Mon Sep 17 00:00:00 2001
From: ericgaspar
Date: Thu, 26 Aug 2021 10:19:01 +0200
Subject: [PATCH 10/10] Update change_url
---
 scripts/change_url | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scripts/change_url b/scripts/change_url
index 8607037..4480004 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -29,6 +29,7 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 # Needed for helper "ynh_add_nginx_config"
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port=$(ynh_app_setting_get --app=$app --key=port)
+redis_db=$(ynh_app_setting_get --app=$app --key=redis_db)
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
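Review bot: `ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --auth_header="false" … --protected="true"` (patch 09) opens `/api` to unauthenticated visitors and, with `--protected`, stops an administrator from restricting it afterwards, so every request under that prefix reaches the application without the portal's authentication and the app's own authorization is the only remaining control. That is a deliberate design choice, not an oversight, and should be recorded at the call site, e.g. `# /api is reachable by unauthenticated visitors on purpose (the web client calls it directly); the app must enforce its own access control on this prefix`. If `--auth_header="false"` is meant to keep identity headers out of those requests, as its name suggests, saying so in the same comment would help. The install steps this relies on are outside the hunk.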
@@ -106,6 +107,7 @@ fi #================================================= ynh_script_progression --message="Adding a configuration file..." --weight=2 +domain=$new_domain ynh_add_config --template="../conf/config.js" --destination="$final_path/server/config.js" chmod 400 "$final_path/server/config.js"