From a0f6846afc7bd94eddd17371a695b6e414ef5a64 Mon Sep 17 00:00:00 2001
From: Jonny McCullagh
Date: Wed, 22 Jun 2022 13:38:33 +0100
Subject: [PATCH] add letsencrypt to single docker image

---
 hosting/letsencrypt/certificate-renew.sh | 13 +++
 hosting/letsencrypt/certificate-request.sh | 24 +++++
 hosting/letsencrypt/nginx-ssl.conf | 94 ++++++++++++++++++
 hosting/letsencrypt/options-ssl-nginx.conf | 13 +++
 hosting/letsencrypt/ssl-dhparams.pem | 8 ++
 hosting/scripts/healthcheck.sh | 33 +++++++
 hosting/single/Dockerfile | 58 ++++++++----
 hosting/single/README.md | 105 +++++++++++++++++++++
 hosting/single/nginx.conf | 19 +++-
 hosting/single/runner.sh | 10 +-
 scripts/cleanup.sh | 2 +-
 11 files changed, 352 insertions(+), 27 deletions(-)
 create mode 100644 hosting/letsencrypt/certificate-renew.sh
 create mode 100644 hosting/letsencrypt/certificate-request.sh
 create mode 100644 hosting/letsencrypt/nginx-ssl.conf
 create mode 100644 hosting/letsencrypt/options-ssl-nginx.conf
 create mode 100644 hosting/letsencrypt/ssl-dhparams.pem
 create mode 100644 hosting/scripts/healthcheck.sh
 create mode 100644 hosting/single/README.md

diff --git a/hosting/letsencrypt/certificate-renew.sh b/hosting/letsencrypt/certificate-renew.sh
new file mode 100644
index 0000000000..a87571884c
--- /dev/null
+++ b/hosting/letsencrypt/certificate-renew.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+CUSTOM_DOMAIN="$1"
+
+if [[ ! -z "${CUSTOM_DOMAIN}" ]]; then
+ certbot certonly --webroot --webroot-path="/var/www/html" \
+ --register-unsafely-without-email \
+ --domains $CUSTOM_DOMAIN \
+ --rsa-key-size 4096 \
+ --agree-tos \
+ --force-renewal
+
+ nginx -s reload
+fi
\ No newline at end of file
diff --git a/hosting/letsencrypt/certificate-request.sh b/hosting/letsencrypt/certificate-request.sh
new file mode 100644
index 0000000000..d029da265f
--- /dev/null
+++ b/hosting/letsencrypt/certificate-request.sh
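Review bot: `nginx -s reload` runs whether or not certbot succeeded, and a renewal script that calls `certonly --force-renewal` re-issues unconditionally on every invocation, which counts against Let's Encrypt's duplicate-certificate limit instead of letting certbot decide whether the certificate is actually due. Since this is the renewal path, `certbot renew --webroot --webroot-path=/var/www/html --quiet && nginx -s reload` keeps both the expiry check and the reload conditional on success. `--domains $CUSTOM_DOMAIN` should be quoted as `"$CUSTOM_DOMAIN"`. Nothing elsewhere in this patch appears to invoke certificate-renew.sh, so a certificate obtained at container start would lapse after 90 days unless a scheduler is added.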
@@ -0,0 +1,24 @@
+#!/bin/bash
+CUSTOM_DOMAIN="$1"
+# Request from Lets Encrypt
+certbot certonly --webroot --webroot-path="/var/www/html" \
+ --register-unsafely-without-email \
+ --domains $CUSTOM_DOMAIN \
+ --rsa-key-size 4096 \
+ --agree-tos \
+ --force-renewal
+
+if (($? != 0)); then
+ echo "ERROR: certbot request failed for $CUSTOM_DOMAIN use http on port 80 - exiting"
+ nginx -s stop
+ exit 1
+else
+ cp /app/letsencrypt/options-ssl-nginx.conf /etc/letsencrypt/options-ssl-nginx.conf
+ cp /app/letsencrypt/ssl-dhparams.pem /etc/letsencrypt/ssl-dhparams.pem
+ cp /app/letsencrypt/nginx-ssl.conf /etc/nginx/sites-available/nginx-ssl.conf
+ sed -i 's/CUSTOM_DOMAIN/$CUSTOM_DOMAIN/g' /etc/nginx/sites-available/nginx-ssl.conf
+ ln -s /etc/nginx/sites-available/nginx-ssl.conf /etc/nginx/sites-enabled/nginx-ssl.conf
+
+ echo "INFO: restart nginx after certbot request"
+ nginx -s reload
+fi
diff --git a/hosting/letsencrypt/nginx-ssl.conf b/hosting/letsencrypt/nginx-ssl.conf
new file mode 100644
index 0000000000..c1a1d91917
--- /dev/null
+++ b/hosting/letsencrypt/nginx-ssl.conf
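Review bot: The `sed -i 's/CUSTOM_DOMAIN/$CUSTOM_DOMAIN/g'` substitution is single-quoted, so the shell never expands `$CUSTOM_DOMAIN` and the generated site file points at `/etc/letsencrypt/live/$CUSTOM_DOMAIN/...` literally; nginx will either treat that as an unknown variable or fail to find the file, so the 443 listener never comes up even after certbot succeeds. Use double quotes with a delimiter that cannot occur in a hostname, `sed -i "s#CUSTOM_DOMAIN#${CUSTOM_DOMAIN}#g" /etc/nginx/sites-available/nginx-ssl.conf`, and make the symlink idempotent with `ln -sf` so a second run on a restarted container does not fail on the existing link. `--force-renewal` on every invocation means each container start re-issues a certificate, which will trip Let's Encrypt's duplicate-certificate rate limit after a handful of restarts; dropping it lets certbot reuse a still-valid certificate. `--domains $CUSTOM_DOMAIN` should also be quoted.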
@@ -0,0 +1,94 @@
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ server_name _;
+ ssl_certificate /etc/letsencrypt/live/CUSTOM_DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/CUSTOM_DOMAIN/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ client_max_body_size 1000m;
+ ignore_invalid_headers off;
+ proxy_buffering off;
+ # port_in_redirect off;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/html;
+ break;
+ }
+ location = /.well-known/acme-challenge/ {
+ return 404;
+ }
+
+ location /app {
+ proxy_pass http://127.0.0.1:4001;
+ }
+
+ location = / {
+ proxy_pass http://127.0.0.1:4001;
+ }
+
+ location ~ ^/(builder|app_) {
+ proxy_http_version 1.1;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.1:4001;
+ }
+
+ location ~ ^/api/(system|admin|global)/ {
+ proxy_pass http://127.0.0.1:4002;
+ }
+
+ location /worker/ {
+ proxy_pass http://127.0.0.1:4002;
+ rewrite ^/worker/(.*)$ /$1 break;
+ }
+
+ location /api/ {
+ # calls to the API are rate limited with bursting
+ limit_req zone=ratelimit burst=20 nodelay;
+
+ # 120s timeout on API requests
+ proxy_read_timeout 120s;
+ proxy_connect_timeout 120s;
+ proxy_send_timeout 120s;
+
+ proxy_http_version 1.1;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://127.0.0.1:4001;
+ }
+
+ location /db/ {
+ proxy_pass http://127.0.0.1:5984;
+ rewrite ^/db/(.*)$ /$1 break;
+ }
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_connect_timeout 300;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+ proxy_pass http://127.0.0.1:9000;
+ }
+
+ client_header_timeout 60;
+ client_body_timeout 60;
+ keepalive_timeout 60;
+
+ # gzip
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+}
diff --git a/hosting/letsencrypt/options-ssl-nginx.conf b/hosting/letsencrypt/options-ssl-nginx.conf
new file mode 100644
index 0000000000..52fdfde245
--- /dev/null
+++ b/hosting/letsencrypt/options-ssl-nginx.conf
@@ -0,0 +1,13 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
diff --git a/hosting/letsencrypt/ssl-dhparams.pem b/hosting/letsencrypt/ssl-dhparams.pem
new file mode 100644
index 0000000000..088f9673dc
--- /dev/null
+++ b/hosting/letsencrypt/ssl-dhparams.pem
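Review bot: The TLS server block sends no `Strict-Transport-Security` header, and nothing in this patch stops the port-80 server in nginx.conf from continuing to proxy the whole application in clear text once a certificate is installed, so browsers that first hit `http://` keep sending session cookies unencrypted. Add `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `include /etc/letsencrypt/options-ssl-nginx.conf;` line, once the plain-HTTP side has been changed to redirect. `location /db/` forwards straight to CouchDB on 5984 with only CouchDB's own authentication in front of it; if that passthrough is deliberately reachable from the internet it deserves a comment saying so, and if it is only needed internally it should not be in the public listener. The `CUSTOM_DOMAIN` token in the two certificate paths is a placeholder rewritten by certificate-request.sh, which a one-line comment above `ssl_certificate` should state so nobody installs this file unprocessed.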
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
\ No newline at end of file
diff --git a/hosting/scripts/healthcheck.sh b/hosting/scripts/healthcheck.sh
new file mode 100644
index 0000000000..fa6f511eb9
--- /dev/null
+++ b/hosting/scripts/healthcheck.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+healthy=true
+
+if [[ $(curl -Lfk -s -w "%{http_code}\n" http://localhost/ -o /dev/null) -ne 200 ]]; then
+ echo 'ERROR: Budibase is not running';
+ healthy=false
+fi
+
+if [[ $(curl -s -w "%{http_code}\n" http://localhost:4001/health -o /dev/null) -ne 200 ]]; then
+ echo 'ERROR: Budibase backend is not running';
+ healthy=false
+fi
+
+if [[ $(curl -s -w "%{http_code}\n" http://localhost:4002/health -o /dev/null) -ne 200 ]]; then
+ echo 'ERROR: Budibase worker is not running';
+ healthy=false
+fi
+
+if [[ $(curl -s -w "%{http_code}\n" http://localhost:5984/ -o /dev/null) -ne 200 ]]; then
+ echo 'ERROR: CouchDB is not running';
+ healthy=false
+fi
+if [[ $(redis-cli -a $REDIS_PASSWORD --no-auth-warning ping) != 'PONG' ]]; then
+ echo 'ERROR: Redis is down';
+ healthy=false
+fi
+# mino, clouseau,
+
+if [ $healthy == true ]; then
+ exit 0
+else
+ exit 1
+fi
diff --git a/hosting/single/Dockerfile b/hosting/single/Dockerfile
index 495f7ef246..fe20eff0b7 100644
--- a/hosting/single/Dockerfile
+++ b/hosting/single/Dockerfile
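Review bot: `redis-cli -a $REDIS_PASSWORD` puts the Redis password on the command line every 15 seconds, where any process in the container can read it from `/proc/<pid>/cmdline` and process listings or crash dumps may capture it; redis-cli reads `REDISCLI_AUTH` from the environment for exactly this reason, so `if [[ $(REDISCLI_AUTH="$REDIS_PASSWORD" redis-cli --no-auth-warning ping) != 'PONG' ]]; then` keeps it out of argv. `$REDIS_PASSWORD` is also unquoted, so a password containing whitespace would split into extra arguments. `-k` on the first curl is a no-op for a plain `http://` URL and can be dropped, and the `# mino, clouseau,` line reads as a TODO and would be clearer as `# TODO: add minio and clouseau checks`.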
@@ -1,7 +1,7 @@
 FROM node:14-slim as build
 
 # install node-gyp dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends g++ make python
+RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends apt-utils g++ make python
 
 # add pin script
 WORKDIR /
@@ -25,28 +25,31 @@ ARG TARGETARCH amd64
 COPY --from=build /app /app
 COPY --from=build /worker /worker
 
-ENV DEPLOYMENT_ENVIRONMENT=docker \
- POSTHOG_TOKEN=phc_fg5I3nDOf6oJVMHSaycEhpPdlgS8rzXG2r6F2IpxCHS \
+ENV \
+ APP_PORT=4001 \
+ ARCHITECTURE=amd \
+ BUDIBASE_ENVIRONMENT=PRODUCTION \
+ CLUSTER_PORT=80 \
 COUCHDB_PASSWORD=budibase \
 COUCHDB_USER=budibase \
 COUCH_DB_URL=http://budibase:budibase@localhost:5984 \
- BUDIBASE_ENVIRONMENT=PRODUCTION \
- MINIO_URL=http://localhost:9000 \
- REDIS_URL=localhost:6379 \
- WORKER_URL=http://localhost:4002 \
+ CUSTOM_DOMAIN=budi001.custom.com \
+ DEPLOYMENT_ENVIRONMENT=docker \
 INTERNAL_API_KEY=budibase \
 JWT_SECRET=testsecret \
 MINIO_ACCESS_KEY=budibase \
 MINIO_SECRET_KEY=budibase \
- SELF_HOSTED=1 \
- CLUSTER_PORT=10000 \
+ MINIO_URL=http://localhost:9000 \
+ POSTHOG_TOKEN=phc_fg5I3nDOf6oJVMHSaycEhpPdlgS8rzXG2r6F2IpxCHS \
 REDIS_PASSWORD=budibase \
- APP_PORT=4001 \
- WORKER_PORT=4002
+ REDIS_URL=localhost:6379 \
+ SELF_HOSTED=1 \
+ WORKER_PORT=4002 \
+ WORKER_URL=http://localhost:4002
 
 # install base dependencies
 RUN apt-get update && \
- apt-get install software-properties-common wget -y && \
+ apt-get install -y software-properties-common wget nginx && \
 apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && \
 apt-get update
 
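Review bot: `CUSTOM_DOMAIN=budi001.custom.com` bakes a placeholder hostname into the image, so a container started without overriding it (as the README's `docker run` example does) runs certificate-request.sh against a domain the operator does not control, fails the HTTP-01 challenge on every start, and burns Let's Encrypt's failed-validation allowance; the README's statement that omitting the variable skips the request only holds if the default is empty. Drop the line, or set `CUSTOM_DOMAIN= \` so the `[[ ! -z "${CUSTOM_DOMAIN}" ]]` check in runner.sh is genuinely opt-in. The credential defaults here (`JWT_SECRET=testsecret`, `COUCHDB_PASSWORD`, `MINIO_SECRET_KEY`, `REDIS_PASSWORD`, `INTERNAL_API_KEY`) are pre-existing, but this commit now documents the image as a directly internet-facing deployment, so a comment marking them as build-time placeholders that must be overridden at run time would help, since the README currently tells users to edit them in the Dockerfile.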
@@ -54,15 +57,14 @@ RUN apt-get update && \
 WORKDIR /nodejs
 RUN curl -sL https://deb.nodesource.com/setup_16.x -o /tmp/nodesource_setup.sh && \
 bash /tmp/nodesource_setup.sh && \
- apt-get install libaio1 nodejs nginx openjdk-8-jdk redis-server unzip -y && \
+ apt-get install -y libaio1 nodejs nginx openjdk-8-jdk redis-server unzip && \
 npm install --global yarn pm2
 
 # setup nginx
 ADD hosting/single/nginx.conf /etc/nginx
-RUN mkdir /etc/nginx/logs && \
- useradd www && \
- touch /etc/nginx/logs/error.log && \
- touch /etc/nginx/logs/nginx.pid
+RUN mkdir -p /var/log/nginx && \
+ touch /var/log/nginx/error.log && \
+ touch /var/run/nginx.pid
 
 WORKDIR /
 RUN mkdir -p scripts/integrations/oracle
@@ -95,14 +97,34 @@ RUN chmod +x install.sh && ./install.sh
 WORKDIR /
 ADD hosting/single/runner.sh .
 RUN chmod +x ./runner.sh
+ADD hosting/scripts/healthcheck.sh .
+RUN chmod +x ./healthcheck.sh
 
 # cleanup cache
 RUN yarn cache clean -f
 
-EXPOSE 10000
+EXPOSE 80
+EXPOSE 443
 VOLUME /opt/couchdb/data
 VOLUME /minio
 
+# setup letsencrypt certificate
+RUN apt-get install -y certbot python3-certbot-nginx
+ADD hosting/letsencrypt /app/letsencrypt
+RUN chmod +x /app/letsencrypt/certificate-request.sh /app/letsencrypt/certificate-renew.sh
+# Remove cached files
+RUN rm -rf \
+ /root/.cache \
+ /root/.npm \
+ /root/.pip \
+ /usr/local/share/doc \
+ /usr/share/doc \
+ /usr/share/man \
+ /var/lib/apt/lists/* \
+ /tmp/*
+
+HEALTHCHECK --interval=15s --timeout=15s --start-period=45s CMD "/healthcheck.sh"
+
 # must set this just before running
 ENV NODE_ENV=production
 WORKDIR /
diff --git a/hosting/single/README.md b/hosting/single/README.md
new file mode 100644
index 0000000000..d62359a628
--- /dev/null
+++ b/hosting/single/README.md
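Review bot: The image installs `certbot` and ships certificate-renew.sh, but as far as this patch shows nothing ever runs it: no cron daemon is installed or started, there is no systemd to fire the certbot package's renewal timer, and runner.sh only calls certificate-request.sh, so a certificate issued at boot expires after 90 days unless the container happens to be restarted. Either `apt-get install -y cron`, start it from runner.sh and drop an `/etc/cron.d/certbot-renew` entry, or schedule the script through pm2, e.g. `pm2 start --name certbot-renew --cron "0 3 * * *" --no-autorestart "/app/letsencrypt/certificate-renew.sh $CUSTOM_DOMAIN"`. `python3-certbot-nginx` is not used by either script (both drive certbot with `--webroot`) and can be removed to keep the attack surface and image size down. The shell-form `CMD "/healthcheck.sh"` works but spawns an extra `sh -c`; the exec form `CMD ["/healthcheck.sh"]` is the usual choice.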
@@ -0,0 +1,105 @@
+# Docker Single Image for Budibase
+
+## Overview
+As an alternative to running several docker containers via docker-compose, the files under ./hosting/single can be used to build a docker image containing all of the Budibase components (minio, couch, clouseau etc).
+We call this the 'single image' container as the Dockerfile adds all the components to a single docker image.
+
+
+## Usage
+
+- Amend Environment Variables
+- Build Requirements
+- Build the Image
+- Run the Container
+
+### Amend Environment Variables
+
+Edit the Dockerfile in this directory amending the environment variables to suit your usage. Pay particular attention to changing passwords.
+The CUSTOM_DOMAIN variable will be used to request a certificate from LetsEncrypt and if successful you can point traffic to port 443. If you choose to use the CUSTOM_DOMAIN variable ensure that the DNS for your custom domain points to the public IP address where you are running Budibase - otherwise the certificate issuance will fail.
+If you have other arrangements for a proxy in front of the single image container you can omit the CUSTOM_DOMAIN environment variable and the request to LetsEncrypt will be skipped. You can then point traffic to port 80.
+
+### Build Requirements
+We would suggest building the image with 6GB of RAM and 20GB of free disk space for build artifacts. The resulting image size will use approx 2GB of disk space.
+
+### Build the Image
+The guidance below is based on building the Budibase single image on Debian 11. If you use another distro or OS you will need to amend the commands to suit.
+Install Node
+Budibase requires a recent version of node (14+) than is in the base Debian repos so:
+
+```
+curl -sL https://deb.nodesource.com/setup_16.x | sudo bash -
+apt install -y nodejs
+node -v
+```
+Install yarn and lerna:
+```
+npm install -g yarn jest lerna
+```
+Install Docker
+```
+apt install -y docker.io
+apt install -y python3-pip
+pip3 install docker-compose
+```
+Check the versions of each installed version. This process was tested with the version numbers below so YMMV using anything else:
+
+- Docker: 20.10.5
+- docker-compose: 1.29.2
+- node: 16.15.1
+- yarn: 1.22.19
+- lerna: 5.1.4
+
+Clone the Budibase repo
+```
+git clone https://github.com/Budibase/budibase.git
+cd budibase
+```
+Node setup:
+```
+node ./hosting/scripts/setup.js
+yarn
+yarn bootstrap
+yarn build
+```
+
+Build the image from the Dockerfile:
+
+```
+yarn build:docker:single
+```
+If the docker build step fails run that step again manually with:
+```
+docker build --no-cache -t budibase:latest -f ./hosting/single/Dockerfile .
+```
+
+### Run the Container
+```
+docker run -d -p 80:80 -p 443:443 --name budibase budibase:latest
+```
+Where:
+- -d runs the container in detached mode
+- -p forwards ports from your host to the ports inside the container. If you are already using port 80 on your host for something else you can try running with an alternative port e.g. `-p 8080:80`
+- --name is the name for the container as shown in `docker ps` and can be used with other docker commands e.g. `docker restart budibase`
+
+When the container runs you should be able to access the container over http at your host address e.g. http://1.2.3.4/ or using your custom domain e.g. https://my.custom.domain/
+
+When the Budibase UI appears you will be prompted to create an account to get started.
+
+### Check
+There are many things that could go wrong so if your container is not building or running as expected please check the following before opening a support issue.
+Verify the healthcheck status of the container:
+```
+docker ps
+```
+Check the container logs:
+```
+docker logs budibase
+```
+
+
+### Support
+This single image build is still a work-in-progress so if you open an issue please provide the following information:
+- The OS and OS version you are building on
+- The versions you are using of docker, docker-compose, yarn, node, lerna
+- For build errors please provide zipped output
+- For container errors please provide zipped container logs
diff --git a/hosting/single/nginx.conf b/hosting/single/nginx.conf
index 86938ced4e..42d20dd14a 100644
--- a/hosting/single/nginx.conf
+++ b/hosting/single/nginx.conf
@@ -1,6 +1,6 @@
-user www www;
-error_log /etc/nginx/logs/error.log;
-pid /etc/nginx/logs/nginx.pid;
+user www-data www-data;
+error_log /var/log/nginx/error.log;
+pid /var/run/nginx.pid;
 
 worker_processes auto;
 worker_rlimit_nofile 8192;
@@ -33,14 +33,23 @@ http {
 }
 
 server {
- listen 10000 default_server;
- listen [::]:10000 default_server;
+ listen 80 default_server;
+ listen [::]:80 default_server;
 server_name _;
 client_max_body_size 1000m;
 ignore_invalid_headers off;
 proxy_buffering off;
 # port_in_redirect off;
 
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/html;
+ break;
+ }
+ location = /.well-known/acme-challenge/ {
+ return 404;
+ }
+
 location /app {
 proxy_pass http://127.0.0.1:4001;
 }
diff --git a/hosting/single/runner.sh b/hosting/single/runner.sh
index fab8431796..fe71d4c915 100644
--- a/hosting/single/runner.sh
+++ b/hosting/single/runner.sh
@@ -2,6 +2,11 @@ redis-server --requirepass $REDIS_PASSWORD &
 /opt/clouseau/bin/clouseau &
 /minio/minio server /minio &
 /docker-entrypoint.sh /opt/couchdb/bin/couchdb &
+/etc/init.d/nginx restart
+if [[ ! -z "${CUSTOM_DOMAIN}" ]]; then
+ /app/letsencrypt/certificate-request.sh ${CUSTOM_DOMAIN}
+fi
+
 /etc/init.d/nginx restart
 pushd app
 pm2 start --name app "yarn run:docker"
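Review bot: The port-80 server still proxies every location after a certificate has been obtained, so a deployment that sets CUSTOM_DOMAIN serves the builder, the API and its session cookies over both HTTPS and plain HTTP, and nothing steers clients to the TLS listener. When a certificate is in place the plain server should keep only the `/.well-known/acme-challenge/` location and answer everything else with `return 301 https://$host$request_uri;`; because the README also supports running on port 80 alone behind an external proxy, that redirect has to be switched on together with the certificate (for example a second site file installed by certificate-request.sh), which this patch does not provide. A short comment above the new ACME block saying that it must stay reachable over plain HTTP for renewals would stop a later "redirect everything" change from breaking issuance.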
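Review bot: When certificate-request.sh fails it runs `nginx -s stop`, and the unconditional `/etc/init.d/nginx restart` on the next line brings nginx straight back on port 80 without TLS, so a failed issuance silently degrades the deployment to plain HTTP and only a log line records it. If CUSTOM_DOMAIN is set the operator has explicitly asked for TLS, so the failure should at least be loud, e.g. `/app/letsencrypt/certificate-request.sh "${CUSTOM_DOMAIN}" || echo "WARN: certificate request for ${CUSTOM_DOMAIN} failed, serving plain HTTP only" >&2`, and arguably fatal. `${CUSTOM_DOMAIN}` is passed unquoted here as well. The first `/etc/init.d/nginx restart` before the request exists so the HTTP-01 challenge can be answered; a comment such as `# nginx must be up on port 80 to serve the ACME challenge` would save the next reader from removing the apparent duplicate.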
@@ -10,7 +15,6 @@ pushd worker
 pm2 start --name worker "yarn run:docker"
 popd
 sleep 10
-URL=http://${COUCHDB_USER}:${COUCHDB_PASSWORD}@localhost:5984
-curl -X PUT ${URL}/_users
-curl -X PUT ${URL}/_replicator
+curl -X PUT ${COUCH_DB_URL}/_users
+curl -X PUT ${COUCH_DB_URL}/_replicator
 sleep infinity
\ No newline at end of file
diff --git a/scripts/cleanup.sh b/scripts/cleanup.sh
index 94a3d7e2be..76723c7c5b 100644
--- a/scripts/cleanup.sh
+++ b/scripts/cleanup.sh
@@ -13,4 +13,4 @@ do
 mv /$keepDir $dir/ 2>/dev/null
 done
 cd $dir
-NODE_ENV=production yarn
+NODE_ENV=production yarn
\ No newline at end of file