diff --git a/hosting/letsencrypt/certificate-request.sh b/hosting/letsencrypt/certificate-request.sh
index d029da265f..ef260d17dd 100644
--- a/hosting/letsencrypt/certificate-request.sh
+++ b/hosting/letsencrypt/certificate-request.sh
@@ -16,7 +16,7 @@ else
 cp /app/letsencrypt/options-ssl-nginx.conf /etc/letsencrypt/options-ssl-nginx.conf
 cp /app/letsencrypt/ssl-dhparams.pem /etc/letsencrypt/ssl-dhparams.pem
 cp /app/letsencrypt/nginx-ssl.conf /etc/nginx/sites-available/nginx-ssl.conf
- sed -i 's/CUSTOM_DOMAIN/$CUSTOM_DOMAIN/g' /etc/nginx/sites-available/nginx-ssl.conf
+ sed -i "s/CUSTOM_DOMAIN/$CUSTOM_DOMAIN/g" /etc/nginx/sites-available/nginx-ssl.conf
 ln -s /etc/nginx/sites-available/nginx-ssl.conf /etc/nginx/sites-enabled/nginx-ssl.conf
 echo "INFO: restart nginx after certbot request"
diff --git a/hosting/letsencrypt/nginx-ssl.conf b/hosting/letsencrypt/nginx-ssl.conf
index c1a1d91917..50c5e0198a 100644
--- a/hosting/letsencrypt/nginx-ssl.conf
+++ b/hosting/letsencrypt/nginx-ssl.conf
@@ -6,6 +6,7 @@ server {
 ssl_certificate_key /etc/letsencrypt/live/CUSTOM_DOMAIN/privkey.pem;
 include /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ client_max_body_size 1000m;
 ignore_invalid_headers off;
 proxy_buffering off;
@@ -91,4 +92,5 @@ server {
 gzip_proxied any;
 gzip_comp_level 6;
 gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
 }
diff --git a/hosting/scripts/healthcheck.sh b/hosting/scripts/healthcheck.sh
index fa6f511eb9..80f2ece0b6 100644
--- a/hosting/scripts/healthcheck.sh
+++ b/hosting/scripts/healthcheck.sh
@@ -25,6 +25,13 @@ if [[ $(redis-cli -a $REDIS_PASSWORD --no-auth-warning ping) != 'PONG' ]]; then
 healthy=false
 fi
 # mino, clouseau,
+nginx -t -q
+NGINX_STATUS=$?
+
+if [[ $NGINX_STATUS -gt 0 ]]; then
+ echo 'ERROR: Nginx config problem';
+ healthy=false
+fi
 if [ $healthy == true ]; then
 exit 0
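Review bot: `$CUSTOM_DOMAIN` now expands, but on the `+ sed -i` line it is spliced unescaped into the sed `s///` expression, so a value containing `/`, `&` or `\` breaks or silently alters the substitution, and an unset or empty value writes paths like `/etc/letsencrypt/live//privkey.pem` into nginx-ssl.conf without any error. The value comes from the environment, so validate it before use: `: "${CUSTOM_DOMAIN:?CUSTOM_DOMAIN must be set}"` followed by `[[ "$CUSTOM_DOMAIN" =~ ^[A-Za-z0-9.-]+$ ]] || { echo "ERROR: invalid CUSTOM_DOMAIN" >&2; exit 1; }` restricts it to hostname characters, none of which can collide with the sed delimiter. The enclosing `else` branch starts and ends outside the hunk.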
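Review bot: `client_max_body_size 1000m;` is added at server scope, so the 1 GB request-body ceiling applies to every location this TLS server proxies, not just to whichever route actually accepts large uploads. It matches the value in hosting/single/default, but a server-wide limit lets any client push 1 GB bodies at every backend; if only one route needs it, move the directive into that `location` block and leave nginx's default in force elsewhere. If it is intentionally global, a one-line comment above it naming the feature that requires 1 GB uploads would spare the next reader the question.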
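Review bot: `nginx -t -q` only validates the configuration on disk; it says nothing about whether the nginx process is running or accepting connections, so a stopped nginx with a valid config still passes this healthcheck. If the check is meant as a liveness signal, pair it with a request against the local listener (the `default` file added in this commit binds port 80), e.g. `curl -sf -o /dev/null http://127.0.0.1/ || { echo 'ERROR: Nginx not responding'; healthy=false; }` — this assumes curl is present in the runtime image, which the Dockerfile's build steps suggest but do not guarantee. The `NGINX_STATUS` temporary is also unnecessary: `if ! nginx -t -q; then` tests the exit status directly, and where a comparison is kept `-ne 0` is the conventional form since exit statuses are never negative. The trailing `;` after the `echo` line is harmless but stray.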
diff --git a/hosting/single/Dockerfile b/hosting/single/Dockerfile
index 24e90fc818..1b97c200eb 100644
--- a/hosting/single/Dockerfile
+++ b/hosting/single/Dockerfile
@@ -33,7 +33,7 @@ ENV \
 COUCHDB_PASSWORD=budibase \
 COUCHDB_USER=budibase \
 COUCH_DB_URL=http://budibase:budibase@localhost:5984 \
- CUSTOM_DOMAIN=budi001.custom.com \
+ # CUSTOM_DOMAIN=budi001.custom.com \
 DEPLOYMENT_ENVIRONMENT=docker \
 INTERNAL_API_KEY=budibase \
 JWT_SECRET=testsecret \
@@ -62,6 +62,7 @@ RUN curl -sL https://deb.nodesource.com/setup_16.x -o /tmp/nodesource_setup.sh &
 # setup nginx
 ADD hosting/single/nginx.conf /etc/nginx
+ADD hosting/single/default /etc/nginx/sites-enabled
 RUN mkdir -p /var/log/nginx && \
 touch /var/log/nginx/error.log && \
 touch /var/run/nginx.pid
diff --git a/hosting/single/default b/hosting/single/default
new file mode 100644
index 0000000000..964313fa73
--- /dev/null
+++ b/hosting/single/default
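Review bot: The commented-out `# CUSTOM_DOMAIN=budi001.custom.com \` line sits in the middle of a backslash-continued `ENV` instruction; Docker removes comment lines before joining continuations, so the build should still succeed, but a comment carrying a trailing `\` is easy to misread as an active continuation and gives no hint why the variable was disabled. Either drop the line entirely or document the variable beside the instruction with a plain comment such as `# CUSTOM_DOMAIN is optional; set it at run time to enable the Let's Encrypt flow` and no trailing backslash. The surrounding context also shows `COUCHDB_PASSWORD`, `INTERNAL_API_KEY` and `JWT_SECRET` baked into the image as defaults; those lines predate this change, but the same comment is a good place to state that they must be overridden outside development.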
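Review bot: `ADD hosting/single/default /etc/nginx/sites-enabled` copies a plain local file, for which `COPY` is the recommended instruction; `ADD` additionally unpacks archives and fetches URLs, neither of which is wanted here. The preceding `ADD hosting/single/nginx.conf /etc/nginx` has the same shape, so changing both to `COPY` keeps the section consistent. Because nginx.conf now globs `/etc/nginx/sites-enabled/*`, a short comment above this line noting that anything placed in that directory becomes live server configuration would help the next person who adds a file there.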
@@ -0,0 +1,94 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ client_max_body_size 1000m;
+ ignore_invalid_headers off;
+ proxy_buffering off;
+ # port_in_redirect off;
+
+ location ^~ /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/html;
+ break;
+ }
+ location = /.well-known/acme-challenge/ {
+ return 404;
+ }
+
+ location /app {
+ proxy_pass http://127.0.0.1:4001;
+ }
+
+ location = / {
+ proxy_pass http://127.0.0.1:4001;
+ }
+
+ location ~ ^/(builder|app_) {
+ proxy_http_version 1.1;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass http://127.0.0.1:4001;
+ }
+
+ location ~ ^/api/(system|admin|global)/ {
+ proxy_pass http://127.0.0.1:4002;
+ }
+
+ location /worker/ {
+ proxy_pass http://127.0.0.1:4002;
+ rewrite ^/worker/(.*)$ /$1 break;
+ }
+
+ location /api/ {
+ # calls to the API are rate limited with bursting
+ limit_req zone=ratelimit burst=20 nodelay;
+
+ # 120s timeout on API requests
+ proxy_read_timeout 120s;
+ proxy_connect_timeout 120s;
+ proxy_send_timeout 120s;
+
+ proxy_http_version 1.1;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ proxy_pass http://127.0.0.1:4001;
+ }
+
+ location /db/ {
+ proxy_pass http://127.0.0.1:5984;
+ rewrite ^/db/(.*)$ /$1 break;
+ }
+
+ location / {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_connect_timeout 300;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ chunked_transfer_encoding off;
+ proxy_pass http://127.0.0.1:9000;
+ }
+
+ client_header_timeout 60;
+ client_body_timeout 60;
+ keepalive_timeout 60;
+
+ # gzip
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+
+
+}
diff --git a/hosting/single/nginx.conf b/hosting/single/nginx.conf
index 42d20dd14a..1e5d1c20d2 100644
--- a/hosting/single/nginx.conf
+++ b/hosting/single/nginx.conf
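Review bot: `location /db/` forwards every request under `/db/` to CouchDB on `127.0.0.1:5984` with the prefix stripped, and unlike `/api/` it carries no `limit_req`, so the database's HTTP API is reachable on the public port-80 listener at full rate, gated only by whatever CouchDB itself enforces. This block appears to be moved verbatim from hosting/single/nginx.conf rather than newly written, but now that it lives in its own file it is the right place to record the decision: either add `limit_req zone=ratelimit burst=20 nodelay;` to `/db/` as `/api/` has, or a comment stating that `/db/` is intentionally unthrottled and relies on CouchDB authentication. The server-scope `client_max_body_size 1000m;` likewise applies to `/db/` and the acme-challenge locations; if the 1 GB limit exists for one upload route, scoping it to that `location` narrows the exposure.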
@@ -32,94 +32,6 @@ http {
 default "upgrade";
 }
- server {
- listen 80 default_server;
- listen [::]:80 default_server;
- server_name _;
- client_max_body_size 1000m;
- ignore_invalid_headers off;
- proxy_buffering off;
- # port_in_redirect off;
+ include /etc/nginx/sites-enabled/*;
- location ^~ /.well-known/acme-challenge/ {
- default_type "text/plain";
- root /var/www/html;
- break;
- }
- location = /.well-known/acme-challenge/ {
- return 404;
- }
-
- location /app {
- proxy_pass http://127.0.0.1:4001;
- }
-
- location = / {
- proxy_pass http://127.0.0.1:4001;
- }
-
- location ~ ^/(builder|app_) {
- proxy_http_version 1.1;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://127.0.0.1:4001;
- }
-
- location ~ ^/api/(system|admin|global)/ {
- proxy_pass http://127.0.0.1:4002;
- }
-
- location /worker/ {
- proxy_pass http://127.0.0.1:4002;
- rewrite ^/worker/(.*)$ /$1 break;
- }
-
- location /api/ {
- # calls to the API are rate limited with bursting
- limit_req zone=ratelimit burst=20 nodelay;
-
- # 120s timeout on API requests
- proxy_read_timeout 120s;
- proxy_connect_timeout 120s;
- proxy_send_timeout 120s;
-
- proxy_http_version 1.1;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_pass http://127.0.0.1:4001;
- }
-
- location /db/ {
- proxy_pass http://127.0.0.1:5984;
- rewrite ^/db/(.*)$ /$1 break;
- }
-
- location / {
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_connect_timeout 300;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- chunked_transfer_encoding off;
- proxy_pass http://127.0.0.1:9000;
- }
-
- client_header_timeout 60;
- client_body_timeout 60;
- keepalive_timeout 60;
-
- # gzip
- gzip on;
- gzip_vary on;
- gzip_proxied any;
- gzip_comp_level 6;
- gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
- }
 }
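Review bot: `include /etc/nginx/sites-enabled/*;` loads whatever happens to be in that directory, and nginx accepts a wildcard include that matches nothing, so an image built without hosting/single/default (or a deployment that removes it) starts cleanly with no `server` block and quietly serves nothing on port 80 — the inline block it replaces could not fail that way. The same directory is where certificate-request.sh symlinks nginx-ssl.conf, so this one line is now the coupling point for both the HTTP and, after certbot runs, the HTTPS server; a comment above it such as `# loads hosting/single/default (HTTP) and, once certbot has run, nginx-ssl.conf (HTTPS)` would make that visible. The `default` file references `$connection_upgrade` from the `map` that ends just above the include, and `limit_req zone=ratelimit`, whose zone is presumably defined earlier in this `http` block outside the hunk — worth confirming both remain in scope for included files.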