From a5fd3f0ebee196ef1d7e9d881a46bd5a5eb8f555 Mon Sep 17 00:00:00 2001 From: Conor Wyse Date: Thu, 13 Feb 2020 11:41:55 +0100 Subject: [PATCH 01/11] Use a more generic name for the Docker registry By using a Jenkins env var we can have the same (or very similar) Jenkinsfiles in the 'secure' and 'master' branches. --- Jenkinsfile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 40498ac9..4f71e1a7 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -14,6 +14,7 @@ def tryStep(String message, Closure block, Closure tearDown = null) { } } +String IMAGE_NAME = "${DOCKER_REGISTRY_NO_PROTOCOL}/fixxx/schuldhulp:${env.BUILD_NUMBER}" node { stage("Checkout") { @@ -37,7 +38,7 @@ node { sh 'echo SOURCE_COMMIT := $commit_id >> .build' println commit_id echo 'end git version' - def image = docker.build("build.app.amsterdam.nl:5000/fixxx/schuldhulp:${env.BUILD_NUMBER}") + def image = docker.build("${IMAGE_NAME}") image.push() } @@ -53,7 +54,7 @@ if (BRANCH == "master") { node { stage('Push acceptance image') { tryStep "image tagging", { - def image = docker.image("build.app.amsterdam.nl:5000/fixxx/schuldhulp:${env.BUILD_NUMBER}") + def image = docker.image("${IMAGE_NAME}") image.pull() image.push("acceptance") image.push("production") @@ -82,7 +83,7 @@ if (BRANCH == "master") { node { stage('Push production image') { tryStep "image tagging", { - def image = docker.image("build.app.amsterdam.nl:5000/fixxx/schuldhulp:${env.BUILD_NUMBER}") + def image = docker.image("${IMAGE_NAME}") image.pull() image.push("production") image.push("latest") From f17e747b82d2fb64458b415284defc44da9653d2 Mon Sep 17 00:00:00 2001 From: Maarten de Keizer Date: Tue, 25 Aug 2020 11:32:38 +0200 Subject: [PATCH 02/11] Use master branch for deployments --- Jenkinsfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Jenkinsfile b/Jenkinsfile index 8cfd9b84..e7d8df5e 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
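Review bot: `String IMAGE_NAME = "${DOCKER_REGISTRY_NO_PROTOCOL}/fixxx/schuldhulp:${env.BUILD_NUMBER}"` in the first hunk reads the registry as a bare script binding while the same line reads `env.BUILD_NUMBER`; if that environment variable is not defined for a branch the script fails at evaluation with a missing-property error rather than a readable message, so `env.DOCKER_REGISTRY_NO_PROTOCOL` plus an explicit guard such as `if (!env.DOCKER_REGISTRY_NO_PROTOCOL) error 'DOCKER_REGISTRY_NO_PROTOCOL is not set'` would be clearer and consistent. The `docker.build("${IMAGE_NAME}")` and `docker.image("${IMAGE_NAME}")` calls in the other three hunks wrap an existing String in a GString for no reason; `docker.build(IMAGE_NAME)` reads the same. Separately, the two promotion stages pull the image back by the mutable `:${BUILD_NUMBER}` tag and re-push it as `acceptance`/`production`, so what gets promoted is whatever the registry serves for that tag at that moment rather than the artefact this build produced; recording the pushed digest (e.g. via `docker inspect --format '{{index .RepoDigests 0}}'`) and pulling by digest would pin it. The `node { }` blocks containing the later hunks start and end outside them.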
@@ -47,7 +47,7 @@ node { String BRANCH = "${env.BRANCH_NAME}" -if (BRANCH == "dpsecure") { +if (BRANCH == "master") { node { stage('Push acceptance image') { From 07427d185e88c8504f82c23268efb18c0c7815e5 Mon Sep 17 00:00:00 2001 From: Maarten de Keizer Date: Wed, 16 Sep 2020 16:13:53 +0200 Subject: [PATCH 03/11] Seperate IP addresses for Allegro production and test --- docker-entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index df426aea..24567f7a 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -5,7 +5,8 @@ echo "Environment: $APP_ENV" set -u -echo "10.16.136.56 schuldhulp.sociaal.amsterdam.nl schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +echo "10.16.130.3 schuldhulp.sociaal.amsterdam.nl" >> /etc/hosts echo 'Dumping hosts file:' cat /etc/hosts From ddd2e9487c9e21608f713636c62dd384ee576db7 Mon Sep 17 00:00:00 2001 From: Maarten de Keizer Date: Fri, 25 Sep 2020 09:03:04 +0200 Subject: [PATCH 04/11] Add empty Access-Control-Allow-Origin header so Datapunt load ballancer will not this header with wildcard specification --- docker/nginx/vhost.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docker/nginx/vhost.conf b/docker/nginx/vhost.conf index 6242b51e..04eda541 100644 --- a/docker/nginx/vhost.conf +++ b/docker/nginx/vhost.conf @@ -3,6 +3,10 @@ server { listen 0.0.0.0:80; root /srv/app/public; + # Sent empty access control header + # If we don't sent this empty header Datapunt loadballancer will add an Access-Control-Allow-Origin: * header, which is a security risk + add_header Access-Control-Allow-Origin " "; + location / { try_files $uri /index.php$is_args$args; } 
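Review bot: The two `echo ... >> /etc/hosts` lines pin an external dependency's internal IP addresses into the image's entrypoint, and patches 06, 07, 08, 10 and 11 in this series then flip those addresses back and forth by commenting lines in and out (`# hent change 1`, `# hent change 2`), which leaves dead configuration that nobody can tell is current. The mapping is environment configuration and is better carried by the orchestration layer (Docker `--add-host`, compose `extra_hosts`, or DNS) so that an address change does not require rebuilding and redeploying the image. Appending unconditionally also means that if the runtime already injected an entry for the same hostname, which line wins depends on resolver order (the first match is generally used), so an override here could silently have no effect. At minimum a comment above these lines naming what each address is for and where it is tracked, e.g. `# Allegro test (ft) and production endpoints; source of truth: <infra ticket placeholder>`, would help the next editor.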
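Review bot: `add_header Access-Control-Allow-Origin " ";` only reaches responses with a 2xx/3xx status, because nginx's `add_header` skips other statuses unless `always` is given, so 4xx/5xx responses from the application still go out without the header and the load balancer described in the commit message is free to add its wildcard to them; `add_header Access-Control-Allow-Origin " " always;` closes that gap, and the same applies to the second hunk in the 443 server block. A single space is not a valid origin and browsers treat it as a CORS failure, so this effectively denies all cross-origin access; that is presumably the intent and worth stating in the comment, e.g. `# Deliberately invalid value: denies all cross-origin access and stops the upstream balancer from injecting '*'`. The comment text also has typos (`Sent` → `Sends`, `loadballancer` → `load balancer`).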
@@ -33,6 +37,10 @@ server { root /srv/app/public; + # Sent empty access control header + # If we don't sent this empty header Datapunt loadballancer will add an Access-Control-Allow-Origin: * header, which is a security risk + add_header Access-Control-Allow-Origin " "; + ssl on; ssl_certificate /srv/localhost.crt; From 748cb538e4d47f805a47b3730ddd64ab635e6395 Mon Sep 17 00:00:00 2001 From: Maarten de Keizer Date: Fri, 25 Sep 2020 09:46:36 +0200 Subject: [PATCH 05/11] Add Access-Control-Allow-Origin based on environment to prevent issues with invalid headers --- docker-entrypoint.sh | 2 +- docker/nginx/vhost-acceptance.conf | 72 ++++++++++++++++++++++++++++++ docker/nginx/vhost-dev.conf | 68 ++++++++++++++++++++++++++++ docker/nginx/vhost-production.conf | 72 ++++++++++++++++++++++++++++++ docker/nginx/vhost.conf | 8 ---- 5 files changed, 213 insertions(+), 9 deletions(-) create mode 100644 docker/nginx/vhost-acceptance.conf create mode 100644 docker/nginx/vhost-dev.conf create mode 100644 docker/nginx/vhost-production.conf diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 24567f7a..782fc30f 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -32,7 +32,7 @@ chown -R www-data:www-data var rm /etc/nginx/conf.d/default.conf cp docker/nginx/nginx.conf /etc/nginx/nginx.conf -cp docker/nginx/vhost.conf /etc/nginx/conf.d/vhost.conf +cp docker/nginx/vhost-$APP_ENV.conf /etc/nginx/conf.d/vhost.conf cp docker/nginx/localhost.crt /srv/localhost.crt cp docker/nginx/localhost.key /srv/localhost.key diff --git a/docker/nginx/vhost-acceptance.conf b/docker/nginx/vhost-acceptance.conf new file mode 100644 index 00000000..dfdbb492 --- /dev/null +++ b/docker/nginx/vhost-acceptance.conf 
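Review bot: `cp docker/nginx/vhost-$APP_ENV.conf /etc/nginx/conf.d/vhost.conf` takes the config file name straight from the environment with no check that `$APP_ENV` is one of the three values that exist (`dev`, `acceptance`, `production`); `set -u` only catches an unset variable, so a mistyped or new value makes the `cp` fail after `default.conf` has already been removed two lines earlier, and whether the container then starts with no vhost at all depends on the script's error handling, which starts outside this hunk. A `case` that validates the value and exits early keeps an unexpected environment from running with a config it did not ask for, and quoting the expansion is the usual practice.
```sh
case "$APP_ENV" in
    dev|acceptance|production) ;;
    *) echo "Unsupported APP_ENV '$APP_ENV'; expected dev, acceptance or production" >&2; exit 1 ;;
esac
cp "docker/nginx/vhost-$APP_ENV.conf" /etc/nginx/conf.d/vhost.conf
# … unchanged: certificate and key copies …
```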
@@ -0,0 +1,72 @@
+server {
+ server_name _;
+ listen 0.0.0.0:80;
+ root /srv/app/public;
+
+ add_header Access-Control-Allow-Origin https://acc.schulddossier.amsterdam.nl;
+
+ location / {
+ try_files $uri /index.php$is_args$args;
+ }
+
+ location ~ ^/index\.php(/|$) {
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ internal;
+ }
+
+ location ~ \.php$ {
+ return 404;
+ }
+
+ error_log /srv/app/var/log/nginx-schulddossier_error.log;
+ access_log /srv/app/var/log/nginx-schulddossier_access.log;
+}
+
+server {
+ server_name _;
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ root /srv/app/public;
+
+ add_header Access-Control-Allow-Origin https://acc.schulddossier.amsterdam.nl;
+
+ ssl on;
+
+ ssl_certificate /srv/localhost.crt;
+ ssl_certificate_key /srv/localhost.key;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ try_files $uri /index.php$is_args$args;
+ }
+
+ location ~ ^/index\.php(/|$) {
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ internal;
+ }
+
+ location ~ \.php$ {
+ return 404;
+ }
+
+ error_log /srv/app/var/log/nginx-schulddossier_error.log;
+ access_log /srv/app/var/log/nginx-schulddossier_access.log;
+}
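Review bot: `add_header Access-Control-Allow-Origin https://acc.schulddossier.amsterdam.nl;` is added without `always`, so nginx emits it only on 2xx/3xx responses; error responses from the application leave the header out, which is exactly the case the previous commit said the upstream balancer fills with `*`. `add_header Access-Control-Allow-Origin https://acc.schulddossier.amsterdam.nl always;` in both server blocks covers those responses too; `vhost-production.conf` has the same two lines with the production origin, and `vhost-dev.conf` has no such header at all (fine if dev never sits behind that balancer, which I cannot tell from here). The three files differ only in that one header value, so a single template with the origin substituted at container start would keep the TLS and fastcgi settings from drifting between environments. Two lines copied from the old vhost.conf are worth cleaning while the files are new: `ssl on;` is deprecated in favour of the `ssl` parameter already present on the `listen` lines, and the `ssl_ciphers` list still includes CBC suites (`ECDHE-ECDSA-AES256-SHA384` and the three after it) where an AEAD-only list is the usual hardening recommendation.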
diff --git a/docker/nginx/vhost-dev.conf b/docker/nginx/vhost-dev.conf
new file mode 100644
index 00000000..6242b51e
--- /dev/null
+++ b/docker/nginx/vhost-dev.conf
@@ -0,0 +1,68 @@
+server {
+ server_name _;
+ listen 0.0.0.0:80;
+ root /srv/app/public;
+
+ location / {
+ try_files $uri /index.php$is_args$args;
+ }
+
+ location ~ ^/index\.php(/|$) {
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ internal;
+ }
+
+ location ~ \.php$ {
+ return 404;
+ }
+
+ error_log /srv/app/var/log/nginx-schulddossier_error.log;
+ access_log /srv/app/var/log/nginx-schulddossier_access.log;
+}
+
+server {
+ server_name _;
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ root /srv/app/public;
+
+ ssl on;
+
+ ssl_certificate /srv/localhost.crt;
+ ssl_certificate_key /srv/localhost.key;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ try_files $uri /index.php$is_args$args;
+ }
+
+ location ~ ^/index\.php(/|$) {
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ internal;
+ }
+
+ location ~ \.php$ {
+ return 404;
+ }
+
+ error_log /srv/app/var/log/nginx-schulddossier_error.log;
+ access_log /srv/app/var/log/nginx-schulddossier_access.log;
+}
diff --git a/docker/nginx/vhost-production.conf b/docker/nginx/vhost-production.conf
new file mode 100644
index 00000000..03cf9651
--- /dev/null
+++ b/docker/nginx/vhost-production.conf
@@ -0,0 +1,72 @@
+server {
+ server_name _;
+ listen 0.0.0.0:80;
+ root /srv/app/public;
+
+ add_header Access-Control-Allow-Origin https://schulddossier.amsterdam.nl;
+
+ location / {
+ try_files $uri /index.php$is_args$args;
+ }
+
+ location ~ ^/index\.php(/|$) {
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ internal;
+ }
+
+ location ~ \.php$ {
+ return 404;
+ }
+
+ error_log /srv/app/var/log/nginx-schulddossier_error.log;
+ access_log /srv/app/var/log/nginx-schulddossier_access.log;
+}
+
+server {
+ server_name _;
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ root /srv/app/public;
+
+ add_header Access-Control-Allow-Origin https://schulddossier.amsterdam.nl;
+
+ ssl on;
+
+ ssl_certificate /srv/localhost.crt;
+ ssl_certificate_key /srv/localhost.key;
+
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ ssl_prefer_server_ciphers on;
+
+ location / {
+ try_files $uri /index.php$is_args$args;
+ }
+
+ location ~ ^/index\.php(/|$) {
+ fastcgi_pass 127.0.0.1:9000;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ include fastcgi_params;
+
+ fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+ fastcgi_param DOCUMENT_ROOT $realpath_root;
+ internal;
+ }
+
+ location ~ \.php$ {
+ return 404;
+ }
+
+ error_log /srv/app/var/log/nginx-schulddossier_error.log;
+ access_log /srv/app/var/log/nginx-schulddossier_access.log;
+}
diff --git a/docker/nginx/vhost.conf b/docker/nginx/vhost.conf
index 04eda541..6242b51e 100644
--- a/docker/nginx/vhost.conf +++ b/docker/nginx/vhost.conf @@ -3,10 +3,6 @@ server { listen 0.0.0.0:80; root /srv/app/public; - # Sent empty access control header - # If we don't sent this empty header Datapunt loadballancer will add an Access-Control-Allow-Origin: * header, which is a security risk - add_header Access-Control-Allow-Origin " "; - location / { try_files $uri /index.php$is_args$args; } @@ -37,10 +33,6 @@ server { root /srv/app/public; - # Sent empty access control header - # If we don't sent this empty header Datapunt loadballancer will add an Access-Control-Allow-Origin: * header, which is a security risk - add_header Access-Control-Allow-Origin " "; - ssl on; ssl_certificate /srv/localhost.crt; From 0eacb47363d01d12b0e2fb4cbc665f956ac51bd9 Mon Sep 17 00:00:00 2001 From: Maarten de Keizer Date: Mon, 26 Oct 2020 13:01:46 +0100 Subject: [PATCH 06/11] Change Allegro ft host for testing new connection --- docker-entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 782fc30f..658cbfe7 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -5,7 +5,8 @@ echo "Environment: $APP_ENV" set -u -echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +#echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +echo "10.205.130.12 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts echo "10.16.130.3 schuldhulp.sociaal.amsterdam.nl" >> /etc/hosts echo 'Dumping hosts file:' cat /etc/hosts From 5d17f725f640ee4dd307a00b69789b6bc8373783 Mon Sep 17 00:00:00 2001 From: Maarten de Keizer Date: Tue, 27 Oct 2020 14:28:06 +0100 Subject: [PATCH 07/11] Change Allegro ft host for testing new connection --- docker-entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 658cbfe7..cb0df48c 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -6,7 +6,8 @@ echo "Environment: $APP_ENV" set -u #echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts -echo "10.205.130.12 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +#echo "10.205.130.12 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +echo "10.204.22.40 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts echo "10.16.130.3 schuldhulp.sociaal.amsterdam.nl" >> /etc/hosts echo 'Dumping hosts file:' cat /etc/hosts From 3f4e247c69259348d1e280a77d0556fa9b4850f9 Mon Sep 17 00:00:00 2001 From: Maarten de Keizer Date: Thu, 29 Oct 2020 08:47:31 +0100 Subject: [PATCH 08/11] Rollback changes for new Allegro connection --- docker-entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index cb0df48c..38ef2afb 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -5,9 +5,9 @@ echo "Environment: $APP_ENV" set -u -#echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts -#echo "10.205.130.12 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts -echo "10.204.22.40 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +#echo "10.205.130.12 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts # hent change 1 +#echo "10.204.22.40 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts # hent change 2 echo "10.16.130.3 schuldhulp.sociaal.amsterdam.nl" >> /etc/hosts echo 'Dumping hosts file:' cat /etc/hosts From eeb5ddc31cd4eded3f736de76f77a5cca2f2ae55 Mon Sep 17 00:00:00 2001 From: Dave Neijsen Date: Tue, 24 Nov 2020 13:15:38 +0100 Subject: [PATCH 09/11] Use generic CMDB deployment --- Jenkinsfile | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index e7d8df5e..4a376e39 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
@@ -64,10 +64,11 @@ if (BRANCH == "master") {
 stage("Deploy to ACC") {
 tryStep "deployment", {
 build job: 'Subtask_Openstack_Playbook',
- parameters: [
- [$class: 'StringParameterValue', name: 'INVENTORY', value: 'acceptance'],
- [$class: 'StringParameterValue', name: 'PLAYBOOK', value: 'deploy-schuldhulp.yml'],
- ]
+ parameters: [
+ [$class: 'StringParameterValue', name: 'INVENTORY', value: 'acceptance'],
+ [$class: 'StringParameterValue', name: 'PLAYBOOK', value: 'deploy.yml'],
+ [$class: 'StringParameterValue', name: 'PLAYBOOKPARAMS', value: "-e cmdb_id=app_schuldhulp"]
+ ]
 }
 }
 }
@@ -92,10 +93,11 @@ if (BRANCH == "master") {
 stage("Deploy") {
 tryStep "deployment", {
 build job: 'Subtask_Openstack_Playbook',
- parameters: [
- [$class: 'StringParameterValue', name: 'INVENTORY', value: 'production'],
- [$class: 'StringParameterValue', name: 'PLAYBOOK', value: 'deploy-schuldhulp.yml'],
- ]
+ parameters: [
+ [$class: 'StringParameterValue', name: 'INVENTORY', value: 'production'],
+ [$class: 'StringParameterValue', name: 'PLAYBOOK', value: 'deploy.yml'],
+ [$class: 'StringParameterValue', name: 'PLAYBOOKPARAMS', value: "-e cmdb_id=app_schuldhulp"]
+ ]
 }
 }
 }
From 5dd07c9eb6f6617508dba80aa23f65df955bf509 Mon Sep 17 00:00:00 2001
From: Maarten de Keizer
Date: Thu, 26 Nov 2020 12:04:46 +0100
Subject: [PATCH 10/11] Change hostfile for new env

---
 docker-entrypoint.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 38ef2afb..4971ef4c 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
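Review bot: `value: "-e cmdb_id=app_schuldhulp"` is the only double-quoted (GString) literal in the parameter list and contains nothing to interpolate, so `value: '-e cmdb_id=app_schuldhulp'` matches the entries around it. The two hunks build identical lists apart from the `INVENTORY` value, so a small helper such as `def deployParams(String inventory)` returning the list would leave one place to maintain the next time the playbook or CMDB id changes. `PLAYBOOKPARAMS` is handed to the downstream job as a raw command-line fragment, so it is worth a one-line comment stating that it is intentionally a fixed string and must not be built from a build parameter. The enclosing `node { }` blocks start outside both hunks.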
@@ -5,9 +5,9 @@ echo "Environment: $APP_ENV" set -u -echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts +#echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts #echo "10.205.130.12 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts # hent change 1 -#echo "10.204.22.40 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts # hent change 2 +echo "10.204.22.40 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts # hent change 2 echo "10.16.130.3 schuldhulp.sociaal.amsterdam.nl" >> /etc/hosts echo 'Dumping hosts file:' cat /etc/hosts From daee0bb408afe88370d336268c10917e1ad72054 Mon Sep 17 00:00:00 2001 From: Maarten de Keizer Date: Fri, 4 Dec 2020 20:14:32 +0100 Subject: [PATCH 11/11] Change IP address in hostfile for Allegro production --- docker-entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 4971ef4c..c302798b 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -8,7 +8,8 @@ set -u #echo "10.16.136.56 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts #echo "10.205.130.12 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts # hent change 1 echo "10.204.22.40 schuldhulp-ft.sociaal.amsterdam.nl" >> /etc/hosts # hent change 2 -echo "10.16.130.3 schuldhulp.sociaal.amsterdam.nl" >> /etc/hosts +#echo "10.16.130.3 schuldhulp.sociaal.amsterdam.nl" >> /etc/hosts +echo "10.204.22.39 schuldhulp.sociaal.amsterdam.nl" >> /etc/hosts echo 'Dumping hosts file:' cat /etc/hosts