
Remove nginx config
ahosgood committed Nov 7, 2024
1 parent a5859ca commit 3e291e4
Showing 3 changed files with 42 additions and 97 deletions.
44 changes: 11 additions & 33 deletions docker/tna-python/Dockerfile
Expand Up @@ -34,8 +34,6 @@ EXPOSE 443/tcp
# live-ness of an application - this idea is
# based on a GOV.UK proposal:
# https://github.com/alphagov/govuk-rfcs/blob/main/rfc-141-application-healthchecks.md
# This goes directly to the app, rather than
# through nginx
# ==========================================
HEALTHCHECK CMD curl --fail http://localhost:8080/healthcheck/live/ || exit 1

Expand Down Expand Up @@ -97,18 +95,18 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Update the package index files and install
# specific versions of libcurl4, curl, build
# essentials (which then enables us to later
# install Poetry), as well as both nginx and
# ufw - after this, clean and remove all the
# apt registries to avoid the possibility of
# additional installations later on
# install Poetry) after which go on to clean
# and remove all the apt registries to avoid
# the possibility of additional applications
# being installed later on
# ==========================================
RUN set -eux; \
\
export DEBIAN_FRONTEND=noninteractive; \
\
apt-get update; \
apt-get -y upgrade; \
apt-get install -y --no-install-recommends libcurl4=7.88.1-10+deb12u7 curl=7.88.1-10+deb12u7 build-essential=12.9 libmagic-dev=1:5.44-3 nginx=1.22.1-9 nginx-common=1.22.1-9 ufw=0.36.2-1 iptables=1.8.9-2; \
apt-get install -y --no-install-recommends libcurl4=7.88.1-10+deb12u7 curl=7.88.1-10+deb12u7 build-essential=12.9 libmagic-dev=1:5.44-3; \
\
apt-get clean; \
apt-get autoremove -y --purge; \
Expand Down Expand Up @@ -144,29 +142,6 @@ ENV HOME=/home/app
# ==========================================
ENV NVM_DIR="$HOME/.nvm"

# ==========================================
# Update the firewall rule to allow only for
# HTTPS, then create an SSL certificate that
# we can use locally in nginx to secure this
# container
# ==========================================
RUN ufw allow 'Nginx HTTPS'; \
mkdir /etc/nginx/ssl; \
openssl req -x509 -noenc -newkey rsa:2048 -keyout /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/req.pem -days 90 -subj "/C=GB/ST=London/L=Kew/O=The National Archives/OU=Digital/CN=localhost"; \
chmod 644 /etc/nginx/ssl/key.pem

# ==========================================
# Copy in the nginx configuration file which
# allows us to use a reverse proxy and serve
# the app securely through HTTPS
# ==========================================
COPY lib/nginx.conf /etc/nginx/nginx.conf

# ==========================================
# Test the installed nginx configuration
# ==========================================
RUN nginx -t

# ==========================================
# Install Poetry in the suggested manner and
# nvm so we can build static assets like CSS
Expand Down Expand Up @@ -211,15 +186,18 @@ FROM "$USER_IMAGE"
# Install the latest LTS version of Node.js,
# but keeping within the releases code-named
# "jod" (v22.x)
# (Install the previous LTS release, just in
# case some applicaitons still use it)
# ==========================================
# hadolint ignore=SC1091
RUN . "$NVM_DIR/nvm.sh"; \
nvm install lts/iron; \
nvm install lts/jod; \
nvm alias default lts/jod

# ==========================================
# Create a directory for our SSL certificate
# files
# ==========================================
RUN mkdir /home/app/ssl

# ==========================================
# Into our .local/bin/ directory copy in the
# bash scripts we need in order to build and
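Review bot: The HEALTHCHECK in the first hunk still probes `http://localhost:8080/healthcheck/live/`, but with nginx gone the tna-run change in this same commit starts gunicorn on 0.0.0.0:8080 with `--keyfile`/`--certfile`, so the probe now sends a plaintext request to a TLS listener and the container will be reported unhealthy. It should trust the same certificate the server is given, e.g. `HEALTHCHECK CMD curl --fail --cacert /home/app/ssl/cert.pem https://localhost:8080/healthcheck/live/ || exit 1`; if the mounted certificate does not name `localhost`, point the probe at the name it does carry with `--resolve <cert-name>:8080:127.0.0.1` rather than falling back to `--insecure`. The `EXPOSE 443/tcp` visible in the hunk-header context appears to document the removed nginx listener and probably wants to become 8080, though that line is outside the hunk. The file continues beyond the hunks shown.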
46 changes: 31 additions & 15 deletions docker/tna-python/bin/tna-run
Expand Up @@ -52,19 +52,7 @@ DEFAULT_THREADS=$((DEFAULT_WORKERS * 2))
[[ -z $WORKERS ]] && WORKERS=$DEFAULT_WORKERS
[[ -z $THREADS ]] && THREADS=$DEFAULT_THREADS

if [ "$ENVIRONMENT" == 'production' ]
then
# Production environment
[[ -z $LOG_LEVEL ]] && LOG_LEVEL=warn
[[ -z $TIMEOUT ]] && TIMEOUT=30
[[ -z $KEEP_ALIVE ]] && KEEP_ALIVE=30
elif [ "$ENVIRONMENT" == 'staging' ]
then
# Staging environment
[[ -z $LOG_LEVEL ]] && LOG_LEVEL=debug
[[ -z $TIMEOUT ]] && TIMEOUT=30
[[ -z $KEEP_ALIVE ]] && KEEP_ALIVE=30
elif [ "$ENVIRONMENT" == 'develop' ]
if [ "$ENVIRONMENT" == 'develop' ]
then
# Development environment
echo "ENVIRONMENT is develop"
Expand All @@ -88,7 +76,7 @@ then
if poetry show flask ;
then
echo "Flask found, starting server"
poetry run flask --app "$APPLICATION" run --debug --host 0.0.0.0 --port 8080
poetry run flask --app "$APPLICATION" run --debug --host 0.0.0.0 --port 8080 --reload
fi
echo "Flask not found"

Expand All @@ -104,13 +92,41 @@ then
# Fall back to using Gunicorn
echo "No framework found, using Gunicorn to serve development application"
poetry run gunicorn "$APPLICATION" --workers "$WORKERS" --threads "$THREADS" --log-level "$LOG_LEVEL" --timeout "$TIMEOUT" --keep-alive "$KEEP_ALIVE" --bind 0.0.0.0:8080 --worker-class="$WORKER_CLASS" --reload
elif [ "$ENVIRONMENT" == 'production' ]
then
# Production environment
[[ -z $LOG_LEVEL ]] && LOG_LEVEL=warn
[[ -z $TIMEOUT ]] && TIMEOUT=30
[[ -z $KEEP_ALIVE ]] && KEEP_ALIVE=30
elif [ "$ENVIRONMENT" == 'staging' ]
then
# Staging environment
[[ -z $LOG_LEVEL ]] && LOG_LEVEL=debug
[[ -z $TIMEOUT ]] && TIMEOUT=30
[[ -z $KEEP_ALIVE ]] && KEEP_ALIVE=30
else
# All other environments
[[ -z $LOG_LEVEL ]] && LOG_LEVEL=info
[[ -z $TIMEOUT ]] && TIMEOUT=30
[[ -z $KEEP_ALIVE ]] && KEEP_ALIVE=5
fi

# Check for SSL certificates
if [ ! -f "/home/app/ssl/key.pem" ]
then
echo "/home/app/ssl/key.pem does not exist";
exit 1
fi

if [ ! -f "/home/app/ssl/cert.pem" ]
then
echo "/home/app/ssl/cert.pem does not exist";
exit 1
fi

# Ensure the SSL key file can be read
chmod 644 /home/app/ssl/key.pem

# Start the server
echo "Starting $ENVIRONMENT server"
poetry run gunicorn "$APPLICATION" --workers "$WORKERS" --threads "$THREADS" --log-level "$LOG_LEVEL" --timeout "$TIMEOUT" --keep-alive "$KEEP_ALIVE" --access-logfile - --bind 0.0.0.0:8080 --worker-class="$WORKER_CLASS"
poetry run gunicorn "$APPLICATION" --workers "$WORKERS" --threads "$THREADS" --log-level "$LOG_LEVEL" --timeout "$TIMEOUT" --keep-alive "$KEEP_ALIVE" --access-logfile - --bind 0.0.0.0:8080 --worker-class="$WORKER_CLASS" --keyfile=/home/app/ssl/key.pem --certfile=/home/app/ssl/cert.pem
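Review bot: The "Ensure the SSL key file can be read" step in the last hunk does `chmod 644` on the private key, which makes it readable by every user in the container; chmod only succeeds when the invoking user owns the file, and that user is the one gunicorn runs as (assuming no privilege change between this script and gunicorn), so `chmod 600 /home/app/ssl/key.pem` gives the same access with no world-read bit. If the key is bind-mounted read-only or owned by another uid, the chmod fails and, unless the script runs under `set -e` (not visible in this hunk), execution continues into gunicorn, which then fails with a less direct error — `chmod 600 /home/app/ssl/key.pem || { echo "cannot set permissions on /home/app/ssl/key.pem" >&2; exit 1; }` keeps the failure at the check. The two missing-file messages above it also go to stdout; `>&2` is the usual choice for errors that precede `exit 1`. The ENVIRONMENT if/elif chain that this hunk closes begins in the earlier hunk above "Expand All".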
49 changes: 0 additions & 49 deletions docker/tna-python/lib/nginx.conf

This file was deleted.

0 comments on commit 3e291e4
