diff --git a/.github/workflows/docker.yaml b/.github/workflows/deploy.yaml similarity index 77% rename from .github/workflows/docker.yaml rename to .github/workflows/deploy.yaml index 70811e4..a1419ab 100644 --- a/.github/workflows/docker.yaml +++ b/.github/workflows/deploy.yaml @@ -41,3 +41,11 @@ jobs: - name: 🚢 Push image run: ./scripts/push + + - name: Install doctl + uses: digitalocean/action-doctl@v2 + with: + token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }} + + - name: Deploy + run: doctl apps create-deployment ${{ secrets.DIGITALOCEAN_APP_ID }} --force-rebuild=true diff --git a/Dockerfile b/Dockerfile index bcc29b3..86c35ce 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,6 +12,5 @@ VOLUME /run/proxy COPY build /usr/share/nginx/html COPY proxy/nginx.conf /etc/nginx/nginx.conf.template COPY proxy/bin /usr/local/bin -COPY proxy/ssl /usr/local/share/ssl ENTRYPOINT ["/usr/local/bin/seroviz-proxy"] diff --git a/README.md b/README.md index 70b64a4..ea4664b 100644 --- a/README.md +++ b/README.md @@ -47,66 +47,68 @@ API JSON schema specifications. Generated types are saved into `src/generated.d. ## Deployment ### Docker -The app is deployed using a Dockerised `nginx` server which also proxies the `serovizr` API. +The app is deployed using a Dockerised `nginx` server. See the [proxy/README.md](proxy/README.md) for details. * To build the Docker image run `.scripts/build`. * To push an image to DockerHub run `./scripts/push` -* To start a copy of the app locally with a self-signed SSL certificate run `./scripts/run`. +* To start a copy of the Dockerised app locally run `./scripts/run`. ### Secrets Secrets (at the moment this is just the real SSL private key and certificate) are stored in HashiCorp Cloud Vault. To access the secrets in Vault, you need to create an account with [HashiCorp Cloud](https://portal.cloud.hashicorp.com/sign-in) and ask Alex to add you to the organization. -To deploy the app, ensure that you have the `hcp` CLI installed on your machine. -Installation instructions [here](https://developer.hashicorp.com/hcp/docs/cli/install). - ### Deploying the app -The app is deployed onto an EC2 instance called `seroviz`. You will need to ask Alex for AWS console access, -and to add your IP to the inbound security rules for ssh access. - -Then: -1. Retrieve `hcp` service principal credentials by running *on your own machine* (after `hcp auth login`): - ```shell - hcp vs secrets open production_id --app=seroviz - hcp vs secrets open production_secret --app=seroviz - ``` -1. ssh onto the server -1. Navigate to the `seroviz` directory -1. Run: - ```shell - ./scripts/clear-docker.sh - ./scripts/deploy - ``` - - The `deploy` script will prompt you for the client id and secret from step 1. - - You can also export these as environment variables which may be more convenient in case deployment fails - for any reason and has to be re-run: - ```shell - CLIENT_ID= - CLIENT_SECRET= - ``` - -### Setting up a new EC2 instance -(unless otherwise specified, all steps are run on the remote machine) -* Install `git`: - ```shell - sudo yum -y install git - ``` -* Install Docker, following instructions [here](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/install-docker.html). -* Install the `hcp cli` for secret retrieval by following the [instructions](https://developer.hashicorp.com/hcp/docs/cli/install) for Amazon Linux. -* On your own machine, install the `hcp cli` if you haven't already, and retrieve the production service principal id and secret, stored at `production_id` and `production_secret`: - ```shell - hcp vs secrets open production_id --app=seroviz - hcp vs secrets open production_secret --app=seroviz - ``` -* On the remote server, clone this GitHub repo using https: - ```shell - git clone https://github.com/seroanalytics/seroviz.git - ``` -* Follow the instructions above to deploy the app +The app is deployed on DigitalOcean's App Platform. The Seroviz app has 2 services, +each deployed using Docker images. One is this app, and the other is the [serovizr API](https://github.com/seroanalytics/serovizr). +The app topology should look like this: + +```yaml +alerts: +- rule: DEPLOYMENT_FAILED +- rule: DOMAIN_FAILED +domains: +- domain: seroviz.seroanalytics.org + type: PRIMARY +features: +- buildpack-stack=ubuntu-22 +ingress: + rules: + - component: + name: serovizr + match: + path: + prefix: /api + - component: + name: seroviz + match: + path: + prefix: / +name: seroviz +region: lon +services: +- http_port: 8888 + image: + registry: seroanalytics + registry_type: DOCKER_HUB + repository: serovizr + tag: main + instance_count: 1 + instance_size_slug: apps-s-1vcpu-0.5gb + name: serovizr +- http_port: 80 + image: + registry: seroanalytics + registry_type: DOCKER_HUB + repository: seroviz + tag: main + instance_count: 1 + instance_size_slug: apps-s-1vcpu-0.5gb + name: seroviz +``` + +The domain and SSL are also configured on DigitalOcean under the Networking section. ## Domain name The domain name `seroanalytics.org` is registered with NameCheap. diff --git a/proxy/README.md b/proxy/README.md index b8ca2fb..b965359 100644 --- a/proxy/README.md +++ b/proxy/README.md @@ -14,41 +14,4 @@ docker run seroviz-proxy seroanalytics.org ## SSL certificates -The server will not start until the files `/run/proxy/certificate.pem` and `/run/proxy/key.pem` exist - -you can get these into the container however you like; the proxy will poll for them and start within a second of them appearing. - -The production SSl key and certificate are stored on the [Vault cloud platform](https://www.hashicorp.com/products/vault). You will -need an account and to be added to the `seroanalytics` project to access these secrets. - -## Self-signed certificate - -For testing it is useful to use a self-signed certificate. These are not in any way secure. -To generate a self-signed certificate, there is a utility in the proxy container self-signed-certificate that will -generate one on demand after receiving key components of the CSR. - -There is a self-signed certificate in the repo for testing generated with (on metal) - -``` -./proxy/bin/self-signed-certificate proxy/ssl GB London LSHTM seroanalytics localhost -``` - -These can be used in the container by execing `self-signed-certificate /run/proxy` in the container while it polls for certificates. -Alternatively, to generate certificates with a custom CSR (which takes a couple of seconds) you can exec something like: - -``` -self-signed-certificate GB London LSHTM seroanalytics seroanalytics.org -``` - -## dhparams (Diffie-Hellman key exchange parameters) - -We require a `dhparams.pem` file (see [here](https://security.stackexchange.com/questions/94390/whats-the-purpose-of-dh-parameters)) for details. -The file in this directory is built into the Docker image, but can be overwritten when deploying the app, by copying your own into the container at `/run/proxy/dhparams.pem` before -getting the certificates in place. - -To regenerate the file in this directory, run - -``` -./proxy/bin/dhparams proxy/ssl -``` - -This takes quite a while to run (several minutes). +The proxy just serves the app on port 80. SSL must be handled at the point of deployment. diff --git a/proxy/bin/dhparams b/proxy/bin/dhparams deleted file mode 100755 index c65bc97..0000000 --- a/proxy/bin/dhparams +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/env bash -set -e - -if [ "$#" -eq 1 ]; then - DEST=$1 -else - echo "Usage:" - echo " dhparams DEST" -fi - -mkdir -p $DEST -openssl dhparam -out $DEST/dhparam.pem 4096 diff --git a/proxy/bin/self-signed-certificate b/proxy/bin/self-signed-certificate deleted file mode 100755 index d1b4f99..0000000 --- a/proxy/bin/self-signed-certificate +++ /dev/null @@ -1,33 +0,0 @@ -#!/usr/bin/env bash -set -eu - -if [ "$#" -eq 1 ]; then - DEST="$1" - cp /usr/local/share/ssl/key.pem $DEST - cp /usr/local/share/ssl/certificate.pem $DEST - exit 0 -elif [ "$#" -eq 6 ]; then - DEST="$1" - COUNTRY="$2" - LOCATION="$3" - ORG="$4" - ORG_UNIT="$5" - COMMON="$6" -else - echo "Usage:" - echo " self-signed-certificate DEST" - echo " self-signed-certificate DEST COUNTRY LOCATION ORG ORG_UNIT COMMON" - exit 1 -fi - -SUBJ="/C=$COUNTRY/L=$LOCATION/O=$ORG/OU=$ORG_UNIT/CN=$COMMON" - -mkdir -p $DEST -openssl req -x509 \ - -newkey rsa:4096 \ - -sha256 \ - -subj "$SUBJ" \ - -days 365 \ - -nodes \ - -keyout $DEST/key.pem \ - -out $DEST/certificate.pem diff --git a/proxy/bin/seroviz-proxy b/proxy/bin/seroviz-proxy index 5193528..d03c610 100755 --- a/proxy/bin/seroviz-proxy +++ b/proxy/bin/seroviz-proxy @@ -9,42 +9,10 @@ else exit 1 fi -echo "We will listen on ports 80 (http) and 443 (https)" +echo "We will listen on port 80 (http)" echo "with hostname $HTTP_HOST" envsubst '$HTTP_HOST' \ < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf -# These paths must match the paths as used in the nginx.conf -PATH_CONFIG=/run/proxy -PATH_CERT="$PATH_CONFIG/certificate.pem" -PATH_KEY="$PATH_CONFIG/key.pem" -PATH_DHPARAM="$PATH_CONFIG/dhparam.pem" - -mkdir -p $PATH_CONFIG - -# We'll copy this one directly into place - if the user wants to -# override it they should just copy theirs in place before the -# certificate. -cp /usr/local/share/ssl/dhparam.pem $PATH_DHPARAM - -if [[ -v "SSL_KEY" ]]; then - echo "Found SSL_KEY in env. Copying into place." - echo "$SSL_KEY" > $PATH_KEY - chmod 600 $PATH_KEY -fi - -if [[ -v "SSL_CERT" ]]; then - echo "Found SSL_CERT in env. Copying into place." - echo "$SSL_CERT" > $PATH_CERT - chmod 644 $PATH_CERT -fi - -while [ ! -e $PATH_CERT ] || [ ! -e $PATH_KEY ]; do - # Wait for the ssl certificates to be copied in or generated - echo "Waiting for certificates at $PATH_CERT and $PATH_KEY" - sleep 1 -done - -echo "Certificate files detected. Running nginx" exec nginx -g "daemon off;" diff --git a/proxy/nginx.conf b/proxy/nginx.conf index 6b11cda..248b28a 100644 --- a/proxy/nginx.conf +++ b/proxy/nginx.conf @@ -21,57 +21,16 @@ http { access_log /var/log/nginx/access.log main; sendfile on; - #tcp_nopush on; keepalive_timeout 65; - # Main server configuration. See below for redirects. server { - listen 443 ssl; + listen 80; server_name localhost ${HTTP_HOST}; - # Enable HTTP Strict Transport Security (HSTS) - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - # https://scotthelme.co.uk/content-security-policy-an-introduction/ - # https://content-security-policy.com/examples/nginx/ - # add_header Content-Security-Policy "default-src 'self';" always; - # However, this one does work: - add_header Content-Security-Policy "default-src https:; script-src ${HTTP_HOST}; style-src 'self' 'unsafe-inline'; img-src 'self' ${HTTP_HOST} blob: data:;" always; - - # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options - # https://geekflare.com/add-x-frame-options-nginx/ - add_header X-Frame-Options "SAMEORIGIN"; - - # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options - add_header X-Content-Type-Options "nosniff" always; - - # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ - add_header Referrer-Policy 'origin' always; - - # https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/ - # Actual values adopted from securityheaders.com :) - add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()" always; - - # Certificate - ssl_certificate /run/proxy/certificate.pem; - ssl_certificate_key /run/proxy/key.pem; - - # SSL settings as recommended by this generator - # https://ssl-config.mozilla.org/ - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; - ssl_prefer_server_ciphers off; - ssl_session_cache shared:SSL:10m; - ssl_dhparam /run/proxy/dhparam.pem; - root /usr/share/nginx/html; index index.html index.htm; - location /api { - proxy_pass http://serovizr:8888; - } - # Don't cache these files location ~* \.(?:manifest|appcache|html?|xml|json)$ { expires -1; @@ -96,15 +55,4 @@ http { try_files $uri $uri/ /index.html; } } - - # Redirect all http requests to the SSL endpoint and the correct domain name - server { - listen 80 default_server; - listen [::]:80 default_server; - server_name _; - - location / { - return 301 https://${HTTP_HOST}$request_uri; - } - } } diff --git a/proxy/ssl/certificate.pem b/proxy/ssl/certificate.pem deleted file mode 100644 index 3c6e12a..0000000 --- a/proxy/ssl/certificate.pem +++ /dev/null @@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFlTCCA32gAwIBAgIUSOzD2mGy7lc+3tubBUx1PiF+tXEwDQYJKoZIhvcNAQEL -BQAwWjELMAkGA1UEBhMCR0IxDzANBgNVBAcMBkxvbmRvbjEOMAwGA1UECgwFTFNI -VE0xFjAUBgNVBAsMDXNlcm9hbmFseXRpY3MxEjAQBgNVBAMMCWxvY2FsaG9zdDAe -Fw0yNDA4MjkxMTUyNTNaFw0yNTA4MjkxMTUyNTNaMFoxCzAJBgNVBAYTAkdCMQ8w -DQYDVQQHDAZMb25kb24xDjAMBgNVBAoMBUxTSFRNMRYwFAYDVQQLDA1zZXJvYW5h -bHl0aWNzMRIwEAYDVQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4IC -DwAwggIKAoICAQC/JxptnfXJNhm7tb5DyX2Hda7Tnax6mDlR8EhL4vmaDPxvZI+J -+RT9qQxw00O54ocjFEr/Q+d/AGEPHtkOnrKVesJRNE7x7YzbEF7/R4eei9cFN2jl -45kb4ZhQcQIc6Sxn1pCVb2RV0fK9u0Gb1eljPE1SAD8g1tfxb8urhrcsmxbqme3b -NZqxyddc5LR9uGRs2P3uo9xaHLS2c00XmP1yIoQ9Zun3MkrtZZlVZfNIu30V2sZk -dwFgQTRKHj32Yr++IR+Vz8MOO344/Jvq+CywHofbNRDluKGZkR0ftRdT+5wGf1HQ -O3EOl9Q3Q+ciundQ1Uw5deG4i8nNjfJc3zPe5P8+NTj2Hmyr/KqKpsD6sPDANJbK -RytJ04+oqL6s+vjMCzydJ/4nBF9XEQV4bUqBtTjMY06AFUYxm97kaqYX2LZORfRI -oGc03Ixp0mbCCfI2V5k2OzAnKFlmZSL8MSCn969qXUSTg7jy2p7rnxu5PyniPFmp -NCjTV/XU5jlDSpggfbZp4npUL2rvqzy1AqvTfiDLVeDJngyuPspL8yV8uv97+o7X -i2bgxPKR3HFVibsEIxpmb8zqMWYdncrys/rvG9aHYc7mPqbdQDAIBoUETpnaeKgn -akj1rXj2u/ZcEdTfWDqDLlhLinMqrFYNus7/ezqHlcajog5w908N2YgmgQIDAQAB -o1MwUTAdBgNVHQ4EFgQUbLweHtGGEEU3uCZcXcz99J5JOxAwHwYDVR0jBBgwFoAU -bLweHtGGEEU3uCZcXcz99J5JOxAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B -AQsFAAOCAgEAHmgHsnPxCMGR96yEOHHBRshiVNMO43xpT/c9lECH79AOKiIhli4b -x4dOZkVequ1c7tszkMkv3zYZwenE5tKTnBRLcjHTcqu6EV1rQq+4Sxq+9MqPUsdw -0bFmA11Qx9dMVgs7KTXVVFLGLd8ZZcuh9lrnKVuvL+aC0qawn9xErl1SvSuGo28R -fM1jK1soODTOPCOYnooN4QZCxYFHcb6ex/oDCi9yg6svpAWEAMGX5Re7Bp60Fk41 -pfG0lJBgZ7xCT7MyBGZasw2jvyD7U6wnacaySUDPrNxff3f7Q8Dj1EyZ0H2ljn2X -U5q1hpepgZwcj7gU0Gf7oa9EPJ6Uk4hb0rN9LPzhbflCDYfISg0eQWNIzabYHQgK -9MmEf0zrYB/dSRJ93k7uveLeLo6bwIVyTim/wgBKUyXJUVQwP+XL1vEg76uNo6wF -bh5sUGYuxKokCurlJAGYUNe3YQDKfDcJGpzhKwOsjlyYz0v4zTwXetzpyWpCAZEH -ixnmqpssOQ0h5zIfF7HJc2VX5/V7NT5qa018Or9tts5BCcIJfTHDZYI7ZrCzkqRi -olSjC2/Xqo7FP2IOuQrMqAKb3p+oFSjqOhW1i28DGpiFhtQtKSd3kMHdQh8zCIZ2 -xqMi0v4gu8ndrtbx3FWOk+eMW882OBTIPwIlj1FpqCYxFO/al56+m64= ------END CERTIFICATE----- diff --git a/proxy/ssl/dhparam.pem b/proxy/ssl/dhparam.pem deleted file mode 100644 index e849f70..0000000 --- a/proxy/ssl/dhparam.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN DH PARAMETERS----- -MIICCAKCAgEA2hUhMmBO1EETW6Qj+97bizOoEp9YZmSkC4hWPQFPnKhQE0BG4100 -GtUkHfL+wRLRhaqaJh6H9SnKmFLsUNj4WNX+k+N4GnkkDgb0aYa0cIxB42OjQTbl -3jYjL3QhsGULNGALl1vd9mY8JkFr1xo4QrNNFQRfwm2QnBGuBhCzGEqhE8C+BTcZ -IjWLixpy6CFoJhYD0bCqjIIBleHiAw6RPYjfhx3C7jAfaFt0ETHU26PveIXlp0Sm -EdUmCLnmZmjQZTcGCQDNBl9vAZk7it5G6tZgAQ+E64zc2FuRpH+RFB6HznE6jvKB -dnQwiR6hs0JU++vmhENVTlblMzwcksQ1Brfw1YSnkzfkn71r6ZchG0SA2Y8jQ80R -Di2xdMZZZFS5PSzux9WHRx5DSSuW20DhzMo6u8vLs1SLuGrpLUTbd29fURckUIod -YXU9IMq3iK1MTNMjlA6pwmq0Ef/2hnsvQYQAvYsS7H+zbiO40ftggthVVCdvTAS3 -yWpis1wI+XbqDUsfghTpgqO2KXC/D9ZI9V635klq8FUDslC/BzDvGUg1KmolXgjl -+24r6GEA4CgQFf3gFnTgqbqawYx6hDjtakpCj+ePGAfXAI1UjBHku2FYHNSxsZl/ -Wj+F/bloVt+JOyCPOKTe7Zbnuawwe2x3nPO9ypC6n8B1yvG4+ykm4kcCAQI= ------END DH PARAMETERS----- diff --git a/proxy/ssl/key.pem b/proxy/ssl/key.pem deleted file mode 100644 index 7c7a323..0000000 --- a/proxy/ssl/key.pem +++ /dev/null @@ -1,52 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC/JxptnfXJNhm7 -tb5DyX2Hda7Tnax6mDlR8EhL4vmaDPxvZI+J+RT9qQxw00O54ocjFEr/Q+d/AGEP -HtkOnrKVesJRNE7x7YzbEF7/R4eei9cFN2jl45kb4ZhQcQIc6Sxn1pCVb2RV0fK9 -u0Gb1eljPE1SAD8g1tfxb8urhrcsmxbqme3bNZqxyddc5LR9uGRs2P3uo9xaHLS2 -c00XmP1yIoQ9Zun3MkrtZZlVZfNIu30V2sZkdwFgQTRKHj32Yr++IR+Vz8MOO344 -/Jvq+CywHofbNRDluKGZkR0ftRdT+5wGf1HQO3EOl9Q3Q+ciundQ1Uw5deG4i8nN -jfJc3zPe5P8+NTj2Hmyr/KqKpsD6sPDANJbKRytJ04+oqL6s+vjMCzydJ/4nBF9X -EQV4bUqBtTjMY06AFUYxm97kaqYX2LZORfRIoGc03Ixp0mbCCfI2V5k2OzAnKFlm -ZSL8MSCn969qXUSTg7jy2p7rnxu5PyniPFmpNCjTV/XU5jlDSpggfbZp4npUL2rv -qzy1AqvTfiDLVeDJngyuPspL8yV8uv97+o7Xi2bgxPKR3HFVibsEIxpmb8zqMWYd -ncrys/rvG9aHYc7mPqbdQDAIBoUETpnaeKgnakj1rXj2u/ZcEdTfWDqDLlhLinMq -rFYNus7/ezqHlcajog5w908N2YgmgQIDAQABAoICAAL9sC+3fVCt99KHNjA5GJgx -pBVJVgPaj9Ng2pQTu9MDDEGhcw9bfi5hvRE4YF/0mTz4J1wYZ8ibJ3RNPSP54Xfj -jSNoZD+r7KyXqbGIoN4pwxOWBv5e30bPiDq3qUrtbpg8Lsm5zcSmgEv4oGmOnAQ6 -nbKbEKHOyXT3NPqCJSmtuRAdbbp5+573y6wB+PLae2QfyT8OTGdoDtSn1/SsMbNd -x9AupQSiTQgV0y5XW1UfuDtgRO2uQNoiLGNoVvuc7AdkHQqIRFLxD8lBkZ59o4mz -cUMsW29JbOo6Wi3EdNZHx/dAOiteEhItLRZwHxoc4mWkRW5aPPiOY7oDdDUAuemR -DIiBdmjM3S/X5+Z+r9+ya1Q1Wp8lBAuUN8bz67e+V2tIGsA5i5YRTfnUEglfhKZd -o3sy3farwc/1yKLJEIJAB9FNEFss5asX0us4yZvPZhE87PmfWPYpiaxM7lDIsfE4 -w/JAaSs5TfTfUGkaJwk54ncPa9PMNIjoyZ+MybsLwjvdKUq7//5TqKgVKTv5954G -LAKQOTPz6p8SM67LXS96IjT/fUvTwvnGg755xr/U4j/pitKrHHN/yapiHqoFcWWw -FfWFgwycsMdLKQ4bNXBGkQHo+WPO3UwLhO08DJ11jfwvakc2sLqgO9T9mzh9oMqD -PNqU8O28E4OhRI0bFv75AoIBAQDUogbVYZ+hNy0oaCNHePYHT53Ov96gOPP5YTO9 -ZWySVRecvDFH36BRpqbOR/hzo5hvMLPz83VbjkHRv2Tscz7CRvwTU7ZCrsVuItjk -d2mp24iecPHWvXWCE5BDNv57ieP6wUrQVgu6JECX2SViUUbL/WQmHA5CwcrbRXka -4q/gQYeMMGnILVfc6dOFj2r2MboWKnq0+YkEiIbc+Yssiu9g3ECmsRtHi/9tFdw8 -JITkKJjV2mBor6YzV4v2vt3q6YQYVsJ+sHw+LwPby78Q7c50NefSPC9fdT6Pwbmt -EiA0t1IsukvwcjEpBC777eeE6/a+8A15ixA3N3gcsJhLucsZAoIBAQDmI447HNRV -1Kza4GQgNMByaPFhVhq0/mYOGhFtntcwixWG7W8OrFEdPxFsWaKpf/7jsGgmqyhr -cDa0ySKN7PPE22WTJf0T8AEhyhLRX0amFQBA2SjR2sMVSpFsUXBNy3YZXlWNDj5G -Fmz6tfFeXVyoMkIuBsuVleVng1PxNs71T1u74j/QZARYf/0Z/+3JN0pQ9ITkPah7 -/4CJ9IlNKshFkZ1TkFmMJSPljSNBsOfp5vmGtq/yt7dKEFC8c+iSVUHo6A/+7RQN -yf8f4ZzeHOYcebw2HGL+OZUbNKHDtplK28XNPOzdsi5nL5Rx/rZwUQegL+9WnZ8W -ReCOw9qtPwupAoIBAAJ9DvVqWhLp8WZaqacJfF+jh+ZGipV3dSuC/rcFu9qOkmMs -NKtxq4+pEqSxZO/9hygt+r0tKT90D8MjqUu3IZHmgMa9IRHwt7DNSZqK5zqsrhGk -or/vobNvBS40M5BAkeF6Z6S+jQ6VpAfi67QV3W0/vu9PPr97QyOD0aIF6ycFvU9f -ta05EqEsP2R9xDOza0kdICiEDx11d5aYeQ+BZMHOchdBVV9l/QxKyDQP/VoqO3et -QZmYDKrnKGUv4KsCJqCeS1JuQFX9+N6WqNrK3bKwetEUET3dwmiuTL0AzE2xo42Q -dJkQzRB80wvxwdblaBLd/lpgzUTIKmizjGS+fOkCggEBANSrMrppj8apO/sftScV -2GlhlP3P5eov1PtfF4/nYxAW1xPSwfgbQPH34A/yXSCpiU+7KuPg8v8luUgjPm1M -9I+L9zeduVr9RO6GoBEfLFg5u/wxMUmMEQ7R08T3FQKu7DnRNNmeuelmu9qK27vK -Jt+/YezKlsNqu42GjMGxVlrWtPzQvQvEAUgPLkMigAibsW9SJqQMXnAH0i6p7V+E -E4JGZ85a7IVXpO5yGIySAB3kNd5JYBq5rwUgQpuDuP3RD5E9MdrwFsIPUlWR1bZj -mjniPQz7+nbXm3SClKIZUVsd8JISpQjRqZPtIg6dxNXR62waH+A41FRuym7jimbi -hdECggEBAMYWD9w6Fh8eaz3DoHMYwEEfU08FLOvYQeAV0goG8C6f58b6/A/5sr7y -WSao+xm5clEQU7+jBxp4eUkeSTWNmE6GuYdIVSIgo8rCBSKhoReO94uj7ljVqGcz -Szl1Syr+pAJ6EfXCbdZsBtNcPlTzM04Vir8KE5hbTY3QED+X+j9nF8fsNSIWvFZn -Q4XXIJVEPxVIDlEFfznzERH84KFDnXVDeWHxTMF3pBJplENKVaOvziZSbmCEKI32 -A8e83gw9RSncfraG1uUdN0OfEEFtTyvEUAaFBdmAYPhalfJITjIcRXrK14ciysoy -Nz0rn9GQHsP0VtFK5J3P21Ct2ryut10= ------END PRIVATE KEY----- diff --git a/scripts/deploy b/scripts/deploy deleted file mode 100755 index ddfb711..0000000 --- a/scripts/deploy +++ /dev/null @@ -1,72 +0,0 @@ -#!/usr/bin/env bash -set -e - -NETWORK=seroviz_nw -TAG=seroanalytics/seroviz:main -API_TAG=seroanalytics/serovizr:main - -docker pull $TAG -docker pull $API_TAG - -function cleanupDocker() { - docker kill seroviz > /dev/null 2>&1 || true - docker kill serovizr > /dev/null 2>&1 || true - docker rm seroviz > /dev/null 2>&1 || true - docker rm serovizr > /dev/null 2>&1 || true - docker network rm $NETWORK > /dev/null 2>&1 || true -} - -function logout() { - hcp auth logout -} - -trap cleanup ERR -function cleanup() { - logout - cleanupDocker -} - -trap logout EXIT - -if [[ ! -v "CLIENT_ID" ]]; then - echo Please provide production client id from Vault. - echo -e To read this from Vault on another machine, run: - echo "" - echo -e "\t hcp vs secrets open production_id --app=seroviz" - echo "" - read -r CLIENT_ID -fi - -if [[ ! -v "CLIENT_SECRET" ]]; then - echo Please provide production client secret from Vault - echo -e To read this from Vault on another machine, run: - echo "" - echo -e "\t hcp vs secrets open production_secret --app=seroviz" - echo "" - read -r CLIENT_SECRET -fi - -hcp auth login --client-id="$CLIENT_ID" --client-secret="$CLIENT_SECRET" - -cleanupDocker - -docker network create $NETWORK -docker run -d -p 8888:8888 --network=$NETWORK --name serovizr $API_TAG -docker run -d -p 80:80 -p 443:443 --network=$NETWORK --name seroviz $TAG seroviz.seroanalytics.org - -TEMP_KEY=$(mktemp -q) -hcp vs secrets open ssl_key --app seroviz --out-file=$TEMP_KEY -docker cp $TEMP_KEY seroviz:/run/proxy/key.pem - -TEMP_INT_1=$(mktemp -q) -hcp vs secrets open ssl_intermediate_1 --app seroviz --out-file=$TEMP_INT_1 -TEMP_INT_2=$(mktemp -q) -hcp vs secrets open ssl_intermediate_2 --app seroviz --out-file=$TEMP_INT_2 -TEMP_INT_3=$(mktemp -q) -hcp vs secrets open ssl_intermediate_3 --app seroviz --out-file=$TEMP_INT_3 -TEMP_INT_CERT=$(mktemp -q) -hcp vs secrets open ssl_cert --app seroviz --out-file=$TEMP_INT_CERT - -TEMP_BUNDLE=$(mktemp -q) -cat $TEMP_INT_CERT $TEMP_INT_1 $TEMP_INT_2 $TEMP_INT_3 >> $TEMP_BUNDLE -docker cp $TEMP_BUNDLE seroviz:/run/proxy/certificate.pem diff --git a/scripts/mkcert b/scripts/mkcert new file mode 100755 index 0000000..f13fdfb --- /dev/null +++ b/scripts/mkcert @@ -0,0 +1,16 @@ +#!/usr/bin/env bash +set -e + + +TEMP_INT_1=$(mktemp -q) +hcp vs secrets open ssl_intermediate_1 --app seroviz --out-file=$TEMP_INT_1 +TEMP_INT_2=$(mktemp -q) +hcp vs secrets open ssl_intermediate_2 --app seroviz --out-file=$TEMP_INT_2 +TEMP_INT_3=$(mktemp -q) +hcp vs secrets open ssl_intermediate_3 --app seroviz --out-file=$TEMP_INT_3 +TEMP_INT_CERT=$(mktemp -q) +hcp vs secrets open ssl_cert --app seroviz --out-file=$TEMP_INT_CERT + +TEMP_BUNDLE=$(mktemp -q) +cat $TEMP_INT_CERT $TEMP_INT_1 $TEMP_INT_2 $TEMP_INT_3 >> $TEMP_BUNDLE +cat $TEMP_BUNDLE diff --git a/scripts/run b/scripts/run index 5e46f8d..2046ffb 100755 --- a/scripts/run +++ b/scripts/run @@ -4,10 +4,5 @@ set -ex HERE=$(dirname $0) . $HERE/common -NETWORK=seroviz_nw -docker network create $NETWORK - -docker run -d -p 8888:8888 --network=$NETWORK --name serovizr seroanalytics/serovizr:$SEROVIZR_VERSION -docker run -d -p 80:80 -p 443:443 --network=$NETWORK --name seroviz $DOCKER_COMMIT_TAG localhost -docker exec seroviz self-signed-certificate /run/proxy +docker run -d -p 80:80 --name seroviz $DOCKER_COMMIT_TAG localhost diff --git a/scripts/smoke-test b/scripts/smoke-test index 075ba37..2b646ac 100755 --- a/scripts/smoke-test +++ b/scripts/smoke-test @@ -8,7 +8,7 @@ wait_for() echo "waiting up to $TIMEOUT seconds for app" start_ts=$(date +%s) for i in $(seq $TIMEOUT); do - result="$(curl --write-out %{http_code} --silent --output /dev/null --insecure https://localhost 2>/dev/null)" + result="$(curl --write-out %{http_code} --silent --output /dev/null --insecure http://localhost 2>/dev/null)" if [[ $result -eq "200" ]]; then end_ts=$(date +%s) echo "App available after $((end_ts - start_ts)) seconds" diff --git a/src/index.tsx b/src/index.tsx index 5700665..e85b588 100644 --- a/src/index.tsx +++ b/src/index.tsx @@ -11,7 +11,7 @@ const root = ReactDOM.createRoot( const getApiUrl = () => { if (process.env.NODE_ENV === "development") { - return "http://localhost:8888/api"; + return "http://localhost:8888"; } return `https://${window.location.host}/api`; }; diff --git a/test/setupIntegrationTests.ts b/test/setupIntegrationTests.ts index 3045778..3679bbc 100644 --- a/test/setupIntegrationTests.ts +++ b/test/setupIntegrationTests.ts @@ -1,2 +1,2 @@ -export const apiUrl = 'http://localhost:8888/api'; +export const apiUrl = 'http://localhost:8888'; (global as any).apiUrl = apiUrl;