Mirroristas/planetmint
2
0
Fork 0
mirror of https://github.com/planetmint/planetmint.git synced 2026-03-13 20:04:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial Migration

Browse Source
This commit is contained in:
Sangat Das
2022-01-13 16:29:35 +00:00
parent 3ad513ed14
commit ed1d4b82ad
454 changed files with 42542 additions and 723 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
k8s/nginx-https/container/Dockerfile Normal file
View File

@@ -0,0 +1,12 @@
FROM nginx:stable
LABEL maintainer "contact@ipdb.global"
WORKDIR /
RUN apt-get update \
&& apt-get -y upgrade \
&& apt-get autoremove \
&& apt-get clean
COPY nginx.conf.threescale.template /etc/nginx/nginx-threescale.conf
COPY nginx.conf.template /etc/nginx/nginx.conf
COPY nginx_entrypoint.bash /
EXPOSE 80 443 27017 9986 26656
ENTRYPOINT ["/nginx_entrypoint.bash"]

22
k8s/nginx-https/container/README.md Normal file
View File

@@ -0,0 +1,22 @@
<!---
Copyright © 2020 Interplanetary Database Association e.V.,
Planetmint and IPDB software contributors.
SPDX-License-Identifier: (Apache-2.0 AND CC-BY-4.0)
Code is Apache-2.0 and docs are CC-BY-4.0
--->
## Nginx container for Secure WebSocket Support
### Step 1: Build and Push the Latest Container
Use the `docker_build_and_push.bash` script to build the latest docker image
and upload it to Docker Hub.
Ensure that the image tag is updated to a new version number to properly
reflect any changes made to the container.
### Note about testing Websocket connections:
You can test the WebSocket server by using
[wsc](https://www.npmjs.com/package/wsc) tool with a command like:
`wsc -er wss://localhost:9985/api/v1/streams/valid_transactions`.

10
k8s/nginx-https/container/docker_build_and_push.bash Executable file
View File

@@ -0,0 +1,10 @@
#!/bin/bash
# Copyright © 2020 Interplanetary Database Association e.V.,
# Planetmint and IPDB software contributors.
# SPDX-License-Identifier: (Apache-2.0 AND CC-BY-4.0)
# Code is Apache-2.0 and docs are CC-BY-4.0
docker build -t bigchaindb/nginx_https:2.2.2 .
docker push bigchaindb/nginx_https:2.2.2

201
k8s/nginx-https/container/nginx.conf.template Normal file
View File

@@ -0,0 +1,201 @@
# Frontend API server that:
# 1. Acts as the HTTPS termination point.
# 2. Authorizes HTTP requests with secret token header
# and forwards to BDB backend.
# 3. Forwards BDB WS requests to BDB backend.
# 4. Does health check with LB.
worker_processes 2;
daemon off;
user nobody nogroup;
pid /tmp/nginx.pid;
error_log /dev/stderr;
events {
# Each worker handles up to 512 connections. Increase this for heavy
# workloads.
worker_connections 512;
accept_mutex on;
use epoll;
}
http {
access_log /dev/stdout combined buffer=16k flush=5s;
# Allow 10 req/sec from the same IP address, and store the counters in a
# `zone` or shared memory location tagged as 'one'.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
# Enable logging when requests are being throttled.
limit_req_log_level notice;
# HTTP status code that is returned to the client; 429 is for TooManyRequests,
# ref. RFC 6585
limit_req_status 429;
# Limit requests from the same client, allow `burst` to 20 r/s,
# `nodelay` or drop connection immediately in case it exceeds this
# threshold.
limit_req zone=one burst=20 nodelay;
# `slowloris` attack mitigation settings.
client_body_timeout 10s;
client_header_timeout 10s;
# Do not expose nginx data/version number in error response and header
server_tokens off;
# To prevent cross-site scripting
add_header X-XSS-Protection "1; mode=block";
# DNS resolver to use for all the backend names specified in this configuration.
resolver DNS_SERVER valid=30s ipv6=off;
keepalive_timeout 60s;
# The following map blocks enable lazy-binding to the backend at runtime,
# rather than binding as soon as NGINX starts.
map $remote_addr $bdb_backend {
default PLANETMINT_BACKEND_HOST;
}
# Frontend server for the external clients; acts as HTTPS termination point.
server {
listen NODE_FRONTEND_PORT ssl;
server_name "NODE_FQDN";
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/cert.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
underscores_in_headers on;
# Forward websockets directly to backend BDB.
location /api/v1/streams/valid_transactions {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://$bdb_backend:PLANETMINT_WS_PORT;
proxy_read_timeout 600s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Forward other URL paths as per business logic/use case to BDB or
# OpenResty instance.
location / {
set $auth_check 1; #Flag to authorize POST requests
proxy_ignore_client_abort on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# max client request body size: avg transaction size.
client_max_body_size 15k;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-Secret-Access-Token,User-Agent';
add_header 'Access-Control-Max-Age' 43200;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
if ( $http_x_secret_access_token != "SECRET_ACCESS_TOKEN" ) {
set $auth_check 0;
}
if ($request_method = POST ) {
set $auth_check "${auth_check}1";
}
if ( $auth_check = "01" ) {
return 403;
}
# No auth for GETs, forward directly to BDB.
if ($request_method = GET) {
proxy_pass http://$bdb_backend:PLANETMINT_API_PORT;
}
if ($request_method = POST ) {
proxy_pass http://$bdb_backend:PLANETMINT_API_PORT;
}
# Only return this reponse if request_method is neither POST|GET|OPTIONS
if ($request_method !~ ^(GET|OPTIONS|POST)$) {
return 444;
}
}
}
# Frontend server for the load balancer to respond to health checks.
server {
listen HEALTH_CHECK_PORT;
location = /health {
return 200;
}
}
# Frontend server for the external clients; returns a pretty error message
# when an HTTP request is sent instead of HTTPS.
server {
listen 80;
server_name "NODE_FQDN";
location / {
add_header Upgrade "TLS/1.2, HTTP/1.1" always;
default_type text/plain;
return 426 'Consider using the HTTPS protocol next time!';
}
}
}
# NGINX stream block for TCP and UDP proxies.
stream {
log_format bdb_log '[$time_iso8601] $realip_remote_addr $remote_addr '
'$proxy_protocol_addr $proxy_protocol_port '
'$protocol $status $session_time $bytes_sent '
'$bytes_received "$upstream_addr" "$upstream_bytes_sent" '
'"$upstream_bytes_received" "$upstream_connect_time" ';
access_log /dev/stdout bdb_log buffer=16k flush=5s;
# Define a zone 'two' of size 10 megabytes to store the counters
# that hold number of TCP connections from a specific IP address.
limit_conn_zone $binary_remote_addr zone=two:10m;
# Enable logging when connections are being throttled.
limit_conn_log_level notice;
# Allow 256 connections from the same IP address.
limit_conn two 256;
# DNS resolver to use for all the backend names specified in this configuration.
resolver DNS_SERVER valid=30s ipv6=off;
# The following map blocks enable lazy-binding to the backend at runtime,
# rather than binding as soon as NGINX starts.
map $remote_addr $bdb_backend {
default PLANETMINT_BACKEND_HOST;
}
# Server to forward connection to nginx instance hosting
# tendermint node public key.
server {
listen TM_PUB_KEY_ACCESS_PORT;
proxy_pass $bdb_backend:TM_PUB_KEY_ACCESS_PORT;
}
# Server to forward p2p connections to Tendermint instance.
server {
listen TM_P2P_PORT so_keepalive=3m:1m:5;
preread_timeout 60s;
tcp_nodelay on;
proxy_pass $bdb_backend:TM_P2P_PORT;
}
}

198
k8s/nginx-https/container/nginx.conf.threescale.template Normal file
View File

@@ -0,0 +1,198 @@
# Frontend API server that:
# 1. Acts as the HTTPS termination point.
# 2. Forwards BDB HTTP requests to OpenResty backend.
# 3. Forwards BDB WS requests to BDB backend.
# 4. Does health check with LB.
worker_processes 2;
daemon off;
user nobody nogroup;
pid /tmp/nginx.pid;
error_log /dev/stderr;
events {
# Each worker handles up to 512 connections. Increase this for heavy
# workloads.
worker_connections 512;
accept_mutex on;
use epoll;
}
http {
access_log /dev/stdout combined buffer=16k flush=5s;
# Allow 10 req/sec from the same IP address, and store the counters in a
# `zone` or shared memory location tagged as 'one'.
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
# Enable logging when requests are being throttled.
limit_req_log_level notice;
# HTTP status code that is returned to the client; 429 is for TooManyRequests,
# ref. RFC 6585
limit_req_status 429;
# Limit requests from the same client, allow `burst` to 20 r/s,
# `nodelay` or drop connection immediately in case it exceeds this
# threshold.
limit_req zone=one burst=20 nodelay;
# `slowloris` attack mitigation settings.
client_body_timeout 10s;
client_header_timeout 10s;
# Do not expose nginx data/version number in error response and header
server_tokens off;
# To prevent cross-site scripting
add_header X-XSS-Protection "1; mode=block";
# DNS resolver to use for all the backend names specified in this configuration.
resolver DNS_SERVER valid=30s ipv6=off;
keepalive_timeout 60s;
# The following map blocks enable lazy-binding to the backend at runtime,
# rather than binding as soon as NGINX starts.
map $remote_addr $bdb_backend {
default PLANETMINT_BACKEND_HOST;
}
map $remote_addr $openresty_backend {
default OPENRESTY_BACKEND_HOST;
}
# Frontend server for the external clients; acts as HTTPS termination point.
server {
listen NODE_FRONTEND_PORT ssl;
server_name "NODE_FQDN";
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/cert.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
underscores_in_headers on;
# Forward websockets directly to backend BDB.
location /api/v1/streams/valid_transactions {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://$bdb_backend:PLANETMINT_WS_PORT;
proxy_read_timeout 600s;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Forward other URL paths as per business logic/use case to BDB or
# OpenResty instance.
location / {
proxy_ignore_client_abort on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# max client request body size: avg transaction size.
client_max_body_size 15k;
# No auth for GETs, forward directly to BDB.
if ($request_method = GET) {
proxy_pass http://$bdb_backend:PLANETMINT_API_PORT;
}
# POST requests get forwarded to OpenResty instance. Enable CORS too.
if ($request_method = POST ) {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
proxy_pass http://$openresty_backend:OPENRESTY_BACKEND_PORT;
}
# OPTIONS requests handling for CORS.
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,app_key,app_id';
add_header 'Access-Control-Max-Age' 43200;
add_header 'Content-Type' 'text/plain charset=UTF-8';
add_header 'Content-Length' 0;
return 204;
}
# Only return this reponse if request_method is neither POST|GET|OPTIONS
if ($request_method !~ ^(GET|OPTIONS|POST)$) {
return 444;
}
}
}
# Frontend server for the load balancer to respond to health checks.
server {
listen HEALTH_CHECK_PORT;
location = /health {
return 200;
}
}
# Frontend server for the external clients; returns a pretty error message
# when an HTTP request is sent instead of HTTPS.
server {
listen 80;
server_name "NODE_FQDN";
location / {
add_header Upgrade "TLS/1.2, HTTP/1.1" always;
default_type text/plain;
return 426 'Consider using the HTTPS protocol next time!';
}
}
}
# NGINX stream block for TCP and UDP proxies.
stream {
log_format bdb_log '[$time_iso8601] $realip_remote_addr $remote_addr '
'$proxy_protocol_addr $proxy_protocol_port '
'$protocol $status $session_time $bytes_sent '
'$bytes_received "$upstream_addr" "$upstream_bytes_sent" '
'"$upstream_bytes_received" "$upstream_connect_time" ';
access_log /dev/stdout bdb_log buffer=16k flush=5s;
# Define a zone 'two' of size 10 megabytes to store the counters
# that hold number of TCP connections from a specific IP address.
limit_conn_zone $binary_remote_addr zone=two:10m;
# Enable logging when connections are being throttled.
limit_conn_log_level notice;
# Allow 256 connections from the same IP address.
limit_conn two 256;
# DNS resolver to use for all the backend names specified in this configuration.
resolver DNS_SERVER valid=30s ipv6=off;
# The following map blocks enable lazy-binding to the backend at runtime,
# rather than binding as soon as NGINX starts.
map $remote_addr $bdb_backend {
default PLANETMINT_BACKEND_HOST;
}
# Server to forward connection to nginx instance hosting
# tendermint node public key.
server {
listen TM_PUB_KEY_ACCESS_PORT;
proxy_pass $bdb_backend:TM_PUB_KEY_ACCESS_PORT;
}
# Server to forward p2p connections to Tendermint instance.
server {
listen TM_P2P_PORT so_keepalive=3m:1m:5;
preread_timeout 60s;
tcp_nodelay on;
proxy_pass $bdb_backend:TM_P2P_PORT;
}
}

102
k8s/nginx-https/container/nginx_entrypoint.bash Executable file
View File

@@ -0,0 +1,102 @@
#!/bin/bash
# Copyright © 2020 Interplanetary Database Association e.V.,
# Planetmint and IPDB software contributors.
# SPDX-License-Identifier: (Apache-2.0 AND CC-BY-4.0)
# Code is Apache-2.0 and docs are CC-BY-4.0
set -euo pipefail
# Authorization Modes
threescale_auth_mode="threescale"
secret_token_auth_mode="secret-token"
# Cluster vars
node_fqdn=`printenv NODE_FQDN`
node_frontend_port=`printenv NODE_FRONTEND_PORT`
# NGINX vars
dns_server=`printenv DNS_SERVER`
health_check_port=`printenv HEALTH_CHECK_PORT`
authorization_mode=`printenv AUTHORIZATION_MODE`
# MongoDB vars
mongo_backend_host=`printenv MONGODB_BACKEND_HOST`
mongo_backend_port=`printenv MONGODB_BACKEND_PORT`
# OpenResty vars
openresty_backend_host=`printenv OPENRESTY_BACKEND_HOST`
openresty_backend_port=`printenv OPENRESTY_BACKEND_PORT`
# Planetmint vars
bdb_backend_host=`printenv PLANETMINT_BACKEND_HOST`
bdb_api_port=`printenv PLANETMINT_API_PORT`
bdb_ws_port=`printenv PLANETMINT_WS_PORT`
# Tendermint vars
tm_pub_key_access_port=`printenv TM_PUB_KEY_ACCESS_PORT`
tm_p2p_port=`printenv TM_P2P_PORT`
# sanity check
if [[ -z "${node_frontend_port:?NODE_FRONTEND_PORT not specified. Exiting!}" || \
-z "${mongo_backend_host:?MONGODB_BACKEND_HOST not specified. Exiting!}" || \
-z "${mongo_backend_port:?MONGODB_BACKEND_PORT not specified. Exiting!}" || \
-z "${openresty_backend_port:?OPENRESTY_BACKEND_PORT not specified. Exiting!}" || \
-z "${openresty_backend_host:?OPENRESTY_BACKEND_HOST not specified. Exiting!}" || \
-z "${bdb_backend_host:?PLANETMINT_BACKEND_HOST not specified. Exiting!}" || \
-z "${bdb_api_port:?PLANETMINT_API_PORT not specified. Exiting!}" || \
-z "${bdb_ws_port:?PLANETMINT_WS_PORT not specified. Exiting!}" || \
-z "${dns_server:?DNS_SERVER not specified. Exiting!}" || \
-z "${health_check_port:?HEALTH_CHECK_PORT not specified. Exiting!}" || \
-z "${node_fqdn:?NODE_FQDN not specified. Exiting!}" || \
-z "${tm_pub_key_access_port:?TM_PUB_KEY_ACCESS_PORT not specified. Exiting!}" || \
-z "${tm_p2p_port:?TM_P2P_PORT not specified. Exiting!}" ]]; then
echo "Missing required environment variables. Exiting!"
exit 1
else
echo NODE_FQDN="$node_fqdn"
echo NODE_FRONTEND_PORT="$node_frontend_port"
echo DNS_SERVER="$dns_server"
echo HEALTH_CHECK_PORT="$health_check_port"
echo MONGODB_BACKEND_HOST="$mongo_backend_host"
echo MONGODB_BACKEND_PORT="$mongo_backend_port"
echo OPENRESTY_BACKEND_HOST="$openresty_backend_host"
echo OPENRESTY_BACKEND_PORT="$openresty_backend_port"
echo PLANETMINT_BACKEND_HOST="$bdb_backend_host"
echo PLANETMINT_API_PORT="$bdb_api_port"
echo PLANETMINT_WS_PORT="$bdb_ws_port"
echo TM_PUB_KEY_ACCESS_PORT="$tm_pub_key_access_port"
echo TM_P2P_PORT="$tm_p2p_port"
fi
if [[ ${authorization_mode} == ${secret_token_auth_mode} ]]; then
NGINX_CONF_FILE=/etc/nginx/nginx.conf
secret_access_token=`printenv SECRET_ACCESS_TOKEN`
sed -i "s|SECRET_ACCESS_TOKEN|${secret_access_token}|g" ${NGINX_CONF_FILE}
elif [[ ${authorization_mode} == ${threescale_auth_mode} ]]; then
NGINX_CONF_FILE=/etc/nginx/nginx-threescale.conf
sed -i "s|OPENRESTY_BACKEND_PORT|${openresty_backend_port}|g" ${NGINX_CONF_FILE}
sed -i "s|OPENRESTY_BACKEND_HOST|${openresty_backend_host}|g" ${NGINX_CONF_FILE}
else
echo "Unrecognised authorization mode: ${authorization_mode}. Exiting!"
exit 1
fi
# configure the nginx.conf file with env variables
sed -i "s|NODE_FQDN|${node_fqdn}|g" ${NGINX_CONF_FILE}
sed -i "s|NODE_FRONTEND_PORT|${node_frontend_port}|g" ${NGINX_CONF_FILE}
sed -i "s|MONGODB_BACKEND_HOST|${mongo_backend_host}|g" ${NGINX_CONF_FILE}
sed -i "s|MONGODB_BACKEND_PORT|${mongo_backend_port}|g" ${NGINX_CONF_FILE}
sed -i "s|PLANETMINT_BACKEND_HOST|${bdb_backend_host}|g" ${NGINX_CONF_FILE}
sed -i "s|PLANETMINT_API_PORT|${bdb_api_port}|g" ${NGINX_CONF_FILE}
sed -i "s|PLANETMINT_WS_PORT|${bdb_ws_port}|g" ${NGINX_CONF_FILE}
sed -i "s|DNS_SERVER|${dns_server}|g" ${NGINX_CONF_FILE}
sed -i "s|HEALTH_CHECK_PORT|${health_check_port}|g" ${NGINX_CONF_FILE}
sed -i "s|TM_PUB_KEY_ACCESS_PORT|${tm_pub_key_access_port}|g" ${NGINX_CONF_FILE}
sed -i "s|TM_P2P_PORT|${tm_p2p_port}|g" ${NGINX_CONF_FILE}
# start nginx
echo "INFO: starting nginx..."
exec nginx -c ${NGINX_CONF_FILE}