[enh] Change configuration to have HTTPS only

2024-09-03 18:26:35 +02:00 · 2017-02-14 11:22:33 +01:00 · 2017-02-14 11:22:33 +01:00 · 821d2e2c8c
commit 821d2e2c8c
parent bc48fbbcad
4 changed files with 46 additions and 18 deletions
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -4,7 +4,7 @@ location / {
       proxy_set_header        Host            $http_host;
       proxy_set_header        X-NgninX-Porxy  true;

-       proxy_pass http://localhost:9220;
+       proxy_pass             http://localhost:YNH_EXAMPLE_PORT;
       proxy_redirect          off;

       # Socket.io support
@ -12,11 +12,28 @@ location / {
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";

-       location ^~ /api/ {
-             proxy_pass             http://YNH_EXAMPLE_DOMAIN:YNH_EXAMPLE_PORT/;
-       }
+	location ~ \.(js|css|woff|woff2|ttf) {
+		proxy_pass http://localhost:9220;
+		access_by_lua_file /usr/share/ssowat/access.lua;
+	}
+	
+	location /cesium {
+		proxy_pass http://localhost:9220;
+		access_by_lua_file /usr/share/ssowat/access.lua;
+		# Include SSOWAT user panel.
+		include conf.d/yunohost_panel.conf.inc;
+	}
+
+	location /webui {
+		proxy_pass http://localhost:9220/;
+		access_by_lua_file /usr/share/ssowat/access.lua;
+		# Include SSOWAT user panel.
+		include conf.d/yunohost_panel.conf.inc;
+	}
+
+	location ~ /webmin {
+		proxy_pass http://localhost:9220$uri;
+		access_by_lua_file /usr/share/ssowat/access.lua;
+	}

-       # Include SSOWAT user panel.
-       include conf.d/yunohost_panel.conf.inc;
 }
-
--- a/manifest.json
+++ b/manifest.json
@ -35,7 +35,7 @@
                "name": "path",
                "type": "path",
                "ask": {
-                    "en": "Path on which install the web admin (installable only on root path)",
+                    "en": "Path on which install the web admin (installable only on root path for now)",
                    "fr": "Chemin sur lequel ajouter l’administration web (installable uniquement à la racine)"
                },
                "example": "/",
@ -66,8 +66,8 @@
                    "en": "Port of synchronization",
                    "fr": "Port de synchronisation"
                },
-                "example": "8999",
-                "default": "8999"
+                "example": "10900",
+                "default": "10900"
            },
            {   
                "name": "salt",
--- a/scripts/functions.sh
+++ b/scripts/functions.sh
@ -10,6 +10,14 @@ wget -nc --quiet $url -P /tmp
 deb="/tmp/duniter-server-$version-linux-$arch.deb"
 sudo dpkg -i $deb > /dev/null
 sudo rm -f $deb
+
+# Fix https://github.com/duniter/cesium/issues/330
+sudo sed -i "s@443===@443==@g" /opt/duniter/sources/node_modules/duniter-ui/public/cesium/dist_js/cesium*
+sudo sed -i "s@port === 443@port == 443@g" /opt/duniter/sources/node_modules/duniter-ui/public/cesium/dist_js/cesium*
+
+# Force Cesium to use local instance
+sudo sed -i "s@\"host\".*@\"host\": \"$domain\",@" /opt/duniter/sources/node_modules/duniter-ui/public/cesium/config.js
+sudo sed -i "s@\"port\".*@\"port\": \"443\"@" /opt/duniter/sources/node_modules/duniter-ui/public/cesium/config.js
 }

 CONFIG_SSOWAT_FOR_RESTRICTED_ACCESS () {
@ -17,10 +25,10 @@ CONFIG_SSOWAT_FOR_RESTRICTED_ACCESS () {
 sudo yunohost app addaccess $app -u $admin

 # Allow only allowed users to access admin panel
-ynh_app_setting_set "$app" protected_uris "/" 
+ynh_app_setting_set "$app" protected_uris "/webui","/webmin","/cesium"

-# SSOwat Configuration
-#ynh_app_setting_set "$app" unprotected_uris "/api/"
+# Duniter is public app, with only some parts restricted in nginx.conf
+sudo yunohost app setting $app unprotected_uris -v "/"
 }

 CONFIG_NGINX_FOR_WEB_ADMIN () {
--- a/scripts/install
+++ b/scripts/install
@ -24,7 +24,7 @@ sudo yunohost app checkurl "${domain}${path}" -a "$app" \

 # Check path is root
 if [[ $path != '/' ]]; then
-  ynh_die "Web admin can only be installed on root path for now"
+  ynh_die "Duniter can only be installed on root path for now"
 fi

 # Check port availability
@ -52,18 +52,21 @@ if [[ $arch != "x64" && $arch != "armv7l" ]]; then
 	ynh_die "$arch is not supported." 2
 fi

-# Open port on firewall
-sudo yunohost firewall allow TCP $port > /dev/null 2>&1
-
 # Store config on YunoHost instance
 ynh_app_setting_set $app port $port
 ynh_app_setting_set $app arch $arch
 ynh_app_setting_set "$app" admin "$admin"

+# Open port on firewall
+sudo yunohost firewall allow TCP $port > /dev/null 2>&1
+
 INSTALL_DUNITER_DEBIAN_PACKAGE

 # Configure Duniter node
-sudo $app config --autoconf --remoteh $domain --port $port --remotep $port --salt $salt --passwd $password
+sudo $app config --ipv4 127.0.0.1 --port $port --remoteh $domain --remotep 443 --noupnp --salt $salt --passwd $password
+
+# Reset Duniter node's existing data (blockchain, not conf)
+sudo $app reset data > /dev/null

 # Synchronize Duniter node
 echo "Synchronizing with $sync_node:$sync_port. It may take a while."