From 821d2e2c8c6ba044420c0592658d79c3b893d09d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=A9dric=20Moreau?= Date: Tue, 14 Feb 2017 11:22:33 +0100 Subject: [PATCH] [enh] Change configuration to have HTTPS only --- conf/nginx.conf | 31 ++++++++++++++++++++++++------- manifest.json | 6 +++--- scripts/functions.sh | 14 +++++++++++--- scripts/install | 13 ++++++++----- 4 files changed, 46 insertions(+), 18 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index a226ce6..ed569f7 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -4,7 +4,7 @@ location / { proxy_set_header Host $http_host; proxy_set_header X-NgninX-Porxy true; - proxy_pass http://localhost:9220; + proxy_pass http://localhost:YNH_EXAMPLE_PORT; proxy_redirect off; # Socket.io support @@ -12,11 +12,28 @@ location / { proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - location ^~ /api/ { - proxy_pass http://YNH_EXAMPLE_DOMAIN:YNH_EXAMPLE_PORT/; - } + location ~ \.(js|css|woff|woff2|ttf) { + proxy_pass http://localhost:9220; + access_by_lua_file /usr/share/ssowat/access.lua; + } + + location /cesium { + proxy_pass http://localhost:9220; + access_by_lua_file /usr/share/ssowat/access.lua; + # Include SSOWAT user panel. + include conf.d/yunohost_panel.conf.inc; + } + + location /webui { + proxy_pass http://localhost:9220/; + access_by_lua_file /usr/share/ssowat/access.lua; + # Include SSOWAT user panel. + include conf.d/yunohost_panel.conf.inc; + } + + location ~ /webmin { + proxy_pass http://localhost:9220$uri; + access_by_lua_file /usr/share/ssowat/access.lua; + } - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; } - diff --git a/manifest.json b/manifest.json index 0913bff..cbb45c0 100644 --- a/manifest.json +++ b/manifest.json 
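Review bot: In the second nginx.conf hunk both regex locations are unanchored: `location ~ \.(js|css|woff|woff2|ttf)` matches any path that merely contains one of those strings (`.json`, for example), and `location ~ /webmin` matches `/webmin` anywhere in the path. Requests outside the three prefixes that scripts/functions.sh marks as protected can therefore still be routed to the backend on 9220, and with `unprotected_uris "/"` they are presumably not subject to SSO. Anchor the first as `location ~ \.(js|css|woff2?|ttf)$` and make the second a prefix block like its `/cesium` sibling, `location /webmin { proxy_pass http://localhost:9220; ... }`. That also takes `$uri` out of `proxy_pass`: `$uri` is the decoded, normalised path, so percent-encoded characters reach the upstream request unescaped and the query string is dropped. The new blocks hard-code 9220 while the first hunk templates the other port as `YNH_EXAMPLE_PORT`; a comment naming 9220 as the web-admin port would help, if that is the intent.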
@@ -35,7 +35,7 @@ "name": "path", "type": "path", "ask": { - "en": "Path on which install the web admin (installable only on root path)", + "en": "Path on which install the web admin (installable only on root path for now)", "fr": "Chemin sur lequel ajouter l’administration web (installable uniquement à la racine)" }, "example": "/", @@ -66,8 +66,8 @@ "en": "Port of synchronization", "fr": "Port de synchronisation" }, - "example": "8999", - "default": "8999" + "example": "10900", + "default": "10900" }, { "name": "salt", diff --git a/scripts/functions.sh b/scripts/functions.sh index 6de4a7f..d12dbb0 100644 --- a/scripts/functions.sh +++ b/scripts/functions.sh @@ -10,6 +10,14 @@ wget -nc --quiet $url -P /tmp deb="/tmp/duniter-server-$version-linux-$arch.deb" sudo dpkg -i $deb > /dev/null sudo rm -f $deb + +# Fix https://github.com/duniter/cesium/issues/330 +sudo sed -i "s@443===@443==@g" /opt/duniter/sources/node_modules/duniter-ui/public/cesium/dist_js/cesium* +sudo sed -i "s@port === 443@port == 443@g" /opt/duniter/sources/node_modules/duniter-ui/public/cesium/dist_js/cesium* + +# Force Cesium to use local instance +sudo sed -i "s@\"host\".*@\"host\": \"$domain\",@" /opt/duniter/sources/node_modules/duniter-ui/public/cesium/config.js +sudo sed -i "s@\"port\".*@\"port\": \"443\"@" /opt/duniter/sources/node_modules/duniter-ui/public/cesium/config.js } CONFIG_SSOWAT_FOR_RESTRICTED_ACCESS () { @@ -17,10 +25,10 @@ CONFIG_SSOWAT_FOR_RESTRICTED_ACCESS () { sudo yunohost app addaccess $app -u $admin # Allow only allowed users to access admin panel -ynh_app_setting_set "$app" protected_uris "/" +ynh_app_setting_set "$app" protected_uris "/webui","/webmin","/cesium" -# SSOwat Configuration -#ynh_app_setting_set "$app" unprotected_uris "/api/" +# Duniter is public app, with only some parts restricted in nginx.conf +sudo yunohost app setting $app unprotected_uris -v "/" } CONFIG_NGINX_FOR_WEB_ADMIN () { 
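Review bot: None of the four added `sed -i` calls in the first scripts/functions.sh hunk is checked, and `sed` exits 0 when the pattern is simply absent. If a later package changes the minified bundle or `config.js`, the install finishes with Cesium still pointing at whatever host the package ships rather than at the local node. Verify the result after the edits, e.g. `grep -q "\"host\": \"$domain\"" "$cesium_conf" || ynh_die "Cesium config.js was not patched"`, with the long path held once in a variable such as `cesium_conf`. `$domain` is also expanded inside the `s@...@...@` replacement, where `@`, `&` and `\` are special; a validated domain name should not contain them, but that assumption deserves a comment. The files being patched come from the `.deb` that the context lines above fetch with `wget -nc` into `/tmp` and install with `dpkg -i`, with no checksum check visible in this hunk; the function's opening line is outside the hunk.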
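Review bot: In CONFIG_SSOWAT_FOR_RESTRICTED_ACCESS the access model flips from default-protected (`protected_uris "/"`) to default-open (`unprotected_uris "/"` plus three protected prefixes), so any route that nginx proxies to the web-admin backend but that does not start with `/webui`, `/webmin` or `/cesium` is served without SSO. The comment should say why those three prefixes are exhaustive, for instance `# Admin UI lives only under /webui, /webmin and /cesium; everything else is the public node API`. The setup presumably also relies on SSOwat giving `protected_uris` precedence over `unprotected_uris`, which is worth confirming and noting. For consistency with the line above, use the helper with a quoted argument: `ynh_app_setting_set "$app" unprotected_uris "/"`. The function's opening line is visible only in the hunk header.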
diff --git a/scripts/install b/scripts/install index 8199055..17dc5cd 100755 --- a/scripts/install +++ b/scripts/install @@ -24,7 +24,7 @@ sudo yunohost app checkurl "${domain}${path}" -a "$app" \ # Check path is root if [[ $path != '/' ]]; then - ynh_die "Web admin can only be installed on root path for now" + ynh_die "Duniter can only be installed on root path for now" fi # Check port availability @@ -52,18 +52,21 @@ if [[ $arch != "x64" && $arch != "armv7l" ]]; then ynh_die "$arch is not supported." 2 fi -# Open port on firewall -sudo yunohost firewall allow TCP $port > /dev/null 2>&1 - # Store config on YunoHost instance ynh_app_setting_set $app port $port ynh_app_setting_set $app arch $arch ynh_app_setting_set "$app" admin "$admin" +# Open port on firewall +sudo yunohost firewall allow TCP $port > /dev/null 2>&1 + INSTALL_DUNITER_DEBIAN_PACKAGE # Configure Duniter node -sudo $app config --autoconf --remoteh $domain --port $port --remotep $port --salt $salt --passwd $password +sudo $app config --ipv4 127.0.0.1 --port $port --remoteh $domain --remotep 443 --noupnp --salt $salt --passwd $password + +# Reset Duniter node's existing data (blockchain, not conf) +sudo $app reset data > /dev/null # Synchronize Duniter node echo "Synchronizing with $sync_node:$sync_port. It may take a while."
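Review bot: In the second scripts/install hunk the firewall rule is kept (only moved) although the node is now configured with `--ipv4 127.0.0.1` and advertised with `--remotep 443`, so `sudo yunohost firewall allow TCP $port` looks unnecessary. It would leave the port exposed if the bind address ever changes; if nothing else listens on that port, drop the line. The rewritten `config` call also expands `$salt` and `$password` unquoted, so a value containing spaces or glob characters is split or expanded before Duniter sees it; quote them, `--salt "$salt" --passwd "$password"`, and likewise `"$domain"` and `"$port"`. Both secrets are passed in argv, where other local users can read them from the process list while the command runs; if the `config` command offers a non-argv way to supply them, prefer it.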