diff --git a/st2web/Dockerfile b/st2web/Dockerfile
index 3dc81656..6972c1bc 100644
--- a/st2web/Dockerfile
+++ b/st2web/Dockerfile
@@ -23,6 +23,8 @@ ENV ST2WEB_HTTPS 0
 ENV ST2_AUTH_URL http://st2auth:9100/
 ENV ST2_API_URL http://st2api:9101/
 ENV ST2_STREAM_URL http://st2stream:9102/
+ENV ST2_PORT_HTTP 80
+ENV ST2_PORT_HTTPS 443
 # Generate UTF-8 locale
 RUN apt-get -qq update \
@@ -78,5 +80,8 @@ VOLUME ["/etc/ssl/st2/"]
 EXPOSE 80
 EXPOSE 443
+EXPOSE 8080
+EXPOSE 8443
 STOPSIGNAL SIGTERM
-CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]
+RUN touch /var/run/nginx.pid && chown 999:999 /etc/nginx/conf.d/ /var/cache/nginx/ /var/run/nginx.pid
+CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL} ${ST2_PORT_HTTP} ${ST2_PORT_HTTPS}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]
diff --git a/st2web/README.md b/st2web/README.md
index 776eb9fd..8e05e433 100644
--- a/st2web/README.md
+++ b/st2web/README.md
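Review bot: The added `RUN touch /var/run/nginx.pid && chown 999:999 /etc/nginx/conf.d/ ...` line gives the runtime uid write access to the entire nginx config directory, although the CMD that follows only ever writes `/etc/nginx/conf.d/st2.conf`; with the directory writable, a process running as 999 can also create or replace other `*.conf` files (and the two templates) that nginx picks up, which is more privilege than the envsubst step needs. Pre-creating the one generated file and chowning only it keeps the rest of `conf.d` root-owned, since `>` truncation needs write access to the file, not the directory: `RUN touch /var/run/nginx.pid /etc/nginx/conf.d/st2.conf && chown 999:999 /etc/nginx/conf.d/st2.conf /var/cache/nginx/ /var/run/nginx.pid`. The image still sets no `USER`, so non-root operation only happens when the operator supplies the uid/gid at run time as the README describes; a one-line comment above the RUN stating that would save the next reader a trip to the README. The new `ST2_PORT_HTTP`/`ST2_PORT_HTTPS` values are substituted into the nginx `listen` directives unchecked, so a guard in the CMD such as `case \"${ST2_PORT_HTTP}${ST2_PORT_HTTPS}\" in *[!0-9]*) echo 'ST2_PORT_* must be numeric' >&2; exit 1;; esac` would fail fast with a clear message instead of letting nginx reject the generated config.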
@@ -11,9 +11,19 @@ The following environment variables are available for configuration:
 - `ST2_API_URL` (default: `http://st2api:9101/`) - StackStorm API service
 - `ST2_STREAM_URL` (default: `http://st2stream:9102/`) - StackStorm Stream service
 - `ST2WEB_HTTPS` (default: `0`) - Use https with st2web
+- `ST2_PORT_HTTP` (default: `80`) - Port to listen for HTTP traffic
+- `ST2_PORT_HTTPS` (default: `443`) - Port to listen for HTTPS traffic
 > Warning! All 3 services should be DNS/network accessible for `st2web` container to start properly. Thanks to K8s pod restarts, it's not a problem.
+### Running as Non-Root
+
+To run the `st2web` as non-root, pass the following config options:
+
+* `ST2_PORT_HTTP` - should be set as `8080`
+* `ST2_PORT_HTTPS` - should be set as `8443`
+* Run the container as `uid`/`gid` - `999:999`
+
 ### Secrets
 > Note! You may safely ignore this section if `ST2WEB_HTTPS` is set to `0`.
diff --git a/st2web/files/st2.conf-http.patch b/st2web/files/st2.conf-http.patch
index c4c8e7fe..6b40a8e0 100644
--- a/st2web/files/st2.conf-http.patch
+++ b/st2web/files/st2.conf-http.patch
@@ -1,22 +1,24 @@ ---- st2.conf 2021-06-18 19:45:50.892196136 +0100 -+++ st2.http.conf 2021-06-18 19:50:00.098280995 +0100 -@@ -8,44 +8,18 @@ - +--- st2.conf 2023-09-01 16:31:41.000000000 +0100 ++++ st2.http.conf 2023-09-01 16:33:45.000000000 +0100 +@@ -7,45 +7,19 @@ + # see https://docs.stackstorm.com/install.html for details + server { - listen *:80 default_server; +- listen *:80 default_server; ++ listen *:${ST2_PORT_HTTP} default_server; + server_tokens off; - + - add_header Front-End-Https on; add_header X-Content-Type-Options nosniff; - + - if ($ssl_protocol = "") { - return 308 https://$host$request_uri; - } - if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { - return 405; - } - index index.html; - +- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { +- return 405; +- } +- index index.html; +- - access_log /var/log/nginx/st2webui.access.log combined; - error_log /var/log/nginx/st2webui.error.log; -} @@ -25,9 +27,9 @@ - listen *:443 ssl; - server_tokens off; - -- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { -- return 405; -- } + if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { + return 405; + } - - ssl_certificate /etc/ssl/st2/st2.crt; - ssl_certificate_key /etc/ssl/st2/st2.key; 
@@ -37,39 +39,39 @@ - ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4; - ssl_prefer_server_ciphers on; - -- index index.html; -- + index index.html; + - access_log /var/log/nginx/ssl-st2webui.access.log combined; - error_log /var/log/nginx/ssl-st2webui.error.log; + access_log /proc/self/fd/1 combined; + error_log stderr; - + - add_header Front-End-Https on; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY always; add_header Strict-Transport-Security "max-age=3153600;includeSubDomains"; @@ -61,7 +35,7 @@ - + rewrite ^/api/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9101/; + proxy_pass ${ST2_API_URL}; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_redirect off; @@ -99,7 +73,7 @@ - + rewrite ^/stream/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9102/; + proxy_pass ${ST2_STREAM_URL}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; @@ -138,7 +112,7 @@ - + rewrite ^/auth/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9100/; + proxy_pass ${ST2_AUTH_URL}; proxy_read_timeout 90; diff --git a/st2web/files/st2.conf-https.patch b/st2web/files/st2.conf-https.patch index 899093e7..6f4bee5e 100644 --- a/st2web/files/st2.conf-https.patch +++ b/st2web/files/st2.conf-https.patch 
@@ -1,51 +1,86 @@ ---- st2.conf 2021-06-18 19:45:50.892196136 +0100 -+++ st2.https.conf 2021-06-18 19:45:50.884196198 +0100 -@@ -20,8 +20,8 @@ +--- st2.conf 2023-09-18 15:03:31.000000000 +0100 ++++ st2.https.conf 2023-09-18 15:12:35.000000000 +0100 +@@ -7,7 +7,7 @@ + # see https://docs.stackstorm.com/install.html for details + + server { +- listen *:80 default_server; ++ listen *:${ST2_PORT_HTTP} default_server; + + add_header Front-End-Https on; + add_header X-Content-Type-Options nosniff; +@@ -20,12 +20,12 @@ } index index.html; - + - access_log /var/log/nginx/st2webui.access.log combined; - error_log /var/log/nginx/st2webui.error.log; + access_log /proc/self/fd/1 combined; + error_log stderr; } - + server { +- listen *:443 ssl; ++ listen *:${ST2_PORT_HTTPS} ssl; + server_tokens off; + + if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) { 
@@ -42,8 +42,8 @@ - + index index.html; - + - access_log /var/log/nginx/ssl-st2webui.access.log combined; - error_log /var/log/nginx/ssl-st2webui.error.log; + access_log /proc/self/fd/1 combined; + error_log stderr; - + add_header Front-End-Https on; add_header X-Content-Type-Options nosniff; -@@ -61,7 +61,7 @@ - +@@ -61,10 +61,11 @@ + rewrite ^/api/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9101/; + proxy_pass ${ST2_API_URL}; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_redirect off; -@@ -99,7 +99,7 @@ - ++ proxy_ssl_verify off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; +@@ -99,12 +100,13 @@ + rewrite ^/stream/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9102/; + proxy_pass ${ST2_STREAM_URL}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -@@ -138,7 +138,7 @@ - + proxy_read_timeout 200; + proxy_connect_timeout 200; ++ proxy_ssl_verify off; + + sendfile on; + tcp_nopush on; +@@ -138,10 +140,11 @@ + rewrite ^/auth/(.*) /$1 break; - + - proxy_pass http://127.0.0.1:9100/; + proxy_pass ${ST2_AUTH_URL}; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_redirect off; ++ proxy_ssl_verify off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; +@@ -164,4 +167,4 @@ + tcp_nopush on; + tcp_nodelay on; + } +-} ++} +\ No newline at end of file
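Review bot: The three `proxy_ssl_verify off;` lines added to the api, stream and auth proxy blocks of the https template disable upstream certificate validation (this is nginx's default, so the lines make the behaviour explicit rather than change it); whenever `ST2_API_URL`, `ST2_STREAM_URL` or `ST2_AUTH_URL` is an https endpoint, st2web will accept any certificate on that hop, so the auth tokens and API calls it relays are exposed to interception on the cluster network. If the upstreams carry certificates from a known CA, the verified form is `proxy_ssl_verify on;` plus `proxy_ssl_trusted_certificate <path-to-upstream-ca-bundle>;` (placeholder path) and `proxy_ssl_server_name on;` so the name check matches the upstream host. If leaving verification off is the intended default for plain-http upstreams, a comment beside each directive such as `# upstream certs are not validated; safe only when ST2_*_URL is http:// or the network is trusted` records that trade-off for the next maintainer. The tail of the hunk also appears to replace the final `}` with one lacking a trailing newline (`\ No newline at end of file`), which the nested patch will carry into the generated st2.https.conf; restoring the newline avoids a spurious diff on every later edit.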