Merge branch 'next' into envsbust-awk

alxndrsn · Dec 10, 2024 · d24a9e9 · d24a9e9
2 parents af73093 + 20878c7
commit d24a9e9
Show file tree

Hide file tree

Showing 15 changed files with 202 additions and 32 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -30,11 +30,11 @@ jobs:
             docker compose up -d
             CONTAINER_NAME=$(docker inspect -f '{{.Name}}' $(docker compose ps -q nginx) | cut -c2-)
             docker run --network container:$CONTAINER_NAME \
-              appropriate/curl -4 --insecure --retry 30 --retry-delay 10 --retry-connrefused https://localhost/ \
+              appropriate/curl -4 --insecure --retry 30 --retry-delay 10 --retry-connrefused https://localhost/ -H 'Host: local' \
               | tee /dev/tty \
               | grep -q 'ODK Central'
             docker run --network container:$CONTAINER_NAME \
-              appropriate/curl -4 --insecure --retry 20 --retry-delay 2 --retry-connrefused https://localhost/v1/projects \
+              appropriate/curl -4 --insecure --retry 20 --retry-delay 2 --retry-connrefused https://localhost/v1/projects -H 'Host: local' \
               | tee /dev/tty \
               | grep -q '\[\]'
       - run:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -26,7 +26,7 @@ jobs:
         submodules: recursive
     - uses: actions/setup-node@v4
       with:
-        node-version: 20.17.0
+        node-version: 22.12.0
     - run: cd test/nginx && npm i
     - run: cd test/nginx && ./run-tests.sh
 

diff --git a/client b/client
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -108,7 +108,7 @@ services:
       options:
         max-file: "30"
   pyxform:
-    image: 'ghcr.io/getodk/pyxform-http:v2.1.1'
+    image: 'ghcr.io/getodk/pyxform-http:v3.0.0'
     restart: always
   secrets:
     volumes:

diff --git a/enketo.dockerfile b/enketo.dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/enketo/enketo:7.4.0
+FROM ghcr.io/enketo/enketo:7.5.0
 
 ENV ENKETO_SRC_DIR=/srv/src/enketo/packages/enketo-express
 WORKDIR ${ENKETO_SRC_DIR}

diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
@@ -1,3 +1,12 @@
+server {
+  listen 443 default_server ssl;
+
+  ssl_certificate /etc/nginx/ssl/nginx.default.crt;
+  ssl_certificate_key /etc/nginx/ssl/nginx.default.key;
+
+  return 421;
+}
+
 server {
   listen 443 ssl;
   server_name ${DOMAIN};

diff --git a/files/nginx/redirector.conf b/files/nginx/redirector.conf
@@ -1,8 +1,9 @@
 server {
     # Listen on plain old HTTP and catch all requests so they can be redirected
     # to HTTPS instead.
-    listen 80 default_server reuseport;
-    listen [::]:80 default_server reuseport;
+    listen 80 reuseport;
+    listen [::]:80 reuseport;
+    server_name ${DOMAIN};
 
     # Anything requesting this particular URL should be served content from
     # Certbot's folder so the HTTP-01 ACME challenges can be completed for the
@@ -18,3 +19,10 @@ server {
         return 301 https://$http_host$request_uri;
     }
 }
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    return 421;
+}
diff --git a/files/nginx/setup-odk.sh b/files/nginx/setup-odk.sh
@@ -10,6 +10,15 @@ fi
   < /usr/share/odk/nginx/client-config.json.template \
   > /usr/share/nginx/html/client-config.json
 
+# Generate self-signed keys for the incorrect (catch-all) HTTPS listener.  This
+# cert should never be seen by legitimate users, so it's not a big deal that
+# it's self-signed and won't expire for 1,000 years.
+mkdir -p /etc/nginx/ssl
+openssl req -x509 -nodes -newkey rsa:2048 \
+    -subj "/" \
+    -keyout /etc/nginx/ssl/nginx.default.key \
+    -out    /etc/nginx/ssl/nginx.default.crt \
+    -days 365000
 
 DH_PATH=/etc/dh/nginx.pem
 if [ "$SSL_TYPE" != "upstream" ] && [ ! -s "$DH_PATH" ]; then
@@ -29,7 +38,9 @@ fi
 # start from fresh templates in case ssl type has changed
 echo "writing fresh nginx templates..."
 # redirector.conf gets deleted if using upstream SSL so copy it back
-cp /usr/share/odk/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
+envsubst '$DOMAIN' \
+  < /usr/share/odk/nginx/redirector.conf \
+  > /etc/nginx/conf.d/redirector.conf
 
 CERT_DOMAIN=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
 /scripts/envsub.awk \

diff --git a/nginx.dockerfile b/nginx.dockerfile
@@ -1,4 +1,4 @@
-FROM node:20.17.0-slim AS intermediate
+FROM node:22.12.0-slim AS intermediate
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \

diff --git a/secrets.dockerfile b/secrets.dockerfile
@@ -1,3 +1,3 @@
-FROM node:20.17.0-slim
+FROM node:22.12.0-slim
 
 COPY files/enketo/generate-secrets.sh ./
diff --git a/server b/server
diff --git a/service.dockerfile b/service.dockerfile
@@ -1,4 +1,4 @@
-ARG node_version=20.17.0
+ARG node_version=22.12.0
 
 
 

diff --git a/test/nginx/mock-http-server/package-lock.json b/test/nginx/mock-http-server/package-lock.json
diff --git a/test/nginx/run-tests.sh b/test/nginx/run-tests.sh
@@ -34,7 +34,7 @@ wait_for_http_response  5 localhost:8383/health 200
 log "Waiting for mock enketo..."
 wait_for_http_response  5 localhost:8005/health 200
 log "Waiting for nginx..."
-wait_for_http_response 90 localhost:9000 301
+wait_for_http_response 90 localhost:9000 421
 
 npm run test:nginx
Original file line number	Diff line number	Diff line change
		@@ -1,4 +1,4 @@
		ARG node_version=20.17.0
		ARG node_version=22.12.0



Expand Down