From 55bee7422d324cd4d6c59a95186d407089796dd4 Mon Sep 17 00:00:00 2001
From: Tom Wiesing
Date: Sat, 17 Sep 2022 15:23:27 +0200
Subject: [PATCH] component/web: Add http and https variants
---
 README.md | 2 +-
 .../component/web/{web.env => web-http.env} | 2 +-
 .../component/web/web-http/docker-compose.yml | 30 +++++++++++++
 .../web/{stack => web-http}/global.conf | 0
 .../web/{stack => web-http}/proxy.conf | 0
 internal/component/web/web-https.env | 2 +
 .../{stack => web-https}/docker-compose.yml | 0
 internal/component/web/web-https/global.conf | 4 ++
 internal/component/web/web-https/proxy.conf | 19 +++++++++
 internal/component/web/web.go | 42 ++++++++++++++-----
 10 files changed, 88 insertions(+), 13 deletions(-)
 rename internal/component/web/{web.env => web-http.env} (50%)
 create mode 100644 internal/component/web/web-http/docker-compose.yml
 rename internal/component/web/{stack => web-http}/global.conf (100%)
 rename internal/component/web/{stack => web-http}/proxy.conf (100%)
 create mode 100644 internal/component/web/web-https.env
 rename internal/component/web/{stack => web-https}/docker-compose.yml (100%)
 create mode 100644 internal/component/web/web-https/global.conf
 create mode 100644 internal/component/web/web-https/proxy.conf
diff --git a/README.md b/README.md
index 97e9d4c..f45a02a 100644
--- a/README.md
+++ b/README.md
@@ -79,7 +79,7 @@ These are:
 - This will delegate individual hostnames to appropriate docker containers, see [this blog post](http://jasonwilder.com/blog/2014/03/25/automated-nginx-reverse-proxy-for-docker/) for an overview.
 - Optionally makes use of [docker-letsencrypt-nginx-proxy-companion](https://github.com/nginx-proxy/docker-letsencrypt-nginx-proxy-companion) to automatically provision and renew HTTPS certificates.
- - See [distillery/resources/compose/web](embed/resources/compose/web) for implementation details.
+ - See [internal/component/web](internal/component/web) for implementation details.
 - [MariaDB](https://mariadb.org/) - an SQL server
diff --git a/internal/component/web/web.env b/internal/component/web/web-http.env
similarity index 50%
rename from internal/component/web/web.env
rename to internal/component/web/web-http.env
index dee5c8d..1eed846 100644
--- a/internal/component/web/web.env
+++ b/internal/component/web/web-http.env
@@ -1,2 +1,2 @@
 DEFAULT_HOST=${DEFAULT_HOST}
-HTTPS_METHOD=${HTTPS_METHOD}
\ No newline at end of file
+HTTPS_METHOD=nohttps
\ No newline at end of file
diff --git a/internal/component/web/web-http/docker-compose.yml b/internal/component/web/web-http/docker-compose.yml
new file mode 100644
index 0000000..f4c2113
--- /dev/null
+++ b/internal/component/web/web-http/docker-compose.yml
@@ -0,0 +1,30 @@
+version: "3.7"
+
+services:
+ nginx-proxy:
+ image: ghcr.io/nginx-proxy/nginx-proxy:alpine
+ environment:
+ - DEFAULT_HOST=${DEFAULT_HOST}
+ - HTTPS_METHOD=${HTTPS_METHOD}
+ ports:
+ - "80:80"
+ volumes:
+ - "vhost:/etc/nginx/vhost.d"
+ - "./global.conf:/etc/nginx/conf.d/global.conf:ro"
+ - "./proxy.conf:/etc/nginx/proxy.conf:ro"
+ - "htpasswd:/etc/nginx/htpasswd"
+ - "html:/usr/share/nginx/html"
+ - "/var/run/docker.sock:/tmp/docker.sock:ro"
+ restart: always
+ networks:
+ - default
+
+volumes:
+ vhost:
+ html:
+ htpasswd:
+
+networks:
+ default:
+ name: distillery
+ external: true
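Review bot: In the new `web-http/docker-compose.yml`, the `/var/run/docker.sock:/tmp/docker.sock:ro` mount gives the container that listens on port 80 access to the Docker API; the `:ro` flag only makes the mount of the socket file read-only and does not limit which API calls can be made over it, so a compromise of this container is effectively host-level. Consider placing a restricted socket proxy in between or running docker-gen in a separate, non-exposed container, and at minimum add a comment such as `# :ro does not restrict Docker API calls; treat this container as having control of the docker daemon`. This variant also mounts the `htpasswd` volume while publishing only `80:80`, so any vhost relying on basic auth would send its credentials in cleartext. The image tag `:alpine` is floating; pinning a version or digest would make what gets deployed reviewable.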
diff --git a/internal/component/web/stack/global.conf b/internal/component/web/web-http/global.conf
similarity index 100%
rename from internal/component/web/stack/global.conf
rename to internal/component/web/web-http/global.conf
diff --git a/internal/component/web/stack/proxy.conf b/internal/component/web/web-http/proxy.conf
similarity index 100%
rename from internal/component/web/stack/proxy.conf
rename to internal/component/web/web-http/proxy.conf
diff --git a/internal/component/web/web-https.env b/internal/component/web/web-https.env
new file mode 100644
index 0000000..00e84d1
--- /dev/null
+++ b/internal/component/web/web-https.env
@@ -0,0 +1,2 @@
+DEFAULT_HOST=${DEFAULT_HOST}
+HTTPS_METHOD=redirect
\ No newline at end of file
diff --git a/internal/component/web/stack/docker-compose.yml b/internal/component/web/web-https/docker-compose.yml
similarity index 100%
rename from internal/component/web/stack/docker-compose.yml
rename to internal/component/web/web-https/docker-compose.yml
diff --git a/internal/component/web/web-https/global.conf b/internal/component/web/web-https/global.conf
new file mode 100644
index 0000000..2f73621
--- /dev/null
+++ b/internal/component/web/web-https/global.conf
@@ -0,0 +1,4 @@
+# Nginx Configuration File
+# These should match with distillery/resources/compose/barrel/conf/wisski.ini.
+
+client_max_body_size 1000m;
diff --git a/internal/component/web/web-https/proxy.conf b/internal/component/web/web-https/proxy.conf
new file mode 100644
index 0000000..59fec40
--- /dev/null
+++ b/internal/component/web/web-https/proxy.conf
@@ -0,0 +1,19 @@
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack (see README for details)
+proxy_set_header Proxy "";
+
+# Timeouts for the proxy connection - in sync with the appropriate max_execution time.
+proxy_connect_timeout 3000s;
+proxy_read_timeout 3000s;
+proxy_send_timeout 3000s;
diff --git a/internal/component/web/web.go b/internal/component/web/web.go
index 4bc7882..601cdae 100644
--- a/internal/component/web/web.go
+++ b/internal/component/web/web.go
@@ -6,7 +6,9 @@ import (
 "github.com/FAU-CDI/wisski-distillery/internal/component"
 )
-// Web implements the web component
+// Web implements the ingress gateway for the distillery.
+//
+// It consists of an nginx docker container and an optional letsencrypt container.
 type Web struct {
 component.ComponentBase
 }
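Review bot: In the new `web-https/proxy.conf`, the three `3000s` timeouts apply to every proxied host, so an upstream that stops responding can keep a client connection open for up to 50 minutes between reads or writes; nginx also documents that `proxy_connect_timeout` cannot usually exceed 75 seconds, so that value has no effect beyond that. I would set `proxy_connect_timeout 60s;` and keep the long `proxy_read_timeout`/`proxy_send_timeout` only where long-running requests are expected, or at least have the comment name the exact setting they are meant to mirror. The file appears to duplicate `web-http/proxy.conf` (renamed from `stack/proxy.conf` in this commit), so the two copies can drift. The comment `see README for details` presumably points at nginx-proxy's README rather than this repository's, which is worth saying explicitly.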
@@ -15,24 +17,42 @@ func (Web) Name() string {
 return "web"
 }
-//go:embed all:stack
-//go:embed web.env
-var resources embed.FS
-
 func (web Web) Stack() component.Installable {
- HTTPS_METHOD := "nohttp"
 if web.Config.HTTPSEnabled() {
- HTTPS_METHOD = "redirect"
+ return web.stackHTTPS()
+ } else {
+ return web.stackHTTP()
 }
+}
+//go:embed all:web-https
+//go:embed web-https.env
+var httpsResources embed.FS
+
+func (web Web) stackHTTPS() component.Installable {
 return web.MakeStack(component.Installable{
- Resources: resources,
- ContextPath: "stack",
- EnvPath: "web.env",
+ Resources: httpsResources,
+ ContextPath: "web-https",
+ EnvPath: "web-https.env",
+
+ EnvContext: map[string]string{
+ "DEFAULT_HOST": web.Config.DefaultDomain,
+ },
+ })
+}
+
+//go:embed all:web-http
+//go:embed web-http.env
+var httpResources embed.FS
+
+func (web Web) stackHTTP() component.Installable {
+ return web.MakeStack(component.Installable{
+ Resources: httpResources,
+ ContextPath: "web-http",
+ EnvPath: "web-http.env",
 EnvContext: map[string]string{
 "DEFAULT_HOST": web.Config.DefaultDomain,
- "HTTPS_METHOD": HTTPS_METHOD,
 },
 })
 }
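Review bot: `Stack()` selects the plaintext variant whenever `web.Config.HTTPSEnabled()` returns false, and nothing in the new code documents or records that choice, so a deployment whose HTTPS setting is absent (how `HTTPSEnabled` decides is not visible in this hunk) would serve every host on port 80 without TLS and without any signal to the operator. I would state this on the method, e.g. `// Stack returns the HTTPS stack when HTTPS is enabled, and otherwise the HTTP-only stack, which serves all hosts without TLS.` As a style point, the `else` after `return web.stackHTTPS()` can be dropped, and `stackHTTPS`/`stackHTTP` differ only in the embedded FS and two path strings, so a shared helper taking those three values would keep the variants from drifting.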