Docker: Add apache configs for the gui containers

OpenConext · Apr 3, 2024 · e4e7715 · e4e7715
1 parent 5c1c8f4
commit e4e7715
Show file tree

Hide file tree

Showing 4 changed files with 149 additions and 0 deletions.
diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile
@@ -1,2 +1,3 @@
 FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
+COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf
 COPY ./build/ /var/www/
diff --git a/account-gui/docker/conf/000-default.conf b/account-gui/docker/conf/000-default.conf
@@ -0,0 +1,59 @@
+ServerName https://${HTTPD_SERVERNAME}
+RewriteEngine on
+RewriteCond %{REQUEST_URI} !\.html$
+RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+RewriteCond %{REQUEST_URI} !\.svg$
+RewriteCond %{REQUEST_URI} !\.png$
+RewriteCond %{REQUEST_URI} !\.ico$
+RewriteCond %{REQUEST_URI} !\.woff$
+RewriteCond %{REQUEST_URI} !\.woff2$
+RewriteCond %{REQUEST_URI} !\.ttf$
+RewriteCond %{REQUEST_URI} !\.eot$
+RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+RewriteCond %{REQUEST_URI} !^/myconext
+RewriteCond %{REQUEST_URI} !^/mobile
+RewriteCond %{REQUEST_URI} !^/tiqr
+RewriteCond %{REQUEST_URI} !^/config
+RewriteCond %{REQUEST_URI} !^/register
+RewriteCond %{REQUEST_URI} !^/doLogin
+RewriteCond %{REQUEST_URI} !^/doLogout
+RewriteCond %{REQUEST_URI} !^/create-from-institution-login
+RewriteCond %{REQUEST_URI} !^/saml
+RewriteCond %{REQUEST_URI} !^/actuator
+RewriteCond %{REQUEST_URI} !^/internal
+RewriteCond %{REQUEST_URI} !^/fonts
+RewriteCond %{REQUEST_URI} !^/.well-known
+RewriteRule (.*) /index.html [L]
+
+ProxyPass /myconext/api http://myconext:8080/myconext/api retry=0
+ProxyPassReverse /myconext/api http://myconext:8080/myconext/api
+
+ProxyPass /mobile http://myconext:8080/mobile retry=0
+ProxyPassReverse /mobile http://myconext:8080/mobile
+
+ProxyPass /tiqr http://myconext:8080/tiqr retry=0
+ProxyPassReverse /tiqr http://myconext:8080/tiqr
+
+ProxyPass /saml/guest-idp http://myconext:8080/saml/guest-idp retry=0
+ProxyPassReverse /saml/guest-idp http://myconext:8080/saml/guest-idp
+
+ProxyPass /actuator http://myconext:8080/internal retry=0
+ProxyPass /internal http://myconext:8080/internal retry=0
+ProxyPass /config http://myconext:8080/config retry=0
+ProxyPass /register http://myconext:8080/register retry=0
+ProxyPass /doLogin http://myconext:8080/doLogin retry=0
+ProxyPass /doLogout http://myconext:8080/doLogout retry=0
+ProxyPass /create-from-institution-login http://myconext:8080/create-from-institution-login retry=0
+
+DocumentRoot "/var/www"
+
+<Directory "/var/www">
+  Require all granted
+  Options     -Indexes
+</Directory>
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "same-origin"
+Header always set X-Content-Type-Options "nosniff"
+
+
diff --git a/myconext-gui/docker/Dockerfile b/myconext-gui/docker/Dockerfile
@@ -1,2 +1,4 @@
 FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
 COPY ./build/ /var/www/
+COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf
+
diff --git a/myconext-gui/docker/conf/000-default.conf b/myconext-gui/docker/conf/000-default.conf
@@ -0,0 +1,87 @@
+ServerName https://${HTTPD_SERVERNAME}
+RewriteEngine on
+
+RewriteCond %{REQUEST_URI} !\.html$
+RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+RewriteCond %{REQUEST_URI} !\.svg$
+RewriteCond %{REQUEST_URI} !\.png$
+RewriteCond %{REQUEST_URI} !\.ico$
+RewriteCond %{REQUEST_URI} !\.woff$
+RewriteCond %{REQUEST_URI} !\.woff2$
+RewriteCond %{REQUEST_URI} !\.ttf$
+RewriteCond %{REQUEST_URI} !\.eot$
+RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+RewriteCond %{REQUEST_URI} !^/myconext
+RewriteCond %{REQUEST_URI} !^/tiqr
+RewriteCond %{REQUEST_URI} !^/actuator
+RewriteCond %{REQUEST_URI} !^/internal
+RewriteCond %{REQUEST_URI} !^/config
+RewriteCond %{REQUEST_URI} !^/login
+RewriteCond %{REQUEST_URI} !^/startSSO
+RewriteCond %{REQUEST_URI} !^/fonts
+RewriteCond %{REQUEST_URI} !^/.well-known
+RewriteRule (.*) /index.html [L]
+
+ProxyPass /Shibboleth.sso !
+
+ProxyPass /myconext/api http://myconext:8080/myconext/api
+ProxyPassReverse /myconext/api http://myconext:8080/myconext/api
+
+ProxyPass /tiqr http://myconext:8080/tiqr
+ProxyPassReverse /tiqr http://myconext:8080/tiqr
+
+ProxyPass /internal http://myconext:8080/internal
+ProxyPass /actuator http://myconext:8080/internal 
+ProxyPass /login http://myconext:8080/login
+ProxyPass /startSSO http://myconext:8080/startSSO
+ProxyPass /config http://myconext:8080/config
+
+<Location />
+  AuthType shibboleth
+  ShibUseHeaders On
+  ShibRequireSession On
+  Require valid-user
+</Location>
+
+DocumentRoot "/var/www"
+
+<Directory "/var/www">
+  Require all granted
+  Options     -Indexes
+</Directory>
+
+# Public endpoints
+<Location ~ "/(config|register|404)">
+  Require all granted
+</Location>
+
+# After logout / delete
+<Location ~ "/landing(.*)">
+  Require all granted
+</Location>
+
+<Location ~ "/create-from-institution(.*)">
+  Require all granted
+</Location>
+
+<Location ~ "/internal/">
+  Require all granted
+</Location>
+
+# Svelte resources
+<Location ~ "(.*)(eot|svg|ttf|woff2|woff|js|js\.map|css|css\.map|png|jpg|ico)$">
+  Require all granted
+</Location>
+
+<Location ~ "/.well-known/">
+  Require all granted
+</Location>
+
+<Location ~ "/(asset-)?manifest.json$">
+  Require all granted
+</Location>
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "same-origin"
+Header always set X-Content-Type-Options "nosniff"
+