From e4e7715743f551019544b1f0c99154a85e1a59d5 Mon Sep 17 00:00:00 2001
From: Bart Geesink
Date: Wed, 3 Apr 2024 15:15:58 +0200
Subject: [PATCH] Docker: Add apache configs for the gui containers
---
 account-gui/docker/Dockerfile | 1 +
 account-gui/docker/conf/000-default.conf | 59 +++++++++++++++
 myconext-gui/docker/Dockerfile | 2 +
 myconext-gui/docker/conf/000-default.conf | 87 +++++++++++++++++++++++
 4 files changed, 149 insertions(+)
 create mode 100644 account-gui/docker/conf/000-default.conf
 create mode 100644 myconext-gui/docker/conf/000-default.conf
diff --git a/account-gui/docker/Dockerfile b/account-gui/docker/Dockerfile
index fc665ace..815fb316 100644
--- a/account-gui/docker/Dockerfile
+++ b/account-gui/docker/Dockerfile
@@ -1,2 +1,3 @@
 FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
+COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf
 COPY ./build/ /var/www/
diff --git a/account-gui/docker/conf/000-default.conf b/account-gui/docker/conf/000-default.conf
new file mode 100644
index 00000000..d6a38e6a
--- /dev/null
+++ b/account-gui/docker/conf/000-default.conf
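Review bot: The added `COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf` makes the image depend on whatever modules the base image enables (the copied vhost uses rewrite, proxy and header directives), yet the base is still pulled as `apache2-shibboleth:latest`, so a base-image change can alter or break the vhost without any change in this repository. Pinning the base, for example `FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:<tag>@sha256:<digest>` (placeholders), would make such changes reviewable. The same applies to the myconext-gui Dockerfile hunk, which additionally places the config COPY after `COPY ./build/ /var/www/` and adds a trailing blank line. Putting the rarely changing config COPY first in both files keeps them consistent and keeps that layer cached across GUI rebuilds.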
@@ -0,0 +1,59 @@
+ServerName https://${HTTPD_SERVERNAME}
+RewriteEngine on
+RewriteCond %{REQUEST_URI} !\.html$
+RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+RewriteCond %{REQUEST_URI} !\.svg$
+RewriteCond %{REQUEST_URI} !\.png$
+RewriteCond %{REQUEST_URI} !\.ico$
+RewriteCond %{REQUEST_URI} !\.woff$
+RewriteCond %{REQUEST_URI} !\.woff2$
+RewriteCond %{REQUEST_URI} !\.ttf$
+RewriteCond %{REQUEST_URI} !\.eot$
+RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+RewriteCond %{REQUEST_URI} !^/myconext
+RewriteCond %{REQUEST_URI} !^/mobile
+RewriteCond %{REQUEST_URI} !^/tiqr
+RewriteCond %{REQUEST_URI} !^/config
+RewriteCond %{REQUEST_URI} !^/register
+RewriteCond %{REQUEST_URI} !^/doLogin
+RewriteCond %{REQUEST_URI} !^/doLogout
+RewriteCond %{REQUEST_URI} !^/create-from-institution-login
+RewriteCond %{REQUEST_URI} !^/saml
+RewriteCond %{REQUEST_URI} !^/actuator
+RewriteCond %{REQUEST_URI} !^/internal
+RewriteCond %{REQUEST_URI} !^/fonts
+RewriteCond %{REQUEST_URI} !^/.well-known
+RewriteRule (.*) /index.html [L]
+
+ProxyPass /myconext/api http://myconext:8080/myconext/api retry=0
+ProxyPassReverse /myconext/api http://myconext:8080/myconext/api
+
+ProxyPass /mobile http://myconext:8080/mobile retry=0
+ProxyPassReverse /mobile http://myconext:8080/mobile
+
+ProxyPass /tiqr http://myconext:8080/tiqr retry=0
+ProxyPassReverse /tiqr http://myconext:8080/tiqr
+
+ProxyPass /saml/guest-idp http://myconext:8080/saml/guest-idp retry=0
+ProxyPassReverse /saml/guest-idp http://myconext:8080/saml/guest-idp
+
+ProxyPass /actuator http://myconext:8080/internal retry=0
+ProxyPass /internal http://myconext:8080/internal retry=0
+ProxyPass /config http://myconext:8080/config retry=0
+ProxyPass /register http://myconext:8080/register retry=0
+ProxyPass /doLogin http://myconext:8080/doLogin retry=0
+ProxyPass /doLogout http://myconext:8080/doLogout retry=0
+ProxyPass /create-from-institution-login http://myconext:8080/create-from-institution-login retry=0
+
+DocumentRoot "/var/www"
+
+
+ Require all granted
+ Options -Indexes
+
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "same-origin"
+Header always set X-Content-Type-Options "nosniff"
+
+
diff --git a/myconext-gui/docker/Dockerfile b/myconext-gui/docker/Dockerfile
index fc665ace..a46e57c8 100644
--- a/myconext-gui/docker/Dockerfile
+++ b/myconext-gui/docker/Dockerfile
@@ -1,2 +1,4 @@
 FROM ghcr.io/openconext/openconext-basecontainers/apache2-shibboleth:latest
 COPY ./build/ /var/www/
+COPY ./docker/conf/000-default.conf /etc/apache2/sites-enabled/000-default.conf
+
diff --git a/myconext-gui/docker/conf/000-default.conf b/myconext-gui/docker/conf/000-default.conf
new file mode 100644
index 00000000..e810606b
--- /dev/null
+++ b/myconext-gui/docker/conf/000-default.conf
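Review bot: `ProxyPass /actuator http://myconext:8080/internal retry=0` and `ProxyPass /internal http://myconext:8080/internal retry=0` in the account-gui vhost publish the backend's management endpoints through this public vhost, and no access restriction for those paths is visible in the file. The only container block carries `Require all granted`; its opening tag is not visible on this page, but it presumably covers the `/var/www` directory. Unless the backend exposes only harmless health data there, I would either drop the two lines or add a `<LocationMatch "^/(actuator|internal)">` block with `Require ip <management-network>` (placeholder). The myconext-gui vhost proxies the same two paths and should get the same treatment. Separately, `/config`, `/register`, `/doLogin`, `/doLogout` and `/create-from-institution-login` have no `ProxyPassReverse`, so a backend redirect that names `http://myconext:8080` would reach the browser unrewritten; it is worth confirming that is intended.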
@@ -0,0 +1,87 @@
+ServerName https://${HTTPD_SERVERNAME}
+RewriteEngine on
+
+RewriteCond %{REQUEST_URI} !\.html$
+RewriteCond %{REQUEST_URI} !\.(js|css)(\.map)?$
+RewriteCond %{REQUEST_URI} !\.svg$
+RewriteCond %{REQUEST_URI} !\.png$
+RewriteCond %{REQUEST_URI} !\.ico$
+RewriteCond %{REQUEST_URI} !\.woff$
+RewriteCond %{REQUEST_URI} !\.woff2$
+RewriteCond %{REQUEST_URI} !\.ttf$
+RewriteCond %{REQUEST_URI} !\.eot$
+RewriteCond %{REQUEST_URI} !^/(asset-)?manifest.json$
+RewriteCond %{REQUEST_URI} !^/myconext
+RewriteCond %{REQUEST_URI} !^/tiqr
+RewriteCond %{REQUEST_URI} !^/actuator
+RewriteCond %{REQUEST_URI} !^/internal
+RewriteCond %{REQUEST_URI} !^/config
+RewriteCond %{REQUEST_URI} !^/login
+RewriteCond %{REQUEST_URI} !^/startSSO
+RewriteCond %{REQUEST_URI} !^/fonts
+RewriteCond %{REQUEST_URI} !^/.well-known
+RewriteRule (.*) /index.html [L]
+
+ProxyPass /Shibboleth.sso !
+
+ProxyPass /myconext/api http://myconext:8080/myconext/api
+ProxyPassReverse /myconext/api http://myconext:8080/myconext/api
+
+ProxyPass /tiqr http://myconext:8080/tiqr
+ProxyPassReverse /tiqr http://myconext:8080/tiqr
+
+ProxyPass /internal http://myconext:8080/internal
+ProxyPass /actuator http://myconext:8080/internal
+ProxyPass /login http://myconext:8080/login
+ProxyPass /startSSO http://myconext:8080/startSSO
+ProxyPass /config http://myconext:8080/config
+
+
+ AuthType shibboleth
+ ShibUseHeaders On
+ ShibRequireSession On
+ Require valid-user
+
+
+DocumentRoot "/var/www"
+
+
+ Require all granted
+ Options -Indexes
+
+
+# Public endpoints
+
+ Require all granted
+
+
+# After logout / delete
+
+ Require all granted
+
+
+
+ Require all granted
+
+
+
+ Require all granted
+
+
+# Svelte resources
+
+ Require all granted
+
+
+
+ Require all granted
+
+
+
+ Require all granted
+
+
+Header always set X-Frame-Options "DENY"
+Header always set Referrer-Policy "same-origin"
+Header always set X-Content-Type-Options "nosniff"
+
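Review bot: `ShibUseHeaders On` passes Shibboleth attributes to the backend as request headers, while several blocks in this file are `Require all granted` with no `AuthType shibboleth` of their own. Their opening tags are not visible on this page, so I cannot tell which paths they cover. If any of those public paths is also proxied to `http://myconext:8080`, the backend must not trust attribute headers on them, because, as I understand mod_shib, header sanitising happens only where the module actually processes the request. Consider using `ShibRequireSession Off` with `Require shibboleth` on proxied public paths instead of `Require all granted`, or confirm that the backend ignores those headers there. A one-line comment above each public block saying why it is exempt would also help review, since only `# Public endpoints`, `# After logout / delete` and `# Svelte resources` are explained now.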