From aaf26cc22704903cd77f205b019044280da0c37e Mon Sep 17 00:00:00 2001 From: gwuah Date: Mon, 26 Feb 2024 21:06:53 +0100 Subject: [PATCH] feat: enforce https for all operations --- dockerproxy/main.go | 30 ++++++++++++++++++++---- etc/docker/daemon.json | 4 ++-- fly.toml | 53 ++++++++++++++++++++++++------------------ 3 files changed, 59 insertions(+), 28 deletions(-) diff --git a/dockerproxy/main.go b/dockerproxy/main.go index df3f20f..8ccfa17 100644 --- a/dockerproxy/main.go +++ b/dockerproxy/main.go @@ -39,6 +39,7 @@ var ( noDockerd = os.Getenv("NO_DOCKERD") == "1" noAuth = os.Getenv("NO_AUTH") == "1" noAppName = os.Getenv("NO_APP_NAME") == "1" + noHttps = os.Getenv("NO_HTTPS") == "1" // build variables gitSha string @@ -103,9 +104,9 @@ func main() { httpMux := http.NewServeMux() - httpMux.Handle("/", handlers.LoggingHandler(log.Writer(), authRequest(proxy()))) - httpMux.Handle("/flyio/v1/prune", handlers.LoggingHandler(log.Writer(), authRequest(pruneHandler(dockerClient)))) - httpMux.Handle("/flyio/v1/extendDeadline", handlers.LoggingHandler(log.Writer(), authRequest(extendDeadline()))) + httpMux.Handle("/", wrapCommonMiddlewares(dockerProxy())) + httpMux.Handle("/flyio/v1/prune", wrapCommonMiddlewares(pruneHandler(dockerClient))) + httpMux.Handle("/flyio/v1/extendDeadline", wrapCommonMiddlewares((extendDeadline()))) httpServer := &http.Server{ Addr: ":8080", @@ -212,7 +213,7 @@ func extendDeadline() http.Handler { }) } -func proxy() http.Handler { +func dockerProxy() http.Handler { reverseProxy := httputil.NewSingleHostReverseProxy(&url.URL{ Scheme: DOCKER_SCHEME, Host: DOCKER_LISTENER, 
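Review bot: The added `noHttps` variable breaks the Go initialism convention that the rest of the file's identifiers follow (`userID`, `ServeHTTP` style); the same applies to `upgradeToHTTPs` in the last main.go hunk. Renaming it to `noHTTPS = os.Getenv("NO_HTTPS") == "1"` keeps the flag consistent with its sibling `noDockerd`/`noAuth`/`noAppName` lines and with the environment variable it reads. The `var (` block this line belongs to begins and ends outside the hunk.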
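Review bot: The third rewritten Handle line wraps its argument in a doubled pair of parentheses, `wrapCommonMiddlewares((extendDeadline()))`; gofmt leaves redundant parentheses alone, so this will linger and read as if something were intended. Drop the extra pair so the line matches the two above it: `httpMux.Handle("/flyio/v1/extendDeadline", wrapCommonMiddlewares(extendDeadline()))`. main's body continues outside the hunk on both sides.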
@@ -240,3 +241,24 @@ func pruneHandler(client *client.Client) http.HandlerFunc {
 w.WriteHeader(http.StatusOK)
 })
 }
+
+func upgradeToHTTPs(h http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if !noHttps && r.Header.Get("X-Forwarded-Proto") == "http" {
+ http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusMovedPermanently)
+ return
+ }
+ h.ServeHTTP(w, r)
+ })
+}
+
+func wrapCommonMiddlewares(h http.Handler) http.Handler {
+ return handlers.LoggingHandler(
+ log.Writer(),
+ upgradeToHTTPs(
+ authRequest(
+ h,
+ ),
+ ),
+ )
+}
diff --git a/etc/docker/daemon.json b/etc/docker/daemon.json
index 14c20d4..f02aaf5 100644
--- a/etc/docker/daemon.json
+++ b/etc/docker/daemon.json
@@ -10,8 +10,8 @@
 "size": 24
 }
 ],
- "debug": true,
- "log-level": "debug",
+ "debug": false,
+ "log-level": "info",
 "features": {
 "buildkit": true
 },
diff --git a/fly.toml b/fly.toml
index 2f74a9d..0b43d7d 100644
--- a/fly.toml
+++ b/fly.toml
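Review bot: upgradeToHTTPs is allow-by-default: a request whose X-Forwarded-Proto header is absent or anything other than the literal "http" is handed straight to authRequest, and the header only carries meaning when the Fly edge sets it, so this check is a defence in depth behind fly.toml's `force_https = true` rather than the enforcement itself. If the intent is that only TLS-terminated traffic reaches the handlers, inverting the test to `if !noHttps && r.Header.Get("X-Forwarded-Proto") != "https" {` is stricter, at the cost of also redirecting direct, un-proxied requests to :8080 (health checks included, if any hit the app without the header). The redirect target is assembled from the client-supplied r.Host, so the Location header reflects whatever Host the caller sent, and a 301 lets most clients replay a POST as a GET; `http.StatusPermanentRedirect` preserves the method, though by the time the redirect is issued the body and any Authorization header have already been transmitted, so the redirect prevents the operation rather than protecting the credential. Both new functions also lack doc comments, e.g. `// upgradeToHTTPs redirects requests the edge proxy reports as plaintext (X-Forwarded-Proto: http) to HTTPS unless NO_HTTPS=1.` and `// wrapCommonMiddlewares applies the logging, HTTPS-redirect and auth middlewares, outermost first, to h.`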
@@ -1,31 +1,40 @@ -# fly.toml file generated for rchab on 2021-01-08T16:05:33-05:00 +app = 'rchab' +primary_region = 'ams' +kill_signal = 'SIGINT' +kill_timeout = '5s' -app = "rchab" +[build] -kill_signal = "SIGINT" -kill_timeout = 5 +[env] + ALLOW_ORG_SLUG = 'fly' + DATA_DIR = '/data' + LOG_LEVEL = 'info' [[mounts]] -source = "data" -destination = "/data" + source = 'data' + destination = '/data' -[[services]] -internal_port = 8080 -protocol = "tcp" +[http_service] + internal_port = 8080 + force_https = true + auto_stop_machines = false + auto_start_machines = true + min_machines_running = 0 + processes = ['app'] -[services.concurrency] -hard_limit = 25 -soft_limit = 20 + [http_service.http_options] + h2_backend = true + + [http_service.tls_options] + alpn = ['h2'] -[[services.ports]] -handlers = ["tls"] -port = 10000 -[env] -ALLOW_ORG_SLUG = "fly" -LOG_LEVEL = "debug" -DATA_DIR = "/data" -[metrics] -port = 9323 -path = "/metrics" +[[vm]] + memory = '4gb' + cpu_kind = 'shared' + cpus = 4 + +[[metrics]] + port = 9323 + path = '/metrics'