Improvement of the docker stack

Dockerfile

@@ -1,34 +1,34 @@
+# syntax=docker/dockerfile:1
 # Use the official Nginx image as the base image
 FROM nginx:alpine
 
-# Install curl, jq, and tar for fetching, parsing, and extracting
-RUN apk add --no-cache git curl tar gettext
+ARG LINSTOR_GUI_VERSION=v1.8.1
+
+# Install curl and tar for fetching and extracting
+RUN apk add --no-cache curl tar gettext
 
 # Remove default Nginx configuration
 RUN rm /etc/nginx/conf.d/default.conf
 
-# Copy the Nginx configuration template
-COPY nginx.conf.template /etc/nginx/nginx.conf.template
-
-COPY . .
+# Copy Nginx configuration templates
+COPY nginx.conf.* /etc/nginx/
 
 # Copy the entrypoint script
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 RUN chmod +x /docker-entrypoint.sh
 
-# Set default value for LB_GATEWAY_API_HOST
-ENV LB_GATEWAY_API_HOST=http://localhost:8080
+# Set default value
+ENV LB_GATEWAY_API_HOST=http://localhost:8080 \
+    EXTERNAL_HTTPS_PORT=8443
 
-# Download the corresponding tarball
-RUN LATEST_TAG=$(git describe --tags --abbrev=0 | sed 's/^v//') && \
-    echo "Latest Tag: $LATEST_TAG" && \
-    curl -L -o linstor-gui-$LATEST_TAG.tar.gz  https://pkg.linbit.com//downloads/linstor/linstor-gui-$LATEST_TAG.tar.gz && \
+# Download the corresponding tarball from github
+RUN curl -L -o linstor-gui-${LINSTOR_GUI_VERSION}.tar.gz https://github.com/LINBIT/linstor-gui/releases/download/${LINSTOR_GUI_VERSION}/linstor-gui-${LINSTOR_GUI_VERSION}.tar.gz && \
     mkdir -p /usr/share/nginx/html && \
-    tar -xzf linstor-gui-$LATEST_TAG.tar.gz -C /usr/share/nginx/html --strip-components=2 && \
-    rm linstor-gui-$LATEST_TAG.tar.gz
+    tar -xzf linstor-gui-${LINSTOR_GUI_VERSION}.tar.gz -C /usr/share/nginx/html && \
+    rm linstor-gui-${LINSTOR_GUI_VERSION}.tar.gz
 
-# Expose port 8000
-EXPOSE 8000
+# Expose http and https port
+EXPOSE 8080 8443
 
 # Use the entrypoint script
 ENTRYPOINT ["/docker-entrypoint.sh"]

README.md

@@ -24,15 +24,49 @@ sudo apt install linstor-gui
 
 ### Running in a Docker container
 
-```
-docker build -t linstor-gui .
+```bash
+export DOCKER_BUILDKIT=1
+
+# docker-compose build
+docker build --no-cache \
+             --build-arg="LINSTOR_GUI_VERSION=v1.8.1" \
+             --tag linstor-gui .
 
+# docker-compose up
 docker run \
-  -p 8000:8000 \
+  -p 8080:8080 \
   -e LB_LINSTOR_API_HOST=http://192.168.123.105:3370 \
   -e LB_GATEWAY_API_HOST=http://192.168.123.105:8080 \
   linstor-gui
+```
+
+* Optionnal add HTTPS support
+
+```bash
+$ mkdir -p volumes/ssl
+
+# create autosigned cert
+$ openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
+              -keyout ./volumes/ssl/linstor-gui.key \
+              -out ./volumes/ssl/linstor-gui.crt
+
+# create diffie hellman
+$ openssl dhparam -out ./volumes/ssl/dh.pem 2048
+```
 
+```diff
+--- docker-compose.yml.old
++++ docker-compose.yml
+...
+    environment:
+    ...
++     - EXTERNAL_HTTPS_PORT=443 #default 8443
+    ports:
+      - "80:8080"
++     - "443:8443"
++   volumes:
++     - ./volumes/ssl:/opt/ssl:ro
+...
 ```
 
 LB_LINSTOR_API_HOST is required, LB_GATEWAY_API_HOST is optional, default is `http://localhost:8080`.

docker-compose.yml

@@ -0,0 +1,20 @@
+services:
+  linstor-gui:
+    image: linstor-gui:1.8.1
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        - LINSTOR_GUI_VERSION=v1.8.1    
+    environment:
+      - LB_LINSTOR_API_HOST=http://10.20.45.199:3369
+      - LB_GATEWAY_API_HOST=http://10.20.45.199:3369
+    ports:
+      - "8080:8080"
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "--fail", "http://127.0.0.1:8080/health"]
+      start_period: 10s
+      interval: 5s
+      timeout: 1s
+      retries: 3

docker-entrypoint.sh

@@ -1,13 +1,21 @@
 #!/bin/sh
 set -e
 
+# Use correct Nginx config http or https
+if [ -e /opt/ssl/linstor-gui.crt ]; then
+    NGINX_TEMPLATE_FILE=/etc/nginx/nginx.conf.ssl.template
+else
+    NGINX_TEMPLATE_FILE=/etc/nginx/nginx.conf.template
+fi
+
 # Replace placeholders in the Nginx config template
-envsubst "$(env | sed -e 's/=.*//' -e 's/^/$/g')" < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf.tmp
+envsubst "$(env | sed -e 's/=.*//' -e 's/^/$/g')" < ${NGINX_TEMPLATE_FILE} > /etc/nginx/nginx.conf.tmp
 
 # Use awk to replace the placeholder values
 awk '{
-    gsub(/LB_LINSTOR_API_HOST/, ENVIRON["LB_LINSTOR_API_HOST"]);
-    gsub(/LB_GATEWAY_API_HOST/, ENVIRON["LB_GATEWAY_API_HOST"]);
+    gsub(/__LB_LINSTOR_API_HOST__/, ENVIRON["LB_LINSTOR_API_HOST"]);
+    gsub(/__LB_GATEWAY_API_HOST__/, ENVIRON["LB_GATEWAY_API_HOST"]);
+    gsub(/__EXTERNAL_HTTPS_PORT__/, ENVIRON["EXTERNAL_HTTPS_PORT"]);
     print
 }' /etc/nginx/nginx.conf.tmp > /etc/nginx/nginx.conf
 

nginx.conf.ssl.template

@@ -0,0 +1,82 @@
+worker_processes auto;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    sendfile        on;
+    keepalive_timeout  65;
+    server_tokens off;
+
+    # Redirect HTTP -> HTTPS
+    server {
+        listen 8080;
+        server_name localhost;
+
+        # the default location redirects to https
+        location / {
+            return 301 https://$host:__EXTERNAL_HTTPS_PORT__$request_uri;
+        }
+
+	# Healtcheck
+        location /health {
+          stub_status on;
+          access_log off;
+          allow 127.0.0.1;
+          deny all;
+        }
+    }
+
+    # SSL configuration
+    server {
+        listen 8443 ssl default_server;
+
+        ssl_certificate             "/opt/ssl/linstor-gui.crt";
+        ssl_certificate_key         "/opt/ssl/linstor-gui.key";
+        ssl_protocols               TLSv1.2;
+        ssl_dhparam                 /opt/ssl/dh.pem;
+        ssl_prefer_server_ciphers   on;
+        ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+        ssl_stapling                on;
+        ssl_stapling_verify         on;
+        ssl_session_cache           none;
+        ssl_session_tickets         off;
+
+        root /usr/share/nginx/html;
+        index index.html;
+
+        # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+        add_header X-Frame-Options "DENY";
+
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        location /v1 {
+            proxy_pass __LB_LINSTOR_API_HOST__;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+
+        location /metrics {
+            proxy_pass __LB_LINSTOR_API_HOST__;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+
+        location /api/v2 {
+            proxy_pass __LB_GATEWAY_API_HOST__;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+}

nginx.conf.template

@@ -10,32 +10,44 @@ http {
 
     sendfile        on;
     keepalive_timeout  65;
+    server_tokens off;
 
     server {
-        listen 8000;
+        listen 8080;
         server_name localhost;
 
         root /usr/share/nginx/html;
         index index.html;
 
+        # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+        add_header X-Frame-Options "DENY";
+
         location / {
             try_files $uri $uri/ /index.html;
         }
 
+	# Healtcheck
+        location /health {
+          stub_status on;
+          access_log off;
+          allow 127.0.0.1;
+          deny all;
+        }
+
         location /v1 {
-            proxy_pass LB_LINSTOR_API_HOST;
+            proxy_pass __LB_LINSTOR_API_HOST__;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
         }
 
         location /metrics {
-            proxy_pass LB_LINSTOR_API_HOST;
+            proxy_pass __LB_LINSTOR_API_HOST__;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
         }
 
         location /api/v2 {
-            proxy_pass LB_GATEWAY_API_HOST;
+            proxy_pass __LB_GATEWAY_API_HOST__;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
         }