From f77ff50150e6ff5d1f2b03c4f465846d5bb49a96 Mon Sep 17 00:00:00 2001 
From: vnugent Date: Fri, 7 Jun 2024 15:45:56 -0400 Subject: Squashed commit of the following: commit 8ed4663e539d9c2ea58aaad02a1fc2896956f6b6 Author: vnugent Date: Fri Jun 7 15:43:48 2024 -0400 fix: invalid chars in status cookie name commit 9d1df65d99732a68b4fe96dcc75273442cbd322f Author: vnugent Date: Thu Jun 6 21:31:30 2024 -0400 fix: Some container fixes and compatability commit 5ecd6b39cccdc9500540b10685605b5fcba61f69 Author: vnugent Date: Thu Jun 6 17:19:48 2024 -0400 Update and expose storage config for container commit 3a62bafd210a2e00d23d3df773e47011e09eba6e Author: vnugent Date: Thu Jun 6 16:18:36 2024 -0400 ci: build admin lib before building front-end commit 35920ad6c8596fc14bcfed66303511e8c249be8d Author: vnugent Date: Thu Jun 6 15:56:36 2024 -0400 ci: Local vite config, force set lib versions commit 3c228b3cc5172fae398af8de72b64bd780ace20c Author: vnugent Date: Wed Jun 5 19:55:39 2024 -0400 ci: Update packages and add container build commit 21d2719701f851d4a555c363b141f289f14a5192 Author: vnugent Date: Wed Jun 5 15:58:07 2024 -0400 fix: #1 new channel page when hitting new button commit eefba88ac4e2c70517aa71c79ed94c346f9de554 Author: vnugent Date: Wed Jun 5 15:26:15 2024 -0400 chore: Package updates commit 9eed4022a79f2cba139c9f8a359bfc8c1f9c31c5 Author: vnugent Date: Wed Jun 5 14:44:08 2024 -0400 ci: Stage blocking changes --- ci/config-templates/CMNext-template.json | 41 +++++ .../Essentials.Accounts-template.json | 76 +++++++++ ci/config-templates/PageRouter-template.json | 7 + ci/config-templates/SessionProvider-template.json | 25 +++ ci/config-templates/config-template.json | 169 +++++++++++++++++++++ ci/config-templates/routes.xml | 46 ++++++ 6 files changed, 364 insertions(+) create mode 100644 ci/config-templates/CMNext-template.json create mode 100644 ci/config-templates/Essentials.Accounts-template.json create mode 100644 ci/config-templates/PageRouter-template.json create mode 100644 ci/config-templates/SessionProvider-template.json create 
mode 100644 ci/config-templates/config-template.json
create mode 100644 ci/config-templates/routes.xml
(limited to 'ci/config-templates')
diff --git a/ci/config-templates/CMNext-template.json b/ci/config-templates/CMNext-template.json
new file mode 100644
index 0000000..486f68a
--- /dev/null
+++ b/ci/config-templates/CMNext-template.json
@@ -0,0 +1,41 @@
+{
+ //Enables debug logging
+ "debug": ${DEBUG_PLUGINS},
+
+ "post_endpoint": {
+ "path": "/api/blog/posts"
+ },
+
+ "channel_endpoint": {
+ "path": "/api/blog/channels"
+ },
+
+ "content_endpoint": {
+ "path": "/api/blog/content",
+ "max_content_length": ${MAX_CONTENT_LENGTH}
+ },
+
+ "blog_channels": {
+ //The index file for storing channel configuration
+ "index_file_name": "${CHANNEL_INDEX_FILE}"
+ },
+
+ "storage": {
+
+ "custom_storage_assembly": "${STORAGE_CUSTOM_ASSEMBLY}",
+
+ "type": "${STORAGE_TYPE}", //s3 | ftp
+
+ //storage config
+ "server_address": "${STORAGE_SERVER_ADDRESS}",
+ "access_key": "${STORAGE_USERNAME}",
+ "bucket": "${STORAGE_BUCKET}",
+ "use_ssl": ${STORAGE_USE_SSL},
+ "Region": "${S3_REGION}"
+ },
+
+ "secrets": {
+ //Set the vault path to the s3 secret
+ "storage_secret": "${STORAGE_SECRET}"
+ }
+}
\ No newline at end of file
diff --git a/ci/config-templates/Essentials.Accounts-template.json b/ci/config-templates/Essentials.Accounts-template.json
new file mode 100644
index 0000000..4ca914c
--- /dev/null
+++ b/ci/config-templates/Essentials.Accounts-template.json
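Review bot: `"custom_storage_assembly": "${STORAGE_CUSTOM_ASSEMBLY}"` in the `storage` block takes a bare path from an environment variable with no comment that the host will load it as executable code, so an operator setting it from CI is choosing a code dependency without being told; suggest `//Optional path to a storage provider assembly; the host loads it as code, so only point this at a trusted file shipped in the image` above it. `"use_ssl": ${STORAGE_USE_SSL}` has no documented default — if the variable is unset the substituted value is empty and the file is no longer valid JSON, and `false` sends the access key and bucket traffic in cleartext — so a comment such as `//Should be true unless the storage endpoint is only reachable inside a trusted network` is worth adding. `"Region"` is also the only capitalized key in these templates; I cannot tell from here whether the plugin reads keys case-insensitively, so it is worth confirming rather than assuming.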
@@ -0,0 +1,76 @@
+{
+ "debug": ${DEBUG_PLUGINS},
+
+ //endpoints
+
+ "login_endpoint": {
+ "path": "/api/account/login",
+ "max_login_attempts": ${MAX_LOGIN_ATTEMPS}, //10 failed attempts in 10 minutes
+ "failed_attempt_timeout_sec": 600 //10 minutes
+ },
+
+ "keepalive_endpoint": {
+ "path": "/api/account/keepalive",
+ //Regen token every 10 mins along with cookies
+ "token_refresh_sec": 600 //10 minutes
+ },
+
+ "profile_endpoint": {
+ "path": "/api/account/profile"
+ },
+
+ "password_endpoint": {
+ "path": "/api/account/reset"
+ },
+
+ "mfa_endpoint": {
+ "path": "/api/account/mfa"
+ },
+
+ "logout_endpoint": {
+ "path": "/api/account/logout"
+ },
+
+ "pki_auth_endpoint": {
+ "path": "/api/account/pki",
+ "jwt_time_dif_sec": 30,
+ "max_login_attempts": 10,
+ "failed_attempt_timeout_sec": 600,
+ //Configures the PATCH and DELETE methods to update the user's stored key when logged in
+ "enable_key_update": true
+ },
+
+ //If mfa is defined, configures mfa enpoints and enables mfa logins
+ "mfa": {
+ "upgrade_expires_secs": 180,
+ "nonce_size": 64,
+
+ //Defines totp specific arguments
+ "totp": {
+ "digits": 6,
+ "issuer": "CMNext",
+ "period_secs": 30,
+ "algorithm": "sha1",
+ "secret_size": 32,
+ "window_size": 2
+ }
+ },
+
+ //Defines the included account provider
+ "account_security": {
+ //Time in seconds before a session is considered expired
+ "session_valid_for_sec": 3600,
+ //Path/domain for all security cookies
+ "cookie_domain": "",
+ "cookie_path": "/",
+ "status_cookie_name": "cmnli", //front-end cookie name must match to detect login status
+ "otp_header_name": "X-Web-Token", //Front-end header name must match
+ "otp_time_diff_sec": 30,
+ "otp_key_size": 64,
+ "pubkey_cookie_name": "cmn-id",
+ "pubkey_signing_key_size": 32,
+ "strict_origin": false,
+ "strict_path": true, //Can be enabled if front-end is running on the same server
+ //"allowed_origins": [""]
+ }
+}
\ No newline at end of file
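Review bot: `"strict_origin": false` next to the commented-out `//"allowed_origins": [""]` in `account_security` ships the container template with origin enforcement off, and nothing in the hunk says when that is acceptable; replacing the dead comment with `//Set strict_origin to true and list the front-end origin(s) in allowed_origins when the UI is served from a different host` makes it a deliberate deployment choice rather than the default. `${MAX_LOGIN_ATTEMPS}` is misspelled relative to the `max_login_attempts` key it fills; if CI exports `MAX_LOGIN_ATTEMPTS` the placeholder survives substitution and the file is no longer valid JSON, and the lockout policy silently does not apply. `pki_auth_endpoint` hard-codes `"max_login_attempts": 10` while `login_endpoint` reads it from the variable, so the two login paths can drift apart; presumably both should take the same value.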
diff --git a/ci/config-templates/PageRouter-template.json b/ci/config-templates/PageRouter-template.json
new file mode 100644
index 0000000..86a51f8
--- /dev/null
+++ b/ci/config-templates/PageRouter-template.json
@@ -0,0 +1,7 @@
+{
+ "debug": ${DEBUG_PLUGINS},
+ "store": {
+ //All builds require the routes.xml file in the config directory even after variable substitution
+ "route_file": "config/routes.xml"
+ }
+}
\ No newline at end of file
diff --git a/ci/config-templates/SessionProvider-template.json b/ci/config-templates/SessionProvider-template.json
new file mode 100644
index 0000000..de3bce1
--- /dev/null
+++ b/ci/config-templates/SessionProvider-template.json
@@ -0,0 +1,25 @@
+{
+
+ "debug": ${DEBUG_PLUGINS},
+
+ //Provider assemblies to load
+ "provider_assemblies": [ "VNLib.Plugins.Sessions.VNCache.dll" ],
+
+ //Web session provider, valid format for VNCache and also memory sessions
+ "web": {
+ //Cache system key prefix
+ "cache_prefix": "websessions",
+ //The session cookie name
+ "cookie_name": "cmnext-ses",
+ //Size in bytes for generated session ids
+ "cookie_size": 40,
+ //time (in seconds) a session is valid for
+ "valid_for_sec": 3600,
+ //The maxium number of connections waiting for the cache server responses
+ "max_waiting_connections": 100,
+ //Enforce strict cross-origin session checks
+ "strict_cors": true,
+ ///Enforces strict TLS to help prevent tls downgrades based on stored session variables (privacy note: this can be leaked through brute-forced if session id is stolen)
+ "strict_tls_protocol": true
+ }
+}
\ No newline at end of file
diff --git a/ci/config-templates/config-template.json b/ci/config-templates/config-template.json
new file mode 100644
index 0000000..bd67020
--- /dev/null
+++ b/ci/config-templates/config-template.json
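Review bot: The comment above `"strict_tls_protocol": true` in the SessionProvider `web` block is hard to act on — it uses a triple slash unlike every other line and "this can be leaked through brute-forced if session id is stolen" does not say what is leaked or from where. If the intent is that the TLS version negotiated at session creation is stored with the session and later compared, and that the stored value is readable by anyone who holds the session id, the comment should say that plainly: `//Binds the session to the TLS protocol version it was created under to resist downgrade; the stored version is recoverable by anyone holding the session id`. I cannot confirm the provider's actual behavior from this template, so the wording should be checked against the VNCache session plugin before committing it. The `"cookie_size": 40` comment says bytes but not whether that is raw entropy or the encoded cookie length; a word on which would help operators sizing it.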
@@ -0,0 +1,169 @@
+{
+
+ //Host application config, config is loaded as a read-only DOM that is available
+ //to the host and loaded child plugins, all elements are available to plugins via the 'HostConfig' property
+
+ "http": {
+ //The defaut HTTP version to being requests with (does not support http/2 yet)
+ "default_version": "HTTP/1.1",
+ //The maxium size (in bytes) of response messges that will be compressed
+ "compression_limit": 512000000,
+ //Minium response size (in bytes) to compress
+ "compression_minimum": 2048,
+ //The size of the buffer to use when parsing multipart/form data uploads
+ "multipart_max_buf_size": 8192,
+ //The maxium ammount of data (in bytes) allows for mulitpart/form data file uploads
+ "multipart_max_size": 80240,
+ //Absolute maximum size (in bytes) of the request entity body (exludes headers)
+ "max_entity_size": ${MAX_CONTENT_LENGTH},
+ //Keepalive ms for HTTP1.1 keepalive connections
+ "keepalive_ms": 1000000,
+ //The buffer size to use when parsing headers (also the maxium request header size allowed)
+ "header_buf_size": 8128,
+ //The maxium number of headers allowed in an HTTP request message
+ "max_request_header_count": 50,
+ //The maxium number of allowed network connections, before 503s will be issued automatically and connections closed
+ "max_connections": 5000,
+ //The size in bytes of the buffer to use when writing response messages
+ "response_buf_size": 65536,
+ //time (in ms) to wait for a response from an active connection in recv mode, before dropping it
+ "recv_timeout_ms": 5000,
+ //Time in ms to wait for the client to accept transport data before terminating the connection
+ "send_timeout_ms": 60000,
+ //The size (in bytes) of the buffer used to store all response header data
+ "response_header_buf_size": 16384,
+ //Max number of file uploads allowed per request
+ "max_uploads_per_request": 10
+ },
+
+ //Compression is installed in the container at lib/ directory along with the native library supporting gzip and brotli
+ "compression_lib": "lib/vnlib.net.compression/VNLib.Net.Compression.dll",
+
+ //Setup the native lib
+ "vnlib.net.compression": {
+ "lib_path": "${COMPRESSION_LIB_PATH}",
+ "level": 1
+ },
+
+ //Maxium ammount of time a request is allowed to be processed (includes loading or waiting for sessions) before operations will be cancelled and a 503 returned
+ "max_execution_time_ms": 20000,
+
+ //Collection of objects to define hosts+interfaces to build server listeners from
+ "virtual_hosts": [
+ {
+
+ "trace": ${HTTP_TRACE_ON},
+
+ //The interface to bind to, you may not mix TLS and non-TLS connections on the same interface
+ "interface": {
+ "address": "0.0.0.0",
+ "port": 8080
+ },
+
+ //Collection of "trusted" servers to allow proxy header support from
+ "downstream_servers": ${HTTP_DOWNSTREAM_SERVERS},
+
+ //The hostname to listen for, "*" as wildcard, and "[system]" as the default hostname for the current machine
+ "hostname": "*",
+ "path": "dist/",
+
+ //A list of file extensions to deny access to, if a resource is requested and has one of the following extensions, a 404 is returned
+ "deny_extensions": [ ".ts", ".json", ".htaccess", ".php" ],
+ //The default file extensions to append to a resource that does not have a file extension
+ "default_files": [ "index.html" ],
+
+ //A list of error file objects, files are loaded into memory (and watched for changes) and returned when the specified error code occurs
+ "error_files": [],
+
+ //The default
+ "cache_default_sec": 864000,
+
+ "ssl": ${SSL_JSON},
+ }
+ ],
+
+
+ //Defines the directory where plugin's are to be loaded from
+ "plugins": {
+ //Hot-reload creates collectable assemblies that allow full re-load support in the host application, should only be used for development purposes!
+ "hot_reload": false,
+ "path": "plugins/",
+ "config_dir": "config/",
+ "assets": "plugins/assets/"
+ },
+
+ "sys_log": {
+ "path": "data/logs/sys-log.txt",
+ "flush_sec": 5,
+ "retained_files": 31,
+ "file_size_limit": 10485760,
+ "interval": "infinite"
+ },
+
+ "app_log": {
+ "path": "data/logs/app-log.txt",
+ "flush_sec": 5,
+ "retained_files": 31,
+ "file_size_limit": 10485760,
+ "interval": "infinite"
+ },
+
+ //HASHICORP VAULT
+ "hashicorp_vault": {
+ "url": "${HC_VAULT_ADDR}",
+ "token": "${HC_VAULT_TOKEN}",
+ "trust_certificate": ${HC_VAULT_TRUST_CERT},
+ },
+
+ //SQL CONFIG
+ "sql": {
+ "provider": "${SQL_LIB_PATH}",
+ "connection_string": "${SQL_CONNECTION_STRING}"
+ },
+
+ //VNCACHE global config
+ //Enable vncache as the providers above rely on the object caching server
+ "cache": {
+
+ "assembly_name": "${CACHE_ASM_PATH}",
+ "url": "${REDIS_CONNECTION_STRING}",
+
+ //Max size (in bytes) of allowed data to be stored in each user's session object
+ "max_object_size": 8128,
+
+ //Request timeout
+ "request_timeout_sec": 10,
+
+ //Time delay between cluster node discovery
+ "discovery_interval_sec": 120,
+
+ //Initial nodes to discover from
+ "initial_nodes": ${VNCACHE_INITIAL_NODES},
+
+ //Disable TLS
+ "use_tls": false,
+
+ //Setting this value to true will cause the cache store to load a memory-only instance, without remote backing
+ "memory_only": ${MEMCACHE_ONLY},
+
+ //enable memory cache
+ "memory_cache": {
+ "buckets": 20,
+ "bucket_size": 5000,
+ "max_age_sec": 600,
+ "refresh_interval_sec": 60,
+ "zero_all": false,
+ "max_object_size": 8128
+ }
+ },
+
+ "secrets": {
+ //Special key used by the loading library for access to the PasswordHashing library to pepper password hashes
+ "passwords": "${PASSWORD_PEPPER}",
+ "db_password": "${DATABASE_PASSWORD}",
+ "client_private_key": "${VNCACHE_CLIENT_PRIVATE_KEY}",
+ "cache_public_key": "${VNCACHE_CACHE_PUBLIC_KEY}",
+ "redis_password": "${REDIS_PASSWORD}"
+ }
+}
+
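Review bot: The `secrets` block at the end of config-template.json, together with `hashicorp_vault.token`, has CI substitute `${PASSWORD_PEPPER}`, `${DATABASE_PASSWORD}`, `${REDIS_PASSWORD}`, `${VNCACHE_CLIENT_PRIVATE_KEY}` and `${HC_VAULT_TOKEN}` directly into a file on the container's disk, so the rendered config holds every secret the host uses in plaintext — whereas CMNext-template.json resolves its storage secret through a vault path. The block should at least carry `//Values here are written to the rendered file by substitution; restrict its permissions or reference vault paths instead, as the plugin templates do`, and the vault token itself should not sit beside the secrets it is meant to guard. `"trust_certificate": ${HC_VAULT_TRUST_CERT},` and `"ssl": ${SSL_JSON},` each leave a trailing comma before the closing brace; the host parser evidently tolerates `//` comments, but no other object in these templates relies on trailing commas, so whether they parse is not established by this diff. `"use_tls": false` under `cache` turns off transport encryption to the cache server with only `//Disable TLS` as explanation; a note on when that is acceptable (presumably only alongside `memory_only` or a private network) belongs there.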
diff --git a/ci/config-templates/routes.xml b/ci/config-templates/routes.xml new file mode 100644 index 0000000..85f9830 --- /dev/null +++ b/ci/config-templates/routes.xml @@ -0,0 +1,46 @@ + + + + + + + + + + + * + + + /assets/* + + + + + * + / + index.html + + + + + * + /* + / + + + + + + \ No newline at end of file -- cgit