author | vnugent <public@vaughnnugent.com> | 2024-05-23 18:17:56 -0400 |
---|---|---|
committer | vnugent <public@vaughnnugent.com> | 2024-05-23 18:17:56 -0400 |
commit | 5b6b4c06bc4b974e1839ca47c91dd6c903f119fd (patch) | |
tree | 35d9b34ec412c4c75f2fbc6b13b9122baf88b717 /ci/container | |
parent | c7c9e8a441e99e1dc79e2a690d83281af463d817 (diff) |
build(server): Update Docker config to support new vars
Diffstat (limited to 'ci/container')
-rw-r--r-- | ci/container/Dockerfile | 37 | ||||
-rw-r--r-- | ci/container/config-templates/Essentials.Accounts-template.json | 2 | ||||
-rw-r--r-- | ci/container/config-templates/PageRouter-template.json | 2 | ||||
-rw-r--r-- | ci/container/config-templates/SessionProvider-template.json | 8 | ||||
-rw-r--r-- | ci/container/config-templates/SimpleBookmark-template.json | 2 | ||||
-rw-r--r-- | ci/container/docker-compose.yaml | 28 |
6 files changed, 50 insertions, 29 deletions
diff --git a/ci/container/Dockerfile b/ci/container/Dockerfile
index 4580e48..33de6f1 100644
--- a/ci/container/Dockerfile
+++ b/ci/container/Dockerfile
@@ -55,8 +55,8 @@ ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0
 ENV VNLIB_ARGON2_DLL_PATH=/app/lib/libargon2.so
 #set default env variables
-ENV MAX_BOOKMARKS=5000
-ENV REG_TOKEN_DURATION_MIN=360
+ENV MAX_BOOKMARKS=5000 \
+ REG_TOKEN_DURATION_MIN=360
 #SQL Config
 ENV SQL_LIB_PATH=VNLib.Plugins.Extensions.Sql.SQLite.dll
@@ -66,29 +66,34 @@ ENV SQL_CONNECTION_STRING="Data Source=data/simple-bookmark.db;"
 ENV MAX_LOGIN_ATTEMPS=10
 #HC Vault
-ENV HC_VAULT_ADDR=""
-ENV HC_VAULT_TOKEN=""
-ENV HC_VAULT_TRUST_CERT=false
+ENV HC_VAULT_ADDR="" \
+ HC_VAULT_TOKEN="" \
+ HC_VAULT_TRUST_CERT=false
 #VNCACHE (default to memory only)
-ENV CACHE_ASM_PATH=VNLib.Data.Caching.Providers.VNCache.dll
-ENV MEMCACHE_ONLY=true
-ENV REDIS_CONNECTION_STRING=""
-ENV VNCACHE_INITIAL_NODES=[]
+ENV CACHE_ASM_PATH=VNLib.Data.Caching.Providers.VNCache.dll \
+ MEMCACHE_ONLY=true \
+ REDIS_CONNECTION_STRING="" \
+ VNCACHE_INITIAL_NODES=[]
 #SECRETS
-ENV PASSWORD_PEPPER=""
-ENV DATABASE_PASSWORD=""
-ENV REDIS_PASSWORD=""
-ENV VNCACHE_CLIENT_PRIVATE_KEY=""
-ENV VNCACHE_CACHE_PUBLIC_KEY=""
+ENV PASSWORD_PEPPER="" \
+ DATABASE_PASSWORD="" \
+ REDIS_PASSWORD="" \
+ VNCACHE_CLIENT_PRIVATE_KEY="" \
+ VNCACHE_CACHE_PUBLIC_KEY=""
+ #HTTP/PROXY Config
-ENV HTTP_DOWNSTREAM_SERVERS=[]
-ENV HTTP_TRACE_ON=false
+ENV HTTP_DOWNSTREAM_SERVERS=[] \
+ HTTP_TRACE_ON=false
+ #set default certificate files to the self signed ones created in the build container
 ENV SSL_JSON='{"cert": "ssl/cert.pem", "privkey":"ssl/key.pem"}'
+#disable plugin debugging by default
+ENV DEBUG_PLUGINS=false
+ #run the init script within dumb-init
 ENTRYPOINT ["dumb-init", "--"]
 CMD ["ash", "./run.sh"]
diff --git a/ci/container/config-templates/Essentials.Accounts-template.json b/ci/container/config-templates/Essentials.Accounts-template.json
index 6e36986..68568a9 100644
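Review bot: The `#SECRETS` block (`PASSWORD_PEPPER`, `DATABASE_PASSWORD`, `REDIS_PASSWORD`, `VNCACHE_CLIENT_PRIVATE_KEY`, `VNCACHE_CACHE_PUBLIC_KEY`) still declares every secret as an image `ENV`, so any literal value an operator supplies with `-e` or in compose is exposed through `docker inspect` and inherited by every process the container starts, and nothing in the hunk warns about that. The compose change in this same commit documents `file://` and `vault://` references for these variables, so the Dockerfile should carry the same guidance, e.g. `#SECRETS - leave empty in the image; at runtime supply file:// or vault:// references rather than literal values (env values are visible via docker inspect)`. `HC_VAULT_TOKEN=""` is a bearer credential of the same sensitivity but sits under `#HC Vault`; a short `#the vault token is a secret too - see #SECRETS` would keep operators from treating it as plain config. Finally, `HC_VAULT_TRUST_CERT=false` is not documented anywhere visible here; if it disables certificate verification when set to `true`, say so on the line, since that is a setting people flip to make a vault connection work and then forget.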
--- a/ci/container/config-templates/Essentials.Accounts-template.json
+++ b/ci/container/config-templates/Essentials.Accounts-template.json
@@ -1,5 +1,5 @@
 {
- "debug": false,
+ "debug": ${DEBUG_PLUGINS},
 //endpoints
diff --git a/ci/container/config-templates/PageRouter-template.json b/ci/container/config-templates/PageRouter-template.json
index 7cfdf24..98dded3 100644
--- a/ci/container/config-templates/PageRouter-template.json
+++ b/ci/container/config-templates/PageRouter-template.json
@@ -1,5 +1,5 @@
 {
- "debug": false,
+ "debug": ${DEBUG_PLUGINS},
 "store": { "route_file": "static/routes.xml" }
diff --git a/ci/container/config-templates/SessionProvider-template.json b/ci/container/config-templates/SessionProvider-template.json
index e281edf..328f06f 100644
--- a/ci/container/config-templates/SessionProvider-template.json
+++ b/ci/container/config-templates/SessionProvider-template.json
@@ -1,6 +1,6 @@
 {
- "debug": false,
+ "debug": ${DEBUG_PLUGINS},
 //Provider assemblies to load
 "provider_assemblies": [ "VNLib.Plugins.Sessions.VNCache.dll" ],
@@ -16,6 +16,10 @@
 //time (in seconds) a session is valid for
 "valid_for_sec": 3600,
 //The maxium number of connections waiting for the cache server responses
- "max_waiting_connections": 100
+ "max_waiting_connections": 100,
+ //Enforce strict cross-origin session checks
+ "strict_cors": true,
+ ///Enforces strict TLS to help prevent tls downgrades based on stored session variables (privacy note: this can be leaked through brute-forced if session id is stolen)
+ "strict_tls_protocol": true
 }
 }
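Review bot: `+ "debug": ${DEBUG_PLUGINS},` substitutes the variable unquoted into the JSON, so an unset or empty `DEBUG_PLUGINS` renders `"debug": ,` and the template stops parsing; the `ENV DEBUG_PLUGINS=false` default in the Dockerfile covers the image, but anyone rendering the templates elsewhere, or clearing the variable in compose, gets a startup failure instead of a safe default. If the expander used at startup (not visible in this diff) accepts POSIX default syntax, `"debug": ${DEBUG_PLUGINS:-false},` keeps the fail-safe, and the same applies to the PageRouter, SessionProvider and SimpleBookmark templates changed in this commit. Whatever the expander, the value must land as a JSON boolean, so a comment on the line such as `//set from DEBUG_PLUGINS; must expand to true or false, not 1/0 or a quoted string` would stop operators passing values that parse as a number or fail to parse at all.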
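Review bot: The comment added above `+ "strict_tls_protocol": true` is hard to read ("this can be leaked through brute-forced if session id is stolen") and is prefixed `///` where every other comment in the file uses `//`. Suggested wording that keeps the stated claim: `//Enforces the TLS protocol recorded in the session to help prevent TLS downgrades (privacy note: the stored protocol value could be exposed if a session id is stolen or brute-forced)`; confirm with the author that this is the intended meaning, since the enforcement logic is not visible here. `+ "strict_cors": true` gets only `//Enforce strict cross-origin session checks`, which does not tell an operator what happens to a session that fails the check (rejected, regenerated, or just logged), so a clause stating that would make the hardening default easier to keep enabled. The file also still ends without a trailing newline, which the diff reports.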
\ No newline at end of file
diff --git a/ci/container/config-templates/SimpleBookmark-template.json b/ci/container/config-templates/SimpleBookmark-template.json
index 610673e..8736d8d 100644
--- a/ci/container/config-templates/SimpleBookmark-template.json
+++ b/ci/container/config-templates/SimpleBookmark-template.json
@@ -1,7 +1,7 @@
 { //Comments are allowed
- "debug": false, //Enables obnoxious debug logging
+ "debug": ${DEBUG_PLUGINS}, //Enables obnoxious debug logging
 "bm_endpoint": {
diff --git a/ci/container/docker-compose.yaml b/ci/container/docker-compose.yaml
index 63de647..2840160 100644
--- a/ci/container/docker-compose.yaml
+++ b/ci/container/docker-compose.yaml
@@ -19,24 +19,33 @@ services:
 environment:
 MAX_BOOKMARKS: "5000"
 REG_TOKEN_DURATION_MIN: "360" #6 hours
+ #SQL Config
 SQL_LIB_PATH: "VNLib.Plugins.Extensions.Sql.SQLite.dll"
 SQL_CONNECTION_STRING: "Data Source=data/simple-bookmark.db;"
- #HC Vault
- HC_VAULT_ADDR: ""
- HC_VAULT_TOKEN: ""
- HC_VAULT_TRUST_CERT: "false"
+
+ #HC Vault client config
+ #HC_VAULT_ADDR: ""
+ #HC_VAULT_TOKEN: ""
+ #HC_VAULT_TRUST_CERT: "false"
+ #VNCACHE (default to memory only)
 CACHE_ASM_PATH: "VNLib.Data.Caching.Providers.VNCache.dll"
 MEMCACHE_ONLY: "true"
 REDIS_CONNECTION_STRING: ""
 #at least one node required if MEMCACHE_ONLY is false
 VNCACHE_INITIAL_NODES: "[]"
- #ACCOUNTS
+
+ #Accounts plugin config
 MAX_LOGIN_ATTEMPS: "10"
 #SECRETS
- PASSWORD_PEPPER: "" #A base64 encoded secret is required. raw string, vault://, file:// allowed
+ #All secrets may be a raw value, read from a file,
+ #an environment variable, or a vault path
+ # file://mysecret.txt reads the secret from a file (case sensitive)
+ # env://MY_SECRET reads the secret from an environment variable (case sensitive)
+ # vault://kv/data/secret?secret=value reads the value of the mysecret key in the secret/data path
+ PASSWORD_PEPPER: "" #Must be a base64 encoded value, of realtivley any size
 DATABASE_PASSWORD: ""
 REDIS_PASSWORD: ""
 #if MEMCACHE_ONLY is false, then the following keys are required to connect to a VNCACHE cluster
@@ -44,8 +53,11 @@ services:
 VNCACHE_CACHE_PUBLIC_KEY: ""
 #HTTP
- HTTP_DOWNSTREAM_SERVERS: '[]'
- HTTP_TRACE_ON: "false"
+ HTTP_DOWNSTREAM_SERVERS: '[]' #a comma separated list of downstream ip addresses
+ HTTP_TRACE_ON: "false" #enable http trace logging, requires --debug CLI flag
+
+ #Very Verbose plugin logging, required --debug CLI flag, prints literally everything to the logger
+ DEBUG_PLUGINS: "false"
 SERVER_ARGS: "--setup" #remove the setup flag after you are done setting up the server |
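Review bot: The new secrets comment contradicts its own example: `# vault://kv/data/secret?secret=value reads the value of the mysecret key in the secret/data path` describes a `mysecret` key under `secret/data`, but the URL names the path `kv/data/secret` and the key `value`, so an operator copying it will address the wrong secret. Suggested: `# vault://kv/data/mysecret?secret=value reads the "value" key of the secret stored at kv/data/mysecret`, with the query parameter name confirmed against the vault client, which is not visible here. The block should also say what `file://mysecret.txt` is relative to, and state the reason to prefer the `file://`/`vault://` forms: a literal value written into `environment:` is visible through `docker inspect` and to every process in the container, whereas a compose `secrets:` mount referenced as `file:///run/secrets/<name>` is not. Minor: `#Must be a base64 encoded value, of realtivley any size` should read `relatively`.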
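Review bot: `+ HTTP_DOWNSTREAM_SERVERS: '[]' #a comma separated list of downstream ip addresses` describes a comma-separated list while the value here and the Dockerfile default are a JSON array literal, so an operator following the comment would write `10.0.0.2,10.0.0.3` and get either a parse error or a silently empty list. Suggested: `#JSON array of downstream proxy addresses, e.g. '["10.0.0.2"]'; list only hosts whose forwarded headers should be trusted` — the second clause needs confirming against the server, because if this list gates acceptance of X-Forwarded-For style headers, an over-broad entry lets clients spoof their source address in logs and rate limits. The `DEBUG_PLUGINS` comment has `required --debug CLI flag` where the line above uses `requires`, and `prints literally everything to the logger` deserves a concrete warning such as `#do not enable in production - may write request and session data to the log`, hedged until someone checks what the plugins emit at debug level.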