From 36d91f883587153df5bcbf1a79a295b0aaaee9dc Mon Sep 17 00:00:00 2001
From: xbdm
Date: Fri, 14 Jul 2023 21:15:20 +0000
Subject: [PATCH 01/10] new instance: stream.whateveritworks.org
---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 75c5a40..420b3ec 100644
--- a/README.md
+++ b/README.md
@@ -204,5 +204,4 @@ Community hosted instances:
 | URL | Country | Info |
 |-----------------------------|---------|------|
 | [safetwitch.projectsegfau.lt](https://safetwitch.projectsegfau.lt/) | 🇺🇸 🇮🇳 🇱🇺 | #2 |
-
-
+| [stream.whateveritworks.org](https://stream.whateveritworks.org) | :DE: | Hosted on Hetzner/Dedicated Server with Encryption at rest
\ No newline at end of file
From 81923312f2675eeb55ecda2c86678e022a93afb9 Mon Sep 17 00:00:00 2001
From: xbdm
Date: Fri, 14 Jul 2023 21:16:11 +0000
Subject: [PATCH 02/10] Delete 'docker/Dockerfile'
---
 docker/Dockerfile | 31 -------------------------------
 1 file changed, 31 deletions(-)
 delete mode 100644 docker/Dockerfile
diff --git a/docker/Dockerfile b/docker/Dockerfile
deleted file mode 100644
index 754a655..0000000
--- a/docker/Dockerfile
+++ /dev/null
@@ -1,31 +0,0 @@
-# Multi-stage
-# 1) Node image for building frontend assets
-# 2) nginx stage to serve frontend assets
-
-# Name the node stage "builder"
-FROM docker.io/node:16 AS builder
-# Set working directory
-WORKDIR /app
-
-ENV SAFETWITCH_BACKEND_DOMAIN SAFETWITCH_BACKEND_DOMAIN_PLACEHOLDER
-ENV SAFETWITCH_INSTANCE_DOMAIN SAFETWITCH_INSTANCE_DOMAIN_PLACEHOLDER
-ENV SAFETWITCH_HTTPS SAFETWITCH_HTTPS_PLACEHOLDER
-# Copy all files from current directory to working dir in image
-COPY . .
-# install node modules and build assets
-RUN npm i && npm run build
-
-# nginx state for serving content
-FROM docker.io/nginx:alpine
-COPY ./nginx.conf /etc/nginx/nginx.conf
-# Set working directory to nginx asset directory
-RUN mkdir /app
-# Copy static assets from builder stage
-COPY --from=builder /app/dist /app
-# Containers run nginx with global directives and daemon off
-EXPOSE 80
-
-# Overriding the default NGINX container behavior
-COPY ./substitute_environment_variables.sh ./substitute_environment_variables.sh
-RUN chmod +x /substitute_environment_variables.sh
-ENTRYPOINT ["/substitute_environment_variables.sh"]
\ No newline at end of file
From 8f8bf84ebcdfc9dacc58cac67f6175a6989900ce Mon Sep 17 00:00:00 2001
From: xbdm
Date: Fri, 14 Jul 2023 21:16:26 +0000
Subject: [PATCH 03/10] Delete 'docker/docker-compose.yml'
---
 docker/docker-compose.yml | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100644 docker/docker-compose.yml
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
deleted file mode 100644
index d1c44ad..0000000
--- a/docker/docker-compose.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-version: "3.9"
-services:
- frontend:
- build:
- context: "../"
- dockerfile: ./docker/Dockerfile
- ports:
- - "8080:80"
- environment:
- - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
- - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
- - SAFETWITCH_HTTPS=false
- - SAFETWITCH_DEFAULT_LOCALE=en
- - SAFETWITCH_FALLBACK_LOCALE=ja
-
From 99235ca70a95fe879e87a7d3f6e3cb29ecfe1593 Mon Sep 17 00:00:00 2001
From: xbdm
Date: Fri, 14 Jul 2023 21:16:52 +0000
Subject: [PATCH 04/10] Create Dockerfile
---
 Dockerfile | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 Dockerfile
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..754a655
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,31 @@
+# Multi-stage
+# 1) Node image for building frontend assets
+# 2) nginx stage to serve frontend assets
+
+# Name the node stage "builder"
+FROM docker.io/node:16 AS builder
+# Set working directory
+WORKDIR /app
+
+ENV SAFETWITCH_BACKEND_DOMAIN SAFETWITCH_BACKEND_DOMAIN_PLACEHOLDER
+ENV SAFETWITCH_INSTANCE_DOMAIN SAFETWITCH_INSTANCE_DOMAIN_PLACEHOLDER
+ENV SAFETWITCH_HTTPS SAFETWITCH_HTTPS_PLACEHOLDER
+# Copy all files from current directory to working dir in image
+COPY . .
+# install node modules and build assets
+RUN npm i && npm run build
+
+# nginx state for serving content
+FROM docker.io/nginx:alpine
+COPY ./nginx.conf /etc/nginx/nginx.conf
+# Set working directory to nginx asset directory
+RUN mkdir /app
+# Copy static assets from builder stage
+COPY --from=builder /app/dist /app
+# Containers run nginx with global directives and daemon off
+EXPOSE 80
+
+# Overriding the default NGINX container behavior
+COPY ./substitute_environment_variables.sh ./substitute_environment_variables.sh
+RUN chmod +x /substitute_environment_variables.sh
+ENTRYPOINT ["/substitute_environment_variables.sh"]
\ No newline at end of file
From b2fc949de7e669c4d9215d131e3b4c1f979f31a5 Mon Sep 17 00:00:00 2001
From: xbdm
Date: Fri, 14 Jul 2023 21:27:13 +0000
Subject: [PATCH 05/10] harden docker
Signed-off-by: xbdm
---
 docker-compose.yml | 49 +++++++++++++++++++++++++++++++++------------
 1 file changed, 35 insertions(+), 14 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 52e0234..d7f406c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
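Review bot: In the nginx stage, `COPY ./substitute_environment_variables.sh ./substitute_environment_variables.sh` copies to a relative destination, so the file only ends up at `/substitute_environment_variables.sh` (where `RUN chmod` and `ENTRYPOINT` expect it) because the nginx:alpine base does not set a WORKDIR; `COPY --chmod=755 ./substitute_environment_variables.sh /substitute_environment_variables.sh` removes that dependence and the extra chmod layer. The builder stage runs `RUN npm i && npm run build` after `COPY . .`, so the installed tree is not held to package-lock.json and any local `node_modules` or `.env` in the build context is copied in unless a `.dockerignore` excludes it; `npm ci` with the manifests copied before the rest of the source is reproducible and caches better. The three `ENV SAFETWITCH_* ..._PLACEHOLDER` lines use the legacy space-separated form that current builders warn on; `ENV SAFETWITCH_HTTPS=SAFETWITCH_HTTPS_PLACEHOLDER` is the expected spelling. `docker.io/node:16` and `docker.io/nginx:alpine` are floating tags, so pinning a minor version or digest would make the image that the compose hardening in PATCH 05 runs on reproducible. This is the same content removed from docker/Dockerfile in PATCH 02 (blob 754a655), so the pair is effectively a move to the repository root.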
@@ -1,20 +1,41 @@
-version: "3.9"
+version: "3.7"
+
 services:
- frontend:
- image: codeberg.org/dragongoose/safetwitch
+ safetwitch-frontend:
+ container_name: safetwitch-frontend
+ hostname: safetwitch-frontend
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+ restart: always
+ image: codeberg.org/dragongoose/safetwitch:latest
 ports:
- - "8080:80"
- environment:
- - SAFETWITCH_BACKEND_DOMAIN=localhost:7000
- - SAFETWITCH_INSTANCE_DOMAIN=localhost:80
- - SAFETWITCH_HTTPS=false
+ - "127.0.0.1:8280:80"
+ environment:
+ - SAFETWITCH_BACKEND_DOMAIN=changethis
+ - SAFETWITCH_INSTANCE_DOMAIN=changethis
+ - SAFETWITCH_HTTPS=true
 - SAFETWITCH_DEFAULT_LOCALE=en
- - SAFETWITCH_FALLBACK_LOCALE=ja
- backend:
- image: codeberg.org/dragongoose/safetwitch-backend
+ - SAFETWITCH_FALLBACK_LOCALE=en
+
+ safetwitch-backend:
+ container_name: safetwitch-backend
+ hostname: safetwitch-backend
+ user: 65534:65534
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ restart: always
+ image: codeberg.org/dragongoose/safetwitch-backend:latest
 ports:
- - "7000:7000"
+ - "127.0.0.1:7100:7000"
 environment:
 - PORT=7000
- - URL=http://localhost:7000
-
+ - URL=https://changethis
\ No newline at end of file
From d0392f3b205c6e1b6e36e35a5148bfd7f7a61178 Mon Sep 17 00:00:00 2001
From: xbdm
Date: Fri, 14 Jul 2023 21:30:49 +0000
Subject: [PATCH 06/10] Update 'stream-nginx.conf'
---
 nginx.conf | 17 -----------------
 stream-nginx.conf | 42 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 17 deletions(-)
 delete mode 100644 nginx.conf
 create mode 100644 stream-nginx.conf
diff --git a/nginx.conf b/nginx.conf
deleted file mode 100644
index 74c8ba2..0000000
--- a/nginx.conf
+++ /dev/null
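Review bot: Both services now track `:latest` (`image: codeberg.org/dragongoose/safetwitch:latest` and `image: codeberg.org/dragongoose/safetwitch-backend:latest`), so the `cap_drop`, `no-new-privileges` and `user:` hardening is applied to whatever image happens to be current at pull time rather than to a reviewed build; a version tag or `image@sha256:<digest>` keeps the deployed code fixed alongside the runtime policy. `read_only: true` together with `user: 65534:65534` on safetwitch-backend leaves no writable path at all; if the backend needs scratch space (not visible from here) it will fail at runtime, and a `tmpfs:` entry for that path is the usual fix. `version:` goes from `"3.9"` to `"3.7"` while adding nothing that needs the older schema, which looks unintentional even though Compose v2 ignores the field. Binding both published ports to `127.0.0.1` matches the `proxy_pass http://localhost:8280` / `:7100` reverse-proxy configs added in PATCH 06 and 07.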
@@ -1,17 +0,0 @@
-events {}
-http {
- include mime.types;
-
- server {
- listen 80;
- access_log off;
- error_log off;
-
-
- location / {
- root /app;
- index index.html;
- try_files $uri $uri/ /index.html;
- }
- }
-}
\ No newline at end of file
diff --git a/stream-nginx.conf b/stream-nginx.conf
new file mode 100644
index 0000000..a173dc2
--- /dev/null
+++ b/stream-nginx.conf
@@ -0,0 +1,42 @@
+server {
+ server_name changethis;
+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ add_header strict_sni on;
+ add_header strict_sni_header on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy upgrade-insecure-requests;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "DENY";
+ add_header Clear-Site-Data "cookies";
+ add_header Referrer-Policy "no-referrer";
+ add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
+ resolver 1.1.1.1;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ access_log /dev/null;
+ error_log /dev/null;
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://localhost:8280;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name changethis;
+ return 301 https://changethis$request_uri;
+ }
From eef2969914e1df49479bb5492410eeff04569e37 Mon Sep 17 00:00:00 2001
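Review bot: `add_header Clear-Site-Data "cookies";` sends the value `cookies` without the literal double quotes the Clear-Site-Data header grammar requires (nginx consumes its own quoting), so browsers ignore it; if clearing cookies on every response is really intended, `add_header Clear-Site-Data '"cookies"';` produces a valid header, though it will also discard any cookie the proxied frontend sets for itself. `add_header strict_sni on;` and `add_header strict_sni_header on;` are plain `add_header` directives, so they emit response headers named `strict_sni` and `strict_sni_header` instead of enforcing anything about SNI, and should be dropped. Only the Strict-Transport-Security line carries `always`; without it the remaining `add_header` lines are omitted from 4xx/5xx responses, so `X-Frame-Options`, `X-Content-Type-Options` and the rest are missing precisely on error pages unless `always` is appended to each. The same 42-line block is repeated in streamapi-nginx.conf in PATCH 07 (renamed to backend-nginx.conf in PATCH 10), where all three points apply.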
From: xbdm
Date: Fri, 14 Jul 2023 21:33:24 +0000
Subject: [PATCH 07/10] Create backend nginx.conf
Signed-off-by: xbdm
---
 streamapi-nginx.conf | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 streamapi-nginx.conf
diff --git a/streamapi-nginx.conf b/streamapi-nginx.conf
new file mode 100644
index 0000000..41f3aea
--- /dev/null
+++ b/streamapi-nginx.conf
@@ -0,0 +1,42 @@
+server {
+ server_name changethis;
+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+ ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ add_header strict_sni on;
+ add_header strict_sni_header on;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header Content-Security-Policy upgrade-insecure-requests;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "DENY";
+ add_header Clear-Site-Data "cookies";
+ add_header Referrer-Policy "no-referrer";
+ add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()";
+ resolver 1.1.1.1;
+
+ ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ access_log /dev/null;
+ error_log /dev/null;
+
+ location / {
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://localhost:7100;
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name changethis;
+ return 301 https://changethis$request_uri;
+ }
From 6383a202ef121fb08763ec2daa5b47667fc8b3ca Mon Sep 17 00:00:00 2001
From: xbdm
Date: Sat, 15 Jul 2023 16:48:37 +0000
Subject: [PATCH 08/10] Create default nginx.conf again
---
 nginx.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 nginx.conf
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..74c8ba2
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,17 @@
+events {}
+http {
+ include mime.types;
+
+ server {
+ listen 80;
+ access_log off;
+ error_log off;
+
+
+ location / {
+ root /app;
+ index index.html;
+ try_files $uri $uri/ /index.html;
+ }
+ }
+}
\ No newline at end of file
From ee6bfec9509b7081a11a0fb1c341ea4f6b40d61c Mon Sep 17 00:00:00 2001
From: xbdm
Date: Sat, 15 Jul 2023 16:53:25 +0000
Subject: [PATCH 09/10] Update stream-nginx.conf and rename to frontend-nginx.conf
This change is make it easier for the self-host user, my bad.
---
 stream-nginx.conf => frontend-nginx.conf | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename stream-nginx.conf => frontend-nginx.conf (100%)
diff --git a/stream-nginx.conf b/frontend-nginx.conf
similarity index 100%
rename from stream-nginx.conf
rename to frontend-nginx.conf
From 19cadf69f37ede91023e57e2a545e95655170e8b Mon Sep 17 00:00:00 2001
From: xbdm
Date: Sat, 15 Jul 2023 16:54:06 +0000
Subject: [PATCH 10/10] Update streamapi-nginx.conf and rename to backend-nginx.conf
This change is make it easier for the self-host user, my bad.
---
 streamapi-nginx.conf => backend-nginx.conf | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename streamapi-nginx.conf => backend-nginx.conf (100%)
diff --git a/streamapi-nginx.conf b/backend-nginx.conf
similarity index 100%
rename from streamapi-nginx.conf
rename to backend-nginx.conf
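Review bot: `error_log off;` inside the server block does not turn error logging off — nginx has no `off` value for `error_log`, so it opens a log file literally named `off` relative to the configuration prefix (`/etc/nginx/off` in the nginx:alpine image this file is copied into by the Dockerfile); `error_log /dev/null;` expresses the intent, or `error_log stderr;` keeps errors reachable through `docker logs` for operators. `access_log off;` is a real switch and is fine as written. The file is restored byte-for-byte from the one deleted in PATCH 06 (blob 74c8ba2), so that deletion and this re-creation cancel out.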