From 130021681232bbc08c86085a7aef869cc69ec8c4 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 11 Feb 2022 13:21:03 +0100
Subject: [PATCH 1/9] fix path in /app for k8s
---
 hosting/kubernetes/nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosting/kubernetes/nginx/nginx.conf b/hosting/kubernetes/nginx/nginx.conf
index 2bf512964b..7a84c0ee2e 100644
--- a/hosting/kubernetes/nginx/nginx.conf
+++ b/hosting/kubernetes/nginx/nginx.conf
@@ -45,7 +45,7 @@ http {
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
 location /app {
- proxy_pass http://app-service:4002;
+ proxy_pass http://app-service.budibase.svc.cluster.local:4002;
 rewrite ^/app/(.*)$ /$1 break;
 }
From b2c4b60aff26aa615fff359c46f3138d169b79d2 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 11 Feb 2022 13:22:14 +0100
Subject: [PATCH 2/9] fix for csp for images
---
 hosting/kubernetes/nginx/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosting/kubernetes/nginx/nginx.conf b/hosting/kubernetes/nginx/nginx.conf
index 7a84c0ee2e..688b72a4df 100644
--- a/hosting/kubernetes/nginx/nginx.conf
+++ b/hosting/kubernetes/nginx/nginx.conf
@@ -42,7 +42,7 @@ http {
 add_header X-Frame-Options SAMEORIGIN always;
 add_header X-Content-Type-Options nosniff always;
 add_header X-XSS-Protection "1; mode=block" always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src http: https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
 location /app {
 proxy_pass http://app-service.budibase.svc.cluster.local:4002;
From 8f668eac856d573ca32600e2d27f1792df4858a1 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 11 Feb 2022 13:23:53 +0100
Subject: [PATCH 3/9] add csp update for nginx in self host
---
 hosting/proxy/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosting/proxy/nginx.conf b/hosting/proxy/nginx.conf
index 7a8a44e2d8..06283d579b 100644
--- a/hosting/proxy/nginx.conf
+++ b/hosting/proxy/nginx.conf
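Review bot: Adding `http:` to `img-src` lets pages load images from any plaintext origin, which on an HTTPS deployment is mixed content that browsers either block or silently upgrade, and on a plain-HTTP deployment is content an on-path party can swap; the same change is made to hosting/proxy/nginx.conf in the next patch. With `script-src` already carrying `'unsafe-inline' 'unsafe-eval'` (context lines above), the policy's remaining value lies in limiting where a page can send requests, and a scheme-wide `http:` widens that to every plaintext host. If the aim is to let self-hosted instances running over HTTP embed their own images, `'self'` already covers that; if specific external hosts are needed, listing them is safer than the scheme wildcard.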
@@ -46,7 +46,7 @@ http {
 add_header X-Frame-Options SAMEORIGIN always;
 add_header X-Content-Type-Options nosniff always;
 add_header X-XSS-Protection "1; mode=block" always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src http: https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
 location /app {
 proxy_pass http://app-service:4002;
From 0716df50981729d8820395bf9517150a4b862410 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Fri, 11 Feb 2022 12:32:57 +0000
Subject: [PATCH 4/9] Fixing issue with CLI not updating proxy images.
---
 packages/cli/src/hosting/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/cli/src/hosting/index.js b/packages/cli/src/hosting/index.js
index ecf3b710b2..2b147810b4 100644
--- a/packages/cli/src/hosting/index.js
+++ b/packages/cli/src/hosting/index.js
@@ -15,7 +15,7 @@ const makeEnv = require("./makeEnv")
 const axios = require("axios")
 const AnalyticsClient = require("../analytics/Client")
-const BUDIBASE_SERVICES = ["app-service", "worker-service"]
+const BUDIBASE_SERVICES = ["app-service", "worker-service", "proxy-service"]
 const ERROR_FILE = "docker-error.log"
 const FILE_URLS = [
 "https://raw.githubusercontent.com/Budibase/budibase/master/hosting/docker-compose.yaml",
From a78dd38a586926f68b649b0f1c94a9370ffb76e9 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Fri, 11 Feb 2022 13:23:15 +0000
Subject: [PATCH 5/9] Fixing img-src for self host.
---
 hosting/proxy/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosting/proxy/nginx.conf b/hosting/proxy/nginx.conf
index 06283d579b..4212a9e515 100644
--- a/hosting/proxy/nginx.conf
+++ b/hosting/proxy/nginx.conf
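Review bot: `BUDIBASE_SERVICES` gains a third entry but nothing in the file says what membership means; from the commit subject it appears to be the set of compose services whose images the CLI pulls on update, and a reader cannot tell from the list alone whether adding a service here is sufficient or whether the compose file fetched from `FILE_URLS` must also define it. A one-line comment above the constant, such as `// compose services whose images the CLI pulls and recreates on update`, would record that. The constant's consumer is outside this hunk, so the intent here is inferred from the subject line.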
@@ -46,7 +46,7 @@ http {
 add_header X-Frame-Options SAMEORIGIN always;
 add_header X-Content-Type-Options nosniff always;
 add_header X-XSS-Protection "1; mode=block" always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src http: https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
 location /app {
 proxy_pass http://app-service:4002;
From 082be8ef67edc933152a0f476c419832d4f571f9 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 11 Feb 2022 15:13:31 +0100
Subject: [PATCH 6/9] fix port redirection issue
---
 hosting/kubernetes/nginx/nginx.conf | 8 ++++++++
 hosting/proxy/nginx.conf | 2 ++
 2 files changed, 10 insertions(+)
diff --git a/hosting/kubernetes/nginx/nginx.conf b/hosting/kubernetes/nginx/nginx.conf
index 688b72a4df..1598bf9909 100644
--- a/hosting/kubernetes/nginx/nginx.conf
+++ b/hosting/kubernetes/nginx/nginx.conf
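Review bot: Removing the `img-src` directive does not relax image loading — CSP falls back to `default-src 'self'`, so `data:` URIs and every external image that the previous `img-src http: https: data:` permitted are now blocked on self-host, which is the opposite of what the subject "Fixing img-src" suggests. If the intent was to drop only the `http:` scheme, the line should keep `img-src https: data:;` rather than omit the directive. Patch 8 later re-adds `img-src http: https: data:` to this file, which suggests the omission here was unintended.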
@@ -25,6 +25,7 @@ http {
 client_max_body_size 1k;
 ignore_invalid_headers off;
 proxy_buffering off;
+ port_in_redirect off;
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
@@ -36,6 +37,7 @@ http {
 server {
 listen 10000 default_server;
+ listen [::]:10000 default_server;
 server_name _;
 # Security Headers
@@ -50,6 +52,12 @@ http {
 }
 location = / {
+ proxy_http_version 1.1;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://app-service.budibase.svc.cluster.local:4002;
 }
diff --git a/hosting/proxy/nginx.conf b/hosting/proxy/nginx.conf
index 06283d579b..b7ea9011c9 100644
--- a/hosting/proxy/nginx.conf
+++ b/hosting/proxy/nginx.conf
@@ -25,6 +25,7 @@ http {
 client_max_body_size 1k;
 ignore_invalid_headers off;
 proxy_buffering off;
+ port_in_redirect off;
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
@@ -37,6 +38,7 @@ http {
 server {
 listen 10000 default_server;
+ listen [::]:10000 default_server;
 server_name _;
 client_max_body_size 1000m;
 ignore_invalid_headers off;
From e1f78a326b9816ed610f8438475a61e49f14b295 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 11 Feb 2022 15:39:18 +0100
Subject: [PATCH 7/9] set correct port for worker
---
 hosting/kubernetes/nginx/nginx.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hosting/kubernetes/nginx/nginx.conf b/hosting/kubernetes/nginx/nginx.conf
index 1598bf9909..d88831e1c8 100644
--- a/hosting/kubernetes/nginx/nginx.conf
+++ b/hosting/kubernetes/nginx/nginx.conf
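Review bot: The header block added to `location = /` sets `X-Forwarded-For $proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent rather than replacing it; anything upstream that reads this header for audit logging or rate limiting must take only the last, proxy-appended entry, since the earlier entries are client-supplied. The block also depends on `$connection_upgrade`, which needs a `map $http_upgrade $connection_upgrade` in the `http` block; the existing `/builder/` location in hosting/proxy/nginx.conf already uses it so the map presumably exists, but this hunk does not show it for the kubernetes file. The same six lines are repeated verbatim in `/builder/` and again in the `^/(builder|app_)` location later in this series; moving them into one snippet pulled in with `include` would keep the copies from drifting.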
@@ -76,11 +76,11 @@ http {
 }
 location ~ ^/api/(system|admin|global)/ {
- proxy_pass http://worker-service.budibase.svc.cluster.local:4003;
+ proxy_pass http://worker-service.budibase.svc.cluster.local:4001;
 }
 location /worker/ {
- proxy_pass http://worker-service.budibase.svc.cluster.local:4003;
+ proxy_pass http://worker-service.budibase.svc.cluster.local:4001;
 rewrite ^/worker/(.*)$ /$1 break;
 }
From 27c0eafaf9e647393b2af5f3b7033dc2c0540735 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 11 Feb 2022 16:05:35 +0100
Subject: [PATCH 8/9] CSP fixes
---
 hosting/kubernetes/nginx/nginx.conf | 4 ++--
 hosting/proxy/nginx.conf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/hosting/kubernetes/nginx/nginx.conf b/hosting/kubernetes/nginx/nginx.conf
index d88831e1c8..14593b6648 100644
--- a/hosting/kubernetes/nginx/nginx.conf
+++ b/hosting/kubernetes/nginx/nginx.conf
@@ -22,7 +22,7 @@ http {
 # buffering
 client_body_buffer_size 1K;
 client_header_buffer_size 1k;
- client_max_body_size 1k;
+ client_max_body_size 10M;
 ignore_invalid_headers off;
 proxy_buffering off;
 port_in_redirect off;
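Review bot: Raising the http-level `client_max_body_size` from 1k to 10M makes 10M the ceiling for every location in the kubernetes proxy, including the minio location further down this file, whereas the self-host hosting/proxy/nginx.conf keeps 1k at http level and 1000m at server level (visible in patch 6's context lines). If uploads larger than 10M are expected to reach minio through the kubernetes proxy they will now be rejected with 413, so either a per-location override or the same server-level value as the self-host config would keep the two deployments behaving alike. A short comment on the line stating what the 10M is sized for, e.g. `# request bodies above this are rejected with 413 before reaching any upstream`, would also stop the next reader from assuming 1k was deliberate hardening.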
@@ -44,7 +44,7 @@ http {
 add_header X-Frame-Options SAMEORIGIN always;
 add_header X-Content-Type-Options nosniff always;
 add_header X-XSS-Protection "1; mode=block" always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src http: https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src http: https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
 location /app {
 proxy_pass http://app-service.budibase.svc.cluster.local:4002;
diff --git a/hosting/proxy/nginx.conf b/hosting/proxy/nginx.conf
index db5b907395..d07e5b0d44 100644
--- a/hosting/proxy/nginx.conf
+++ b/hosting/proxy/nginx.conf
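Review bot: The policy is now maintained as two near-identical strings of several hundred characters in hosting/kubernetes/nginx/nginx.conf and hosting/proxy/nginx.conf (next hunk), and this series alone edits them five times with the copies diverging in between — patch 5 dropped `img-src` from the self-host copy until this commit restores it, and the `script-src` source order differed until this commit as well. Moving the directive into one file that both configs `include` would make the two deployments' policies diffable and keep them in step. The `data:` source added to `font-src` is low risk in itself, but with `script-src` already carrying `'unsafe-inline' 'unsafe-eval'` the policy's remaining value is in the per-directive allow-lists, so drift between the copies is exactly what should be guarded against.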
@@ -48,7 +48,7 @@ http {
 add_header X-Frame-Options SAMEORIGIN always;
 add_header X-Content-Type-Options nosniff always;
 add_header X-XSS-Protection "1; mode=block" always;
- add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline' 'unsafe-eval' 'self' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
+ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src http: https: data:; manifest-src 'self'; media-src 'self'; worker-src 'none';" always;
 location /app {
 proxy_pass http://app-service:4002;
From 57e554a98bc4f2eb31b921edc8e96afb38f378a1 Mon Sep 17 00:00:00 2001
From: Martin McKeaveney
Date: Fri, 11 Feb 2022 19:04:27 +0100
Subject: [PATCH 9/9] fixes for k8s
---
 hosting/kubernetes/nginx/nginx.conf | 16 +++++++++++-----
 hosting/proxy/nginx.conf | 14 +++++++++++---
 2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/hosting/kubernetes/nginx/nginx.conf b/hosting/kubernetes/nginx/nginx.conf
index 14593b6648..9d03aaab18 100644
--- a/hosting/kubernetes/nginx/nginx.conf
+++ b/hosting/kubernetes/nginx/nginx.conf
@@ -25,7 +25,6 @@ http {
 client_max_body_size 10M;
 ignore_invalid_headers off;
 proxy_buffering off;
- port_in_redirect off;
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
@@ -39,6 +38,7 @@ http {
 listen 10000 default_server;
 listen [::]:10000 default_server;
 server_name _;
+ port_in_redirect off;
 # Security Headers
 add_header X-Frame-Options SAMEORIGIN always;
@@ -71,7 +71,13 @@ http {
 proxy_pass http://app-service.budibase.svc.cluster.local:4002;
 }
- location ^/(builder|app_) {
+ location ~ ^/(builder|app_) {
+ proxy_http_version 1.1;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://app-service.budibase.svc.cluster.local:4002;
 }
@@ -113,11 +119,11 @@ http {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header Host $http_host;
+ proxy_set_header Connection "";
+ proxy_http_version 1.1;
+ chunked_transfer_encoding off;
 proxy_connect_timeout 300;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- chunked_transfer_encoding off;
 proxy_pass http://minio-service.budibase.svc.cluster.local:9000;
 }
diff --git a/hosting/proxy/nginx.conf b/hosting/proxy/nginx.conf
index d07e5b0d44..ff12e2f49e 100644
--- a/hosting/proxy/nginx.conf
+++ b/hosting/proxy/nginx.conf
@@ -24,8 +24,6 @@ http {
 client_header_buffer_size 1k;
 client_max_body_size 1k;
 ignore_invalid_headers off;
- proxy_buffering off;
- port_in_redirect off;
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
@@ -43,6 +41,7 @@ http {
 client_max_body_size 1000m;
 ignore_invalid_headers off;
 proxy_buffering off;
+ port_in_redirect off;
 # Security Headers
 add_header X-Frame-Options SAMEORIGIN always;
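Review bot: Adding `~` turns `location ^/(builder|app_)` from a literal prefix match that no real request URI could satisfy into a live case-sensitive regex location, and nginx prefers a matching regex location over any plain prefix location, so every path beginning with `/builder` or `/app_` now routes through this block instead of whichever prefix block handled it before; the change alters routing, not just the header set. The pattern is anchored only at the start, so `/builderfoo` and `/app_anything` match too — fine if intended, but a comment such as `# regex location: beats the prefix locations above for /builder* and /app_*` would make that explicit. The header lines added here are the third verbatim copy of the same block in this series; an `include` snippet would be easier to keep consistent than three copies.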
@@ -56,6 +55,7 @@ http {
 }
 location = / {
+ port_in_redirect off;
 proxy_pass http://app-service:4002;
 }
@@ -64,6 +64,7 @@ http {
 }
 location /builder/ {
+ port_in_redirect off;
 proxy_http_version 1.1;
 proxy_set_header Connection $connection_upgrade;
 proxy_set_header Upgrade $http_upgrade;
@@ -73,7 +74,14 @@ http {
 proxy_pass http://app-service:4002;
 }
- location ^/(builder|app_) {
+ location ~ ^/(builder|app_) {
+ port_in_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass http://app-service:4002;
 }
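Review bot: With `location ~ ^/(builder|app_)` now a working regex location, the `location /builder/` prefix block above it becomes dead code: nginx takes a matching regex location over a non-`^~` prefix match, so every `/builder/...` request is served by the regex block and the `port_in_redirect off;` added to `/builder/` in the second hunk never takes effect. Both blocks proxy to `app-service:4002` with the same header set, so behaviour is unchanged, but either the `/builder/` block should go or it should become `location ^~ /builder/` if it is meant to win. The `port_in_redirect off;` lines added inside `location = /` and the regex location are also redundant with the server-level `port_in_redirect off;` added in the previous hunk of this file, since the directive is inherited by locations.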