add docker compose for nginx and add cert generator

johnnzhou · johnnzhou · commit d82865bfd901 · 2025-04-21T00:10:12.000-07:00
diff --git a/Dockerfile b/Dockerfile
diff --git a/Makefile b/Makefile
@@ -9,6 +9,8 @@ CURRENT_DIR=$(shell pwd)
 clean:
 	@echo "Clean"
 	rm -rf build
+	docker volume rm ccn-coverage-vis_certs
+	docker rmi $(docker images --filter=reference='ccn-coverage-vis*' -q)
 
 .PHONY: build
 build:
diff --git a/README.md b/README.md
@@ -10,17 +10,10 @@ To install this service, the fist time, you will need to:
 
 1. Required tools and versions:
     1. Install `node` and `npm` according to the directions at https://nodejs.org/en/download/package-manager 
-    2. Install `pm2` using: `npm install pm2 -g` (as per https://www.npmjs.com/package/pm2#installing-pm2)
 2. Clone the service: `https://github.com/Local-Connectivity-Lab/ccn-coverage-vis` 
-2. Configure:
+3. Configure:
     1. `cd cd ccn-coverage-vis`     
     1. Edit `src/utils/config.ts` and set the correct URL for your API host (if you're testing or you're deploying to a new URL).
-4. Deploy as below.
-5. When starting the ccn-coverage-vis service the first time, use:
-    ```
-    pm2 start --name "Vis Server" npm -- run start
-    ```
-    This will register ccn-coverage-vis with [PM2](https://pm2.keymetrics.io/docs/usage/quick-start/).
 
 
 ## Deploying
@@ -135,6 +128,3 @@ npm install
   - Toggle Active
 - Better compatibility with local development
 
-# Maybe
-
-- More map information
diff --git a/cert.dockerfile b/cert.dockerfile
@@ -0,0 +1,10 @@
+FROM ubuntu:latest
+
+WORKDIR /
+
+RUN apt-get update && apt-get install -y openssl
+
+COPY scripts/generate-certs.sh .
+
+RUN chmod +x generate-certs.sh
+CMD ["./generate-certs.sh"]
diff --git a/configs/nginx.conf b/configs/nginx.conf
@@ -0,0 +1,56 @@
+# HTTP server - redirects to HTTPS
+server {
+    listen 80;
+    server_name localhost;
+    
+    # Redirect all HTTP requests to HTTPS
+    return 301 https://$host$request_uri;
+}
+
+# HTTPS server
+server {
+    listen 443 ssl;
+    server_name localhost;
+    
+    # SSL certificate configuration
+    ssl_certificate /etc/nginx/ssl/certs/certificate.pem;
+    ssl_certificate_key /etc/nginx/ssl/certs/private-key.pem;
+    
+    # SSL protocols and ciphers for improved security
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    
+    # HSTS (HTTP Strict Transport Security)
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+    
+    # Compression settings for better performance
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 10240;
+    gzip_proxied expired no-cache no-store private auth;
+    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml application/javascript;
+    gzip_disable "MSIE [1-6]\.";
+
+    # Caching settings for static assets
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+        root /usr/share/nginx/html;
+        expires 1y;
+        add_header Cache-Control "public, max-age=31536000, immutable";
+        try_files $uri =404;
+    }
+
+    location / {
+        root /usr/share/nginx/html;
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Error pages
+    error_page 404 /index.html;
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+    }
+}
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -0,0 +1,21 @@
+services:
+  cert-generator:
+    build:
+      context: .
+      dockerfile: cert.dockerfile
+    volumes:
+      - certs:/certs
+    
+  web:
+    build:
+      context: .
+      dockerfile: vis.dockerfile
+    volumes:
+      - certs:/etc/nginx/ssl/certs
+    ports:
+      - 443:443
+    depends_on:
+      - cert-generator
+
+volumes:
+  certs:
diff --git a/pm2-running-services.png b/pm2-running-services.png
diff --git a/scripts/generate-certs.sh b/scripts/generate-certs.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+
+# Set variables
+PRIMARY_DOMAIN="ccn-coverage-vis"
+CERT_DIR="/certs"  # Use absolute path
+DAYS_VALID=365
+
+# Add all domains that might be used to access your service
+DOMAINS=(
+  "$PRIMARY_DOMAIN"
+  "localhost"
+  "127.0.0.1"
+)
+
+# Create directory for certificates if it doesn't exist
+mkdir -p $CERT_DIR
+
+echo "Generating self-signed certificates..."
+
+# Generate private key
+openssl genrsa -out $CERT_DIR/private-key.pem 2048
+
+# Create config file for SAN support
+cat > $CERT_DIR/openssl.cnf << EOF
+[req]
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+CN = $PRIMARY_DOMAIN
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+EOF
+
+# Add all domains to the config file
+for i in "${!DOMAINS[@]}"; do
+  echo "DNS.$((i+1)) = ${DOMAINS[$i]}" >> $CERT_DIR/openssl.cnf
+done
+
+# Generate a CSR with the config
+openssl req -new -key $CERT_DIR/private-key.pem -out $CERT_DIR/csr.pem -config $CERT_DIR/openssl.cnf
+
+# Generate the self-signed certificate
+openssl x509 -req -days $DAYS_VALID -in $CERT_DIR/csr.pem -signkey $CERT_DIR/private-key.pem -out $CERT_DIR/certificate.pem -extensions v3_req -extfile $CERT_DIR/openssl.cnf
+
+# Create a full chain file
+cat $CERT_DIR/certificate.pem > $CERT_DIR/fullchain.pem
+
+# Set proper permissions (readable by all)
+chmod 644 $CERT_DIR/private-key.pem
+chmod 644 $CERT_DIR/certificate.pem
+chmod 644 $CERT_DIR/fullchain.pem
+
+# Try to generate PKCS12 file but don't fail if it doesn't work
+openssl pkcs12 -export -out $CERT_DIR/certificate.pfx -inkey $CERT_DIR/private-key.pem -in $CERT_DIR/certificate.pem -passout pass: || echo "PKCS12 export failed, but continuing"
+
+# Verify file creation and permissions
+echo "Certificates generated successfully in $CERT_DIR directory!"
+echo "Files generated with permissions:"
+ls -la $CERT_DIR/
+
+# Verify certificate content
+echo "Verifying certificate:"
+openssl x509 -in $CERT_DIR/certificate.pem -text -noout | head -n 15
+
+# Verify private key
+echo "Verifying private key:"
+openssl rsa -in $CERT_DIR/private-key.pem -check -noout || echo "Private key verification failed"
diff --git a/vis.dockerfile b/vis.dockerfile
@@ -0,0 +1,27 @@
+FROM node:22-slim AS build
+
+WORKDIR /usr/src/app
+
+COPY package*.json ./
+COPY tsconfig.json ./
+COPY scripts/setup.sh ./scripts/
+
+RUN chmod +x ./scripts/setup.sh
+RUN ./scripts/setup.sh
+
+RUN npm ci
+
+COPY . .
+
+RUN npm run build
+
+RUN npm prune --production
+
+FROM nginx:stable
+
+COPY --from=build /usr/src/app/build /usr/share/nginx/html
+COPY configs/nginx.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 443
+
+CMD ["nginx", "-g", "daemon off;"]
