From 558ab44d3f44bc498337d2ab725c7ebfd7bcaf31 Mon Sep 17 00:00:00 2001 
From: Adam Outler Date: Mon, 6 Oct 2025 23:31:20 +0000 Subject: [PATCH] Minimize differences between devcontainer and production --- .devcontainer/Dockerfile | 11 +- .devcontainer/TODO.txt | 1 + .devcontainer/devcontainer.json | 8 +- .../resources/devcontainer-Dockerfile | 9 +- .../services/config/nginx/netalertx.conf | 25 - .../config/nginx/netalertx.conf.template | 118 +++++ .../python/backend-extra-launch-parameters | 1 - .../services/config/php/php-fpm.d/www.conf | 495 ------------------ ...rate-dockerfile.sh => generate-configs.sh} | 34 +- .devcontainer/scripts/restart-backend.sh | 26 - .devcontainer/scripts/setup.sh | 56 +- .devcontainer/scripts/start-nginx.sh | 5 - .devcontainer/scripts/stream-logs.sh | 40 -- .vscode/tasks.json | 32 +- Dockerfile | 2 +- docker-compose.hardened.yaml | 39 ++ docker-compose.unproxied.yaml | 21 + install/production-filesystem/README.md | 2 +- .../{.git-placeholder => .dockerignore} | 0 install/production-filesystem/entrypoint.sh | 10 + .../services/config/nginx/README.md | 9 + .../netalertx.conf} | 23 +- .../services/config/nginx/netalertx.conf | 61 --- .../config/nginx/netalertx.conf.template | 113 ++++ .../services/start-backend.sh | 5 + .../services/start-crond.sh | 12 +- .../services/start-nginx.sh | 40 +- .../services/start-php-fpm.sh | 9 +- 28 files changed, 477 insertions(+), 730 deletions(-) create mode 100644 .devcontainer/TODO.txt delete mode 100755 .devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf create mode 100644 .devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template delete mode 100644 .devcontainer/resources/devcontainer-overlay/services/config/nginx/python/backend-extra-launch-parameters delete mode 100644 .devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/www.conf rename .devcontainer/scripts/{generate-dockerfile.sh => generate-configs.sh} (50%) delete mode 100755 .devcontainer/scripts/restart-backend.sh delete mode 
100755 .devcontainer/scripts/start-nginx.sh delete mode 100755 .devcontainer/scripts/stream-logs.sh create mode 100644 docker-compose.hardened.yaml create mode 100644 docker-compose.unproxied.yaml rename install/production-filesystem/app/log/plugins/{.git-placeholder => .dockerignore} (100%) create mode 100644 install/production-filesystem/services/config/nginx/README.md rename install/production-filesystem/services/config/nginx/{nginx.conf => conf.active/netalertx.conf} (80%) delete mode 100644 install/production-filesystem/services/config/nginx/netalertx.conf create mode 100644 install/production-filesystem/services/config/nginx/netalertx.conf.template diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 482ac79d..42ab0eee 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -73,7 +73,7 @@ ENV PYTHONUNBUFFERED=1 RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iproute2 \ iproute2-ss nmap nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake \ ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 \ - nginx sudo shadow && \ + envsubst nginx sudo shadow && \ rm -Rf /var/cache/apk/* && \ rm -Rf /etc/nginx && \ addgroup -g 20211 netalertx && \ @@ -165,7 +165,7 @@ ENTRYPOINT [ "/bin/sh", "/entrypoint.sh" ] # Devcontainer build stage (do not build directly) # This file is combined with the root /Dockerfile by -# .devcontainer/scripts/generate-dockerfile.sh +# .devcontainer/scripts/generate-configs.sh # The generator appends this stage to produce .devcontainer/Dockerfile. # Prefer to place dev-only setup here; use setup.sh only for runtime fixes. 
@@ -174,10 +174,14 @@ ENV INSTALL_DIR=/app ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages ENV PATH=/services:${PATH} ENV PHP_INI_SCAN_DIR=/services/config/php/conf.d:/etc/php83/conf.d +ENV LISTEN_ADDR=0.0.0.0 +ENV PORT=20211 +ENV NETALERTX_DEBUG=1 COPY .devcontainer/resources/devcontainer-overlay/ / # Install common tools, create user, and set up sudo -RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov +RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov fish shfmt + RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \ cp -a /usr/lib/php83/modules/. /services/php/modules/ # Install debugpy in the virtualenv if present, otherwise into system python3 @@ -189,4 +193,3 @@ RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || python -m pip install -U pytest pytest-cov ENTRYPOINT ["/bin/sh","-c","sleep infinity"] - \ No newline at end of file diff --git a/.devcontainer/TODO.txt b/.devcontainer/TODO.txt new file mode 100644 index 00000000..c66a887e --- /dev/null +++ b/.devcontainer/TODO.txt @@ -0,0 +1 @@ +When in devcontainer mode, need an env that doesn't kill all services when started from /entrypoint diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index e1c275b7..676d21a6 100755 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -23,7 +23,7 @@ // "--network=host", ], // ATTENTION: If running with --network=host, COMMENT `forwardPorts` OR ELSE THERE WILL BE NO WEBUI! - "forwardPorts": [20211, 20212, 9003, 9000, 5678], + "forwardPorts": [20211, 20212, 9003,5678], "portsAttributes": { // the ports we care about "20211": { "label": "Frontend:Nginx+PHP" 
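Review bot: The rewritten `forwardPorts` array drops the space after `9003`, which leaves the list inconsistently formatted; write it as `"forwardPorts": [20211, 20212, 9003, 5678],`. Dropping 9000 is consistent with the generated nginx template in this patch using `fastcgi_pass unix:/services/run/php.sock`, so the only other reference to that port is the `portsAttributes` entry removed in the following hunk.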
@@ -34,9 +34,6 @@ "9003": { "label": "PHP Debug:Xdebug" }, - "9000": { - "label": "PHP-FPM:FastCGI" - }, "5678": { "label": "Python Debug:debugpy" } @@ -64,7 +61,8 @@ "esbenp.prettier-vscode", "eamodio.gitlens", "alexcvzz.vscode-sqlite", - "yzhang.markdown-all-in-one" + "yzhang.markdown-all-in-one", + "mkhl.shfmt" ], "settings": { "terminal.integrated.cwd": "${containerWorkspaceFolder}", diff --git a/.devcontainer/resources/devcontainer-Dockerfile b/.devcontainer/resources/devcontainer-Dockerfile index 9aa88fc8..3bb285ce 100755 --- a/.devcontainer/resources/devcontainer-Dockerfile +++ b/.devcontainer/resources/devcontainer-Dockerfile @@ -1,6 +1,6 @@ # Devcontainer build stage (do not build directly) # This file is combined with the root /Dockerfile by -# .devcontainer/scripts/generate-dockerfile.sh +# .devcontainer/scripts/generate-configs.sh # The generator appends this stage to produce .devcontainer/Dockerfile. # Prefer to place dev-only setup here; use setup.sh only for runtime fixes. @@ -9,10 +9,14 @@ ENV INSTALL_DIR=/app ENV PYTHONPATH=/workspaces/NetAlertX/test:/workspaces/NetAlertX/server:/app:/app/server:/opt/venv/lib/python3.12/site-packages ENV PATH=/services:${PATH} ENV PHP_INI_SCAN_DIR=/services/config/php/conf.d:/etc/php83/conf.d +ENV LISTEN_ADDR=0.0.0.0 +ENV PORT=20211 +ENV NETALERTX_DEBUG=1 COPY .devcontainer/resources/devcontainer-overlay/ / # Install common tools, create user, and set up sudo -RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov +RUN apk add --no-cache git nano vim jq php83-pecl-xdebug py3-pip nodejs sudo gpgconf pytest pytest-cov fish shfmt + RUN install -d -o netalertx -g netalertx -m 755 /services/php/modules && \ cp -a /usr/lib/php83/modules/. /services/php/modules/ # Install debugpy in the virtualenv if present, otherwise into system python3 
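Review bot: `ENV LISTEN_ADDR=0.0.0.0` and `ENV PORT=20211` are added to the devcontainer stage without a comment saying what consumes them, and the devcontainer nginx template produced by generate-configs.sh already has the literal `0.0.0.0:20211` substituted in, so inside the devcontainer these two variables presumably have no effect on the nginx listener. Add a comment above them such as `# Mirrors the production entrypoint defaults; the devcontainer nginx template has these values baked in by generate-configs.sh` so a reader does not expect changing them to move the port. `ENV NETALERTX_DEBUG=1` likewise needs a one-line comment naming what it switches on, since nothing in the visible part of this patch reads it. The same lines appear in the generated .devcontainer/Dockerfile hunk at -174,10; that file is regenerated from this one, so the comments belong here only.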
@@ -24,4 +28,3 @@ RUN /bin/sh -c '(/opt/venv/bin/python3 -m pip install --no-cache-dir debugpy) || python -m pip install -U pytest pytest-cov ENTRYPOINT ["/bin/sh","-c","sleep infinity"] - \ No newline at end of file diff --git a/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf b/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf deleted file mode 100755 index fb522d14..00000000 --- a/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf +++ /dev/null @@ -1,25 +0,0 @@ -log_format netalertx '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; -access_log /app/log/nginx-access.log netalertx buffer=100k flush=1s; -error_log /app/log/nginx-error.log warn; - -server { - listen 20211 default_server; - root /app/front; - index index.php; - - add_header X-Forwarded-Prefix "/netalertx" always; - - location ~* \.php$ { - add_header Cache-Control "no-store"; - fastcgi_pass 0.0.0.0:9000; - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_param PHP_VALUE "xdebug.remote_enable=1"; - fastcgi_connect_timeout 75; - fastcgi_send_timeout 600; - fastcgi_read_timeout 600; - } -} diff --git a/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template b/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template new file mode 100644 index 00000000..1b1a5a15 --- /dev/null +++ b/.devcontainer/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template 
@@ -0,0 +1,118 @@ +# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh +# Generated from: install/production-filesystem/services/config/nginx/netalertx.conf.template + +# Set number of worker processes automatically based on number of CPU cores. +worker_processes auto; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +error_log /app/log/nginx-error.log warn; + +events { + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; +} + +http { + + # Mapping of temp paths for various nginx modules. + client_body_temp_path /services/run/tmp/client_body; + proxy_temp_path /services/run/tmp/proxy; + fastcgi_temp_path /services/run/tmp/fastcgi; + uwsgi_temp_path /services/run/tmp/uwsgi; + scgi_temp_path /services/run/tmp/scgi; + + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /services/config/nginx/mime.types; + default_type application/octet-stream; + + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; + + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; + + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. Default is '1m'. + client_max_body_size 1m; + + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. 
+ sendfile on; + + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; + + + # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2. + # TIP: If you're not obligated to support ancient clients, remove TLSv1.1. + ssl_protocols TLSv1.2 TLSv1.3; + + # Path of the file with Diffie-Hellman parameters for EDH ciphers. + # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048` + #ssl_dhparam /etc/ssl/nginx/dh2048.pem; + + # Specifies that our cipher suits should be preferred over client ciphers. + # Default is 'off'. + ssl_prefer_server_ciphers on; + + # Enables a shared SSL cache with size that can hold around 8000 sessions. + # Default is 'none'. + ssl_session_cache shared:SSL:2m; + + # Specifies a time during which a client may reuse the session parameters. + # Default is '5m'. + ssl_session_timeout 1h; + + # Disable TLS session tickets (they are insecure). Default is 'on'. + ssl_session_tickets off; + + + # Enable gzipping of responses. + #gzip on; + + # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. + gzip_vary on; + + + # Specifies the main log format. + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # Sets the path, format, and configuration for a buffered log write. 
+ access_log /app/log/nginx-access.log main; + + + # Virtual host config + server { + listen 0.0.0.0:20211 default_server; + large_client_header_buffers 4 16k; + root /app/front; + index index.php; + add_header X-Forwarded-Prefix "/app" always; + proxy_set_header X-Forwarded-Prefix "/app"; + + location ~* \.php$ { + # Set Cache-Control header to prevent caching on the first load + add_header Cache-Control "no-store"; + fastcgi_pass unix:/services/run/php.sock; + include /services/config/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + + fastcgi_param PHP_VALUE "xdebug.remote_enable=1"; + fastcgi_connect_timeout 75; + fastcgi_send_timeout 600; + fastcgi_read_timeout 600; + } + } +} diff --git a/.devcontainer/resources/devcontainer-overlay/services/config/nginx/python/backend-extra-launch-parameters b/.devcontainer/resources/devcontainer-overlay/services/config/nginx/python/backend-extra-launch-parameters deleted file mode 100644 index 06cac053..00000000 --- a/.devcontainer/resources/devcontainer-overlay/services/config/nginx/python/backend-extra-launch-parameters +++ /dev/null @@ -1 +0,0 @@ --m debugpy --listen 0.0.0.0:5678 \ No newline at end of file diff --git a/.devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/www.conf b/.devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/www.conf deleted file mode 100644 index 8dd84845..00000000 --- a/.devcontainer/resources/devcontainer-overlay/services/config/php/php-fpm.d/www.conf +++ /dev/null 
@@ -1,495 +0,0 @@ -; NetAlertX php-fpm www.conf -; -; Commented out user/group -; No further changes - -; Start a new pool named 'www'. -; the variable $pool can be used in any directive and will be replaced by the -; pool name ('www' here) -[www] - -; Per pool prefix -; It only applies on the following directives: -; - 'access.log' -; - 'slowlog' -; - 'listen' (unixsocket) -; - 'chroot' -; - 'chdir' -; - 'php_values' -; - 'php_admin_values' -; When not set, the global prefix (or /usr) applies instead. -; Note: This directive can also be relative to the global prefix. -; Default Value: none -;prefix = /path/to/pools/$pool - -; Unix user/group of the child processes. This can be used only if the master -; process running user is root. It is set after the child process is created. -; The user and group can be specified either by their name or by their numeric -; IDs. -; Note: If the user is root, the executable needs to be started with -; --allow-to-run-as-root option to work. -; Default Values: The user is set to master process running user by default. -; If the group is not set, the user's group is used. -; user = nobody -; group = nobody - -; The address on which to accept FastCGI requests. -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on -; a specific port; -; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses -; (IPv6 and IPv4-mapped) on a specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Note: This value is mandatory. -listen = 0.0.0.0:9000 - -; Set listen(2) backlog. -; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD) -;listen.backlog = 511 - -; Set permissions for unix socket, if one is used. In Linux, read/write -; permissions must be set in order to allow connections from a web server. Many -; BSD-derived systems allow connections regardless of permissions. 
The owner -; and group can be specified either by name or by their numeric IDs. -; Default Values: Owner is set to the master process running user. If the group -; is not set, the owner's group is used. Mode is set to 0660. -;listen.owner = nobody -;listen.group = nobody -;listen.mode = 0660 - -; When POSIX Access Control Lists are supported you can set them using -; these options, value is a comma separated list of user/group names. -; When set, listen.owner and listen.group are ignored -;listen.acl_users = -;listen.acl_groups = - -; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. -; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address -; must be separated by a comma. If this value is left blank, connections will be -; accepted from any ip address. -; Default Value: any -;listen.allowed_clients = 127.0.0.1 - -; Set the associated the route table (FIB). FreeBSD only -; Default Value: -1 -;listen.setfib = 1 - -; Specify the nice(2) priority to apply to the pool processes (only if set) -; The value can vary from -19 (highest priority) to 20 (lower priority) -; Note: - It will only work if the FPM master process is launched as root -; - The pool processes will inherit the master process priority -; unless it specified otherwise -; Default Value: no set -; process.priority = -19 - -; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or -; PROC_TRACE_CTL procctl for FreeBSD) even if the process user -; or group is different than the master process user. It allows to create process -; core dump and ptrace the process for the pool user. -; Default Value: no -; process.dumpable = yes - -; Choose how the process manager will control the number of child processes. 
-; Possible Values: -; static - a fixed number (pm.max_children) of child processes; -; dynamic - the number of child processes are set dynamically based on the -; following directives. With this process management, there will be -; always at least 1 children. -; pm.max_children - the maximum number of children that can -; be alive at the same time. -; pm.start_servers - the number of children created on startup. -; pm.min_spare_servers - the minimum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is less than this -; number then some children will be created. -; pm.max_spare_servers - the maximum number of children in 'idle' -; state (waiting to process). If the number -; of 'idle' processes is greater than this -; number then some children will be killed. -; pm.max_spawn_rate - the maximum number of rate to spawn child -; processes at once. -; ondemand - no children are created at startup. Children will be forked when -; new requests will connect. The following parameter are used: -; pm.max_children - the maximum number of children that -; can be alive at the same time. -; pm.process_idle_timeout - The number of seconds after which -; an idle process will be killed. -; Note: This value is mandatory. -pm = dynamic - -; The number of child processes to be created when pm is set to 'static' and the -; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'. -; This value sets the limit on the number of simultaneous requests that will be -; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. -; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP -; CGI. The below defaults are based on a server without much resources. Don't -; forget to tweak pm.* to fit your needs. -; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand' -; Note: This value is mandatory. -pm.max_children = 10 - -; The number of child processes created on startup. 
-; Note: Used only when pm is set to 'dynamic' -; Default Value: (min_spare_servers + max_spare_servers) / 2 -pm.start_servers = 2 - -; The desired minimum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.min_spare_servers = 1 - -; The desired maximum number of idle server processes. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -pm.max_spare_servers = 3 - -; The number of rate to spawn child processes at once. -; Note: Used only when pm is set to 'dynamic' -; Note: Mandatory when pm is set to 'dynamic' -; Default Value: 32 -;pm.max_spawn_rate = 32 - -; The number of seconds after which an idle process will be killed. -; Note: Used only when pm is set to 'ondemand' -; Default Value: 10s -;pm.process_idle_timeout = 10s; - -; The number of requests each child process should execute before respawning. -; This can be useful to work around memory leaks in 3rd party libraries. For -; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. -; Default Value: 0 -;pm.max_requests = 500 - -; The URI to view the FPM status page. If this value is not set, no URI will be -; recognized as a status page. 
It shows the following information: -; pool - the name of the pool; -; process manager - static, dynamic or ondemand; -; start time - the date and time FPM has started; -; start since - number of seconds since FPM has started; -; accepted conn - the number of request accepted by the pool; -; listen queue - the number of request in the queue of pending -; connections (see backlog in listen(2)); -; max listen queue - the maximum number of requests in the queue -; of pending connections since FPM has started; -; listen queue len - the size of the socket queue of pending connections; -; idle processes - the number of idle processes; -; active processes - the number of active processes; -; total processes - the number of idle + active processes; -; max active processes - the maximum number of active processes since FPM -; has started; -; max children reached - number of times, the process limit has been reached, -; when pm tries to start more children (works only for -; pm 'dynamic' and 'ondemand'); -; Value are updated in real time. -; Example output: -; pool: www -; process manager: static -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 62636 -; accepted conn: 190460 -; listen queue: 0 -; max listen queue: 1 -; listen queue len: 42 -; idle processes: 4 -; active processes: 11 -; total processes: 15 -; max active processes: 12 -; max children reached: 0 -; -; By default the status page output is formatted as text/plain. Passing either -; 'html', 'xml' or 'json' in the query string will return the corresponding -; output syntax. Example: -; http://www.foo.bar/status -; http://www.foo.bar/status?json -; http://www.foo.bar/status?html -; http://www.foo.bar/status?xml -; -; By default the status page only outputs short status. Passing 'full' in the -; query string will also return status for each pool process. 
-; Example: -; http://www.foo.bar/status?full -; http://www.foo.bar/status?json&full -; http://www.foo.bar/status?html&full -; http://www.foo.bar/status?xml&full -; The Full status returns for each process: -; pid - the PID of the process; -; state - the state of the process (Idle, Running, ...); -; start time - the date and time the process has started; -; start since - the number of seconds since the process has started; -; requests - the number of requests the process has served; -; request duration - the duration in µs of the requests; -; request method - the request method (GET, POST, ...); -; request URI - the request URI with the query string; -; content length - the content length of the request (only with POST); -; user - the user (PHP_AUTH_USER) (or '-' if not set); -; script - the main script called (or '-' if not set); -; last request cpu - the %cpu the last request consumed -; it's always 0 if the process is not in Idle state -; because CPU calculation is done when the request -; processing has terminated; -; last request memory - the max amount of memory the last request consumed -; it's always 0 if the process is not in Idle state -; because memory calculation is done when the request -; processing has terminated; -; If the process is in Idle state, then informations are related to the -; last request the process has served. Otherwise informations are related to -; the current request being served. 
-; Example output: -; ************************ -; pid: 31330 -; state: Running -; start time: 01/Jul/2011:17:53:49 +0200 -; start since: 63087 -; requests: 12808 -; request duration: 1250261 -; request method: GET -; request URI: /test_mem.php?N=10000 -; content length: 0 -; user: - -; script: /home/fat/web/docs/php/test_mem.php -; last request cpu: 0.00 -; last request memory: 0 -; -; Note: There is a real-time FPM status monitoring sample web page available -; It's available in: /usr/share/php83/fpm/status.html -; -; Note: The value must start with a leading slash (/). The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;pm.status_path = /status - -; The address on which to accept FastCGI status request. This creates a new -; invisible pool that can handle requests independently. This is useful -; if the main pool is busy with long running requests because it is still possible -; to get the status before finishing the long running requests. -; -; Valid syntaxes are: -; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on -; a specific port; -; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on -; a specific port; -; 'port' - to listen on a TCP socket to all addresses -; (IPv6 and IPv4-mapped) on a specific port; -; '/path/to/unix/socket' - to listen on a unix socket. -; Default Value: value of the listen option -;pm.status_listen = 127.0.0.1:9001 - -; The ping URI to call the monitoring page of FPM. If this value is not set, no -; URI will be recognized as a ping page. This could be used to test from outside -; that FPM is alive and responding, or to -; - create a graph of FPM availability (rrd or such); -; - remove a server from a group if it is not responding (load balancing); -; - trigger alerts for the operating team (24/7). -; Note: The value must start with a leading slash (/). 
The value can be -; anything, but it may not be a good idea to use the .php extension or it -; may conflict with a real PHP file. -; Default Value: not set -;ping.path = /ping - -; This directive may be used to customize the response of a ping request. The -; response is formatted as text/plain with a 200 response code. -; Default Value: pong -;ping.response = pong - -; The access log file -; Default: not set -;access.log = log/php83/$pool.access.log - -; The access log format. -; The following syntax is allowed -; %%: the '%' character -; %C: %CPU used by the request -; it can accept the following format: -; - %{user}C for user CPU only -; - %{system}C for system CPU only -; - %{total}C for user + system CPU (default) -; %d: time taken to serve the request -; it can accept the following format: -; - %{seconds}d (default) -; - %{milliseconds}d -; - %{milli}d -; - %{microseconds}d -; - %{micro}d -; %e: an environment variable (same as $_ENV or $_SERVER) -; it must be associated with embraces to specify the name of the env -; variable. Some examples: -; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e -; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e -; %f: script filename -; %l: content-length of the request (for POST request only) -; %m: request method -; %M: peak of memory allocated by PHP -; it can accept the following format: -; - %{bytes}M (default) -; - %{kilobytes}M -; - %{kilo}M -; - %{megabytes}M -; - %{mega}M -; %n: pool name -; %o: output header -; it must be associated with embraces to specify the name of the header: -; - %{Content-Type}o -; - %{X-Powered-By}o -; - %{Transfert-Encoding}o -; - .... -; %p: PID of the child that serviced the request -; %P: PID of the parent of the child that serviced the request -; %q: the query string -; %Q: the '?' 
character if query string exists -; %r: the request URI (without the query string, see %q and %Q) -; %R: remote IP address -; %s: status (response code) -; %t: server time the request was received -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsulated in a %{}t tag -; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t -; %T: time the log has been written (the request has finished) -; it can accept a strftime(3) format: -; %d/%b/%Y:%H:%M:%S %z (default) -; The strftime(3) format must be encapsulated in a %{}t tag -; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t -; %u: remote user -; -; Default: "%R - %u %t \"%m %r\" %s" -;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%" - -; A list of request_uri values which should be filtered from the access log. -; -; As a security precuation, this setting will be ignored if: -; - the request method is not GET or HEAD; or -; - there is a request body; or -; - there are query parameters; or -; - the response code is outwith the successful range of 200 to 299 -; -; Note: The paths are matched against the output of the access.format tag "%r". -; On common configurations, this may look more like SCRIPT_NAME than the -; expected pre-rewrite URI. -; -; Default Value: not set -;access.suppress_path[] = /ping -;access.suppress_path[] = /health_check.php - -; The log file for slow requests -; Default Value: not set -; Note: slowlog is mandatory if request_slowlog_timeout is set -;slowlog = log/php83/$pool.slow.log - -; The timeout for serving a single request after which a PHP backtrace will be -; dumped to the 'slowlog' file. A value of '0s' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_slowlog_timeout = 0 - -; Depth of slow log stack trace. 
-; Default Value: 20 -;request_slowlog_trace_depth = 20 - -; The timeout for serving a single request after which the worker process will -; be killed. This option should be used when the 'max_execution_time' ini option -; does not stop script execution for some reason. A value of '0' means 'off'. -; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) -; Default Value: 0 -;request_terminate_timeout = 0 - -; The timeout set by 'request_terminate_timeout' ini option is not engaged after -; application calls 'fastcgi_finish_request' or when application has finished and -; shutdown functions are being called (registered via register_shutdown_function). -; This option will enable timeout limit to be applied unconditionally -; even in such cases. -; Default Value: no -;request_terminate_timeout_track_finished = no - -; Set open file descriptor rlimit. -; Default Value: system defined value -;rlimit_files = 1024 - -; Set max core size rlimit. -; Possible Values: 'unlimited' or an integer greater or equal to 0 -; Default Value: system defined value -;rlimit_core = 0 - -; Chroot to this directory at the start. This value must be defined as an -; absolute path. When this value is not set, chroot is not used. -; Note: you can prefix with '$prefix' to chroot to the pool prefix or one -; of its subdirectories. If the pool prefix is not set, the global prefix -; will be used instead. -; Note: chrooting is a great security feature and should be used whenever -; possible. However, all PHP paths will be relative to the chroot -; (error_log, sessions.save_path, ...). -; Default Value: not set -;chroot = - -; Chdir to this directory at the start. -; Note: relative path can be used. -; Default Value: current directory or / when chroot -;chdir = /var/www - -; Redirect worker stdout and stderr into main error log. If not set, stdout and -; stderr will be redirected to /dev/null according to FastCGI specs. 
-; Note: on highloaded environment, this can cause some delay in the page -; process time (several ms). -; Default Value: no -;catch_workers_output = yes - -; Decorate worker output with prefix and suffix containing information about -; the child that writes to the log and if stdout or stderr is used as well as -; log level and time. This options is used only if catch_workers_output is yes. -; Settings to "no" will output data as written to the stdout or stderr. -; Default value: yes -;decorate_workers_output = no - -; Clear environment in FPM workers -; Prevents arbitrary environment variables from reaching FPM worker processes -; by clearing the environment in workers before env vars specified in this -; pool configuration are added. -; Setting to "no" will make all environment variables available to PHP code -; via getenv(), $_ENV and $_SERVER. -; Default Value: yes -;clear_env = no - -; Limits the extensions of the main script FPM will allow to parse. This can -; prevent configuration mistakes on the web server side. You should only limit -; FPM to .php extensions to prevent malicious users to use other extensions to -; execute php code. -; Note: set an empty value to allow all extensions. -; Default Value: .php -;security.limit_extensions = .php .php3 .php4 .php5 .php7 - -; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from -; the current environment. -; Default Value: clean env -;env[HOSTNAME] = $HOSTNAME -;env[PATH] = /usr/local/bin:/usr/bin:/bin -;env[TMP] = /tmp -;env[TMPDIR] = /tmp -;env[TEMP] = /tmp - -; Additional php.ini defines, specific to this pool of workers. These settings -; overwrite the values previously defined in the php.ini. The directives are the -; same as the PHP SAPI: -; php_value/php_flag - you can set classic ini defines which can -; be overwritten from PHP call 'ini_set'. 
-; php_admin_value/php_admin_flag - these directives won't be overwritten by -; PHP call 'ini_set' -; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. - -; Defining 'extension' will load the corresponding shared extension from -; extension_dir. Defining 'disable_functions' or 'disable_classes' will not -; overwrite previously defined php.ini values, but will append the new value -; instead. - -; Note: path INI options can be relative and will be expanded with the prefix -; (pool, global or /usr) - -; Default Value: nothing is defined by default except the values in php.ini and -; specified at startup with the -d argument -;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com -;php_flag[display_errors] = off -;php_admin_value[error_log] = /var/log/php83/$pool.error.log -;php_admin_flag[log_errors] = on -;php_admin_value[memory_limit] = 32M diff --git a/.devcontainer/scripts/generate-dockerfile.sh b/.devcontainer/scripts/generate-configs.sh similarity index 50% rename from .devcontainer/scripts/generate-dockerfile.sh rename to .devcontainer/scripts/generate-configs.sh index c4f24652..519ccd0c 100755 --- a/.devcontainer/scripts/generate-dockerfile.sh +++ b/.devcontainer/scripts/generate-configs.sh @@ -10,13 +10,15 @@ # but remove the COPY . ${INSTALL_DIR}/ command from it. This avoids # overwriting /app (which uses symlinks to the workspace) and preserves # debugging capabilities inside the devcontainer. - +echo "Generating .devcontainer/Dockerfile" SCRIPT_DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)" DEVCONTAINER_DIR="${SCRIPT_DIR%/scripts}" ROOT_DIR="${DEVCONTAINER_DIR%/.devcontainer}" OUT_FILE="${DEVCONTAINER_DIR}/Dockerfile" +echo "Adding base Dockerfile from $ROOT_DIR..." + echo "# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-dockerfile.sh" > "$OUT_FILE" echo "" >> "$OUT_FILE" echo "# ---/Dockerfile---" >> "$OUT_FILE" 
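Review bot: The header line written to `$OUT_FILE` still says `IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-dockerfile.sh`, but this script is now generate-configs.sh (the Dockerfile comments elsewhere in the patch were updated to the new name), so the generated file will point readers at a script that no longer exists; change it to `echo "# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh" > "$OUT_FILE"`. The new progress messages `echo "Generating .devcontainer/Dockerfile"` and `echo "Adding base Dockerfile from $ROOT_DIR..."` go to stdout while the existing `Generated $OUT_FILE` message goes to stderr; send them all to stderr with `>&2` so stdout stays clean for any caller that captures it. The script's head, including any `set -e`, is outside this hunk.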
@@ -27,6 +29,36 @@ echo "" >> "$OUT_FILE"
 echo "# ---/resources/devcontainer-Dockerfile---" >> "$OUT_FILE"
 echo "" >> "$OUT_FILE"
+echo "Adding devcontainer-Dockerfile from $DEVCONTAINER_DIR/resources..."
 cat "${DEVCONTAINER_DIR}/resources/devcontainer-Dockerfile" >> "$OUT_FILE"
 echo "Generated $OUT_FILE using root dir $ROOT_DIR" >&2
+
+# Generate devcontainer nginx config from production template
+echo "Generating devcontainer nginx config"
+NGINX_TEMPLATE="${ROOT_DIR}/install/production-filesystem/services/config/nginx/netalertx.conf.template"
+NGINX_OUT="${DEVCONTAINER_DIR}/resources/devcontainer-overlay/services/config/nginx/netalertx.conf.template"
+
+# Create output directory if it doesn't exist
+mkdir -p "$(dirname "$NGINX_OUT")"
+
+# Start with header comment
+cat > "$NGINX_OUT" << 'EOF'
+# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-configs.sh
+# Generated from: install/production-filesystem/services/config/nginx/netalertx.conf.template
+
+EOF
+
+# Process the template: replace listen directive and inject Xdebug params
+sed 's/${LISTEN_ADDR}:${PORT}/0.0.0.0:20211/g' "$NGINX_TEMPLATE" | \
+awk '
+/fastcgi_param SCRIPT_NAME \$fastcgi_script_name;/ {
+ print $0
+ print ""
+ print " fastcgi_param PHP_VALUE \"xdebug.remote_enable=1\";"
+ next
+}
+{ print }
+' >> "$NGINX_OUT"
+
+echo "Generated $NGINX_OUT from $NGINX_TEMPLATE" >&2
diff --git a/.devcontainer/scripts/restart-backend.sh b/.devcontainer/scripts/restart-backend.sh
deleted file mode 100755
index efd4bab4..00000000
--- a/.devcontainer/scripts/restart-backend.sh
+++ /dev/null
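Review bot: The value injected by the awk block, `xdebug.remote_enable=1`, is an Xdebug 2 setting; Xdebug 3 dropped it in favour of `xdebug.mode`, so unless the devcontainer image is pinned to Xdebug 2 (not visible in this diff) the injected `fastcgi_param PHP_VALUE "xdebug.mode=debug";` form is what actually takes effect. The `sed ... | awk ...` pipeline's status is never checked and the script has no `set -e`, so a missing or unreadable template leaves a header-only output file while the closing `echo "Generated ..."` still reports success; add `set -euo pipefail` at the top or test the pipeline explicitly. The output is also still named `netalertx.conf.template` although the sed pass has already replaced `${LISTEN_ADDR}:${PORT}` with `0.0.0.0:20211`, so it is no longer a template for envsubst and the name misleads.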
@@ -1,26 +0,0 @@
-#!/bin/sh
-# Start (or restart) the NetAlertX Python backend under debugpy in background.
-# This script is invoked by the VS Code task "Restart GraphQL".
-# It exists to avoid complex inline command chains that were being mangled by the task runner.
-
-set -e
-
-LOG_DIR=/app/log
-APP_DIR=/app/server
-PY=python3
-PORT_DEBUG=5678
-
-# Kill any prior debug/run instances
-sudo killall python3 2>/dev/null || true
-sleep 2
-
-echo ''|tee $LOG_DIR/stdout.log $LOG_DIR/stderr.log $LOG_DIR/app.log
-
-cd "$APP_DIR"
-
-# Launch using absolute module path for clarity; rely on cwd for local imports
-setsid nohup "${PY}" -m debugpy --listen "0.0.0.0:${PORT_DEBUG}" /app/server/__main__.py \
- 1>>"$LOG_DIR/stdout.log" \
- 2>>"$LOG_DIR/stderr.log" &
-PID=$!
-sleep 2
diff --git a/.devcontainer/scripts/setup.sh b/.devcontainer/scripts/setup.sh
index b7eccb61..d229fb3f 100755
--- a/.devcontainer/scripts/setup.sh
+++ b/.devcontainer/scripts/setup.sh
@@ -60,20 +60,20 @@ isRamDisk() {
 # Setup source directory
 configure_source() {
 echo "[1/4] Configuring System..."
- echo " -> Setting up /services permissions"
+ echo " -> Setting up /services permissions"
 sudo chown -R netalertx /services
 echo "[2/4] Configuring Source..."
- echo " -> Cleaning up previous instances"
+ echo " -> Cleaning up previous instances"
 test -e ${NETALERTX_LOG} && sudo umount "${NETALERTX_LOG}" 2>/dev/null || true
 test -e ${NETALERTX_API} && sudo umount "${NETALERTX_API}" 2>/dev/null || true
 test -e ${NETALERTX_APP} && sudo rm -Rf ${NETALERTX_APP}/
- echo " -> Linking source to ${NETALERTX_APP}"
+ echo " -> Linking source to ${NETALERTX_APP}"
 sudo ln -s ${SOURCE_DIR}/ ${NETALERTX_APP}
- echo " -> Mounting ramdisks for /log and /api"
+ echo " -> Mounting ramdisks for /log and /api"
 mkdir -p ${NETALERTX_LOG} ${NETALERTX_API}
 sudo mount -o uid=$(id -u netalertx),gid=$(id -g netalertx),mode=775 -t tmpfs -o size=256M tmpfs "${NETALERTX_LOG}"
 sudo mount -o uid=$(id -u netalertx),gid=$(id -g netalertx),mode=775 -t tmpfs -o size=256M tmpfs "${NETALERTX_API}"
@@ -82,19 +82,27 @@ configure_source() {
 # tmpfs mounts configured with netalertx ownership and 775 permissions above
 touch /app/log/nginx_error.log
- echo " -> Empty log"|tee ${INSTALL_DIR}/log/app.log \
+ echo " -> Empty log"|tee ${INSTALL_DIR}/log/app.log \
 ${INSTALL_DIR}/log/app_front.log \
 ${INSTALL_DIR}/log/stdout.log
 touch ${INSTALL_DIR}/log/stderr.log \
 ${INSTALL_DIR}/log/execution_queue.log
 echo 0>${INSTALL_DIR}/log/db_is_locked.log
+ for f in ${INSTALL_DIR}/log/*.log; do
+ sudo chown netalertx:www-data $f
+ sudo chmod 664 $f
+ echo "" > $f
+ done
+
 mkdir -p /app/log/plugins
 sudo chown -R netalertx:www-data ${INSTALL_DIR}
-
- killall python &>/dev/null
- sleep 1
+ while `ps ax | grep -v grep | grep python3 > /dev/null`; do
+ killall python3 &>/dev/null
+ sleep 0.2
+ done
+
 }
 # configure_php: configure PHP-FPM and enable dev debug options
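Review bot: The kill loop `while \`ps ax | grep -v grep | grep python3 > /dev/null\`; do` runs the (empty) output of a command substitution as the loop condition and only works because bash then falls back to the substitution's exit status (ShellCheck SC2091), and it has no upper bound: if a python3 process survives `killall` (owned by another user, or ignoring SIGTERM) setup hangs here forever with no message. It also kills every python3 process in the container by name, not just the backend, which in a devcontainer can include tooling the developer is running. Prefer `while pgrep -x python3 >/dev/null; do` with a retry counter and a diagnostic when the limit is hit, or target the backend's own command line with `pkill -f`; the same pattern is added to start-backend.sh, start-crond.sh, start-nginx.sh and start-php-fpm.sh in the hunks below. configure_source begins before this hunk.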
@@ -106,34 +114,24 @@ configure_php() {
 # start_services: start crond, PHP-FPM, nginx and the application
 start_services() {
- echo "[4/4] Starting services..."
+ echo "[4/4] Starting services"
- echo " -> Starting CronD (${SYSTEM_SERVICES_CROND}...)"
- setsid nohup /services/start-crond.sh &>/dev/null &
-
- echo " -> Starting PHP-FPM (${SYSTEM_SERVICES_PHP_FOLDER}...)"
- setsid nohup /services/start-php-fpm.sh &>/dev/null &
-
- # Wait for the previous nginx processes to exit and for the port to free up
- tries=0
- while ss -ltn | grep -q ":${PORT}[[:space:]]" && [ $tries -lt 10 ]; do
- echo " -> Waiting for port ${PORT} to free..."
- sleep 0.2
- tries=$((tries+1))
- done
+ chmod +x /entrypoint.sh
+ setsid bash /entrypoint.sh&
 sleep 1
- echo " -> Starting Nginx (${NETALERTX_FRONT}...)"
- setsid nohup /services/start-nginx.sh &>/dev/null &
- echo " -> Starting Backend (${NETALERTX_SERVER}...)"
- setsid nohup /services/start-backend.sh >/dev/null 2>&1 &
- sleep 2
 }
-
-echo "$(git rev-parse --short=8 HEAD)">/app/.VERSION
+sudo chmod 755 /app/
+echo "Development $(git rev-parse --short=8 HEAD)"| sudo tee /app/.VERSION
 # Run the main function
 main
+# create a services readme file
+echo "This folder is auto-generated by the container and devcontainer setup.sh script." > /services/README.md
+echo "Any changes here will be lost on rebuild. To make permanent changes, edit files in .devcontainer or production filesystem and rebuild the container." >> /services/README.md
+echo "Only make temporary/test changes in this folder, then perform a rebuild to reset." >> /services/README.md
+
+
diff --git a/.devcontainer/scripts/start-nginx.sh b/.devcontainer/scripts/start-nginx.sh
deleted file mode 100755
index b8395c70..00000000
--- a/.devcontainer/scripts/start-nginx.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-
-#Logging handled in nginx.conf
-nginx -c "/services/nginx/nginx.conf" -g "daemon off;" 2>&1 >/dev/null
\ No newline at end of file
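Review bot: `setsid bash /entrypoint.sh&` detaches the whole service stack without recording `$!` or redirecting its output, so a failing entrypoint is neither detected by setup.sh nor captured in any log, and the `sleep 1` that follows no longer waits for anything specific. The removed port-wait loop is not replaced, so the first requests after setup may race nginx's startup inside entrypoint.sh. `echo "Development $(git rev-parse --short=8 HEAD)"| sudo tee /app/.VERSION` ignores git failure and writes just `Development ` when HEAD cannot be resolved; resolve it first with `rev=$(git rev-parse --short=8 HEAD 2>/dev/null || echo unknown)` and write `Development ${rev}`.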
diff --git a/.devcontainer/scripts/stream-logs.sh b/.devcontainer/scripts/stream-logs.sh
deleted file mode 100755
index f9864b29..00000000
--- a/.devcontainer/scripts/stream-logs.sh
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-# Stream NetAlertX logs to stdout so the Dev Containers output channel shows them.
-# This script waits briefly for the files to appear and then tails them with -F.
-
-LOG_FILES="/app/log/app.log /app/log/db_is_locked.log /app/log/execution_queue.log /app/log/app_front.log /app/log/app.php_errors.log /app/log/IP_changes.log /app/stderr.log /app/stdout.log"
-
-wait_for_files() {
- # Wait up to ~10s for at least one of the files to exist
- attempts=0
- while [ $attempts -lt 20 ]; do
- for f in $LOG_FILES; do
- if [ -f "$f" ]; then
- return 0
- fi
- done
- attempts=$((attempts+1))
- sleep 0.5
- done
- return 1
-}
-
-if wait_for_files; then
- echo "Starting log stream for:"
- for f in $LOG_FILES; do
- [ -f "$f" ] && echo " $f"
- done
-
- # Use tail -F where available. If tail -F isn't supported, tail -f is used as fallback.
- # Some minimal images may have busybox tail without -F; this handles both.
- if tail --version >/dev/null 2>&1; then
- # GNU tail supports -F
- tail -n +1 -F $LOG_FILES
- else
- # Fallback to -f for busybox; will exit if files rotate or do not exist initially
- tail -n +1 -f $LOG_FILES
- fi
-else
- echo "No log files appeared after wait; exiting stream script."
- exit 0
-fi
diff --git a/.vscode/tasks.json b/.vscode/tasks.json
index e226c9ba..cd4afe1c 100755
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -2,9 +2,9 @@
 "version": "2.0.0",
 "tasks": [
 {
- "label": "[Any POSIX] Generate Dockerfile",
+ "label": "[Any POSIX] Generate Devcontiner Configs",
 "type": "shell",
- "command": "${workspaceFolder:NetAlertX}/.devcontainer/scripts/generate-dockerfile.sh",
+ "command": ".devcontainer/scripts/generate-configs.sh",
 "presentation": {
 "echo": true,
 "reveal": "always",
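Review bot: `"command": ".devcontainer/scripts/generate-configs.sh"` is now a relative path while this task's `options.cwd` is removed in the following hunk, so it relies on VS Code's default cwd being this folder; in a multi-root workspace, which the previous `${workspaceFolder:NetAlertX}` form suggests, that is not guaranteed, so `"command": "${workspaceFolder:NetAlertX}/.devcontainer/scripts/generate-configs.sh"` or an explicit cwd is safer. The new label also misspells the word: `"label": "[Any POSIX] Generate Devcontainer Configs",`.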
@@ -16,9 +16,6 @@
 "kind": "build",
 "isDefault": false
 },
- "options": {
- "cwd": "${workspaceFolder:NetAlertX}"
- },
 "icon": {
 "id": "tools",
 "color": "terminal.ansiYellow"
@@ -39,9 +36,6 @@
 "kind": "build",
 "isDefault": false
 },
- "options": {
- "cwd": "${workspaceFolder:NetAlertX}"
- },
 "icon": {
 "id": "trash",
 "color": "terminal.ansiRed"
@@ -50,9 +44,9 @@
 {
 "label": "[Dev Container] Re-Run Startup Script",
 "type": "shell",
- "command": "./isDevContainer.sh || exit 1;${workspaceFolder:NetAlertX}/.devcontainer/scripts/setup.sh",
+ "command": "./isDevContainer.sh || exit 1;/workspaces/NetAlertX/.devcontainer/scripts/setup.sh",
 "options": {
- "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts"
+ "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
 },
 "presentation": {
 "echo": true,
@@ -70,9 +64,9 @@
 {
 "label": "[Dev Container] Start Backend (Python)",
 "type": "shell",
- "command": "./isDevContainer.sh || exit 1; killall python2>/dev/null; /services/start-backend.sh",
+ "command": "./isDevContainer.sh || exit 1; /services/start-backend.sh",
 "options": {
- "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts"
+ "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
 },
 "presentation": {
 "echo": true,
@@ -90,9 +84,9 @@
 {
 "label": "[Dev Container] Start CronD (Scheduler)",
 "type": "shell",
- "command": "./isDevContainer.sh || exit 1; killall crond>/dev/null; /services/start-crond.sh",
+ "command": "./isDevContainer.sh || exit 1; /services/start-crond.sh",
 "options": {
- "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts"
+ "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
 },
 "presentation": {
 "echo": true,
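Review bot: Replacing `${workspaceFolder:NetAlertX}` with the literal `/workspaces/NetAlertX` in `cwd` and `command` (first in the `@@ -50,9 +44,9 @@` hunk, then in every later tasks.json hunk) ties these tasks to one mount path; a clone under another directory name, or a devcontainer with a different `workspaceFolder`, then fails with "no such file" while the single-root `${workspaceFolder}` variable would keep working. If the hard-coding is deliberate for the devcontainer, record it once next to the first affected task, e.g. `// devcontainer mounts the repo at /workspaces/NetAlertX; these tasks assume that path`.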
@@ -110,9 +104,9 @@
 {
 "label": "[Dev Container] Start Frontend (nginx and PHP-FPM)",
 "type": "shell",
- "command": "./isDevContainer.sh || exit 1; killall php-fpm83 nginx 2>/dev/null||true; sleep 1; /services/start-php-fpm.sh & /services/start-nginx.sh &",
+ "command": "./isDevContainer.sh || exit 1; /services/start-php-fpm.sh & /services/start-nginx.sh &",
 "options": {
- "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts"
+ "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
 },
 "presentation": {
@@ -133,7 +127,7 @@
 "type": "shell",
 "command": "./isDevContainer.sh || exit 1; pkill -f 'php-fpm83|nginx|crond|python3' || true",
 "options": {
- "cwd": "${workspaceFolder:NetAlertX}/.devcontainer/scripts"
+ "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
 },
 "presentation": {
 "echo": true,
@@ -150,9 +144,9 @@
 {
 "label": "[Dev Container] List NetAlertX Ports",
 "type": "shell",
- "command": "./scripts/list-ports.sh",
+ "command": "list-ports.sh",
 "options": {
- "cwd": "${workspaceFolder:NetAlertX}"
+ "cwd": "/workspaces/NetAlertX/.devcontainer/scripts"
 },
 "presentation": {
 "echo": true,
diff --git a/Dockerfile b/Dockerfile
index 6f3cdc35..af7b4a8a 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -70,7 +70,7 @@ ENV PYTHONUNBUFFERED=1
 RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iproute2 \
 iproute2-ss nmap nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake \
 ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 \
- nginx sudo shadow && \
+ envsubst nginx sudo shadow && \
 rm -Rf /var/cache/apk/* && \
 rm -Rf /etc/nginx && \
 addgroup -g 20211 netalertx && \
diff --git a/docker-compose.hardened.yaml b/docker-compose.hardened.yaml
new file mode 100644
index 00000000..7205c704
--- /dev/null
+++ b/docker-compose.hardened.yaml
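Review bot: `"command": "list-ports.sh"` in the List NetAlertX Ports task is a bare command name, which the shell resolves through PATH rather than the task's `cwd`, so unless `.devcontainer/scripts` is on PATH the task now fails with "command not found"; use `"command": "./list-ports.sh"` with the new cwd. The previous `./scripts/list-ports.sh` was relative to the workspace root, so this hunk also moves where the script is expected to live — worth confirming it really sits under `.devcontainer/scripts`.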
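Review bot: `envsubst` is added to the `apk add` list under that package name, but start-nginx.sh later in this diff relies on the GNU gettext invocation `envsubst '${LISTEN_ADDR} ${PORT}'`; on Alpine the gettext implementation ships as `gettext-envsubst` (or with `gettext`), and if the `envsubst` package resolves to a different implementation the positional variable list may be ignored or rejected, which start-nginx.sh then hides behind its `2>/dev/null` fallback. Confirm which binary the built image ends up with and pin the gettext package if that is the intended one. A short comment on the RUN line would document the dependency: `# envsubst: used by /services/start-nginx.sh to render the nginx template`.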
@@ -0,0 +1,39 @@
+version: '3.8'
+
+services:
+ netalertx:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ image: netalertx:latest
+ container_name: netalertx_internal
+ read_only: true
+ tmpfs:
+ - /etc/nginx/conf.d
+ - /var/cache/nginx
+ - /var/run
+ - /app/log
+ - /tmp
+ networks:
+ - netalertx_net
+ environment:
+ - NETALERTX_MODE=hardened
+ - GRAPHQL_PORT=25378
+ restart: unless-stopped
+
+ proxy:
+ image: nginx:alpine
+ container_name: netalertx_proxy
+
+ ports:
+ - "20211:25377"
+ - "20212:25378"
+ networks:
+ - netalertx_net
+ depends_on:
+ - netalertx
+ restart: unless-stopped
+
+networks:
+ netalertx_net:
+
diff --git a/docker-compose.unproxied.yaml b/docker-compose.unproxied.yaml
new file mode 100644
index 00000000..892b4b41
--- /dev/null
+++ b/docker-compose.unproxied.yaml
@@ -0,0 +1,21 @@
+version: '3.8'
+
+services:
+ netalertx:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ image: netalertx:latest
+ container_name: netalertx_unproxied
+ read_only: true
+ tmpfs:
+ - /etc/nginx/conf.d
+ - /var/cache/nginx
+ - /var/run
+ - /app/log
+ - /tmp
+ network_mode: "host"
+ environment:
+ - NETALERTX_MODE=unproxied
+ - GRAPHQL_PORT=20212
+ restart: unless-stopped
diff --git a/install/production-filesystem/README.md b/install/production-filesystem/README.md
index d4ee2b68..8cc255e0 100644
--- a/install/production-filesystem/README.md
+++ b/install/production-filesystem/README.md
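Review bot: The proxy service publishes `20211:25377` and `20212:25378`, but nothing in this file sets `PORT` or `LISTEN_ADDR` for the netalertx service (its fallback config later in this diff listens on 20211) and the stock `nginx:alpine` image has no configuration mounted that forwards to `netalertx`, so as written the proxy serves nginx's default page and the application is unreachable through it. With `read_only: true` the tmpfs list also omits `/services/run`, which the nginx config hardcodes for its temp paths and `php.sock`, and `/services/config/nginx/conf.active`, which start-nginx.sh renders into; the template render then always fails and, unless the image pre-creates those directories, nginx cannot start at all — the same gap exists in docker-compose.unproxied.yaml in the next hunk. `version: '3.8'` is obsolete and ignored by Compose v2 with a warning.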
@@ -6,7 +6,7 @@ This is the default filesystem for NetAlertX. it contains
 - `/opt/venv/lib/python3.12/site-packages/aiofreebox` - this holds a certificate used by aiofreebox package, which interacts with freebox OS.
 - `/services` - a directory where all scripts which control system executions are held
 - `/services/config` - a directory which holds all configuration files and `conf.d` folders used in the production image.
- - `/services/config/cond` - `crond` daemon config.
+ - `/services/config/crond` - `crond` daemon config.
 - `/services/config/nginx` - `nginx` conf files.
 - `/services/config/php` - php conf file.
 - `/services/config/php/php-fpm.d` - a `.d` style directory, debugger parameters or other configurations can be dropped in here.
diff --git a/install/production-filesystem/app/log/plugins/.git-placeholder b/install/production-filesystem/app/log/plugins/.dockerignore
similarity index 100%
rename from install/production-filesystem/app/log/plugins/.git-placeholder
rename to install/production-filesystem/app/log/plugins/.dockerignore
diff --git a/install/production-filesystem/entrypoint.sh b/install/production-filesystem/entrypoint.sh
index 927b93be..d727266e 100644
--- a/install/production-filesystem/entrypoint.sh
+++ b/install/production-filesystem/entrypoint.sh
@@ -70,6 +70,16 @@ add_service "/services/start-php-fpm.sh" "php-fpm"
 add_service "/services/start-nginx.sh" "nginx"
 add_service "/services/start-backend.sh" "backend"
+
+# if NETALERTX_DEBUG=1 then we will not kill any services if one fails. We will just wait for all to exit.
+if [ "${NETALERTX_DEBUG:-0}" -eq 1 ]; then
+ echo "NETALERTX_DEBUG is set to 1, will not shut down other services if one fails."
+ wait
+ exit $?
+fi
+
+
+# This is the default action
 while [ -n "${SERVICES}" ]; do
 for entry in ${SERVICES}; do
 pid="${entry%%:*}"
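Review bot: In the debug branch, `wait` with no arguments always returns 0 in bash, so `exit $?` reports success even when every service has died; if a failure is meant to propagate, wait on each PID from the `SERVICES` list (its `pid:name` layout is visible in the `pid="${entry%%:*}"` line below) and exit with the first non-zero status, or document that the debug path exits 0 by design. `[ "${NETALERTX_DEBUG:-0}" -eq 1 ]` also errors out on a non-numeric value such as `true`; `[ "${NETALERTX_DEBUG:-0}" = "1" ]` is safer. The supervision loop that follows continues past the hunk.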
diff --git a/install/production-filesystem/services/config/nginx/README.md b/install/production-filesystem/services/config/nginx/README.md
new file mode 100644
index 00000000..f1e3b020
--- /dev/null
+++ b/install/production-filesystem/services/config/nginx/README.md
@@ -0,0 +1,9 @@
+Nginx's conf is in /services/config/nginx/conf.active. This is the default configuration when run as a read-only container without a mount.
+
+With a tmpfs mount on /services/config/nginx.conf.active, the nginx template will be rewritten to allow ENV customization of listen address and port.
+
+The act of running /services/start-nginx.sh writes a new nginx.conf file, using envsubst, then starts nginx based on the parameters in that file.
+
+Defaults:
+LISTEN_ADDR=0.0.0.0
+PORT=20211
\ No newline at end of file
diff --git a/install/production-filesystem/services/config/nginx/nginx.conf b/install/production-filesystem/services/config/nginx/conf.active/netalertx.conf
similarity index 80%
rename from install/production-filesystem/services/config/nginx/nginx.conf
rename to install/production-filesystem/services/config/nginx/conf.active/netalertx.conf
index f87b0d0d..d62f60f4 100644
--- a/install/production-filesystem/services/config/nginx/nginx.conf
+++ b/install/production-filesystem/services/config/nginx/conf.active/netalertx.conf
@@ -14,6 +14,8 @@ events {
 }
 http {
+
+ # Mapping of temp paths for various nginx modules.
 client_body_temp_path /services/run/tmp/client_body;
 proxy_temp_path /services/run/tmp/proxy;
 fastcgi_temp_path /services/run/tmp/fastcgi;
@@ -94,6 +96,23 @@ http {
 access_log /app/log/nginx-access.log main;
- # Includes virtual hosts configs.
- include /services/config/nginx/netalertx.conf;
+ # Virtual host config
+ server {
+ listen 0.0.0.0:20211 default_server;
+ root /app/front;
+ index index.php;
+ add_header X-Forwarded-Prefix "/app" always;
+
+ location ~* \.php$ {
+ # Set Cache-Control header to prevent caching on the first load
+ add_header Cache-Control "no-store";
+ fastcgi_pass unix:/services/run/php.sock;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_connect_timeout 75;
+ fastcgi_send_timeout 600;
+ fastcgi_read_timeout 600;
+ }
+ }
 }
diff --git a/install/production-filesystem/services/config/nginx/netalertx.conf b/install/production-filesystem/services/config/nginx/netalertx.conf
deleted file mode 100644
index 0bd679a9..00000000
--- a/install/production-filesystem/services/config/nginx/netalertx.conf
+++ /dev/null
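Review bot: `include fastcgi_params;` in the inlined server block is a relative path, and nginx resolves relative includes against the directory of the file passed with `-c` — now `/services/config/nginx/conf.active/` after the rename — whereas the template added in this diff includes `/services/config/nginx/fastcgi_params` absolutely; unless a copy of fastcgi_params exists under conf.active/, this fallback config (the one used precisely when the template cannot be rendered) fails to load. Use the same absolute form, `include /services/config/nginx/fastcgi_params;`. The fallback also lacks the template's `large_client_header_buffers 4 16k;` and `proxy_set_header` line, so behaviour differs depending on which path start-nginx.sh takes; generating this file from the template at image build time would keep the two in step.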
@@ -1,61 +0,0 @@
-# map $request_uri $auth_result {
-# default "";
-# ~^/api/ /auth_result;
-# }
-
-# log_format auth_request_log '$remote_addr - $remote_user [$time_local] '
-# '"$request" $status $body_bytes_sent '
-# '"$http_referer" "$http_user_agent" '
-# '$auth_result';
-
-server {
- listen 0.0.0.0:20211 default_server;
- root /app/front;
- index index.php;
- add_header X-Forwarded-Prefix "/app" always;
-
- # # Authentication endpoint
- # location = /auth {
- # internal;
- # proxy_pass http://127.0.0.1/php/templates/auth.php;
- # proxy_set_header Content-Length "";
- # proxy_pass_request_body off;
- # }
-
- # # Whitelisting IP addresses and CORS for /api/
- # location /api/ {
- # auth_request /auth;
- # access_log /var/log/nginx/auth_request.log auth_request_log;
-
- # # Enable CORS for specific frontend domain
- # add_header 'Access-Control-Allow-Origin' 'http://192.168.1.82:20211' always;
- # add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
- # add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;
- # add_header 'Access-Control-Allow-Credentials' 'true' always;
-
- # if ($request_method = 'OPTIONS') {
- # return 204;
- # }
-
- # error_page 401 = @unauthorized;
-
- # # Other headers and configurations
- # try_files $uri $uri/ =404;
- # }
-
- # location @unauthorized {
- # return 401;
- # }
-
- location ~* \.php$ {
- # Set Cache-Control header to prevent caching on the first load
- add_header Cache-Control "no-store";
- fastcgi_pass unix:/services/run/php.sock;
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param SCRIPT_NAME $fastcgi_script_name;
- fastcgi_connect_timeout 75;
- fastcgi_send_timeout 600;
- fastcgi_read_timeout 600;
- }
-}
diff --git a/install/production-filesystem/services/config/nginx/netalertx.conf.template b/install/production-filesystem/services/config/nginx/netalertx.conf.template
new file mode 100644
index 00000000..50c6ea5e
--- /dev/null
+++ b/install/production-filesystem/services/config/nginx/netalertx.conf.template
@@ -0,0 +1,113 @@
+# Set number of worker processes automatically based on number of CPU cores.
+worker_processes auto;
+
+# Enables the use of JIT for regular expressions to speed-up their processing.
+pcre_jit on;
+
+# Configures default error logger.
+error_log /app/log/nginx-error.log warn;
+
+events {
+ # The maximum number of simultaneous connections that can be opened by
+ # a worker process.
+ worker_connections 1024;
+}
+
+http {
+
+ # Mapping of temp paths for various nginx modules.
+ client_body_temp_path /services/run/tmp/client_body;
+ proxy_temp_path /services/run/tmp/proxy;
+ fastcgi_temp_path /services/run/tmp/fastcgi;
+ uwsgi_temp_path /services/run/tmp/uwsgi;
+ scgi_temp_path /services/run/tmp/scgi;
+
+ # Includes mapping of file name extensions to MIME types of responses
+ # and defines the default type.
+ include /services/config/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Name servers used to resolve names of upstream servers into addresses.
+ # It's also needed when using tcpsocket and udpsocket in Lua modules.
+ #resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
+
+ # Don't tell nginx version to the clients. Default is 'on'.
+ server_tokens off;
+
+ # Specifies the maximum accepted body size of a client request, as
+ # indicated by the request header Content-Length. If the stated content
+ # length is greater than this size, then the client receives the HTTP
+ # error code 413. Set to 0 to disable. Default is '1m'.
+ client_max_body_size 1m;
+
+ # Sendfile copies data between one FD and other from within the kernel,
+ # which is more efficient than read() + write(). Default is off.
+ sendfile on;
+
+ # Causes nginx to attempt to send its HTTP response head in one packet,
+ # instead of using partial frames. Default is 'off'.
+ tcp_nopush on;
+
+
+ # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
+ # TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ # Path of the file with Diffie-Hellman parameters for EDH ciphers.
+ # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
+ #ssl_dhparam /etc/ssl/nginx/dh2048.pem;
+
+ # Specifies that our cipher suits should be preferred over client ciphers.
+ # Default is 'off'.
+ ssl_prefer_server_ciphers on;
+
+ # Enables a shared SSL cache with size that can hold around 8000 sessions.
+ # Default is 'none'.
+ ssl_session_cache shared:SSL:2m;
+
+ # Specifies a time during which a client may reuse the session parameters.
+ # Default is '5m'.
+ ssl_session_timeout 1h;
+
+ # Disable TLS session tickets (they are insecure). Default is 'on'.
+ ssl_session_tickets off;
+
+
+ # Enable gzipping of responses.
+ #gzip on;
+
+ # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
+ gzip_vary on;
+
+
+ # Specifies the main log format.
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ # Sets the path, format, and configuration for a buffered log write.
+ access_log /app/log/nginx-access.log main;
+
+
+ # Virtual host config
+ server {
+ listen ${LISTEN_ADDR}:${PORT} default_server;
+ large_client_header_buffers 4 16k;
+ root /app/front;
+ index index.php;
+ add_header X-Forwarded-Prefix "/app" always;
+ proxy_set_header X-Forwarded-Prefix "/app";
+
+ location ~* \.php$ {
+ # Set Cache-Control header to prevent caching on the first load
+ add_header Cache-Control "no-store";
+ fastcgi_pass unix:/services/run/php.sock;
+ include /services/config/nginx/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_connect_timeout 75;
+ fastcgi_send_timeout 600;
+ fastcgi_read_timeout 600;
+ }
+ }
+}
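Review bot: `add_header Cache-Control "no-store";` inside `location ~* \.php$` suppresses the server-level `add_header X-Forwarded-Prefix "/app" always;` for PHP responses, because nginx inherits add_header directives from the enclosing level only when the current level defines none; repeat `add_header X-Forwarded-Prefix "/app" always;` inside the location if PHP responses are meant to carry it (the conf.active copy in the earlier hunk has the same shape). `proxy_set_header X-Forwarded-Prefix "/app";` has no `proxy_pass` in this server block and is inert, and the comment `# TIP: ... remove TLSv1.1.` no longer matches `ssl_protocols TLSv1.2 TLSv1.3;`. If `LISTEN_ADDR` or `PORT` is unset when envsubst runs, the listen line becomes `listen : default_server;` and nginx refuses the file, so the defaults the README promises must be exported by the renderer rather than assumed.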
diff --git a/install/production-filesystem/services/start-backend.sh b/install/production-filesystem/services/start-backend.sh
index ccaaabd6..b6d62db0 100755
--- a/install/production-filesystem/services/start-backend.sh
+++ b/install/production-filesystem/services/start-backend.sh
@@ -1,5 +1,10 @@
 #!/bin/bash
 cd "${NETALERTX_APP}" || exit 1
+while $(ps ax | grep -v grep | grep python3 >/dev/null); do
+ killall python3 &>/dev/null
+ sleep 0.2
+done
+echo "python3 $(cat /services/config/python/backend-extra-launch-parameters 2>/dev/null) -m server > >(tee /app/log/stdout.log) 2> >(tee /app/log/stderr.log >&2)"
 exec python3 $(cat /services/config/python/backend-extra-launch-parameters 2>/dev/null) -m server > >(tee /app/log/stdout.log) 2> >(tee /app/log/stderr.log >&2)
diff --git a/install/production-filesystem/services/start-crond.sh b/install/production-filesystem/services/start-crond.sh
index 8c18c975..8f166f07 100755
--- a/install/production-filesystem/services/start-crond.sh
+++ b/install/production-filesystem/services/start-crond.sh
@@ -16,11 +16,19 @@ forward_signal() {
 fi
 }
+while $(ps ax | grep -v -e grep -e '.sh' | grep crond >/dev/null); do
+ killall crond &>/dev/null
+ sleep 0.2
+done
+
 trap cleanup EXIT
 trap forward_signal INT TERM
-/usr/sbin/crond -c "${SYSTEM_SERVICES_CROND}" -f -L "${LOG_CROND}" >> "${LOG_CROND}" 2>&1 &
+echo "/usr/sbin/crond -c \"${SYSTEM_SERVICES_CROND}\" -f -L \"${LOG_CROND}\" >>\"${LOG_CROND}\" 2>&1 &"
+
+/usr/sbin/crond -c "${SYSTEM_SERVICES_CROND}" -f -L "${LOG_CROND}" >>"${LOG_CROND}" 2>&1 &
 crond_pid=$!
 wait "${crond_pid}"
-exit $?
\ No newline at end of file
+echo -ne " done"
+exit $?
diff --git a/install/production-filesystem/services/start-nginx.sh b/install/production-filesystem/services/start-nginx.sh
index 8b12af49..01074930 100755
--- a/install/production-filesystem/services/start-nginx.sh
+++ b/install/production-filesystem/services/start-nginx.sh
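Review bot: In start-crond.sh, `echo -ne " done"` placed between `wait "${crond_pid}"` and `exit $?` overwrites `$?` with echo's own status, so the script now always exits 0 even when crond died — which is exactly the signal entrypoint.sh's supervision loop relies on; capture it first with `status=$?` right after the wait, then `echo -ne " done"` and `exit "${status}"`. The same regression is introduced in start-nginx.sh and start-php-fpm.sh in the hunks below. The filter `grep -v -e grep -e '.sh'` is an unanchored regex in which `.` matches any character, so it drops every ps line containing `bash`, `ssh` or similar, not just this script; `pgrep -x crond` avoids the ps/grep chain and the loop's unbounded retry noted on the setup.sh hunk. forward_signal's body starts before the hunk.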
@@ -4,6 +4,8 @@ set -euo pipefail
 LOG_DIR=${NETALERTX_APP}
 RUN_DIR=${SYSTEM_SERVICES_RUN}
 TMP_DIR=${SYSTEM_SERVICES_RUN_TMP}
+SYSTEM_NGINX_CONFIG_TEMPLATE="/services/config/nginx/netalertx.conf.template"
+SYSTEM_NGINX_CONFIG_FILE="/services/config/nginx/conf.active/netalertx.conf"
 # Create directories if they don't exist
 mkdir -p "${LOG_DIR}" "${RUN_DIR}" "${TMP_DIR}"
@@ -13,25 +15,45 @@ echo "Starting nginx..."
 nginx_pid=""
 cleanup() {
- status=$?
- echo "nginx stopped! (exit ${status})"
+ status=$?
+ echo "nginx stopped! (exit ${status})"
 }
 forward_signal() {
- if [[ -n "${nginx_pid}" ]]; then
- kill -TERM "${nginx_pid}" 2>/dev/null || true
- fi
+ if [[ -n "${nginx_pid}" ]]; then
+ kill -TERM "${nginx_pid}" 2>/dev/null || true
+ fi
 }
+
+# When in devcontainer we must kill any existing nginx processes
+while $(ps ax | grep -v -e "grep" -e "nginx.sh" | grep nginx >/dev/null); do
+ killall nginx &>/dev/null || true
+ sleep 0.2
+done
+
+if ! envsubst '${LISTEN_ADDR} ${PORT}'< "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${SYSTEM_NGINX_CONFIG_FILE}" 2>/dev/null; then
+ echo "Note: Unable to write to ${SYSTEM_NGINX_CONFIG_FILE}. Using default configuration."
+fi
+
 trap cleanup EXIT
 trap forward_signal INT TERM
+
+
 # Execute nginx with overrides
+# echo the full nginx command then run it
+echo "nginx command:"
+echo " nginx \
+ -p \"${RUN_DIR}/\" \
+ -c \"${SYSTEM_NGINX_CONFIG_FILE}\" \
+ -g \"error_log ${NETALERTX_LOG}/nginx-error.log; pid ${RUN_DIR}/nginx.pid; daemon off;\" &"
 nginx \
- -p "${RUN_DIR}/" \
- -c "${SYSTEM_NGINX_CONFIG_FILE}" \
- -g "error_log ${NETALERTX_LOG}/nginx-error.log; pid ${RUN_DIR}/nginx.pid; daemon off;" &
+ -p "${RUN_DIR}/" \
+ -c "${SYSTEM_NGINX_CONFIG_FILE}" \
+ -g "error_log ${NETALERTX_LOG}/nginx-error.log; pid ${RUN_DIR}/nginx.pid; daemon off;" &
 nginx_pid=$!
 wait "${nginx_pid}"
-exit $?
\ No newline at end of file
+echo -ne " done"
+exit $?
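Review bot: The guard `if ! envsubst '${LISTEN_ADDR} ${PORT}'< ... > "${SYSTEM_NGINX_CONFIG_FILE}" 2>/dev/null; then` only catches the case where the output file cannot be opened; when the redirect succeeds but envsubst itself fails (binary missing, exit 127) the active config has already been truncated to an empty file, and when `LISTEN_ADDR` or `PORT` is unset (nothing in this hunk exports defaults, and `set -u` cannot see inside the single quotes) a broken `listen :` line is written — in both cases nginx is then launched against the bad file while the message claims the default configuration is in use. Render into a temporary file, require it to be non-empty, and move it into place only on success, exporting the documented defaults first; `2>/dev/null` also hides the real cause, so keep stderr. The rewritten block below replaces only the envsubst `if`; the rest of the hunk is unchanged.

```shell
# Defaults documented in config/nginx/README.md; envsubst only sees exported variables
export LISTEN_ADDR="${LISTEN_ADDR:-0.0.0.0}" PORT="${PORT:-20211}"

tmp_conf="${SYSTEM_NGINX_CONFIG_FILE}.tmp"
if envsubst '${LISTEN_ADDR} ${PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${tmp_conf}" \
   && [[ -s "${tmp_conf}" ]] \
   && mv -f -- "${tmp_conf}" "${SYSTEM_NGINX_CONFIG_FILE}"; then
  echo "Rendered ${SYSTEM_NGINX_CONFIG_FILE} from template"
else
  rm -f -- "${tmp_conf}" 2>/dev/null || true
  echo "Note: Unable to write to ${SYSTEM_NGINX_CONFIG_FILE}. Using default configuration."
fi
# … unchanged: trap setup, command echo and nginx launch …
```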
diff --git a/install/production-filesystem/services/start-php-fpm.sh b/install/production-filesystem/services/start-php-fpm.sh
index d343fcdd..99de494d 100755
--- a/install/production-filesystem/services/start-php-fpm.sh
+++ b/install/production-filesystem/services/start-php-fpm.sh
@@ -16,11 +16,18 @@ forward_signal() {
 fi
 }
+while $(ps ax | grep -v grep | grep php-fpm83 >/dev/null); do
+ killall php-fpm83 &>/dev/null
+ sleep 0.2
+done
+
 trap cleanup EXIT
 trap forward_signal INT TERM
-/usr/sbin/php-fpm83 -y "${PHP_FPM_CONFIG_FILE}" -F >> "${LOG_APP_PHP_ERRORS}" 2>&1 &
+echo "/usr/sbin/php-fpm83 -y \"${PHP_FPM_CONFIG_FILE}\" -F >>\"${LOG_APP_PHP_ERRORS}\" 2>&1 &"
+/usr/sbin/php-fpm83 -y "${PHP_FPM_CONFIG_FILE}" -F >>"${LOG_APP_PHP_ERRORS}" 2>&1 &
 php_fpm_pid=$!
 wait "${php_fpm_pid}"
+echo -ne " done"
 exit $?