Merge remote-tracking branch 'origin/next' into next

.infra/.env_server

@@ -1,7 +1,8 @@
 LBA_NAME=lba
 LBA_SERVER_PORT={{ vault[env_type].LBA_SERVER_PORT }}
 LBA_ENV={{ env_type }}
-LBA_PUBLIC_URL={{ vault[env_type].LBA_PUBLIC_URL }}
+LBA_PUBLIC_URL="{{ vault[env_type].LBA_PUBLIC_URL }}"
+LBA_ALIAS_PUBLIC_URL={{ vault[env_type].LBA_ALIAS_PUBLIC_URL }}
 LBA_OUTPUT_DIR=.local/output
 LBA_DISABLE_PROCESSORS=0
 LBA_LOG_LEVEL=info

.infra/ansible/deploy.yml

@@ -4,6 +4,11 @@
   gather_facts: false
   vars_files:
     - "../vault/vault.yml"
+  handlers:
+    - name: restart-fail2ban
+      service:
+        name: fail2ban
+        state: restarted
   tasks:
     - include_tasks: ./tasks/files_copy.yml
 
@@ -96,6 +101,21 @@
         chdir: /opt/app
         cmd: "sudo /opt/app/tools/ssl/renew-certificate.sh {{dns_name}}"
 
+    - name: "Verification des certificats SSL"
+      shell:
+        chdir: /opt/app
+        cmd: "sudo /opt/app/tools/ssl/renew-certificate.sh labonnealternance.pole-emploi.fr"
+      when: env_type == "production"
+
+    - name: Add cron to renew pole-emploi cert
+      ansible.builtin.cron:
+        name: "renew-certificate"
+        minute: "0"
+        hour: "2"
+        weekday: "1"
+        job: "bash /opt/app/tools/ssl/renew-certificate.sh labonnealternance.pole-emploi.fr >> /var/log/cron.log 2>&1; /opt/app/tools/monitoring/export-cron-status-prom.sh -c 'Renew certificate Pole Emploi' -v $?"
+      when: env_type == "production"
+
     - name: "Setup de la Metabase"
       shell:
         chdir: /opt/app

.infra/env.ini

@@ -4,14 +4,16 @@ app_version=latest
 [production]
 149.202.54.205
 [production:vars]
-dns_name=labonnealternance-develop.apprentissage.beta.gouv.fr
+dns_name=labonnealternance.apprentissage.beta.gouv.fr
 host_name=lba-production
+alias_dns_name=labonnealternance.pole-emploi.fr
 env_type=production
 
 [recette]
 51.75.246.6
 [recette:vars]
 dns_name=labonnealternance-recette.apprentissage.beta.gouv.fr
+alias_dns_name=lba-recette.apprentissage.beta.gouv.fr
 host_name=lba-recette
 env_type=recette
 

.infra/files/configs/reverse_proxy/extra-conf.d/alias.conf.template

@@ -0,0 +1,72 @@
+# Nginx configuration for both HTTP and SSL
+# Defaults values https://github.com/coreruleset/modsecurity-docker/blob/ef9432b6d2e08370a55879543f3f042c757c29c3/v3-nginx/Dockerfile
+
+
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+map $request_uri $https_only {
+  "~^/.well-known/acme-challenge/"  false;
+  "~^/healthz$"      false;
+  default           true;
+}
+
+server {
+    listen ${PORT};
+
+    server_name {{ alias_dns_name }};
+
+    include includes/location_acme.conf;
+    include includes/location_maintenance.conf;
+
+    set $always_redirect ${NGINX_ALWAYS_TLS_REDIRECT};
+
+    if ($https_only = false) {
+      set $always_redirect false;
+    }
+
+    if ($always_redirect = true) {
+      return 301 https://$host$request_uri;
+    }
+
+    include locations/*.conf;
+}
+
+# Use map to allow starting reverse_proxy without SSL ssl_certificate
+# This will allow certbot to create one and trigger reload
+map $host $fullchainAlias {
+    default       /etc/nginx/ssl/live/{{ alias_dns_name }}/fullchain.pem;
+}
+map $host $privkeyAlias {
+    default       /etc/nginx/ssl/live/{{ alias_dns_name }}/privkey.pem;
+}
+
+server {
+    listen ${SSL_PORT} ssl;
+
+    server_name {{ alias_dns_name }};
+
+    ssl_certificate $fullchainAlias;
+    ssl_certificate_key $privkeyAlias;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+
+    ssl_dhparam /etc/ssl/certs/dhparam-${PROXY_SSL_DH_BITS}.pem;
+
+    ssl_protocols ${PROXY_SSL_PROTOCOLS};
+    ssl_ciphers ${PROXY_SSL_CIPHERS};
+    ssl_prefer_server_ciphers ${PROXY_SSL_PREFER_CIPHERS};
+
+    ssl_stapling ${PROXY_SSL_OCSP_STAPLING};
+    ssl_stapling_verify ${PROXY_SSL_OCSP_STAPLING};
+
+    ssl_verify_client ${PROXY_SSL_VERIFY};
+
+    include includes/location_acme.conf;
+    include includes/location_maintenance.conf;
+    include includes/location_monitoring.conf;
+    include locations/*.conf;
+}

.infra/files/fail2ban/jail.d/nginx.local

@@ -1,5 +1,5 @@
 [whitelist]
-ignoreip = 213.91.3.170 213.91.3.180 onisep.fr brevo.com 171.33.105.206
+ignoreip = 213.91.3.170 213.91.3.180 91.173.13.14 onisep.fr brevo.com 171.33.105.206
 
 [nginx-req-limit]
 enabled = true

.talismanrc

@@ -10,15 +10,17 @@ fileignoreconfig:
 - filename: .github/workflows/release.yml
   checksum: 04cd4e69c67ffb0baa69892cb715aab8221d10587af0b2f27af38b2d4a968b93
 - filename: .infra/.env_server
-  checksum: 618e1aad8e37a060c78ddca285899ae61cd2a6c584895a3c4dfd54f392ed6112
+  checksum: aab1ecd35161750c0cc60ab49274fe67c54d54e65309d324daa95d666a6355cb
 - filename: .infra/env.ini
-  checksum: 46009eb5ccdcc992bfcc93feb40bb6e5dbaad5b57bec5a47ed4122a7ebbd243f
+  checksum: 8a4a01117d2fb9a54092d62cc5e07fd9418b2777cfbed8453571fe093b6a833a
 - filename: .infra/files/configs/mongodb/seed.gpg
   checksum: 7141d3836a9746d58ca3331b6ce2911a3b260131d47af6e402d39962c411eac8
+- filename: .infra/files/configs/reverse_proxy/extra-conf.d/alias.conf.template
+  checksum: 07875ae04a27fc2220ddf4d0010225d7f62529187328c93d6dbc8d008eb27ff7
 - filename: .infra/vault/vault.yml
   checksum: be891b8d48595418ff79b33c402b28e0f824471459af9e57801e3131e1d28e5a
 - filename: server/.env.test
-  checksum: a25dd7f90a3bff45f97f82e253b830f54ca74ba81b7eab485c899ad5edf3d770
+  checksum: c5b14d25731246734d6f024cf0b36936cdf1c84195d9096f379f9adccb85740b
 - filename: server/src/common/model/constants/referrers.ts
   checksum: a7205e7da4dca56dc3f989bc4fbbec4ed10c46b963446005a0b0356b0cae3a3d
 - filename: server/src/common/model/schema/_shared/mongoose-paginate.ts

server/.env.test

@@ -2,6 +2,7 @@ LBA_NAME=lba
 LBA_SERVER_PORT=5000
 LBA_ENV=local
 LBA_PUBLIC_URL=http://localhost:3000
+LBA_PUBLIC_URL=""
 LBA_OUTPUT_DIR=.local/output
 LBA_DISABLE_PROCESSORS=0
 LBA_LOG_LEVEL=fatal

server/src/common/utils/isOriginLocal.ts

@@ -4,15 +4,7 @@ import config from "../../config"
  * @description : préciser l'usage de cet utils
  */
 
-const localOrigin = [
-  "https://labonnealternance.beta.pole-emploi.fr",
-  "https://labonnealternance.pole-emploi.fr",
-  "https://labonnealternance.apprentissage.beta.gouv.fr",
-  "https://labonnealternance-recette.apprentissage.beta.gouv.fr",
-  "http://localhost:3003",
-  "http://localhost:3000",
-  "http://localhost",
-]
+const localOrigin = [config.publicUrl, config.aliasPublicUrl].filter(Boolean)
 
 const localOriginRegexp = /^https:\/\/labonnealternance(.*).apprentissage.beta.gouv.fr(.*)/i
 const recetteRegexp = /^https:\/\/labonnealternance-recette.apprentissage.beta.gouv.fr(.*)/i
@@ -39,4 +31,4 @@ const isOriginLocal = (origin) => {
   }
 }
 
-export { isOriginLocal }
+export { isOriginLocal, localOrigin }

server/src/config.ts

@@ -6,6 +6,7 @@ const config = {
   port: env.get("LBA_SERVER_PORT").required().asPortNumber(),
   env: env.get("LBA_ENV").required().asEnum(["local", "recette", "production", "preview"]),
   publicUrl: env.get("LBA_PUBLIC_URL").required().asString(),
+  aliasPublicUrl: env.get("LBA_ALIAS_PUBLIC_URL").required().asString(),
   outputDir: env.get("LBA_OUTPUT_DIR").required().asString(),
   formationsEndPoint: "/api/v1/entity/formations",
   maxApplicationPerDay: 100,

server/src/http/server.ts

@@ -10,6 +10,8 @@ import { OpenAPIV3_1 } from "openapi-types"
 import { generateOpenApiSchema } from "shared/helpers/openapi/generateOpenapi"
 import { SecurityScheme } from "shared/routes/common.routes"
 
+import { localOrigin } from "@/common/utils/isOriginLocal"
+
 import config from "../config"
 import { initBrevoWebhooks } from "../services/brevo.service"
 
@@ -95,16 +97,15 @@ export async function bind(app: Server) {
 
   app.decorate("auth", (strategy: SecurityScheme) => auth(strategy))
 
-  // TODO_AB To check
-  // app.register(fastifyCors, {
-  //   origin: "*",
-  // })
-
   if (config.env === "local") {
     app.register(fastifyCors, {
       origin: config.publicUrl,
       credentials: true,
     })
+  } else {
+    app.register(fastifyCors, {
+      origin: localOrigin,
+    })
   }
 
   app.register(