ozone-his · rbuisson · Jan 9, 2024 · Jan 9, 2024 · Jan 9, 2024 · rbuisson
diff --git a/README.md b/README.md
@@ -12,7 +12,7 @@ It may take some time to setup Ozone for the first time, so hang tight :hourglas
 
 When ready Gitpod will launch the tab for OpenMRS 3.
 
-## (option 2) Try Ozone locally using the embedded Apache 2 proxy
+## (option 2) Try Ozone locally using the embedded Nginx reverse proxy
 
 Clone the repo
 ```bash

diff --git a/docker-compose-openmrs.yml b/docker-compose-openmrs.yml
@@ -35,8 +35,6 @@ services:
     networks:
       - ozone
       - web
-    ports:
-      - "8080:8080"
     restart: unless-stopped
     volumes:
       - "openmrs-data:/openmrs/data"

diff --git a/docker-compose-superset.yml b/docker-compose-superset.yml
@@ -26,8 +26,6 @@ services:
     networks:
       - ozone
       - web
-    ports:
-      - "8088:8088"
     restart: unless-stopped
     volumes:
       - ${SUPERSET_CONFIG_PATH}/:/etc/superset/

diff --git a/proxy/Dockerfile b/proxy/Dockerfile
@@ -1,8 +1,6 @@
-FROM httpd:2.4-alpine
+FROM nginx:1.25-alpine
 
-RUN apk add curl iproute2 iputils less nano tree ca-certificates lsof --no-cache
+ENV FRAME_ANCESTORS ""
 
-COPY resources/httpd.conf /usr/local/apache2/conf/httpd.conf
-COPY resources/proxy-rules /usr/local/apache2/conf/proxy-rules
-COPY resources/tls/cert.pem resources/tls/privkey.pem resources/tls/chain.pem /etc/tls/
-EXPOSE 8069/tcp
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY default.conf.template /etc/nginx/templates/
diff --git a/proxy/confs/000-80.conf b/proxy/confs/000-80.conf
diff --git a/proxy/confs/010-443.conf b/proxy/confs/010-443.conf
diff --git a/proxy/confs/030-8069.conf b/proxy/confs/030-8069.conf
diff --git a/proxy/confs/040-8081.conf b/proxy/confs/040-8081.conf
diff --git a/proxy/confs/050-8088.conf b/proxy/confs/050-8088.conf
diff --git a/proxy/default.conf.template b/proxy/default.conf.template
@@ -0,0 +1,175 @@
+map $request_uri $csp_header {
+  default "default-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self'; img-src 'self' data:; frame-ancestors 'self' ${FRAME_ANCESTORS};";
+  "~^/openmrs/(?:admin|dictionary|module|patientDashboard.form)/" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self'; frame-ancestors 'self';";
+  "~^/openmrs/owa" "default-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; base-uri 'self'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'self';";
+}
+
+map $http_x_forwarded_proto $forwarded_proto {
+  "~.*" $http_x_forwarded_proto;
+  default    $scheme;
+}
+
+map $http_x_real_ip $forwarded_ip {
+  "~.*"  $http_x_real_ip;
+  default $remote_addr;
+}
+
+map $forwarded_proto $var_proxy_cookie_flags {
+  https   "JSESSIONID secure samesite=strict";
+  default "off";
+}
+
+upstream frontend {
+  # always assume the frontend will be available
+  server frontend max_fails=0;
+}
+
+upstream backend {
+  server openmrs:8080 max_fails=0;
+}
+
+upstream odoo {
+  server odoo:8069 max_fails=0;
+}
+upstream odoochat {
+  server odoo:8072  max_fails=0;
+}
+
+
+
+upstream senaite {
+  server senaite:8080 max_fails=0;
+}
+
+upstream superset {
+  server superset:8088 max_fails=0;
+}
+
+server {
+  listen       80;
+
+  add_header X-XSS-Protection "1; mode=block";
+  add_header Content-Security-Policy $csp_header;
+  add_header X-Content-Type-Options nosniff;
+
+  proxy_set_header      HOST $host;
+  proxy_set_header      X-Forwarded-Proto $forwarded_proto;
+  proxy_set_header      X-Real-IP $forwarded_ip;
+  proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+  # if serving this via HTTPS, the following is recommended
+  # proxy_cookie_flags      $var_proxy_cookie_flags;
+  proxy_http_version    1.1;
+
+  gzip on;
+  gzip_vary on;
+  # 1 KiB
+  gzip_min_length 1024;
+  gzip_proxied any;
+  gzip_http_version 1.0;
+  gzip_types  font/eot
+              font/otf
+              font/ttf
+              image/svg+xml
+              text/css
+              text/javascript
+              text/plain
+              text/xml
+              application/atom+xml
+              application/geo+json
+              application/importmap+json
+              application/javascript
+              application/x-javascript
+              application/json
+              application/ld+json
+              application/fhir+json
+              application/fhir+xml
+              application/manifest+json
+              application/rdf+xml
+              application/rss+xml
+              application/xhtml+xml
+              application/xml;
+
+  # all redirects are relative to the gateway
+  absolute_redirect off;
+
+  location = /openmrs/spa {
+    return 301 /openmrs/spa/;
+  }
+
+  location /openmrs/spa/ {
+    proxy_pass http://frontend/;
+    proxy_redirect http://$host/ /openmrs/spa/;
+  }
+
+  location /openmrs {
+    proxy_pass http://backend;
+  }
+
+  location = / {
+    return 301 /openmrs/spa/;
+  }
+}
+
+server {
+    listen 8069;
+    server_name localhost;
+
+    # Increase proxy buffer size
+    proxy_buffers 16 64k;
+    proxy_buffer_size 128k;
+    # Force timeouts if the backend dies
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+    # Enable data compression
+    gzip on;
+    gzip_min_length 1100;
+    gzip_buffers 4 32k;
+    gzip_types text/plain text/xml text/css text/less application/x-javascript application/xml application/json application/javascript;
+    gzip_vary on;
+
+    # Proxy header and settings
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+
+
+    # Cache static data
+    location ~* /web/static/ {
+        proxy_cache_valid 200 60m;
+        proxy_buffering on;
+        expires 864000;
+        proxy_pass http://odoo;
+    }
+
+    location / {
+            proxy_pass http://odoo;
+            # The following makes the timeout broader
+            proxy_read_timeout 30000;
+            proxy_redirect off;
+    }
+
+    location /longpolling {
+            proxy_pass http://odoochat;
+    }
+}
+
+server {
+    listen 8088;
+    location / {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://superset;
+    }
+}
+
+server {
+    listen 8081;
+    location / {
+        proxy_set_header        Host            $http_host;
+        proxy_set_header        X-Real-IP       $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        rewrite                 ^(.*)$ /VirtualHostBase/$scheme/$host/senaite/VirtualHostRoot/$1 break;
+        proxy_pass              http://senaite;
+    }
+}
diff --git a/proxy/docker-compose.yml b/proxy/docker-compose.yml
@@ -7,7 +7,6 @@ services:
       context: ./
       args:
         TIMEZONE: "${TIMEZONE}"
-    command: "httpd-foreground ${PROXY_TLS:-}"
     healthcheck:
       test:
         - CMD
@@ -18,9 +17,9 @@ services:
       ozone:
     ports:
       - "${PROXY_PUBLIC_PORT:-80}:80"
-      - "${PROXY_PUBLIC_PORT_TLS:-443}:443"
       - "8069:8069"
       - "8081:8081"
+      - "8088:8088"
     volumes:
       - "./confs:/usr/local/apache2/conf/extra"
       - "${PROXY_TLS_CERTS_PATH:-proxy-tls-certs}:/etc/tls"

diff --git a/proxy/nginx.conf b/proxy/nginx.conf
@@ -0,0 +1,30 @@
+user  nobody;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+  worker_connections  1024;
+}
+
+
+http {
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log  /var/log/nginx/access.log  main;
+
+  sendfile      on;
+  tcp_nopush    on;
+  tcp_nodelay   on;
+
+  keepalive_timeout  65;
+
+  include /etc/nginx/conf.d/*.conf;
+}