diff --git a/client b/client
index 70ec99f0..681f5671 160000
--- a/client
+++ b/client
@@ -1 +1 @@
-Subproject commit 70ec99f02885a06e37709db6319bfdf96fac84eb
+Subproject commit 681f56713d5f9d4541b066b31e7a36efb0f7bfef
diff --git a/docker-compose.yml b/docker-compose.yml
index 3520b781..0d7eb059 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,7 +10,7 @@ services:
 POSTGRES_DATABASE: odk
 restart: always
 mail:
- image: "itsissa/namshi-smtp:4.89-2.deb9u5"
+ image: "itsissa/namshi-smtp:4.92-8.deb10u6"
 volumes:
 - ./files/dkim/config:/etc/exim4/_docker_additional_macros:ro
 - ./files/dkim/rsa.private:/etc/exim4/domain.key:ro
@@ -35,6 +35,8 @@ services:
 - SYSADMIN_EMAIL=${SYSADMIN_EMAIL}
 command: [ "./wait-for-it.sh", "postgres:5432", "--", "./start-odk.sh" ]
 restart: always
+ logging:
+ driver: local
 nginx:
 build:
 context: .
@@ -52,8 +54,12 @@ services:
 healthcheck:
 test: [ "CMD-SHELL", "nc -z localhost 80 || exit 1" ]
 restart: always
+ logging:
+ driver: local
+ options:
+ max-file: "30"
 pyxform:
- image: 'getodk/pyxform-http:v1.5.1'
+ image: 'ghcr.io/getodk/pyxform-http:v1.6.0'
 restart: always
 secrets:
 volumes:
diff --git a/enketo.dockerfile b/enketo.dockerfile
index a4afdc3e..26eac125 100644
--- a/enketo.dockerfile
+++ b/enketo.dockerfile
@@ -1,4 +1,4 @@
-FROM enketo/enketo-express:2.7.3
+FROM ghcr.io/enketo/enketo-express:3.0.1
 ENV ENKETO_SRC_DIR=/srv/src/enketo_express
 WORKDIR ${ENKETO_SRC_DIR}
@@ -15,11 +15,11 @@ COPY files/enketo/config.json.template ${ENKETO_SRC_DIR}/config/config.json
 COPY files/enketo/start-enketo.sh ${ENKETO_SRC_DIR}/start-enketo.sh
 RUN apt-get update; apt-get install gettext-base
-RUN grunt
-RUN npm install --production
+RUN npm install
+RUN grunt
+RUN npm prune --production
 EXPOSE 8005
 CMD ./start-enketo.sh
-
diff --git a/files/nginx/odk-setup.sh b/files/nginx/odk-setup.sh
index 7a6a9085..4a29ad23 100644
--- a/files/nginx/odk-setup.sh
+++ b/files/nginx/odk-setup.sh
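Review bot: The nginx `logging` block in the third docker-compose hunk sets `max-file: "30"` but no `max-size`, so the retained volume depends on the `local` driver's per-file default, while the service container's `logging:` / `driver: local` added in the second hunk sets no options at all, leaving the two containers with different, implicit retention. The nginx access log is the deployment's audit trail, so its retention should be stated explicitly, for example `options:` / `max-size: "20m"` / `max-file: "30"` (the size is a value to choose, not a recommendation), and the service container should carry the same options rather than relying on the default. The `local` driver stores logs in Docker's own format under the daemon's data directory, so `docker logs` becomes the only way to read them; if logs are expected to be shipped elsewhere, a comment on the `logging:` key recording that would help the next operator. Both hunks end inside the `services:` mapping, which continues outside the diff.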
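Review bot: `RUN npm prune --production` on its own layer does not remove the devDependencies from the image: the full tree installed by the preceding `RUN npm install` layer stays in the image history, so the final image still ships the build-time packages and the prune only hides them in the top layer. Collapsing the three steps into one layer, `RUN npm install && grunt && npm prune --production`, keeps only the pruned tree in the image, and the `&&` chain still fails the build if any step fails, as the separate RUN lines do today. If the base image ships a package-lock.json, `npm ci` instead of `npm install` would install exactly the locked versions; the lockfile is not visible in this diff, so confirm before changing it.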
@@ -24,7 +24,7 @@ CNAME=$([ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
 if [ "$SSL_TYPE" = "letsencrypt" ]
 then
 echo "starting nginx with certbot.."
- /bin/bash /scripts/entrypoint.sh
+ /bin/bash /scripts/start_nginx_certbot.sh
 elif [ "$SSL_TYPE" = "upstream" ]
 then
 perl -i -ne 's/listen 443.*/listen 80;/; print if ! /ssl_/' /etc/nginx/conf.d/odk.conf
diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
index 3bacaae2..d614b1fc 100644
--- a/files/nginx/odk.conf.template
+++ b/files/nginx/odk.conf.template
@@ -4,13 +4,17 @@ server {
 ssl_certificate_key /etc/${SSL_TYPE}/live/${CNAME}/privkey.pem;
 ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;
- ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
- ssl_prefer_server_ciphers on;
- ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
+ # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_dhparam /etc/dh/nginx.pem;
 server_tokens off;
- add_header Strict-Transport-Security "max-age=31536000";
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Content-Type-Options nosniff;
 client_max_body_size 100m;
@@ -45,6 +49,13 @@ server {
 location / {
 root /usr/share/nginx/html;
+
+ location /version.txt {
+ add_header Cache-Control no-cache;
+ }
+ location /index.html {
+ add_header Cache-Control no-cache;
+ }
 }
 }
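Review bot: `/bin/bash /scripts/start_nginx_certbot.sh` hard-codes a path that belongs to the new base image (`jonasal/nginx-certbot` in nginx.dockerfile) without recording that dependency, so the next base-image bump can silently break the letsencrypt branch with nothing in this file pointing at the cause. A comment above the line such as `# start_nginx_certbot.sh is shipped by the jonasal/nginx-certbot base image (see nginx.dockerfile); re-check on base-image bumps` would make the coupling visible. Running it through `/bin/bash` rather than `exec` keeps this script as the parent process; that is unchanged from the previous line, but whether signals to the certbot loop arrive as intended depends on how the container is started, which is outside the hunk. The enclosing if/elif chain starts and ends outside the hunk.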
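Review bot: `ssl_dhparam /etc/dh/nginx.pem;` makes nginx refuse to start when that file is missing, and nothing in this diff creates or mounts it (the docker-compose and nginx.dockerfile hunks do not mention `/etc/dh`); if it is provisioned elsewhere, a comment on the line naming the source would help, otherwise it must be generated or copied into the image. The Mozilla intermediate profile linked in the new comment also sets `ssl_session_timeout 1d;`, `ssl_session_cache shared:MozSSL:10m;` and `ssl_session_tickets off;`; the last matters because nginx's default ticket key only changes on restart or reload, which weakens forward secrecy for resumed TLS 1.2 sessions. The new `X-Frame-Options` line and the existing `X-Content-Type-Options` line lack `always`, so unlike the new HSTS line they are not sent on error responses. The `server` block continues outside the hunk.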
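Review bot: The nested `location /version.txt` and `location /index.html` blocks each define an `add_header`, and nginx inherits `add_header` from the enclosing level only when the current level defines none, so responses for these two paths lose the `Strict-Transport-Security`, `X-Frame-Options` and `X-Content-Type-Options` headers set at server level — and /index.html is the page where framing protection matters most. Either restate the three headers inside each nested location, as below, or move the security headers into a snippet that is `include`d at every level that adds its own headers. The `location /` and `server` braces close inside the hunk; the rest of the server block is outside it.

```nginx
location / {
  root /usr/share/nginx/html;

  # add_header is not inherited once a block defines its own, so the
  # server-level security headers must be restated in each nested location
  location /version.txt {
    add_header Cache-Control no-cache;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
  }
  location /index.html {
    add_header Cache-Control no-cache;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
  }
}
```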
diff --git a/files/service/crontab b/files/service/crontab
index b772aa06..08c13375 100644
--- a/files/service/crontab
+++ b/files/service/crontab
@@ -1,2 +1,3 @@
+0 3 * * * root /usr/odk/run-analytics.sh
 0 2 * * * root /usr/odk/run-backup.sh
 0 1 * * 0 root /usr/odk/reap-sessions.sh
diff --git a/files/service/pm2.config.js b/files/service/pm2.config.js
new file mode 100644
index 00000000..3bbf62dd
--- /dev/null
+++ b/files/service/pm2.config.js
@@ -0,0 +1,17 @@
+module.exports = {
+ apps: [{
+ name: 'service',
+ script: './lib/bin/run-server.js',
+
+ // the default is 1600ms; we aren't that impatient:
+ kill_timeout: 30000,
+
+ // log to stdout/stderr:
+ out_file: '/proc/1/fd/1',
+ error_file: '/proc/1/fd/2',
+
+ // per Unitech/pm2#2045 this resolves a conflict w node-config:
+ instance_var: 'INSTANCE_ID'
+ }]
+};
+
diff --git a/files/service/scripts/run-analytics.sh b/files/service/scripts/run-analytics.sh
new file mode 100755
index 00000000..3358c65f
--- /dev/null
+++ b/files/service/scripts/run-analytics.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+cd /usr/odk
+/usr/local/bin/node lib/bin/run-analytics.js >/proc/1/fd/1 2>/proc/1/fd/2
+
diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
index 34e2fca7..e13acd98 100755
--- a/files/service/scripts/start-odk.sh
+++ b/files/service/scripts/start-odk.sh
@@ -18,6 +18,5 @@ fi
 echo "using $WORKER_COUNT worker(s) based on available memory ($MEMTOT).."
 echo "starting server."
-mkdir -p /var/log/odk
-node node_modules/naught/lib/main.js start --remove-old-ipc true --worker-count $WORKER_COUNT --daemon-mode false --log /var/log/odk/naught.log --stdout /proc/1/fd/1 --stderr /proc/1/fd/2 lib/bin/run-server.js
+pm2-runtime ./pm2.config.js --instances $WORKER_COUNT
diff --git a/nginx.dockerfile b/nginx.dockerfile
index b9421bae..2e3b0412 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
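Review bot: `cd /usr/odk` in run-analytics.sh is unchecked, so if the directory is missing or inaccessible the next line runs `node lib/bin/run-analytics.js` from cron's working directory and fails with a misleading module-not-found error instead of the real cause; write it as `cd /usr/odk || exit 1`, or put `set -e` under the shebang. Redirecting to `/proc/1/fd/1` and `/proc/1/fd/2` ties the job's output to whatever PID 1 has open, which matches the pm2.config.js convention in this commit but assumes the container's PID 1 still holds the original stdout and stderr — that depends on how the container is started and is not visible here.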
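Review bot: `pm2-runtime ./pm2.config.js --instances $WORKER_COUNT` is started without `exec`, so the shell running start-odk.sh remains the parent; if that shell is the container's PID 1 (which depends on whether wait-for-it.sh execs it, outside this diff), `docker stop`'s SIGTERM reaches the shell rather than pm2-runtime, the shell does not forward it, and the container is SIGKILLed at the end of the grace period, making the 30-second `kill_timeout` in pm2.config.js unreachable. `exec pm2-runtime ./pm2.config.js --instances "$WORKER_COUNT"` hands the process slot to pm2-runtime so the signal is delivered to it directly; quoting `$WORKER_COUNT` is the usual shell hygiene for an expanded value. The computation of WORKER_COUNT is outside the hunk.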
@@ -1,11 +1,11 @@
-FROM node:12.6.0 as intermediate
+FROM node:14.17.6 as intermediate
 COPY ./ ./
 RUN files/prebuild/write-version.sh
 RUN files/prebuild/build-frontend.sh
-FROM staticfloat/nginx-certbot@sha256:113300163d871119a261738964d7d8f24a478a605d56888a82e9f45fb353698d
+FROM jonasal/nginx-certbot:2.4
 EXPOSE 80
 EXPOSE 443
diff --git a/server b/server
index 59556ece..61b1848b 160000
--- a/server
+++ b/server
@@ -1 +1 @@
-Subproject commit 59556ecea91f0a25678cd6da0084adb7e66ca099
+Subproject commit 61b1848ba169eb455477ebeb79f0ea745e6eb478
diff --git a/service.dockerfile b/service.dockerfile
index 68f201e6..24b8ec49 100644
--- a/service.dockerfile
+++ b/service.dockerfile
@@ -1,4 +1,4 @@
-FROM node:12.6.0
+FROM node:14.17.6
 WORKDIR /usr/odk
@@ -11,9 +11,11 @@ COPY files/service/crontab /etc/cron.d/odk
 COPY server/package*.json ./
 RUN npm install --production
+RUN npm install pm2 -g
 COPY server/ ./
 COPY files/service/scripts/ ./
+COPY files/service/pm2.config.js ./
 COPY files/service/config.json.template /usr/share/odk/
 COPY files/service/odk-cmd /usr/bin/
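Review bot: `FROM jonasal/nginx-certbot:2.4` replaces a digest-pinned base (`staticfloat/nginx-certbot@sha256:…`) with a mutable tag, so the content of the second build stage — including the `/scripts/start_nginx_certbot.sh` that odk-setup.sh now calls — can change between builds without any change in this repository; pin it as `FROM jonasal/nginx-certbot:2.4@sha256:<digest of the reviewed image>` and refresh the digest deliberately when bumping. The same defect is in the service.dockerfile hunk below, where `RUN npm install pm2 -g` installs whichever pm2 release is current at build time; `npm install pm2@<version> -g` fixes it. The `node:14.17.6` stage is tag-pinned to a full version, which is adequate if a digest is not wanted there.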