From b105743365e628303644aa4a0a9f2a986baea1e0 Mon Sep 17 00:00:00 2001 From: Issa Tseng Date: Wed, 11 Aug 2021 12:51:43 -0700 Subject: [PATCH 01/14] service: switch from naught to pm2 for nodejs process/cluster mgmt. --- files/service/pm2.config.js | 17 +++++++++++++++++ files/service/scripts/start-odk.sh | 3 +-- service.dockerfile | 2 ++ 3 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 files/service/pm2.config.js diff --git a/files/service/pm2.config.js b/files/service/pm2.config.js new file mode 100644 index 00000000..3bbf62dd --- /dev/null +++ b/files/service/pm2.config.js @@ -0,0 +1,17 @@ +module.exports = { + apps: [{ + name: 'service', + script: './lib/bin/run-server.js', + + // the default is 1600ms; we aren't that impatient: + kill_timeout: 30000, + + // log to stdout/stderr: + out_file: '/proc/1/fd/1', + error_file: '/proc/1/fd/2', + + // per Unitech/pm2#2045 this resolves a conflict w node-config: + instance_var: 'INSTANCE_ID' + }] +}; + diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh index 34e2fca7..e13acd98 100755 --- a/files/service/scripts/start-odk.sh +++ b/files/service/scripts/start-odk.sh @@ -18,6 +18,5 @@ fi echo "using $WORKER_COUNT worker(s) based on available memory ($MEMTOT).." echo "starting server." -mkdir -p /var/log/odk -node node_modules/naught/lib/main.js start --remove-old-ipc true --worker-count $WORKER_COUNT --daemon-mode false --log /var/log/odk/naught.log --stdout /proc/1/fd/1 --stderr /proc/1/fd/2 lib/bin/run-server.js +pm2-runtime ./pm2.config.js --instances $WORKER_COUNT diff --git a/service.dockerfile b/service.dockerfile index 68f201e6..cf7feb80 100644 --- a/service.dockerfile +++ b/service.dockerfile 
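Review bot: `kill_timeout: 30000` in pm2.config.js only gives workers a 30s graceful window if the container runtime waits that long, and Compose's default `stop_grace_period` is, as far as I know, 10s, after which the whole pid namespace is SIGKILLed; unless the service entry in docker-compose.yml raises `stop_grace_period` to 30s or more, the configured timeout is never reached. In the start-odk.sh hunk of this same patch the new `pm2-runtime ./pm2.config.js --instances $WORKER_COUNT` runs as a child of the shell, so a SIGTERM from `docker stop` reaches the script rather than pm2; `exec pm2-runtime ./pm2.config.js --instances "$WORKER_COUNT"` hands PID 1 (and the signal) to pm2 and also quotes the count. The config sets no `exec_mode`; if `--instances` on pm2-runtime does not imply cluster mode the count is silently ignored, so a comment stating which behaviour is relied on would help. How WORKER_COUNT is derived lies outside the start-odk.sh hunk.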
@@ -11,9 +11,11 @@ COPY files/service/crontab /etc/cron.d/odk COPY server/package*.json ./ RUN npm install --production +RUN npm install pm2 -g COPY server/ ./ COPY files/service/scripts/ ./ +COPY files/service/pm2.config.js ./ COPY files/service/config.json.template /usr/share/odk/ COPY files/service/odk-cmd /usr/bin/ From e0dbb2e6a6f11fc6427ee688e592191f02cd18d3 Mon Sep 17 00:00:00 2001 From: Issa Tseng Date: Wed, 11 Aug 2021 13:39:50 -0700 Subject: [PATCH 02/14] service: upgrade to node 14.17.4 for now. need to do .5 before release. * but the docker images aren't yet ready. --- service.dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/service.dockerfile b/service.dockerfile index cf7feb80..1df5a847 100644 --- a/service.dockerfile +++ b/service.dockerfile @@ -1,4 +1,4 @@ -FROM node:12.6.0 +FROM node:14.17.4 WORKDIR /usr/odk From 9a2c5ffa84b8744d945ccdc95d8899aa795919dc Mon Sep 17 00:00:00 2001 From: Issa Tseng Date: Wed, 11 Aug 2021 16:10:08 -0700 Subject: [PATCH 03/14] mail: patch exim4 for security updates. --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 3520b781..86d2907b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -10,7 +10,7 @@ services: POSTGRES_DATABASE: odk restart: always mail: - image: "itsissa/namshi-smtp:4.89-2.deb9u5" + image: "itsissa/namshi-smtp:4.92-8.deb10u6" volumes: - ./files/dkim/config:/etc/exim4/_docker_additional_macros:ro - ./files/dkim/rsa.private:/etc/exim4/domain.key:ro From 87ad90a5d45122c5e9caae6068e59c6b7f8935a0 Mon Sep 17 00:00:00 2001 From: Issa Tseng Date: Wed, 11 Aug 2021 18:02:35 -0700 Subject: [PATCH 04/14] nginx: update nginx-certbot to new fork. * i tried to switch to alpine linux but it wouldn't cooperate w the lua module deps. --- files/nginx/odk-setup.sh | 2 +- nginx.dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
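Review bot: `RUN npm install pm2 -g` fetches whatever pm2 version is current at build time, so two builds of the same commit can ship different process-manager code and there is no lockfile entry to audit for it; pin it, e.g. `RUN npm install -g pm2@<pinned-version>` (placeholder for the version this change was tested with). A one-line comment above it noting that pm2 is deliberately installed globally rather than added to server/package.json, so that `npm install --production` on the previous line does not govern it, would explain the split to the next reader. The base image and any `USER` directive are outside this hunk.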
diff --git a/files/nginx/odk-setup.sh b/files/nginx/odk-setup.sh index 7a6a9085..4a29ad23 100644 --- a/files/nginx/odk-setup.sh +++ b/files/nginx/odk-setup.sh @@ -24,7 +24,7 @@ CNAME=$([ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \ if [ "$SSL_TYPE" = "letsencrypt" ] then echo "starting nginx with certbot.." - /bin/bash /scripts/entrypoint.sh + /bin/bash /scripts/start_nginx_certbot.sh elif [ "$SSL_TYPE" = "upstream" ] then perl -i -ne 's/listen 443.*/listen 80;/; print if ! /ssl_/' /etc/nginx/conf.d/odk.conf diff --git a/nginx.dockerfile b/nginx.dockerfile index b9421bae..cbde0cc8 100644 --- a/nginx.dockerfile +++ b/nginx.dockerfile @@ -5,7 +5,7 @@ RUN files/prebuild/write-version.sh RUN files/prebuild/build-frontend.sh -FROM staticfloat/nginx-certbot@sha256:113300163d871119a261738964d7d8f24a478a605d56888a82e9f45fb353698d +FROM jonasal/nginx-certbot:2.4 EXPOSE 80 EXPOSE 443 From 2d0cea4159f59a4b3e757436220ebd50b55058ed Mon Sep 17 00:00:00 2001 From: Issa Tseng Date: Wed, 11 Aug 2021 18:02:52 -0700 Subject: [PATCH 05/14] nginx: also update frontend intermediate-build node image. --- nginx.dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx.dockerfile b/nginx.dockerfile index cbde0cc8..3465ee68 100644 --- a/nginx.dockerfile +++ b/nginx.dockerfile @@ -1,4 +1,4 @@ -FROM node:12.6.0 as intermediate +FROM node:14.17.4 as intermediate COPY ./ ./ RUN files/prebuild/write-version.sh From 7fd7cb2985a31259a2e384b31fd3f2b7f991517b Mon Sep 17 00:00:00 2001 From: Issa Tseng Date: Wed, 22 Sep 2021 13:06:27 -0700 Subject: [PATCH 06/14] deps: upgrade from node v14.17.4 to v14.17.6. --- nginx.dockerfile | 2 +- service.dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/nginx.dockerfile b/nginx.dockerfile index 3465ee68..2e3b0412 100644 --- a/nginx.dockerfile +++ b/nginx.dockerfile 
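Review bot: `FROM jonasal/nginx-certbot:2.4` in nginx.dockerfile swaps a digest-pinned base for a mutable tag, so the image this stage builds on can change silently whenever the tag is re-pushed, which is a step back from the `@sha256:…` pin on the removed line. Resolve the tag to a digest so the pin is kept, e.g. `FROM jonasal/nginx-certbot:2.4@sha256:<digest-of-the-tested-image>` (placeholder), and refresh it deliberately when upgrading. The odk-setup.sh hunk of this patch now calls `/bin/bash /scripts/start_nginx_certbot.sh`; a short comment there naming the base image that provides that path would make the coupling visible when the image is next bumped. The remainder of odk-setup.sh's branch logic is outside its hunk.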
@@ -1,4 +1,4 @@ -FROM node:14.17.4 as intermediate +FROM node:14.17.6 as intermediate COPY ./ ./ RUN files/prebuild/write-version.sh diff --git a/service.dockerfile b/service.dockerfile index 1df5a847..24b8ec49 100644 --- a/service.dockerfile +++ b/service.dockerfile @@ -1,4 +1,4 @@ -FROM node:14.17.4 +FROM node:14.17.6 WORKDIR /usr/odk From a0cd70524613c147cd13554d7270668a8095eaab Mon Sep 17 00:00:00 2001 From: Yaw Anokwa Date: Fri, 17 Sep 2021 15:55:37 -0700 Subject: [PATCH 07/14] Upgrade to Enketo v3.0.0 --- enketo.dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/enketo.dockerfile b/enketo.dockerfile index a4afdc3e..e96fcb0f 100644 --- a/enketo.dockerfile +++ b/enketo.dockerfile @@ -1,4 +1,4 @@ -FROM enketo/enketo-express:2.7.3 +FROM ghcr.io/enketo/enketo-express:3.0.0 ENV ENKETO_SRC_DIR=/srv/src/enketo_express WORKDIR ${ENKETO_SRC_DIR} @@ -15,11 +15,11 @@ COPY files/enketo/config.json.template ${ENKETO_SRC_DIR}/config/config.json COPY files/enketo/start-enketo.sh ${ENKETO_SRC_DIR}/start-enketo.sh RUN apt-get update; apt-get install gettext-base -RUN grunt -RUN npm install --production +RUN npm install +RUN grunt +RUN npm prune --production EXPOSE 8005 CMD ./start-enketo.sh - From f04973425aeadaec5eb966e92f353a36144c9199 Mon Sep 17 00:00:00 2001 From: Yaw Anokwa Date: Wed, 1 Sep 2021 14:20:28 -0700 Subject: [PATCH 08/14] Upgrade to pyxform v1.6.0 --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 3520b781..1a9fdb56 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -53,7 +53,7 @@ services: test: [ "CMD-SHELL", "nc -z localhost 80 || exit 1" ] restart: always pyxform: - image: 'getodk/pyxform-http:v1.5.1' + image: 'ghcr.io/getodk/pyxform-http:v1.6.0' restart: always secrets: volumes: From f197e5ab8c2d01c3052bacac2a12f414893f2b4e Mon Sep 17 00:00:00 2001 
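Review bot: In enketo.dockerfile, `RUN npm prune --production` in its own layer does not remove the devDependencies from the image; they were written by the preceding `RUN npm install` layer and remain in it, so the prune only hides them from the final filesystem view. Collapse the three steps into one layer and use the lockfile at the same time: `RUN npm ci && grunt && npm prune --production` (assuming the upstream image ships a package-lock.json, which `npm ci` requires). `npm install` without `ci` is free to resolve versions that differ from the lockfile, which defeats reproducible builds of the Enketo bundle. The earlier part of the Dockerfile, including the unchanged `apt-get` line shown as context, is not part of this change.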
From: Yaw Anokwa Date: Wed, 1 Sep 2021 15:59:04 -0700 Subject: [PATCH 09/14] Enable local driver for log rotation --- docker-compose.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 1a9fdb56..bef96e60 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -35,6 +35,8 @@ services: - SYSADMIN_EMAIL=${SYSADMIN_EMAIL} command: [ "./wait-for-it.sh", "postgres:5432", "--", "./start-odk.sh" ] restart: always + logging: + driver: local nginx: build: context: . @@ -52,6 +54,10 @@ services: healthcheck: test: [ "CMD-SHELL", "nc -z localhost 80 || exit 1" ] restart: always + logging: + driver: local + options: + max-file: "30" pyxform: image: 'ghcr.io/getodk/pyxform-http:v1.6.0' restart: always From fc9844d97a54cef204fab15cfc3a6b3a691fa968 Mon Sep 17 00:00:00 2001 From: Kathleen Tuite Date: Tue, 21 Sep 2021 09:32:12 -0700 Subject: [PATCH 10/14] cron job for running analytics script once a day --- files/service/crontab | 1 + files/service/scripts/run-analytics.sh | 5 +++++ 2 files changed, 6 insertions(+) create mode 100755 files/service/scripts/run-analytics.sh diff --git a/files/service/crontab b/files/service/crontab index b772aa06..08c13375 100644 --- a/files/service/crontab +++ b/files/service/crontab @@ -1,2 +1,3 @@ +0 3 * * * root /usr/odk/run-analytics.sh 0 2 * * * root /usr/odk/run-backup.sh 0 1 * * 0 root /usr/odk/reap-sessions.sh diff --git a/files/service/scripts/run-analytics.sh b/files/service/scripts/run-analytics.sh new file mode 100755 index 00000000..3358c65f --- /dev/null +++ b/files/service/scripts/run-analytics.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +cd /usr/odk +/usr/local/bin/node lib/bin/run-analytics.js >/proc/1/fd/1 2>/proc/1/fd/2 + From e886261dd39ff8e28693b9089d02be106cef0e28 Mon Sep 17 00:00:00 2001 
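Review bot: The two new `logging` stanzas in docker-compose.yml differ — nginx gets `max-file: "30"` while service relies on the `local` driver's built-in limits (to my recollection 20m per file, 5 files) — and nothing records whether the asymmetry is intended. A YAML comment above each, e.g. `# local driver rotates on its own; nginx keeps 30 files for longer access-log retention`, would preserve the reasoning. Worth a line in the commit description too: the `local` driver does not write json-file logs, so any host-side tooling that reads the container log files directly would need adjusting (hedged, since I cannot see what reads them).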
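Review bot: In run-analytics.sh the `cd /usr/odk` is unchecked, so if the directory is missing the script falls through and runs node against `lib/bin/run-analytics.js` relative to cron's working directory; write it as `cd /usr/odk || exit 1` (or pass the absolute script path). The new crontab entry runs the job as `root`, matching the neighbouring backup and session-reaping jobs; if the analytics script only needs read access to the app and a database connection, a dedicated lower-privileged user would be the safer default, though that observation applies to the existing entries as well. A header comment saying what run-analytics.js does and why it is scheduled daily at 03:00 is also missing from the new file.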
From: Yaw Anokwa Date: Sat, 25 Sep 2021 12:05:11 -0700 Subject: [PATCH 11/14] Prevent exploitable TLS v1.0 and cross-frame scripting --- files/nginx/odk.conf.template | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template index 3bacaae2..3e41049f 100644 --- a/files/nginx/odk.conf.template +++ b/files/nginx/odk.conf.template @@ -4,13 +4,17 @@ server { ssl_certificate_key /etc/${SSL_TYPE}/live/${CNAME}/privkey.pem; ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem; - ssl_protocols TLSv1.2 TLSv1.1 TLSv1; - ssl_prefer_server_ciphers on; - ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"; + # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6 + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + ssl_dhparam /etc/dh/nginx.pem; server_tokens off; - add_header Strict-Transport-Security "max-age=31536000"; + add_header Strict-Transport-Security "max-age=63072000" always; + + add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options nosniff; client_max_body_size 100m; From 2d814e7ab22bf89bef9f21d6c2af0d5059d5ab70 Mon Sep 17 00:00:00 2001 
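Review bot: `ssl_dhparam /etc/dh/nginx.pem;` references a file that nothing in this patch series creates or mounts; if it is not generated by odk-setup.sh or provided by a volume elsewhere, nginx will reject the configuration at startup, so either add the provisioning step here or add a comment saying where the file comes from. The new `X-Frame-Options` line and the existing `X-Content-Type-Options` line lack the `always` flag that the HSTS header received, so 4xx/5xx responses go out without them; `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header X-Content-Type-Options nosniff always;` close that gap. Keep in mind that nginx does not inherit `add_header` into any location block that defines its own `add_header`, so these server-level headers must be repeated in such locations; the rest of the server block is outside this hunk.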
From: Matthew White Date: Mon, 27 Sep 2021 16:11:04 -0400 Subject: [PATCH 12/14] Add Cache-Control header for /version.txt and /index.html This commit aims to prevent excessive caching of /version.txt and /index.html. Browsers will still be able to cache these files, but they must revalidate them with each request. Prior to this commit, I noticed the following behavior: - Open Frontend in a browser (I used Firefox). - Change the source, then rebuild. This will change /version.txt. - However, if you click on the Version link in the help dropdown, the old /version.txt is shown in a new tab. - Only if you refresh the new tab is the new /version.txt is shown. getodk/central-frontend#496 only works if requesting /version.txt returns the current version, reflecting any change. Adding the Cache-Control header for /version.txt seems to resolve this issue. I also added it for /index.html, which should make it unnecessary to ever force-refresh /index.html in a browser. I think Cache-Control is useful for these two files, but I don't think that it is useful for other files: - CSS and JS files from Vue will have a hash in their filenames that will change as the associated source changes. - We use a query string for cache-busting when requesting icon files. --- files/nginx/odk.conf.template | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template index 3e41049f..d614b1fc 100644 --- a/files/nginx/odk.conf.template +++ b/files/nginx/odk.conf.template @@ -49,6 +49,13 @@ server { location / { root /usr/share/nginx/html; + + location /version.txt { + add_header Cache-Control no-cache; + } + location /index.html { + add_header Cache-Control no-cache; + } } } From 8a1cac9cdf4d2b1c36092787099c1bedf9e56506 Mon Sep 17 00:00:00 2001 From: Yaw Anokwa Date: Tue, 28 Sep 2021 11:59:39 -0700 Subject: [PATCH 13/14] Upgrade to Enketo v3.0.1 --- enketo.dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
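Review bot: The nested `add_header Cache-Control no-cache;` lines switch off inheritance of every server-level `add_header` for those two responses, because nginx only inherits add_header directives into a level that defines none of its own; as a result `/index.html`, the document that bootstraps the whole Frontend, is served without Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options, which undoes the clickjacking protection the previous patch added. Repeat the server-level security headers inside each of the two nested locations (or move them into a snippet that is `include`d at both levels), and mark the duplication with a comment such as `# add_header here disables inheritance from the server block; security headers are repeated on purpose` so it is not "cleaned up" later. `no-cache` itself matches the description (cache, but revalidate on each request); `no-store` is not needed for these files. The enclosing `location /` and server block close within the hunk.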
diff --git a/enketo.dockerfile b/enketo.dockerfile index e96fcb0f..26eac125 100644 --- a/enketo.dockerfile +++ b/enketo.dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/enketo/enketo-express:3.0.0 +FROM ghcr.io/enketo/enketo-express:3.0.1 ENV ENKETO_SRC_DIR=/srv/src/enketo_express WORKDIR ${ENKETO_SRC_DIR} From 4c698a92c1d7d4f335db4fa4f2ebe97c1d6f7f7b Mon Sep 17 00:00:00 2001 From: Matthew White Date: Thu, 30 Sep 2021 14:54:53 -0400 Subject: [PATCH 14/14] Update submodules for v1.3 --- client | 2 +- server | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/client b/client index 70ec99f0..681f5671 160000 --- a/client +++ b/client @@ -1 +1 @@ -Subproject commit 70ec99f02885a06e37709db6319bfdf96fac84eb +Subproject commit 681f56713d5f9d4541b066b31e7a36efb0f7bfef diff --git a/server b/server index 59556ece..61b1848b 160000 --- a/server +++ b/server @@ -1 +1 @@ -Subproject commit 59556ecea91f0a25678cd6da0084adb7e66ca099 +Subproject commit 61b1848ba169eb455477ebeb79f0ea745e6eb478