Beautify changes by @revant (#20)

* feat: add gevent to worker image

* feat: real_ip configuration for nginx

* Return `healthcheck.sh` just for tests

Co-authored-by: Lev Vereshchagin <mail@vrslev.com>

build/nginx/nginx-template.conf

@@ -6,6 +6,12 @@ upstream socketio-server {
 	server ${SOCKETIO} fail_timeout=0;
 }
 
+# Parse the X-Forwarded-Proto header - if set - defaulting to $scheme.
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+	default $scheme;
+	https https;
+}
+
 server {
 	listen 8080;
 	server_name $http_host;
@@ -21,6 +27,10 @@ server {
 	add_header X-XSS-Protection "1; mode=block";
 	add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
 
+	set_real_ip_from ${UPSTREAM_REAL_IP_ADDRESS};
+	real_ip_header ${UPSTREAM_REAL_IP_HEADER};
+	real_ip_recursive ${UPSTREAM_REAL_IP_RECURSIVE};
+
 	location /assets {
 		try_files $uri =404;
 	}
@@ -32,6 +42,8 @@ server {
 
 	location /socket.io {
 		proxy_http_version 1.1;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "upgrade";
 		proxy_set_header X-Frappe-Site-Name ${FRAPPE_SITE_NAME_HEADER};
@@ -55,8 +67,8 @@ server {
 	}
 
 	location @webserver {
-		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 		proxy_set_header X-Frappe-Site-Name ${FRAPPE_SITE_NAME_HEADER};
 		proxy_set_header Host $host;
 		proxy_set_header X-Use-X-Accel-Redirect True;

build/worker/Dockerfile

@@ -16,7 +16,7 @@ WORKDIR /home/frappe/frappe-bench
 
 RUN pip install --no-cache-dir -U pip wheel \
     && python -m venv env \
-    && env/bin/pip install --no-cache-dir -U pip wheel
+    && env/bin/pip install --no-cache-dir -U pip wheel gevent
 USER root
 
 
@@ -85,7 +85,7 @@ RUN apt-get update \
     xvfb \
     libfontconfig \
     wkhtmltopdf \
-    # For healthcheck.sh in helm chart
+    # For healthcheck
     wait-for-it \
     jq \
     # other
@@ -95,8 +95,8 @@ USER frappe
 
 COPY pretend-bench.sh /usr/local/bin/bench
 COPY push_backup.py /usr/local/bin/push-backup
-# healthcheck.sh used in helm chart
-COPY configure.py patched_bench_helper.py healthcheck.sh /usr/local/bin/
+COPY configure.py patched_bench_helper.py /usr/local/bin/
+COPY gevent_patch.py /opt/patches/
 
 WORKDIR /home/frappe/frappe-bench/sites
 

build/worker/gevent_patch.py

@@ -0,0 +1,3 @@
+import gevent.monkey
+
+gevent.monkey.patch_all()

compose.yaml

@@ -34,6 +34,9 @@ services:
       BACKEND: backend:8000
       SOCKETIO: websocket:9000
       FRAPPE_SITE_NAME_HEADER: ${FRAPPE_SITE_NAME_HEADER:-$$host}
+      UPSTREAM_REAL_IP_ADDRESS: ${UPSTREAM_REAL_IP_ADDRESS:-127.0.0.1}
+      UPSTREAM_REAL_IP_HEADER: ${UPSTREAM_REAL_IP_HEADER:-X-Forwarded-For}
+      UPSTREAM_REAL_IP_RECURSIVE: ${UPSTREAM_REAL_IP_RECURSIVE:-off}
     volumes:
       - sites:/usr/share/nginx/html/sites
       - assets:/usr/share/nginx/html/assets

example.env

@@ -20,9 +20,22 @@ REDIS_SOCKETIO=
 # Only with HTTPS override
 LETSENCRYPT_EMAIL=mail@example.com
 
-# This environment variable is not required. Default value is `$$host` which resolves site by host.
-# For example, if your host is `example.com`, site's name should be `example.com`,
-# or if host is `127.0.0.1` (local debugging), it should be `127.0.0.1` This variable allows
-# to override described behavior. Let's say you create site named `mysite`
+# These environment variables are not required.
+
+# Default value is `$$host` which resolves site by host. For example, if your host is `example.com`,
+# site's name should be `example.com`, or if host is `127.0.0.1` (local debugging), it should be `127.0.0.1`.
+# This variable allows to override described behavior. Let's say you create site named `mysite`
 # and do want to access it by `127.0.0.1` host. Than you would set this variable to `mysite`.
 FRAPPE_SITE_NAME_HEADER=
+
+# Default value is `127.0.0.1`. Set IP address as our trusted upstream address.
+UPSTREAM_REAL_IP_ADDRESS=
+
+# Default value is `X-Forwarded-For`. Set request header field whose value will be used to replace the client address
+UPSTREAM_REAL_IP_HEADER=
+
+# Allowed values are on|off. Default value is `off`. If recursive search is disabled,
+# the original client address that matches one of the trusted addresses
+# is replaced by the last address sent in the request header field defined by the real_ip_header directive.
+# If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field.
+UPSTREAM_REAL_IP_RECURSIVE=

tests/main.py

@@ -155,9 +155,10 @@ def create_containers():
 @log("Check if Python services have connections")
 def ping_links_in_backends():
     for service in BACKEND_SERVICES:
+        docker_compose("cp", "tests/healthcheck.sh", f"{service}:/tmp/")
         for _ in range(10):
             try:
-                docker_compose_exec(service, "healthcheck.sh")
+                docker_compose_exec(service, "bash", "/tmp/healthcheck.sh")
                 break
             except subprocess.CalledProcessError:
                 sleep(1)