From c2d57c8ce0371dd0b1c32426ea46e008d861acce Mon Sep 17 00:00:00 2001
From: Revant Nandgaonkar
Date: Sun, 20 Feb 2022 21:29:26 +0530
Subject: [PATCH] Beautify changes by @revant (#20)

* feat: add gevent to worker image
* feat: real_ip configuration for nginx
* Return `healthcheck.sh` just for tests

Co-authored-by: Lev Vereshchagin
---
 build/nginx/nginx-template.conf | 16 ++++++++++++++--
 build/worker/Dockerfile | 8 ++++----
 build/worker/gevent_patch.py | 3 +++
 compose.yaml | 3 +++
 example.env | 21 +++++++++++++++++----
 {build/worker => tests}/healthcheck.sh | 0
 tests/main.py | 3 ++-
 7 files changed, 43 insertions(+), 11 deletions(-)
 create mode 100644 build/worker/gevent_patch.py
 rename {build/worker => tests}/healthcheck.sh (100%)

diff --git a/build/nginx/nginx-template.conf b/build/nginx/nginx-template.conf
index 42547fe0..be55ac47 100644
--- a/build/nginx/nginx-template.conf
+++ b/build/nginx/nginx-template.conf
@@ -6,6 +6,12 @@ upstream socketio-server {
 server ${SOCKETIO} fail_timeout=0;
 }
 
+# Parse the X-Forwarded-Proto header - if set - defaulting to $scheme.
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $scheme;
+ https https;
+}
+
 server {
 listen 8080;
 server_name $http_host;
@@ -21,6 +27,10 @@ server {
 add_header X-XSS-Protection "1; mode=block";
 add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
 
+ set_real_ip_from ${UPSTREAM_REAL_IP_ADDRESS};
+ real_ip_header ${UPSTREAM_REAL_IP_HEADER};
+ real_ip_recursive ${UPSTREAM_REAL_IP_RECURSIVE};
+
 location /assets {
 try_files $uri =404;
 }
@@ -32,6 +42,8 @@ server {
 
 location /socket.io {
 proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 proxy_set_header X-Frappe-Site-Name ${FRAPPE_SITE_NAME_HEADER};
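Review bot: The new `map` in the first hunk honours `X-Forwarded-Proto` from whichever peer connects to port 8080, so a client that can reach nginx without passing through the proxy can send `X-Forwarded-Proto: https` and the backend will treat a plaintext request as TLS-terminated; unlike `$remote_addr`, which only a peer listed in `set_real_ip_from` may rewrite, nothing restricts this header. That is fine when the proxy in front always overwrites the header, but the template should say so: `# Honoured from any peer: the proxy in front of nginx must always set or strip X-Forwarded-Proto.`. If direct access to 8080 is possible, key the map on `$realip_remote_addr` together with the header so only the trusted proxy's value is used.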
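Review bot: `set_real_ip_from ${UPSTREAM_REAL_IP_ADDRESS}` in the second hunk is the only thing standing between a client-supplied header and `$remote_addr` (which everything downstream in this server block reads), and the directive takes exactly one address or CIDR, so the template supports a single trusted hop and any value wider than the proxy itself lets every client choose its own address. A one-line comment would keep operators from widening it casually: `# Only this peer may rewrite $remote_addr from ${UPSTREAM_REAL_IP_HEADER}; one address or CIDR, never a range clients can connect from.`. Several proxies need one `set_real_ip_from` line each, which a single substituted variable cannot express.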
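Review bot: `$proxy_add_x_forwarded_for` in the third hunk (and the identical change in the `@webserver` hunk) forwards the client-supplied `X-Forwarded-For` chain verbatim with the peer address appended, whereas the previous `$remote_addr` forwarded only the address nginx itself had established; a client sending `X-Forwarded-For: <chosen address>` now reaches the backend as `<chosen address>, <real address>`, so the backend is only safe if it takes the rightmost entry or knows how many trusted hops to skip, and how Frappe parses it is not visible here. Note also that once the realip module has rewritten `$remote_addr`, the appended value is the same client address the header already carries. If the goal is just to pass the validated client address through, keeping `proxy_set_header X-Forwarded-For $remote_addr;` alongside `set_real_ip_from` does that without forwarding untrusted hops.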
@@ -55,8 +67,8 @@ server {
 }
 
 location @webserver {
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 proxy_set_header X-Frappe-Site-Name ${FRAPPE_SITE_NAME_HEADER};
 proxy_set_header Host $host;
 proxy_set_header X-Use-X-Accel-Redirect True;
diff --git a/build/worker/Dockerfile b/build/worker/Dockerfile
index bb42fe87..86ac846e 100644
--- a/build/worker/Dockerfile
+++ b/build/worker/Dockerfile
@@ -16,7 +16,7 @@ WORKDIR /home/frappe/frappe-bench
 
 RUN pip install --no-cache-dir -U pip wheel \
 && python -m venv env \
- && env/bin/pip install --no-cache-dir -U pip wheel
+ && env/bin/pip install --no-cache-dir -U pip wheel gevent
 
 USER root
 
@@ -85,7 +85,7 @@ RUN apt-get update \
 xvfb \
 libfontconfig \
 wkhtmltopdf \
- # For healthcheck.sh in helm chart
+ # For healthcheck
 wait-for-it \
 jq \
 # other
@@ -95,8 +95,8 @@ USER frappe
 
 COPY pretend-bench.sh /usr/local/bin/bench
 COPY push_backup.py /usr/local/bin/push-backup
-# healthcheck.sh used in helm chart
-COPY configure.py patched_bench_helper.py healthcheck.sh /usr/local/bin/
+COPY configure.py patched_bench_helper.py /usr/local/bin/
+COPY gevent_patch.py /opt/patches/
 
 WORKDIR /home/frappe/frappe-bench/sites
 
diff --git a/build/worker/gevent_patch.py b/build/worker/gevent_patch.py
new file mode 100644
index 00000000..09f65ce7
--- /dev/null
+++ b/build/worker/gevent_patch.py
@@ -0,0 +1,3 @@
+import gevent.monkey
+
+gevent.monkey.patch_all()
diff --git a/compose.yaml b/compose.yaml
index a37286f6..da3decfd 100644
--- a/compose.yaml
+++ b/compose.yaml
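Review bot: `gevent` is added to the venv unpinned in the first Dockerfile hunk, so each image build resolves whatever release is current on PyPI and two builds of the same Dockerfile can ship different gevent versions; pip and wheel are already upgraded the same way, but they are build tools, whereas gevent is a runtime dependency with a C extension and monkey-patching behaviour that changes between releases. Pin it, e.g. `&& env/bin/pip install --no-cache-dir -U pip wheel gevent==<pinned version>`, and record the pin wherever the bench's other requirements are tracked.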
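Review bot: `COPY gevent_patch.py /opt/patches/` in the third Dockerfile hunk lands the file in the image, but nothing in this commit imports or references `/opt/patches`, so a reader cannot tell how, or whether, the patch is applied — presumably a worker command or `PYTHONPATH` set elsewhere. Add a comment above the COPY naming the consumer, e.g. `# gevent_patch.py is loaded by <worker entrypoint/config> and must be imported before anything else`. Without it a later cleanup can drop the file or its loader independently and silently leave the worker unpatched.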
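Review bot: `gevent.monkey.patch_all()` runs as a module-level side effect, and gevent's patching of `ssl`, `socket` and `threading` only takes full effect when this module is imported before those modules anywhere in the process (gevent itself warns when `ssl` is already imported); the three-line file carries no docstring stating that ordering constraint or who imports it. Add a module docstring along the lines of `"""Apply gevent monkey-patching; must be the first import of the worker process (shipped to /opt/patches/ by the worker Dockerfile)."""` so the constraint survives the next refactor of the entrypoint.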
@@ -34,6 +34,9 @@ services:
 BACKEND: backend:8000
 SOCKETIO: websocket:9000
 FRAPPE_SITE_NAME_HEADER: ${FRAPPE_SITE_NAME_HEADER:-$$host}
+ UPSTREAM_REAL_IP_ADDRESS: ${UPSTREAM_REAL_IP_ADDRESS:-127.0.0.1}
+ UPSTREAM_REAL_IP_HEADER: ${UPSTREAM_REAL_IP_HEADER:-X-Forwarded-For}
+ UPSTREAM_REAL_IP_RECURSIVE: ${UPSTREAM_REAL_IP_RECURSIVE:-off}
 volumes:
 - sites:/usr/share/nginx/html/sites
 - assets:/usr/share/nginx/html/assets
diff --git a/example.env b/example.env
index d5d94195..be5a43ec 100644
--- a/example.env
+++ b/example.env
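Review bot: The `UPSTREAM_REAL_IP_ADDRESS` default of `127.0.0.1` in this hunk will, as far as I can tell, never match a proxy container (services on a compose network reach each other over their network addresses, not loopback), so out of the box the realip directives are present but inert and `$remote_addr` stays the peer address — fail-safe, but easy to misread as working. A comment would make the intent explicit: `# real_ip is effectively off until this is set to the address/CIDR of the proxy in front of nginx; keep it as narrow as possible.`. The value is substituted unquoted into the nginx template, so it must be a single address or CIDR.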
@@ -20,9 +20,22 @@ REDIS_SOCKETIO=
 # Only with HTTPS override
 LETSENCRYPT_EMAIL=mail@example.com
 
-# This environment variable is not required. Default value is `$$host` which resolves site by host.
-# For example, if your host is `example.com`, site's name should be `example.com`,
-# or if host is `127.0.0.1` (local debugging), it should be `127.0.0.1` This variable allows
-# to override described behavior. Let's say you create site named `mysite`
+# These environment variables are not required.
+
+# Default value is `$$host` which resolves site by host. For example, if your host is `example.com`,
+# site's name should be `example.com`, or if host is `127.0.0.1` (local debugging), it should be `127.0.0.1`.
+# This variable allows to override described behavior. Let's say you create site named `mysite`
 # and do want to access it by `127.0.0.1` host. Than you would set this variable to `mysite`.
 FRAPPE_SITE_NAME_HEADER=
+
+# Default value is `127.0.0.1`. Set IP address as our trusted upstream address.
+UPSTREAM_REAL_IP_ADDRESS=
+
+# Default value is `X-Forwarded-For`. Set request header field whose value will be used to replace the client address
+UPSTREAM_REAL_IP_HEADER=
+
+# Allowed values are on|off. Default value is `off`. If recursive search is disabled,
+# the original client address that matches one of the trusted addresses
+# is replaced by the last address sent in the request header field defined by the real_ip_header directive.
+# If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the request header field.
+UPSTREAM_REAL_IP_RECURSIVE=
diff --git a/build/worker/healthcheck.sh b/tests/healthcheck.sh
similarity index 100%
rename from build/worker/healthcheck.sh
rename to tests/healthcheck.sh
diff --git a/tests/main.py b/tests/main.py
index 57f84bcb..9c99352e 100644
--- a/tests/main.py
+++ b/tests/main.py
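Review bot: The comment for `UPSTREAM_REAL_IP_ADDRESS` ("Set IP address as our trusted upstream address") does not say what trusting it means: nginx replaces the client address with whatever that peer puts in `UPSTREAM_REAL_IP_HEADER`, so pointing it at a range that ordinary clients can connect from lets each client pick its own address. Reword it to, e.g., `# Default value is 127.0.0.1. Address (or CIDR) of the reverse proxy in front of nginx; only requests from it may rewrite the client address, so never set it to a range clients can reach nginx from.`. The `UPSTREAM_REAL_IP_HEADER` comment is also missing its final full stop.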
@@ -155,9 +155,10 @@ def create_containers():
 @log("Check if Python services have connections")
 def ping_links_in_backends():
 for service in BACKEND_SERVICES:
+ docker_compose("cp", "tests/healthcheck.sh", f"{service}:/tmp/")
 for _ in range(10):
 try:
- docker_compose_exec(service, "healthcheck.sh")
+ docker_compose_exec(service, "bash", "/tmp/healthcheck.sh")
 break
 except subprocess.CalledProcessError:
 sleep(1)