better docker

INSTALLATION.md

@@ -242,3 +242,21 @@ To build all css files, run `gulp css`. For some situations, such as adding or r
 For detecting and automatically updating Tor exit node lists, see [tools/update_tor_exits.sh](tools/update_tor_exits.sh)
 
 For updating the GeoIP database for nginx, see [tools/update_geoip.sh](tools/update_geoip.sh)
+
+
+#### Docker
+
+Experimental, strictly for development only.
+
+Basically:
+
+```bash
+docker-compose up -d mongodb redis
+
+#on the first run, or to "gulp reset" later:
+docker-compose up jschan-reset
+
+docker-compose up -d jschan
+
+docker-compose up -d nginx
+```

docker/jschan-Dockerfile

@@ -1,16 +0,0 @@
-FROM node:16
-
-WORKDIR /opt
-ENV NODE_ENV development
-
-COPY . /opt/
-COPY ./docker/secrets.js /opt/configs/secrets.js
-
-RUN npm install
-RUN npm run-script setup
-RUN gulp reset
-RUN gulp
-
-EXPOSE 7000
-
-CMD [ "pm2-runtime", "start", "ecosystem.config.js" ]

docker/jschan/Dockerfile

@@ -0,0 +1,18 @@
+FROM node:16
+
+RUN apt-get update -y
+RUN apt-get install ffmpeg imagemagick graphicsmagick -y
+
+WORKDIR /opt
+
+COPY . .
+
+RUN npm install
+
+RUN npm install -g pm2 gulp
+
+RUN rm /opt/gulp/res/js/socket.io.js
+
+COPY ./docker/jschan/secrets.js ./configs/secrets.js
+
+CMD ["/bin/sh", "-c", "gulp; pm2-runtime start ecosystem.config.js"]

docker/jschan/Dockerfile-reset

@@ -0,0 +1,18 @@
+FROM node:16
+
+WORKDIR /opt
+
+COPY . .
+RUN npm install
+RUN npm i -g pm2 gulp
+
+RUN rm /opt/gulp/res/js/socket.io.js
+
+COPY ./docker/jschan/secrets.js ./configs/secrets.js
+
+#i fucking hate docker
+ENV MONGO_USERNAME jschan
+ENV MONGO_PASSWORD changeme
+ENV REDIS_PASSWORD changeme
+
+CMD ["/bin/sh", "-c", "gulp reset; gulp"]

docker/jschan/secrets.js

@@ -0,0 +1,40 @@
+module.exports = {
+
+	//mongodb connection string
+	dbURL: `mongodb://${process.env.MONGO_USERNAME}:${process.env.MONGO_PASSWORD}@mongodb:27017`,
+
+	//database name
+	dbName: 'jschan',
+
+	//redis connection info
+	redis: {
+		host: 'redis',
+		port: '6379',
+		password: process.env.REDIS_PASSWORD,
+	},
+
+	//backend webserver port
+	port: 7000,
+
+	//secrets/salts for various things
+	cookieSecret: process.env.COOKIE_SECRET,
+	tripcodeSecret: process.env.TRIPCODE_SECRET,
+	ipHashSecret: process.env.IP_HASH_SECRET,
+	postPasswordSecret: process.env.POST_PASSWORD_SECRET,
+
+	//keys for google recaptcha
+	google: {
+		siteKey: process.env.GOOGLE_SITEKEY,
+		secretKey: process.env.GOOGLE_SECRETKEY,
+	},
+
+	//keys for hcaptcha
+	hcaptcha: {
+		siteKey: process.env.HCAPTCHA_SITEKEY,
+		secretKey: process.env.HCAPTCHA_SECRETKEY,
+	},
+
+	//enable debug logging
+	debugLogs: true,
+
+};

docker/jschan_clearnet_routes.conf

@@ -1,40 +0,0 @@
-location / {
-	proxy_buffering off;
-	proxy_pass http://chan$request_uri;
-	proxy_http_version 1.1;
-
-	proxy_set_header Host $host;
-	proxy_set_header Upgrade $http_upgrade;
-	proxy_set_header Connection 'upgrade';
-	proxy_cache_bypass $http_upgrade;
-
-	proxy_set_header X-Forwarded-Proto https;
-	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_set_header X-Real-IP $remote_addr;
-	proxy_set_header X-Country-Code 'XX';
-}
-
-location @backend {
-	proxy_buffering off;
-	proxy_pass http://chan$request_uri;
-	proxy_http_version 1.1;
-	proxy_set_header X-Forwarded-Proto https;
-	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_set_header X-Real-IP $remote_addr;
-	proxy_set_header X-Country-Code 'XX';
-	proxy_set_header Connection '';
-	proxy_set_header Host $host;
-}
-
-location @backend-private {
-	include /etc/nginx/snippets/security_headers_nocache.conf;
-	proxy_buffering off;
-	proxy_pass http://chan$request_uri;
-	proxy_http_version 1.1;
-	proxy_set_header X-Forwarded-Proto https;
-	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	proxy_set_header X-Real-IP $remote_addr;
-	proxy_set_header X-Country-Code 'XX';
-	proxy_set_header Connection '';
-	proxy_set_header Host $host;
-}

docker/nginx/Dockerfile

@@ -0,0 +1,88 @@
+FROM nginx:mainline as builder
+
+ARG ENABLED_MODULES
+
+RUN set -ex \
+    && if [ "$ENABLED_MODULES" = "" ]; then \
+        echo "No additional modules enabled, exiting"; \
+        exit 1; \
+    fi
+
+#COPY ./ /modules/
+
+RUN set -ex \
+    && apt update \
+    && apt install -y --no-install-suggests --no-install-recommends \
+                patch make wget mercurial devscripts debhelper dpkg-dev \
+                quilt lsb-release build-essential libxml2-utils xsltproc \
+                equivs git g++ \
+    && hg clone -r ${NGINX_VERSION}-${PKG_RELEASE%%~*} https://hg.nginx.org/pkg-oss/ \
+    && cd pkg-oss \
+    && mkdir /tmp/packages \
+    && for module in $ENABLED_MODULES; do \
+        echo "Building $module for nginx-$NGINX_VERSION"; \
+        if [ -d /modules/$module ]; then \
+            echo "Building $module from user-supplied sources"; \
+            # check if module sources file is there and not empty
+            if [ ! -s /modules/$module/source ]; then \
+                echo "No source file for $module in modules/$module/source, exiting"; \
+                exit 1; \
+            fi; \
+            # some modules require build dependencies
+            if [ -f /modules/$module/build-deps ]; then \
+                echo "Installing $module build dependencies"; \
+                apt update && apt install -y --no-install-suggests --no-install-recommends $(cat /modules/$module/build-deps | xargs); \
+            fi; \
+            # if a module has a build dependency that is not in a distro, provide a
+            # shell script to fetch/build/install those
+            # note that shared libraries produced as a result of this script will
+            # not be copied from the builder image to the main one so build static
+            if [ -x /modules/$module/prebuild ]; then \
+                echo "Running prebuild script for $module"; \
+                /modules/$module/prebuild; \
+            fi; \
+            /pkg-oss/build_module.sh -v $NGINX_VERSION -f -y -o /tmp/packages -n $module $(cat /modules/$module/source); \
+            BUILT_MODULES="$BUILT_MODULES $(echo $module | tr '[A-Z]' '[a-z]' | tr -d '[/_\-\.\t ]')"; \
+        elif make -C /pkg-oss/debian list | grep -P "^$module\s+\d" > /dev/null; then \
+            echo "Building $module from pkg-oss sources"; \
+            cd /pkg-oss/debian; \
+            make rules-module-$module BASE_VERSION=$NGINX_VERSION NGINX_VERSION=$NGINX_VERSION; \
+            mk-build-deps --install --tool="apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends --yes" debuild-module-$module/nginx-$NGINX_VERSION/debian/control; \
+            make module-$module BASE_VERSION=$NGINX_VERSION NGINX_VERSION=$NGINX_VERSION; \
+            find ../../ -maxdepth 1 -mindepth 1 -type f -name "*.deb" -exec mv -v {} /tmp/packages/ \;; \
+            BUILT_MODULES="$BUILT_MODULES $module"; \
+        else \
+            echo "Don't know how to build $module module, exiting"; \
+            exit 1; \
+        fi; \
+    done \
+    && echo "BUILT_MODULES=\"$BUILT_MODULES\"" > /tmp/packages/modules.env
+
+FROM nginx:mainline
+COPY --from=builder /tmp/packages /tmp/packages
+RUN set -ex \
+    && apt update \
+    && apt-get install wget -y \
+    && . /tmp/packages/modules.env \
+    && for module in $BUILT_MODULES; do \
+           apt install --no-install-suggests --no-install-recommends -y /tmp/packages/nginx-module-${module}_${NGINX_VERSION}*.deb; \
+       done \
+    && rm -rf /tmp/packages \
+    && rm -rf /var/lib/apt/lists/
+
+RUN mkdir /usr/share/GeoIP
+RUN wget https://dl.miyuru.lk/geoip/dbip/country/dbip.dat.gz
+RUN gunzip dbip.dat.gz
+RUN mv dbip.dat /usr/share/GeoIP/GeoIP.dat
+
+RUN rm /etc/nginx/conf.d/default.conf
+
+COPY ./docker/nginx/nginx.conf /etc/nginx/nginx.conf
+
+COPY ./docker/nginx/jschan.conf /etc/nginx/conf.d/
+
+COPY ./configs/nginx/snippets/ /etc/nginx/snippets/
+
+EXPOSE 80
+
+CMD ["nginx", "-g", "daemon off;"]

docker/nginx/jschan.conf

@@ -6,8 +6,8 @@ server {
 	server_name _;
 	client_max_body_size 0;
 
-	listen 81;
-	listen [::]:81;
+	listen 80;
+	listen [::]:80;
 
 	include /etc/nginx/snippets/security_headers.conf;
 	include /etc/nginx/snippets/error_pages.conf;

docker/nginx/nginx.conf

@@ -0,0 +1,44 @@
+load_module /etc/nginx/modules/ngx_http_geoip_module-debug.so;
+
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 1000;
+}
+
+http {
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+	geoip_country /usr/share/GeoIP/GeoIP.dat;
+
+	map_hash_max_size 4096;
+	map_hash_bucket_size 256;
+
+	aio threads;
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	server_tokens off;
+	types_hash_max_size 2048;
+	server_names_hash_bucket_size 128;
+	client_max_body_size 0;
+
+	#proxy_request_buffering off;
+
+	log_format custom '[$time_local] $remote_addr $status "$request" "$http_referer" "$http_user_agent" $bytes_sent';
+	access_log /var/log/nginx/access.log custom;
+	error_log /var/log/nginx/error.log;
+
+	gzip on;
+	#gzip_vary off;
+	gzip_comp_level 6;
+	gzip_proxied any;
+	gzip_types text/plain text/css text/js text/xml text/javascript image/x-icon application/javascript application/json application/xml application/rss+xml image/svg+xml;
+
+	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	include /etc/nginx/conf.d/*;
+
+}

docker/secrets.js

@@ -1,40 +0,0 @@
-module.exports = {
-
-	//mongodb connection string
-	dbURL: 'mongodb://mongodb:27017',
-
-	//database name
-	dbName: 'jschan',
-
-	//redis connection info
-	redis: {
-		host: 'redis',
-		port: '6379',
-		password: ''
-	},
-
-	//backend webserver port
-	port: 7000,
-
-	//secrets/salts for various things
-	cookieSecret: 'changeme',
-	tripcodeSecret: 'changeme',
-	ipHashSecret: 'changeme',
-	postPasswordSecret: 'changeme',
-
-	//keys for google recaptcha
-	google: {
-		siteKey: 'changeme',
-		secretKey: 'changeme'
-	},
-
-	//keys for hcaptcha
-	hcaptcha: {
-		siteKey: '10000000-ffff-ffff-ffff-000000000001',
-		secretKey: '0x0000000000000000000000000000000000000000'
-	},
-
-	//enable debug logging
-	debugLogs: true,
-
-};