Use HTTPS in development mode

2020-07-16 15:20:07 +02:00 · 2020-07-16 15:20:07 +02:00 · 79ddac9da8
commit 79ddac9da8
parent e47b5fff17
13 changed files with 72 additions and 24 deletions
--- a/.gitignore
+++ b/.gitignore
@ -8,6 +8,9 @@
 .env
 *.code-workspace
 # certs
 *.pem
 # Old OS3 files and folders
 .coverage
 .mypy_cache
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@ -1,10 +1,30 @@
 # Development of OpenSlides 4
 ## Requirements
 You need git, bash, docker, docker-compose, make and go installed.
 Go is needed to install https://github.com/FiloSottile/mkcert. The development setup uses HTTPS per default. OpenSlides does not work with HTTP anymore since features are required (like http2) that only works in a secure environment.
 ## First time checkout
-After cloning the repository you need to initialize all submodules, before you can start the development setup
+Clone this repository:
    $ git clone git@github.com:OpenSlides/OpenSlides.git
    $ git checkout openslides4-dev
 TODO: use `--recurse-submodules`, when master is OS4
 After checking out the os4-branch you need to initialize all submodules and install a root-cert:
    $ git submodule update --init
    $ go get https://github.com/FiloSottile/mkcert
    $ sudo mkcert -install
 If you get an error, you might need to install `certutil`. For Debian: `sudo apt install libnss3-tools`.
 Finally, start the dev server:
    $ make run-dev
 ## Running tests
--- a/3
+++ b/3
@ -26,3 +26,6 @@ build-prod:
 run-prod: | build-prod
 	docker-compose -f docker-compose.yml -f docker-compose.prod.yml up
 reload-haproxy:
 	docker-compose -f docker-compose.yml -f docker-compose.dev.yml kill -s HUP haproxy
--- a/README.md
+++ b/README.md
@ -18,6 +18,8 @@ Read more about our [concept of OpenSlides 4.0](https://github.com/OpenSlides/Op
 ## Installation
 NOTE: Do not use prod at the moment. It will not work. Please refer to the DEVELOPMENT.md!
 Required software: Docker, docker-compose, make, git
 For a non-development setup, clone this repo and run it via docker compose. The make command is a handy shortcut for this:
--- a/haproxy/Dockerfile
+++ b/haproxy/Dockerfile
@ -1,4 +1,4 @@
-FROM haproxy
+FROM haproxy:2.0-alpine
 COPY src/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
 COPY src/prod-haproxy.cfg /usr/local/etc/haproxy/prod-haproxy.cfg
 CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg", "-f", "/usr/local/etc/haproxy/prod-haproxy.cfg"]
--- a/haproxy/Dockerfile.dev
+++ b/haproxy/Dockerfile.dev
@ -1,4 +1,5 @@
-FROM haproxy
+FROM haproxy:2.0-alpine
 COPY src/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
 COPY src/dev-haproxy.cfg /usr/local/etc/haproxy/dev-haproxy.cfg
 COPY src/combined.pem /usr/local/etc/haproxy/combined.pem
 CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg", "-f", "/usr/local/etc/haproxy/dev-haproxy.cfg"]
--- a/haproxy/Makefile
+++ b/haproxy/Makefile
@ -1,2 +1,3 @@
 build-dev:
 	./prepare-cert.sh
 	docker build -t openslides-haproxy-dev -f Dockerfile.dev .
--- a/haproxy/prepare-cert.sh
+++ b/haproxy/prepare-cert.sh
@ -0,0 +1,17 @@
 #!/bin/bash
 set -e
 cd "$(dirname "$0")"
 # check, if we already generated a cert
 combined="src/combined.pem"
 if [[ ! -f $combined ]]; then
    echo "Creating certificates..."
    cd src
    mkcert -cert-file localhost.pem -key-file localhost-key.pem localhost 127.0.0.1
    cat localhost.pem localhost-key.pem > combined.pem
    echo "done"
 else
    echo "Certificate exists."
 fi
--- a/haproxy/src/dev-haproxy.cfg
+++ b/haproxy/src/dev-haproxy.cfg
@ -1,5 +1,4 @@
 backend backend_client
    mode http
    timeout tunnel 1h
    server client client:9001 resolvers docker_resolver no-check
    timeout server 60s
    timeout connect 60s
--- a/haproxy/src/haproxy.cfg
+++ b/haproxy/src/haproxy.cfg
@ -1,12 +1,23 @@
 global
    log stdout  format raw  local0  debug
-frontend http
+defaults
-    bind *:8000
+    option http-use-htx
    timeout connect 10s
    timeout client 10s
    timeout client-fin 10s
    timeout server 10s
    timeout server-fin 10s
    timeout check 10s
    timeout tunnel 10s
    log global
    option httplog
 frontend https
    mode http
-    option http-keep-alive
+    bind *:8000 ssl crt /usr/local/etc/haproxy/combined.pem alpn h2,http/1.1
    default_backend backend_client  # this is defined in the dev-*/prod-* file
    timeout client 60s
    acl action path_beg -i /system/action
    use_backend backend_action if action
@ -30,23 +41,16 @@ resolvers docker_resolver
 backend backend_action
    mode http
    server action backend:9002 resolvers docker_resolver check
    timeout connect 60s
    timeout server 60s
 backend backend_presenter
    mode http
    server presenter backend:9003 resolvers docker_resolver check
    timeout connect 60s
    timeout server 60s
 backend backend_autoupdate
    mode http
-    server autoupdate autoupdate:9012 resolvers docker_resolver check
+    timeout server 1h
-    timeout connect 60s
+    server autoupdate autoupdate:9012 resolvers docker_resolver check ssl verify none alpn h2
    timeout server 60s
 backend backend_auth
    mode http
    server auth auth:9004 resolvers docker_resolver check
    timeout connect 60s
    timeout server 60s
--- a/haproxy/src/prod-haproxy.cfg
+++ b/haproxy/src/prod-haproxy.cfg
@ -1,5 +1,3 @@
 backend backend_client
    mode http
    server client client:9001 resolvers docker_resolver check
    timeout server 60s
    timeout connect 60s
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 94c3da7f70c76931cf426ea199eada3639dd27af
+Subproject commit ce94d13217edc72f7d53e94fb93864d183cb53d3
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 065b42afff8a3bbd5568b1557f965363a97542c0
+Subproject commit 197d552083287d418387556b99a755fa81abb29a
		`@ -1 +1 @@`
			`Subproject commit 94c3da7f70c76931cf426ea199eada3639dd27af`				`Subproject commit ce94d13217edc72f7d53e94fb93864d183cb53d3`
		`@ -1 +1 @@`
			`Subproject commit 065b42afff8a3bbd5568b1557f965363a97542c0`				`Subproject commit 197d552083287d418387556b99a755fa81abb29a`