From f228eb4f3e3075c52a7755b3b92816d440331c17 Mon Sep 17 00:00:00 2001
From: GeorgeC
Date: Tue, 19 Dec 2023 15:48:56 -0500
Subject: [PATCH] Remove virtual host configuration files

Virtual host configuration files have been removed from all relevant Dockerfiles for the PIC-SURE platform. This step simplifies the configuration by eliminating files that were previously copied into the Docker images. The necessary directives are instead being added directly in the Dockerfiles.
---
 biodatacatalyst-ui/Dockerfile | 3 -
 biodatacatalyst-ui/httpd-vhosts-dev.conf | 101 --------------------
 biodatacatalyst-ui/httpd-vhosts.conf | 113 -----------------------
 3 files changed, 217 deletions(-)
 delete mode 100644 biodatacatalyst-ui/httpd-vhosts-dev.conf
 delete mode 100644 biodatacatalyst-ui/httpd-vhosts.conf

diff --git a/biodatacatalyst-ui/Dockerfile b/biodatacatalyst-ui/Dockerfile
index bc6eed02..209198b5 100644
--- a/biodatacatalyst-ui/Dockerfile
+++ b/biodatacatalyst-ui/Dockerfile
@@ -15,9 +15,6 @@ FROM httpd:2.4.53-alpine as base
 ARG FILE_SUFFIX
 ENV FILE_SUFFIX=${FILE_SUFFIX}
 
-# Replace virtual host config file with ours
-COPY httpd-vhosts.conf ${HTTPD_PREFIX}/conf/extra/httpd-vhosts.conf
-
 # Enable virtual hosting config file
 RUN sed -i '/^#Include conf.extra.httpd-vhosts.conf/s/^#//' ${HTTPD_PREFIX}/conf/httpd.conf
 
diff --git a/biodatacatalyst-ui/httpd-vhosts-dev.conf b/biodatacatalyst-ui/httpd-vhosts-dev.conf
deleted file mode 100644
index faefee38..00000000
--- a/biodatacatalyst-ui/httpd-vhosts-dev.conf
+++ /dev/null
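Review bot: With the `COPY httpd-vhosts.conf …` line gone, the `RUN sed -i '/^#Include conf.extra.httpd-vhosts.conf/s/^#//' …` that follows it now enables the base image's stock example `conf/extra/httpd-vhosts.conf` (dummy example hosts on port 80) rather than the project's hardened one, and nothing in this hunk replaces it. The deleted file carried the TLS protocol and cipher settings, the `Listen 443` and certificate directives, the `Strict-Transport-Security`, `Content-Security-Policy`, `X-Frame-Options` and `X-Content-Type-Options` headers, the TRACE/TRACK denies, and the `/picsure` and `/psama` proxy rules to wildfly, so unless those directives land in another commit as the description suggests, the image serves plain HTTP with none of them. Either drop the `sed` line together with the `COPY` or leave a pointer to where the configuration now comes from, e.g. `# NOTE: httpd-vhosts.conf is no longer copied in; TLS, security headers and the /picsure,/psama proxy rules must be provided by <replacement-to-be-named>`. The `base` stage continues outside the hunk, so the replacement may be further down in the Dockerfile; if so, say so in the commit message.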
@@ -1,101 +0,0 @@ -Listen 0.0.0.0:80 -Listen 0.0.0.0:443 - -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# -# Some MIME-types for downloading Certificates and CRLs -# -AddType application/x-x509-ca-cert .crt -AddType application/x-pkcs7-crl .crl - -SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES -SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES - - -SSLHonorCipherOrder on - -SSLProtocol all -SSLv2 -SSLv3 -SSLProxyProtocol all -SSLv2 -SSLv3 -SSLPassPhraseDialog builtin - -SSLSessionCache "shmcb:${HTTPD_PREFIX}/logs/ssl_scache(512000)" -SSLSessionCacheTimeout 300 - -Mutex "file:${HTTPD_PREFIX}/logs/ssl_mutex" - -ServerTokens Prod - - - ServerName localhost - RewriteEngine On - ProxyPreserveHost On - RewriteCond %{HTTPS} off [OR] - RewriteCond %{HTTP_HOST} ^(?:)?(.+)$ [NC] - RewriteRule ^ https://%{SERVER_NAME}/picsureui/ [L,NE,R=301] - - - - SSLProxyEngine on - SSLProxyCheckPeerCN off - - SSLCertificateFile "${HTTPD_PREFIX}/cert/server.crt" - SSLCertificateKeyFile "${HTTPD_PREFIX}/cert/server.key" - SSLCertificateChainFile "${HTTPD_PREFIX}/cert/server.chain" - - # Content security policy: - # frame-ancestors 'none' - Stops our application from being loaded in an iframe - # default-src - Restricts loading resources to the same origin - # script-src - Allows inline scripts but only from the same origin and unsafe-eval and unsafe-inline - # unsafe-eval - Allows eval() and similar constructs - # unsafe-inline - Allows inline JavaScript, CSS, and event handlers - # style-src - Allows inline styles but only from the same origin - # img-src - Allows images from the same origin and data: URIs - Header always set Content-Security-Policy "frame-ancestors 'none'; default-src 'self'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.googletagmanager.com; img-src 'self' data: https://public.era.nih.gov blob:;" - - 
# A fall back for legacy browsers that don't yet support CSP frame-ancestors. - Header always set X-Frame-Options "DENY" - - # Attempt to prevent some MIME-type confusion attacks. There is no perfect solution to this problem. - Header always set X-Content-Type-Options "nosniff" - - # Enables built-in XSS protection in modern web browsers. - # If a XSS is detected mode=block will block the entire page. - Header always set X-XSS-Protection "1; mode=block;" - - # Unset the Server header. Removes 1 approach to getting information about our server. - Header always unset Server - - RewriteEngine On - ProxyPreserveHost On - - RewriteRule ^/picsure/(.*)$ "https://biodatacatalyst.integration.hms.harvard.edu.actual/picsure/$1" [P] - RewriteRule ^/psama/(.*)$ "https://biodatacatalyst.integration.hms.harvard.edu.actual/psama/$1" [P] - - RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f - RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d - - RewriteRule /picsureui/(.*) /picsureui/index.html [C] - RewriteRule ^/static/(.*)$ /static/$1 [L] - RewriteRule ^/psamaui/(.*)$ /picsureui/index.html [C] - - RedirectMatch ^/$ /picsureui/ - ErrorDocument 404 /index.html - - DocumentRoot "${HTTPD_PREFIX}/htdocs" - - ErrorLog "${HTTPD_PREFIX}/logs/error_log" - TransferLog "${HTTPD_PREFIX}/logs/access_log" - CustomLog "${HTTPD_PREFIX}/logs/ssl_request_log" \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - BrowserMatch "MSIE [2-5]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - diff --git a/biodatacatalyst-ui/httpd-vhosts.conf b/biodatacatalyst-ui/httpd-vhosts.conf deleted file mode 100644 index 911fe284..00000000 --- a/biodatacatalyst-ui/httpd-vhosts.conf +++ /dev/null 
@@ -1,113 +0,0 @@ -Listen 0.0.0.0:80 -Listen 0.0.0.0:443 - -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# -# Some MIME-types for downloading Certificates and CRLs -# -AddType application/x-x509-ca-cert .crt -AddType application/x-pkcs7-crl .crl - -SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 -SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 - - -SSLHonorCipherOrder on - -SSLProtocol all -TLSv1.2 -SSLProxyProtocol all -TLSv1.2 -SSLPassPhraseDialog builtin - -SSLSessionCache "shmcb:${HTTPD_PREFIX}/logs/ssl_scache(512000)" -SSLSessionCacheTimeout 300 - -Mutex "file:${HTTPD_PREFIX}/logs/ssl_mutex" - -ServerTokens Prod - - - ServerName localhost - RewriteEngine On - ProxyPreserveHost On - - #Dont allow httpd debug methods - RewriteCond %{REQUEST_METHOD} ^TRACK - RewriteRule .* - [F] - RewriteCond %{REQUEST_METHOD} ^TRACE - RewriteRule .* - [F] - - RewriteCond %{HTTPS} off [OR] - RewriteCond %{HTTP_HOST} ^(?:)?(.+)$ [NC] - RewriteRule ^ https://%{SERVER_NAME}/picsureui/ [L,NE,R=301] - - - - SSLProxyEngine on - SSLProxyCheckPeerCN off - - SSLCertificateFile "${HTTPD_PREFIX}/cert/server.crt" - SSLCertificateKeyFile "${HTTPD_PREFIX}/cert/server.key" - SSLCertificateChainFile "${HTTPD_PREFIX}/cert/server.chain" - - Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" - - # Content security policy: - # frame-ancestors 'none' - Stops our 
application from being loaded in an iframe - # default-src - Restricts loading resources to the same origin - # script-src - Allows inline scripts but only from the same origin and unsafe-eval and unsafe-inline - # unsafe-eval - Allows eval() and similar constructs - # unsafe-inline - Allows inline JavaScript, CSS, and event handlers - # style-src - Allows inline styles but only from the same origin - # img-src - Allows images from the same origin and data: URIs - Header always set Content-Security-Policy "frame-ancestors 'none'; default-src 'self'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.googletagmanager.com; img-src 'self' data: https://public.era.nih.gov blob: https://*.google-analytics.com https://*.googletagmanager.com; connect-src 'self' https://*.google-analytics.com https://*.analytics.google.com https://*.googletagmanager.com;" - - # A fall back for legacy browsers that don't yet support CSP frame-ancestors. - Header always set X-Frame-Options "DENY" - - # Attempt to prevent some MIME-type confusion attacks. There is no perfect solution to this problem. - Header always set X-Content-Type-Options "nosniff" - - # Enables built-in XSS protection in modern web browsers. - # If a XSS is detected mode=block will block the entire page. 
- Header always set X-XSS-Protection "1; mode=block;" - - RewriteEngine On - ProxyPreserveHost On - - #Dont allow httpd debug methods - RewriteCond %{REQUEST_METHOD} ^TRACK - RewriteRule .* - [F] - RewriteCond %{REQUEST_METHOD} ^TRACE - RewriteRule .* - [F] - - RewriteRule ^/picsure/(.*)$ "http://wildfly:8080/pic-sure-api-2/PICSURE/$1" [P] - RewriteRule ^/psama/(.*)$ "http://wildfly:8080/pic-sure-auth-services/auth/$1" [P] - - RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f - RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d - - RewriteRule /picsureui/(.*) /picsureui/index.html [C] - RewriteRule ^/static/(.*)$ /static/$1 [L] - RewriteRule ^/psamaui/(.*)$ /picsureui/index.html [C] - - RedirectMatch ^/$ /picsureui/ - ErrorDocument 404 /index.html - - DocumentRoot "${HTTPD_PREFIX}/htdocs" - - ErrorLog "${HTTPD_PREFIX}/logs/error_log" - TransferLog "${HTTPD_PREFIX}/logs/access_log" - CustomLog "${HTTPD_PREFIX}/logs/ssl_request_log" \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - - BrowserMatch "MSIE [2-5]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -