Use stock nginx image, mount nginx config and TLS cert

bin/docker-compose

@@ -22,6 +22,7 @@ function __main__() {
   SHARELATEX_IMAGE_VERSION="$(head -n 1 "$TOOLKIT_ROOT/config/version")"
   local MONGO_IMAGE="mongo:4.0"
   local REDIS_IMAGE="redis:5.0"
+  local NGINX_IMAGE="nginx:1.19-alpine"
 
   local MONGO_URL="mongodb://mongo/sharelatex"
   local REDIS_HOST="redis"
@@ -72,6 +73,9 @@ function __main__() {
   SHARELATEX_DATA_PATH=$(cd "$TOOLKIT_ROOT"; realpath "$SHARELATEX_DATA_PATH")
   MONGO_DATA_PATH=$(cd "$TOOLKIT_ROOT"; realpath "$MONGO_DATA_PATH")
   REDIS_DATA_PATH=$(cd "$TOOLKIT_ROOT"; realpath "$REDIS_DATA_PATH")
+  NGINX_PRIVATE_KEY_PATH=$(cd "$TOOLKIT_ROOT"; realpath "$NGINX_PRIVATE_KEY_PATH")
+  NGINX_CERTIFICATE_PATH=$(cd "$TOOLKIT_ROOT"; realpath "$NGINX_CERTIFICATE_PATH")
+  NGINX_CONFIG_PATH=$(cd "$TOOLKIT_ROOT"; realpath "$NGINX_CONFIG_PATH")
 
   # Print debug info
   if [[ "${RC_DEBUG:-null}" != "null" ]]; then
@@ -98,7 +102,10 @@ function __main__() {
   export REDIS_DATA_PATH
   export REDIS_HOST
   export REDIS_PORT
-  export OL_DOMAINS
+  export NGINX_IMAGE
+  export NGINX_PRIVATE_KEY_PATH
+  export NGINX_CERTIFICATE_PATH
+  export NGINX_CONFIG_PATH
 
   # shellcheck disable=SC2068
   exec docker-compose -p "$project_name" ${compose_file_flags[@]} "$@"

bin/init

@@ -38,6 +38,18 @@ function set_up_config_files() {
     cp "$TOOLKIT_ROOT/lib/config-seed/version" "$TOOLKIT_ROOT/config/"
 }
 
+function set_up_tls_proxy() {
+    PRIVATE_KEY="$TOOLKIT_ROOT/config/nginx/certs/overleaf_key.pem"
+    CERT_SIGN_REQ="$TOOLKIT_ROOT/config/nginx/certs/overleaf_csr.pem"
+    CERT="$TOOLKIT_ROOT/config/nginx/certs/overleaf_certificate.pem"
+    echo "Generate example self-signed TLS cert"
+    mkdir -p config/nginx/certs
+    cp "$TOOLKIT_ROOT/lib/config-seed/nginx.conf" "$TOOLKIT_ROOT/config/nginx/"
+    openssl req -new -nodes -keyout $PRIVATE_KEY -out $CERT_SIGN_REQ -batch
+    chmod 600 $PRIVATE_KEY
+    openssl x509 -req -days 365 -in $CERT_SIGN_REQ  -signkey $PRIVATE_KEY -out $CERT
+}
+
 function __main__() {
     if [[ "${1:-null}" == "help" ]] || [[ "${1:-null}" == "--help" ]]; then
         usage
@@ -45,6 +57,7 @@ function __main__() {
     fi
     check_existing_config
     set_up_config_files
+    set_up_tls_proxy
 }
 
 __main__ "$@"

lib/config-seed/overleaf.rc

@@ -21,4 +21,6 @@ REDIS_DATA_PATH=data/redis
 
 # TLS Proxy
 NGINX_ENABLED=false
-OL_DOMAINS=localhost,*.localhost,overleaf-toolkit.com,*.overleaf-toolkit.com
+NGINX_CONFIG_PATH=config/nginx/nginx.conf
+NGINX_PRIVATE_KEY_PATH=config/nginx/certs/overleaf_key.pem
+NGINX_CERTIFICATE_PATH=config/nginx/certs/overleaf_certificate.pem

lib/docker-compose.nginx.yml

@@ -2,15 +2,15 @@
 version: '2.2'
 services:
 
-  tls_proxy:
-    build: ../tls_proxy
+  nginx:
+    image: "${NGINX_IMAGE}"
     ports:
       - 127.0.0.1:443:18443
     volumes:
-      - ./../tls_proxy/certs:/certs
-      - ./../tls_proxy/nginx.conf:/etc/nginx/nginx.conf
-    environment:
-      OL_DOMAINS: "${OL_DOMAINS}"
+      - "${NGINX_PRIVATE_KEY_PATH}:/certs/nginx_key.pem"
+      - "${NGINX_CERTIFICATE_PATH}:/certs/nginx_certificate.pem"
+      - "${NGINX_CONFIG_PATH}:/etc/nginx/nginx.conf"
     restart: on-failure:5
+    container_name: nginx
     depends_on:
       - sharelatex

tls_proxy/Dockerfile

@@ -1,15 +0,0 @@
-FROM golang:alpine AS build
-RUN apk add git
-RUN go get github.com/jsha/minica
-
-FROM nginx:alpine
-
-VOLUME /certs
-
-COPY --from=build /go/bin/minica /usr/bin/minica
-ADD run.sh /run.sh
-ADD nginx.conf /etc/nginx/nginx.conf
-
-EXPOSE 18443
-
-CMD /run.sh

tls_proxy/certs/.gitignore

@@ -1 +0,0 @@
-*.pem

tls_proxy/run.sh

@@ -1,15 +0,0 @@
-#!/bin/sh
-
-CERT_FOLDER=${OL_DOMAINS%%,*}
-
-cd /certs
-rm -rf $CERT_FOLDER
-
-/usr/bin/minica --domains $OL_DOMAINS && \
-  cat $CERT_FOLDER/cert.pem minica.pem > nginx_certificate.pem && \
-  cp $CERT_FOLDER/key.pem nginx_key.pem && \
-  chmod a+r *.pem && \
-  rm -rf $CERT_FOLDER
-
-nginx -g "daemon off;"
-