setup nginx static file serving

2025-06-18 19:43:31 -04:00 · 2025-06-18 19:43:31 -04:00 · 526a5959e0
commit 526a5959e0
parent 87104549e0
3 changed files with 111 additions and 28 deletions
--- a/abra.sh
+++ b/abra.sh
@ -1,7 +1,7 @@
 #!/bin/bash

 export ENTRYPOINT_VERSION=v2
-export INIT_VERSION=v1
+export NGINX_CONFIG_VERSION=v1

 file_env() {
    local var="$1"
--- a/compose.yml
+++ b/compose.yml
@ -4,53 +4,96 @@ version: "3.8"
 services:

  app:
+    image: nginx:stable
+    networks:
+      - internal
+      - proxy
+    volumes:
+      - uploads:/liberaforms/uploads:ro
+      - static:/liberaforms/static:ro
+    configs:
+      - source: nginx_conf
+        mode: 555
+        target: /etc/nginx/conf.d/default.conf
+    deploy:
+      restart_policy:
+        condition: on-failure
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=80"
+        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
+        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
+        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "coop-cloud.${STACK_NAME}.version=wip"
+    healthcheck:
+      test: [ "CMD", "curl", "-f", "http://localhost" ]
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
+
+  forms:
    image: fung.uy/mycosystems/liberaforms:v4.0.0
    configs:
      - source: entrypoint
-        mode: 0555
+        mode: 555
        target: /custom-entrypoint.sh
    entrypoint: /custom-entrypoint.sh
    command: "/usr/bin/supervisord -n"
    environment:
-      ENABLE_LDAP: "False"
-      FLASK_DEBUG: "False"
-      FLASK_CONFIG: production
-      DB_HOST: db
-      DB_USER: liberaforms
-      DB_PASSWORD_FILE: /run/secrets/db_password
-      DB_NAME: liberaforms
-      BASE_URL: https://${DOMAIN}
-      ROOT_USER: ${ADMIN_USER}
-      TMP_DIR: /tmp
-      SECRET_KEY_FILE: /run/secrets/secret_key
-      CRYPTO_KEY_FILE: /run/secrets/crypto_key
-      SESSION_TYPE: "filesystem"
-      LOG_LEVEL: INFO
-      LOG_DIR: /app/logs
-      GUNICORN_WORKERS: ${GUNICORN_WORKERS:-3}
+      - ENABLE_LDAP=False
+      - FLASK_DEBUG=False
+      - FLASK_CONFIG=production
+      - DB_HOST=db
+      - DB_USER=liberaforms
+      - DB_PASSWORD_FILE=/run/secrets/db_password
+      - DB_NAME=liberaforms
+      - BASE_URL=https://${DOMAIN}
+      - ROOT_USER=${ADMIN_USER}
+      - TMP_DIR=/tmp
+      - SECRET_KEY_FILE=/run/secrets/secret_key
+      - CRYPTO_KEY_FILE=/run/secrets/crypto_key
+      - SESSION_TYPE=filesystem
+      - LOG_LEVEL=INFO
+      - LOG_DIR=/app/logs
+      - GUNICORN_WORKERS=${GUNICORN_WORKERS:-3}
+      - DEFAULT_LANGUAGE
+      - SECRET_KEY
+      - TOKEN_EXPIRATION
+      - DEFAULT_TIMEZONE
+      - ENABLE_UPLOADS
+      - TOTAL_UPLOADS_LIMIT
+      - DEFAULT_USER_UPLOADS_LIMIT
+      - ENABLE_REMOTE_STORAGE
+      - MAX_MEDIA_SIZE
+      - MAX_ATTACHMENT_SIZE
+      - ENABLE_PROMETHEUS_METRICS
+      - ENABLE_RSS_FEED
+      - LDAP_SERVER
+      - LDAP_ANONYMOUS_BIND
+      - LDAP_BIND_ACCOUNT
+      - LDAP_BIND_PASSWORD
+      - LDAP_USER_DN_LIST
+      - LDAP_SEARCH_BASE_DN
+      - LDAP_FILTER
+      - LDAP_MAIL_ATTRIB
+      - LDAP_RECOVER_PASSWD_URL
+      - E2EE_MODE
    volumes:
      - uploads:/app/uploads
      - log:/app/logs
+      - static:/app/liberaforms/static
    secrets:
      - db_password
      - secret_key
      - crypto_key
    networks:
      - internal
-      - proxy
-    deploy:
-      labels:
-        - "coop-cloud.${STACK_NAME}.version=wip"
-        - "traefik.enable=true"
-        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=5000"
-        - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
-        - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
-        - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"

  db:
    image: postgres:17
    healthcheck:
-      test: ["CMD", "pg_isready", "-q", "-d", "postgres", "-U", "${POSTGRES_ROOT_USER}"]
+      test: [ "CMD", "pg_isready", "-q", "-d", "postgres", "-U", "liberaforms" ]
      timeout: 45s
      interval: 10s
      retries: 10
@ -78,9 +121,11 @@ secrets:

 volumes:
  uploads:
+  static:
  log:
  db:

+
 networks:
  internal:
  proxy:
@ -91,3 +136,6 @@ configs:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_VERSION}
    file: entrypoint.sh.tmpl
    template_driver: golang
+  nginx_conf:
+    name: ${STACK_NAME}_nginx_conf_${NGINX_CONFIG_VERSION}
+    file: nginx.conf
--- a/nginx.conf
+++ b/nginx.conf
@ -0,0 +1,35 @@
+server {
+    listen         80;
+    server_name    localhost;
+    
+    client_max_body_size 2m;
+    
+    add_header Referrer-Policy "origin-when-cross-origin";
+    add_header X-Content-Type-Options nosniff;
+
+    location / {
+        location /static/ {
+            alias  /liberaforms/static/;
+        }
+        location /favicon.ico {
+            alias /liberaforms/uploads/media/brand/favicon.ico;
+        }
+        location /logo.png {
+            alias /liberaforms/uploads/media/brand/logo.png;
+        }
+        location /file/media/ {
+            alias /liberaforms/uploads/media/;
+        }
+        location /metrics {
+            return 404;
+        }
+        proxy_pass          http://forms:5000;
+        proxy_set_header    Host    $host;
+        proxy_set_header    X-Forwarded-For $remote_addr;
+        proxy_set_header    X-Real-IP   $remote_addr;
+        proxy_pass_header   server;
+        if ($request_uri !~ "/embed") {
+           add_header X-Frame-Options "SAMEORIGIN";
+        }
+    }
+}