* Remove HTTPS from frontend and api

  * Close their ports to the host
  * Add a gateway container to serve as ingress and do SSL termination for all of those instead
  * Add extra hosts to make that work (api.phpdocker.local, mailhog.phpdocker.local)

Author: luispabon

Makefile

@@ -1,7 +1,7 @@
 SHELL=/bin/bash
 MKCERT_VERSION=v1.4.1
 MKCERT_LOCATION=$(PWD)/bin/mkcert
-HOSTS_VERSION=3.5.0
+HOSTS_VERSION=3.6.3
 HOSTS_LOCATION=$(PWD)/bin/hosts
 PHPDOCKER_HOST=phpdocker.local
 
@@ -15,7 +15,7 @@ ifndef BINARY_ARCH
 	BUILD_TAG:=$(shell date +'%Y-%m-%d-%H-%M-%S')-$(shell git rev-parse --short HEAD)
 endif
 
-init: clean install-dependencies install-mkcert create-certs init-hosts build-local-php-container start load-fixtures
+init: clean install-dependencies install-mkcert create-certs install-hosts init-hosts build-local-php-container start load-fixtures
 
 build-backend-php:
 	docker build --target=deployment -t backend-php -f backend/docker/php-fpm/Dockerfile ./backend/
@@ -46,7 +46,7 @@ install-hosts:
 	@if [[ ! -f '$(HOSTS_LOCATION)' ]]; then curl -sL 'https://raw.githubusercontent.com/xwmx/hosts/$(HOSTS_VERSION)/hosts' -o $(HOSTS_LOCATION); chmod +x $(HOSTS_LOCATION);	fi;
 
 create-certs:
-	bin/mkcert -cert-file=infrastructure/local/local.pem -key-file=infrastructure/local/local.key.pem $(PHPDOCKER_HOST)
+	bin/mkcert -cert-file=infrastructure/local/local.pem -key-file=infrastructure/local/local.key.pem "$(PHPDOCKER_HOST)" "*.$(PHPDOCKER_HOST)"
 	cp infrastructure/local/local.pem infrastructure/local/webpack.pem
 	cat infrastructure/local/local.key.pem >> infrastructure/local/webpack.pem
 
@@ -55,6 +55,8 @@ clean-hosts:
 
 init-hosts: clean-hosts
 	sudo bin/hosts add 127.0.0.1 $(PHPDOCKER_HOST)
+	sudo bin/hosts add 127.0.0.1 api.$(PHPDOCKER_HOST)
+	sudo bin/hosts add 127.0.0.1 mailhog.$(PHPDOCKER_HOST)
 
 clean:
 	docker-compose down
@@ -72,13 +74,13 @@ open-frontend:
 #	xdg-open https://phpdocker.local:5001
 
 open-content-api:
-	xdg-open https://phpdocker.local:5002/content
+	xdg-open https://api.phpdocker.local/content
 
 open-mailhog:
-	xdg-open http://phpdocker.local:5003/
+	xdg-open http://mailhog.phpdocker.local/
 
 open-api-profiler:
-	xdg-open https://phpdocker.local:5002/_profiler/latest?limit=10
+	xdg-open https://api.phpdocker.local/_profiler/latest?limit=10
 
 api-clear-cache:
 	docker-compose exec php-fpm bin/console cache:clear

backend/docker/nginx/nginx.conf

@@ -1,9 +1,5 @@
 server {
     listen 80 default;
-    listen 443 default_server ssl;
-
-    ssl_certificate     /etc/infrastructure/local.pem;
-    ssl_certificate_key /etc/infrastructure/local.key.pem;
 
     client_max_body_size 108M;
 

docker-compose.yml

@@ -4,6 +4,22 @@
 version: "3.4"
 services:
 
+    # Main gateway to act as reverse proxy for all the other services via https://phpdocker.local
+    # Uses the same certs as the others - we don't need them if we close their outside p
+    gateway:
+      depends_on:
+        - api
+        - frontend
+        - mailhog
+      image: nginx:alpine
+      working_dir: /application
+      volumes:
+        - .:/application
+        - ./infrastructure/local/gateway.nginx.conf:/etc/nginx/conf.d/default.conf
+      ports:
+        - "443:443"
+        - "80:80"
+
     database:
       image: postgres:9.6-alpine
       working_dir: /application
@@ -18,11 +34,9 @@ services:
       image: nginx:alpine
       working_dir: /application
       volumes:
-          - ./backend:/application
-          - ./backend/docker/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
-          - ./infrastructure/local:/etc/infrastructure
-      ports:
-       - "5002:443"
+        - ./backend:/application
+        - ./backend/docker/nginx/nginx.conf:/etc/nginx/conf.d/default.conf
+        - ./infrastructure/local:/etc/infrastructure
 
     php-fpm:
       build:
@@ -38,23 +52,14 @@ services:
       image: node:12.0-alpine
       working_dir: /application
       stdin_open: true # Regression in react-scripts 3.4.1, fixed in 4.0 https://github.com/facebook/create-react-app/pull/8845
+      environment:
+        - REACT_APP_POST_API_URI=https://api.phpdocker.local/content/posts
+        - REACT_APP_CONTACT_API_URI=https://api.phpdocker.local/contact
+        - REACT_APP_GENERATOR_API_URI=https://api.phpdocker.local/generator
       volumes:
         - ./frontend:/application
         - ./infrastructure/local:/etc/infrastructure
-      ports:
-        - "5000:3000"
       command: yarn start
 
-#    admin:
-#      image: node:12.0-alpine
-#      working_dir: /application
-#      volumes:
-#        - ./admin:/application
-#      ports:
-#        - "5001:3000"
-#      command: yarn start
-
     mailhog:
       image: mailhog/mailhog:latest
-      ports:
-        - "5003:8025"

frontend/package.json

@@ -18,11 +18,10 @@
     "semantic-ui-react": "^0.88.1"
   },
   "scripts": {
-    "start": "HTTPS=true react-scripts start",
+    "start": "react-scripts start",
     "build": "react-scripts build",
     "test": "react-scripts test",
-    "eject": "react-scripts eject",
-    "prestart": "rm ./node_modules/webpack-dev-server/ssl/server.pem -f && cp -f /etc/infrastructure/webpack.pem ./node_modules/webpack-dev-server/ssl/server.pem"
+    "eject": "react-scripts eject"
   },
   "eslintConfig": {
     "extends": "react-app"

infrastructure/local/.gitkeep

@@ -0,0 +1,50 @@
+# Set up gateway to different services
+# Note: the resolver and upstream set up per location is done (instead of simply proxy_pass http://servicename) to allow
+# the gateway to be online by itself (or with not all services up). Otherwise nginx exits.
+
+# Redirect ALL non HTTPS traffic to HTTPS
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+  server_name _;
+  return 301 https://$host$request_uri;
+}
+
+# Frontend
+server {
+  server_name  phpdocker.local;
+
+  listen 443 ssl;
+  ssl_certificate     /application/infrastructure/local/local.pem;
+  ssl_certificate_key /application/infrastructure/local/local.key.pem;
+
+  location / {
+      proxy_pass http://frontend:3000;
+  }
+}
+
+# Backend
+server {
+  server_name  api.phpdocker.local;
+
+  listen 443 ssl;
+  ssl_certificate     /application/infrastructure/local/local.pem;
+  ssl_certificate_key /application/infrastructure/local/local.key.pem;
+
+  location / {
+      proxy_pass http://api;
+  }
+}
+
+# Mailhog
+server {
+  server_name  mailhog.phpdocker.local;
+
+  listen 443 ssl;
+  ssl_certificate     /application/infrastructure/local/local.pem;
+  ssl_certificate_key /application/infrastructure/local/local.key.pem;
+
+  location / {
+      proxy_pass http://mailhog:8025;
+  }
+}