Commit 3435fc84 authored by Rucha Deshpande's avatar Rucha Deshpande

Add SSL support in core server code

parent 53a0cc7f
./ssl.sh; ./ssl.sh;
node ./dist/cloud/providers/aws/server/server-start.js node ./dist/server/server-start.js
...@@ -45,5 +45,4 @@ WORKDIR /seistore-service ...@@ -45,5 +45,4 @@ WORKDIR /seistore-service
COPY src/cloud/providers/aws/build-aws/ssl.sh /seistore-service/ssl.sh COPY src/cloud/providers/aws/build-aws/ssl.sh /seistore-service/ssl.sh
COPY src/cloud/providers/aws/build-aws/entrypoint.sh /seistore-service/entrypoint.sh COPY src/cloud/providers/aws/build-aws/entrypoint.sh /seistore-service/entrypoint.sh
RUN npm install --production RUN npm install --production
EXPOSE 5000
ENTRYPOINT ["/bin/sh", "-c", "/seistore-service/entrypoint.sh"] ENTRYPOINT ["/bin/sh", "-c", "/seistore-service/entrypoint.sh"]
\ No newline at end of file
// ============================================================================
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
export { Server } from './server';
// ============================================================================
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
import { Config, TraceFactory, ConfigFactory } from '../../..';
import { StorageJobManager } from '../../../../cloud/shared/queue';
import { Locker } from '../../../../services/dataset/locker';
import { Feature, FeatureFlags } from '../../../../shared';
async function ServerStart() {
try {
// tslint:disable-next-line
console.log('- Initializing cloud provider');
Config.setCloudProvider(process.env.CLOUDPROVIDER);
// tslint:disable-next-line
console.log('- Initializing ' + Config.CLOUDPROVIDER + ' configurations')
await ConfigFactory.build(Config.CLOUDPROVIDER).init();
// tslint:disable-next-line
console.log('- Initializing redis cache')
await Locker.init();
// tslint:disable-next-line
console.log('- Initializing storage transfer deamon')
StorageJobManager.setup({
ADDRESS: Config.DES_REDIS_INSTANCE_ADDRESS,
PORT: Config.DES_REDIS_INSTANCE_PORT
})
if(FeatureFlags.isEnabled(Feature.TRACE)) {
// tslint:disable-next-line
console.log('- Initializing cloud tracer')
TraceFactory.build(Config.CLOUDPROVIDER).start();
}
new (await import('./server')).Server().start();
} catch (error) {
// tslint:disable-next-line
console.log(error);
process.exit(1);
}
}
ServerStart();
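Review bot: `new (await import('./server')).Server().start();` at the end of the try block is not awaited, and `start()` is declared `async` in ./server, so a failure inside it (for instance the certificate file reads it performs) becomes an unhandled promise rejection instead of reaching the `catch` that logs and calls `process.exit(1)`; change the line to `await new (await import('./server')).Server().start();`. `Config.setCloudProvider(process.env.CLOUDPROVIDER)` is also handed the raw environment value, which is undefined when the variable is unset — presumably setCloudProvider rejects that, but it cannot be confirmed from this file, so a one-line guard with a clear message before the call would make the startup log self-explanatory.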
// ============================================================================
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
import bodyparser from 'body-parser';
import cors from 'cors';
import express from 'express';
import jwtProxy, { JwtProxyOptions } from 'jwtproxy';
import { Config, LoggerFactory } from '../../..';
import { ServiceRouter } from '../../../../services';
import { Feature, FeatureFlags} from '../../../../shared';
import fs from 'fs';
import https from 'https';
// -------------------------------------------------------------------
// Seismic Store Service
// -------------------------------------------------------------------
export class Server {
private app: express.Express;
private port: number;
private httpServer: import('http').Server;
private httpsServer: import('https').Server;
private corsOptions = {
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS',
preflightContinue: false,
optionsSuccessStatus: 204,
credentials: true,
maxAge: 3600,
exposedHeaders: [
'Origin',
'Content-Type',
'X-Requested-With',
'Authorization',
'Accept',
'Referer',
'X-Requested-With',
'Access-Control-Allow-Origin',
'x-traffic-manager'
],
allowedHeaders: [
'Origin',
'Content-Type',
'X-Requested-With',
'Authorization',
'Accept',
'Referer',
'X-Requested-With',
'Access-Control-Allow-Origin',
'x-traffic-manager'
]
}
constructor() {
this.app = express();
this.app.use(bodyparser.urlencoded({ extended: false }));
this.app.use(bodyparser.json());
this.app.disable('x-powered-by');
this.app.use(cors(this.corsOptions));
this.app.options('*', cors());
this.app.use((req: express.Request, res: express.Response, next: express.NextFunction) => {
// not required anymore - to verify
if (req.get('slb-on-behalf-of') !== undefined) {
req.headers.authorization = req.get('slb-on-behalf-of');
}
// track caller to the main log
const key = req.headers['x-api-key'] as string;
const logger = LoggerFactory.build(Config.CLOUDPROVIDER);
logger.info(
((key && key.length > 5) ? ('[***' + key.substr(key.length - 5) + '] ') : '')
+ '[' + req.method + '] ' + req.url);
// init the metrics logger
if(FeatureFlags.isEnabled(Feature.LOGGING)) {
LoggerFactory.build(Config.CLOUDPROVIDER).metric('Request Size',
req.headers['content-length'] ? +req.headers['content-length'] : 0)
}
// forward the caller appkey if exist
// if exists ensure it does not collide the google-esp api-key (required for backward compatibility)
req[Config.DE_FORWARD_APPKEY] =
req.headers['appkey'] !== req.headers['x-api-key'] ? req.headers['appkey'] : undefined
next();
});
const jwtValidateOptions: JwtProxyOptions = {
disable: !Config.JWT_ENABLE_FEATURE,
excluded: Config.JWT_EXCLUDE_PATHS ? Config.JWT_EXCLUDE_PATHS.split(';') : [],
jwksUrl:Config.JWKS_URL,
algorithms: ['RS256'],
audience: Config.JWT_AUDIENCE
}
// adding middleware to intercept and valiate jwt
this.app.use(jwtProxy(jwtValidateOptions));
this.app.use(ServiceRouter);
}
public async start(port = Config.SERVICE_PORT) {
this.port = port;
// The timeout of the backend service should be greater than the timeout of the load balancer. This will
// prevent premature connection closures from the service
// Additionally, the headerstimeout needs to be greater than keepalivetimeout
// https://github.com/nodejs/node/issues/27363
// SSL
const privateKey = fs.readFileSync(process.env.SSL_KEY_PATH, 'utf8');
const certificate = fs.readFileSync(process.env.SSL_CERT_PATH, 'utf8');
const credentials = {key: privateKey, cert: certificate};
if (process.env.SSL_ENABLED === "true"){
this.httpsServer = https.createServer(credentials, this.app).listen(this.port, () => {
// tslint:disable-next-line
console.log(`- Server is listening on port ${this.port}...`);
});
this.httpsServer.keepAliveTimeout = 65 * 1000;
this.httpsServer.headersTimeout = 66 * 1000;
} else {
this.httpServer = this.app.listen(this.port, () => {
// tslint:disable-next-line
console.log(`- Server is listening on port ${this.port}...`);
});
this.httpServer.keepAliveTimeout = 65 * 1000;
this.httpServer.headersTimeout = 66 * 1000;
}
}
public stop() {
if (this.httpServer) {
this.httpServer.close();
}
if (this.httpsServer) {
this.httpsServer.close();
}
}
}
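Review bot: In start(), `const privateKey = fs.readFileSync(process.env.SSL_KEY_PATH, 'utf8');` and the certificate read run unconditionally before `SSL_ENABLED` is checked, so when SSL is disabled and those variables are unset the read throws on an undefined path and the plain-HTTP branch below is never reached; move the two reads and `const credentials = {key: privateKey, cert: certificate};` inside the `if (process.env.SSL_ENABLED === "true")` branch so that only the TLS configuration depends on the key and certificate paths. The same unconditional read appears in the src/server/server.ts hunk further down in this commit. The two files also compare against `"true"` and `'true'` respectively; a single `const sslEnabled = process.env.SSL_ENABLED === 'true';` at the top of start() keeps the check consistent and readable. The `slb-on-behalf-of` block in the constructor is marked "not required anymore - to verify" and copies a caller-supplied header into `req.headers.authorization` ahead of the JWT middleware; since this is a new file it would be the right moment to drop it rather than carry the uncertainty over.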
...@@ -22,7 +22,8 @@ import { Config, LoggerFactory } from '../cloud'; ...@@ -22,7 +22,8 @@ import { Config, LoggerFactory } from '../cloud';
import { ServiceRouter } from '../services'; import { ServiceRouter } from '../services';
import { Feature, FeatureFlags } from '../shared'; import { Feature, FeatureFlags } from '../shared';
import fs from 'fs';
import https from 'https';
// ------------------------------------------------------------------- // -------------------------------------------------------------------
// Seismic Store Service // Seismic Store Service
...@@ -31,7 +32,9 @@ export class Server { ...@@ -31,7 +32,9 @@ export class Server {
private app: express.Express; private app: express.Express;
private port: number; private port: number;
private server: import('http').Server;
private httpServer: import('http').Server;
private httpsServer: import('https').Server;
private corsOptions = { private corsOptions = {
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS', methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS',
...@@ -118,17 +121,36 @@ export class Server { ...@@ -118,17 +121,36 @@ export class Server {
// prevent premature connection closures from the service // prevent premature connection closures from the service
// Additionally, the headerstimeout needs to be greater than keepalivetimeout // Additionally, the headerstimeout needs to be greater than keepalivetimeout
// https://github.com/nodejs/node/issues/27363 // https://github.com/nodejs/node/issues/27363
this.server = this.app.listen(this.port, () => {
// tslint:disable-next-line
console.log(`- Server is listening on port ${this.port}...`); // SSL
}); const privateKey = fs.readFileSync(process.env.SSL_KEY_PATH, 'utf8');
this.server.keepAliveTimeout = 65 * 1000; const certificate = fs.readFileSync(process.env.SSL_CERT_PATH, 'utf8');
this.server.headersTimeout = 66 * 1000; const credentials = {key: privateKey, cert: certificate};
if (process.env.SSL_ENABLED === 'true'){
this.httpsServer = https.createServer(credentials, this.app).listen(this.port, () => {
// tslint:disable-next-line
console.log(`- Server is listening on port ${this.port}...`);
});
this.httpsServer.keepAliveTimeout = 65 * 1000;
this.httpsServer.headersTimeout = 66 * 1000;
} else {
this.httpServer = this.app.listen(this.port, () => {
// tslint:disable-next-line
console.log(`- Server is listening on port ${this.port}...`);
});
this.httpServer.keepAliveTimeout = 65 * 1000;
this.httpServer.headersTimeout = 66 * 1000;
}
} }
public stop() { public stop() {
if (this.server) { if (this.httpServer) {
this.server.close(); this.httpServer.close();
}
if (this.httpsServer) {
this.httpsServer.close();
} }
} }
} }
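Review bot: The listen callback and the keepAliveTimeout/headersTimeout assignments are duplicated in both branches of the new `if (process.env.SSL_ENABLED === 'true')` in start(), which invites the two copies to drift (the ordering constraint between the two timeouts, explained in the comment just above, then has to be maintained twice). Since an https.Server is an http.Server, both branches can share one listening callback and one local that receives the timeouts. The start() signature sits above this hunk. The sketch below keeps the credential loading as it is in the hunk.
```typescript
// … unchanged: SSL credential loading …
const onListening = () => {
    // tslint:disable-next-line
    console.log(`- Server is listening on port ${this.port}...`);
};
let server: import('http').Server;
if (process.env.SSL_ENABLED === 'true') {
    server = this.httpsServer = https.createServer(credentials, this.app).listen(this.port, onListening);
} else {
    server = this.httpServer = this.app.listen(this.port, onListening);
}
server.keepAliveTimeout = 65 * 1000;
server.headersTimeout = 66 * 1000;
```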