From 2f90b5cb5e2322e0c9d1815f63bdcfcdae94ded1 Mon Sep 17 00:00:00 2001 From: flechsig Date: Mon, 6 Oct 2025 15:41:30 +0200 Subject: [PATCH 01/43] add opticswiki.conf --- conf.d/opticswiki.conf | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 conf.d/opticswiki.conf diff --git a/conf.d/opticswiki.conf b/conf.d/opticswiki.conf new file mode 100644 index 0000000..ea93766 --- /dev/null +++ b/conf.d/opticswiki.conf @@ -0,0 +1,24 @@ +# opticswiki conf for nginx +# cloned from gfa-status-test.conf +# adjustments UF 20251006 +server { + listen 80; + server_name opticswiki.psi.ch; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + server_name opticswiki.psi.ch; + + ssl_certificate /etc/nginx/certs/opticswiki.psi.ch.crt; + ssl_certificate_key /etc/nginx/private/opticswiki.psi.ch.key; + + location / { + proxy_pass http://opticswiki:80; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} From 324e8e2879b88c31c9770c1b7114d4d5fc175f23 Mon Sep 17 00:00:00 2001 From: flechsig Date: Mon, 6 Oct 2025 15:46:45 +0200 Subject: [PATCH 02/43] use port 8090 --- conf.d/opticswiki.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/conf.d/opticswiki.conf b/conf.d/opticswiki.conf index ea93766..4601aa1 100644 --- a/conf.d/opticswiki.conf +++ b/conf.d/opticswiki.conf @@ -1,6 +1,6 @@ # opticswiki conf for nginx # cloned from gfa-status-test.conf -# adjustments UF 20251006 +# adjustments UF 20251006 use port 8090 server { listen 80; server_name opticswiki.psi.ch; @@ -15,7 +15,7 @@ server { ssl_certificate_key /etc/nginx/private/opticswiki.psi.ch.key; location / { - proxy_pass http://opticswiki:80; + proxy_pass http://opticswiki:8090; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
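Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the new `location /` appends to whatever X-Forwarded-For value the client sent, so the backend receives client-supplied addresses at the front of the list. If this nginx is the first hop (confirm that no load balancer sits in front of it), set the header from the connection instead: `proxy_set_header X-Forwarded-For $remote_addr;`. Otherwise make sure the wiki trusts only `X-Real-IP` or the last list entry for any IP-based access rule or audit log. The same block is cloned into the other proxy vhosts in this series, so the point applies there as well.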
From 4fe84492c5ba18dda2f3096b59c838fc0ffeff72 Mon Sep 17 00:00:00 2001 From: flechsig Date: Mon, 6 Oct 2025 15:55:42 +0200 Subject: [PATCH 03/43] clone other entry, partial adjustment --- docker-compose.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index f894c18..b2039ed 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -249,3 +249,16 @@ networks: woodpecker_backend: it_strategy_dashboard_backend: + # Flechsig Uwe + # opticswiki (test setup) + opticswiki: + image: gitea.psi.ch/images/elog:3.1.5 + container_name: opticswiki + restart: always + volumes: + - /opt/logbooks/LMU:/usr/local/elog/logbooks + - /opt/webcontent/LMU/elog.cfg:/usr/local/elog/elogd.cfg + networks: + - backend + + From ef30ebf83421b0b8774dc931491e20c7901037f0 Mon Sep 17 00:00:00 2001 From: flechsig Date: Tue, 7 Oct 2025 10:44:54 +0200 Subject: [PATCH 04/43] moved opticswiki after gfa-status-test since Im not sure about the correct intention after woodpecker --- docker-compose.yaml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index b2039ed..899f367 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -130,6 +130,23 @@ services: networks: - backend + # Flechsig Uwe + # opticswiki (test setup) + # I assume gitea.psi.ch/images is the local image repository filled docker push + # /opt/webcontent/opticswiki must be filled once (before starting the container) + # gitea.psi.ch/optics/opticswiki/ => make initvolumes + opticswiki: + image: gitea.psi.ch/images/opticswiki + container_name: opticswiki + restart: always + volumes: + - /opt/webcontent/opticswiki/data:/usr/local/apache2/Foswiki-2.1.9/data + - /opt/webcontent/opticswiki/pub:/usr/local/apache2/Foswiki-2.1.9/pub + - /opt/webcontent/opticswiki/working:/usr/local/apache2/Foswiki-2.1.9/working + - /opt/webcontent/opticswiki/lib:/usr/local/apache2/Foswiki-2.1.9/lib + networks: + - backend + # Sven Augustin -Hax0rL0rd # CI/CD Aaddition to Gitea (Jenkins for poor people) woodpecker-server: @@ -249,16 +266,5 @@ networks: woodpecker_backend: it_strategy_dashboard_backend: - # Flechsig Uwe - # opticswiki (test setup) - opticswiki: - image: gitea.psi.ch/images/elog:3.1.5 - container_name: opticswiki - restart: always - volumes: - - /opt/logbooks/LMU:/usr/local/elog/logbooks - - /opt/webcontent/LMU/elog.cfg:/usr/local/elog/elogd.cfg - networks: - - backend From 52cd5e5f6884e12049e7d9cd4feaa6e08cf32535 Mon Sep 17 00:00:00 2001 From: flechsig Date: Tue, 7 Oct 2025 11:03:33 +0200 Subject: [PATCH 05/43] verify file format by comparing with original version --- docker-compose.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 899f367..597a808 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -266,5 +266,3 @@ networks: woodpecker_backend: it_strategy_dashboard_backend: - - From 3e7bc935accee4dd68578c00df4485bb2141f44e Mon Sep 17 00:00:00 2001 
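Review bot: The `lib` bind mount in the new `opticswiki` service gives the container write access to the Foswiki code tree on the host, so anything able to write as the web server user can change code that runs on the next request and survives a container rebuild. As far as I know Foswiki only needs to write `lib/LocalSite.cfg` there, so mounting that file alone would narrow this. Alternatively switch the directory to read-only once configuration is done: `- /opt/webcontent/opticswiki/lib:/usr/local/apache2/Foswiki-2.1.9/lib:ro`. The image reference also carries no tag, so `latest` is pulled; pin a version so a restart cannot silently change what runs.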
From: ritter_t Date: Wed, 8 Oct 2025 15:24:27 +0200 Subject: [PATCH 06/43] it_strategy_dashboard v2.0.1 (#12) New defautlt data added via liquibase in backend container Co-authored-by: ritter_t Co-authored-by: tom.ritter Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/12 Reviewed-by: buchel_k Co-authored-by: ritter_t Co-committed-by: ritter_t --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index f894c18..d9d1813 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -202,7 +202,7 @@ services: - it_strategy_dashboard_backend it-strategy-dashboard-backend: - image: gitea.psi.ch/9501/it-strategy-dashboard-backend:2.0 + image: gitea.psi.ch/9501/it-strategy-dashboard-backend:2.0.1 container_name: it-strategy-dashboard-backend restart: always environment: From 2bd2cbade7f41f845f506d5e7cfb0b1abec23716 Mon Sep 17 00:00:00 2001 From: romainsacchi Date: Thu, 16 Oct 2025 18:42:29 +0200 Subject: [PATCH 07/43] Rename service name from `carculator` to `swiss-ecargo` because this is a special version of `carculator` and we want to reserve the `carculator` name for later. --- conf.d/{carculator.conf => swiss-ecargo.conf} | 6 +++--- docker-compose.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) rename conf.d/{carculator.conf => swiss-ecargo.conf} (70%) diff --git a/conf.d/carculator.conf b/conf.d/swiss-ecargo.conf similarity index 70% rename from conf.d/carculator.conf rename to conf.d/swiss-ecargo.conf index 767515e..0f7f127 100644 --- a/conf.d/carculator.conf +++ b/conf.d/swiss-ecargo.conf 
@@ -1,16 +1,16 @@ server { listen 80; - server_name carculator-api-test.psi.ch; + server_name swiss-ecargo-api-test.psi.ch; return 301 https://$host$request_uri; } server { listen 443 ssl; - server_name carculator-api-test.psi.ch; + server_name swiss-ecargo-api-test.psi.ch; location / { - proxy_pass http://carculator:8000; + proxy_pass http://swiss-ecargo:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/docker-compose.yaml b/docker-compose.yaml index 6388cf0..cd61395 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -60,9 +60,9 @@ services: # Romain Sacchi # Software host and access to the Internet - carculator: - image: gitea.psi.ch/sacchi_r/carculator:0.1.0 - container_name: carculator + swiss-ecargo: + image: gitea.psi.ch/sacchi_r/swiss-ecargo:0.1.0 + container_name: swiss-ecargo restart: always networks: - backend From 57edf05d52cb85580f7e17fefcebc4c74c9a11de Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 21 Oct 2025 13:42:45 +0200 Subject: [PATCH 08/43] letsencrypt Signed-off-by: Basil Bruhn --- docker-compose.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index d9d1813..4abc565 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -11,6 +11,8 @@ services: - "80:80" - "443:443" volumes: + - /etc/letsencrypt/live:/etc/letsencrypt/live:ro + - /etc/letsencrypt/archive:/etc/letsencrypt/archive:ro - /etc/pki/tls/certs:/etc/nginx/certs:ro - /etc/pki/tls/private:/etc/nginx/private:ro - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro From d78cc05037d479ddb97059fe853f440d9107b944 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 21 Oct 2025 17:00:20 +0200 Subject: [PATCH 09/43] certificate name Signed-off-by: Basil Bruhn --- conf.d/swiss-ecargo.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/conf.d/swiss-ecargo.conf b/conf.d/swiss-ecargo.conf index 28830cd..00e3ef9 100644 --- a/conf.d/swiss-ecargo.conf +++ b/conf.d/swiss-ecargo.conf @@ -8,8 +8,8 @@ server { listen 443 ssl; server_name swiss-ecargo-api-test.psi.ch; - ssl_certificate /etc/nginx/certs/carculator-api-test.psi.ch.crt; - ssl_certificate_key /etc/nginx/private/carculator-api-test.psi.ch.key; + ssl_certificate /etc/nginx/certs/swiss-ecargo-api-test.psi.ch.crt; + ssl_certificate_key /etc/nginx/private/swiss-ecargo-api-test.psi.ch.key; location / { proxy_pass http://swiss-ecargo:8000; From 44c64087ffdde73942e34a3fbd62fc34aaccc5de Mon Sep 17 00:00:00 2001 From: flechsig Date: Thu, 23 Oct 2025 14:06:17 +0200 Subject: [PATCH 10/43] correct port number to 80 --- conf.d/opticswiki.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf.d/opticswiki.conf b/conf.d/opticswiki.conf index 4601aa1..cf2d303 100644 --- a/conf.d/opticswiki.conf +++ b/conf.d/opticswiki.conf @@ -15,7 +15,7 @@ server { ssl_certificate_key /etc/nginx/private/opticswiki.psi.ch.key; location / { - proxy_pass http://opticswiki:8090; + proxy_pass http://opticswiki:80; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 7d3007c361acc78ef1c27672f6623e9c4da632fe Mon Sep 17 00:00:00 2001 From: flechsig Date: Thu, 23 Oct 2025 14:06:58 +0200 Subject: [PATCH 11/43] correct comment --- conf.d/opticswiki.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf.d/opticswiki.conf b/conf.d/opticswiki.conf index cf2d303..0090bac 100644 --- a/conf.d/opticswiki.conf +++ b/conf.d/opticswiki.conf @@ -1,6 +1,6 @@ # opticswiki conf for nginx # cloned from gfa-status-test.conf -# adjustments UF 20251006 use port 8090 + server { listen 80; server_name opticswiki.psi.ch; From 77f34de401118bc4c32d4fd743bf2e86d1c0aeff Mon Sep 17 00:00:00 2001 
From: Basil Bruhn Date: Mon, 27 Oct 2025 09:21:51 +0100 Subject: [PATCH 12/43] default server Signed-off-by: Basil Bruhn --- conf.d/00-default.conf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 conf.d/00-default.conf diff --git a/conf.d/00-default.conf b/conf.d/00-default.conf new file mode 100644 index 0000000..4cd2df5 --- /dev/null +++ b/conf.d/00-default.conf @@ -0,0 +1,20 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name _; + + return 404; + +} + +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + server_name _; + + ssl_certificate /etc/nginx/certs/default.psi.ch.crt; + ssl_certificate_key /etc/nginx/private/default.psi.ch.key; + + return 404; +} + From 1031743c36c5b4e9a250c8da8ad8171482be3fba Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Tue, 28 Oct 2025 08:28:56 +0100 Subject: [PATCH 13/43] add OpenMaint as panda-maintenance.psi.ch (#14) Add a [OpenMaint](https://www.openmaint.org/en/home) instance using the Docker images and compose from https://github.com/itmicus/cmdbuild_docker. Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/14 Reviewed-by: bruhn_b Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- conf.d/panda-maintenance.conf | 21 +++++++++++++ docker-compose.yaml | 58 +++++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 conf.d/panda-maintenance.conf diff --git a/conf.d/panda-maintenance.conf b/conf.d/panda-maintenance.conf new file mode 100644 index 0000000..3c1d7b2 --- /dev/null +++ b/conf.d/panda-maintenance.conf 
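Review bot: The 443 catch-all still completes a TLS handshake and presents the `default.psi.ch` certificate to any client that connects by IP address or with an unknown SNI name, which also means a key pair has to be maintained only for that purpose. nginx 1.19.4 and later can refuse the handshake instead: replace the two certificate lines with `ssl_reject_handshake on;`. For the port 80 block, `return 444;` closes the connection without sending a response and reveals less about the server than a generated 404 page.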
@@ -0,0 +1,21 @@ +server { + listen 80; + server_name panda-maintenance.psi.ch; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + server_name panda-maintenance.psi.ch; + + ssl_certificate /etc/nginx/certs/panda-maintenance.psi.ch.crt; + ssl_certificate_key /etc/nginx/private/panda-maintenance.psi.ch.key; + + location / { + proxy_pass http://panda-maintenance-app:8080/cmdbuild; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} diff --git a/docker-compose.yaml b/docker-compose.yaml index f52e63f..c300345 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
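Review bot: `proxy_pass http://panda-maintenance-app:8080/cmdbuild;` inside `location /` replaces the matched `/` with `/cmdbuild`, so a request for `/ui/` is forwarded as `/cmdbuildui/`. Either add the trailing slash, `proxy_pass http://panda-maintenance-app:8080/cmdbuild/;`, or proxy without a URI part from a `location /cmdbuild/` block. With the first form, check that redirects and absolute links generated by the application still resolve, since the application will assume it is served under `/cmdbuild`.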
@@ -242,10 +242,68 @@ services: timeout: 5s retries: 5 +# Christoph Hug , Simon Suter +# Panda-Maintenance (OpenMaint) + panda-maintenance-db: + image: postgis/postgis:17-3.5-alpine + container_name: panda-maintenance-db + volumes: + - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw + ports: + - 5432:5432 + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + restart: always + mem_limit: 4000m + mem_reservation: 2000m + healthcheck: + test: [ "CMD-SHELL", "pg_isready -U postgres" ] + interval: 30s + timeout: 10s + retries: 3 + start_period: 80s + networks: + - panda_maintenance_backend + panda-maintenance-app: + image: itmicus/cmdbuild:om-2.4-4.1.0 + container_name: panda-maintenance-app + links: + - panda-maintenance-db + depends_on: + panda-maintenance-db: + condition: service_healthy + ports: + - 8080:8080 + restart: always + volumes: + - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + - POSTGRES_PORT=5432 + - POSTGRES_HOST=openmaint_db + - POSTGRES_DB=openmaint + - CMDBUILD_DUMP=empty.dump.xz + - JAVA_OPTS=-Xmx6000m -Xms3000m + mem_limit: 6000m + mem_reservation: 3500m + healthcheck: + test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ] + interval: 30s + timeout: 10s + retries: 5 + start_period: 120s + networks: + - backend + - panda_maintenance_backend + + networks: public: backend: hedgedoc_backend: woodpecker_backend: it_strategy_dashboard_backend: + panda_maintenance_backend: From edb28e88de0765aa16f95aaf8834b66a3d58a99c Mon Sep 17 00:00:00 2001 
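Review bot: Both new services publish ports on the host (`5432:5432` and `8080:8080`), which exposes the PostgreSQL superuser login and the application over plain HTTP on every host interface, bypassing the nginx TLS vhost. The app reaches the database over `panda_maintenance_backend` and nginx reaches the app over `backend`, so neither `ports:` block should be needed; remove them, or bind to loopback with `127.0.0.1:5432:5432` if host access is required for administration. The application also connects as `postgres`; a dedicated role that owns only the `openmaint` database would limit what a compromised app can do, if the image's entrypoint allows it. `POSTGRES_HOST=openmaint_db` does not match the service name `panda-maintenance-db`.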
From: Konrad Bucheli Date: Tue, 28 Oct 2025 08:35:43 +0100 Subject: [PATCH 14/43] fix indentation (#15) Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/15 Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- docker-compose.yaml | 106 ++++++++++++++++++++++---------------------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index c300345..8d7944c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -244,59 +244,59 @@ services: # Christoph Hug , Simon Suter # Panda-Maintenance (OpenMaint) - panda-maintenance-db: - image: postgis/postgis:17-3.5-alpine - container_name: panda-maintenance-db - volumes: - - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw - ports: - - 5432:5432 - environment: - - POSTGRES_USER=postgres - - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} - restart: always - mem_limit: 4000m - mem_reservation: 2000m - healthcheck: - test: [ "CMD-SHELL", "pg_isready -U postgres" ] - interval: 30s - timeout: 10s - retries: 3 - start_period: 80s - networks: - - panda_maintenance_backend - panda-maintenance-app: - image: itmicus/cmdbuild:om-2.4-4.1.0 - container_name: panda-maintenance-app - links: - - panda-maintenance-db - depends_on: - panda-maintenance-db: - condition: service_healthy - ports: - - 8080:8080 - restart: always - volumes: - - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro - environment: - - POSTGRES_USER=postgres - - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} - - POSTGRES_PORT=5432 - - POSTGRES_HOST=openmaint_db - - POSTGRES_DB=openmaint - - CMDBUILD_DUMP=empty.dump.xz - - JAVA_OPTS=-Xmx6000m -Xms3000m - mem_limit: 6000m - mem_reservation: 3500m - healthcheck: - test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ] - interval: 30s - timeout: 10s - retries: 5 - start_period: 120s - networks: - - backend - - panda_maintenance_backend + panda-maintenance-db: + image: postgis/postgis:17-3.5-alpine + container_name: panda-maintenance-db + volumes: + - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw + ports: + - 5432:5432 + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + restart: always + mem_limit: 4000m + mem_reservation: 2000m + healthcheck: + test: [ "CMD-SHELL", "pg_isready -U postgres" ] + interval: 30s + timeout: 10s + retries: 3 + start_period: 80s + networks: + - 
panda_maintenance_backend + panda-maintenance-app: + image: itmicus/cmdbuild:om-2.4-4.1.0 + container_name: panda-maintenance-app + links: + - panda-maintenance-db + depends_on: + panda-maintenance-db: + condition: service_healthy + ports: + - 8080:8080 + restart: always + volumes: + - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + - POSTGRES_PORT=5432 + - POSTGRES_HOST=openmaint_db + - POSTGRES_DB=openmaint + - CMDBUILD_DUMP=empty.dump.xz + - JAVA_OPTS=-Xmx6000m -Xms3000m + mem_limit: 6000m + mem_reservation: 3500m + healthcheck: + test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ] + interval: 30s + timeout: 10s + retries: 5 + start_period: 120s + networks: + - backend + - panda_maintenance_backend networks: From 690f1fc8c59f4f821e3f453351b338b4686b964c Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Tue, 28 Oct 2025 08:44:17 +0100 Subject: [PATCH 15/43] name db host properly (#16) Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/16 Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 8d7944c..6d6b39b 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -282,7 +282,7 @@ services: - POSTGRES_USER=postgres - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} - POSTGRES_PORT=5432 - - POSTGRES_HOST=openmaint_db + - POSTGRES_HOST=panda-maintenance-db - POSTGRES_DB=openmaint - CMDBUILD_DUMP=empty.dump.xz - JAVA_OPTS=-Xmx6000m -Xms3000m From 9ff88d5de008fa99e1179443d41f6663fdc590da Mon Sep 17 00:00:00 2001 
From: Konrad Bucheli Date: Tue, 28 Oct 2025 10:16:39 +0100 Subject: [PATCH 16/43] fix forwarding for cmdbuild (#17) Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/17 Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- conf.d/panda-maintenance.conf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/conf.d/panda-maintenance.conf b/conf.d/panda-maintenance.conf index 3c1d7b2..e6f658b 100644 --- a/conf.d/panda-maintenance.conf +++ b/conf.d/panda-maintenance.conf @@ -11,8 +11,14 @@ server { ssl_certificate /etc/nginx/certs/panda-maintenance.psi.ch.crt; ssl_certificate_key /etc/nginx/private/panda-maintenance.psi.ch.key; + + rewrite ^/$ /cmdbuild/ permanent; location / { - proxy_pass http://panda-maintenance-app:8080/cmdbuild; + return 404; + } + + location /cmdbuild { + proxy_pass http://panda-maintenance-app:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From b018578b30cd35f6df092462f46e9f29d26a079d Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Tue, 28 Oct 2025 11:03:53 +0100 Subject: [PATCH 17/43] OpenMaint: fix mixed content block (#18) Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/18 Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- conf.d/panda-maintenance.conf | 2 ++ docker-compose.yaml | 4 ---- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/conf.d/panda-maintenance.conf b/conf.d/panda-maintenance.conf index e6f658b..f34d885 100644 --- a/conf.d/panda-maintenance.conf +++ b/conf.d/panda-maintenance.conf @@ -23,5 +23,7 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + # https://forum.cmdbuild.org/t/cmdbuild-behind-nginx-reverse-proxy/5070/3 + add_header Content-Security-Policy upgrade-insecure-requests always; } } 
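Review bot: The `add_header Content-Security-Policy upgrade-insecure-requests always;` added inside `location /cmdbuild` switches off inheritance of every `add_header` from the outer levels, because nginx inherits them only when the current level defines none. nginx.conf, as shown later in this series, sets X-Content-Type-Options, Strict-Transport-Security and Referrer-Policy at `http` level, so responses from this location lose them. Repeat the ones that should still apply next to the new line, for example `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and `add_header X-Content-Type-Options nosniff;`, or keep them in a shared snippet pulled in with `include`.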
diff --git a/docker-compose.yaml b/docker-compose.yaml index 6d6b39b..940b375 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -249,8 +249,6 @@ services: container_name: panda-maintenance-db volumes: - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw - ports: - - 5432:5432 environment: - POSTGRES_USER=postgres - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} @@ -273,8 +271,6 @@ services: depends_on: panda-maintenance-db: condition: service_healthy - ports: - - 8080:8080 restart: always volumes: - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro From 6201b7d127eb54f466189ca756090403b1d4bb7d Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Mon, 3 Nov 2025 16:36:39 +0100 Subject: [PATCH 18/43] restart woodpecker Signed-off-by: Basil Bruhn --- docker-compose.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index 940b375..7ee5f2d 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -135,6 +135,7 @@ services: woodpecker-server: image: woodpeckerci/woodpecker-server:next container_name: woodpecker_server + restart: always ports: - 8000:8000 volumes: From 7fca83e6244c66af252c0b2f09d852c1b08aab5e Mon Sep 17 00:00:00 2001 From: bruhn_b Date: Tue, 4 Nov 2025 15:13:23 +0100 Subject: [PATCH 19/43] Update docker-compose.yaml --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 31fce05..d700f49 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -136,7 +136,7 @@ services: # /opt/webcontent/opticswiki must be filled once (before starting the container) # gitea.psi.ch/optics/opticswiki/ => make initvolumes opticswiki: - image: gitea.psi.ch/images/opticswiki + image: docker pull gitea.psi.ch/images/opticswiki:1 container_name: opticswiki restart: always volumes: From 81323b69647fa1d44e8a57f980f809295b3d2230 Mon Sep 17 00:00:00 2001 
From: bruhn_b Date: Tue, 4 Nov 2025 15:20:15 +0100 Subject: [PATCH 20/43] Update docker-compose.yaml --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index de7d98e..d39981d 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -136,7 +136,7 @@ services: # /opt/webcontent/opticswiki must be filled once (before starting the container) # gitea.psi.ch/optics/opticswiki/ => make initvolumes opticswiki: - image: docker pull gitea.psi.ch/images/opticswiki:1 + image: gitea.psi.ch/images/opticswiki:1 container_name: opticswiki restart: always volumes: From 52790849b155ce4e5195550eaa094fb19844104f Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 4 Nov 2025 15:23:38 +0100 Subject: [PATCH 21/43] version up swiss ecargo Signed-off-by: Basil Bruhn --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index d39981d..d368c02 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -69,7 +69,7 @@ services: # Romain Sacchi swiss-ecargo: - image: gitea.psi.ch/sacchi_r/swiss-ecargo:0.1.0 + image: gitea.psi.ch/sacchi_r/swiss-ecargo:0.1.1 container_name: swiss-ecargo restart: always networks: From e164197a8ce2441ca5f573fe8341f84fa279e708 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Fri, 7 Nov 2025 08:52:36 +0100 Subject: [PATCH 22/43] update Hedgedoc and swiss ecargo, also add env variable for openAI Signed-off-by: Basil Bruhn --- docker-compose.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index d368c02..f1e3d1f 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -69,16 +69,18 @@ services: # Romain Sacchi swiss-ecargo: - image: gitea.psi.ch/sacchi_r/swiss-ecargo:0.1.1 + image: gitea.psi.ch/sacchi_r/swiss-ecargo:0.1.2 container_name: swiss-ecargo restart: always + environment: + - HOSTED_API_KEY=${ecargo_api_key} networks: - backend # Augustin Sven # POC for SiwssFel hedgedoc_app: - image: quay.io/hedgedoc/hedgedoc:1.10.1 + image: quay.io/hedgedoc/hedgedoc:1.10.3 container_name: hedgedoc environment: - CMD_DB_URL=postgres://${hedgedoc_user}:${hedgedoc_password}@hedgedoc_db:5432/hedgedoc From 0661847299c941c1ccb888b576261be62fcb1c9f Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Fri, 7 Nov 2025 09:08:24 +0100 Subject: [PATCH 23/43] remove all woodpecker containers and nginx config Signed-off-by: Basil Bruhn --- conf.d/woodpecker-test.conf | 21 ------------------- docker-compose.yaml | 41 +------------------------------------ 2 files changed, 1 insertion(+), 61 deletions(-) delete mode 100644 conf.d/woodpecker-test.conf diff --git a/conf.d/woodpecker-test.conf b/conf.d/woodpecker-test.conf deleted file mode 100644 index df81b84..0000000 --- a/conf.d/woodpecker-test.conf +++ /dev/null @@ -1,21 +0,0 @@ -server { - listen 80; - server_name woodpecker-test.psi.ch; - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl; - server_name woodpecker-test.psi.ch; - - ssl_certificate /etc/nginx/certs/woodpecker-test.psi.ch.crt; - ssl_certificate_key /etc/nginx/private/woodpecker-test.psi.ch.key; - - location / { - proxy_pass http://woodpecker_server:8000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } -} diff --git a/docker-compose.yaml b/docker-compose.yaml index f1e3d1f..b87386f 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
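Review bot: `HOSTED_API_KEY=${ecargo_api_key}` interpolates to an empty string when the variable is missing from the deploy environment, and Compose only prints a warning, so the container would start with a blank key. Use the required form so the deployment fails instead: `- HOSTED_API_KEY=${ecargo_api_key:?ecargo_api_key is not set}`. Values passed this way are readable through `docker inspect` by anyone with access to the Docker socket; a mounted secret file is the stricter option if the application can read one.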
@@ -140,7 +140,7 @@ services: opticswiki: image: gitea.psi.ch/images/opticswiki:1 container_name: opticswiki - restart: always + restart: always volumes: - /opt/webcontent/opticswiki/data:/usr/local/apache2/Foswiki-2.1.9/data - /opt/webcontent/opticswiki/pub:/usr/local/apache2/Foswiki-2.1.9/pub @@ -149,44 +149,6 @@ services: networks: - backend - # Sven Augustin -Hax0rL0rd - # CI/CD Aaddition to Gitea (Jenkins for poor people) - woodpecker-server: - image: woodpeckerci/woodpecker-server:next - container_name: woodpecker_server - restart: always - ports: - - 8000:8000 - volumes: - - /opt/webcontent/woodpecker/server:/var/lib/woodpecker/ - environment: - - WOODPECKER_OPEN=true - - WOODPECKER_HOST=https://woodpecker-test.psi.ch - - WOODPECKER_AGENT_SECRET={{ WOODPECKER_AGENT_SECRET }} - - WOODPECKER_GITEA=true - - WOODPECKER_GITEA_URL=https://gitea-test.psi.ch - - WOODPECKER_GITEA_CLIENT={{ WOODPECKER_GITEA_CLIENT }} - - WOODPECKER_GITEA_SECRET={{ WOODPECKER_GITEA_SECRET }} - networks: - - backend - - woodpecker_backend - - woodpecker-agent: - image: woodpeckerci/woodpecker-agent:next - container_name: woodpecker_agent - command: agent - restart: always - depends_on: - - woodpecker-server - volumes: - - /opt/webcontent/woodpecker/agent/woodpecker:/etc/woodpecker - - /var/run/docker.sock:/var/run/docker.sock - environment: - - WOODPECKER_SERVER=woodpecker-server:9000 - - WOODPECKER_AGENT_SECRET={{ WOODPECKER_AGENT_SECRET }} - networks: - - woodpecker_backend - # Angelo Sozzi INC0150655 angelo.sozzi@psi.ch # POC Software - might be installed on docker-dmz n8n: @@ -319,7 +281,6 @@ networks: public: backend: hedgedoc_backend: - woodpecker_backend: it_strategy_dashboard_backend: panda_maintenance_backend: From 0d160ed817ba3160a7d774a6c332c14b448a865d Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 11:00:19 +0100 Subject: [PATCH 24/43] deploy fluid-eos and rfmwtools test 
Signed-off-by: Basil Bruhn --- conf.d/fluid-eos-test.conf | 30 ++++++++++++++++++++++++++++++ conf.d/rfmwtools-test.conf | 30 ++++++++++++++++++++++++++++++ docker-compose.yaml | 2 ++ 3 files changed, 62 insertions(+) create mode 100644 conf.d/fluid-eos-test.conf create mode 100644 conf.d/rfmwtools-test.conf diff --git a/conf.d/fluid-eos-test.conf b/conf.d/fluid-eos-test.conf new file mode 100644 index 0000000..6826f64 --- /dev/null +++ b/conf.d/fluid-eos-test.conf @@ -0,0 +1,30 @@ +# INC0150202 Kohlbrecher Joachim & Wall Edward Owen +server { + listen 80; + server_name fluid-eos-test.psi.ch; + + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + server_name fluid-eos-test.psi.ch; + + root /opt/webcontent/fluid-eos; + index index.html; + + ssl_certificate /etc/nginx/certs/fluid-eos-test.psi.ch.crt; + ssl_certificate_key /etc/nginx/private/fluid-eos-test.psi.ch.key; + + access_log /var/log/nginx/fluid-eos-test.access.log; + error_log /var/log/nginx/fluid-eos-test.error.log; + + location / { + autoindex on; + autoindex_exact_size off; + autoindex_localtime on; + + try_files $uri $uri/ =404; + } +} + diff --git a/conf.d/rfmwtools-test.conf b/conf.d/rfmwtools-test.conf new file mode 100644 index 0000000..6a59873 --- /dev/null +++ b/conf.d/rfmwtools-test.conf @@ -0,0 +1,30 @@ +# Gaspar Marcos - ISPD Migration +server { + listen 80; + server_name rfmwtools-test.psi.ch; + + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + server_name rfmwtools-test.psi.ch; + + root /opt/webcontent/rfmwtools; + index rfmwtools.html; + + ssl_certificate /etc/nginx/certs/rfmwtools-test.psi.ch.crt; + ssl_certificate_key /etc/nginx/private/rfmwtools-test.psi.ch.key; + + access_log /var/log/nginx/rfmwtools-test.access.log; + error_log /var/log/nginx/rfmwtools-test.error.log; + + location / { + autoindex on; + autoindex_exact_size off; + autoindex_localtime on; + + try_files $uri $uri/ =404; + } +} + 
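Review bot: `autoindex on;` in `location /` of fluid-eos-test.conf makes every directory under `/opt/webcontent/fluid-eos` that has no `index.html` browsable, so anything copied over during the migration (backups, editor files, dot-directories) is listed and downloadable. If browsing is not a requirement, use `autoindex off;`; if it is, limit it to the subtree that needs it and add `location ~ /\. { deny all; }`. The rfmwtools-test.conf hunk in the same commit uses the identical block and needs the same decision.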
diff --git a/docker-compose.yaml b/docker-compose.yaml index b87386f..e2a26b0 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -18,6 +18,8 @@ services: - /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /etc/nginx/conf.d:/etc/nginx/conf.d:ro - /opt/webcontent/sinqstatus-test:/opt/webcontent/sinqstatus-test:ro + - /opt/webcontent/fluid-eos:/opt/webcontent/fluid-eos:ro + - /opt/webcontent/rfmwtools:/opt/webcontent/rfmwtools:ro - /opt/webcontent/it-strategy-dashboard/frontend/:/opt/webcontent/it-strategy-dashboard/:ro networks: - public From 478e3ab70f4b9100c2290fa47185749d26774354 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 11:07:39 +0100 Subject: [PATCH 25/43] fix description and locations EOS Signed-off-by: Basil Bruhn --- conf.d/fluid-eos-test.conf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/conf.d/fluid-eos-test.conf b/conf.d/fluid-eos-test.conf index 6826f64..5951684 100644 --- a/conf.d/fluid-eos-test.conf +++ b/conf.d/fluid-eos-test.conf @@ -1,4 +1,4 @@ -# INC0150202 Kohlbrecher Joachim & Wall Edward Owen +# Churakov Sergey - ISPD migration server { listen 80; server_name fluid-eos-test.psi.ch; @@ -26,5 +26,12 @@ server { try_files $uri $uri/ =404; } + location /EOS/ { + autoindex on; + autoindex_exact_size off; + autoindex_localtime on; + + try_files $uri $uri/ =404; + } } From 0b68f417156e37433f5f34236f67ab00eb9469df Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 11:10:13 +0100 Subject: [PATCH 26/43] prefix match Signed-off-by: Basil Bruhn --- conf.d/fluid-eos-test.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf.d/fluid-eos-test.conf b/conf.d/fluid-eos-test.conf index 5951684..e0e1a21 100644 --- a/conf.d/fluid-eos-test.conf +++ b/conf.d/fluid-eos-test.conf @@ -26,7 +26,7 @@ server { try_files $uri $uri/ =404; } - location /EOS/ { + location ^~ /EOS/ { autoindex on; autoindex_exact_size off; autoindex_localtime on; 
From c96d168b6d35690bc82d48f960a01b9c5204cfa4 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 11:28:42 +0100 Subject: [PATCH 27/43] x-frame-options allow Signed-off-by: Basil Bruhn --- nginx.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/nginx.conf b/nginx.conf index 022ad56..6516663 100644 --- a/nginx.conf +++ b/nginx.conf @@ -12,7 +12,6 @@ http { default_type application/octet-stream; add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options DENY; add_header X-XSS-Protection "1; mode=block"; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS add_header Referrer-Policy no-referrer-when-downgrade; # Referrer policy From 0ace2e232e5f3a536dde28181a4454ffabd6427a Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 11:50:02 +0100 Subject: [PATCH 28/43] java script errors Signed-off-by: Basil Bruhn --- conf.d/rfmwtools-test.conf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/conf.d/rfmwtools-test.conf b/conf.d/rfmwtools-test.conf index 6a59873..d1a9f70 100644 --- a/conf.d/rfmwtools-test.conf +++ b/conf.d/rfmwtools-test.conf @@ -19,12 +19,21 @@ server { access_log /var/log/nginx/rfmwtools-test.access.log; error_log /var/log/nginx/rfmwtools-test.error.log; + # CSP-only framing + add_header Content-Security-Policy "frame-ancestors https://*.psi.ch" always; + add_header X-Frame-Options "" always; + + location ~* \.(js|css|html|gif|png|jpg|ico)$ { + autoindex off; + try_files $uri =404; + } + location / { autoindex on; autoindex_exact_size off; autoindex_localtime on; - try_files $uri $uri/ =404; + try_files $uri/ =404; } } From 70569943087e7f036f26cfbad557ec67153f049a Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 12:03:42 +0100 Subject: [PATCH 29/43] whitespaces Signed-off-by: Basil Bruhn --- docker-compose.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
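Review bot: Declaring `add_header` at server level in rfmwtools-test.conf stops this vhost from inheriting any `add_header` set in the `http` block of nginx.conf (X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy), because nginx inherits them only when the current level defines none. Repeat the ones that should still apply next to the `frame-ancestors` line, e.g. `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`. For the same reason the global `X-Frame-Options DENY` did not have to be removed from nginx.conf (PATCH 27/43) to allow framing of this one site; restoring it keeps framing protection on the vhosts that define no headers of their own. `add_header X-Frame-Options "" always;` has no effect, since nginx does not emit a header whose value is empty, and can be dropped.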
diff --git a/docker-compose.yaml b/docker-compose.yaml index e2a26b0..ce17a33 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -40,19 +40,19 @@ services: pif-elog: image: gitea.psi.ch/images/elog:3.1.5 container_name: pif-elog - restart: always + restart: always volumes: - /opt/logbooks/pif:/usr/local/elog/logbooks - /opt/webcontent/pif/elog.cfg:/usr/local/elog/elogd.cfg networks: - - backend + - backend # Krieger Jonas Andreas , Raselli Andrea-Raeto # Elog as a Service PoC mit musr-elog.psi.ch? linux-eng@psi.ch lmu-elog: image: gitea.psi.ch/images/elog:3.1.5 container_name: lmu-elog - restart: always + restart: always volumes: - /opt/logbooks/LMU:/usr/local/elog/logbooks - /opt/webcontent/LMU/elog.cfg:/usr/local/elog/elogd.cfg @@ -66,7 +66,7 @@ services: image: gitea.psi.ch/images/mcda-calculator:1.0.3 container_name: mcda-calculator restart: always - networks: + networks: - backend # Romain Sacchi @@ -104,7 +104,7 @@ services: - /opt/webcontent/sf-hedgedoc/uploads:/hedgedoc/public/uploads restart: always depends_on: - - hedgedoc_db + - hedgedoc_db networks: - backend - hedgedoc_backend From 572398fe572b0e2a27f1d90353e113a6f6e84382 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 12:21:04 +0100 Subject: [PATCH 30/43] add apache php / cgi container for future apps and rfmwtools Signed-off-by: Basil Bruhn --- apache/conf/httpd.conf | 25 ++++++++++++++++++++++++ conf.d/rfmwtools-test.conf | 39 -------------------------------------- conf.d/rfmwtools.conf | 21 ++++++++++++++++++++ docker-compose.yaml | 15 +++++++++++++-- 4 files changed, 59 insertions(+), 41 deletions(-) create mode 100644 apache/conf/httpd.conf delete mode 100644 conf.d/rfmwtools-test.conf create mode 100644 conf.d/rfmwtools.conf diff --git a/apache/conf/httpd.conf b/apache/conf/httpd.conf new file mode 100644 index 0000000..f4edc99 --- /dev/null +++ b/apache/conf/httpd.conf 
@@ -0,0 +1,25 @@ +# Enable modules +LoadModule cgi_module modules/mod_cgi.so +LoadModule rewrite_module modules/mod_rewrite.so +LoadModule php_module modules/libphp.so # already in php:8.2-apache + +# RFMTools +DocumentRoot "/var/www/rfmwtools" + + + Options +ExecCGI +FollowSymLinks + AddHandler cgi-script .sh .cgi + Require all granted + + +# Optional: PHP apps under /phpapps (not enabled yet) + + Options Indexes FollowSymLinks + AllowOverride All + Require all granted + + +# Aliases for PHP apps (commented until ready) +#Alias /phpapp1/ /var/www/phpapps/app1/ +#Alias /phpapp2/ /var/www/phpapps/app2/ + diff --git a/conf.d/rfmwtools-test.conf b/conf.d/rfmwtools-test.conf deleted file mode 100644 index d1a9f70..0000000 --- a/conf.d/rfmwtools-test.conf +++ /dev/null @@ -1,39 +0,0 @@ -# Gaspar Marcos - ISPD Migration -server { - listen 80; - server_name rfmwtools-test.psi.ch; - - return 301 https://$host$request_uri; -} - -server { - listen 443 ssl; - server_name rfmwtools-test.psi.ch; - - root /opt/webcontent/rfmwtools; - index rfmwtools.html; - - ssl_certificate /etc/nginx/certs/rfmwtools-test.psi.ch.crt; - ssl_certificate_key /etc/nginx/private/rfmwtools-test.psi.ch.key; - - access_log /var/log/nginx/rfmwtools-test.access.log; - error_log /var/log/nginx/rfmwtools-test.error.log; - - # CSP-only framing - add_header Content-Security-Policy "frame-ancestors https://*.psi.ch" always; - add_header X-Frame-Options "" always; - - location ~* \.(js|css|html|gif|png|jpg|ico)$ { - autoindex off; - try_files $uri =404; - } - - location / { - autoindex on; - autoindex_exact_size off; - autoindex_localtime on; - - try_files $uri/ =404; - } -} - diff --git a/conf.d/rfmwtools.conf b/conf.d/rfmwtools.conf new file mode 100644 index 0000000..5331c38 --- /dev/null +++ b/conf.d/rfmwtools.conf 
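Review bot: `Options +ExecCGI +FollowSymLinks` together with `AddHandler cgi-script .sh .cgi` in apache/conf/httpd.conf makes every `.sh` or `.cgi` file inside that block executable on request; the block's opening tag is not visible in this rendering, but it follows `DocumentRoot "/var/www/rfmwtools"` and so presumably covers the whole content tree. I would limit CGI execution to the one script directory and serve the rest as static content, so that a file with one of these extensions elsewhere in the tree is not run by the server. The same pair of directives is added again in apache/conf/rfmwtools.conf in PATCH 32. Separately, `LoadModule php_module modules/libphp.so # already in php:8.2-apache` carries a trailing comment, which Apache does not accept on a directive line; the comment belongs on its own line.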
@@ -0,0 +1,21 @@ +server { + listen 80; + server_name rfmwtools-test.psi.ch; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + server_name rfmwtools-test.psi.ch; + + ssl_certificate /etc/nginx/certs/rfmwtools-test.psi.ch.crt; + ssl_certificate_key /etc/nginx/private/rfmwtools-test.psi.ch.key; + + location / { + proxy_pass http://apache_app:80; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } +} diff --git a/docker-compose.yaml b/docker-compose.yaml index ce17a33..ee7cd7c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -19,12 +19,23 @@ services: - /etc/nginx/conf.d:/etc/nginx/conf.d:ro - /opt/webcontent/sinqstatus-test:/opt/webcontent/sinqstatus-test:ro - /opt/webcontent/fluid-eos:/opt/webcontent/fluid-eos:ro - - /opt/webcontent/rfmwtools:/opt/webcontent/rfmwtools:ro - /opt/webcontent/it-strategy-dashboard/frontend/:/opt/webcontent/it-strategy-dashboard/:ro networks: - public - backend - + + apache: + image: php:8.2-apache + container_name: apache_app + restart: always + volumes: + - /opt/webcontent/rfmwtools:/var/www/rfmwtools:ro +# Apache config is prepared to have php apps inside /var/www/phpapps +# - ./phpapps:/var/www/phpapps:ro + - ./apache/conf/httpd.conf:/usr/local/etc/apache2/httpd.conf:ro + networks: + - backend + # linux-eng@psi.ch # Test app excalidraw: From fe99b08bdda05aaf97378feee1820aecb7de69df Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 12:26:57 +0100 Subject: [PATCH 31/43] apache config document root disable Signed-off-by: Basil Bruhn --- apache/conf/httpd.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apache/conf/httpd.conf b/apache/conf/httpd.conf index f4edc99..1325bf0 100644 --- a/apache/conf/httpd.conf +++ b/apache/conf/httpd.conf 
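Review bot: The new 443 server block in conf.d/rfmwtools.conf sets no `add_header` and no `access_log`/`error_log`, while the conf.d/rfmwtools-test.conf deleted in the same commit sent `Content-Security-Policy "frame-ancestors https://*.psi.ch"` and wrote per-site logs. With `X-Frame-Options DENY` already removed from nginx.conf in PATCH 27, the visible configuration leaves this site without any framing restriction. If framing by PSI hosts is still the intent, carry the header over as `add_header Content-Security-Policy "frame-ancestors https://*.psi.ch" always;` and repeat the `http`-level security headers beside it, because a server-level `add_header` replaces the inherited set. Restoring `access_log /var/log/nginx/rfmwtools-test.access.log;` keeps the per-site request trail that the old file had.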
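Review bot: The bind mount `- ./apache/conf/httpd.conf:/usr/local/etc/apache2/httpd.conf:ro` in the new `apache` service probably has no effect, because the `php:8.2-apache` image is Debian-based and, as far as I know, reads its configuration from `/etc/apache2/`. The container would then run with the image defaults rather than the access and CGI rules reviewed in apache/conf/httpd.conf. Mounting the file under a directory the image includes, for example `/etc/apache2/sites-enabled/`, and checking the loaded virtual hosts after start would confirm that the reviewed configuration is the one in force. The service list continues outside the hunk.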
@@ -3,6 +3,11 @@ LoadModule cgi_module modules/mod_cgi.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule php_module modules/libphp.so # already in php:8.2-apache +# Disable default doc root + + Require all denied + + # RFMTools DocumentRoot "/var/www/rfmwtools" From 2280fb03ad6fb50eb2e37e215610d8110719cfa4 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 12:42:02 +0100 Subject: [PATCH 32/43] make apache config modular Signed-off-by: Basil Bruhn --- apache/conf/httpd.conf | 30 ------------------------------ apache/conf/rfmwtools.conf | 15 +++++++++++++++ docker-compose.yaml | 5 ++--- 3 files changed, 17 insertions(+), 33 deletions(-) delete mode 100644 apache/conf/httpd.conf create mode 100644 apache/conf/rfmwtools.conf diff --git a/apache/conf/httpd.conf b/apache/conf/httpd.conf deleted file mode 100644 index 1325bf0..0000000 --- a/apache/conf/httpd.conf +++ /dev/null @@ -1,30 +0,0 @@ -# Enable modules -LoadModule cgi_module modules/mod_cgi.so -LoadModule rewrite_module modules/mod_rewrite.so -LoadModule php_module modules/libphp.so # already in php:8.2-apache - -# Disable default doc root - - Require all denied - - -# RFMTools -DocumentRoot "/var/www/rfmwtools" - - - Options +ExecCGI +FollowSymLinks - AddHandler cgi-script .sh .cgi - Require all granted - - -# Optional: PHP apps under /phpapps (not enabled yet) - - Options Indexes FollowSymLinks - AllowOverride All - Require all granted - - -# Aliases for PHP apps (commented until ready) -#Alias /phpapp1/ /var/www/phpapps/app1/ -#Alias /phpapp2/ /var/www/phpapps/app2/ - diff --git a/apache/conf/rfmwtools.conf b/apache/conf/rfmwtools.conf new file mode 100644 index 0000000..e4d10c0 --- /dev/null +++ b/apache/conf/rfmwtools.conf @@ -0,0 +1,15 @@ + + ServerName rfmwtools-test.psi.ch + + DocumentRoot /var/www/rfmwtools + + + Options +ExecCGI +FollowSymLinks + AddHandler cgi-script .sh .cgi + Require all granted + + + ErrorLog /proc/self/fd/2 + CustomLog /proc/self/fd/1 combined + + 
diff --git a/docker-compose.yaml b/docker-compose.yaml index ee7cd7c..b7983b7 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -30,9 +30,8 @@ services: restart: always volumes: - /opt/webcontent/rfmwtools:/var/www/rfmwtools:ro -# Apache config is prepared to have php apps inside /var/www/phpapps -# - ./phpapps:/var/www/phpapps:ro - - ./apache/conf/httpd.conf:/usr/local/etc/apache2/httpd.conf:ro + - ./apache/conf/rfmwtools.conf:/etc/apache2/sites-enabled/rfmwtools.conf:ro + networks: - backend From a455dcc0324ee65663cd1f8c01bfb11a87627b16 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 12:44:55 +0100 Subject: [PATCH 33/43] change index Signed-off-by: Basil Bruhn --- apache/conf/rfmwtools.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apache/conf/rfmwtools.conf b/apache/conf/rfmwtools.conf index e4d10c0..8c61e85 100644 --- a/apache/conf/rfmwtools.conf +++ b/apache/conf/rfmwtools.conf @@ -4,8 +4,9 @@ DocumentRoot /var/www/rfmwtools - Options +ExecCGI +FollowSymLinks + Options +ExecCGI +FollowSymLinks +Indexes AddHandler cgi-script .sh .cgi + DirectoryIndex rfmwtools.html Require all granted From fb522a5a893644f3103f7d9322453007f7bf8daf Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 12:47:03 +0100 Subject: [PATCH 34/43] apache ist soooooooo kompliziert Signed-off-by: Basil Bruhn --- apache/conf/rfmwtools.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/conf/rfmwtools.conf b/apache/conf/rfmwtools.conf index 8c61e85..941665e 100644 --- a/apache/conf/rfmwtools.conf +++ b/apache/conf/rfmwtools.conf @@ -3,7 +3,7 @@ DocumentRoot /var/www/rfmwtools - + Options +ExecCGI +FollowSymLinks +Indexes AddHandler cgi-script .sh .cgi DirectoryIndex rfmwtools.html From 4fb595ea66fad702103d4dd2dab6e024f2f39e0e Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 12:48:33 +0100 Subject: [PATCH 35/43] fail 
Signed-off-by: Basil Bruhn --- apache/conf/rfmwtools.conf | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apache/conf/rfmwtools.conf b/apache/conf/rfmwtools.conf index 941665e..0967497 100644 --- a/apache/conf/rfmwtools.conf +++ b/apache/conf/rfmwtools.conf @@ -3,10 +3,17 @@ DocumentRoot /var/www/rfmwtools + # Serve HTML and static files at root + + Options +FollowSymLinks + DirectoryIndex rfmwtools.html + Require all granted + + + # Enable CGI execution for scripts in cgi-bin - Options +ExecCGI +FollowSymLinks +Indexes + Options +ExecCGI +FollowSymLinks AddHandler cgi-script .sh .cgi - DirectoryIndex rfmwtools.html Require all granted From ac9831d4aa83d86253ecbf41509ae4948297d5d3 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 13:04:43 +0100 Subject: [PATCH 36/43] own docker image Signed-off-by: Basil Bruhn --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index b7983b7..16fc00f 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -25,7 +25,7 @@ services: - backend apache: - image: php:8.2-apache + image: gitea.psi.ch/images/php-apache:latest container_name: apache_app restart: always volumes: From 0f0ceb374b84fb975655bd6d077133d443a960af Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 13:07:57 +0100 Subject: [PATCH 37/43] apache mal wieder Signed-off-by: Basil Bruhn --- apache/conf/rfmwtools.conf | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/apache/conf/rfmwtools.conf b/apache/conf/rfmwtools.conf index 0967497..ca12624 100644 --- a/apache/conf/rfmwtools.conf +++ b/apache/conf/rfmwtools.conf 
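Review bot: `image: gitea.psi.ch/images/php-apache:latest` (PATCH 36) replaces a versioned tag with a floating one, so the image that runs can change on any pull or re-create without a change in this repository. The other services visible in this file pin a version (`elog:3.1.5`, `mcda-calculator:1.0.3`); I would do the same here with `image: gitea.psi.ch/images/php-apache:<version>` or pin by digest, so a deployment can be traced back to a known build. The `apache` service definition continues outside the hunk.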
@@ -3,16 +3,10 @@ DocumentRoot /var/www/rfmwtools - # Serve HTML and static files at root - - Options +FollowSymLinks - DirectoryIndex rfmwtools.html - Require all granted - + ScriptAlias /cgi-bin/ /var/www/rfmwtools/cgi-bin/ - # Enable CGI execution for scripts in cgi-bin - Options +ExecCGI +FollowSymLinks + Options +ExecCGI +FollowSymLinks +Indexes AddHandler cgi-script .sh .cgi Require all granted From 50b7cf64c585f71fb0be3f61235a687253bde5ff Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 13:10:36 +0100 Subject: [PATCH 38/43] apache Signed-off-by: Basil Bruhn --- apache/conf/rfmwtools.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apache/conf/rfmwtools.conf b/apache/conf/rfmwtools.conf index ca12624..5122cda 100644 --- a/apache/conf/rfmwtools.conf +++ b/apache/conf/rfmwtools.conf @@ -11,6 +11,11 @@ Require all granted + + Options Indexes FollowSymLinks + Require all granted + + ErrorLog /proc/self/fd/2 CustomLog /proc/self/fd/1 combined From 570cd243e2bc07266f32314f15cabff886a2eb18 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 13:18:58 +0100 Subject: [PATCH 39/43] finally Signed-off-by: Basil Bruhn --- apache/conf/rfmwtools.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apache/conf/rfmwtools.conf b/apache/conf/rfmwtools.conf index 5122cda..e86abfd 100644 --- a/apache/conf/rfmwtools.conf +++ b/apache/conf/rfmwtools.conf @@ -1,19 +1,26 @@ ServerName rfmwtools-test.psi.ch + # Document root for static files DocumentRoot /var/www/rfmwtools + # CGI scripts ScriptAlias /cgi-bin/ /var/www/rfmwtools/cgi-bin/ Options +ExecCGI +FollowSymLinks +Indexes AddHandler cgi-script .sh .cgi Require all granted + + SetEnv SCRIPT_WORKDIR /var/www/rfmwtools/cgi-bin + DirectoryIndex rfmwtools.html Options Indexes FollowSymLinks + AllowOverride None Require all granted + DirectoryIndex rfmwtools.html ErrorLog /proc/self/fd/2 From a543867ffd41f9790f60e3034fb37bf979abcc80 Mon Sep 17 00:00:00 2001 
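Review bot: `ScriptAlias /cgi-bin/ /var/www/rfmwtools/cgi-bin/` (PATCH 37) points at a directory inside `DocumentRoot /var/www/rfmwtools`, so the scripts remain ordinary files under the document root and would be served as source if the CGI mapping is ever removed or mis-edited. Keeping the scripts outside the document root, with a separate read-only mount as the ScriptAlias target, avoids that. With ScriptAlias in place, `AddHandler cgi-script .sh .cgi` and `+Indexes` in the block below add nothing for that directory, and the options line can go back to `Options +ExecCGI +FollowSymLinks`. The opening tag of that block is not visible in this rendering, so the directory it applies to is inferred from the earlier `# Enable CGI execution for scripts in cgi-bin` comment.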
From: Basil Bruhn Date: Tue, 11 Nov 2025 14:48:26 +0100 Subject: [PATCH 40/43] gfa-status-test Signed-off-by: Basil Bruhn --- apache/conf/gfa-status.conf | 32 ++++++++++++++++++++++++++++++++ docker-compose.yaml | 17 ++++------------- 2 files changed, 36 insertions(+), 13 deletions(-) create mode 100644 apache/conf/gfa-status.conf diff --git a/apache/conf/gfa-status.conf b/apache/conf/gfa-status.conf new file mode 100644 index 0000000..5bdfea7 --- /dev/null +++ b/apache/conf/gfa-status.conf @@ -0,0 +1,32 @@ + + ServerName gfa-status.web.psi.ch + ServerAlias www.gfa-status.web.psi.ch + DocumentRoot /var/www/gfa-status.web.psi.ch/web + + ErrorLog /proc/self/fd/2 + CustomLog /proc/self/fd/1 combined + + Header set Access-Control-Allow-Origin "*" + + # PHP configuration + + SetHandler application/x-httpd-php + + + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@gfa-status.web.psi.ch" + php_admin_value upload_tmp_dir /var/www/clients/client45/web70/tmp + php_admin_value session.save_path /var/www/clients/client45/web70/tmp + php_admin_value open_basedir /var/www/clients/client45/web70/web:/var/www/clients/client45/web70/private:/var/www/clients/client45/web70/tmp:/var/www/gfa-status.web.psi.ch/web:/tmp:/usr/share/php:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/var/www/error/ + + + Options +FollowSymLinks +Includes + AllowOverride All + Require all granted + + # SSI support + AddType text/html .shtml + AddOutputFilter INCLUDES .shtml + + + + diff --git a/docker-compose.yaml b/docker-compose.yaml index 16fc00f..d468e87 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
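Review bot: `Options +FollowSymLinks +Includes` combined with `AllowOverride All` in apache/conf/gfa-status.conf enables server-side includes with the `exec` element and lets any `.htaccess` in the content tree change options further. If the `.shtml` pages only include other files, `Options +FollowSymLinks +IncludesNOEXEC` and a narrower `AllowOverride` keep SSI without command execution. The `php_admin_value` lines look copied from the previous host: `open_basedir` allows `/tmp` and the phpMyAdmin directories, and `upload_tmp_dir` and `session.save_path` point to `/var/www/clients/client45/web70/tmp`, none of which the compose file in this series mounts, so they should be reduced to paths that exist in the container. `Header set Access-Control-Allow-Origin "*"` is worth confirming as intended for this site.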
@@ -24,14 +24,16 @@ services: - public - backend + # rfwtools + # gfa-status-test apache: image: gitea.psi.ch/images/php-apache:latest container_name: apache_app restart: always volumes: - /opt/webcontent/rfmwtools:/var/www/rfmwtools:ro - - ./apache/conf/rfmwtools.conf:/etc/apache2/sites-enabled/rfmwtools.conf:ro - + - /opt/webcontent/gfa-status:/var/www/gfa-status:ro + - ./apache/conf/:/etc/apache2/sites-enabled/:ro networks: - backend @@ -133,17 +135,6 @@ services: networks: - hedgedoc_backend - # Andreas Luedeke - # POC not running yet - gfa-status-test: - image: php:8.2-apache - container_name: gfa-status-test - volumes: - - /opt/webcontent/gfa-status/web:/var/www/html - restart: always - networks: - - backend - # Flechsig Uwe # opticswiki (test setup) # I assume gitea.psi.ch/images is the local image repository filled docker push From d9bc31d0b66de88e0383fe66a935ecd348f86ff9 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 14:55:46 +0100 Subject: [PATCH 41/43] individual configs Signed-off-by: Basil Bruhn --- docker-compose.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index d468e87..5b482d3 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -33,7 +33,8 @@ services: volumes: - /opt/webcontent/rfmwtools:/var/www/rfmwtools:ro - /opt/webcontent/gfa-status:/var/www/gfa-status:ro - - ./apache/conf/:/etc/apache2/sites-enabled/:ro + - ./apache/conf/rfmwtools.conf:/etc/apache2/sites-enabled/rfmwtools.conf:ro + - ./apache/conf/gfa-status.conf:/etc/apache2/sites-enabled/gfa-status.conf:ro networks: - backend From ecc9fc2fc14fbd3de03f50a4cbe50710ae825a39 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 15:14:42 +0100 Subject: [PATCH 42/43] different container for gfa status Signed-off-by: Basil Bruhn --- conf.d/gfa-status-test.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
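Review bot: Moving gfa-status into the shared `apache_app` container (first docker-compose.yaml hunk of PATCH 40, with the dedicated `gfa-status-test` service removed in the second) runs the rfmwtools CGI scripts and the gfa-status PHP application in one container, so a fault in either application can read the other's mounted content. The `:ro` mounts limit the effect to disclosure, but one container per application owner would keep the boundary the previous layout had. The mount `- /opt/webcontent/gfa-status:/var/www/gfa-status:ro` also does not match `DocumentRoot /var/www/gfa-status.web.psi.ch/web` in the vhost added by the same commit, so that site has no content directory until one of the two is changed. The `apache` service block starts and ends outside the hunk.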
diff --git a/conf.d/gfa-status-test.conf b/conf.d/gfa-status-test.conf index b7fec56..6c991a0 100644 --- a/conf.d/gfa-status-test.conf +++ b/conf.d/gfa-status-test.conf @@ -12,7 +12,7 @@ server { ssl_certificate_key /etc/nginx/private/gfa-status-test.psi.ch.key; location / { - proxy_pass http://gfa-status-test:80; + proxy_pass http://apache_app:80; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 106d05bedb4519eabe6376067be0d70c05d986a1 Mon Sep 17 00:00:00 2001 From: Basil Bruhn Date: Tue, 11 Nov 2025 15:21:11 +0100 Subject: [PATCH 43/43] apache config error Signed-off-by: Basil Bruhn --- apache/conf/gfa-status.conf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apache/conf/gfa-status.conf b/apache/conf/gfa-status.conf index 5bdfea7..23bf340 100644 --- a/apache/conf/gfa-status.conf +++ b/apache/conf/gfa-status.conf @@ -1,7 +1,6 @@ - ServerName gfa-status.web.psi.ch - ServerAlias www.gfa-status.web.psi.ch - DocumentRoot /var/www/gfa-status.web.psi.ch/web + ServerName gfa-status-test.psi.ch + DocumentRoot /var/www/gfa-status/web ErrorLog /proc/self/fd/2 CustomLog /proc/self/fd/1 combined