From 77f34de401118bc4c32d4fd743bf2e86d1c0aeff Mon Sep 17 00:00:00 2001
From: Basil Bruhn
Date: Mon, 27 Oct 2025 09:21:51 +0100
Subject: [PATCH 1/6] default server
Signed-off-by: Basil Bruhn
---
conf.d/00-default.conf | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 conf.d/00-default.conf
diff --git a/conf.d/00-default.conf b/conf.d/00-default.conf
new file mode 100644
index 0000000..4cd2df5
--- /dev/null
+++ b/conf.d/00-default.conf
@@ -0,0 +1,20 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ server_name _;
+
+ return 404;
+
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ server_name _;
+
+ ssl_certificate /etc/nginx/certs/default.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/default.psi.ch.key;
+
+ return 404;
+}
+
From 1031743c36c5b4e9a250c8da8ad8171482be3fba Mon Sep 17 00:00:00 2001
From: Konrad Bucheli
Date: Tue, 28 Oct 2025 08:28:56 +0100
Subject: [PATCH 2/6] add OpenMaint as panda-maintenance.psi.ch (#14)
Add a [OpenMaint](https://www.openmaint.org/en/home) instance using the Docker images and compose from https://github.com/itmicus/cmdbuild_docker.
Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/14
Reviewed-by: bruhn_b
Co-authored-by: Konrad Bucheli
Co-committed-by: Konrad Bucheli
---
conf.d/panda-maintenance.conf | 21 +++++++++++++
docker-compose.yaml | 58 +++++++++++++++++++++++++++++++++++
2 files changed, 79 insertions(+)
create mode 100644 conf.d/panda-maintenance.conf
diff --git a/conf.d/panda-maintenance.conf b/conf.d/panda-maintenance.conf
new file mode 100644
index 0000000..3c1d7b2
--- /dev/null
+++ b/conf.d/panda-maintenance.conf
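Review bot: In `conf.d/00-default.conf`, the port-443 catch-all completes a TLS handshake with the `default.psi.ch` certificate for every unknown SNI name before it answers 404, so any hostname pointed at this address is served a certificate that does not match it, and a private key is kept on disk only for that purpose. On nginx 1.19.4 or newer, `ssl_reject_handshake on;` in this block refuses the handshake for unmatched names and makes the `ssl_certificate`/`ssl_certificate_key` pair unnecessary; the nginx version in use is not visible in the patch. For the port-80 block, `return 444;` closes the connection without a response if that is preferred over a 404 page. The empty line before the first closing brace can be dropped.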
@@ -0,0 +1,21 @@
+server {
+ listen 80;
+ server_name panda-maintenance.psi.ch;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name panda-maintenance.psi.ch;
+
+ ssl_certificate /etc/nginx/certs/panda-maintenance.psi.ch.crt;
+ ssl_certificate_key /etc/nginx/private/panda-maintenance.psi.ch.key;
+
+ location / {
+ proxy_pass http://panda-maintenance-app:8080/cmdbuild;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/docker-compose.yaml b/docker-compose.yaml
index f52e63f..c300345 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
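Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the `location /` block of the 443 server in `conf.d/panda-maintenance.conf` passes on whatever `X-Forwarded-For` value the client sent and only appends the real peer address to it. If this nginx is the first hop (no trusted load balancer in front, which the patch does not show) and the application logs or restricts by the first entry, that entry is client-controlled; `proxy_set_header X-Forwarded-For $remote_addr;` avoids this. A comment above the header lines such as `# nginx is the edge proxy: forwarded headers are set here, never taken from the client` would record the assumption for the next editor.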
@@ -242,10 +242,68 @@ services: timeout: 5s retries: 5 +# Christoph Hug , Simon Suter +# Panda-Maintenance (OpenMaint) + panda-maintenance-db: + image: postgis/postgis:17-3.5-alpine + container_name: panda-maintenance-db + volumes: + - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw + ports: + - 5432:5432 + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + restart: always + mem_limit: 4000m + mem_reservation: 2000m + healthcheck: + test: [ "CMD-SHELL", "pg_isready -U postgres" ] + interval: 30s + timeout: 10s + retries: 3 + start_period: 80s + networks: + - panda_maintenance_backend + panda-maintenance-app: + image: itmicus/cmdbuild:om-2.4-4.1.0 + container_name: panda-maintenance-app + links: + - panda-maintenance-db + depends_on: + panda-maintenance-db: + condition: service_healthy + ports: + - 8080:8080 + restart: always + volumes: + - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + - POSTGRES_PORT=5432 + - POSTGRES_HOST=openmaint_db + - POSTGRES_DB=openmaint + - CMDBUILD_DUMP=empty.dump.xz + - JAVA_OPTS=-Xmx6000m -Xms3000m + mem_limit: 6000m + mem_reservation: 3500m + healthcheck: + test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ] + interval: 30s + timeout: 10s + retries: 5 + start_period: 120s + networks: + - backend + - panda_maintenance_backend + + networks: public: backend: hedgedoc_backend: woodpecker_backend: it_strategy_dashboard_backend: + panda_maintenance_backend: From edb28e88de0765aa16f95aaf8834b66a3d58a99c Mon Sep 17 00:00:00 2001 
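Review bot: Both new services are pulled by mutable tag (`postgis/postgis:17-3.5-alpine` and `itmicus/cmdbuild:om-2.4-4.1.0`, the second from a third-party Docker Hub namespace), so the content that runs can change without any commit in this repository; pinning by digest, e.g. `image: itmicus/cmdbuild:om-2.4-4.1.0@sha256:<digest-placeholder>`, keeps the deployed image reviewable. `${PANDA_MAINTENANCE_DB_PW}` expands to an empty string when the variable is unset; `${PANDA_MAINTENANCE_DB_PW:?PANDA_MAINTENANCE_DB_PW must be set}` makes compose stop with an error instead. The app container also connects as the `postgres` superuser; whether CMDBuild needs that beyond the initial database restore cannot be told from the hunk, and a dedicated role would limit what a compromised app container can do in the database. The `services:` mapping starts outside the hunk.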
From: Konrad Bucheli Date: Tue, 28 Oct 2025 08:35:43 +0100 Subject: [PATCH 3/6] fix indentation (#15) Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/15 Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- docker-compose.yaml | 106 ++++++++++++++++++++++---------------------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index c300345..8d7944c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -244,59 +244,59 @@ services: # Christoph Hug , Simon Suter # Panda-Maintenance (OpenMaint) - panda-maintenance-db: - image: postgis/postgis:17-3.5-alpine - container_name: panda-maintenance-db - volumes: - - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw - ports: - - 5432:5432 - environment: - - POSTGRES_USER=postgres - - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} - restart: always - mem_limit: 4000m - mem_reservation: 2000m - healthcheck: - test: [ "CMD-SHELL", "pg_isready -U postgres" ] - interval: 30s - timeout: 10s - retries: 3 - start_period: 80s - networks: - - panda_maintenance_backend - panda-maintenance-app: - image: itmicus/cmdbuild:om-2.4-4.1.0 - container_name: panda-maintenance-app - links: - - panda-maintenance-db - depends_on: - panda-maintenance-db: - condition: service_healthy - ports: - - 8080:8080 - restart: always - volumes: - - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro - environment: - - POSTGRES_USER=postgres - - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} - - POSTGRES_PORT=5432 - - POSTGRES_HOST=openmaint_db - - POSTGRES_DB=openmaint - - CMDBUILD_DUMP=empty.dump.xz - - JAVA_OPTS=-Xmx6000m -Xms3000m - mem_limit: 6000m - mem_reservation: 3500m - healthcheck: - test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ] - interval: 30s - timeout: 10s - retries: 5 - start_period: 120s - networks: - - backend - - panda_maintenance_backend + panda-maintenance-db: + image: postgis/postgis:17-3.5-alpine + container_name: panda-maintenance-db + volumes: + - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw + ports: + - 5432:5432 + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + restart: always + mem_limit: 4000m + mem_reservation: 2000m + healthcheck: + test: [ "CMD-SHELL", "pg_isready -U postgres" ] + interval: 30s + timeout: 10s + retries: 3 + start_period: 80s + networks: + - 
panda_maintenance_backend + panda-maintenance-app: + image: itmicus/cmdbuild:om-2.4-4.1.0 + container_name: panda-maintenance-app + links: + - panda-maintenance-db + depends_on: + panda-maintenance-db: + condition: service_healthy + ports: + - 8080:8080 + restart: always + volumes: + - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro + environment: + - POSTGRES_USER=postgres + - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} + - POSTGRES_PORT=5432 + - POSTGRES_HOST=openmaint_db + - POSTGRES_DB=openmaint + - CMDBUILD_DUMP=empty.dump.xz + - JAVA_OPTS=-Xmx6000m -Xms3000m + mem_limit: 6000m + mem_reservation: 3500m + healthcheck: + test: [ "CMD", "curl", "-f", "-L", "http://localhost:8080/cmdbuild/ui" ] + interval: 30s + timeout: 10s + retries: 5 + start_period: 120s + networks: + - backend + - panda_maintenance_backend networks: From 690f1fc8c59f4f821e3f453351b338b4686b964c Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Tue, 28 Oct 2025 08:44:17 +0100 Subject: [PATCH 4/6] name db host properly (#16) Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/16 Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 8d7944c..6d6b39b 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -282,7 +282,7 @@ services: - POSTGRES_USER=postgres - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} - POSTGRES_PORT=5432 - - POSTGRES_HOST=openmaint_db + - POSTGRES_HOST=panda-maintenance-db - POSTGRES_DB=openmaint - CMDBUILD_DUMP=empty.dump.xz - JAVA_OPTS=-Xmx6000m -Xms3000m From 9ff88d5de008fa99e1179443d41f6663fdc590da Mon Sep 17 00:00:00 2001 
From: Konrad Bucheli Date: Tue, 28 Oct 2025 10:16:39 +0100 Subject: [PATCH 5/6] fix forwarding for cmdbuild (#17) Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/17 Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- conf.d/panda-maintenance.conf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/conf.d/panda-maintenance.conf b/conf.d/panda-maintenance.conf index 3c1d7b2..e6f658b 100644 --- a/conf.d/panda-maintenance.conf +++ b/conf.d/panda-maintenance.conf @@ -11,8 +11,14 @@ server { ssl_certificate /etc/nginx/certs/panda-maintenance.psi.ch.crt; ssl_certificate_key /etc/nginx/private/panda-maintenance.psi.ch.key; + + rewrite ^/$ /cmdbuild/ permanent; location / { - proxy_pass http://panda-maintenance-app:8080/cmdbuild; + return 404; + } + + location /cmdbuild { + proxy_pass http://panda-maintenance-app:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From b018578b30cd35f6df092462f46e9f29d26a079d Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Tue, 28 Oct 2025 11:03:53 +0100 Subject: [PATCH 6/6] OpenMaint: fix mixed content block (#18) Reviewed-on: https://gitea.psi.ch/linux/WebHosting/pulls/18 Co-authored-by: Konrad Bucheli Co-committed-by: Konrad Bucheli --- conf.d/panda-maintenance.conf | 2 ++ docker-compose.yaml | 4 ---- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/conf.d/panda-maintenance.conf b/conf.d/panda-maintenance.conf index e6f658b..f34d885 100644 --- a/conf.d/panda-maintenance.conf +++ b/conf.d/panda-maintenance.conf @@ -23,5 +23,7 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; + # https://forum.cmdbuild.org/t/cmdbuild-behind-nginx-reverse-proxy/5070/3 + add_header Content-Security-Policy upgrade-insecure-requests always; } } 
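Review bot: `location /cmdbuild {` in the PATCH 5/6 hunk is a prefix match without a trailing slash, so paths such as `/cmdbuildX` are also forwarded to port 8080 of the app container, i.e. to whatever else the backend serves under names that begin with `cmdbuild`. `location /cmdbuild/ {` together with `location = /cmdbuild { return 301 /cmdbuild/; }` limits the proxy to the one application path. The `rewrite ^/$ /cmdbuild/ permanent;` can be written as `location = / { return 302 /cmdbuild/; }`, which avoids the regex and is not cached indefinitely by browsers. The enclosing `server` block starts and ends outside the hunk.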
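Review bot: The `add_header Content-Security-Policy upgrade-insecure-requests always;` added inside `location /cmdbuild` in PATCH 6/6 stops that location from inheriting any `add_header` set at `server` or `http` level, because nginx inherits these directives only when the current level defines none of its own. If headers such as `Strict-Transport-Security` or `X-Content-Type-Options` are set globally (not visible in this patch), responses from `/cmdbuild` no longer carry them; repeating the global headers next to this line, or keeping all `add_header` lines at one level, preserves them. A comment such as `# add_header here disables inheritance of http/server-level add_header for this location` would make the side effect visible. The enclosing `server` block starts outside the hunk.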
diff --git a/docker-compose.yaml b/docker-compose.yaml index 6d6b39b..940b375 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -249,8 +249,6 @@ services: container_name: panda-maintenance-db volumes: - /opt/webcontent/panda-maintenance/data:/var/lib/postgresql/data:rw - ports: - - 5432:5432 environment: - POSTGRES_USER=postgres - POSTGRES_PASSWORD=${PANDA_MAINTENANCE_DB_PW} @@ -273,8 +271,6 @@ services: depends_on: panda-maintenance-db: condition: service_healthy - ports: - - 8080:8080 restart: always volumes: - /opt/webcontent/panda-maintenance/docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro