diff --git a/CHANGES.md b/CHANGES.md
index 656f9f3f26..c9681623c4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -80,6 +80,7 @@ A non exhaustive list of changes:
 - Deselect layers (and path nodes) with Ctrl+Shift+Drag [Github #2509](https://github.com/penpot/penpot/issues/2509)
 - Copy to SVG from contextual menu [Github #838](https://github.com/penpot/penpot/issues/838)
 - Add styles for Inkeep Chat at workspace [Taiga #10708](https://tree.taiga.io/project/penpot/us/10708)
+- Add configuration for air gapped installations with Docker
 ### :bug: Bugs fixed
 - Fix getCurrentUser for plugins api [Taiga #11057](https://tree.taiga.io/project/penpot/issue/11057)
diff --git a/docker/images/Dockerfile.frontend b/docker/images/Dockerfile.frontend
index 9c89f571f3..0b3b93a127 100644
--- a/docker/images/Dockerfile.frontend
+++ b/docker/images/Dockerfile.frontend
@@ -11,6 +11,7 @@ RUN set -ex; \
 ADD ./bundle-frontend/ /var/www/app/
 ADD ./files/config.js /var/www/app/js/config.js
 ADD ./files/nginx.conf /etc/nginx/nginx.conf.template
+ADD ./files/nginx-proxies.conf /etc/nginx/nginx-proxies.conf
 ADD ./files/resolvers.conf /etc/nginx/overrides.d/resolvers.conf.template
 ADD ./files/nginx-mime.types /etc/nginx/mime.types
 ADD ./files/nginx-entrypoint.sh /entrypoint.sh
diff --git a/docker/images/files/nginx-entrypoint.sh b/docker/images/files/nginx-entrypoint.sh
index 7dae546e7a..dff065af50 100644
--- a/docker/images/files/nginx-entrypoint.sh
+++ b/docker/images/files/nginx-entrypoint.sh
@@ -1,5 +1,16 @@
 #!/usr/bin/env bash
+#########################################
+## Air Gapped config
+#########################################
+
+if [[ $PENPOT_FLAGS == *"enable-air-gapped-conf"* ]]; then
+ export INCLUDE_PROXIES=""
+ export PENPOT_FLAGS="$PENPOT_FLAGS disable-google-fonts-provider disable-dashboard-templates-section"
+else
+ export INCLUDE_PROXIES="include /etc/nginx/nginx-proxies.conf;"
+fi
+
 #########################################
 ## App Frontend config
 #########################################
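Review bot: The test on the `if` line is a bare substring match, so any value that merely contains `enable-air-gapped-conf` (a future `enable-air-gapped-conf-strict`, for instance) switches the mode on, and an unset `PENPOT_FLAGS` is not guarded; matching a whitespace-delimited token is just as cheap and unambiguous: `if [[ " ${PENPOT_FLAGS:-} " == *" enable-air-gapped-conf "* ]]; then`. Only this container's `PENPOT_FLAGS` is extended with `disable-google-fonts-provider disable-dashboard-templates-section`; as far as this diff shows, the backend and exporter keep their own flags, so if they also reach GitHub or Google fonts they need the same switch — worth confirming and stating in the docs. A short comment above the block would also help the next maintainer, e.g. `# enable-air-gapped-conf: drop the outbound proxy locations from nginx (see $INCLUDE_PROXIES in nginx.conf.template) and turn off the frontend features that depend on them.`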
@@ -15,20 +26,21 @@ update_flags() {
 update_flags /var/www/app/js/config.js
+
 #########################################
 ## Nginx Config
 #########################################
-export PENPOT_BACKEND_URI=${PENPOT_BACKEND_URI:-http://penpot-backend:6060};
-export PENPOT_EXPORTER_URI=${PENPOT_EXPORTER_URI:-http://penpot-exporter:6061};
-PENPOT_DEFAULT_INTERNAL_RESOLVER="$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf)";
-export PENPOT_INTERNAL_RESOLVER=${PENPOT_INTERNAL_RESOLVER:-$PENPOT_DEFAULT_INTERNAL_RESOLVER};
-export PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE=${PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE:-367001600}; # Default to 350MiB
+export PENPOT_BACKEND_URI=${PENPOT_BACKEND_URI:-http://penpot-backend:6060}
+export PENPOT_EXPORTER_URI=${PENPOT_EXPORTER_URI:-http://penpot-exporter:6061}
+PENPOT_DEFAULT_INTERNAL_RESOLVER="$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf)"
+export PENPOT_INTERNAL_RESOLVER=${PENPOT_INTERNAL_RESOLVER:-$PENPOT_DEFAULT_INTERNAL_RESOLVER}
+export PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE=${PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE:-367001600} # Default to 350MiB
-envsubst "\$PENPOT_BACKEND_URI,\$PENPOT_EXPORTER_URI,\$PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE" \
- < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf;
+envsubst "\$PENPOT_BACKEND_URI,\$PENPOT_EXPORTER_URI,\$PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE,\$INCLUDE_PROXIES" \
+ < /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf
 envsubst "\$PENPOT_INTERNAL_RESOLVER" \
- < /etc/nginx/overrides.d/resolvers.conf.template > /etc/nginx/overrides.d/resolvers.conf;
+ < /etc/nginx/overrides.d/resolvers.conf.template > /etc/nginx/overrides.d/resolvers.conf
 exec "$@";
diff --git a/docker/images/files/nginx-proxies.conf b/docker/images/files/nginx-proxies.conf
new file mode 100644
index 0000000000..c9c106864b
--- /dev/null
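Review bot: The first `envsubst` call deserves a comment, because the explicit variable list is the only thing keeping nginx's own `$` usage in the template intact (the `$` anchor in `location ~ ^/js/config.js$` in nginx.conf, for one) and the new `\$INCLUDE_PROXIES` entry is easy to drop by accident when someone edits that list. Something like `# Only the listed variables are substituted; every other $ in the template belongs to nginx. INCLUDE_PROXIES expands to an include directive, or to nothing in air-gapped mode.` above the call would do. Separately, the script still runs with no `set -e`, so a failing `envsubst` leaves a truncated `/etc/nginx/nginx.conf` and `exec "$@"` (end of the hunk) starts nginx on it anyway; `set -euo pipefail` under the shebang (in the first hunk, outside this one) would surface the real error instead.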
+++ b/docker/images/files/nginx-proxies.conf 
@@ -0,0 +1,59 @@
+location ~ ^/github/penpot-files/(.+)$ {
+ rewrite ^/github/penpot-files/(.+) /penpot/penpot-files/refs/heads/main/$1 break;
+ proxy_pass https://raw.githubusercontent.com;
+
+ proxy_hide_header Access-Control-Allow-Origin;
+ proxy_hide_header Cookies;
+ proxy_set_header User-Agent "curl/8.5.0";
+ proxy_set_header Host "raw.githubusercontent.com";
+ proxy_set_header Accept "*/*";
+ add_header Access-Control-Allow-Origin $http_origin;
+ proxy_buffering off;
+}
+
+location ~ ^/internal/gfonts/font/(?.+) {
+ proxy_pass https://fonts.gstatic.com/s/$font_file;
+
+ proxy_hide_header Access-Control-Allow-Origin;
+ proxy_hide_header Cross-Origin-Resource-Policy;
+ proxy_hide_header Link;
+ proxy_hide_header Alt-Svc;
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Expires;
+ proxy_hide_header Cross-Origin-Opener-Policy;
+ proxy_hide_header Report-To;
+
+ proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;
+
+ proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
+ proxy_set_header Host "fonts.gstatic.com";
+ proxy_set_header Accept "*/*";
+
+ proxy_cache penpot;
+
+ add_header Access-Control-Allow-Origin $http_origin;
+ add_header Cache-Control max-age=86400;
+ add_header X-Cache-Status $upstream_cache_status;
+}
+
+location ~ ^/internal/gfonts/css {
+ proxy_pass https://fonts.googleapis.com/css?$args;
+ proxy_hide_header Access-Control-Allow-Origin;
+ proxy_hide_header Cross-Origin-Resource-Policy;
+ proxy_hide_header Link;
+ proxy_hide_header Alt-Svc;
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Expires;
+
+ proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;
+
+ proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
+ proxy_set_header Host "fonts.googleapis.com";
+ proxy_set_header Accept "*/*";
+
+ proxy_cache penpot;
+
+ add_header Access-Control-Allow-Origin $http_origin;
+ add_header Cache-Control max-age=86400;
+ add_header X-Cache-Status $upstream_cache_status;
+}
diff --git a/docker/images/files/nginx.conf b/docker/images/files/nginx.conf
index 38278d2875..053b18144e 100644
--- a/docker/images/files/nginx.conf
+++ b/docker/images/files/nginx.conf
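Review bot: `proxy_hide_header Cookies;` in the `/github/penpot-files/` location does not name a real response header, so anything raw.githubusercontent.com sends in `Set-Cookie` reaches the browser unfiltered; the two gfonts locations only `proxy_ignore_headers Set-Cookie`, which changes cacheability, not what the client receives. The block is moved verbatim from nginx.conf, so this is not introduced here, but the move is a good moment to make it `proxy_hide_header Set-Cookie;` and to add the same line to both gfonts locations. Reflecting `$http_origin` into `Access-Control-Allow-Origin` is equivalent to a wildcard for these public, credential-less assets; `add_header Access-Control-Allow-Origin "*";` states that intent plainly and avoids a per-request header value that a browser cache could pin to one origin without a `Vary: Origin`.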
@@ -135,65 +135,7 @@ http {
 }
 location / {
- location ~ ^/github/penpot-files/(.+)$ {
- rewrite ^/github/penpot-files/(.+) /penpot/penpot-files/refs/heads/main/$1 break;
- proxy_pass https://raw.githubusercontent.com;
-
- proxy_hide_header Access-Control-Allow-Origin;
- proxy_hide_header Cookies;
- proxy_set_header User-Agent "curl/8.5.0";
- proxy_set_header Host "raw.githubusercontent.com";
- proxy_set_header Accept "*/*";
- add_header Access-Control-Allow-Origin $http_origin;
- proxy_buffering off;
- }
-
- location ~ ^/internal/gfonts/font/(?.+) {
- proxy_pass https://fonts.gstatic.com/s/$font_file;
-
- proxy_hide_header Access-Control-Allow-Origin;
- proxy_hide_header Cross-Origin-Resource-Policy;
- proxy_hide_header Link;
- proxy_hide_header Alt-Svc;
- proxy_hide_header Cache-Control;
- proxy_hide_header Expires;
- proxy_hide_header Cross-Origin-Opener-Policy;
- proxy_hide_header Report-To;
-
- proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;
-
- proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
- proxy_set_header Host "fonts.gstatic.com";
- proxy_set_header Accept "*/*";
-
- proxy_cache penpot;
-
- add_header Access-Control-Allow-Origin $http_origin;
- add_header Cache-Control max-age=86400;
- add_header X-Cache-Status $upstream_cache_status;
- }
-
- location ~ ^/internal/gfonts/css {
- proxy_pass https://fonts.googleapis.com/css?$args;
- proxy_hide_header Access-Control-Allow-Origin;
- proxy_hide_header Cross-Origin-Resource-Policy;
- proxy_hide_header Link;
- proxy_hide_header Alt-Svc;
- proxy_hide_header Cache-Control;
- proxy_hide_header Expires;
-
- proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;
-
- proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
- proxy_set_header Host "fonts.googleapis.com";
- proxy_set_header Accept "*/*";
-
- proxy_cache penpot;
-
- add_header Access-Control-Allow-Origin $http_origin;
- add_header Cache-Control max-age=86400;
- add_header X-Cache-Status $upstream_cache_status;
- }
+ $INCLUDE_PROXIES
 location ~ ^/js/config.js$ {
 add_header Cache-Control "no-store, no-cache, max-age=0" always;
diff --git a/docs/technical-guide/configuration.md b/docs/technical-guide/configuration.md
index 7fac87c157..e4f075e094 100644
--- a/docs/technical-guide/configuration.md
+++ b/docs/technical-guide/configuration.md
@@ -366,7 +366,7 @@ PENPOT_REDIS_URI: redis://localhost/0
 PENPOT_REDIS_URI: redis://localhost/0
 ```
-If you are using the official docker compose file, this is already configurRed.
+If you are using the official docker compose file, this is already configured.
 ## Demo environment
@@ -392,6 +392,22 @@ verification process:
 PENPOT_FLAGS: disable-email-verification enable-demo-warning
 ```
+## Air gapped environments
+
+The current Penpot installation defaults to several external proxies:
+- to Github, from where the libraries and templates are downloaded
+- to Google, from where the google-fonts are downloaded.
+
+This is implemented as specific locations in the penpot-front Nginx. If your organization needs to install Penpot
+in a 100% air-gapped environment, you can use the following configuration:
+
+```bash
+PENPOT_FLAGS: enable-air-gapped-conf
+```
+
+When Penpot starts, it will leave out the Nginx configuration related to external requests. This means that,
+with this flag enabled, the Penpot configuration will disable as well the libraries and templates dashboard and the use of Google fonts.
+
 ## Backend
 This section enumerates the backend only configuration variables.
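Review bot: The `$INCLUDE_PROXIES` placeholder inside `location / {` carries no hint of where it comes from, and sitting in an nginx file it reads like an nginx variable, so it is the kind of line a later edit "fixes" away; a comment on the line above would pin it: `# Filled in by nginx-entrypoint.sh via envsubst: an include of nginx-proxies.conf, or empty when PENPOT_FLAGS contains enable-air-gapped-conf.` Once the include is empty, requests to `/github/penpot-files/...` and `/internal/gfonts/...` fall through to whatever the rest of `location /` does for unknown paths (that part of the block is outside the hunk), which is presumably the SPA fallback rather than a 404; if any frontend code still issues those requests in air-gapped mode, an explicit `return 404;` for the two prefixes would make the failure diagnosable — worth confirming against the frontend.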