Build: Add Dockerfile for new static codeorigin server

* Add a basic Docker build.

* Increase map_hash_bucket_size to accommodate longer CDN tokens.

* Add project-specific forwards, and fix git forwards
  Per discussions, all origin requests redirect securely

Signed-off-by: Brian Warner <brian@bdwarner.com>

Author: brianwarner

.gitignore

@@ -3,3 +3,4 @@
 /resources/sri-directives.json
 /git/
 /config.js*
+*.swp

Dockerfile

@@ -0,0 +1,31 @@
+FROM nginx:alpine
+
+# Install pre-reqs, since we're doing everything in one container for minimum complexity
+RUN apk add vim openrc
+
+# Define the environment variable that will be used in the origin pull magic header
+ARG CDN_ACCESS_KEY=''
+
+# Copy in the necessary config files
+COPY cfg/vimrc /etc/vim/vimrc
+COPY cfg/default.conf /etc/nginx/conf.d/default.conf
+
+# If the CDN_ACCESS_KEY environment variable is *not* set, operate in "break glass" mode where the
+# container responds to all requests. Otherwise, look for the secret header the CDN adds to origin
+# pulls and only allow responses to those requests, and 301 the rest back to the CDN.
+#
+# Note: We're writing directly to the config files because nginx does not currently have a way to
+# access environment variables without significant workarounds. Furthermore, the variables are
+# required because nginx does not currently support nested if statements.
+RUN if [ -n "$CDN_ACCESS_KEY" ]; then \
+    sed -i s/CDN_ACCESS_KEY_PLACEHOLDER/$CDN_ACCESS_KEY/g /etc/nginx/conf.d/default.conf && \
+    sed -i s/##ACTIVATE-XCDNACCESS##//g /etc/nginx/conf.d/default.conf; \
+  fi
+
+# Load the releases into the container
+#
+# Avoid wildcard as that would flatten the directory structure.
+COPY cdn/ /usr/share/nginx/html/
+
+EXPOSE 80
+

README.md

@@ -1,6 +1,55 @@
-codeorigin.jquery.com
+# Official project releases
 =====================
 
-### Build
+This repo is used to build a Docker container that serves the codeorigin site for jQuery and related projects. It is designed to deploy easily, and includes a "break glass in case of emergency" minimal config mode should codeorigin need to be redeployed urgently.
 
-To build and deploy your changes for previewing in a [`jquery-wp-content`](https://github.com/jquery/jquery-wp-content) instance, follow the [workflow instructions](http://contribute.jquery.org/web-sites/#workflow) from our documentation on [contributing to jQuery Foundation web sites](http://contribute.jquery.org/web-sites/).
+It also contains the files necessary to build and deploy releases.jquery.com on a separate host, which provides an index of the files on codeorigin.
+
+## Build a local copy of codeorigin
+
+### Default, no restrictions (development or emergency mode)
+
+To build a local container (defaults to "break glass" mode):
+
+1. Install Docker
+1. Clone this repo, and `cd` into it
+1. Build the image: `docker build -t releases ./`
+1. Run the container, exposing port 80: `docker run -p 127.0.0.1:80:80/tcp releases`
+1. To exit the container, press `ctrl+c`
+
+### Redirect non-origin pulls to CDN (production mode)
+
+To build a local container in deployment mode (redirecting any requests without the magic header that indicates an origin pull), build the container with the header value in an environment variable:
+
+1. Install Docker
+1. Clone this repo, and `cd` into it
+1. Generate a random string for the environment variable: ``CDN_ACCESS_KEY=`openssl rand -hex 32` ``
+1. Build the image: `docker build -t prod-releases --build-arg CDN_ACCESS_KEY=$CDN_ACCESS_KEY ./`
+1. Run the container, exposing port 80: `docker run -p 127.0.0.1:80:80/tcp prod-releases`
+1. To exit the container, press `ctrl+c`
+
+Note that you will need to keep track of `$CDN_ACCESS_KEY` and add it to the headers sent for origin pulls. To test whether this is working correctly, you can use `curl`:
+
+* This should always redirect to `code.jquery.com`: `curl -i localhost/jquery-3.1.1.js`
+* This should always deliver a copy of the file (don't forget to set the environment variable in your current shell): `curl -i -H "x-cdn-access: ${CDN_ACCESS_KEY}" localhost/jquery-3.1.1.js`
+
+## Build the production site
+
+To deploy, first generate the CDN access key. Next, you'll need to configure the container host to build from the Dockerfile in this repository, and use the CDN access key as build arguments. Finally, you'll configure the CDN to send both the Host header and the access key during origin pulls.
+
+1. Generate the access key: ``CDN_ACCESS_KEY=`openssl rand -hex 16` ``
+1. Configure the container host to build from this repo, and set this build variable:
+  * `CDN_ACCESS_KEY=(Insert the value of $CDN_ACCESS_KEY here)`
+1. Add the magic header and the host header at the CDN for origin pulls: `x-cdn-access: (Insert the value of $CDN_ACCESS_KEY here)|Host: (insert URL to app container)`
+
+## In case of emergency
+
+If you need to deploy a codeorigin container immediately, or if there are origin pull failures and you're not sure why, deploy the container without configuring the `CDN_ACCESS_KEY` environment variable. The codeorigin server will respond to all requests without redirecting non-origin pulls to the CDN, so this should be only used in case of emergencies.
+
+## Build the releases sites
+
+To build and deploy your changes for previewing in a [`jquery-wp-content`](https://github.com/jquery/jquery-wp-content) instance, follow the [workflow instructions](http://contribute.jquery.org/web-sites/#workflow) from our documentation on [contributing to jQuery web sites](http://contribute.jquery.org/web-sites/).
+
+## Add or update project release files
+
+To add a new release or update an existing one, simply commit the new file to the `cdn` directory and merge to the `main` branch. The container will rebuild automatically.

cfg/30-start-php-fpm7.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+php-fpm7 -D

cfg/default.conf

@@ -0,0 +1,173 @@
+#
+# This file is responsible for the site which serves the main releases from codeorigin. By default,
+# it generates a site that operates in "break glass" emergency mode. All requests are served,
+# regardless of where they come from.
+#
+# In production, the CDN should add a private header to origin fetches. All requests which do not
+# include the correct header should be bounced via 301 redirect back to the CDN. This ensures that
+# even if a client attempts to link to codeorigin, it will still be served from the CDN. The end
+# result should be that codeorigin is only reachable for origin pulls from the CDN, decreasing its
+# load and reducing the attack surface for DDOSs.
+#
+# Configuration information is in the README.md file.
+#
+
+# Increase map_hash_bucket_size to accommodate longer CDN tokens
+map_hash_bucket_size 128;
+
+# Do not change the following lines. The Dockerfile will set the access key and remove the comment
+# at build time if the correct environment variable is set.
+##ACTIVATE-XCDNACCESS##map $http_x_cdn_access $reroute_to_cdn { default '1'; CDN_ACCESS_KEY_PLACEHOLDER '0'; }
+
+server {
+  listen        80;
+  listen        [::]:80;
+  server_name   localhost;
+
+  access_log  /var/log/nginx/host.access.log  main;
+
+  location / {
+    root        /usr/share/nginx/html;
+    index       index.html index.htm;
+
+    # Do not change the following line. The Dockerfile will set the access key and remove the
+    # comment at build time if the correct environment variable is set.
+    ##ACTIVATE-XCDNACCESS##if ($reroute_to_cdn) { return 301 https://code2.jquery.com$uri; }
+
+  }
+
+  # PHP configuration for purge.php
+
+  location ~ \.php$ {
+    root           /usr/share/nginx/html;
+    fastcgi_pass   127.0.0.1:9000;
+    fastcgi_index  index.php;
+    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+    include        fastcgi_params;
+  }
+
+  # Redirect requests to the root to the release viewer
+
+  location ~ ^/(?:/)?$ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com;
+  }
+
+  # Redirect requests to paths known to be non-release files (e.g., git versions and their assets)
+  # to the viewer. Jenkins needs access to the host that delivers these files, and codeorigin is
+  # intended to be more tightly managed via github repo.
+
+  # Redirect to releases.jquery.com/
+
+  location ~ ^/git(?:/(.*))? {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com$request_uri;
+  }
+
+  # Redirect specific project pages to releases.jquery.com
+  location ~ ^/jquery(?:/)?$ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com/jquery/;
+  }
+
+  location ~ ^/ui(?:/)?$ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com/ui/;
+  }
+
+  location ~ ^/mobile(?:/)?$ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com/mobile/;
+  }
+
+  location ~ ^/color(?:/)?$ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com/color/;
+  }
+
+  location ~ ^/qunit(?:/)?$ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com/qunit/;
+  }
+
+  location ~ ^/pep(?:/)?$ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com/pep/;
+  }
+
+  # Redirect to releases.jquery.com/git/
+
+  location ~* -git\.(js|min.js|slim.js|slim.min.js|css)$ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com/git$request_uri;
+  }
+
+  location ^~ /mobile/git/ {
+    expires off;
+    gzip on;
+    return 301 https://releases.jquery.com/git$request_uri;
+  }
+
+  # Redirect some known legacy URLs that may still point to code.jquery.com. This list is a
+  # workaround, and should not need to be expanded.
+
+  rewrite ^/ui/images/ui-icons_cc0000_256x240\.png$ https://releases.jquery.com/git/ui/images/ui-icons_cc0000_256x240.png permanent;
+  rewrite ^/ui/images/ui-icons_777777_256x240\.png$ https://releases.jquery.com/git/ui/images/ui-icons_777777_256x240.png permanent;
+  rewrite ^/ui/images/ui-icons_777620_256x240\.png$ https://releases.jquery.com/git/ui/images/ui-icons_777620_256x240.png permanent;
+  rewrite ^/ui/images/ui-icons_555555_256x240\.png$ https://releases.jquery.com/git/ui/images/ui-icons_555555_256x240.png permanent;
+  rewrite ^/ui/images/ui-icons_444444_256x240\.png$ https://releases.jquery.com/git/ui/images/ui-icons_444444_256x240.png permanent;
+  rewrite ^/ui/images/ui-bg_flat_0_aaaaaa_40x100\.png$ https://releases.jquery.com/git/ui/images/ui-bg_flat_0_aaaaaa_40x100.png permanent;
+  rewrite ^/ui/images/ui-icons_ffffff_256x240\.png$ https://releases.jquery.com/git/ui/images/ui-icons_ffffff_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_cc0000_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_cc0000_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-bg_highlight-soft_75_cccccc_1x100\.png$ https://releases.jquery.com/git/ui/_images/images/ui-bg_highlight-soft_75_cccccc_1x100.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_2e83ff_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_2e83ff_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-bg_flat_75_ffffff_40x100\.png$ https://releases.jquery.com/git/ui/_images/images/ui-bg_flat_75_ffffff_40x100.png permanent;
+  rewrite ^/ui/_images/images/ui-bg_glass_95_fef1ec_1x400\.png$ https://releases.jquery.com/git/ui/_images/images/ui-bg_glass_95_fef1ec_1x400.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_777777_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_777777_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-bg_glass_65_ffffff_1x400\.png$ https://releases.jquery.com/git/ui/_images/images/ui-bg_glass_65_ffffff_1x400.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_777620_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_777620_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_555555_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_555555_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-bg_glass_75_e6e6e6_1x400\.png$ https://releases.jquery.com/git/ui/_images/images/ui-bg_glass_75_e6e6e6_1x400.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_222222_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_222222_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_888888_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_888888_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_444444_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_444444_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_cd0a0a_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_cd0a0a_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-bg_glass_55_fbf9ee_1x400\.png$ https://releases.jquery.com/git/ui/_images/images/ui-bg_glass_55_fbf9ee_1x400.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_454545_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_454545_256x240.png permanent;
+  rewrite ^/ui/_images/images/ui-bg_glass_75_dadada_1x400\.png$ https://releases.jquery.com/git/ui/_images/images/ui-bg_glass_75_dadada_1x400.png permanent;
+  rewrite ^/ui/_images/images/ui-bg_flat_0_aaaaaa_40x100\.png$ https://releases.jquery.com/git/ui/_images/images/ui-bg_flat_0_aaaaaa_40x100.png permanent;
+  rewrite ^/ui/_images/images/ui-icons_ffffff_256x240\.png$ https://releases.jquery.com/git/ui/_images/images/ui-icons_ffffff_256x240.png permanent;
+  rewrite ^/ui/_images/ui-bg_highlight-soft_75_cccccc_1x100\.png$ https://releases.jquery.com/git/ui/_images/ui-bg_highlight-soft_75_cccccc_1x100.png permanent;
+  rewrite ^/ui/_images/ui-icons_2e83ff_256x240\.png$ https://releases.jquery.com/git/ui/_images/ui-icons_2e83ff_256x240.png permanent;
+  rewrite ^/ui/_images/ui-bg_flat_75_ffffff_40x100\.png$ https://releases.jquery.com/git/ui/_images/ui-bg_flat_75_ffffff_40x100.png permanent;
+  rewrite ^/ui/_images/ui-bg_glass_95_fef1ec_1x400\.png$ https://releases.jquery.com/git/ui/_images/ui-bg_glass_95_fef1ec_1x400.png permanent;
+  rewrite ^/ui/_images/ui-bg_glass_65_ffffff_1x400\.png$ https://releases.jquery.com/git/ui/_images/ui-bg_glass_65_ffffff_1x400.png permanent;
+  rewrite ^/ui/_images/ui-bg_glass_75_e6e6e6_1x400\.png$ https://releases.jquery.com/git/ui/_images/ui-bg_glass_75_e6e6e6_1x400.png permanent;
+  rewrite ^/ui/_images/ui-icons_222222_256x240\.png$ https://releases.jquery.com/git/ui/_images/ui-icons_222222_256x240.png permanent;
+  rewrite ^/ui/_images/ui-icons_888888_256x240\.png$ https://releases.jquery.com/git/ui/_images/ui-icons_888888_256x240.png permanent;
+  rewrite ^/ui/_images/ui-icons_cd0a0a_256x240\.png$ https://releases.jquery.com/git/ui/_images/ui-icons_cd0a0a_256x240.png permanent;
+  rewrite ^/ui/_images/ui-bg_glass_55_fbf9ee_1x400\.png$ https://releases.jquery.com/git/ui/_images/ui-bg_glass_55_fbf9ee_1x400.png permanent;
+  rewrite ^/ui/_images/ui-icons_454545_256x240\.png$ https://releases.jquery.com/git/ui/_images/ui-icons_454545_256x240.png permanent;
+  rewrite ^/ui/_images/ui-bg_glass_75_dadada_1x400\.png$ https://releases.jquery.com/git/ui/_images/ui-bg_glass_75_dadada_1x400.png permanent;
+  rewrite ^/ui/_images/ui-bg_flat_0_aaaaaa_40x100\.png$ https://releases.jquery.com/git/ui/_images/ui-bg_flat_0_aaaaaa_40x100.png permanent;
+
+  #error_page    404              /404.html;
+
+  # redirect server error pages to the static page /50x.html
+  #
+  error_page    500 502 503 504  /50x.html;
+  location = /50x.html {
+    root   /usr/share/nginx/html;
+  }
+}
+
+# vim: ts=2 sw=2 et

cfg/vimrc

@@ -0,0 +1,16 @@
+set nocompatible        " Use Vim defaults (much better!)
+set bs=2                " Allow backspacing over everything in insert mode
+set ai                  " Always set auto-indenting on
+set history=50          " keep 50 lines of command history
+set ruler               " Show the cursor position all the time
+
+" Don't use Ex mode, use Q for formatting
+map Q gq
+
+" When doing tab completion, give the following files lower priority.
+set suffixes+=.info,.aux,.log,.dvi,.bbl,.out,.o,.lo
+
+set modeline
+syntax on
+autocmd BufRead APKBUILD set filetype=sh
+