From f1df9c3217656763ac983788a5067f38ba43b8b2 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:03:33 -0500
Subject: [PATCH 1/7] initial nginx dynamic docker image config
---
 docker-compose.yml | 4 ++++
 nginx-ingress/Dockerfile | 8 ++++++++
 nginx-ingress/entrypoint.sh | 7 +++++++
 nginx-ingress/nginx.conf | 28 ++++++++++++++++++++++++++++
 4 files changed, 47 insertions(+)
 create mode 100644 nginx-ingress/Dockerfile
 create mode 100644 nginx-ingress/entrypoint.sh
 create mode 100644 nginx-ingress/nginx.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index f70207f..ca96d70 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,3 +3,7 @@
 # Using version 2 as 3 does not support resource constraint options (cpu_*, mem_* limits) for non swarm mode in Compose
 version: "2"
+services:
+ proxy:
+ build: ./nginx-ingress
+ image: local/nginx-ingress:base
diff --git a/nginx-ingress/Dockerfile b/nginx-ingress/Dockerfile
new file mode 100644
index 0000000..c00e373
--- /dev/null
+++ b/nginx-ingress/Dockerfile
@@ -0,0 +1,8 @@
+FROM nginx:stable-alpine
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+COPY entrypoint.sh /
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/nginx-ingress/entrypoint.sh b/nginx-ingress/entrypoint.sh
new file mode 100644
index 0000000..8bcdeb5
--- /dev/null
+++ b/nginx-ingress/entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [[ $ACCESS_LOG ]]; then
+ sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf
+fi
+
+nginx -g "daemon off;"
diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf
new file mode 100644
index 0000000..c8aac96
--- /dev/null
+++ b/nginx-ingress/nginx.conf
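Review bot: In the `nginx-ingress/Dockerfile` hunk of [PATCH 1/7], `FROM nginx:stable-alpine` is a floating tag, so two builds of the same commit can end up with different nginx and Alpine versions; pin a specific release tag, ideally with a digest (`FROM nginx:<version>-alpine@sha256:<digest>`). The image also sets no `USER`, so the entrypoint script and the nginx master process run as root although the server only listens on 8080. Moving to an unprivileged user would additionally need `/etc/nginx/nginx.conf` and nginx's pid/cache paths to be writable by that user, because the entrypoint edits the config in place. `COPY --chmod=0755 entrypoint.sh /` (BuildKit) would make the separate `RUN chmod +x /entrypoint.sh` layer unnecessary.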
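Review bot: In the `nginx-ingress/entrypoint.sh` hunk of [PATCH 1/7], `$ACCESS_LOG` is spliced into the `sed` replacement unescaped, so a value containing `%`, `&` or `;` either breaks the substitution or writes additional directives into `/etc/nginx/nginx.conf`; the platform-URL substitution added in [PATCH 2/7] and changed in [PATCH 7/7] has the same problem. Check each value against its expected shape (a log path, a URL) before substituting, and run `nginx -t` before starting the server so a bad value fails loudly. The last line should be `exec nginx -g "daemon off;"` so that nginx replaces the shell as PID 1 and receives the stop signal from `docker stop`. `[[ … ]]` is not POSIX under `#!/bin/sh`; `if [ -n "$ACCESS_LOG" ]; then` is the portable test.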
@@ -0,0 +1,28 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ server {
+ listen *:8080;
+
+ client_max_body_size 0;
+
+ set $allowOriginSite *;
+ proxy_pass_request_headers on;
+ proxy_pass_header Set-Cookie;
+
+ # External settings, do not remove
+ #ENV_ACCESS_LOG
+
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
+ proxy_redirect off;
+ proxy_buffering off;
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass_header Set-Cookie;
+ }
+}
From 010149e6b643fb95bfa85d5fdfe45b4c7b47f79a Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:07:17 -0500
Subject: [PATCH 2/7] added platform config
---
 nginx-ingress/entrypoint.sh | 4 ++++
 nginx-ingress/nginx.conf | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/nginx-ingress/entrypoint.sh b/nginx-ingress/entrypoint.sh
index 8bcdeb5..5adaad5 100644
--- a/nginx-ingress/entrypoint.sh
+++ b/nginx-ingress/entrypoint.sh
@@ -1,5 +1,9 @@
 #!/bin/sh
+if [[ $ACS_PLATFORM_URL ]]; then
+ sed -i s%http:\/\/platform:8080%"$REPO_URL"%g /etc/nginx/nginx.conf
+fi
+
 if [[ $ACCESS_LOG ]]; then
 sed -i s%\#ENV_ACCESS_LOG%"access_log $ACCESS_LOG;"%g /etc/nginx/nginx.conf
 fi
diff --git a/nginx-ingress/nginx.conf b/nginx-ingress/nginx.conf
index c8aac96..0bbab22 100644
--- a/nginx-ingress/nginx.conf
+++ b/nginx-ingress/nginx.conf
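Review bot: In the `nginx-ingress/nginx.conf` hunk of [PATCH 1/7], `client_max_body_size 0;` disables nginx's request-body size check for the whole server, so the proxy puts no ceiling on upload size. Set an explicit limit sized for the largest expected upload, or add a comment above the directive stating why no limit is wanted and where the limit is enforced instead. `set $allowOriginSite *;` is not read anywhere in this file and `proxy_pass_header Set-Cookie;` is listed twice in the `server` block, so both can be tidied. `X-Forwarded-For $proxy_add_x_forwarded_for` appends to whatever the client sent, so the backend should trust only the last entry unless another trusted proxy sits in front.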
@@ -24,5 +24,28 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass_header Set-Cookie;
+
+ # Protect access to SOLR APIs
+ location ~ ^(/.*/service/api/solr/.*)$ {return 403;}
+ location ~ ^(/.*/s/api/solr/.*)$ {return 403;}
+ location ~ ^(/.*/wcservice/api/solr/.*)$ {return 403;}
+ location ~ ^(/.*/wcs/api/solr/.*)$ {return 403;}
+
+ location ~ ^(/.*/proxy/alfresco/api/solr/.*)$ {return 403 ;}
+ location ~ ^(/.*/-default-/proxy/alfresco/api/.*)$ {return 403;}
+
+ # Protect access to Prometheus endpoint
+ location ~ ^(/.*/s/prometheus)$ {return 403;}
+
+ location / {
+ proxy_pass http://platform:8080;
+ }
+
+ location /alfresco/ {
+ proxy_pass http://platform:8080;
+
+ # If using external proxy / load balancer (for initial redirect if no trailing slash)
+ absolute_redirect off;
+ }
 }
 }
From 6332985ebd0111234a3c7c4e6b4f678f6262f456 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:09:48 -0500
Subject: [PATCH 3/7] removed proxy
---
 docker-compose.yml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 5bdc666..e952af6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,12 +20,3 @@ services:
 activemq:
 image: alfresco/alfresco-activemq:latest
-
- proxy:
- image: alfresco/alfresco-acs-nginx:latest
- environment:
- REPO_URL: "http://platform:8080"
- depends_on:
- - platform
- ports:
- - 8080:8080
From ab396f76564bca406f0228e6ea52e06a54907d25 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:16:44 -0500
Subject: [PATCH 4/7] changed version to 'acs'
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index ca96d70..da2d925 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,4 +6,4 @@ version: "2"
 services:
 proxy:
 build: ./nginx-ingress
- image: local/nginx-ingress:base
+ image: local/nginx-ingress:acs
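Review bot: In the `nginx-ingress/nginx.conf` hunk of [PATCH 2/7], the Prometheus rule `^(/.*/s/prometheus)$` covers only the `/s/` alias and only the exact path, whereas the Solr rules above it enumerate `service`, `s`, `wcservice` and `wcs`. If those aliases reach the same endpoint, as the Solr rules suggest, requests using the other three or any sub-path fall through to `location /` and are proxied. One rule such as `location ~ ^/.*/(service|s|wcservice|wcs)/prometheus(/|$) { return 403; }` would close that, and the same alternation would collapse the four Solr rules into one. `location ~` is case-sensitive, which is only safe if the backend is too, so that is worth confirming. The `server` block starts outside this hunk.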
From a42af256495dd4d05205baf1a51b8694bb3aa7b7 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:19:34 -0500
Subject: [PATCH 5/7] added port for localhost
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index ca96d70..e82f46e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,3 +7,5 @@ services:
 proxy:
 build: ./nginx-ingress
 image: local/nginx-ingress:base
+ ports:
+ - 8080:8080
From 6b0c103d7569cecba84e57f6065edd5fd1603354 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:24:34 -0500
Subject: [PATCH 6/7] added depends_on for proxy
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 245d268..fbc506d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,3 +26,5 @@ services:
 image: local/nginx-ingress:acs
 ports:
 - 8080:8080
+ depends_on:
+ - platform
From 46bbeeef30f9f21685a446b158ae5cc91088c207 Mon Sep 17 00:00:00 2001
From: Brian Long
Date: Thu, 17 Dec 2020 16:29:36 -0500
Subject: [PATCH 7/7] fixed missed envvar
---
 nginx-ingress/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx-ingress/entrypoint.sh b/nginx-ingress/entrypoint.sh
index 5adaad5..3dc2e8e 100644
--- a/nginx-ingress/entrypoint.sh
+++ b/nginx-ingress/entrypoint.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 if [[ $ACS_PLATFORM_URL ]]; then
- sed -i s%http:\/\/platform:8080%"$REPO_URL"%g /etc/nginx/nginx.conf
+ sed -i s%http:\/\/platform:8080%"$ACS_PLATFORM_URL"%g /etc/nginx/nginx.conf
 fi
 if [[ $ACCESS_LOG ]]; then
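Review bot: In the `docker-compose.yml` hunk of [PATCH 5/7], `- 8080:8080` publishes the proxy on every host interface, not only loopback, although the subject line says the port is for localhost. If only local access is intended, bind it explicitly with `- "127.0.0.1:8080:8080"`. Quoting the mapping is also the safer YAML form, because unquoted `xx:yy` values can be misread by the parser.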