Code cleanup
This commit is contained in:
LukeGus
@@ -1,49 +0,0 @@
|
||||
# Termix Docker Environment Configuration Example
|
||||
#
|
||||
# IMPORTANT: This file shows available environment variables.
|
||||
# For most users, you DON'T need to create a .env file.
|
||||
# Termix will auto-generate secure keys on first startup.
|
||||
#
|
||||
# Copy this file to .env ONLY if you need custom configuration:
|
||||
# cp docker/.env.example docker/.env
|
||||
|
||||
# ===== BASIC CONFIGURATION =====
|
||||
PORT=8080
|
||||
NODE_ENV=production
|
||||
|
||||
# ===== SSL/HTTPS CONFIGURATION =====
|
||||
ENABLE_SSL=false
|
||||
SSL_PORT=8443
|
||||
SSL_DOMAIN=localhost
|
||||
SSL_CERT_PATH=/app/ssl/termix.crt
|
||||
SSL_KEY_PATH=/app/ssl/termix.key
|
||||
|
||||
# ===== SECURITY KEYS =====
|
||||
# WARNING: Only set these if you need specific keys for multi-instance deployment
|
||||
# For single instance deployment, leave these EMPTY - Termix will auto-generate
|
||||
# secure random keys and persist them in Docker volumes.
|
||||
#
|
||||
# If you DO set these, generate them with: openssl rand -hex 32
|
||||
JWT_SECRET=
|
||||
DATABASE_KEY=
|
||||
INTERNAL_AUTH_TOKEN=
|
||||
|
||||
# ===== CORS CONFIGURATION =====
|
||||
ALLOWED_ORIGINS=*
|
||||
|
||||
# ===== DEPLOYMENT NOTES =====
|
||||
#
|
||||
# Single Instance (Recommended):
|
||||
# - Don't create .env file - let Termix auto-generate keys
|
||||
# - Keys are automatically persisted in Docker volumes
|
||||
# - Secure and maintenance-free
|
||||
#
|
||||
# Multi-Instance Cluster:
|
||||
# - Set identical JWT_SECRET, DATABASE_KEY, INTERNAL_AUTH_TOKEN across all instances
|
||||
# - Use shared storage for /app/data and /app/config volumes
|
||||
# - Ensure all instances can access the same encryption keys
|
||||
#
|
||||
# Security Best Practices:
|
||||
# - Never commit .env files to version control
|
||||
# - Use Docker secrets in production environments
|
||||
# - Regularly rotate keys (requires data migration)
|
||||
@@ -1,38 +0,0 @@
|
||||
# Termix Docker Compose Configuration
|
||||
#
|
||||
# QUICK START: Just run "docker-compose up -d"
|
||||
# - Security keys are auto-generated on first startup
|
||||
# - Keys are persisted in Docker volumes (survive container restarts)
|
||||
# - No manual .env file needed for single-instance deployment
|
||||
#
|
||||
# See docker/.env.example for advanced configuration options
|
||||
|
||||
services:
|
||||
termix-dev:
|
||||
image: ghcr.io/lukegus/termix:dev-1.7.0
|
||||
container_name: termix-dev
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "4300:4300"
|
||||
- "8443:8443"
|
||||
volumes:
|
||||
- termix-dev-data:/app/data
|
||||
environment:
|
||||
PORT: "4300"
|
||||
ENABLE_SSL: "true"
|
||||
SSL_DOMAIN: "termix-dev.karmaa.site"
|
||||
SSL_CERT_PATH: "/app/data/ssl/termix.crt"
|
||||
SSL_KEY_PATH: "/app/data/ssl/termix.key"
|
||||
# Resource limits for better large file handling
|
||||
deploy:
|
||||
resources:
|
||||
limits:
|
||||
memory: 2G
|
||||
cpus: '1.0'
|
||||
reservations:
|
||||
memory: 512M
|
||||
cpus: '0.5'
|
||||
|
||||
volumes:
|
||||
termix-dev-data:
|
||||
driver: local
|
||||
@@ -9,9 +9,6 @@ export SSL_KEY_PATH=${SSL_KEY_PATH:-/app/data/ssl/termix.key}
|
||||
|
||||
echo "Configuring web UI to run on port: $PORT"
|
||||
|
||||
# Choose nginx configuration based on SSL setting
|
||||
# Default: HTTP-only for easy setup
|
||||
# Set ENABLE_SSL=true to use HTTPS with automatic redirect
|
||||
if [ "$ENABLE_SSL" = "true" ]; then
|
||||
echo "SSL enabled - using HTTPS configuration with redirect"
|
||||
NGINX_CONF_SOURCE="/etc/nginx/nginx-https.conf"
|
||||
@@ -27,18 +24,15 @@ mkdir -p /app/data
|
||||
chown -R node:node /app/data
|
||||
chmod 755 /app/data
|
||||
|
||||
# If SSL is enabled, generate certificates first
|
||||
if [ "$ENABLE_SSL" = "true" ]; then
|
||||
echo "Generating SSL certificates..."
|
||||
mkdir -p /app/data/ssl
|
||||
chown -R node:node /app/data/ssl
|
||||
chmod 755 /app/data/ssl
|
||||
|
||||
# Generate SSL certificates using OpenSSL directly (faster and more reliable)
|
||||
|
||||
DOMAIN=${SSL_DOMAIN:-localhost}
|
||||
echo "Generating certificate for domain: $DOMAIN"
|
||||
|
||||
# Create OpenSSL config
|
||||
|
||||
cat > /app/data/ssl/openssl.conf << EOF
|
||||
[req]
|
||||
default_bits = 2048
|
||||
@@ -68,18 +62,14 @@ IP.1 = 127.0.0.1
|
||||
IP.2 = ::1
|
||||
EOF
|
||||
|
||||
# Generate private key
|
||||
openssl genrsa -out /app/data/ssl/termix.key 2048
|
||||
|
||||
# Generate certificate
|
||||
|
||||
openssl req -new -x509 -key /app/data/ssl/termix.key -out /app/data/ssl/termix.crt -days 365 -config /app/data/ssl/openssl.conf -extensions v3_req
|
||||
|
||||
# Set proper permissions
|
||||
|
||||
chmod 600 /app/data/ssl/termix.key
|
||||
chmod 644 /app/data/ssl/termix.crt
|
||||
chown node:node /app/data/ssl/termix.key /app/data/ssl/termix.crt
|
||||
|
||||
# Clean up config
|
||||
|
||||
rm -f /app/data/ssl/openssl.conf
|
||||
|
||||
echo "SSL certificates generated successfully for domain: $DOMAIN"
|
||||
|
||||
@@ -10,19 +10,16 @@ http {
|
||||
keepalive_timeout 65;
|
||||
client_header_timeout 300s;
|
||||
|
||||
# SSL Configuration
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# HTTP Server - Redirect to HTTPS
|
||||
server {
|
||||
listen ${PORT};
|
||||
server_name _;
|
||||
|
||||
# Redirect all HTTP traffic to HTTPS
|
||||
return 301 https://$host:${SSL_PORT}$request_uri;
|
||||
}
|
||||
|
||||
@@ -31,11 +28,9 @@ http {
|
||||
listen ${SSL_PORT} ssl;
|
||||
server_name _;
|
||||
|
||||
# SSL Certificate paths
|
||||
ssl_certificate ${SSL_CERT_PATH};
|
||||
ssl_certificate_key ${SSL_KEY_PATH};
|
||||
|
||||
# Security headers for HTTPS
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Frame-Options DENY always;
|
||||
add_header X-Content-Type-Options nosniff always;
|
||||
@@ -118,35 +113,26 @@ http {
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
# WebSocket proxy for authenticated terminal connections
|
||||
location /ssh/websocket/ {
|
||||
# Pass to WebSocket server with authentication support
|
||||
proxy_pass http://127.0.0.1:30002/;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
# WebSocket upgrade headers
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
|
||||
# Pass client information for authentication logging
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
# Query parameters are passed by default with proxy_pass
|
||||
proxy_read_timeout 86400s;
|
||||
proxy_send_timeout 86400s;
|
||||
proxy_connect_timeout 10s;
|
||||
|
||||
# WebSocket timeouts (longer for terminal sessions)
|
||||
proxy_read_timeout 86400s; # 24 hours
|
||||
proxy_send_timeout 86400s; # 24 hours
|
||||
proxy_connect_timeout 10s; # Quick auth check
|
||||
|
||||
# Disable buffering for real-time terminal
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
|
||||
# Handle connection errors gracefully
|
||||
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
||||
}
|
||||
|
||||
|
||||
@@ -10,19 +10,16 @@ http {
|
||||
keepalive_timeout 65;
|
||||
client_header_timeout 300s;
|
||||
|
||||
# SSL Configuration
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 10m;
|
||||
|
||||
# HTTP Server - Redirect to HTTPS when SSL enabled
|
||||
server {
|
||||
listen ${PORT};
|
||||
server_name localhost;
|
||||
|
||||
# Security headers
|
||||
add_header X-Frame-Options DENY always;
|
||||
add_header X-Content-Type-Options nosniff always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
@@ -104,35 +101,26 @@ http {
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
# WebSocket proxy for authenticated terminal connections
|
||||
location /ssh/websocket/ {
|
||||
# Pass to WebSocket server with authentication support
|
||||
proxy_pass http://127.0.0.1:30002/;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
# WebSocket upgrade headers
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $host;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
|
||||
# Pass client information for authentication logging
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
# Query parameters are passed by default with proxy_pass
|
||||
proxy_read_timeout 86400s;
|
||||
proxy_send_timeout 86400s;
|
||||
proxy_connect_timeout 10s;
|
||||
|
||||
# WebSocket timeouts (longer for terminal sessions)
|
||||
proxy_read_timeout 86400s; # 24 hours
|
||||
proxy_send_timeout 86400s; # 24 hours
|
||||
proxy_connect_timeout 10s; # Quick auth check
|
||||
|
||||
# Disable buffering for real-time terminal
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
|
||||
# Handle connection errors gracefully
|
||||
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user