refactor: remove SSL from standalone setup

Dragory · Dragory · commit e146ed641676 · 2024-04-06T18:47:12.000+03:00
Since Zeppelin was only creating a self-signed certificate, this
gave a false sense of security when in reality you'd always want
to have a proxy with a proper certificate in front of this anyway.

Additionally, generating the certificate at build time meant that
the domain couldn't easily be changed/updated without rebuilding.
diff --git a/.env.example b/.env.example
@@ -54,9 +54,7 @@ DEVELOPMENT_SSH_PASSWORD=password
 # NOTE: You only need to fill in these values for running the standalone production environment
 # ==========================
 
-STANDALONE_DOMAIN=
-
-STANDALONE_WEB_PORT=443
+STANDALONE_WEB_PORT=80
 
 # The MySQL database running in the container is exposed to the host on this port,
 # allowing access with database tools such as DBeaver
diff --git a/docker-compose.standalone.yml b/docker-compose.standalone.yml
@@ -28,10 +28,8 @@ services:
     build:
       context: .
       dockerfile: docker/production/nginx/Dockerfile
-      args:
-        STANDALONE_DOMAIN: ${STANDALONE_DOMAIN:?Missing STANDALONE_DOMAIN}
     ports:
-      - "${STANDALONE_WEB_PORT:?Missing STANDALONE_WEB_PORT}:443"
+      - "${STANDALONE_WEB_PORT:?Missing STANDALONE_WEB_PORT}:80"
 
   migrate:
     depends_on:
diff --git a/docker/production/nginx/Dockerfile b/docker/production/nginx/Dockerfile
@@ -1,9 +1,3 @@
 FROM nginx
 
-ARG STANDALONE_DOMAIN
-
-RUN apt-get update && apt-get install -y openssl
-RUN openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/zeppelin-self-signed-cert.key -out /etc/ssl/certs/zeppelin-self-signed-cert.pem -days 3650 -subj "/CN=${STANDALONE_DOMAIN}" -nodes
-
 COPY ./docker/production/nginx/default.conf /etc/nginx/conf.d/default.conf
-RUN sed -ir "s/_STANDALONE_DOMAIN_/${STANDALONE_DOMAIN}/g" /etc/nginx/conf.d/default.conf
diff --git a/docker/production/nginx/default.conf b/docker/production/nginx/default.conf
@@ -1,7 +1,6 @@
 server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  server_name _STANDALONE_DOMAIN_;
+  listen 80 default_server;
+  server_name _;
 
   # Using a variable here stops nginx from crashing if the dev container is restarted or becomes otherwise unavailable
   set $backend_upstream "http://api:3001";
@@ -21,14 +20,4 @@ server {
 
     client_max_body_size 200M;
   }
-
-  ssl_certificate /etc/ssl/certs/zeppelin-self-signed-cert.pem;
-  ssl_certificate_key /etc/ssl/private/zeppelin-self-signed-cert.key;
-
-  ssl_session_timeout 1d;
-  ssl_session_cache shared:MozSSL:10m;
-  ssl_session_tickets off;
-
-  ssl_protocols TLSv1.3;
-  ssl_prefer_server_ciphers off;
 }
