
Add nginx reverse proxy configuration.

George Baugh 2 жил өмнө
parent
commit
258d2e8288
4 өөрчлөгдсөн 99 нэмэгдсэн , 1 устгасан
  1. 1 0
      .gitignore
  2. 18 1
      Makefile
  3. 18 0
      lib/TCMS.pm
  4. 62 0
      nginx/tcms.conf.tmpl

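--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@ MYMETA.json
 node_modules/
 www/statics/
 totp/
+nginx/tcms.conf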

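--- a/Makefile
+++ b/Makefile
@@ -34,7 +34,7 @@ prereq-debian: prereq-debs prereq-perl prereq-frontend prereq-node
 prereq-debs:
 	sudo apt-get update
 	sudo apt-get install -y sqlite3 nodejs npm libsqlite3-dev libdbd-sqlite3-perl cpanminus starman libxml2 curl         \
-		uwsgi uwsgi-plugin-psgi fail2ban \
+		uwsgi uwsgi-plugin-psgi fail2ban nginx certbot\
 	    libtext-xslate-perl libplack-perl libconfig-tiny-perl libdatetime-format-http-perl libjson-maybexs-perl          \
 	    libuuid-tiny-perl libcapture-tiny-perl libconfig-simple-perl libdbi-perl libfile-slurper-perl libfile-touch-perl \
 	    libfile-copy-recursive-perl libxml-rss-perl libmodule-install-perl libio-string-perl                             \
@@ -73,3 +73,20 @@ reset-remove:
 fail2ban:
 	sudo ln -sr fail2ban/tcms-jail.conf   /etc/fail2ban/jail.d/tcms.conf
 	sudo ln -sr fail2ban/tcms-filter.conf /etc/fail2ban/filter.d/tcms.conf
+
+.PHONY: nginx
+nginx:
+	[ -n "$$SERVER_NAME" ] || ( echo "Please set the SERVER_NAME environment variable before running (e.g. test.test)" && /bin/false )
+	[ -n "$$SERVER_PORT" ] || ( echo "Please set the SERVER_PORT environment variable before running (e.g. 5000)" && /bin/false )
+	sed 's/\%SERVER_NAME\%/$(SERVER_NAME)/g' nginx/tcms.conf.tmpl > nginx/tcms.conf.intermediate
+	sed 's/\%SERVER_PORT\%/$(SERVER_PORT)/g' nginx/tcms.conf.intermediate > nginx/tcms.conf
+	rm nginx/tcms.conf.intermediate
+	mkdir -p '/var/www/$(SERVER_NAME)'
+	mkdir -p '/var/www/$(SERVER_NAME)'
+	ln -sr nginx/tcms.conf '/etc/nginx/sites-enabled/$(SERVER_NAME).conf'
+	openssl req -x509 -nodes -newkey -in '$(SERVER_NAME)' rsa:4096 -keyout key.pem -out cert.pem -days 365
+	openssl req -x509 -nodes -newkey -in '$(SERVER_NAME)' rsa:4096 -keyout key.pem -out cert.pem -days 365
+	certbot certonly --webroot -w '/var/www/$(SERVER_NAME)/' -d '$(SERVER_NAME)' -d 'www.$(SERVER_NAME)' -w '/var/www/mail.$(SERVER_NAME)' -d 'mail.$(SERVER_NAME)'
+	systemctl restart nginx
+	systemctl restart dovecot
+	systemctl restart postfix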
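Review bot: The `openssl req` line in the new `nginx` target (it appears twice, and the +18 diffstat confirms both copies are real) is malformed and, once fixed, would drop an unencrypted private key into the working tree: `-newkey` takes its algorithm as the next argument, so `-newkey -in '$(SERVER_NAME)' rsa:4096` will not parse as intended, and `-nodes -keyout key.pem` writes the key to the repo root, which this commit's .gitignore change does not exclude. Neither `key.pem` nor `cert.pem` is referenced by the nginx template, which uses the Let's Encrypt paths, so the simplest fix is to delete both lines; if a self-signed fallback is wanted, generate it outside the tree, e.g. `sudo openssl req -x509 -nodes -newkey rsa:4096 -subj '/CN=$(SERVER_NAME)' -keyout /etc/ssl/private/$(SERVER_NAME).key -out /etc/ssl/certs/$(SERVER_NAME).pem -days 365`. The `ln -sr … /etc/nginx/sites-enabled/` and `systemctl restart` lines also lack the `sudo` every other privileged line in this Makefile uses, and nginx is restarted only after certbot, while the symlinked config already points at `/etc/letsencrypt/live/$(SERVER_NAME)/` before that certificate exists, so the first run will most likely fail to load the site. The `sed` calls interpolate `$(SERVER_NAME)` into the replacement unescaped, so a value containing `/` or `&` would corrupt the generated config; validating it against `^[A-Za-z0-9.-]+$` in the existing `[ -n … ]` guard would close that.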

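--- a/lib/TCMS.pm
+++ b/lib/TCMS.pm
@@ -86,6 +86,9 @@ sub app {
     # It's important that we log what the user ACTUALLY requested rather than the rewritten path later on.
     my $fullpath = "$scheme://$domain$pport$path";
 
+    use Data::Dumper;
+    print Dumper($env);
+
     # Check eTags.  If we don't know about it, just assume it's good and lazily fill the cache
     # XXX yes, this allows cache poisoning...but only for logged in users!
     if ( $env->{HTTP_IF_NONE_MATCH} ) {
@@ -94,6 +97,19 @@ sub app {
         $etags{ $env->{REQUEST_URI} } = $env->{HTTP_IF_NONE_MATCH} unless exists $etags{ $env->{REQUEST_URI} };
     }
 
+    # TODO: Actually do something with the language passed to the renderer
+    my $lang = $env->{HTTP_ACCEPT_LANGUAGE};
+
+    #TODO: Actually do something with the acceptable output formats in the renderer
+    my $accept = $env->{HTTP_ACCEPT};
+
+    # These two parameters are entirely academic, as no integration with any kind of analytics is implemented.
+    #my $no_track = $env->{HTTP_DNT};
+    #my $no_sell_info = $env->{HTTP_SEC_GPC};
+
+    # We generally prefer this to be handled at the reverse proxy level.
+    #my $prefer_ssl = $env->{HTTP_UPGRADE_INSECURE_REQUESTS};
+
     my $last_fetch = 0;
     if ( $env->{HTTP_IF_MODIFIED_SINCE} ) {
         $last_fetch = DateTime::Format::HTTP->parse_datetime( $env->{HTTP_IF_MODIFIED_SINCE} )->epoch();
@@ -242,6 +258,8 @@ sub app {
     $query->{primary_post} = {};
     $query->{has_query}    = $has_query;
     $query->{port}         = $port;
+    $query->{lang}         = $lang;
+    $query->{accept}       = $accept;
     # Redirecting somewhere naughty not allow
     $query->{to}           = URI->new($query->{to} // '')->path() || $query->{to} if $query->{to};
 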
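Review bot: `print Dumper($env);` in the first hunk dumps the entire PSGI environment to STDOUT on every request; per PSGI that hash carries every inbound request header as an `HTTP_*` key (this same sub reads `HTTP_IF_NONE_MATCH` and `HTTP_ACCEPT` from it), so session cookies and any Authorization header will land wherever starman/uwsgi direct stdout, typically a log file that fail2ban and operators read. It looks like leftover debugging and should be removed before this ships; if a dump is genuinely wanted, gate and redact it, e.g. `print Dumper({ %$env, map { $_ => '[redacted]' } grep { exists $env->{$_} } qw(HTTP_COOKIE HTTP_AUTHORIZATION) }) if $ENV{TCMS_DEBUG};`. The `use Data::Dumper;` pragma is compile-time and belongs with the file's other imports rather than inside the sub body. `$lang` and `$accept` are copied verbatim from client headers into `$query` for the renderer; nothing in the hunk uses them yet, but whoever implements the TODOs should treat them as untrusted and only emit them through an escaping template path. `app` begins and ends outside these hunks.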

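--- /dev/null
+++ b/nginx/tcms.conf.tmpl
@@ -0,0 +1,62 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name %SERVER_NAME% www.%SERVER_NAME%;
+
+    ssl_certificate /etc/letsencrypt/live/%SERVER_NAME%/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/%SERVER_NAME%/privkey.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:%SERVER_PORT%;
+        proxy_set_header Host            $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+
+    location /.well-known/ {
+        root /var/www/%SERVER_NAME%/;
+    }
+
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name %SERVER_NAME% www.%SERVER_NAME%;
+
+    location / {
+        proxy_pass http://127.0.0.1:%SERVER_PORT%;
+        proxy_set_header Host            $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+
+    location /.well-known/ {
+        root /var/www/%SERVER_NAME%/;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+
+    server_name mail.%SERVER_NAME%;
+
+    ssl_certificate /etc/letsencrypt/live/%SERVER_NAME%/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/%SERVER_NAME%/privkey.pem;
+
+    location / {
+        root /var/www/mail.%SERVER_NAME%/;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name mail.%SERVER_NAME%;
+
+    location / {
+        root /var/www/mail.%SERVER_NAME%/;
+    }
+}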
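Review bot: The port-80 server for `%SERVER_NAME%` proxies the application in plaintext instead of redirecting to HTTPS, so logins and cookies can travel unencrypted even though the TLS listener exists, and the `HTTP_UPGRADE_INSECURE_REQUESTS` comment added to TCMS.pm in this same commit explicitly defers that to the proxy. Replace that block's `location /` with `location / { return 301 https://$host$request_uri; }` and keep only the `/.well-known/` location for the ACME challenge; the `mail.%SERVER_NAME%` port-80 block deserves the same treatment. The TLS servers also forward no scheme to the backend: add `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing `proxy_set_header` lines, otherwise the app (which builds a `$scheme://…` URL at the top of `app`, presumably from the PSGI environment) cannot distinguish https from http requests. Once the redirect is in place, consider `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 blocks, and note that `ssl_protocols` is left at the nginx default, which on older distro packages still includes TLS 1.0/1.1. Passing `$remote_addr` rather than `$proxy_add_x_forwarded_for` in `X-Forwarded-For` is the right choice here since it ignores any client-supplied value.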