From 4cca9715c47c7fd2432a72721c94f63b69b8ef7a Mon Sep 17 00:00:00 2001 From: Raphael Kabo Date: Wed, 13 Dec 2023 15:32:52 +0000 Subject: [PATCH] fix: formatting and explanatory comments --- .github/workflows/cypress-e2e.yml | 4 +- cypress/cypress-nginx.conf | 127 +++++++++++++++--------------- 2 files changed, 68 insertions(+), 63 deletions(-) diff --git a/.github/workflows/cypress-e2e.yml b/.github/workflows/cypress-e2e.yml index f0b3332ffd..a369e07950 100644 --- a/.github/workflows/cypress-e2e.yml +++ b/.github/workflows/cypress-e2e.yml @@ -47,7 +47,9 @@ jobs: uses: cypress-io/github-action@v6 env: CYPRESS_IDAPI_CLIENT_ACCESS_TOKEN: ${{ secrets.IDAPI_CLIENT_ACCESS_TOKEN }} - # Required for the Cypress tests to run as we're unable to verify the created certs + # This env variable prevents Node from rejecting self-signed TLS certificates. It's + # required for the Cypress tests to run as we're unable to verify the created certs. + # See: https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue NODE_TLS_REJECT_UNAUTHORIZED: 0 with: start: yarn cypress:e2e:server diff --git a/cypress/cypress-nginx.conf b/cypress/cypress-nginx.conf index 670979c083..c1185a1753 100644 --- a/cypress/cypress-nginx.conf +++ b/cypress/cypress-nginx.conf @@ -3,67 +3,69 @@ # with a ssl cert set on the domain #user nobody; -worker_processes 1; +worker_processes 1; events { - worker_connections 1024; + worker_connections 1024; } http { - include mime.types; - default_type application/octet-stream; + include mime.types; + default_type application/octet-stream; - sendfile on; + sendfile on; - keepalive_timeout 65; + # Set to 5 seconds longer than 60 seconds (pretty sure this is a magic numnber). + # This should help prevent timeouts in Cypress requests inside Github Actions. + keepalive_timeout 65; # fixes issues for large response headers - proxy_buffer_size 128k; - proxy_buffers 4 256k; - proxy_busy_buffers_size 256k; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + proxy_busy_buffers_size 256k; # manage.thegulocal.com # ====================== server { - listen 443 ssl; - server_name manage.thegulocal.com; - proxy_http_version 1.1; # this is essential for chunked responses to work + listen 443 ssl; + server_name manage.thegulocal.com; + proxy_http_version 1.1; # this is essential for chunked responses to work - ssl_certificate manage.thegulocal.com.crt; - ssl_certificate_key manage.thegulocal.com.key; - ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate manage.thegulocal.com.crt; + ssl_certificate_key manage.thegulocal.com.key; + ssl_session_timeout 5m; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; location / { - proxy_pass http://localhost:9234/; - proxy_set_header Host $http_host; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; + proxy_pass http://localhost:9234/; + proxy_set_header Host $http_host; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; } } # members-data-api.thegulocal.com # ====================== server { - listen 443 ssl; - server_name members-data-api.thegulocal.com; - proxy_http_version 1.1; # this is essential for chunked responses to work + listen 443 ssl; + server_name members-data-api.thegulocal.com; + proxy_http_version 1.1; # this is essential for chunked responses to work - ssl_certificate members-data-api.thegulocal.com.crt; - ssl_certificate_key members-data-api.thegulocal.com.key; - ssl_session_timeout 5m; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate members-data-api.thegulocal.com.crt; + ssl_certificate_key members-data-api.thegulocal.com.key; + ssl_session_timeout 5m; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; location / { - proxy_pass https://members-data-api.code.dev-theguardian.com; - proxy_next_upstream error timeout http_404 non_idempotent; - proxy_set_header "X-Forwarded-Proto" "https"; + proxy_pass https://members-data-api.code.dev-theguardian.com; + proxy_next_upstream error timeout http_404 non_idempotent; + proxy_set_header "X-Forwarded-Proto" "https"; proxy_set_header Host members-data-api.code.dev-theguardian.com; proxy_set_header Accept-Encoding ""; proxy_hide_header Content-Security-Policy; @@ -81,50 +83,51 @@ http { # profile.thegulocal.com # ====================== server { - listen 443 ssl; - server_name profile.thegulocal.com; - proxy_http_version 1.1; # this is essential for chunked responses to work + listen 443 ssl; + server_name profile.thegulocal.com; + proxy_http_version 1.1; # this is essential for chunked responses to work - ssl_certificate profile.thegulocal.com.crt; - ssl_certificate_key profile.thegulocal.com.key; - ssl_session_timeout 5m; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + ssl_certificate profile.thegulocal.com.crt; + ssl_certificate_key profile.thegulocal.com.key; + ssl_session_timeout 5m; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; # dummy location header for the API - proxy_set_header X-GU-ID-Geolocation ip:$remote_addr,country:GB,city:Leeds; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-GU-ID-Geolocation ip:$remote_addr,country:GB,city:Leeds; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { - proxy_pass https://profile.code.dev-theguardian.com; - proxy_next_upstream error timeout http_404 non_idempotent; - proxy_set_header "X-Forwarded-Proto" "https"; - proxy_set_header "X-GU-Okta-Env" "profile.code.dev-theguardian.com"; - proxy_set_header Host profile.code.dev-theguardian.com; - proxy_set_header Accept-Encoding ""; - proxy_hide_header Content-Security-Policy; + proxy_pass https://profile.code.dev-theguardian.com; + proxy_next_upstream error timeout http_404 non_idempotent; + proxy_set_header "X-Forwarded-Proto" "https"; + proxy_set_header "X-GU-Okta-Env" "profile.code.dev-theguardian.com"; + proxy_set_header Host profile.code.dev-theguardian.com; + proxy_set_header Accept-Encoding ""; + proxy_hide_header Content-Security-Policy; - proxy_cookie_domain profile.code.dev-theguardian.com profile.thegulocal.com; - proxy_cookie_domain .code.dev-theguardian.com .thegulocal.com; + proxy_cookie_domain profile.code.dev-theguardian.com profile.thegulocal.com; + proxy_cookie_domain .code.dev-theguardian.com .thegulocal.com; - sub_filter_types application/json; - sub_filter_once off; - sub_filter 'profile.code.dev-theguardian.com' 'profile.thegulocal.com'; + sub_filter_types application/json; + sub_filter_once off; + sub_filter 'profile.code.dev-theguardian.com' 'profile.thegulocal.com'; ###### # remove `sid` cookie in requests to Gateway # save original "Cookie" header value - set $altered_cookie $http_cookie; + set $altered_cookie $http_cookie; # check if the "sid" cookie is present + # From: https://stackoverflow.com/a/67627604 if ($http_cookie ~ '(.*)(^|;\s)sid=("[^"]*"|[^\s]*[^;]?)(\2|$|;$)(?:;\s)?(.*)') { # cut "sid" cookie from the string - set $altered_cookie $1$4$5; + set $altered_cookie $1$4$5; } # hide original "Cookie" header - proxy_hide_header Cookie; + proxy_hide_header Cookie; # set "Cookie" header to the new value - proxy_set_header Cookie $altered_cookie; + proxy_set_header Cookie $altered_cookie; ###### } }