From 586796bc12770e8effb78efb9208aa98b101c336 Mon Sep 17 00:00:00 2001 From: Kevin Heis Date: Thu, 9 Jan 2025 11:42:20 -0800 Subject: [PATCH 1/2] Update Dockerfile to use gh-base-image (#53830) --- Dockerfile | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index ca3381d9c512..d4ce7e2c8793 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,11 +5,23 @@ # -------------------------------------------------------------------------------- # BASE IMAGE # -------------------------------------------------------------------------------- -# To update the sha, run `docker pull node:$VERSION-alpine` -# look for something like: `Digest: sha256:0123456789abcdef` -FROM node:22-alpine@sha256:c13b26e7e602ef2f1074aef304ce6e9b7dd284c419b35d89fcf3cc8e44a8def9 AS base +# To update the sha: +# https://github.com/github/gh-base-image/pkgs/container/gh-base-image%2Fgh-base-noble +FROM ghcr.io/github/gh-base-image/gh-base-noble:20250108-185521-gcd4825276 AS base + +# Install git for cloning docs-early-access & translations repos +# Install curl for determining the early access branch +RUN apt-get -qq update && apt-get -qq install --no-install-recommends git curl + +# Install Node.js latest LTS +# https://github.com/nodejs/release#release-schedule +# Ubuntu's apt-get install nodejs is _very_ outdated +RUN curl -sL https://deb.nodesource.com/setup_22.x | bash - +RUN apt-get install -y nodejs +RUN node --version # This directory is owned by the node user +RUN useradd -ms /bin/bash node ARG APP_HOME=/home/node/app RUN mkdir -p $APP_HOME && chown -R node:node $APP_HOME WORKDIR $APP_HOME @@ -17,10 +29,6 @@ WORKDIR $APP_HOME # Switch to root to ensure we have permissions to copy, chmod, and install USER root -# Install git for cloning docs-early-access & translations repos -# Install curl for determining the early access branch -RUN apk add --no-cache git curl - # Copy in build scripts COPY src/deployments/production/build-scripts/*.sh ./build-scripts/ @@ -39,12 +47,12 @@ COPY data ./data # We use --mount-type=secret to avoid the secret being copied into the image layers for security # The secret passed via --secret can only be used in this RUN command RUN --mount=type=secret,id=DOCS_BOT_PAT_READPUBLICKEY \ - # We don't cache because Docker can't know if we need to fetch new content from remote repos - echo "Don't cache this step by printing date: $(date)" && \ - . ./build-scripts/fetch-repos.sh + # We don't cache because Docker can't know if we need to fetch new content from remote repos + echo "Don't cache this step by printing date: $(date)" && \ + . ./build-scripts/fetch-repos.sh # Give node user access to the copied content since we cloned as root -RUN chown -R node:node $APP_HOME/content +RUN chown -R node:node $APP_HOME/content RUN chown -R node:node $APP_HOME/assets RUN chown -R node:node $APP_HOME/data # Give node user access to translations repos @@ -105,7 +113,7 @@ RUN npm run precompute-pageinfo -- --max-versions 2 RUN npm prune --production # -------------------------------------------------------------------------------- -# PRODUCTION IMAGE +# PRODUCTION IMAGE # -------------------------------------------------------------------------------- FROM base AS production @@ -140,7 +148,7 @@ COPY --chown=node:node --from=builder $APP_HOME/next.config.js ./ COPY --chown=node:node --from=builder $APP_HOME/tsconfig.json ./ # - - - -# Environment variables are set in the Moda +# Environment variables are set in the Moda # configuration: config/moda/configuration/*/env.yaml # - - - From 43e123417fb0a2ffedf3af1c94923ba147e9af45 Mon Sep 17 00:00:00 2001 From: Kevin Heis Date: Thu, 9 Jan 2025 13:09:36 -0800 Subject: [PATCH 2/2] Remove remote IP endpoint (#53826) --- src/frame/middleware/index.ts | 2 -- src/frame/middleware/remote-ip.ts | 25 ------------------- src/frame/tests/remote-ip.ts | 41 ------------------------------- 3 files changed, 68 deletions(-) delete mode 100644 src/frame/middleware/remote-ip.ts delete mode 100644 src/frame/tests/remote-ip.ts diff --git a/src/frame/middleware/index.ts b/src/frame/middleware/index.ts index d899c34c549f..9d4c9a99d42a 100644 --- a/src/frame/middleware/index.ts +++ b/src/frame/middleware/index.ts @@ -29,7 +29,6 @@ import archivedEnterpriseVersionsAssets from '@/archives/middleware/archived-ent import api from './api' import healthz from './healthz' import manifestJson from './manifest-json' -import remoteIP from './remote-ip' import buildInfo from './build-info' import reqHeaders from './req-headers' import archivedEnterpriseVersions from '@/archives/middleware/archived-enterprise-versions' @@ -245,7 +244,6 @@ export default function (app: Express) { // *** Rendering, 2xx responses *** app.use('/api', api) - app.get('/_ip', remoteIP) app.get('/_build', buildInfo) app.get('/_req-headers', reqHeaders) app.use(asyncMiddleware(manifestJson)) diff --git a/src/frame/middleware/remote-ip.ts b/src/frame/middleware/remote-ip.ts deleted file mode 100644 index b0072409e207..000000000000 --- a/src/frame/middleware/remote-ip.ts +++ /dev/null @@ -1,25 +0,0 @@ -import type { Request, Response } from 'express' - -import { noCacheControl } from './cache-control.js' - -export default function remoteIp(req: Request, res: Response) { - noCacheControl(res) - res.json({ - ip: req.ip, - 'x-forwarded-for': req.headers['x-forwarded-for'] || null, - 'x-forwarded-host': req.headers['x-forwarded-host'] || null, - host: req.headers['host'] || null, - 'fastly-client-ip': req.headers['fastly-client-ip'] || null, - }) -} - -/* -Note from previous author: -This is used to check that the WAF is working correctly. -Doing things such as IP blocking in the Azure Firewall. -To make sure we got the Fastly -> Azure FrontDoor -> Azure App service header stuff right. -For example, if you use the express IP rate limit thing, -you want to make sure it's using the end user's IP and not the Fastly POP node. -So it was to end-to-end test the config by comparing that URL -with this https://www.google.com/search?q=what+is+my+ip -*/ diff --git a/src/frame/tests/remote-ip.ts b/src/frame/tests/remote-ip.ts deleted file mode 100644 index 37a963ebddf2..000000000000 --- a/src/frame/tests/remote-ip.ts +++ /dev/null @@ -1,41 +0,0 @@ -import { describe, expect, test, vi } from 'vitest' - -import { get } from '@/tests/helpers/e2etest.js' - -describe('remote ip debugging', () => { - vi.setConfig({ testTimeout: 60 * 1000 }) - - test('basics', async () => { - const res = await get('/_ip') - expect(res.statusCode).toBe(200) - expect(res.headers['content-type']).toContain('application/json') - const kv = JSON.parse(res.body) - expect('ip' in kv).toBeTruthy() - expect('x-forwarded-for' in kv).toBeTruthy() - expect('fastly-client-ip' in kv).toBeTruthy() - }) - - test('carrying the x-forwarded-for header', async () => { - const res = await get('/_ip', { - headers: { - 'X-Forwarded-For': '123.123.0.1', - }, - }) - expect(res.statusCode).toBe(200) - const kv = JSON.parse(res.body) - expect(kv['x-forwarded-for']).toBe('123.123.0.1') - }) - - test('req.ip becomes the first value from x-forwarded-for', async () => { - const xForwardedFor = '100.0.0.1, 100.0.0.2, 100.0.0.3' - const res = await get('/_ip', { - headers: { - 'X-Forwarded-For': xForwardedFor, - }, - }) - expect(res.statusCode).toBe(200) - const kv = JSON.parse(res.body) - expect(kv.ip).toBe('100.0.0.1') - expect(kv['x-forwarded-for']).toBe(xForwardedFor) - }) -})