nginx updates and python 3.11.6

2023-10-26 01:08:52 +00:00 · 2023-10-26 01:08:52 +00:00 · 52740271d9
parent c2e444249a
commit 52740271d9
5 changed files with 233 additions and 61 deletions
--- a/.github/workflows/ci-tests.yml
+++ b/.github/workflows/ci-tests.yml
@ -14,7 +14,7 @@ jobs:
    name: Tests
    strategy:
      matrix:
-        python-version: ["3.11.4"]
+        python-version: ["3.11.6"]

    steps:
      - uses: actions/checkout@v3
--- a/ansible/roles/trmm_dev/defaults/main.yml
+++ b/ansible/roles/trmm_dev/defaults/main.yml
@ -1,7 +1,7 @@
 ---
 user: "tactical"
-python_ver: "3.11.4"
-go_ver: "1.20.4"
+python_ver: "3.11.6"
+go_ver: "1.20.7"
 backend_repo: "https://github.com/amidaware/tacticalrmm.git"
 frontend_repo: "https://github.com/amidaware/tacticalrmm-web.git"
 scripts_repo: "https://github.com/amidaware/community-scripts.git"
--- a/install.sh
+++ b/install.sh
@ -29,7 +29,7 @@ RED='\033[0;31m'
 NC='\033[0m'

 SCRIPTS_DIR='/opt/trmm-community-scripts'
-PYTHON_VER='3.11.4'
+PYTHON_VER='3.11.6'
 SETTINGS_FILE='/rmm/api/tacticalrmm/tacticalrmm/settings.py'
 local_settings='/rmm/api/tacticalrmm/tacticalrmm/local_settings.py'

@ -292,8 +292,8 @@ sudo make altinstall
 cd ~
 sudo rm -rf Python-${PYTHON_VER} Python-${PYTHON_VER}.tgz

-print_green 'Installing redis and git'
-sudo apt install -y ca-certificates redis git weasyprint
+print_green 'Installing redis git and weasyprint'
+sudo apt install -y redis git weasyprint

 print_green 'Installing postgresql'

--- a/restore.sh
+++ b/restore.sh
@ -13,7 +13,7 @@ RED='\033[0;31m'
 NC='\033[0m'

 SCRIPTS_DIR='/opt/trmm-community-scripts'
-PYTHON_VER='3.11.4'
+PYTHON_VER='3.11.6'
 SETTINGS_FILE='/rmm/api/tacticalrmm/tacticalrmm/settings.py'

 TMP_FILE=$(mktemp -p "" "rmmrestore_XXXXXXXXXX")
@ -183,11 +183,6 @@ for i in sites-available sites-enabled; do
  sudo mkdir -p /etc/nginx/$i
 done

-for i in rmm frontend meshcentral; do
-  sudo cp ${tmp_dir}/nginx/${i}.conf /etc/nginx/sites-available/
-  sudo ln -s /etc/nginx/sites-available/${i}.conf /etc/nginx/sites-enabled/${i}.conf
-done
-
 print_green 'Restoring certbot'

 sudo apt install -y software-properties-common
@ -256,8 +251,8 @@ sudo make altinstall
 cd ~
 sudo rm -rf Python-${PYTHON_VER} Python-${PYTHON_VER}.tgz

-print_green 'Installing redis and git'
-sudo apt install -y redis git
+print_green 'Installing redis, git and weasyprint'
+sudo apt install -y redis git weasyprint

 print_green 'Installing postgresql'

@ -430,6 +425,7 @@ pip install --no-cache-dir --upgrade pip
 pip install --no-cache-dir setuptools==${SETUPTOOLS_VER} wheel==${WHEEL_VER}
 pip install --no-cache-dir -r /rmm/api/tacticalrmm/requirements.txt
 python manage.py migrate
+python manage.py generate_json_schemas
 python manage.py collectstatic --no-input
 python manage.py create_natsapi_conf
 python manage.py create_uwsgi_conf
@ -437,9 +433,12 @@ python manage.py reload_nats
 python manage.py post_update_tasks
 API=$(python manage.py get_config api)
 WEB_VERSION=$(python manage.py get_config webversion)
+FRONTEND=$(python manage.py get_config webdomain)
 webdomain=$(python manage.py get_config webdomain)
 meshdomain=$(python manage.py get_config meshdomain)
 WEBTAR_URL=$(python manage.py get_webtar_url)
+CERT_PUB_KEY=$(python manage.py get_config certfile)
+CERT_PRIV_KEY=$(python manage.py get_config keyfile)
 deactivate

 print_green 'Restoring hosts file'
@ -450,6 +449,115 @@ if grep -q manage_etc_hosts /etc/hosts; then
  sudo systemctl restart cloud-init >/dev/null
 fi

+print_green 'Restoring nginx configs'
+
+for i in frontend meshcentral; do
+  sudo cp ${tmp_dir}/nginx/${i}.conf /etc/nginx/sites-available/
+  sudo ln -s /etc/nginx/sites-available/${i}.conf /etc/nginx/sites-enabled/${i}.conf
+done
+
+if ! grep -q "location /assets/" $tmp_dir/nginx/rmm.conf; then
+  if [ -d "${tmp_dir}/certs/selfsigned" ]; then
+    CERT_PUB_KEY="${certdir}/cert.pem"
+    CERT_PRIV_KEY="${certdir}/key.pem"
+  fi
+  nginxrmm="$(
+    cat <<EOF
+server_tokens off;
+
+upstream tacticalrmm {
+    server unix:////rmm/api/tacticalrmm/tacticalrmm.sock;
+}
+
+map \$http_user_agent \$ignore_ua {
+    "~python-requests.*" 0;
+    "~go-resty.*" 0;
+    default 1;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${API};
+    return 301 https://\$server_name\$request_uri;
+}
+
+server {
+    listen 443 ssl reuseport;
+    listen [::]:443 ssl;
+    server_name ${API};
+    client_max_body_size 300M;
+    access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=\$ignore_ua;
+    error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
+    ssl_certificate ${CERT_PUB_KEY};
+    ssl_certificate_key ${CERT_PRIV_KEY};
+    
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    ssl_ecdh_curve secp384r1;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    add_header X-Content-Type-Options nosniff;
+    
+    location /static/ {
+        root /rmm/api/tacticalrmm;
+        add_header "Access-Control-Allow-Origin" "https://${FRONTEND}";
+    }
+
+    location /private/ {
+        internal;
+        add_header "Access-Control-Allow-Origin" "https://${FRONTEND}";
+        alias /rmm/api/tacticalrmm/tacticalrmm/private/;
+    }
+
+    location /assets/ {
+        internal;
+        add_header "Access-Control-Allow-Origin" "https://${FRONTEND}";
+        alias /opt/tactical/reporting/assets/;
+    }
+
+    location ~ ^/ws/ {
+        proxy_pass http://unix:/rmm/daphne.sock;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_redirect     off;
+        proxy_set_header   Host \$host;
+        proxy_set_header   X-Real-IP \$remote_addr;
+        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host \$server_name;
+    }
+
+    location ~ ^/natsws {
+        proxy_pass http://127.0.0.1:9235;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host \$host;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-Host \$host:\$server_port;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+
+    location / {
+        uwsgi_pass  tacticalrmm;
+        include     /etc/nginx/uwsgi_params;
+        uwsgi_read_timeout 300s;
+        uwsgi_ignore_client_abort on;
+    }
+}
+EOF
+  )"
+  echo "${nginxrmm}" | sudo tee /etc/nginx/sites-available/rmm.conf >/dev/null
+else
+  sudo cp ${tmp_dir}/nginx/rmm.conf /etc/nginx/sites-available/
+fi
+sudo ln -s /etc/nginx/sites-available/rmm.conf /etc/nginx/sites-enabled/rmm.conf
+
 HAS_11=$(grep 127.0.1.1 /etc/hosts)
 if [[ $HAS_11 ]]; then
  sudo sed -i "/127.0.1.1/s/$/ ${API} ${webdomain} ${meshdomain}/" /etc/hosts
--- a/update.sh
+++ b/update.sh
@ -10,7 +10,7 @@ NC='\033[0m'
 THIS_SCRIPT=$(readlink -f "$0")

 SCRIPTS_DIR='/opt/trmm-community-scripts'
-PYTHON_VER='3.11.4'
+PYTHON_VER='3.11.6'
 SETTINGS_FILE='/rmm/api/tacticalrmm/tacticalrmm/settings.py'

 TMP_FILE=$(mktemp -p "" "rmmupdate_XXXXXXXXXX")
@ -102,45 +102,6 @@ EOF
  sudo systemctl daemon-reload
 fi

-rmmconf='/etc/nginx/sites-available/rmm.conf'
-CHECK_NATS_WEBSOCKET=$(grep natsws $rmmconf)
-if ! [[ $CHECK_NATS_WEBSOCKET ]]; then
-  echo "Adding nats websocket to nginx config"
-  echo "$(awk '
-  /location \/ {/ {
-      print "    location ~ ^/natsws {"
-      print "        proxy_pass http://127.0.0.1:9235;"
-      print "        proxy_http_version 1.1;"
-      print "        proxy_set_header Host $host;"
-      print "        proxy_set_header Upgrade $http_upgrade;"
-      print "        proxy_set_header Connection \"upgrade\";"
-      print "        proxy_set_header X-Forwarded-Host $host:$server_port;"
-      print "        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"
-      print "        proxy_set_header X-Forwarded-Proto $scheme;"
-      print "    }"
-      print "\n"
-  }
-  { print }
-  ' $rmmconf)" | sudo tee $rmmconf >/dev/null
-fi
-
-front_end=$(/rmm/api/env/bin/python /rmm/api/tacticalrmm/manage.py get_config webdomain)
-CHECK_ASSETS_NGINX=$(grep assets $rmmconf)
-if ! [[ $CHECK_ASSETS_NGINX ]]; then
-  echo "Adding assets to nginx config"
-  echo "$(awk '
-  /location \/ {/ {
-      print "    location /assets/ {"
-      print "        internal;"
-      print "        add_header 'Access-Control-Allow-Origin' 'https://${front_end}';"
-      print "        alias /opt/tactical/reporting/assets/;"
-      print "    }"
-      print "\n"
-  }
-  { print }
-  ' $rmmconf)" | sudo tee $rmmconf >/dev/null
-fi
-
 printf >&2 "${GREEN}Stopping celery and celerybeat services (this might take a while)...${NC}\n"
 for i in celerybeat celery; do
  sudo systemctl stop ${i}
@ -212,13 +173,6 @@ if ! [[ $CHECK_NGINX_NOLIMIT ]]; then
 /' $nginxdefaultconf
 fi

-backend_conf='/etc/nginx/sites-available/rmm.conf'
-CHECK_NGINX_REUSEPORT=$(grep reuseport $backend_conf)
-if ! [[ $CHECK_NGINX_REUSEPORT ]]; then
-  printf >&2 "${GREEN}Setting nginx reuseport${NC}\n"
-  sudo sed -i 's/listen 443 ssl;/listen 443 ssl reuseport;/g' $backend_conf
-fi
-
 sudo sed -i 's/# server_names_hash_bucket_size.*/server_names_hash_bucket_size 64;/g' $nginxdefaultconf

 if ! sudo nginx -t >/dev/null 2>&1; then
@ -245,6 +199,11 @@ if ! [[ $HAS_PY311 ]]; then
  sudo rm -rf Python-${PYTHON_VER} Python-${PYTHON_VER}.tgz
 fi

+HAS_WEASYPRINT=$(dpkg -l | grep weasyprint)
+if ! [[ $HAS_WEASYPRINT ]]; then
+  sudo apt install -y weasyprint
+fi
+
 arch=$(uname -m)
 nats_server='/usr/local/bin/nats-server'

@ -391,6 +350,8 @@ WEB_VERSION=$(python manage.py get_config webversion)
 FRONTEND=$(python manage.py get_config webdomain)
 MESHDOMAIN=$(python manage.py get_config meshdomain)
 WEBTAR_URL=$(python manage.py get_webtar_url)
+CERT_PUB_KEY=$(python manage.py get_config certfile)
+CERT_PRIV_KEY=$(python manage.py get_config keyfile)
 deactivate

 if grep -q manage_etc_hosts /etc/hosts; then
@ -401,6 +362,109 @@ if grep -q manage_etc_hosts /etc/hosts; then
  fi
 fi

+rmmconf='/etc/nginx/sites-available/rmm.conf'
+if ! grep -q "location /assets/" $rmmconf; then
+  printf >&2 "${YELLOW}WARNING!!!!\n\n"
+  printf >&2 "${rmmconf} will now be replaced due to changes needed for this update.\n\n"
+  printf >&2 "A backup of the existing config will be created in your home directory at ~/rmm.conf.nginx.bak\n\n"
+  printf >&2 "If you have made any custom or unsupported changes to this file please add them back in after this update.\n\n"
+  read -n 1 -s -r -p "Press any key to confirm you have read the above and continue..."
+  printf >&2 "\n${NC}\n"
+  cp $rmmconf ~/rmm.conf.nginx.bak
+  nginxrmm="$(
+    cat <<EOF
+server_tokens off;
+
+upstream tacticalrmm {
+    server unix:////rmm/api/tacticalrmm/tacticalrmm.sock;
+}
+
+map \$http_user_agent \$ignore_ua {
+    "~python-requests.*" 0;
+    "~go-resty.*" 0;
+    default 1;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${API};
+    return 301 https://\$server_name\$request_uri;
+}
+
+server {
+    listen 443 ssl reuseport;
+    listen [::]:443 ssl;
+    server_name ${API};
+    client_max_body_size 300M;
+    access_log /rmm/api/tacticalrmm/tacticalrmm/private/log/access.log combined if=\$ignore_ua;
+    error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
+    ssl_certificate ${CERT_PUB_KEY};
+    ssl_certificate_key ${CERT_PRIV_KEY};
+    
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    ssl_ecdh_curve secp384r1;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    add_header X-Content-Type-Options nosniff;
+    
+    location /static/ {
+        root /rmm/api/tacticalrmm;
+        add_header "Access-Control-Allow-Origin" "https://${FRONTEND}";
+    }
+
+    location /private/ {
+        internal;
+        add_header "Access-Control-Allow-Origin" "https://${FRONTEND}";
+        alias /rmm/api/tacticalrmm/tacticalrmm/private/;
+    }
+
+    location /assets/ {
+        internal;
+        add_header "Access-Control-Allow-Origin" "https://${FRONTEND}";
+        alias /opt/tactical/reporting/assets/;
+    }
+
+    location ~ ^/ws/ {
+        proxy_pass http://unix:/rmm/daphne.sock;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_redirect     off;
+        proxy_set_header   Host \$host;
+        proxy_set_header   X-Real-IP \$remote_addr;
+        proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host \$server_name;
+    }
+
+    location ~ ^/natsws {
+        proxy_pass http://127.0.0.1:9235;
+        proxy_http_version 1.1;
+
+        proxy_set_header Host \$host;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header X-Forwarded-Host \$host:\$server_port;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+    }
+
+    location / {
+        uwsgi_pass  tacticalrmm;
+        include     /etc/nginx/uwsgi_params;
+        uwsgi_read_timeout 300s;
+        uwsgi_ignore_client_abort on;
+    }
+}
+EOF
+  )"
+  echo "${nginxrmm}" | sudo tee /etc/nginx/sites-available/rmm.conf >/dev/null
+fi
+
 CHECK_HOSTS=$(grep 127.0.1.1 /etc/hosts | grep "$API" | grep "$FRONTEND" | grep "$MESHDOMAIN")
 HAS_11=$(grep 127.0.1.1 /etc/hosts)