From 541dca18825831c49e6fc0f44be3b8498ceefd99 Mon Sep 17 00:00:00 2001
From: metalicn20
Date: Mon, 25 Oct 2021 14:15:43 +0330
Subject: [PATCH 1/4] Implement CORS in nginx
---
 Deployment/docker-compose.yml | 2 +-
 Deployment/nginx.conf | 125 +++++++++++++++++++---------------
 2 files changed, 70 insertions(+), 57 deletions(-)
diff --git a/Deployment/docker-compose.yml b/Deployment/docker-compose.yml
index 4bf6728b9..7f511f6a2 100644
--- a/Deployment/docker-compose.yml
+++ b/Deployment/docker-compose.yml
@@ -307,7 +307,7 @@ services:
 restart_policy:
 condition: on-failure
 nginx:
- image: nginx:latest
+ image: jboesl/docker-nginx-headers-more
 container_name: opex_nginx
 volumes:
 - ./nginx.conf:/etc/nginx/nginx.conf
diff --git a/Deployment/nginx.conf b/Deployment/nginx.conf
index debca9b7b..0c54ba9ef 100644
--- a/Deployment/nginx.conf
+++ b/Deployment/nginx.conf
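Review bot: `image: jboesl/docker-nginx-headers-more` carries no tag or digest, so the edge proxy in front of the auth and wallet services now tracks whatever `latest` a third-party community image resolves to at each pull, replacing the official `nginx` image. Pin it to an immutable reference, e.g. `image: jboesl/docker-nginx-headers-more@sha256:<digest-placeholder>`, and note in a comment that it is only needed for the `more_set_headers` directives in nginx.conf. If the headers-more module is the sole reason for the switch, the official image's `add_header ... always;` would produce the same CORS headers without the extra supply-chain dependency.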
@@ -1,66 +1,79 @@
 worker_processes 1;
-events { worker_connections 1024; }
+
+events {
+ worker_connections 1024;
+}
+
 http {
- sendfile on;
- upstream docker-wallet {
- server wallet:8091;
+ sendfile on;
+
+ upstream docker-wallet {
+ server wallet:8091;
+ }
+
+ upstream docker-auth {
+ server auth:8083;
+ }
+
+ upstream docker-matching-gateway {
+ server matching-gateway:8093;
+ }
+
+ upstream docker-api {
+ server api:8094;
+ }
+
+ upstream docker-storage {
+ server storage:8096;
+ }
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+
+ server {
+ server_name api.opex.dev;
+
+ more_set_headers 'Access-Control-Allow-Origin: *';
+ more_set_headers 'Access-Control-Allow-Headers: *';
+ more_set_headers 'Access-Control-Allow-Methods: POST, PUT, PATCH, GET, OPTIONS';
+
+ location /auth {
+ proxy_pass http://docker-auth;
+ }
+
+ location /wallet/transfer {
+ return 403;
+ }
+
+ location /wallet/deposit {
+ return 403;
 }
- upstream docker-auth {
- server auth:8083;
+
+ location /wallet {
+ proxy_pass http://docker-wallet;
+ rewrite ^/wallet(.*)$ $1 break;
 }
- upstream docker-matching-gateway {
- server matching-gateway:8093;
+
+ location /gateway {
+ proxy_pass http://docker-matching-gateway;
+ rewrite ^/gateway(.*)$ $1 break;
 }
- upstream docker-api {
- server api:8094;
+
+ location /storage {
+ proxy_pass http://docker-storage;
+ rewrite ^/storage/(.*)$ /$1 break;
 }
- upstream docker-storage {
- server storage:8096;
+
+ location /api {
+ proxy_pass http://docker-api;
+ rewrite ^/api(.*)$ $1 break;
 }
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Host $server_name;
-
- server {
- server_name api.opex.dev;
-
- location /auth {
- proxy_pass http://docker-auth;
- }
-
- location /wallet/transfer {
- return 403;
- }
-
- location /wallet/deposit {
- return 403;
- }
-
- location /wallet {
- proxy_pass http://docker-wallet;
- rewrite ^/wallet(.*)$ $1 break;
- }
-
- location /gateway {
- proxy_pass http://docker-matching-gateway;
- rewrite ^/gateway(.*)$ $1 break;
- }
-
- location /storage {
- proxy_pass http://docker-storage;
- rewrite ^/storage/(.*)$ /$1 break;
- }
-
- location /api {
- proxy_pass http://docker-api;
- rewrite ^/api(.*)$ $1 break;
- }
-
- location /sapi {
- proxy_pass http://docker-api;
- rewrite ^/sapi(.*)$ $1 break;
+ location /sapi {
+ proxy_pass http://docker-api;
+ rewrite ^/sapi(.*)$ $1 break;
 }
+ }
 }
From 213829544fb642c778e242c9f649ac443b2f27d7 Mon Sep 17 00:00:00 2001
From: metalicn20
Date: Mon, 25 Oct 2021 14:25:13 +0330
Subject: [PATCH 2/4] Remove CORS from individual modules
---
 .../co/nilin/opex/app/config/CorsConfig.kt | 25 -------------------
 .../src/main/resources/application-docker.yml | 3 ---
 .../port/api/binance/config/SecurityConfig.kt | 2 --
 .../bcgateway/app/config/SecurityConfig.kt | 7 ------
 .../opex/storage/app/config/CorsConfig.kt | 25 -------------------
 .../opex/storage/app/config/SecurityConfig.kt | 2 --
 .../opex/wallet/app/config/CorsConfig.kt | 25 -------------------
 .../src/main/resources/application-docker.yml | 5 ----
 8 files changed, 94 deletions(-)
 delete mode 100644 Api/api-app/src/main/kotlin/co/nilin/opex/app/config/CorsConfig.kt
 delete mode 100644 Storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/CorsConfig.kt
 delete mode 100644 Wallet/wallet-app/src/main/kotlin/co/nilin/opex/wallet/app/config/CorsConfig.kt
diff --git a/Api/api-app/src/main/kotlin/co/nilin/opex/app/config/CorsConfig.kt b/Api/api-app/src/main/kotlin/co/nilin/opex/app/config/CorsConfig.kt
deleted file mode 100644
index 805a70f57..000000000
--- a/Api/api-app/src/main/kotlin/co/nilin/opex/app/config/CorsConfig.kt
+++ /dev/null
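Review bot: `more_set_headers 'Access-Control-Allow-Origin: *'` and `'Access-Control-Allow-Headers: *'` in the new `server` block open the whole API, including `/auth` and `/wallet`, to every origin, whereas the per-service CORS config this series removes allowed only `https://opex.dev`, `http://localhost:3000` and `http://192.168.*`. Derive the origin from that allowlist with a `map $http_origin` block and emit `Vary: Origin`, and list `Authorization` and `Content-Type` explicitly, since under the Fetch standard the `*` wildcard does not cover `Authorization`, which the bearer-token backends require. The block also only sets response headers: preflight `OPTIONS` requests are still proxied to the backends, which after the second commit no longer permit `OPTIONS` anonymously, so preflighted calls are likely to end in a 401 unless each proxied location answers them with `if ($request_method = OPTIONS) { return 204; }`.
```nginx
# … unchanged: worker_processes, events, upstreams, proxy_set_header …

# allowlist built from the origins the removed application-docker.yml files permitted
map $http_origin $cors_origin {
    default "";
    "https://opex.dev" $http_origin;
    "http://localhost:3000" $http_origin;
    "~^http://192\.168\." $http_origin;
}

server {
    server_name api.opex.dev;

    # an empty value makes more_set_headers drop the header for non-allowlisted origins
    more_set_headers "Access-Control-Allow-Origin: $cors_origin";
    more_set_headers "Access-Control-Allow-Headers: Authorization, Content-Type";
    more_set_headers "Access-Control-Allow-Methods: POST, PUT, PATCH, GET, OPTIONS";
    more_set_headers "Vary: Origin";

    # … unchanged: location blocks …
```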
@@ -1,25 +0,0 @@
-package co.nilin.opex.app.config
-
-import org.springframework.beans.factory.annotation.Value
-import org.springframework.context.annotation.Configuration
-import org.springframework.web.reactive.config.CorsRegistry
-import org.springframework.web.reactive.config.WebFluxConfigurer
-
-@Configuration
-class CorsConfig : WebFluxConfigurer {
-
- @Value("\${app.cors.allowed-hosts}")
- private lateinit var hosts: Array
-
- @Value("\${app.cors.allowed-patterns}")
- private lateinit var patterns: Array
-
- override fun addCorsMappings(registry: CorsRegistry) {
- registry.addMapping("/**")
- .allowedOrigins(*hosts)
- .allowedOriginPatterns(*patterns)
- .allowedHeaders("*")
- .allowedMethods("*")
- }
-
-}
\ No newline at end of file
diff --git a/Api/api-app/src/main/resources/application-docker.yml b/Api/api-app/src/main/resources/application-docker.yml
index a09ea2e3b..22ee7eaae 100644
--- a/Api/api-app/src/main/resources/application-docker.yml
+++ b/Api/api-app/src/main/resources/application-docker.yml
@@ -15,9 +15,6 @@ spring:
 allow-bean-definition-overriding: true
 app:
- cors:
- allowed-hosts: https://opex.dev, http://localhost:3000
- allowed-patterns: http://192.168.*
 accountant:
 url: lb://opex-accountant
 matching-gateway:
diff --git a/Api/api-ports/api-binance-rest/src/main/kotlin/co/nilin/opex/port/api/binance/config/SecurityConfig.kt b/Api/api-ports/api-binance-rest/src/main/kotlin/co/nilin/opex/port/api/binance/config/SecurityConfig.kt
index f2cfb87e6..12b98b829 100644
--- a/Api/api-ports/api-binance-rest/src/main/kotlin/co/nilin/opex/port/api/binance/config/SecurityConfig.kt
+++ b/Api/api-ports/api-binance-rest/src/main/kotlin/co/nilin/opex/port/api/binance/config/SecurityConfig.kt
@@ -19,7 +19,6 @@ class SecurityConfig(private val webClient: WebClient) {
 @Bean
 fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
 http.csrf().disable()
- .cors().and()
 .authorizeExchange()
 .pathMatchers("/hello").permitAll()
 .pathMatchers("/actuator/**").permitAll()
@@ -31,7 +30,6 @@ class SecurityConfig(private val webClient: WebClient) {
 .pathMatchers("/v3/ticker/**").permitAll()
 .pathMatchers("/v3/exchangeInfo").permitAll()
 .pathMatchers("/v3/klines").permitAll()
- .pathMatchers(HttpMethod.OPTIONS, "/**").permitAll()
 .pathMatchers("/**").hasAuthority("SCOPE_trust")
 .anyExchange().authenticated()
 .and()
diff --git a/BlockchainGateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/bcgateway/app/config/SecurityConfig.kt b/BlockchainGateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/bcgateway/app/config/SecurityConfig.kt
index 2ad33315f..d6340e9d9 100644
--- a/BlockchainGateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/bcgateway/app/config/SecurityConfig.kt
+++ b/BlockchainGateway/bc-gateway-app/src/main/kotlin/co/nilin/opex/bcgateway/app/config/SecurityConfig.kt
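Review bot: Removing `.pathMatchers(HttpMethod.OPTIONS, "/**").permitAll()` in the second hunk sends browser preflight requests, which carry no `Authorization` header, into `.pathMatchers("/**").hasAuthority("SCOPE_trust")`, where they fail with 401; the nginx change in the first commit only appends CORS headers and does not answer `OPTIONS` itself, so cross-origin requests with a bearer token or JSON body are likely to be blocked by the browser. Either keep that line, or have nginx short-circuit preflights before the proxy (`if ($request_method = OPTIONS) { return 204; }` in the proxied locations) and only then drop it. The Storage `SecurityConfig` hunk later in this series makes the same removal and needs the same treatment. If `HttpMethod` has no other use in this file, its import is now dead. The `springSecurityFilterChain` chain starts and ends outside these hunks.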
@@ -3,19 +3,12 @@ package co.nilin.opex.bcgateway.app.config
 import org.springframework.beans.factory.annotation.Qualifier
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.context.annotation.Bean
-import org.springframework.core.io.ClassPathResource
-import org.springframework.core.io.Resource
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
 import org.springframework.security.config.web.server.ServerHttpSecurity
 import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder
 import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder
 import org.springframework.security.web.server.SecurityWebFilterChain
-import org.springframework.util.Base64Utils
-import org.springframework.util.FileCopyUtils
 import org.springframework.web.reactive.function.client.WebClient
-import java.security.KeyFactory
-import java.security.interfaces.RSAPublicKey
-import java.security.spec.X509EncodedKeySpec
 @EnableWebFluxSecurity
 class SecurityConfig(@Qualifier("loadBalanced") private val webClient: WebClient) {
diff --git a/Storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/CorsConfig.kt b/Storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/CorsConfig.kt
deleted file mode 100644
index 988235929..000000000
--- a/Storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/CorsConfig.kt
+++ /dev/null
@@ -1,25 +0,0 @@
-package co.nilin.opex.storage.app.config
-
-import org.springframework.beans.factory.annotation.Value
-import org.springframework.context.annotation.Configuration
-import org.springframework.web.reactive.config.CorsRegistry
-import org.springframework.web.reactive.config.WebFluxConfigurer
-
-@Configuration
-class CorsConfig : WebFluxConfigurer {
-
- @Value("\${app.cors.allowed-hosts}")
- private lateinit var hosts: Array
-
- @Value("\${app.cors.allowed-patterns}")
- private lateinit var patterns: Array
-
- override fun addCorsMappings(registry: CorsRegistry) {
- registry.addMapping("/**")
- .allowedOrigins(*hosts)
- .allowedOriginPatterns(*patterns)
- .allowedHeaders("*")
- .allowedMethods("*")
- }
-
-}
diff --git a/Storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/SecurityConfig.kt b/Storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/SecurityConfig.kt
index 1f77edddb..c7f3b7ea4 100644
--- a/Storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/SecurityConfig.kt
+++ b/Storage/storage-app/src/main/kotlin/co/nilin/opex/storage/app/config/SecurityConfig.kt
@@ -22,7 +22,6 @@ class SecurityConfig(private val webClient: WebClient) {
 @Bean
 fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
 http.csrf().disable()
- .cors().and()
 .authorizeExchange()
 .pathMatchers("/hello").permitAll()
 .pathMatchers("/actuator/**").permitAll()
@@ -37,7 +36,6 @@ class SecurityConfig(private val webClient: WebClient) {
 AuthorizationDecision(granted)
 }
 }
- .pathMatchers(HttpMethod.OPTIONS, "/**").permitAll()
 .pathMatchers("/**").hasAuthority("SCOPE_trust")
 .anyExchange().authenticated()
 .and()
diff --git a/Wallet/wallet-app/src/main/kotlin/co/nilin/opex/wallet/app/config/CorsConfig.kt b/Wallet/wallet-app/src/main/kotlin/co/nilin/opex/wallet/app/config/CorsConfig.kt
deleted file mode 100644
index 2b2e6b644..000000000
--- a/Wallet/wallet-app/src/main/kotlin/co/nilin/opex/wallet/app/config/CorsConfig.kt
+++ /dev/null
@@ -1,25 +0,0 @@
-package co.nilin.opex.wallet.app.config
-
-import org.springframework.beans.factory.annotation.Value
-import org.springframework.context.annotation.Configuration
-import org.springframework.web.reactive.config.CorsRegistry
-import org.springframework.web.reactive.config.WebFluxConfigurer
-
-@Configuration
-class CorsConfig : WebFluxConfigurer {
-
- @Value("\${app.cors.allowed-hosts}")
- private lateinit var hosts: Array
-
- @Value("\${app.cors.allowed-patterns}")
- private lateinit var patterns: Array
-
- override fun addCorsMappings(registry: CorsRegistry) {
- registry.addMapping("/**")
- .allowedOrigins(*hosts)
- .allowedOriginPatterns(*patterns)
- .allowedHeaders("*")
- .allowedMethods("*")
- }
-
-}
\ No newline at end of file
diff --git a/Wallet/wallet-app/src/main/resources/application-docker.yml b/Wallet/wallet-app/src/main/resources/application-docker.yml
index 2f411893a..72129f214 100644
--- a/Wallet/wallet-app/src/main/resources/application-docker.yml
+++ b/Wallet/wallet-app/src/main/resources/application-docker.yml
@@ -16,8 +16,3 @@ spring:
 consul:
 host: ${CONSUL_HOST}
 port: 8500
-
-app:
- cors:
- allowed-hosts: https://opex.dev, http://localhost:3000
- allowed-patterns: http://192.168.*
\ No newline at end of file
From f528d3a2791c28ff2321793b6f114a8fd986588a Mon Sep 17 00:00:00 2001
From: metalicn20
Date: Mon, 25 Oct 2021 14:39:05 +0330
Subject: [PATCH 3/4] Add more allowed methods
---
 Deployment/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Deployment/nginx.conf b/Deployment/nginx.conf
index 0c54ba9ef..0bc841264 100644
--- a/Deployment/nginx.conf
+++ b/Deployment/nginx.conf
@@ -37,7 +37,7 @@ http {
 more_set_headers 'Access-Control-Allow-Origin: *';
 more_set_headers 'Access-Control-Allow-Headers: *';
- more_set_headers 'Access-Control-Allow-Methods: POST, PUT, PATCH, GET, OPTIONS';
+ more_set_headers 'Access-Control-Allow-Methods: POST, PUT, PATCH, GET, DELETE, OPTIONS, HEAD';
 location /auth {
 proxy_pass http://docker-auth;
From 9f44f311cd83cb81147f828678063c23e6584e60 Mon Sep 17 00:00:00 2001
From: metalicn20
Date: Mon, 25 Oct 2021 16:07:14 +0330
Subject: [PATCH 4/4] Setup binance proxy to nginx
---
 Deployment/nginx.conf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/Deployment/nginx.conf b/Deployment/nginx.conf
index 0bc841264..64ba68d80 100644
--- a/Deployment/nginx.conf
+++ b/Deployment/nginx.conf
@@ -75,5 +75,10 @@ http {
 proxy_pass http://docker-api;
 rewrite ^/sapi(.*)$ $1 break;
 }
+
+ location /api/v3/klines {
+ proxy_set_header Host api.binance.com;
+ proxy_pass https://api.binance.com;
+ }
 }
 }
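Review bot: `proxy_pass https://api.binance.com;` in the new `/api/v3/klines` location relies on nginx defaults, under which `proxy_ssl_verify` is off and no SNI is sent, so the certificate of the external upstream is never checked and a spoofed or on-path upstream could feed the exchange forged market data. Add `proxy_ssl_server_name on;`, `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <ca-bundle-path>;` alongside the `proxy_pass`. The `proxy_set_header Host` inside this location also stops the `X-Forwarded-*` headers from the `http` block being inherited, which is the right outcome here (client addresses should not be forwarded to a third party) but deserves a comment so it is not "fixed" later. Note too that the wildcard CORS headers from the `server` block are attached to this third-party response.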