updates

Dockerfile

@@ -1,17 +1,23 @@
 # Stage 1: Build Stage
-FROM node:current-alpine AS builder
+FROM --platform=$BUILDPLATFORM node:current-alpine AS builder
+
+
+
+# Client configuration will be put into client/.env
+ENV TZ=UTC \
+    VITE_COMMIT_SHA=prion
+
+
 
 WORKDIR /opt/app
 COPY  . . 
 
-RUN apk update \
-        && apk add --no-cache bash \
-        && chmod +x /opt/app/start.sh \
-        && npm install -g yarn@latest --force \
+
+
+RUN     npm install -g yarn@latest --force \
         && yarn install --flat --production --no-cache \
         && yarn build --no-cache \
         && rm -rf /opt/app/node_modules \
-        && rm -rf /opt/app/server/node_modules \
         && yarn cache clean \
         && yarn autoclean --force
 
@@ -20,23 +26,26 @@ FROM alpine:latest
 
 WORKDIR /opt/app
 
+RUN apk add --no-cache nginx yarn openssl iptables
+
 COPY --from=builder /opt/app/client/dist /opt/app/client/dist
+#COPY --from=builder /opt/app/client/src/.env /opt/app/client/src/.env
 COPY --from=builder /opt/app/server /opt/app/server
 COPY package.json /opt/app/package.json
 COPY default.conf /etc/nginx/http.d/
 COPY start.sh /opt/app/start.sh
 
 
+RUN  chmod +x /opt/app/start.sh
+
 
 
-RUN apk add --no-cache nginx yarn openssl && \
-    chmod +x /opt/app/start.sh
 
 
 
 HEALTHCHECK --interval=30s --timeout=30s --start-period=10s --retries=3 \ 
     CMD [ "curl", "-f", "http://localhost:3001", "||", "exit", "1" ]
 
-CMD ["/opt/app/start.sh"]
+CMD ["/opt/app/start.sh", "start" ]
 
 STOPSIGNAL SIGTERM

build.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 api_host=$API_HOST
 

client/src/config/env.js

@@ -1,5 +1,5 @@
 /* istanbul ignore file */
-export const MAX_FILE_SIZE = import.meta.VITE_MAX_FILE_SIZE || 4;
+export const MAX_FILE_SIZE = import.meta.VITE_MAX_FILE_SIZE;
 export const COMMIT_SHA = import.meta.env.VITE_COMMIT_SHA;
 
 export default import.meta.env.NODE_ENV;

docker-compose.yaml

@@ -3,27 +3,18 @@ services:
   darkwire:
     build: .
     #image: noxcis/darkwire:test
-    environment:
-      - TZ=UTC
-      - VITE_API_PORT=3001
-      - VITE_API_HOST=localhost
-      - VITE_API_PROTOCOL=http
-      - VITE_COMMIT_SHA=some_sha
-      - VITE_MAX_FILE_SIZE=20
-      - MAILGUN_API_KEY=api-key
-      - MAILGUN_DOMAIN=darkwire.io
-      - ABUSE_TO_EMAIL_ADDRESS=abuse@darkwire.io
-      - ABUSE_FROM_EMAIL_ADDRESS=Darkwire <no-reply@darkwire.io>
-      - CLIENT_DIST_DIRECTORY='client/dist'
-      - ROOM_HASH_SECRET='some-uuid'
-      - SITE_URL=https://darkwire.io
-      - STORE_BACKEND=memory
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
     networks:
       - db
     ports:
       - 3002:80
       - 4001:443
       - 5001:3001
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
       
 networks:
   db:

server/src/index.js

@@ -118,7 +118,9 @@ if (store.hasSocketAdapter) {
   io.adapter(store.getSocketAdapter());
 }
 
-const roomHashSecret = process.env.ROOM_HASH_SECRET;
+
+const roomHashSecret = process.env.ROOM_HASH_SECRET || crypto.randomBytes(256).toString('hex');
+
 
 const getRoomIdHash = id => {
   if (env === 'development') {

start.sh

@@ -1,56 +1,84 @@
 #!/bin/sh
 
-# We use this file to translate environmental variables to .env files used by the application
-set_env() {
-echo "
-TZ=UTC
-VITE_API_HOST=$VITE_API_HOST
-VITE_API_PROTOCOL=$VITE_API_PROTOCOL
-VITE_API_PORT=$VITE_API_PORT
-VITE_COMMIT_SHA=$VITE_COMMIT_SHA
-MODE=production
-VITE_COMMIT_SHA=$VITE_COMMIT_SHA
-VITE_MAX_FILE_SIZE=$VITE_MAX_FILE_SIZE
-" > client/.env
-
-
-echo "
-MAILGUN_API_KEY=$MAILGUN_API_KEY
-MAILGUN_DOMAIN=$MAILGUN_DOMAIN
-ABUSE_TO_EMAIL_ADDRESS=$ABUSE_TO_EMAIL_ADDRESS
-ABUSE_FROM_EMAIL_ADDRESS=$ABUSE_FROM_EMAIL_ADDRESS
-CLIENT_DIST_DIRECTORY='client/dist/'
-ROOM_HASH_SECRET=$ROOM_HASH_SECRET
-SITE_URL=$SITE_URL
-STORE_BACKEND=$STORE_BACKEND
-STORE_HOST=$STORE_HOST
-" > server/.env
-}
 
 generate_self_signed_ssl() {
     local key_file="certs/selfsigned.key"
     local cert_file="certs/selfsigned.crt"
     local csr_file="certs/selfsigned.csr"
+    local config_file="certs/openssl.cnf"
     local days_valid=365
 
-    # Create "certs" directory if it doesn't exist
     mkdir -p certs
 
-    # Generate private key
+    cat > "$config_file" <<EOF
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+x509_extensions = v3_ca
+
+[dn]
+C = US
+ST = FL
+L = Miami
+O = NoxCorp
+OU = GhostWorks
+CN = Noxcis
+
+[req_ext]
+subjectAltName = @alt_names
+
+[alt_names]
+IP.1 = 127.0.0.1
+
+[v3_ca]
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+EOF
+
     openssl genpkey -algorithm RSA -out "$key_file"
-
-    # Generate certificate signing request (CSR)
-    openssl req -new -key "$key_file" -out "$csr_file" -subj "/C=US/ST=FL/L=Miami/O=NoxCorp/OU=GhostWorks/CN=Noxcis"
-
-    # Generate self-signed certificate
-    openssl x509 -req -days "$days_valid" -in "$csr_file" -signkey "$key_file" -out "$cert_file"
-
-    # Provide information about the generated files
-    echo "Self-signed SSL key: $key_file"
-    echo "Self-signed SSL certificate: $cert_file"
-    echo "Certificate signing request: $csr_file"
+    openssl req -new -key "$key_file" -out "$csr_file" -config "$config_file"
+    openssl x509 -req -days "$days_valid" -in "$csr_file" -signkey "$key_file" \
+        -out "$cert_file" -extfile "$config_file" -extensions req_ext -extensions v3_ca
 }
 
+#!/bin/bash
+
+# Function to allow only private IP ranges for incoming connections
+allow_private_ips_only() {
+    # Flush existing iptables rules
+    iptables -F
+    iptables -X
+
+    # Allow loopback traffic
+    iptables -A INPUT -i lo -j ACCEPT
+    iptables -A OUTPUT -o lo -j ACCEPT
+
+    # Allow established and related connections
+    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+    # Allow traffic from private IP ranges
+    iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
+    iptables -A INPUT -s 172.16.0.0/12 -j ACCEPT
+    iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
+
+    # Drop all other traffic
+    iptables -A INPUT -j DROP
+
+    # Allow outgoing traffic to private IP ranges
+    iptables -A OUTPUT -d 10.0.0.0/8 -j ACCEPT
+    iptables -A OUTPUT -d 172.16.0.0/12 -j ACCEPT
+    iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
+
+    # Drop all other outgoing traffic
+    iptables -A OUTPUT -j DROP
+}
+
+
+
 # Graceful shutdown function
 shutdown_nginx() {
     echo "Shutting down Nginx..."
@@ -61,16 +89,21 @@ shutdown_nginx() {
 # Trap SIGTERM signal and call shutdown_nginx
 trap 'shutdown_nginx' SIGTERM
 
-set_env &&
-# Start your application
-generate_self_signed_ssl generate_self_signed_ssl >> /dev/null 2>&1
 
+        generate_self_signed_ssl  >> /dev/null 2>&1 
+        echo '
+██████╗  █████╗ ██████╗ ██╗  ██╗██╗    ██╗██╗██████╗ ███████╗
+██╔══██╗██╔══██╗██╔══██╗██║ ██╔╝██║    ██║██║██╔══██╗██╔════╝
+██║  ██║███████║██████╔╝█████╔╝ ██║ █╗ ██║██║██████╔╝█████╗  
+██║  ██║██╔══██║██╔══██╗██╔═██╗ ██║███╗██║██║██╔══██╗██╔══╝  
+██████╔╝██║  ██║██║  ██║██║  ██╗╚███╔███╔╝██║██║  ██║███████╗
+╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝╚═╝  ╚═╝╚══════╝
+Dockerized by NOXCIS                                                             
+'
+        # Start the server
+        allow_private_ips_only
+        yarn start &
+        nginx &
+        # Wait indefinitely to handle SIGTERM
+        wait
 
-# Start the server
-cd server
-yarn install
-cd ..
-yarn start &&
-nginx &
-# Wait indefinitely to handle SIGTERM
-wait

torrc

@@ -0,0 +1,13 @@
+##### Do not edit. #####
+UseBridges 1
+AutomapHostsOnResolve 1
+VirtualAddrNetwork 10.192.0.0/10
+User tor
+DataDirectory /var/lib/tor
+SocksPort auto
+TransPort 10.2.0.3:59040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
+ClientTransportPlugin webtunnel exec ./client
+%include /etc/tor/torrc.d/*.conf
+
+
+