Add some files to the test config folder, and a readme

llemeurfr · web-flow · commit 683babfbbd94 · 2026-02-14T18:32:55.000+01:00
diff --git a/config/README.md b/config/README.md
@@ -0,0 +1,83 @@
+# Configuration Secrets
+
+This directory contains sensitive configuration files used as Docker secrets.
+
+## Required Files
+
+### `access.txt`
+Basic authentication credentials for LCP API access and JWT dashboard accounts.
+
+**Format:**
+```
+username:password
+dashboard_user1:password1
+dashboard_user2:password2
+```
+
+First line: Basic auth credentials for API access
+Following lines: Dashboard admin accounts (username:password pairs)
+
+### `mysql-root-password.txt`
+MySQL root password.
+
+**Example:**
+```
+your_strong_root_password_here
+```
+
+### `mysql-password.txt`
+Password for the MySQL user defined in `MYSQL_USER` (typically `lcp_user`).
+
+**Example:**
+```
+your_strong_user_password_here
+```
+
+### `jwt-secretkey.txt`
+Secret key used to sign JWT tokens for dashboard authentication.
+
+**Example:**
+```
+your_strong_random_jwt_secret_key_minimum_32_characters
+```
+
+**⚠️ Important:** Generate a strong random key of at least 32 characters.
+
+## Security Best Practices
+
+1. **Never commit these files to version control** (already ignored in `.gitignore`)
+2. **Use strong, random passwords** - minimum 16 characters
+3. **Different passwords for each secret**
+4. **Generate JWT secret key with:**
+   ```bash
+   openssl rand -base64 48
+   ```
+5. **Restrict file permissions:**
+   ```bash
+   chmod 600 config/*.txt
+   ```
+6. **Rotate secrets regularly** in production
+7. **Backup secrets securely** (encrypted storage)
+
+## Initial Setup
+
+1. Copy example files or create new ones:
+   ```bash
+   cd config/
+   echo "your_mysql_root_password" > mysql-root-password.txt
+   echo "your_mysql_user_password" > mysql-password.txt
+   echo "apiuser:apipassword" > access.txt
+   openssl rand -base64 48 > jwt-secretkey.txt
+   chmod 600 *.txt
+   ```
+
+2. Update `config-vm/` directory with production values if needed
+
+## How Secrets Are Used
+
+- **Docker Compose** mounts these files to `/run/secrets/` inside containers
+- **LCP Server** reads secrets at startup via environment variables:
+  - `LCPSERVER_ACCESS_FILE` → `/run/secrets/access`
+  - `MYSQL_PASSWORD_FILE` → `/run/secrets/mysql-password`
+  - `JWT_SECRETKEY_FILE` → `/run/secrets/jwt-secretkey`
+- Passwords are **never** stored in environment variables or code
diff --git a/config/access.txt b/config/access.txt
@@ -0,0 +1,3 @@
+username:password
+bob:supersecret
+hugh:supersecret
diff --git a/config/jwt-secretkey.txt b/config/jwt-secretkey.txt
@@ -0,0 +1 @@
+your_strong_jwt_secret_key_here_change_in_production
diff --git a/config/nginx.conf b/config/nginx.conf
@@ -0,0 +1,146 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    # Logging
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+    error_log /var/log/nginx/error.log;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_comp_level 6;
+    gzip_types
+        text/plain
+        text/css
+        text/xml
+        text/javascript
+        application/json
+        application/javascript
+        application/xml+rss
+        application/atom+xml
+        image/svg+xml;
+
+    # Rate limiting
+    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
+
+    # Upstream for LCP server
+    upstream lcp_server {
+        server server:8989;
+        keepalive 32;
+    }
+
+    # Upstream for Dashboard service
+    upstream lcp_dashboard {
+        server dashboard:8080;
+        keepalive 16;
+    }
+
+    # HTTP configuration
+    server {
+        listen 80;
+        server_name _;
+
+        # Security headers
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+        # Client max body size for file uploads
+        client_max_body_size 100M;
+
+        # Proxy settings
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Health check endpoint
+        location /health {
+            access_log off;
+            proxy_pass http://lcp_server/health;
+            proxy_connect_timeout 5s;
+            proxy_read_timeout 10s;
+        }
+
+        # Group 1: Public / High Traffic (Status, Register, Renew, Return)
+        # These endpoints are frequently accessed by devices
+        location ~ ^/(status|register|renew|return)/ {
+            limit_req zone=api burst=50 nodelay;
+            proxy_pass http://lcp_server;
+            proxy_connect_timeout 30s;
+            proxy_read_timeout 60s;
+            proxy_send_timeout 60s;
+        }
+
+        # Group 2: LCP Server API (Publications, LicenseInfo, Licenses, Revoke, Dashdata)
+        # These endpoints are protected by Basic Auth, for use by LCP integrators,
+        # or (dashdata) protected by JWT, for use by the dashboard UI.
+        location ~ ^/(publications|licenseinfo|licenses|revoke|dashdata)(?:/|$) {
+            limit_req zone=api burst=20 nodelay;
+            proxy_pass http://lcp_server;
+            proxy_connect_timeout 30s;
+            proxy_read_timeout 120s;
+            proxy_send_timeout 60s;
+        }
+
+        # Group 3: Resources (Static files)
+        # Large files, high burst allowed for parallel downloads
+        location /resources/ {
+            limit_req zone=api burst=100 nodelay;
+            proxy_pass http://lcp_server/resources/;
+            proxy_connect_timeout 30s;
+            proxy_read_timeout 300s; # Longer timeout for large files
+            proxy_send_timeout 300s;
+        }
+
+        # Group 4: Dashboard UI
+        # Used by human admins via web interface
+        # Access to the root and specific paths
+        location ~ ^/($|login|dashboard|assets) {
+            limit_req zone=api burst=20 nodelay;
+            proxy_pass http://lcp_dashboard;
+            proxy_connect_timeout 30s;
+            proxy_read_timeout 60s;
+            proxy_send_timeout 60s;
+            # So the dashboard receives correct IP information
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # Group 4.1: Dashboard public assets
+        location ~ ^/(favicon.ico|placeholder.svg|cleanup-localstorage.js)$ {
+            limit_req zone=api burst=20 nodelay;
+            proxy_pass http://lcp_dashboard;
+            proxy_connect_timeout 30s;
+            proxy_read_timeout 60s;
+            proxy_send_timeout 60s;
+        }
+
+        # Default proxy for all other requests (fallback)
+        location / {
+            return 404;
+            access_log off;
+        }
+
+        # Error pages
+        error_page 502 503 504 /50x.html;
+        location = /50x.html {
+            root /usr/share/nginx/html;
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+username:password`
	`2`	`+bob:supersecret`
	`3`	`+hugh:supersecret`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+your_strong_jwt_secret_key_here_change_in_production`