35 Commits
48f386c312
...
d26d8a822f
Author | SHA1 | Date | |
---|---|---|---|
d26d8a822f | |||
d0eb4cc821 | |||
762b97d19d | |||
2889c153f3 | |||
dfa50ea6b5 | |||
41dcd6a5bb | |||
2dbcd4a845 | |||
81cfe975b4 | |||
e83dce3304 | |||
7ce5738399 | |||
34ffb96025 | |||
1e7531e632 | |||
b2a02407b9 | |||
f196697569 | |||
f77961145e | |||
3001dbca73 | |||
5ded2bc320 | |||
a184866de3 | |||
c48e985d23 | |||
e8d238f3c3 | |||
8f35aaef11 | |||
ee38b2468e | |||
fdfba8ab4f | |||
2c3bcf27d7 | |||
ba7d33943e | |||
f30e22b333 | |||
9ee212fcef | |||
1ca3b48d0d | |||
d864231db1 | |||
7828ff2125 | |||
0fbd3303e4 | |||
e82fad68ac | |||
cc10ee2241 | |||
9e9abe945f | |||
f21510cdf7 |
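--- a/.env
+++ b/.env
@@ -0,0 +1,120 @@
+#
+# Parameters for node-livereload-tls stack:
+# This file makes it easier to customize your node-livereload-tls stack deployment by providing centralized configuration options.
+# This file is *not required* since all values have (sane) default settings.
+# There is *no* sensitive information in this file.
+
+
+#
+# COMMON PARAMETERS
+
+# TZ:
+# Timezone used in logs and console messages. No effect on operation, purely aesthetic.
+# REQUIRED: NO
+# DEFAULT: Etc/UTC
+# VALID OPTIONS: Any valid IANA TZ formatted timezone. Refer to https://en.wikipedia.org/wiki/List_of_tz_database_time_zones.
+TZ=Etc/UTC
+
+# GID:
+# You may wish to change the GroupID of the container's user. This allows it access certain resources on the host like certificates or files.
+# REQUIRED: NO
+# DEFAULT:
+# VALID OPTIONS: Any valid UID/GID
+#GID=
+
+# WATCHDIR:
+# Directory containing files you want to monitor for changes and trigger a browser reload.
+# REQUIRED: NO
+# DEFAULT:
+# VALID OPTIONS: Any valid directory on the host
+WATCHDIR=~/myWebProject
+
+
+#
+# AB-NGINX parameters
+# refer to https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki for more details
+
+# NGINX_HTTP:
+# Port to map on the host for ab-nginx to listen for HTTP connections.
+# REQUIRED: NO
+# DEFAULT: 80
+# VALID OPTIONS: Any valid TCP port that does not cause conflicts in your environment
+#NGINX_HTTP=80
+
+# NGINX_HTTPS:
+# Port to map on the host for ab-nginx to listen for HTTPS connections.
+# REQUIRED: NO
+# DEFAULT: 443
+# VALID OPTIONS: Any valid TCP port that does not cause conflicts in your environment
+#NGINX_HTTPS=443
+
+# SERVER_NAMES:
+# Space-delimited list of names to which the server should respond. This needs to match any certificates being used.
+# REQUIRED: NO
+# DEFAULT: _
+# VALID OPTIONS: Any valid hostnames for your environment
+SERVER_NAMES=_
+
+# TLS13_ONLY:
+# Use and accept only TLS version 1.3 connections. If false, both TLS versions 1.2 and 1.3 will be accepted.
+# REQUIRED: NO
+# DEFAULT: TRUE
+# VALID OPTIONS: TRUE, FALSE
+TLS13_ONLY=TRUE
+
+
+#
+# node-livereload parameters
+
+# LR_PORT:
+# Port on which the server should listen. Virtually all clients expect the default setting.
+# REQUIRED: NO
+# DEFAULT: 35729
+# VALID OPTIONS: Any valid TCP port number that does not conflict within your environment
+#LR_PORT=35729
+
+# LR_EXTS:
+# Comma-delimited list of extensions to watch for changes and trigger a browser reload.
+# REQUIRED: NO
+# DEFAULT: "html,xml,css,js,jsx,ts,tsx,php,py"
+# VALID OPTIONS: Any valid file extension(s)
+LR_EXTS="html,xml,css,js,jsx,ts,tsx,php,py"
+
+# LR_EXCLUDE:
+# Comma-delimited set of /regular-expressions/ defining what to exclude from monitoring in addition to the defaults.
+# Upstream node-livereload lists the following as defaults: "/\.git\//,/\.svn\//,/\.hg\//"
+# REQUIRED: NO
+# DEFAULT: "/\.vscode\//,/\.idea\//,/\.tmp/,/\.swp/"
+# VALID OPTIONS: Any valid RegEx that matches files or directories
+LR_EXCLUDE="/\.vscode\//,/\.idea\//,/\.tmp/,/\.swp/"
+
+# LR_DELAY:
+# Amount of time in milliseconds before detecting a change and sending a trigger for a browser reload. Useful if you need to allow time for background recompilation, etc.
+# REQUIRED: NO
+# DEFAULT: 500
+# VALID OPTIONS: Any integer representing a number of milliseconds (ms)
+LR_DELAY=500
+
+# LR_DEBUG:
+# Whether or not to print diagnostic debugging messages about the server's operation. Usually a good idea to leave this set to 'true'.
+# REQUIRED: NO
+# DEFAULT: true
+# VALID OPTIONS: true, false
+LR_DEBUG=true
+
+# LR_HTTPS:
+# Whether or not to enable SSL/TLS on the server's listening port. This may be required depending on your domain and environment configuration.
+# REQUIRED: NO
+# DEFAULT: true
+# VALID OPTIONS: true, false
+LR_HTTPS=true
+
+# CERT_HOSTNAME:
+# Hostname to use if container is auto-generating a self-signed certificate.
+# REQUIRED: NO
+# DEFAULT: $HOSTNAME
+# VALID OPTIONS: Any valid hostname
+CERT_HOSTNAME=${SERVER_NAMES}
+
+
+#EOF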
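Review bot: `CERT_HOSTNAME=${SERVER_NAMES}` at the end of the new .env feeds a value documented a few stanzas earlier as a *space-delimited list* (default `_`) into a field documented as a single hostname, so an auto-generated self-signed certificate would carry `_` or a multi-name string as its CN/SAN and never match the host a browser connects to; the `# DEFAULT: $HOSTNAME` line directly above also no longer describes the value being set. Whether `${...}` is expanded inside a .env file at all depends on the Compose version reading it, so older readers may pass the literal text through. Suggest leaving it unset like the other optional keys, `#CERT_HOSTNAME=`, and adding `# Must be a single hostname and should match one of the SERVER_NAMES entries` so the user picks a real name rather than inheriting the nginx default.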
36
.gitattributes
vendored
36
.gitattributes
vendored
@ -4,9 +4,6 @@
|
|||||||
# https://www.davidlaing.com/2012/09/19/customise-your-gitattributes-to-become-a-git-ninja/
|
# https://www.davidlaing.com/2012/09/19/customise-your-gitattributes-to-become-a-git-ninja/
|
||||||
* text=auto
|
* text=auto
|
||||||
|
|
||||||
# JetBrains: Do not touch line endings, but show diff
|
|
||||||
.idea/** -text
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# The above will handle all files NOT found below
|
# The above will handle all files NOT found below
|
||||||
#
|
#
|
||||||
@ -23,7 +20,7 @@
|
|||||||
*.PDF diff=astextplain
|
*.PDF diff=astextplain
|
||||||
*.rtf diff=astextplain
|
*.rtf diff=astextplain
|
||||||
*.RTF diff=astextplain
|
*.RTF diff=astextplain
|
||||||
*.md text
|
*.md text diff=markdown
|
||||||
*.tex text diff=tex
|
*.tex text diff=tex
|
||||||
*.adoc text
|
*.adoc text
|
||||||
*.textile text
|
*.textile text
|
||||||
@ -33,6 +30,7 @@
|
|||||||
*.tsv text
|
*.tsv text
|
||||||
*.txt text
|
*.txt text
|
||||||
*.sql text
|
*.sql text
|
||||||
|
*.ps1 text eol=crlf
|
||||||
|
|
||||||
# Graphics
|
# Graphics
|
||||||
*.png binary
|
*.png binary
|
||||||
@ -56,7 +54,22 @@
|
|||||||
# These are explicitly windows files and should use crlf
|
# These are explicitly windows files and should use crlf
|
||||||
*.bat text eol=crlf
|
*.bat text eol=crlf
|
||||||
*.cmd text eol=crlf
|
*.cmd text eol=crlf
|
||||||
*.ps1 text eol=crlf
|
|
||||||
|
# web frontend stack -- force LF so SRI hashes are always correct
|
||||||
|
*.html text eol=lf
|
||||||
|
*.htm text eol=lf
|
||||||
|
*.css text eol=lf
|
||||||
|
*.min.css text eol=lf
|
||||||
|
*.js text eol=lf
|
||||||
|
*.min.js text eol=lf
|
||||||
|
|
||||||
|
# Visual Studio projects (Rider also)
|
||||||
|
*.cs diff=csharp
|
||||||
|
*.sln merge=union
|
||||||
|
*.csproj merge=union
|
||||||
|
*.vbproj merge=union
|
||||||
|
*.fsproj merge=union
|
||||||
|
*.dbproj merge=union
|
||||||
|
|
||||||
# Serialisation
|
# Serialisation
|
||||||
*.json text
|
*.json text
|
||||||
@ -72,9 +85,6 @@
|
|||||||
*.tgz binary
|
*.tgz binary
|
||||||
*.zip binary
|
*.zip binary
|
||||||
|
|
||||||
# Docker build files
|
|
||||||
Dockerfile text eol=lf
|
|
||||||
|
|
||||||
# Text files where line endings should be preserved
|
# Text files where line endings should be preserved
|
||||||
*.patch -text
|
*.patch -text
|
||||||
|
|
||||||
@ -82,8 +92,8 @@ Dockerfile text eol=lf
|
|||||||
# Exclude files from exporting
|
# Exclude files from exporting
|
||||||
#
|
#
|
||||||
|
|
||||||
.gitattributes export-ignore
|
.gitattributes export-ignore
|
||||||
.gitignore export-ignore
|
.gitignore export-ignore
|
||||||
.gitkeep export-ignore
|
.gitkeep export-ignore
|
||||||
.vscode export-ignore
|
.idea export-ignore
|
||||||
.idea export-ignore
|
.vscode export-ignore
|
||||||
|
80
.gitignore
vendored
80
.gitignore
vendored
@ -1,10 +1,72 @@
|
|||||||
.vscode/*
|
### JetBrains template
|
||||||
!.vscode/settings.json
|
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
|
||||||
!.vscode/tasks.json
|
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
|
||||||
!.vscode/launch.json
|
|
||||||
!.vscode/extensions.json
|
|
||||||
!.vscode/numbered-bookmarks.json
|
|
||||||
*.code-workspace
|
|
||||||
|
|
||||||
# Local History for Visual Studio Code
|
# User-specific stuff
|
||||||
.history/
|
.idea/**/workspace.xml
|
||||||
|
.idea/**/tasks.xml
|
||||||
|
.idea/**/usage.statistics.xml
|
||||||
|
.idea/**/dictionaries
|
||||||
|
.idea/**/shelf
|
||||||
|
|
||||||
|
# Generated files
|
||||||
|
.idea/**/contentModel.xml
|
||||||
|
|
||||||
|
# Sensitive or high-churn files
|
||||||
|
.idea/**/dataSources/
|
||||||
|
.idea/**/dataSources.ids
|
||||||
|
.idea/**/dataSources.local.xml
|
||||||
|
.idea/**/sqlDataSources.xml
|
||||||
|
.idea/**/dynamic.xml
|
||||||
|
.idea/**/uiDesigner.xml
|
||||||
|
.idea/**/dbnavigator.xml
|
||||||
|
|
||||||
|
# Gradle
|
||||||
|
.idea/**/gradle.xml
|
||||||
|
.idea/**/libraries
|
||||||
|
|
||||||
|
# Gradle and Maven with auto-import
|
||||||
|
# When using Gradle or Maven with auto-import, you should exclude module files,
|
||||||
|
# since they will be recreated, and may cause churn. Uncomment if using
|
||||||
|
# auto-import.
|
||||||
|
# .idea/artifacts
|
||||||
|
# .idea/compiler.xml
|
||||||
|
# .idea/jarRepositories.xml
|
||||||
|
# .idea/modules.xml
|
||||||
|
# .idea/*.iml
|
||||||
|
# .idea/modules
|
||||||
|
# *.iml
|
||||||
|
# *.ipr
|
||||||
|
|
||||||
|
# CMake
|
||||||
|
cmake-build-*/
|
||||||
|
|
||||||
|
# Mongo Explorer plugin
|
||||||
|
.idea/**/mongoSettings.xml
|
||||||
|
|
||||||
|
# File-based project format
|
||||||
|
*.iws
|
||||||
|
|
||||||
|
# IntelliJ
|
||||||
|
out/
|
||||||
|
|
||||||
|
# mpeltonen/sbt-idea plugin
|
||||||
|
.idea_modules/
|
||||||
|
|
||||||
|
# JIRA plugin
|
||||||
|
atlassian-ide-plugin.xml
|
||||||
|
|
||||||
|
# Cursive Clojure plugin
|
||||||
|
.idea/replstate.xml
|
||||||
|
|
||||||
|
# Crashlytics plugin (for Android Studio and IntelliJ)
|
||||||
|
com_crashlytics_export_strings.xml
|
||||||
|
crashlytics.properties
|
||||||
|
crashlytics-build.properties
|
||||||
|
fabric.properties
|
||||||
|
|
||||||
|
# Editor-based Rest Client
|
||||||
|
.idea/httpRequests
|
||||||
|
|
||||||
|
# Android studio 3.1+ serialized cache file
|
||||||
|
.idea/caches/build_file_checksums.ser
|
||||||
|
58
Dockerfile
58
Dockerfile
@ -1,58 +0,0 @@
|
|||||||
#
|
|
||||||
# nodejs with livereload
|
|
||||||
#
|
|
||||||
|
|
||||||
# allow dynamic build by specifying base image as build arg
|
|
||||||
ARG NODE_TAG="16.4.2-alpine3.14"
|
|
||||||
FROM node:${NODE_TAG}
|
|
||||||
|
|
||||||
# change user id of node user
|
|
||||||
ARG NODE_UID=9999
|
|
||||||
RUN deluser --remove-home node \
|
|
||||||
&& addgroup -g ${NODE_UID} -S node \
|
|
||||||
&& adduser -G node -S -u ${NODE_UID} node
|
|
||||||
|
|
||||||
# add tini, timezone support
|
|
||||||
RUN apk --update --no-cache add tzdata tini
|
|
||||||
|
|
||||||
# labels
|
|
||||||
LABEL org.opencontainers.image.authors="Asif Bacchus <asif@asifbacchus.dev>"
|
|
||||||
LABEL org.opencontainers.image.title="livereload npm"
|
|
||||||
LABEL org.opencontainers.image.description="Dockerized npm livereload running under limited user account. Environment variables allow specifying files to watch/exclude and notification delay."
|
|
||||||
LABEL org.opencontainers.image.url="https://git.asifbacchus.dev/ab-docker/livereload"
|
|
||||||
LABEL org.opencontainers.image.documentation="https://git.asifbacchus.dev/ab-docker/livereload/raw/branch/master/README.md"
|
|
||||||
LABEL org.opencontainers.image.source="https://git.asifbacchus.dev/ab-docker/livereload.git"
|
|
||||||
|
|
||||||
# create default volume in case user forgets to map one
|
|
||||||
VOLUME [ "/var/watch" ]
|
|
||||||
|
|
||||||
# expose port
|
|
||||||
EXPOSE 35729
|
|
||||||
|
|
||||||
# default environment variables
|
|
||||||
ENV TZ=Etc/UTC
|
|
||||||
ENV NODE_ENV=production
|
|
||||||
ENV NPM_CONFIG_PREFIX=/home/node/.npm-global
|
|
||||||
ENV PATH=$PATH:/home/node/.npm-global/bin
|
|
||||||
ENV EXT="html,xml,css,js,jsx,ts,tsx,php,py"
|
|
||||||
ENV EXCLUDE=".git/,.svn/"
|
|
||||||
ENV DELAY=500
|
|
||||||
|
|
||||||
# install livereload for node user
|
|
||||||
USER node
|
|
||||||
WORKDIR /home/node
|
|
||||||
RUN mkdir -p .npm-global/bin .npm-global/lib \
|
|
||||||
&& npm install -g livereload
|
|
||||||
|
|
||||||
# run node via tini by default
|
|
||||||
ENTRYPOINT [ "/sbin/tini", "--" ]
|
|
||||||
CMD livereload /var/watch --debug --exts $EXT --exclusions $EXCLUDE -u true --wait $DELAY
|
|
||||||
|
|
||||||
# set build timestamp and version labels
|
|
||||||
ARG BUILD_DATE
|
|
||||||
LABEL org.opencontainers.image.version="16.4.2"
|
|
||||||
LABEL org.opencontainers.image.vendor="nodeJS"
|
|
||||||
LABEL dev.asifbacchus.image.name="livereload npm"
|
|
||||||
LABEL dev.asifbacchus.image.version="1.2"
|
|
||||||
LABEL org.opencontainers.image.created=${BUILD_DATE}
|
|
||||||
#EOF
|
|
241
README.md
241
README.md
@ -1,20 +1,41 @@
|
|||||||
# livereload (dockerized nodejs)
|
# node-livereload-tls (dockerized Livereload)
|
||||||
|
|
||||||
Containerized implementation of [npm livereload](https://www.npmjs.com/package/livereload) as forked by [Brian Hogan](https://github.com/napcs) ([github repo](https://github.com/napcs/node-livereload)). This container is based on Node running on Alpine and provides for easy version and node user UID/GID changes via build args. Time zone, monitored extensions, excluded files/directories and polling delays can be set via environment variables passed at runtime. The container runs under the non-root user *'node'* over the standard livereload port *35729* for compatibility with browser addons.
|
Containerized implementation of [node-livereload](https://www.npmjs.com/package/livereload) as forked by [Brian Hogan](https://github.com/napcs) ([github repo](https://github.com/napcs/node-livereload)). This container is based on Node running on Alpine and provides for easy version-pinning and node user UID/GID changes via build args. Time zone, monitored extensions, excluded files/directories and polling delays can be set via environment variables passed at runtime. The container runs under the non-root user *'node'* over the standard livereload port *35729* for compatibility with browser addons.
|
||||||
|
|
||||||
**Please note:** This container only generates notifications on port 35729 for livereload clients. It does NOT contain a webserver! Please see [Example run commands](#example-run-commands) and [Docker-Compose](#docker-compose) for how to add this to your webdev-stack.
|
**VERSION 2.x: IMPORTANT CHANGES**
|
||||||
|
|
||||||
|
Starting with the 2.x version line, I’ve added two *very* important features:
|
||||||
|
|
||||||
|
- SSL/TLS support with auto-generated self-signed certificates if you don’t have your own certificates
|
||||||
|
- Healthcheck allowing for proper integration using docker-compose into a webstack
|
||||||
|
|
||||||
|
**Please note:** This container only generates notifications for livereload clients. It does NOT contain a webserver! Please see [Examples](#examples) and [Docker-Compose](#docker-compose) for how to add this to your webdev-stack.
|
||||||
|
|
||||||
## Contents
|
## Contents
|
||||||
|
|
||||||
|
<!-- toc -->
|
||||||
|
|
||||||
- [Private docker repository](#private-docker-repository)
|
- [Private docker repository](#private-docker-repository)
|
||||||
- [Source/Issues](#source-issues)
|
- [Source/Issues](#sourceissues)
|
||||||
- [Environment variables](#environment-variables)
|
- [Environment variables](#environment-variables)
|
||||||
- [Volume mapping](#volume-mapping)
|
- [Volume mapping](#volume-mapping)
|
||||||
- [Example run commands](#example-run-commands)
|
* [Certificate mount (HTTPS only)](#certificate-mount-https-only)
|
||||||
- [Using environment variables](#using-environment-variables)
|
* [Content mount](#content-mount)
|
||||||
|
- [Commands](#commands)
|
||||||
|
- [Examples](#examples)
|
||||||
|
* [Run in HTTP (unsecured) mode](#run-in-http-unsecured-mode)
|
||||||
|
* [Run in HTTPS mode with supplied certificate](#run-in-https-mode-with-supplied-certificate)
|
||||||
|
* [Run in HTTPS mode with generated certificate](#run-in-https-mode-with-generated-certificate)
|
||||||
|
- [Livereload client](#livereload-client)
|
||||||
|
- [Permissions](#permissions)
|
||||||
|
* [Option 1: rebuild with different UID/GID](#option-1-rebuild-with-different-uidgid)
|
||||||
|
* [Option 2: specify runtime GID](#option-2-specify-runtime-gid)
|
||||||
|
* [Using Let’s Encrypt](#using-lets-encrypt)
|
||||||
- [Docker-Compose](#docker-compose)
|
- [Docker-Compose](#docker-compose)
|
||||||
- [Final thoughts](#final-thoughts)
|
- [Final thoughts](#final-thoughts)
|
||||||
|
|
||||||
|
<!-- tocstop -->
|
||||||
|
|
||||||
## Private docker repository
|
## Private docker repository
|
||||||
|
|
||||||
If you prefer, you can also use my private repository to download possibly newer containers. Simply change `asifbacchus/livereload:tag` to `docker.asifbacchus.dev/livereload/livereload:tag`.
|
If you prefer, you can also use my private repository to download possibly newer containers. Simply change `asifbacchus/livereload:tag` to `docker.asifbacchus.dev/livereload/livereload:tag`.
|
||||||
@ -27,70 +48,188 @@ ## Environment variables
|
|||||||
|
|
||||||
All environment variables have sensible defaults and, thus, are *not* required to be set for the container to run successfully.
|
All environment variables have sensible defaults and, thus, are *not* required to be set for the container to run successfully.
|
||||||
|
|
||||||
| variable | description | default |
|
| variable | description | default |
|
||||||
| -------- | ------------------------------------------------------------ | --------------------------------- |
|
| ------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
|
||||||
| TZ | Set the container's time zone. NO impact on runtime, included for convenience. | Etc/UTC |
|
| TZ | Set the container's time zone. NO impact on runtime, included for convenience. | Etc/UTC |
|
||||||
| EXT | Defines monitored extensions. | html,xml,css,js,jsx,ts,tsx,php,py |
|
| LR_PORT | Port over which Livereload will communicate. All clients presently expect port 35729, so I suggest leaving this alone. | 35729 |
|
||||||
| EXCLUDE | Defines *paths* to ignore. | .git/,.svn/ |
|
| LR_EXTS | Defines monitored extensions. | html,xml,css,js,jsx,ts,tsx,php,py |
|
||||||
| DELAY | Time (ms) between polling for changed files. | 500 |
|
| LR_EXCLUDE | Array of JavaScript regular-expressions (Regex) that define paths or files to ignore. These are *appended* to the node-livereload upstream defaults which ignore everything in the `.git/`, `.svn/` and `.hg/` directories.<br />JavaScript regex format is: `/your-regex/`<br />**N.B.** At present, exclusions do not seem to be working properly. I’ve filed an issue upstream and will update the container when it’s resolved. | /\\.vscode//,/\\.idea//,/\\.tmp/,/\\.swp/ |
|
||||||
|
| LR_DELAY | Time (ms) between polling for changed files. | 500 |
|
||||||
|
| LR_DEBUG | Print informational messages to the console. Allows you to see Livereload working. | true |
|
||||||
|
| LR_HTTPS | Use HTTPS and WSS. In other words, use a certificate for SSL/TLS operation. | true |
|
||||||
|
| CERT_HOSTNAME | If the container needs to generate a self-signed certificate, this is the hostname it will use. | Container hostname -- this almost *never* what you really want so don’t use this default. |
|
||||||
|
|
||||||
## Volume mapping
|
## Volume mapping
|
||||||
|
|
||||||
Obviously, this container needs something to monitor to determine whether changes have been made. This is accomplished via bind-mounting a directory from the host and is why 'polling' is necessary. Map a directory with files to be monitored to the container at */var/watch*.
|
The container needs two mounts to function correctly in HTTPS mode and only one in HTTP mode:
|
||||||
|
|
||||||
## Example run commands
|
### Certificate mount (HTTPS only)
|
||||||
|
|
||||||
|
If you do not bind-mount a directory, the container will create a volume for you. Bind-mounting or supplying a manually created volume is a much better option. The container reads certificates from this directory or, alternatively, will generate a certificate and key in this directory. Whatever you are mounting, it must map to */certs* in the container.
|
||||||
|
|
||||||
|
If you are mounting existing certificates:
|
||||||
|
|
||||||
|
- your certificate *must* be named *fullchain.pem* and be readable by the container user (UID=9999, GID=9999 by default)
|
||||||
|
- your private key *must* be named *privkey.pem* and be readable by the container user (UID=9999, GID=9999 by default)
|
||||||
|
|
||||||
|
> Important: The container runs as user *node* with UID and GID *9999* by default. You can change this by rebuilding the container or at runtime by supplying `--user "uid:gid"`. This may be necessary especially if you are bind-mounting since the container needs permissions to read both a supplied certificate *and* key. If it is generating said certificate and key, then obviously it needs *write* permissions to said mounted directory. If you are using a volume, permissions are easier. This is discussed in the [Permissions](#permissions) section.
|
||||||
|
|
||||||
|
### Content mount
|
||||||
|
|
||||||
|
Obviously, this container needs something to monitor to determine whether changes have been made. This is accomplished via bind-mounting a directory from the host and is why 'polling' is necessary. Mount a directory with files to be monitored to */watch* in the container.
|
||||||
|
|
||||||
|
## Commands
|
||||||
|
|
||||||
|
The container’s entrypoint script recognizes a few commands that tell it what you want to do:
|
||||||
|
|
||||||
|
| command | description |
|
||||||
|
| --------- | ------------------------------------------------------------ |
|
||||||
|
| listen | Activate Livereload server using configured parameters.<br />Aliases: run \| server \| start<br />`docker run --rm ... asifbacchus/livereload listen` |
|
||||||
|
| shell | Start container but drop to an Ash shell. Alternatvely, if you supply a command, the container will run that command in the shell, output results and then exit.<br />`docker run -it --rm ... asifbacchus/livereload shell`<br />`docker run --rm ... asifbacchus/livereload shell ls -lAsh /certs` |
|
||||||
|
| new-cert | Generate a new self-signed certificate with CN=CERT_HOSTNAME and matching DNS.1 value. Certificate and private key will be stored in */certs* as *fullchain.pem* and *privkey.pem*, respectively.<br />I strongly suggest running the container with `--user "uid:gid"` where the *gid* corresponds to one matching your webserver user, for example. That way your webserver would have read access to the generated private key. More information in the [Permissions](#permissions) section.<br />For example, running `docker run --rm -u "9999:6001" -v /etc/mycerts:/certs -e CERT_HOSTNAME=sub.domain.tld asifbacchus/livereload new-cert` would generate a new certificate and key pair in the */etc/mycerts/* directory on the host. Importantly, the private key would be readable by GID 6001 which, in this example, might be your webdev programs group including your webserver and you as the web-dev. |
|
||||||
|
| show-cert | Display the currently loaded certificate. This can be either a generated or a supplied certificate. Great way to confirm you mounted the right one!<br />`docker run --rm -v /etc/mycerts:/certs asifbacchus/livereload show-cert` |
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
### Run in HTTP (unsecured) mode
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
docker run -d --name livereload --restart unless-stopped \
|
docker run -d --rm -v /var/www:/watch:ro -e LR_HTTPS=false -p 35729:35729 asifbacchus/livereload listen
|
||||||
-v /home/user/Documents/myWebPage:/var/watch \
|
|
||||||
-p 35729:35729 \
|
|
||||||
asifbacchus/livereload:latest
|
|
||||||
```
|
```
|
||||||
|
|
||||||
The above command will run the container with a name of *livereload*, restarting with your machine unless explicitly stopped, using the default livereload port. It will monitor all files in */home/user/Documents/myWebPage* for changes.
|
- `-d --rm`: run in the background and remove container upon exit
|
||||||
|
- `-v ...`: mount directory to monitor
|
||||||
|
- `-e LR_HTTPS=false`: run in HTTP instead of default HTTPS mode
|
||||||
|
- `-p 35729:35729`: map on all interfaces port 35729 on the host --> port 35729 in container
|
||||||
|
- `listen`: start the Livereload server
|
||||||
|
|
||||||
### Using environment variables
|
### Run in HTTPS mode with supplied certificate
|
||||||
|
|
||||||
Say you want to only monitor html and css files and you want to ignore anything going on in your 'oldversion' folder. You can set environment variables as follows:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
docker run -d --name livereload --restart unless-stopped \
|
docker run -d --rm -v /etc/mycerts:/certs:ro -v /var/www:/watch:ro -p 35729:35729 asifbacchus/livereload listen
|
||||||
-v /home/user/Documents/myWebPage:/var/watch \
|
|
||||||
-p 35729:35729 \
|
|
||||||
-e EXT="html,css" \
|
|
||||||
-e EXCLUDE="oldversion/"
|
|
||||||
asifbacchus/livereload:latest
|
|
||||||
```
|
```
|
||||||
|
|
||||||
If you wanted a longer polling period, run as follows:
|
- all options same as above except we’ve included a bind-mount for the certificates
|
||||||
|
- HTTPS is the default operating mode, so it is *not necessary* to supply `LR_HTTPS=true`
|
||||||
|
|
||||||
|
### Run in HTTPS mode with generated certificate
|
||||||
|
|
||||||
|
You have two options for running with a self-signed generated certificate. If the container starts up in HTTPS mode and does not find an existing certificate, it will just make one for you. Alternatively, you can generate a certificate first and then run the container manually after -- there are use-cases for both options. Let’s start with the second option first:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
docker run -d --name livereload --restart unless-stopped \
|
# create volume
|
||||||
-v /home/user/Documents/myWebPage:/var/watch \
|
docker volume create livereload-certs
|
||||||
-p 35729:35729 \
|
|
||||||
-e DELAY=3000 \
|
# generate a certificate readable by GID=6001 in new volume and exit
|
||||||
asifbacchus/livereload:latest
|
docker run --rm --user "9999:6001" -v livereload-certs:/certs -e CERT_HOSTNAME=webdev.mydomain.tld asifbacchus/livereload new-cert
|
||||||
|
|
||||||
|
# run container using our new certificate
|
||||||
|
docker run -d --rm -v livereload-certs:/certs:ro -v /home/janedoe/myWebProject:/watch:ro -p 35729:35729 asifbacchus/livereload listen
|
||||||
|
```
|
||||||
|
|
||||||
|
Or, do it all in one-shot:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# write new certificate readable by GID=5100 to a bind-mounted directory and run container in one-step
|
||||||
|
docker run -d --rm --user "9999:5100" -v /etc/mycerts:/certs -v /home/janedoe/myWebProject:/watch:ro -e CERT_HOSTNAME=webdev.myserver.tld -p 35729:35729 asifbacchus/livereload listen
|
||||||
|
```
|
||||||
|
|
||||||
|
## Livereload client
|
||||||
|
|
||||||
|
There aren’t a lot of currently updated Livereload clients and/or browser addons out there, but the ones that do exist seem to only work over HTTP. In fact, that was the impetus behind creating this container. I develop on both *.dev* and *.app* domains -- both of which *require* HTTPS. As a result, I couldn’t use any existing clients nor could I use the preconfigured node-livereload distribution via the command-line as version 1.x of this container did.
|
||||||
|
|
||||||
|
If you are running in an HTTP-permissive environment then lucky you! You can run this container in HTTP mode (`LR_HTTPS=false`) and use any of the clients and addons out there. If you want to use a snippet in your code instead of a client, simply insert this in the `<head>` of your page while using Livereload during dev:
|
||||||
|
|
||||||
|
```html
|
||||||
|
<script>
|
||||||
|
document.write('<script src="http://' + (location.host || 'localhost').split(':')[0] +
|
||||||
|
':35729/livereload.js?snipver=1"></' + 'script>')
|
||||||
|
</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
If, however, you are like me and want/need to use HTTPS then things are a little different. As I said, I can’t find a single client or addon that works over HTTPS. Therefore, you *must* use a snippet in your webpage. It’s the exact same as above, just use HTTPS instead -- again inserting in the `<head>` of your page:
|
||||||
|
|
||||||
|
```html
|
||||||
|
<script>
|
||||||
|
document.write('<script src="https://' + (location.host || 'localhost').split(':')[0] +
|
||||||
|
':35729/livereload.js?snipver=1"></' + 'script>')
|
||||||
|
</script>
|
||||||
|
```
|
||||||
|
|
||||||
|
That’s it. The advantage of using the snippet is that you don’t need any clients or addons or any other garbage. Things just work so long as this is in your code. When you’re done developing and ready to go to production, just remove the snippet and Livereload is disabled like it never existed.
|
||||||
|
|
||||||
|
## Permissions
|
||||||
|
|
||||||
|
The container is run as a limited user, *node*, with UID=9999 and GID=9999 by default. While this is much more secure than running as root, it does cause some complications especially with certificates. If you are supplying a certificate then the container user must be able to read both the certificate and the private key. If you are generating a certificate-key pair, then the container needs to be able to write them somewhere *and* they have to be generated with permissions making them usable to other services such as a web server. By default the container generates *fullchain.pem* with *644* permissions and *privkey.pem* with ***640*** permissions.
|
||||||
|
|
||||||
|
> Private keys are usually generated with *600* permissions. However, this is useless in our case since this container is not a web server and, thus, this key must be shared with at least one other service (i.e. the web server). That is why it is GROUP readable via the 6**4**0 permissions. As long as your other services are in the same group, they can use this generated certificate.
|
||||||
|
|
||||||
|
Here’s the catch: By default, the node user’s GID is the same as their UID so the certificate is still only readable by the node user itself. There are two ways around this:
|
||||||
|
|
||||||
|
### Option 1: rebuild with different UID/GID
|
||||||
|
|
||||||
|
If you already have an infrastructure set up and need to plug this in, it might just be easier to alter the container user’s IDs so everything works in your environment. Clone the [git repo](https://git.asifbacchus.dev/ab-docker/livereload) and build as follows:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# clone repo
|
||||||
|
cd /usr/local/src
|
||||||
|
git clone https://git.asifbacchus.dev/ab-docker/livereload
|
||||||
|
|
||||||
|
# change directory and build
|
||||||
|
cd livereload/build
|
||||||
|
docker build --build-arg NODE_UID=1101 --build-arg NODE_GID=6001 --build-arg BUILD_DATE=$(date +%F_%T) -t livereload:latest .
|
||||||
|
```
|
||||||
|
|
||||||
|
- `NODE_UID`: optional -- desired UID for node user, in most cases the default is fine
|
||||||
|
- `NODE_GID`: desired GID for node user --> this is probably what you really want to change
|
||||||
|
- `BUILD_DATE`: optional -- applies container build date in a standardized label
|
||||||
|
- `livereload:latest`: you can of course choose any imageName:tag that suits you
|
||||||
|
|
||||||
|
Now a generated certificate-key pair will be owned by your defined UID and will be readable by any other user sharing the defined GID.
|
||||||
|
|
||||||
|
### Option 2: specify runtime GID
|
||||||
|
|
||||||
|
Maybe easier and more customizable, you can simply specify a GID to use at runtime so that things work in your environment. For example, let’s say your web server has a *www-data* group with GID 6001 which already has access to your web files. Now you want to secure everything with a certificate and add Livereload. Ok, let’s just run it with the right IDs:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# make a certificates directory with secure permissions
|
||||||
|
sudo mkdir /devCerts && chown root:www-data /devCerts && chmod 770 /devCerts
|
||||||
|
sudo ls -ldsh /devCerts
|
||||||
|
4.0K drwxrwx--- 2 root www-data 4.0K Jul 24 16:44 /devCerts
|
||||||
|
|
||||||
|
# create certificate with hostname myserver.tld
|
||||||
|
docker run --rm --user "9999:6001" -v /devCerts:/certs -e CERT_HOSTNAME=myserver.tld asifbacchus/livereload new-cert
|
||||||
|
|
||||||
|
# check our work -- looks good!
|
||||||
|
sudo ls -lAsh /devCerts
|
||||||
|
total 16K
|
||||||
|
4.0K -rw-r--r-- 1 9999 www-data 1.8K Jul 24 16:46 chain.pem
|
||||||
|
4.0K -rw-r--r-- 1 9999 www-data 1.5K Jul 24 16:46 dhparam.pem
|
||||||
|
4.0K -rw-r--r-- 1 9999 www-data 1.8K Jul 24 16:46 fullchain.pem
|
||||||
|
4.0K -rw-r----- 1 9999 www-data 3.2K Jul 24 16:46 privkey.pem
|
||||||
|
|
||||||
|
# run server
|
||||||
|
docker run -d --rm -v /devCerts:/certs:ro -v /usr/share/nginx/html:/watch -p 35729:35729 asifbacchus/livereload listen
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using Let’s Encrypt
|
||||||
|
|
||||||
|
I won’t get too much into details here, but while Let’s Encrypt is awesome it does present a little extra work when dealing with containers. Basically, you have to remember that the *live* directory contains symlinks to the latest version of your certificate. However, if you try to mount a symlink to your container you’ll quickly find out that doesn’t work since the *target* of the link does not exist in the container also.
|
||||||
|
|
||||||
|
The most robust solution is setting up a post-renew script for your Let’s Encrypt management solution that copies these certificates to a location your container can access and use the above information to use that certificate.
|
||||||
|
|
||||||
|
Alternatively, you can alter the *group* permissions on the */etc/letsencrypt/live* and */etc/letsencrypt/archive* directories. Then change the *group* permissions on */etc/letsencrypt/archive/certname/privkey1.pem* to allow reading it. This example is for Certbot, but most LE managers should work similarly. Assuming your LE client maintains permissions (like Certbot), the GID in question can read what is needed.
|
||||||
|
|
||||||
|
A final note: You **cannot** bind-mount `/etc/letsencrypt/live/certname:/certs`. It’s the same reason as above, it will bind symlinks that are not valid within the container. You need to bind-mount each individual link so it is resolved by Docker when running the container:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
docker run --rm ... -v /etc/letsencrypt/live/certname/fullchain.pem:/certs/fullchain.pem:ro -v /etc/letsencrypt/certname/privkey.pem:/certs/privkey.pem:ro ...
|
||||||
```
|
```
|
||||||
|
|
||||||
## Docker-Compose
|
## Docker-Compose
|
||||||
|
|
||||||
It is very likely this would be integrated via docker-compose with an existing webserver container (like Nginx or Apache). Add this to your docker-compose.yml:
|
Containers, like people, often get lonely and enjoy working with others. In the case of this container, it is quite useless if not paired with at least a web server. I’ve included the core of the actual set up I use for web development -- a customized NGINX container and this Livereload container all secured with a certificate so everything even in testing is working over TLS like in real life. Take a look at the *docker-compose.yml* for more details. If you’re using Let’s Encrypt certificates, read the section above and remember to mount the files individually. If you are interested in my AB-NGINX container which has several useful additions to the official container including a healthcheck, then [check out the repo](https://git.asifbacchus.dev/ab-docker/ab-nginx).
|
||||||
|
|
||||||
```yaml
|
|
||||||
livereload:
|
|
||||||
image: asifbacchus/livereload:latest
|
|
||||||
container_name: livereload
|
|
||||||
restart: unless-stopped
|
|
||||||
volumes:
|
|
||||||
- /local/directory/to/watch:/var/watch
|
|
||||||
ports:
|
|
||||||
- 35729:35729
|
|
||||||
environment:
|
|
||||||
- TZ=Region/Locality
|
|
||||||
```
|
|
||||||
|
|
||||||
Obviously, you should change `/local/directory/to/watch` and `TZ=Region/Locality` as needed. Also, please remember to verify the scope of port mapping as appropriate to your environment! You may *not* need to bind to all addresses as I have in this example.
|
|
||||||
|
|
||||||
## Final thoughts
|
## Final thoughts
|
||||||
|
|
||||||
That's it. Hopefully this is useful for you and makes it easier to run a live-reload server without having to install node on your machine. As always, let me know if you have any issues/suggestions by filing an issue on either git repo.
|
That's it. Hopefully this is useful for you and makes it easier to run a live-reload server without having to install node on your machine. As always, let me know if you have any issues/suggestions or if something isn’t well documented by filing an issue on either git repo.
|
||||||
|
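--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -0,0 +1,88 @@
+# node-livereload server supporting SSL/TLS
+
+# allow dynamic building by specifying base image elements as build-args
+ARG NODE_VERSION=16
+ARG ALPINE_VERSION=3.14
+FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION}
+
+# create new node user with set UID and GID from build-args and create volume directories
+ARG NODE_UID=9999
+ARG NODE_GID=9999
+RUN deluser --remove-home node \
+&& addgroup -g ${NODE_GID} -S node \
+&& adduser -G node -S -u ${NODE_UID} node \
+&& mkdir /watch /certs \
+&& chown root:node /certs \
+&& chmod 770 /certs
+
+# create default volumes in-case user forgets, expose default port
+VOLUME [ "/watch", "/certs" ]
+EXPOSE 35729
+
+# add tini, timezone support and create certificate directories
+RUN apk --update --no-cache add \
+tini \
+tzdata \
+openssl
+
+# labels
+LABEL org.opencontainers.image.authors="Asif Bacchus <asif@asifbacchus.dev>"
+LABEL org.opencontainers.image.title="node-livereload-tls"
+LABEL org.opencontainers.image.description="Dockerized node-livereload supporting TLS and running under limited user account. Environment variables allow specifying files to watch/exclude and notification delay."
+LABEL org.opencontainers.image.url="https://git.asifbacchus.dev/ab-docker/livereload"
+LABEL org.opencontainers.image.documentation="https://git.asifbacchus.dev/ab-docker/livereload/raw/branch/master/README.md"
+LABEL org.opencontainers.image.source="https://git.asifbacchus.dev/ab-docker/livereload.git"
+
+# default environment variables
+ENV NODE_ENV=production
+ENV NPM_CONFIG_PREFIX=/home/node/.npm-global
+ENV PATH=/home/node/.npm-global/bin:$PATH
+ENV TZ="Etc/UTC"
+ENV LR_PORT=35729
+ENV LR_EXTS="html,xml,css,js,jsx,ts,tsx,php,py"
+ENV LR_EXCLUDE=".git/,.svn/,.vscode/,.idea/"
+ENV LR_DELAY=500
+ENV LR_DEBUG=true
+ENV LR_HTTPS=true
+ENV CERT_HOSTNAME=""
+
+# install node-livereload and express as node user then switch back to root user
+USER node
+WORKDIR /home/node
+RUN mkdir -p .npm-global/bin .npm-global/lib \
+&& npm config set fund false \
+&& npm config set update-notifier false \
+&& npm install livereload express --save
+
+# copy scripts and fix-up all permissions
+USER root
+COPY [ "selfsigned.cnf", "/etc/selfsigned.cnf" ]
+COPY [ "livereload.js", "/home/node/livereload.js" ]
+COPY [ "entrypoint.sh", "/usr/local/bin/entrypoint.sh" ]
+RUN chown node:node /home/node/livereload.js \
+&& chmod 644 /home/node/livereload.js \
+&& chmod 755 /usr/local/bin/entrypoint.sh \
+&& chmod 644 /etc/selfsigned.cnf
+
+HEALTHCHECK \
+--interval=10s \
+--timeout=5s \
+--start-period=60s \
+--retries=3 \
+CMD wget --spider -T 3 -q localhost:3000/api/v1/health || exit 1
+
+# switch to node user, run entrypoint script by default
+USER node
+WORKDIR /home/node
+ENTRYPOINT [ "/sbin/tini", "--", "/usr/local/bin/entrypoint.sh" ]
+
+# set build timestamp and version labels
+ARG INTERNAL_VERSION
+ARG BUILD_DATE
+LABEL org.opencontainers.image.version="16.5.0, 0.9.3"
+LABEL org.opencontainers.image.vendor="NODE.js, node-livereload"
+LABEL dev.asifbacchus.image.name="node-livereload-tls"
+LABEL dev.asifbacchus.image.version=${INTERNAL_VERSION}
+LABEL org.opencontainers.image.created=${BUILD_DATE}
+
+#EOF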
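Review bot: `npm install livereload express --save` pins neither package versions nor a lockfile, so every image rebuild resolves whatever the registry currently serves and the result is neither reproducible nor auditable for supply-chain review; the `FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION}` tag has the same property and can be pinned by digest. Commit a `package.json` and `package-lock.json`, `COPY` them in before the install step and run `npm ci`, or at minimum use `npm install --save-exact livereload@<version> express@<version>`. The fixed label `org.opencontainers.image.version="16.5.0, 0.9.3"` presumably records the Node and node-livereload versions the image is meant to ship, but nothing in the build enforces either, so the label can drift from what is actually installed.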
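--- a/build/entrypoint.sh
+++ b/build/entrypoint.sh
@@ -0,0 +1,177 @@
+#!/bin/sh
+
+#
+# entrypoint script for node-livereload-tls container
+#
+
+# functions
+certificateCheckExist() {
+if [ -n "$(find /certs/ -type d -empty -print)" ]; then
+printf "noexist"
+elif ! [ -r "/certs/fullchain.pem" ]; then
+printf "noread_certificate"
+elif ! [ -r "/certs/privkey.pem" ]; then
+printf "noread_key"
+else
+printf "ok"
+fi
+}
+
+certificateGenerateNew() {
+# generate self-signed certificate and export as PFX
+printf "\nGenerating new self-signed certificate:\n"
+# shellcheck disable=SC3028
+if [ -z "$CERT_HOSTNAME" ]; then export CERT_HOSTNAME="$HOSTNAME"; fi
+# create placeholder files to set permissions
+touch /certs/fullchain.pem && chmod 644 /certs/fullchain.pem
+touch /certs/privkey.pem && chmod 640 /certs/privkey.pem
+# generate certificate
+if ! openssl req -new -x509 -days 365 -nodes -out /certs/fullchain.pem -keyout /certs/privkey.pem -config /etc/selfsigned.cnf; then
+printf "\nUnable to generate certificate. Is your 'certs' directory writable by this container?\n\n"
+exit 55
+fi
+cp /certs/fullchain.pem /certs/chain.pem
+# generate dh-params for TLS1.2
+if ! openssl dhparam -dsaparam -out /certs/dhparam.pem 4096; then
+printf "\nUnable to generate dh-params. Is you 'certs' directory writable by this container?\n\n"
+exit 56
+fi
+
+# print message to user
+printf "\n\nA self-signed certificate has been generated and saved in the location mounted to '/certs' in this container.\n"
+printf "The certificate and private key are PEM formatted with names 'fullchain.pem' and 'privkey.pem', respectively.\n"
+printf "Remember to import 'fullchain.pem' to the trusted store on any client machines or you will get warnings.\n\n"
+}
+
+certificateShow() {
+printf "\nCurrently loaded certificate:\n"
+certStatus="$(certificateCheckExist)"
+case "$certStatus" in
+noexist)
+printf "[ERROR]: No certificate is loaded (certificate directory empty).\n\n"
+exit 51
+;;
+noread_certificate)
+printf "[ERROR]: Cannot read loaded certificate.\n\n"
+exit 52
+;;
+noread_key)
+printf "\n[WARNING]: Cannot find private key associated with certificate!\n\n"
+;;
+esac
+if ! openssl x509 -noout -text -nameopt align,multiline -certopt no_pubkey,no_sigdump -in /certs/fullchain.pem; then
+printf "\n[ERROR]: Unable to display loaded certificate.\n\n"
+exit 52
+fi
+}
+
+convertCaseLower() {
+printf "%s" "$1" | tr "[:upper:]" "[:lower:]"
+}
+
+# default variable values
+doCertNew=0
+doCertShow=0
+doServer=0
+doShell=0
+
+# clean-up boolean environment variables for this script and JavaScript
+enableHTTPS="$(convertCaseLower "$LR_HTTPS")"
+enableDebug="$(convertCaseLower "$LR_DEBUG")"
+export LR_HTTPS="$enableHTTPS"
+export LR_DEBUG="$enableDebug"
+
+# process action parameter
+case "$1" in
+listen | server | run | start)
+doServer=1
+;;
+shell)
+doShell=1
+;;
+new-cert)
+doCertNew=1
+;;
+show-cert)
+doCertShow=1
+;;
+*)
+# invalid or unknown option
+printf "\nUnknown action requested: %s\n" "$1"
+printf "Valid actions: [listen | server | run | start] | shell | new-cert | show-cert\n\n"
+exit 1
+;;
+esac
+
+# action: run server
+if [ "$doServer" -eq 1 ]; then
+printf "Starting node-livereload-tls server:\n"
+
+# https pre-flight check
+if [ "$enableHTTPS" = "true" ]; then
+certStatus="$(certificateCheckExist)"
+case "$certStatus" in
+noexist)
+printf "[Generating certificate]\n"
+certificateGenerateNew
+;;
+noread_certificate)
+printf "[Checking mounted certificate]"
+printf "\nERROR: SSL/TLS mode selected but unable to read certificate!\n\n"
+exit 52
+;;
+noread_key)
+printf "[Checking mounted certificate]"
+printf "\nERROR: SSL/TLS mode selected but unable to read private key!\n\n"
+exit 53
+;;
+ok)
+printf "[Certificate OK]\n"
+;;
+esac
+fi
+exec node livereload.js
+exit "$?"
+fi
+
+# action: drop to shell
+if [ "$doShell" -eq 1 ]; then
+if [ -z "$2" ]; then
+printf "\nExecuting interactive shell:\n"
+exec /bin/sh
+else
+shift
+printf "\nExecuting shell: '%s'\n" "$*"
+exec /bin/sh -c "$*"
+fi
+exit "$?"
+fi
+
+# action: generate new self-signed certificate
+if [ "$doCertNew" -eq 1 ]; then
+certificateGenerateNew
+exit 0
+fi
+
+# action: show loaded certificate
+if [ "$doCertShow" -eq 1 ]; then
+certificateShow
+exit 0
+fi
+
+# failsafe exit - terminate with code 99: this code should never be executed!
+exit 99
+
+# exit codes:
+# 0: normal exit, no errors
+# 1: invalid or invalid parameter passed to script
+# 2: interactive shell required
+# 50: certificate errors
+# 51: certificate directory empty
+# 52: unable to read certificate/chain
+# 53: unable to read private key
+# 55: unable to generate new certificate
+# 56: unable to generate dh-params
+# 99: code error
+
+#EOF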
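Review bot: `certificateGenerateNew` writes `/certs/fullchain.pem` and `/certs/privkey.pem` unconditionally and the `new-cert` action calls it with no existence check, so `docker run ... new-cert` against a `/certs` mount that already holds a real certificate (for example the Let's Encrypt copy the README recommends) silently overwrites the key pair; only the `listen` path is protected, because it generates solely when the directory is empty. Guard the action with `if [ -e /certs/privkey.pem ] || [ -e /certs/fullchain.pem ]; then printf "\nRefusing to overwrite existing certificate in /certs.\n\n"; exit 57; fi` before the call and add the new code to the exit-code list at the end of the script. Separately, `touch /certs/privkey.pem && chmod 640 /certs/privkey.pem` creates the key file with umask-default permissions for an instant before tightening them; setting `umask 027` at the top of the function removes that window. The `openssl dhparam -dsaparam` output is documented by OpenSSL as not being safe primes and as suitable only where the consuming server uses single-use DH keys, which deserves a comment since the file is handed to a separate nginx container.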
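--- a/build/livereload.js
+++ b/build/livereload.js
@@ -0,0 +1,61 @@
+// implement node-livereload over an HTTPS connection
+
+// healthcheck function
+function healthcheck() {
+const express = require('express');
+const http = require('http');
+
+const app = express();
+const router = express.Router();
+
+router.use((req, res, next) =>{
+res.header('Access-Control-Allow-Methods', 'GET');
+next();
+});
+
+router.get('/health', (req, res) =>{
+res.status(200).send('Ok');
+});
+
+app.use('/api/v1', router);
+
+const hServer = http.createServer(app);
+hServer.listen(3000);
+}
+
+// load livereload module
+const livereload = require('livereload');
+
+// set createServer options
+const fs = require('fs');
+const options = {
+port: process.env.LR_PORT,
+exts: process.env.LR_EXTS,
+exclusions: process.env.LR_EXCLUDE,
+usePolling: true,
+delay: process.env.LR_DELAY,
+};
+
+// set debugging output as per LR_DEBUG
+if (process.env.LR_DEBUG === "true") {
+options.debug = true
+console.log("[Debug output ENABLED]");
+}
+
+// set HTTPS as per LR_HTTPS
+if (process.env.LR_HTTPS === "true") {
+options.https = {
+cert: fs.readFileSync('/certs/fullchain.pem'),
+key: fs.readFileSync('/certs/privkey.pem')
+};
+console.log("[HTTPS mode]");
+}
+else {
+console.log("[HTTP mode]");
+}
+
+// start server
+const lrServer = livereload.createServer(options, healthcheck);
+lrServer.watch('/watch')
+
+//#EOF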
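Review bot: The health-check listener at `hServer.listen(3000);` binds to every interface in the container even though its only consumer is the Dockerfile `HEALTHCHECK`, which probes `localhost:3000`; change it to `hServer.listen(3000, '127.0.0.1');` so this plain-HTTP endpoint is not reachable from the compose network, or from the host if the container is ever run with `--network host`. The `Access-Control-Allow-Methods` header set in `router.use` does nothing without a matching `Access-Control-Allow-Origin`, so it should be dropped or documented as intentional. `exts` and `exclusions` are passed through as the raw comma-separated strings from `LR_EXTS`/`LR_EXCLUDE`, whereas node-livereload documents those options as arrays; unless the library is known to accept strings, `process.env.LR_EXTS.split(',')` (and the same for `LR_EXCLUDE`) matches its API, and `port`/`delay` are likewise strings rather than numbers.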
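--- a/build/selfsigned.cnf
+++ b/build/selfsigned.cnf
@@ -0,0 +1,16 @@
+default_bits = 4096
+default_md = sha256
+distinguished_name = dn
+req_extensions = san
+x509_extensions = san
+prompt = no
+
+[dn]
+organizationName = LiveReload WebServer
+CN = ${ENV::CERT_HOSTNAME}
+
+[san]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ${ENV::CERT_HOSTNAME}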
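Review bot: The `[san]` section emits only `subjectAltName`, so the generated certificate carries no `keyUsage` or `extendedKeyUsage`; per Apple's published requirements for certificates issued after mid-2019, TLS server certificates without `extendedKeyUsage = serverAuth` are rejected on macOS and iOS even after the README's step of importing `fullchain.pem` into the trust store. Add `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` under `[san]`. Note also that `DNS.1 = ${ENV::CERT_HOSTNAME}` only matches a hostname: if `CERT_HOSTNAME` is set to an IP address the SAN needs an `IP.1` entry instead, and the entrypoint's fallback to `$HOSTNAME` yields the container ID, which is unlikely to be the name clients actually connect to.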
54
docker-compose.yml
Normal file
54
docker-compose.yml
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
#
|
||||||
|
# node-livereload-tls stack
|
||||||
|
#
|
||||||
|
|
||||||
|
version: '2.4'
|
||||||
|
|
||||||
|
services:
|
||||||
|
livereload:
|
||||||
|
image: docker.asifbacchus.dev/livereload/livereload:latest
|
||||||
|
container_name: livereload
|
||||||
|
volumes:
|
||||||
|
- ./certs:certs
|
||||||
|
- ${WATCHDIR}:/watch:ro
|
||||||
|
networks:
|
||||||
|
- network
|
||||||
|
ports:
|
||||||
|
- "${LR_PORT:-35729}:${LR_PORT:-35729}"
|
||||||
|
environment:
|
||||||
|
- TZ=${TZ}
|
||||||
|
- LR_PORT=${LR_PORT}
|
||||||
|
- LR_EXTS=${LR_EXTS}
|
||||||
|
- LR_EXCLUDE=${LR_EXCLUDE}
|
||||||
|
- LR_DELAY=${LR_DELAY}
|
||||||
|
- LR_DEBUG=${LR_DEBUG}
|
||||||
|
- LR_HTTPS=${LR_HTTPS}
|
||||||
|
- CERT_HOSTNAME=${CERT_HOSTNAME}
|
||||||
|
user: "9999:${GID:-9999}"
|
||||||
|
command: listen
|
||||||
|
ab-nginx:
|
||||||
|
image: docker.asifbacchus.dev/nginx/ab-nginx:latest
|
||||||
|
container_name: ab-nginx
|
||||||
|
depends_on:
|
||||||
|
livereload:
|
||||||
|
condition: service_healthy
|
||||||
|
volumes:
|
||||||
|
- ./certs/certs:ro
|
||||||
|
- ${WATCHDIR}:/usr/share/nginx/html:ro
|
||||||
|
- ./nginx/config:/etc/nginx/config:ro
|
||||||
|
networks:
|
||||||
|
- network
|
||||||
|
ports:
|
||||||
|
- "${NGINX_HTTP:-80}:80"
|
||||||
|
- "${NGINX_HTTPS:-443}:443"
|
||||||
|
environment:
|
||||||
|
- TZ=${TZ}
|
||||||
|
- SERVER_NAMES=${SERVER_NAMES}
|
||||||
|
- TLS13_ONLY=${TLS13_ONLY}
|
||||||
|
user: "8080:${GID:-8080}"
|
||||||
|
|
||||||
|
networks:
|
||||||
|
network:
|
||||||
|
external: false
|
||||||
|
|
||||||
|
#EOF
|
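Review bot: `- LR_HTTPS=${LR_HTTPS}` (like the other `${VAR}` entries under `environment`) expands to an empty string when the variable is not set in `.env`, and an explicitly empty value overrides the image's `ENV LR_HTTPS=true`, so the entrypoint's `"$enableHTTPS" = "true"` check fails and the stack silently starts in plain-HTTP mode. Give these entries the same fallback syntax the `ports` line already uses, e.g. `- LR_HTTPS=${LR_HTTPS:-true}`, or drop the keys so the image defaults apply. Both certificate mounts are also malformed: `./certs:certs` has a relative container path and `./certs/certs:ro` has no host/container separator, so neither service actually gets `/certs`; they should read `./certs:/certs` and `./certs:/certs:ro`.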