Merge branch 'next' of https://github.com/Geode-solutions/OpenGeodeWeb-Router

Author: BotellaA

.github/workflows/CD.yml

@@ -2,14 +2,10 @@ name: Docker Image CD
 
 on:
   push:
-    branches: [ master, next ] 
 
 jobs:
   docker-build-squash-push:
     uses: Geode-solutions/actions/.github/workflows/docker-build-squash-push.yml@master
     with:
-      image_name: 'opengeodeweb-router'
       tag: ${{ github.ref_name }}
-    secrets: 
-      TOKEN: ${{secrets.GITHUB_TOKEN}}
-
+    secrets: inherit

Dockerfile

@@ -1,9 +1,14 @@
 FROM nginx:alpine
+
+RUN apk add python3 py3-pip supervisor
+RUN pip3 install --break-system-packages google-cloud-run
+
 COPY nginx.conf /etc/nginx/nginx.conf
 
-RUN \
-    apk add openssl && \
-    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/nginx.key -out /etc/nginx/nginx.crt -subj "/C=FR/ST=France/L=Pau/O=Geode-solutions"
+COPY supervisord.conf /etc/supervisord.conf
+RUN mkdir -p /var/log/supervisor
 
+COPY cleanup_watcher.py /usr/local/bin/cleanup_watcher.py
+RUN chmod +x /usr/local/bin/cleanup_watcher.py
 
-EXPOSE 443
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

cleanup_watcher.py

@@ -0,0 +1,31 @@
+import os
+import time
+import requests
+from google.cloud import run_v2
+
+
+PARENT = os.getenv("PARENT")
+SERVICE_NAME = os.getenv("K_SERVICE")
+
+
+def delete_service():
+    print("Deleting service")
+    client = run_v2.ServicesClient()
+    name = f"{PARENT}/services/{SERVICE_NAME}"
+    try:
+        print(f"Flask appears down → Deleting service {name}")
+        client.delete_service(name=name)
+    except Exception as e:
+        print(f"Delete failed: {e}")
+
+
+while True:
+    time.sleep(30)
+    try:
+        response = requests.get("http://127.0.0.1/geode/health", timeout=5)
+        print("response", response, flush=True)
+        if response.status_code != 200:
+            raise Exception("Bad status")
+    except Exception:
+        delete_service()
+        break

nginx.conf

@@ -3,26 +3,47 @@ events {
 }
 
 http {
-  # Nginx will handle gzip compression of responses from the app server
+  # Map only allows your geode-solutions.com domains (including next.vease.geode-solutions.com)
+  map $http_origin $allow_origin {
+    ~^https://(.*\.)?geode-solutions\.com$  $http_origin;
+    default "";
+  }
+
   gzip on;
   gzip_proxied any;
   gzip_types text/plain application/json;
   gzip_min_length 1000;
 
   server {
-    listen 443 ssl;
+    listen 80;
     server_name localhost;
-
-    ssl_certificate nginx.crt;
-    ssl_certificate_key nginx.key;
-
     client_max_body_size 0;
 
-    location ~ "^/[a-z0-9]{32}/geode/" {
-      if ($request_method !~ ^(DELETE|GET|POST|PUT|OPTIONS)$) {
-        return 405;
+    # ====================== /geode/ location ======================
+    location ~ "^/geode/" {
+      # Preflight OPTIONS - handled by nginx (fast, no hit to Flask)
+      if ($request_method = 'OPTIONS') {
+        add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+        add_header 'Access-Control-Allow-Credentials' 'true' always;
+        add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
+        add_header 'Access-Control-Max-Age'           1728000 always;   # 20 days
+        add_header 'Content-Type'                     'text/plain; charset=utf-8';
+        add_header 'Content-Length'                   0;
+        return 204;
       }
-      rewrite "^/[a-z0-9]{32}/geode/(.*)" /$1 break;
+
+      # Normal requests
+      limit_except DELETE GET POST PUT OPTIONS { deny all; }
+
+      add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+      add_header 'Access-Control-Allow-Credentials' 'true' always;
+      add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+      add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
+      add_header 'Access-Control-Expose-Headers'    'Content-Length,Content-Range' always;
+      add_header 'Vary'                             'Origin' always;
+
+      rewrite "^/geode/(.*)" /$1 break;
       proxy_pass http://localhost:5000;
       proxy_http_version 1.1;
       proxy_set_header Host $host;
@@ -31,20 +52,56 @@ http {
       proxy_set_header X-Forwarded-Proto $scheme;
     }
 
-    location ~ "^/[a-z0-9]{32}/viewer/" {
-      if ($request_method !~ ^(GET|POST|OPTIONS)$) {
-        return 405;
+    # ====================== /viewer/ location ======================
+    location ~ "^/viewer/" {
+      if ($request_method = 'OPTIONS') {
+        add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+        add_header 'Access-Control-Allow-Credentials' 'true' always;
+        add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
+        add_header 'Access-Control-Max-Age'           1728000 always;
+        add_header 'Content-Type'                     'text/plain; charset=utf-8';
+        add_header 'Content-Length'                   0;
+        return 204;
       }
-      rewrite "^/[a-z0-9]{32}/viewer/(.*)" /$1 break;
+
+      limit_except GET POST OPTIONS { deny all; }
+
+      add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+      add_header 'Access-Control-Allow-Credentials' 'true' always;
+      add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+      add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
+      add_header 'Access-Control-Expose-Headers'    'Content-Length,Content-Range' always;
+      add_header 'Vary'                             'Origin' always;
+
+      rewrite "^/viewer/(.*)" /$1 break;
       proxy_pass http://localhost:1234;
       proxy_http_version 1.1;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto $scheme;
-
       proxy_set_header Connection "keep-alive, Upgrade";
       proxy_set_header Upgrade websocket;
     }
+
+    # Catch-all for anything else (optional, returns proper CORS even on 404)
+    location / {
+      if ($request_method = 'OPTIONS') {
+        add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+        add_header 'Access-Control-Allow-Credentials' 'true' always;
+        add_header 'Access-Control-Allow-Methods'     'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
+        add_header 'Access-Control-Allow-Headers'     'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization,X-CSRF-Token' always;
+        add_header 'Access-Control-Max-Age'           1728000 always;
+        add_header 'Content-Type'                     'text/plain; charset=utf-8';
+        add_header 'Content-Length'                   0;
+        return 204;
+      }
+
+      add_header 'Access-Control-Allow-Origin'      $allow_origin always;
+      add_header 'Access-Control-Allow-Credentials' 'true' always;
+      add_header 'Vary'                             'Origin' always;
+      return 404;
+    }
   }
-}
+}

supervisord.conf

@@ -0,0 +1,23 @@
+[supervisord]
+nodaemon=true
+logfile=/dev/stdout
+logfile_maxbytes=0
+pidfile=/var/run/supervisord.pid
+
+[program:nginx]
+command=nginx -g 'daemon off;'
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:cleanup-watcher]
+command=python3 /usr/local/bin/cleanup_watcher.py
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0