MOBILE-4304 ci: Configure SSL

Author: NoelDeMartin

.github/workflows/acceptance.yml

@@ -41,6 +41,17 @@ jobs:
         working-directory: app
         run: npm run build:test
 
+      - name: Generate SSL certificates
+        working-directory: app
+        run: |
+          mkdir ./ssl
+          openssl req -x509 -nodes \
+            -days 365 \
+            -newkey rsa:2048 \
+            -keyout ./ssl/certificate.key \
+            -out ./ssl/certificate.crt \
+            -subj="/O=Moodle"
+
       - name: Build Behat plugin
         working-directory: app
         run: ./scripts/build-behat-plugin.js ../plugin
@@ -111,11 +122,12 @@ jobs:
 
       - uses: actions/cache/save@v4
         with:
-            key: build-${{ github.sha }}
-            path: |
-              app/node_modules/**/*
-              app/www/**/*
-              plugin/**/*
+          key: build-${{ github.sha }}
+          path: |
+            app/ssl/**/*
+            app/node_modules/**/*
+            app/www/**/*
+            plugin/**/*
 
   behat:
     runs-on: ubuntu-latest
@@ -157,14 +169,22 @@ jobs:
         with:
           key: build-${{ github.sha }}
           path: |
+            app/ssl/**/*
             app/node_modules/**/*
             app/www/**/*
             plugin/**/*
 
       - name: Launch Docker images
         working-directory: app
         run: |
-          docker run -d --rm -p 8001:80 --name moodleapp -v ./www:/usr/share/nginx/html -v ./nginx.conf:/etc/nginx/conf.d/default.conf nginx:alpine
+          docker run -d --rm \
+              -p 8001:443 \
+              --name moodleapp \
+              -v ./www:/usr/share/nginx/html \
+              -v ./nginx.conf:/etc/nginx/conf.d/default.conf \
+              -v ./ssl/certificate.crt:/etc/ssl/certificate.crt \
+              -v ./ssl/certificate.key:/etc/ssl/certificate.key \
+              nginx:alpine
           docker run -d --rm -p 8002:80 --name bigbluebutton moodlehq/bigbluebutton_mock:latest
 
       - name: Initialise moodle-plugin-ci
@@ -184,7 +204,7 @@ jobs:
           DB: pgsql
           MOODLE_BRANCH: ${{ github.event.inputs.moodle_branch || 'main' }}
           MOODLE_REPO: ${{ github.event.inputs.moodle_repository || 'https://github.com/moodle/moodle.git' }}
-          MOODLE_BEHAT_IONIC_WWWROOT: http://localhost:8001
+          MOODLE_BEHAT_IONIC_WWWROOT: https://localhost:8001
           MOODLE_BEHAT_DEFAULT_BROWSER: chrome
 
       - name: Update config

Dockerfile

@@ -23,10 +23,17 @@ ARG build_command="npm run build:prod"
 COPY . /app
 RUN ${build_command}
 
+# Generate SSL certificate
+RUN mkdir /app/ssl
+RUN openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /app/ssl/certificate.key -out /app/ssl/certificate.crt -subj="/O=Moodle"
+
 ## SERVE STAGE
 FROM nginx:alpine as serve-stage
 
 # Copy assets & config
 COPY --from=build-stage /app/www /usr/share/nginx/html
+COPY --from=build-stage /app/ssl/certificate.crt /etc/ssl/certificate.crt
+COPY --from=build-stage /app/ssl/certificate.key /etc/ssl/certificate.key
 COPY ./nginx.conf /etc/nginx/conf.d/default.conf
-HEALTHCHECK --interval=10s --timeout=4s CMD curl -f http://localhost/assets/env.json || exit 1
+EXPOSE 443
+HEALTHCHECK --interval=10s --timeout=4s CMD curl --insecure -f https://localhost/assets/env.json || exit 1

nginx.conf

@@ -1,9 +1,23 @@
 server {
-    listen 0.0.0.0:80;
+    listen 80;
+    listen 443 ssl;
     root /usr/share/nginx/html;
     server_tokens off;
     access_log off;
 
+    # Configure SSL
+    if ($scheme = "http") {
+        return 301 https://$host$request_uri;
+    }
+
+    ssl_certificate /etc/ssl/certificate.crt;
+    ssl_certificate_key /etc/ssl/certificate.key;
+    ssl_protocols TLSv1.3;
+
+    # Enable OPFS
+    add_header Cross-Origin-Opener-Policy "same-origin";
+    add_header Cross-Origin-Embedder-Policy "require-corp";
+
     location / {
         try_files $uri $uri/ /index.html;
     }