Исправлены websocket и добавлен конфиг для https

external_ports_https_v2/.env

@@ -0,0 +1,147 @@
+########## Обязательные переменные ##########
+
+# Система Yonote поставляется с несколькими дополнительными сервисами:
+# - PostgreSQL - основная БД для хранения данных
+# - Keycloak - сервер авторизации
+# - Minio - S3 файловое хранилище
+# - Redis - key-value хранилище
+# - Nginx - используется как reverse-proxy для всех сервисов
+#
+# Мы рекомендуем для каждого сервиса (кроме nginx) создать поддомены:
+# Если мы хотим, чтобы Yonote был доступен по адресу domain.ru -> 80.11.121.12 (пример),
+# то необходимо также создать следующие DNS записи для корректной работы системы:
+# - domain.ru -> 80.11.121.12
+# - auth.domain.ru -> domain.ru
+# - s3.domain.ru -> domain.ru
+#
+# Если вы запускаете сервис с HTTPS,
+# необходимо соответсвенно поменять на https:// и wss://
+
+### Keycloak
+AUTH_VERSION=latest
+
+# Адрес сервера авторизации (с http/https)
+KC_YNT_HOST=auth.demoqtech.ru
+KC_YNT_HOST_PROTOCOL=https://
+KC_YNT_EXTERNAL_PORT=9443 # Внешний порт обращения по адресу
+KC_YNT_URL=${KC_YNT_HOST_PROTOCOL}${KC_YNT_HOST}:${KC_YNT_EXTERNAL_PORT} # Адрес для клиентской стороны
+KC_YNT_INTERNAL_URL=${KC_YNT_HOST_PROTOCOL}${KC_YNT_HOST} # Адрес для серверной стороны
+
+# Подключение к базе данных (база создается автоматически)
+KC_DB=keycloak
+KC_DB_USERNAME=keycloak
+KC_DB_PASSWORD=
+
+# Настройка клиента авторизации (ключ от OIDC провайдера)
+KC_CLIENT_SECRET=
+
+# Адрес сервера S3/Minio (с http/https)
+MINIO_YNT_HOST=s3.demoqtech.ru
+MINIO_ADMIN_YNT_HOST=s3-admin.demoqtech.ru
+MINIO_YNT_EXTERNAL_PORT=9443
+MINIO_YNT_HOST_PROTOCOL=https://
+MINIO_YNT_URL=${MINIO_YNT_HOST_PROTOCOL}${MINIO_YNT_HOST}:${MINIO_YNT_EXTERNAL_PORT}
+MINIO_ADMIN_YNT_URL=${MINIO_YNT_HOST_PROTOCOL}${MINIO_ADMIN_YNT_HOST}:${MINIO_YNT_EXTERNAL_PORT}
+# Логин и пароль для администратора S3 (пользователь создается автоматически)
+MINIO_ADMIN_USERNAME=admin
+MINIO_ADMIN_PASSWORD=
+
+# Адрес для Yonote (укажите домен или адрес сервера)
+BASENAME_FOR_SUBDOMAIN=demoqtech.ru:9443
+YNT_HTTP_PROTOCOL=https://
+YNT_WEBSOCKET_PROTOCOL=wss://
+# YNT_INTERNAL_URL=app.kb.demoqtech.ru
+
+### OAuth/OIDC (Keycloak) - сервер авторизации
+KC_USERNAME=admin
+KC_PASSWORD=
+
+### S3 совместимое хранилище (Minio)
+MINIO_ACCESS_KEY_ID=yonote
+MINIO_SECRET_ACCESS_KEY=
+
+### Yonote
+APP_VERSION=latest
+
+# Данные для подключения к БД (БД и пользователь будут созданны автоматически)
+YNT_DB_NAME=yonote
+YNT_DB_USER=postgres
+YNT_DB_PASSWORD=
+
+# Максимальный размер одно файла для загрузки в хранилище (в байтах)
+AWS_S3_UPLOAD_MAX_SIZE=226214400
+
+# Ключ шыфрования (32 байта). Рекомендуем использовать команду ниже для генерации ключа:
+# `openssl rand -hex 32`
+# храните данный ключ в надежном месте
+SECRET_KEY=
+
+# Уникальный random ключ. Используется для различных крипто-функций,
+# рекомендуем так же использовать команду ниже для генерации ключа:
+# `openssl rand -hex 32`
+UTILS_SECRET=
+
+# SMTP сервер
+SMTP_HOST=
+SMTP_PORT=
+SMTP_USERNAME=
+SMTP_PASSWORD=
+SMTP_FROM_EMAIL=
+SMTP_REPLY_EMAIL=
+SMTP_TLS_CIPHERS=
+SMTP_SECURE=
+
+# Лицензионный ключ
+# Для получения, обратитесь в отдел продаж hello@yonote.ru
+LICENSE_KEY=
+
+############ OPTIONAL ################
+
+# Производить редирект на HTTPS если запрос пришел на HTTP
+FORCE_HTTPS=false
+
+# Отслеживать появление новых версий
+ENABLE_UPDATES=false
+
+# Как много подпроцессов множно запускать.
+# Самый простой вариант подсчета: разделить доступный объем памяти сервера на 512Мб
+WEB_CONCURRENCY=1
+
+# Максимальный размер файла импорта (Для импорта из Notion, Confluence и тд)
+MAXIMUM_IMPORT_SIZE=5120000
+
+# Логировать HTTP запросы.
+# DEBUG=http
+
+# Список почтовых доменов с которых разрешена регистрация. Домены разделяются запятыми.
+# По умолчанию разрешены любые домены
+# ALLOWED_DOMAINS=
+
+# Отправка отчетов об ошибках разработчикам.
+# Закомментируйте, если не хотите делиться отчетами об ошибках
+SENTRY_DSN=https://5bdaaba1cf8043ba9cc43933b65f3b46@sentry.wilix.dev/7
+
+# Логотип команды, который будет отображаться при входе в систему.
+# Будет уменьшен до height: 60px
+# TEAM_LOGO=https://example.com/images/logo.png
+
+# Язык по умолчанию
+DEFAULT_LANGUAGE=ru_RU
+
+# Ключи для отправки WEB Push уведомлений
+# Инструкция по получению ключей https://yo.yonote.ru/share/onprem/doc/ustanovka-i-nastrojka-KbTxPbAUoo#h-generaciya-klyuchej-web-push-service-worker
+SERVICE_WORKER_PUBLIC_KEY=
+SERVICE_WORKER_PRIVATE_KEY=
+
+# Интеграция с Telegram. Если TELEGRAM_BOT_TOKEN не указан, то интеграция отключена
+# Инструкция по настройке https://yo.yonote.ru/share/onprem/doc/integraciya-s-telegram-9d2l0erXGN
+# TELEGRAM_BOT_TOKEN=
+# TELEGRAM_BOT_URL=
+
+# Интеграция с Loop https://loop.ru/. Если LOOP_KEY не указан, то интеграция отключена
+# LOOP_KEY=
+# LOOP_SECRET=
+# LOOP_VERIFICATION_TOKEN=
+# LOOP_MESSAGE_ACTIONS=true
+
+OPENAI_API_KEY=123

external_ports_https_v2/docker-compose.yml

@@ -0,0 +1,176 @@
+services:
+  yonote:
+    container_name: yonote
+    image: images.updates.yonote.ru/yonote:${APP_VERSION}
+    env_file:
+      - .env
+    ports:
+      - "3000"
+    depends_on:
+      - postgres
+      - redis
+      - keycloak
+      - s3
+    command: yarn start:selfhosted
+    environment:
+      BIND_HOST: 0.0.0.0
+      PORT: 3000
+      URL: ${YNT_HTTP_PROTOCOL}app.${BASENAME_FOR_SUBDOMAIN}
+      COLLABORATION_URL: ${YNT_WEBSOCKET_PROTOCOL}app.${BASENAME_FOR_SUBDOMAIN}
+      DATABASE_URL: postgres://${YNT_DB_USER}:${YNT_DB_PASSWORD}@postgres:5432/${YNT_DB_NAME}
+      OIDC_CLIENT_ID: yonote
+      OIDC_CLIENT_SECRET: ${KC_CLIENT_SECRET}
+      OIDC_AUTH_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/auth
+      OIDC_TOKEN_URI: ${KC_YNT_INTERNAL_URL}/realms/yonote/protocol/openid-connect/token
+      OIDC_USERINFO_URI: ${KC_YNT_INTERNAL_URL}/realms/yonote/protocol/openid-connect/userinfo
+      OIDC_LOGOUT_URI: ${KC_YNT_URL}/realms/yonote/protocol/openid-connect/logout
+      AWS_S3_UPLOAD_BUCKET_URL: ${MINIO_YNT_URL}
+      AWS_ACCESS_KEY_ID: ${MINIO_ACCESS_KEY_ID}
+      AWS_SECRET_ACCESS_KEY: ${MINIO_SECRET_ACCESS_KEY}
+      AWS_S3_UPLOAD_BUCKET_NAME: yonote-bucket
+      AWS_REGION: xx-xxxx-x
+      TELEGRAM_API_URL: https://api.telegram.org
+      OIDC_DISPLAY_NAME: email
+      OIDC_SCOPES: openid email
+      REDIS_URL: redis://redis:6379
+      PGSSLMODE: disable
+      USE_LEGACY_LOGOUT: true
+      AWS_S3_FORCE_PATH_STYLE: true
+      AWS_S3_ACL: private
+      NODE_TLS_REJECT_UNAUTHORIZED: 0
+      SUBDOMAINS_ENABLED: true 
+    volumes:
+      - ./License.key:/opt/yonote/License.key
+    networks:
+      - yonote-network
+    external_links:
+     - "nginx:${KC_YNT_HOST}"
+
+  redis:
+    container_name: redis
+    image: redis:7-alpine
+    restart: unless-stopped
+    user: "redis:redis"
+    networks:
+      - yonote-network
+
+  postgres:
+    container_name: postgres
+    image: postgres:14
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: ${YNT_DB_NAME}
+      POSTGRES_USER: ${YNT_DB_USER}
+      POSTGRES_PASSWORD: ${YNT_DB_PASSWORD}
+      KC_DB_USERNAME: ${KC_DB_USERNAME}
+      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
+      user: "postgres:postgres"
+    volumes:
+      - ./db-data:/var/lib/postgresql/data
+      - ./postgres/init-keycloak-db.sh:/docker-entrypoint-initdb.d/init-keycloak-db.sh
+    networks:
+      - yonote-network
+
+  s3:
+    container_name: minio
+    image: minio/minio:RELEASE.2022-08-26T19-53-15Z
+    restart: unless-stopped
+    environment:
+      MINIO_ROOT_USER: ${MINIO_ADMIN_USERNAME}
+      MINIO_ROOT_PASSWORD: ${MINIO_ADMIN_PASSWORD}
+      MINIO_BROWSER_REDIRECT_URL: ${MINIO_ADMIN_YNT_URL}
+    command: server --address :9000 --console-address :9001 /data
+    ports:
+      - "9000"
+      - "9001"
+    volumes:
+      - ./s3-data:/data
+        # - minio:/data
+    networks:
+      - yonote-network
+
+  s3-client:
+    container_name: minio-client
+    image: minio/mc:RELEASE.2022-08-28T20-08-11Z
+    volumes:
+      - ./minio:/tmp/policies
+    environment:
+      MINIO_ACCESS_KEY_ID: ${MINIO_ACCESS_KEY_ID}
+      MINIO_SECRET_ACCESS_KEY: ${MINIO_SECRET_ACCESS_KEY}
+      MINIO_ADMIN_USERNAME: ${MINIO_ADMIN_USERNAME}
+      MINIO_ADMIN_PASSWORD: ${MINIO_ADMIN_PASSWORD}
+    entrypoint: >
+      /bin/sh -c "
+      /usr/bin/mc config host add myminio http://minio:9000 ${MINIO_ADMIN_USERNAME} ${MINIO_ADMIN_PASSWORD};
+      /usr/bin/mc mb myminio/yonote-bucket;
+      /usr/bin/mc policy set-json /tmp/policies/minio-bucket-policy.json myminio/yonote-bucket;
+      /usr/bin/mc admin user add myminio ${MINIO_ACCESS_KEY_ID} ${MINIO_SECRET_ACCESS_KEY};
+      /usr/bin/mc admin policy add myminio yonote-policy /tmp/policies/minio-user-policy.json;
+      /usr/bin/mc admin policy set myminio yonote-policy user=${MINIO_ACCESS_KEY_ID};
+      exit 0;
+      "      
+    networks:
+      - yonote-network
+    depends_on:
+      - nginx 
+
+  keycloak:
+    container_name: keycloak
+    image: images.updates.yonote.ru/yonote-keycloak:${AUTH_VERSION}
+    ports:
+      - "8080"
+    environment:
+      KC_HOSTNAME: ${KC_YNT_HOST}
+      KC_HOSTNAME_PORT: ${KC_YNT_EXTERNAL_PORT}
+      OIDC_CLIENT_SECRET: ${KC_CLIENT_SECRET}
+      YNT_HTTP_PROTOCOL: ${YNT_HTTP_PROTOCOL}
+      BASENAME_FOR_SUBDOMAIN: app.${BASENAME_FOR_SUBDOMAIN}
+      KEYCLOAK_ADMIN: ${KC_USERNAME}
+      KEYCLOAK_ADMIN_PASSWORD: ${KC_PASSWORD}
+      KC_DB: postgres
+      KC_DB_URL: jdbc:postgresql://postgres:5432/keycloak
+      KC_DB_USERNAME: ${KC_DB_USERNAME}
+      KC_DB_PASSWORD: ${KC_DB_PASSWORD}
+      KC_PROXY_ADDRESS_FORWARDING: true
+      PROXY_ADDRESS_FORWARDING: true
+      KC_PROXY: edge
+      KC_HOSTNAME_STRICT: false
+    command: start --spi-login-protocol-openid-connect-legacy-logout-redirect-uri=true --import-realm
+    networks:
+      - yonote-network
+    depends_on:
+      - postgres
+
+  nginx:
+    container_name: nginx
+    image: nginx
+    ports:
+      - 80:80
+      - 443:443
+    environment:
+      BASENAME_FOR_SUBDOMAIN: ${BASENAME_FOR_SUBDOMAIN}
+      MINIO_YNT_HOST: ${MINIO_YNT_HOST}
+      MINIO_ADMIN_YNT_HOST: ${MINIO_ADMIN_YNT_HOST}
+      KC_YNT_HOST: ${KC_YNT_HOST}
+      DOLLAR: "$"
+    volumes:
+      - ./nginx/default.conf.tmpl:/etc/nginx/conf.d/default.conf.tmpl
+      - ./nginx/server.crt.pem:/etc/nginx/ssl/server.crt.pem
+      - ./nginx/server.key.pem:/etc/nginx/ssl/server.key.pem
+    networks:
+      yonote-network:
+    depends_on:
+      - postgres
+      - redis
+      - keycloak
+      - s3
+      - yonote
+    command: /bin/bash -c "envsubst < /etc/nginx/conf.d/default.conf.tmpl > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'"
+
+networks:
+  yonote-network:
+    name: yonote-internal-network
+
+volumes:
+  db:
+  minio:

external_ports_https_v2/minio/minio-bucket-policy.json

@@ -0,0 +1,33 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "*"
+        ]
+      },
+      "Action": [
+        "s3:GetBucketLocation"
+      ],
+      "Resource": [
+        "arn:aws:s3:::yonote-bucket"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": [
+          "*"
+        ]
+      },
+      "Action": [
+        "s3:GetObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::yonote-bucket/*"
+      ]
+    }
+  ]
+}

external_ports_https_v2/minio/minio-user-policy.json

@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "VisualEditor",
+      "Effect": "Allow",
+      "Action": [
+        "s3:DeleteObject",
+        "s3:GetObject",
+        "s3:PutObject"
+      ],
+      "Resource": [
+        "arn:aws:s3:::yonote-bucket/*"
+      ]
+    }
+  ]
+}

external_ports_https_v2/nginx/default.conf.tmpl

@@ -0,0 +1,169 @@
+server {
+  server_name ${BASENAME_FOR_SUBDOMAIN} ${MINIO_YNT_HOST} ${MINIO_ADMIN_YNT_HOST} ${KC_YNT_HOST};
+  listen 80;
+  return 301 https://${DOLLAR}host${DOLLAR}request_uri;
+}
+
+server {
+  server_name ${BASENAME_FOR_SUBDOMAIN};
+  listen 443 ssl;
+
+  ssl_certificate /etc/nginx/ssl/server.crt.pem;
+  ssl_certificate_key /etc/nginx/ssl/server.key.pem;
+
+  proxy_http_version 1.1;
+  proxy_busy_buffers_size   512k;
+  proxy_buffers   4 512k;
+  proxy_buffer_size   256k;  
+  proxy_connect_timeout 75s;
+
+  location / {
+    proxy_pass http://yonote:3000;
+    proxy_set_header Host ${DOLLAR}host;
+    proxy_set_header Connection '';
+    chunked_transfer_encoding off;
+    proxy_cache off;
+ }
+
+  location ^~/realtime {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host ${DOLLAR}host;
+    proxy_pass http://yonote:3000;
+ }
+  location ^~/collaboration {
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+    proxy_set_header Connection "Upgrade";
+    proxy_set_header Host ${DOLLAR}host;
+    proxy_pass http://yonote:3000;
+  }
+}
+
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  server_name ${MINIO_YNT_HOST};
+
+  ssl_certificate /etc/nginx/ssl/server.crt.pem;
+  ssl_certificate_key /etc/nginx/ssl/server.key.pem;
+
+  # To allow special characters in headers
+  ignore_invalid_headers off;
+  # Allow any size file to be uploaded.
+  # Set to a value such as 1000m; to restrict file size to a specific value
+  client_max_body_size 0;
+  # To disable buffering
+  proxy_buffering off;
+
+  # Use Docker DNS
+  # You might not need this section but in case you need to resolve
+  # docker service names inside the container then this can be useful.
+  # resolver 127.0.0.11 valid=10s;
+  # resolver_timeout 5s;
+
+  # Apparently the following line might prevent caching of DNS lookups
+  # and force nginx to resolve the name on each request via the internal
+  # Docker DNS.
+  # set ${DOLLAR}upstream "s3";
+
+  # Proxy requests to the Minio API on port 9000
+  location / {
+    proxy_pass http://s3:9000;
+
+    proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+    proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+    proxy_set_header Host ${DOLLAR}http_host;
+
+    proxy_connect_timeout 300;
+
+    # To support websocket
+    # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+    proxy_set_header Connection "upgrade";
+    chunked_transfer_encoding off;
+  }
+}
+
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  server_name ${MINIO_ADMIN_YNT_HOST};
+
+  ssl_certificate /etc/nginx/ssl/server.crt.pem;
+  ssl_certificate_key /etc/nginx/ssl/server.key.pem;
+
+  # To allow special characters in headers
+  ignore_invalid_headers off;
+  # Allow any size file to be uploaded.
+  # Set to a value such as 1000m; to restrict file size to a specific value
+  client_max_body_size 0;
+  # To disable buffering
+  proxy_buffering off;
+
+  # Use Docker DNS
+  # You might not need this section but in case you need to resolve
+  # docker service names inside the container then this can be useful.
+  # resolver 127.0.0.11 valid=10s;
+  # resolver_timeout 5s;
+
+  # Apparently the following line might prevent caching of DNS lookups
+  # and force nginx to resolve the name on each request via the internal
+  # Docker DNS.
+  # set ${DOLLAR}upstream "s3";
+
+  # Minio Console (UI)
+  location / {
+    # This was really the key for me. Even though the Nginx docs say 
+    # that with a URI part in the `proxy_pass` directive, the `/console/`
+    # URI should automatically be rewritten, this wasn't working for me.
+    # rewrite ^/console/(.*)${DOLLAR} /${DOLLAR}1 break;
+
+    proxy_pass http://s3:9001;
+
+    proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+    proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+    proxy_set_header Host ${DOLLAR}http_host;
+
+    proxy_connect_timeout 300;
+    proxy_set_header Connection "";
+    chunked_transfer_encoding off;
+
+    # To support websocket
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Origin '';
+  }
+}
+
+server {
+  server_name ${KC_YNT_HOST};
+  listen 443 ssl;
+
+  ssl_certificate /etc/nginx/ssl/server.crt.pem;
+  ssl_certificate_key /etc/nginx/ssl/server.key.pem;
+
+  proxy_http_version 1.1;
+  proxy_busy_buffers_size   512k;
+  proxy_buffers   4 512k;
+  proxy_buffer_size   256k;
+  proxy_read_timeout 300s;
+  proxy_connect_timeout 75s;
+
+  proxy_set_header Host ${DOLLAR}host; # to forward the original host requested by the client
+  proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+  proxy_set_header X-Forwarded-Host ${DOLLAR}host;
+  proxy_set_header X-Forwarded-Port 9443;
+  proxy_set_header X-Forwarded-Server ${DOLLAR}host;
+  proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for; # To forward the original client's IP address
+  proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme; # to forward the  original protocol (HTTP or HTTPS)
+
+  location / {
+    proxy_pass http://keycloak:8080;
+ }
+}

external_ports_https_v2/postgres/init-keycloak-db.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+CREATE DATABASE keycloak;
+CREATE USER ${KC_DB_USERNAME} WITH PASSWORD '${KC_DB_PASSWORD}';
+GRANT ALL PRIVILEGES ON DATABASE keycloak TO ${KC_DB_USERNAME};
+EOSQL