Add a basic Docker build

Signed-off-by: Brian Warner <brian@bdwarner.com>

Author: brianwarner

Dockerfile

@@ -0,0 +1,23 @@
+FROM nginx:alpine
+
+RUN apk add vim
+COPY cfg/vimrc /etc/vim/vimrc
+
+
+ARG CDN_ACCESS_KEY=''
+COPY cfg/default.conf /etc/nginx/conf.d/default.conf
+
+# If the CDN_ACCESS_KEY environment variable is *not* set, operate in "break glass" mode where the
+# container responds to all requests. Otherwise, look for the secret header the CDN adds to origin
+# pulls and only allow responses to those requests, and 301 the rest back to the CDN.
+
+RUN if [ -n "$CDN_ACCESS_KEY" ]; then \
+    sed -i s/##PLACEHOLDER-cdn_header_detection-DO_NOT_CHANGE##/"map \$http_cdn_access \$reroute_to_cdn { default '1'; $CDN_ACCESS_KEY '0'; }"/g /etc/nginx/conf.d/default.conf && \
+    sed -i s/##PLACEHOLDER-cdn_reroute-DO_NOT_CHANGE##/"if (\$reroute_to_cdn) { return 301 \$scheme:\/\/code.jquery.com\$uri; }"/g /etc/nginx/conf.d/default.conf; \
+  fi
+
+COPY cdn/* /usr/share/nginx/html/
+COPY git/* /usr/share/nginx/html/
+
+EXPOSE 80
+

README.md

@@ -1,6 +1,44 @@
-codeorigin.jquery.com
+# Official project releases
 =====================
 
-### Build
+This repo is used to build a Docker container that serves the codeorigin site for jQuery and related projects. It is designed to deploy easily, and includes a "break glass in case of emergency" minimal config mode should codeorigin need to be redeployed urgently.
 
-To build and deploy your changes for previewing in a [`jquery-wp-content`](https://github.com/jquery/jquery-wp-content) instance, follow the [workflow instructions](http://contribute.jquery.org/web-sites/#workflow) from our documentation on [contributing to jQuery Foundation web sites](http://contribute.jquery.org/web-sites/).
+## Build a local copy
+
+To build a local container (defaults to "break glass" mode):
+
+1. Install Docker
+1. Clone this repo, and `cd` into it
+1. Build the image: `docker build -t releases ./`
+1. Run the container, exposing port 80: `docker run -p 127.0.0.1:80:80/tcp releases`
+1. To exit the container, press `ctrl+c`
+
+To build a local container in deployment mode (redirecting any requests without the magic header that indicates an origin pull), build the container with the header value in an environment variable:
+
+1. Install Docker
+1. Clone this repo, and `cd` into it
+1. Generate a random string for the environment variable: ``CDN_ACCESS_KEY=`openssl rand -hex 16` ``
+1. Build the image: `docker build -t prod-releases --build-arg CDN_ACCESS_KEY=$CDN_ACCESS_KEY ./`
+1. Run the container, exposing port 80: `docker run -p 127.0.0.1:80:80/tcp prod-releases`
+1. To exit the container, press `ctrl+c`
+
+Note that you will need to keep track of `$CDN_ACCESS_KEY` and add it to the headers sent for origin pulls. To test whether this is working correctly, you can use `curl`:
+
+* This should always redirect to `code.jquery.org`: `curl -i localhost/jquery-3.1.1.js`
+* This should always deliver a copy of the file (don't forget to set the environment variable in your current shell): `curl -i -H "cdn-access: ${CDN_ACCESS_KEY}" localhost/jquery-3.1.1.js`
+
+## Build the production site
+
+To deploy, first generate the CDN access key. Next, you'll need to configure the container host to build from the Dockerfile in this repository, and use the CDN access key as a build argument. Finally, you'll configure the CDN to send both the Host header and the access key during origin pulls.
+
+1. Generate the access key: ``CDN_ACCESS_KEY=`openssl rand -hex 16` ``
+1. Configure the container host to build from this repo, and set this build variable: `CDN_ACCESS_KEY=(Insert the value of $CDN_ACCESS_KEY here)`
+1. Create the magic header and the host header at the CDN: `cdn-access: (Insert the value of $CDN_ACCESS_KEY here)|Host: (insert URL to app container)`
+
+## In case of emergency
+
+If you need to deploy a codeorigin container immediately, or if there are origin pull failures and you're not sure why, deploy without setting the `CDN_ACCESS_KEY` environment variable. The codeorigin server will respond to all requests without redirecting non-origin pulls to the CDN, so this should be only used in case of emergencies.
+
+## Add or update project release files
+
+To add a new release or update an existing one, simply commit the new file to the `cdn` directory and merge to the `main` branch. The container will rebuild automatically.

cfg/default.conf

@@ -0,0 +1,82 @@
+#
+# This file is responsible for the site which serves the main releases from codeorigin. By default,
+# it generates a site that operates in "break glass" emergency mode. All requests are served,
+# regardless of where they come from.
+#
+# In production, the CDN should add a private header to origin fetches. All requests which do not
+# include the correct header should be bounced via 301 redirect back to the CDN. This ensures that
+# even if a client attempts to link to codeorigin, it will still be served from the CDN. The end
+# result should be that codeorigin is only reachable for origin pulls from the CDN, decreasing its
+# load and reducing the attack surface for DDOSs.
+#
+# How to enable production mode:
+#
+# **VERY IMPORTANT**: You must first configure the CDN to send the header **BEFORE** you configure
+# codeorigin to ignore requests that omit the header. If you do not preserve this order you will
+# create a 301 redirect loop and **break a substantial portion of the internet.**
+#
+# 1. Add a header to origin pulls named "cdn-access". Set the value to something long and random. An
+# md5 hash of some random letters is probably good enough.
+#
+# 2. Rebuild this container and set the environment variable CDN_ACCESS_KEY to the value in step 1.
+#
+# 3. Test the container:
+#   * First, check that requests with the correct header will not be redirected. This should always
+#     return the actual file contents of the 3.5.1 release.
+#
+#     * `curl -i -H 'cdn-access: {value from step 1}' https://CONTAINER_URL/jquery-3.5.1.js`
+#
+#   * Next, check that requests without the header are redirected to code.jquery.com. This should
+#      always return "HTTP/1.1 301 Moved Permanently"
+#
+#     * `curl -i https://CONTAINER_URL/jquery-3.5.1.js`
+#
+# 4. Update the DNS to point the codeorigin CNAME to https://CONTAINER_URL
+#
+#
+# How to enable "Break glass" mode:
+#
+# If everything has melted down and you need to go into "break glass" mode, deploy this container
+# without a CDN_ACCESS_KEY environment variable. It will serve all requests without redirecting to
+# the CDN, regardless of the presence or absence of the header.
+#
+# What this means in real terms is that requests to https://code.jquery.com will still go through
+# the CDN, but requests to https://codeorigin.jquery.com will hit this container directly. This is a
+# recipe for a DDOS (innocent or intentional), so this should be a last resort while other issues
+# are worked out.
+#
+
+# Do not change the following line. The Dockerfile will add CDN header detection at build time if
+# the correct environment variable is set.
+##PLACEHOLDER-cdn_header_detection-DO_NOT_CHANGE##
+
+
+#  CDN_ACCESS_KEY "0";
+server {
+  listen        80;
+  listen        [::]:80;
+  server_name   localhost;
+
+  access_log  /var/log/nginx/host.access.log  main;
+
+  location / {
+    root        /usr/share/nginx/html;
+    index       index.html index.htm;
+
+    # Do not change the following line. The Dockerfile will add the reroute logic at build time if
+    # the correct environment variable is set.
+    ##PLACEHOLDER-cdn_reroute-DO_NOT_CHANGE##
+
+  }
+
+  #error_page    404              /404.html;
+
+  # redirect server error pages to the static page /50x.html
+  #
+  error_page    500 502 503 504  /50x.html;
+  location = /50x.html {
+    root   /usr/share/nginx/html;
+  }
+}
+
+# vim: ts=2 sw=2 et

cfg/vimrc

@@ -0,0 +1,16 @@
+set nocompatible        " Use Vim defaults (much better!)
+set bs=2                " Allow backspacing over everything in insert mode
+set ai                  " Always set auto-indenting on
+set history=50          " keep 50 lines of command history
+set ruler               " Show the cursor position all the time
+
+" Don't use Ex mode, use Q for formatting
+map Q gq
+
+" When doing tab completion, give the following files lower priority.
+set suffixes+=.info,.aux,.log,.dvi,.bbl,.out,.o,.lo
+
+set modeline
+syntax on
+autocmd BufRead APKBUILD set filetype=sh
+

git/README.md

@@ -0,0 +1,6 @@
+# Release snapshots
+
+This directory is for git  snapshots only. They should be considered extremely
+unstable and entirely unsuitable for production deployments, and should only be
+used in active develompent.
+