mirror of
https://github.com/DRYTRIX/TimeTracker.git
synced 2026-05-17 01:49:35 -05:00
64b5fbe45d
- Move Python and shell scripts (apply_migration, check_routes, run_tests, etc.) to scripts/ - Move setup-https-mkcert and start-https (bat/sh) to scripts/ - Update start-local-test.bat and start-local-test.sh
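@echo off
REM Setup HTTPS for TimeTracker using mkcert.
REM Works with localhost and IP addresses without browser certificate
REM warnings on machines that trust the local mkcert CA.
REM
REM What this script does, in order:
REM   1. checks that mkcert is on PATH and installs its local CA
REM   2. detects one local IPv4 address
REM   3. writes nginx\ssl\key.pem and nginx\ssl\cert.pem
REM   4. writes nginx\conf.d\https.conf and docker-compose.https.yml
REM   5. turns on the secure-cookie settings in .env, if that file exists
REM
REM All paths are relative to the current directory.
REM NOTE(review): presumably this must be run from the repository root, next
REM to docker-compose.yml - confirm against the project docs.
REM
REM Security notes:
REM   - "mkcert -install" adds a new root CA to this machine's trust stores.
REM     The CA private key, rootCA-key.pem in the mkcert CAROOT folder, can
REM     sign a certificate for any site this machine will then trust. Never
REM     copy or share that key.
REM   - nginx\ssl\key.pem is the server private key. Keep nginx\ssl out of
REM     version control and out of shared folders.
REM   - Intended for local development and LAN testing only.

echo ==========================================
echo TimeTracker HTTPS Setup with mkcert
echo ==========================================
echo.

REM Check if mkcert is installed
where mkcert >nul 2>&1
if errorlevel 1 (
    echo [ERROR] mkcert is not installed!
    echo.
    echo Install mkcert:
    echo   Using Chocolatey: choco install mkcert
    echo   Using Scoop: scoop install mkcert
    echo.
    pause
    exit /b 1
)

echo [OK] mkcert found
echo.

REM Install local CA. Stop on failure instead of reporting success: without
REM a trusted CA every certificate issued below produces browser warnings.
echo Installing local Certificate Authority...
mkcert -install
if errorlevel 1 (
    echo [ERROR] mkcert -install failed - the local CA is not trusted.
    echo.
    pause
    exit /b 1
)
echo [OK] Local CA installed
echo.

REM Get local IP.
REM Clear any inherited value first so a stale LOCAL_IP from the calling
REM environment is never used when detection finds nothing.
REM findstr matches the English "IPv4 Address" label only, and the first
REM match wins, which may be a virtual adapter rather than the LAN interface.
set "LOCAL_IP="
for /f "tokens=2 delims=:" %%a in ('ipconfig ^| findstr /c:"IPv4 Address"') do (
    set "LOCAL_IP=%%a"
    goto :found_ip
)
:found_ip
REM Strip spaces only when something was captured. In a batch file,
REM substring replacement on an undefined variable does not expand to an
REM empty string, which would defeat the fallback below.
if defined LOCAL_IP set "LOCAL_IP=%LOCAL_IP: =%"
if not defined LOCAL_IP (
    set "LOCAL_IP=192.168.1.100"
    echo [WARNING] Could not detect a local IPv4 address.
    echo [WARNING] Using placeholder 192.168.1.100 - the certificate will not
    echo [WARNING] match this machine unless that really is its address.
)

echo Detected local IP: %LOCAL_IP%
echo.

REM Create directories
if not exist "nginx\ssl" mkdir "nginx\ssl"
if not exist "nginx\conf.d" mkdir "nginx\conf.d"

REM Generate certificates. key.pem is written unencrypted; treat it as a
REM secret.
echo Generating certificates...
mkcert -key-file "nginx\ssl\key.pem" -cert-file "nginx\ssl\cert.pem" localhost 127.0.0.1 ::1 %LOCAL_IP% *.local
if errorlevel 1 (
    echo [ERROR] Certificate generation failed.
    echo.
    pause
    exit /b 1
)

echo [OK] Certificates generated
echo.

REM Create nginx config.
REM Delayed expansion must stay disabled in this script: the ssl_ciphers line
REM contains exclamation marks that would otherwise be consumed.
REM Blank lines are written with "echo." because a bare "echo" prints the
REM echo state text into the file, which nginx rejects.
REM HSTS caveat: browsers remember the Strict-Transport-Security header per
REM host name for a year, so other plain-HTTP services on localhost can
REM become unreachable in that browser until the entry is cleared.
(
    echo server {
    echo     listen 80;
    echo     server_name _;
    echo     return 301 https://$host$request_uri;
    echo }
    echo.
    echo server {
    echo     listen 443 ssl http2;
    echo     server_name _;
    echo.
    echo     ssl_certificate /etc/nginx/ssl/cert.pem;
    echo     ssl_certificate_key /etc/nginx/ssl/key.pem;
    echo.
    echo     ssl_protocols TLSv1.2 TLSv1.3;
    echo     ssl_ciphers HIGH:!aNULL:!MD5;
    echo     ssl_prefer_server_ciphers on;
    echo.
    echo     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    echo     add_header X-Frame-Options "DENY" always;
    echo     add_header X-Content-Type-Options "nosniff" always;
    echo.
    echo     location / {
    echo         proxy_pass http://app:8080;
    echo         proxy_set_header Host $host;
    echo         proxy_set_header X-Real-IP $remote_addr;
    echo         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    echo         proxy_set_header X-Forwarded-Proto $scheme;
    echo.
    echo         proxy_http_version 1.1;
    echo         proxy_set_header Upgrade $http_upgrade;
    echo         proxy_set_header Connection "upgrade";
    echo     }
    echo }
) > "nginx\conf.d\https.conf"

echo [OK] nginx config created
echo.

REM Create docker-compose override.
REM The leading spaces after each echo are the YAML indentation and must be
REM kept exactly.
REM Ports 80 and 443 are published on every host interface, so the app is
REM reachable from the whole local network.
REM NOTE(review): Compose appends port lists when override files are merged,
REM so "ports: []" likely does not unpublish ports the base file already
REM publishes for app, leaving it reachable over plain HTTP. Check the merged
REM result with "docker-compose -f docker-compose.yml -f
REM docker-compose.https.yml config"; newer Compose versions offer the !reset
REM tag for this.
(
    echo services:
    echo   nginx:
    echo     image: nginx:alpine
    echo     container_name: timetracker-nginx
    echo     ports:
    echo       - "80:80"
    echo       - "443:443"
    echo     volumes:
    echo       - ./nginx/conf.d:/etc/nginx/conf.d:ro
    echo       - ./nginx/ssl:/etc/nginx/ssl:ro
    echo     depends_on:
    echo       - app
    echo     restart: unless-stopped
    echo.
    echo   app:
    echo     ports: []
    echo     environment:
    echo       - WTF_CSRF_SSL_STRICT=true
    echo       - SESSION_COOKIE_SECURE=true
    echo       - CSRF_COOKIE_SECURE=true
) > docker-compose.https.yml

echo [OK] docker-compose.https.yml created
echo.

REM Update .env if exists.
REM .env.backup holds the same secrets as .env; keep it out of version
REM control. The file is only rewritten after the backup succeeded.
REM Get-Content is wrapped in an array so that an empty or one-line .env
REM still gets each setting appended as its own line instead of being glued
REM onto the previous text.
if exist .env (
    copy /y .env .env.backup >nul
    if errorlevel 1 (
        echo [WARNING] Could not back up .env - leaving it unchanged
    ) else (
        powershell -NoProfile -Command "$c = @(Get-Content .env); foreach ($k in 'WTF_CSRF_SSL_STRICT','SESSION_COOKIE_SECURE','CSRF_COOKIE_SECURE') { if ($c -match ('^' + $k + '=')) { $c = $c -replace ('^' + $k + '=.*'), ($k + '=true') } else { $c += ($k + '=true') } }; $c | Set-Content .env"
        if errorlevel 1 (
            echo [WARNING] Could not update .env - restore it from .env.backup if needed
        ) else (
            echo [OK] .env updated
        )
    )
) else (
    echo [WARNING] No .env file - create from env.example
)

echo.
echo ==========================================
echo [OK] HTTPS Setup Complete!
echo ==========================================
echo.
echo Start with HTTPS:
echo   docker-compose -f docker-compose.yml -f docker-compose.https.yml up -d
echo.
echo Access at:
echo   https://localhost
echo   https://%LOCAL_IP%
echo.
echo For other devices:
echo   1. Find CA: mkcert -CAROOT
echo   2. Copy rootCA.pem to device
echo   3. Import as trusted certificate
echo   Do NOT copy rootCA-key.pem - keep the CA private key on this machine.
echo.
pause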