npm - ante-erp-cli - Versions diffs - 1.11.55 → 1.11.56 - Mend

ante-erp-cli 1.11.55 → 1.11.56

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/bin/ante-cli.js +1 -0
package/package.json +1 -1
package/src/commands/set-domain.js +13 -2
package/src/utils/nginx.js +394 -2

package/bin/ante-cli.js CHANGED Viewed

@@ -334,6 +334,7 @@ program
   .option('--backend-client <url>', 'Backend Client API domain/URL (non-interactive mode)')
   .option('--detect', 'Auto-detect public IP address')
   .option('--ssl, --enable-ssl', 'Enable SSL certificate (Let\'s Encrypt)')
+  .option('--cloudflare-ssl', 'Enable Cloudflare SSL mode (self-signed cert for Full mode)')
   .option('--email <email>', 'Email for SSL certificate notifications')
   .option('--ssl-staging', 'Use Let\'s Encrypt staging environment (for testing)')
   .option('--no-interactive', 'Non-interactive mode')

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ante-erp-cli",
-  "version": "1.11.55",
+  "version": "1.11.56",
   "description": "Comprehensive CLI tool for managing ANTE ERP self-hosted installations",
   "type": "module",
   "bin": {

package/src/commands/set-domain.js CHANGED Viewed

@@ -5,7 +5,7 @@ import { readFileSync, writeFileSync } from 'fs';
 import { join } from 'path';
 import { getInstallDir } from '../utils/config.js';
 import { detectPublicIPWithFeedback, buildURL, isValidIPv4 } from '../utils/network.js';
-import { configureNginx, requiresNginx } from '../utils/nginx.js';
+import { configureNginx, requiresNginx, generateCloudflareCert } from '../utils/nginx.js';
 import { pullImages, stopServices, startServices, waitForServiceHealthy } from '../utils/docker.js';
 import { obtainSSLCertificate, updateNginxForSSL, setupAutoRenewal, extractDomain } from '../utils/ssl.js';
@@ -753,11 +753,22 @@ export async function setDomain(options) {
       console.log(chalk.gray('\n🔧 Setting up reverse proxy...\n'));
       try {
+        // Check if Cloudflare SSL mode is enabled
+        const cloudflareSsl = options.cloudflareSsl || false;
+        // Generate self-signed certificate for Cloudflare if needed
+        if (cloudflareSsl) {
+          console.log(chalk.gray('Generating self-signed certificate for Cloudflare Full mode...'));
+          await generateCloudflareCert();
+          console.log(chalk.green('✓ Self-signed certificate ready'));
+        }
         const nginxConfig = {
           frontendDomain: frontendUrl,
           apiDomain: apiUrl,
           frontendPort: 8080,
-          apiPort: 3001
+          apiPort: 3001,
+          cloudflareSsl
         };
         if (hasGateApp && gateAppUrl) {

package/src/utils/nginx.js CHANGED Viewed

@@ -62,7 +62,8 @@ export async function installNginx(spinner) {
  * @param {number} [config.posAppPort] - POS app Docker port (default: 8084)
  * @param {number} [config.clientAppPort] - Client app Docker port (default: 9005)
  * @param {number} [config.backendClientPort] - Backend client API Docker port (default: 4001)
- * @param {boolean} config.ssl - Enable SSL configuration (default: false)
+ * @param {boolean} config.ssl - Enable SSL configuration with Let's Encrypt (default: false)
+ * @param {boolean} config.cloudflareSsl - Enable Cloudflare SSL mode with self-signed certs (default: false)
  * @returns {string} NGINX configuration content
  */
 export function generateNginxConfig(config) {
@@ -83,7 +84,8 @@ export function generateNginxConfig(config) {
     posAppPort = 8084,
     clientAppPort = 9005,
     backendClientPort = 4001,
-    ssl = false
+    ssl = false,
+    cloudflareSsl = false
   } = config;
   // Extract domain without protocol
@@ -96,6 +98,29 @@ export function generateNginxConfig(config) {
   const clientAppHost = clientAppDomain ? clientAppDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '') : null;
   const backendClientHost = backendClientDomain ? backendClientDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '') : null;
+  // Cloudflare SSL mode - uses self-signed certs for Cloudflare "Full" mode
+  if (cloudflareSsl) {
+    return generateCloudflareNginxConfig({
+      frontendHost,
+      apiHost,
+      gateAppHost,
+      guardianAppHost,
+      facialAppHost,
+      posAppHost,
+      clientAppHost,
+      backendClientHost,
+      frontendPort,
+      apiPort,
+      gateAppPort,
+      guardianAppPort,
+      facialWebPort,
+      posAppPort,
+      clientAppPort,
+      backendClientPort
+    });
+  }
+  // Let's Encrypt SSL mode
   if (ssl) {
     return generateSslNginxConfig({
       frontendHost,
@@ -371,6 +396,373 @@ server {
 ` : ''}`;
 }
+/**
+ * Generate NGINX configuration for Cloudflare SSL (Full mode)
+ * Uses self-signed certificates at /etc/nginx/ssl/cloudflare.crt and .key
+ * Cloudflare terminates SSL and re-encrypts to origin with these certs
+ * @param {Object} config - Configuration object
+ * @returns {string} NGINX configuration with Cloudflare SSL
+ */
+function generateCloudflareNginxConfig(config) {
+  const {
+    frontendHost,
+    apiHost,
+    gateAppHost,
+    guardianAppHost,
+    facialAppHost,
+    posAppHost,
+    clientAppHost,
+    backendClientHost,
+    frontendPort,
+    apiPort,
+    gateAppPort = 8081,
+    guardianAppPort = 8082,
+    facialWebPort = 8083,
+    posAppPort = 8084,
+    clientAppPort = 9005,
+    backendClientPort = 4001
+  } = config;
+  // SSL certificate paths for Cloudflare self-signed certs
+  const sslCert = '/etc/nginx/ssl/cloudflare.crt';
+  const sslKey = '/etc/nginx/ssl/cloudflare.key';
+  return `# ANTE Frontend Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${frontendHost};
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${frontendPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+# ANTE API Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${apiHost};
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${apiPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        # WebSocket support
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+    }
+}
+${gateAppHost ? `
+# ANTE Gate App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${gateAppHost};
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${gateAppPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${guardianAppHost ? `
+# ANTE Guardian App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${guardianAppHost};
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${guardianAppPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${facialAppHost ? `
+# ANTE Facial Web App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${facialAppHost};
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for image uploads
+    client_max_body_size 50M;
+    location / {
+        proxy_pass http://localhost:${facialWebPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${posAppHost ? `
+# ANTE POS App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${posAppHost};
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${posAppPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${clientAppHost ? `
+# ANTE Client App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${clientAppHost};
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${clientAppPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${backendClientHost ? `
+# ANTE Backend Client API Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${backendClientHost};
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${backendClientPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}`;
+}
+/**
+ * Generate self-signed SSL certificate for Cloudflare Full mode
+ * @returns {Promise<void>}
+ */
+export async function generateCloudflareCert() {
+  const sslDir = '/etc/nginx/ssl';
+  const certPath = join(sslDir, 'cloudflare.crt');
+  const keyPath = join(sslDir, 'cloudflare.key');
+  // Check if certs already exist
+  if (existsSync(certPath) && existsSync(keyPath)) {
+    return; // Certs already exist
+  }
+  // Create SSL directory if it doesn't exist
+  if (!existsSync(sslDir)) {
+    mkdirSync(sslDir, { recursive: true });
+  }
+  // Generate self-signed certificate (valid for 10 years)
+  await execa('openssl', [
+    'req', '-x509', '-nodes',
+    '-days', '3650',
+    '-newkey', 'rsa:2048',
+    '-keyout', keyPath,
+    '-out', certPath,
+    '-subj', '/CN=cloudflare-origin/O=ANTE/C=PH'
+  ], { stdio: 'pipe' });
+  // Set proper permissions
+  await execa('chmod', ['600', keyPath], { stdio: 'pipe' });
+  await execa('chmod', ['644', certPath], { stdio: 'pipe' });
+}
 /**
  * Generate NGINX configuration with SSL support
  * @param {Object} config - Configuration object