ante-erp-cli 1.11.55 → 1.11.57

package/bin/ante-cli.js

@@ -334,6 +334,7 @@ program
   .option('--backend-client <url>', 'Backend Client API domain/URL (non-interactive mode)')
   .option('--detect', 'Auto-detect public IP address')
   .option('--ssl, --enable-ssl', 'Enable SSL certificate (Let\'s Encrypt)')
+  .option('--cloudflare-ssl', 'Enable Cloudflare SSL mode (self-signed cert for Full mode)')
   .option('--email <email>', 'Email for SSL certificate notifications')
   .option('--ssl-staging', 'Use Let\'s Encrypt staging environment (for testing)')
   .option('--no-interactive', 'Non-interactive mode')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ante-erp-cli",
-  "version": "1.11.55",
+  "version": "1.11.57",
   "description": "Comprehensive CLI tool for managing ANTE ERP self-hosted installations",
   "type": "module",
   "bin": {

package/src/commands/set-domain.js

@@ -5,7 +5,7 @@ import { readFileSync, writeFileSync } from 'fs';
 import { join } from 'path';
 import { getInstallDir } from '../utils/config.js';
 import { detectPublicIPWithFeedback, buildURL, isValidIPv4 } from '../utils/network.js';
-import { configureNginx, requiresNginx } from '../utils/nginx.js';
+import { configureNginx, requiresNginx, generateCloudflareCert } from '../utils/nginx.js';
 import { pullImages, stopServices, startServices, waitForServiceHealthy } from '../utils/docker.js';
 import { obtainSSLCertificate, updateNginxForSSL, setupAutoRenewal, extractDomain } from '../utils/ssl.js';
 
@@ -753,11 +753,22 @@ export async function setDomain(options) {
       console.log(chalk.gray('\n🔧 Setting up reverse proxy...\n'));
 
       try {
+        // Check if Cloudflare SSL mode is enabled
+        const cloudflareSsl = options.cloudflareSsl || false;
+
+        // Generate self-signed certificate for Cloudflare if needed
+        if (cloudflareSsl) {
+          console.log(chalk.gray('Generating self-signed certificate for Cloudflare Full mode...'));
+          await generateCloudflareCert();
+          console.log(chalk.green('✓ Self-signed certificate ready'));
+        }
+
         const nginxConfig = {
           frontendDomain: frontendUrl,
           apiDomain: apiUrl,
           frontendPort: 8080,
-          apiPort: 3001
+          apiPort: 3001,
+          cloudflareSsl
         };
 
         if (hasGateApp && gateAppUrl) {
@@ -845,10 +856,12 @@ export async function setDomain(options) {
 
       // Execute SSL setup if enabled
       if (enableSsl) {
+        // Use default email if not provided
         if (!sslEmail) {
-          console.log(chalk.yellow('\n⚠  SSL setup skipped: Email address required'));
-          console.log(chalk.gray('   Run "ante ssl enable --email your@email.com" to enable SSL later\n'));
-        } else {
+          sslEmail = 'geeritsolutions@gmail.com';
+          console.log(chalk.gray(`Using default email for SSL: ${sslEmail}\n`));
+        }
+        {
           try {
             console.log(chalk.bold('\n🔒 Setting up SSL/HTTPS...\n'));
 

package/src/utils/nginx.js

@@ -62,7 +62,8 @@ export async function installNginx(spinner) {
  * @param {number} [config.posAppPort] - POS app Docker port (default: 8084)
  * @param {number} [config.clientAppPort] - Client app Docker port (default: 9005)
  * @param {number} [config.backendClientPort] - Backend client API Docker port (default: 4001)
- * @param {boolean} config.ssl - Enable SSL configuration (default: false)
+ * @param {boolean} config.ssl - Enable SSL configuration with Let's Encrypt (default: false)
+ * @param {boolean} config.cloudflareSsl - Enable Cloudflare SSL mode with self-signed certs (default: false)
  * @returns {string} NGINX configuration content
  */
 export function generateNginxConfig(config) {
@@ -83,7 +84,8 @@ export function generateNginxConfig(config) {
     posAppPort = 8084,
     clientAppPort = 9005,
     backendClientPort = 4001,
-    ssl = false
+    ssl = false,
+    cloudflareSsl = false
   } = config;
 
   // Extract domain without protocol
@@ -96,6 +98,29 @@ export function generateNginxConfig(config) {
   const clientAppHost = clientAppDomain ? clientAppDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '') : null;
   const backendClientHost = backendClientDomain ? backendClientDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '') : null;
 
+  // Cloudflare SSL mode - uses self-signed certs for Cloudflare "Full" mode
+  if (cloudflareSsl) {
+    return generateCloudflareNginxConfig({
+      frontendHost,
+      apiHost,
+      gateAppHost,
+      guardianAppHost,
+      facialAppHost,
+      posAppHost,
+      clientAppHost,
+      backendClientHost,
+      frontendPort,
+      apiPort,
+      gateAppPort,
+      guardianAppPort,
+      facialWebPort,
+      posAppPort,
+      clientAppPort,
+      backendClientPort
+    });
+  }
+
+  // Let's Encrypt SSL mode
   if (ssl) {
     return generateSslNginxConfig({
       frontendHost,
@@ -371,6 +396,373 @@ server {
 ` : ''}`;
 }
 
+/**
+ * Generate NGINX configuration for Cloudflare SSL (Full mode)
+ * Uses self-signed certificates at /etc/nginx/ssl/cloudflare.crt and .key
+ * Cloudflare terminates SSL and re-encrypts to origin with these certs
+ * @param {Object} config - Configuration object
+ * @returns {string} NGINX configuration with Cloudflare SSL
+ */
+function generateCloudflareNginxConfig(config) {
+  const {
+    frontendHost,
+    apiHost,
+    gateAppHost,
+    guardianAppHost,
+    facialAppHost,
+    posAppHost,
+    clientAppHost,
+    backendClientHost,
+    frontendPort,
+    apiPort,
+    gateAppPort = 8081,
+    guardianAppPort = 8082,
+    facialWebPort = 8083,
+    posAppPort = 8084,
+    clientAppPort = 9005,
+    backendClientPort = 4001
+  } = config;
+
+  // SSL certificate paths for Cloudflare self-signed certs
+  const sslCert = '/etc/nginx/ssl/cloudflare.crt';
+  const sslKey = '/etc/nginx/ssl/cloudflare.key';
+
+  return `# ANTE Frontend Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${frontendHost};
+
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${frontendPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+
+# ANTE API Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${apiHost};
+
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${apiPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+
+        # WebSocket support
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+    }
+}
+${gateAppHost ? `
+# ANTE Gate App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${gateAppHost};
+
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${gateAppPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${guardianAppHost ? `
+# ANTE Guardian App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${guardianAppHost};
+
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${guardianAppPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${facialAppHost ? `
+# ANTE Facial Web App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${facialAppHost};
+
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for image uploads
+    client_max_body_size 50M;
+
+    location / {
+        proxy_pass http://localhost:${facialWebPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${posAppHost ? `
+# ANTE POS App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${posAppHost};
+
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${posAppPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${clientAppHost ? `
+# ANTE Client App Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${clientAppHost};
+
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${clientAppPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}${backendClientHost ? `
+# ANTE Backend Client API Configuration (Cloudflare SSL)
+server {
+    listen 80;
+    listen 443 ssl;
+    listen [::]:80;
+    listen [::]:443 ssl;
+    server_name ${backendClientHost};
+
+    # SSL Certificate (self-signed for Cloudflare Full mode)
+    ssl_certificate ${sslCert};
+    ssl_certificate_key ${sslKey};
+
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+
+    location / {
+        proxy_pass http://localhost:${backendClientPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+` : ''}`;
+}
+
+/**
+ * Generate self-signed SSL certificate for Cloudflare Full mode
+ * @returns {Promise<void>}
+ */
+export async function generateCloudflareCert() {
+  const sslDir = '/etc/nginx/ssl';
+  const certPath = join(sslDir, 'cloudflare.crt');
+  const keyPath = join(sslDir, 'cloudflare.key');
+
+  // Check if certs already exist
+  if (existsSync(certPath) && existsSync(keyPath)) {
+    return; // Certs already exist
+  }
+
+  // Create SSL directory if it doesn't exist
+  if (!existsSync(sslDir)) {
+    mkdirSync(sslDir, { recursive: true });
+  }
+
+  // Generate self-signed certificate (valid for 10 years)
+  await execa('openssl', [
+    'req', '-x509', '-nodes',
+    '-days', '3650',
+    '-newkey', 'rsa:2048',
+    '-keyout', keyPath,
+    '-out', certPath,
+    '-subj', '/CN=cloudflare-origin/O=ANTE/C=PH'
+  ], { stdio: 'pipe' });
+
+  // Set proper permissions
+  await execa('chmod', ['600', keyPath], { stdio: 'pipe' });
+  await execa('chmod', ['644', certPath], { stdio: 'pipe' });
+}
+
 /**
  * Generate NGINX configuration with SSL support
  * @param {Object} config - Configuration object

package/src/utils/ssl.js

@@ -147,13 +147,15 @@ export async function updateNginxForSSL(config) {
     facialAppDomain,
     posAppDomain,
     clientAppDomain,
+    backendClientDomain,
     frontendPort = 8080,
     apiPort = 3001,
     gateAppPort = 8081,
     guardianAppPort = 8082,
     facialWebPort = 8083,
     posAppPort = 8084,
-    clientAppPort = 9005
+    clientAppPort = 9005,
+    backendClientPort = 4001
   } = config;
   const spinner = ora('Updating NGINX configuration for HTTPS...').start();
 
@@ -181,6 +183,7 @@ export async function updateNginxForSSL(config) {
       facialAppDomain,
       posAppDomain,
       clientAppDomain,
+      backendClientDomain,
       frontendPort,
       apiPort,
       gateAppPort,
@@ -188,6 +191,7 @@ export async function updateNginxForSSL(config) {
       facialWebPort,
       posAppPort,
       clientAppPort,
+      backendClientPort,
       ssl: true
     });