npm - ante-erp-cli - Versions diffs - 1.7.1 → 1.7.2 - Mend

ante-erp-cli 1.7.1 → 1.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/src/commands/ssl-enable.js +30 -14
package/src/utils/nginx.js +138 -1
package/src/utils/ssl.js +55 -95

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ante-erp-cli",
-  "version": "1.7.1",
+  "version": "1.7.2",
   "description": "Comprehensive CLI tool for managing ANTE ERP self-hosted installations",
   "type": "module",
   "bin": {

package/src/commands/ssl-enable.js CHANGED Viewed

@@ -196,28 +196,19 @@ export async function sslEnable(options) {
     console.log(chalk.bold('\n🚀 Starting SSL Configuration...\n'));
-    // Obtain and configure SSL for each domain
-    for (const domainConfig of domains) {
-      console.log(chalk.cyan(`\n📋 Configuring SSL for ${domainConfig.domain}...\n`));
+    // Step 1: Obtain SSL certificates for all domains
+    console.log(chalk.cyan('📋 Obtaining SSL certificates...\n'));
+    for (const domainConfig of domains) {
       try {
-        // Step 1: Obtain SSL certificate
+        console.log(chalk.gray(`   Obtaining certificate for ${domainConfig.domain}...`));
         await obtainSSLCertificate({
           domain: domainConfig.domain,
           email: options.email,
           staging: options.staging || false
         });
-        // Step 2: Update NGINX configuration
-        await updateNginxForSSL({
-          domain: domainConfig.domain,
-          port: domainConfig.port
-        });
-        console.log(chalk.green(`✓ SSL configured for ${domainConfig.domain}\n`));
       } catch (error) {
-        console.log(chalk.red(`✗ Failed to configure SSL for ${domainConfig.domain}:`), error.message);
+        console.log(chalk.red(`\n✗ Failed to obtain SSL certificate for ${domainConfig.domain}:`), error.message);
         console.log(chalk.yellow('\n⚠  Troubleshooting:'));
         console.log(chalk.gray('   1. Verify DNS points to this server'));
         console.log(chalk.gray('   2. Ensure ports 80 and 443 are open'));
@@ -227,6 +218,31 @@ export async function sslEnable(options) {
       }
     }
+    console.log(chalk.green('\n✓ All SSL certificates obtained\n'));
+    // Step 2: Update NGINX configuration with SSL
+    console.log(chalk.cyan('🔧 Configuring NGINX for HTTPS...\n'));
+    try {
+      // Extract frontend and API ports
+      const frontendPort = frontendUrl.match(/:(\d+)/) ? parseInt(frontendUrl.match(/:(\d+)/)[1]) : 8080;
+      const apiPort = apiUrl.match(/:(\d+)/) ? parseInt(apiUrl.match(/:(\d+)/)[1]) : 3001;
+      await updateNginxForSSL({
+        frontendDomain: frontendUrl,
+        apiDomain: apiUrl,
+        frontendPort,
+        apiPort
+      });
+    } catch (error) {
+      console.log(chalk.red('\n✗ Failed to configure NGINX:'), error.message);
+      console.log(chalk.yellow('\n⚠  Troubleshooting:'));
+      console.log(chalk.gray('   1. Check NGINX configuration: nginx -t'));
+      console.log(chalk.gray('   2. View NGINX logs: journalctl -u nginx'));
+      console.log(chalk.gray('   3. Restore backup: cp /etc/nginx/sites-enabled/ante.backup /etc/nginx/sites-enabled/ante\n'));
+      process.exit(1);
+    }
     // Setup automatic renewal
     console.log(chalk.cyan('\n🔄 Setting up automatic certificate renewal...\n'));
     await setupAutoRenewal();

package/src/utils/nginx.js CHANGED Viewed

@@ -50,15 +50,20 @@ export async function installNginx(spinner) {
  * @param {string} config.apiDomain - API domain (e.g., api.ante.example.com)
  * @param {number} config.frontendPort - Frontend Docker port (default: 8080)
  * @param {number} config.apiPort - API Docker port (default: 3001)
+ * @param {boolean} config.ssl - Enable SSL configuration (default: false)
  * @returns {string} NGINX configuration content
  */
 export function generateNginxConfig(config) {
-  const { frontendDomain, apiDomain, frontendPort = 8080, apiPort = 3001 } = config;
+  const { frontendDomain, apiDomain, frontendPort = 8080, apiPort = 3001, ssl = false } = config;
   // Extract domain without protocol
   const frontendHost = frontendDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
   const apiHost = apiDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
+  if (ssl) {
+    return generateSslNginxConfig({ frontendHost, apiHost, frontendPort, apiPort });
+  }
   return `# ANTE Frontend Configuration
 server {
     listen 80;
@@ -127,6 +132,138 @@ server {
 `;
 }
+/**
+ * Generate NGINX configuration with SSL support
+ * @param {Object} config - Configuration object
+ * @param {string} config.frontendHost - Frontend hostname
+ * @param {string} config.apiHost - API hostname
+ * @param {number} config.frontendPort - Frontend port
+ * @param {number} config.apiPort - API port
+ * @returns {string} NGINX configuration with SSL
+ */
+function generateSslNginxConfig(config) {
+  const { frontendHost, apiHost, frontendPort, apiPort } = config;
+  return `# ANTE Frontend Configuration (HTTPS)
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name ${frontendHost};
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/${frontendHost}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${frontendHost}/privkey.pem;
+    # SSL Configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${frontendPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+}
+# HTTP to HTTPS redirect for ${frontendHost}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${frontendHost};
+    return 301 https://$server_name$request_uri;
+}
+# ANTE API Configuration (HTTPS)
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name ${apiHost};
+    # SSL Certificate paths
+    ssl_certificate /etc/letsencrypt/live/${apiHost}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${apiHost}/privkey.pem;
+    # SSL Configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options SAMEORIGIN always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    # Increase buffer sizes for large headers
+    client_header_buffer_size 16k;
+    large_client_header_buffers 4 16k;
+    # Increase body size for file uploads
+    client_max_body_size 100M;
+    location / {
+        proxy_pass http://localhost:${apiPort};
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        # Timeout settings
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        # WebSocket support
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+    }
+}
+# HTTP to HTTPS redirect for ${apiHost}
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ${apiHost};
+    return 301 https://$server_name$request_uri;
+}
+`;
+}
 /**
  * Configure NGINX for ANTE domains
  * @param {Object} config - Configuration object

package/src/utils/ssl.js CHANGED Viewed

@@ -1,7 +1,8 @@
 import chalk from 'chalk';
 import ora from 'ora';
 import { execa } from 'execa';
-import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { writeFileSync, existsSync, copyFileSync } from 'fs';
+import { generateNginxConfig } from './nginx.js';
 /**
  * Check if certbot is installed
@@ -121,16 +122,19 @@ export async function obtainSSLCertificate(config) {
 /**
  * Update NGINX configuration to use SSL
  * @param {Object} config - Configuration object
- * @param {string} config.domain - Domain name
- * @param {number} config.port - Backend port to proxy to
+ * @param {string} config.frontendDomain - Frontend domain URL
+ * @param {string} config.apiDomain - API domain URL
+ * @param {number} [config.frontendPort=8080] - Frontend port
+ * @param {number} [config.apiPort=3001] - API port
  * @returns {Promise<void>}
  */
 export async function updateNginxForSSL(config) {
-  const { domain, port } = config;
-  const spinner = ora(`Updating NGINX configuration for ${domain}...`).start();
+  const { frontendDomain, apiDomain, frontendPort = 8080, apiPort = 3001 } = config;
+  const spinner = ora('Updating NGINX configuration for HTTPS...').start();
   try {
     const configPath = '/etc/nginx/sites-enabled/ante';
+    const backupPath = `${configPath}.backup`;
     // Check if config exists
     if (!existsSync(configPath)) {
@@ -138,112 +142,68 @@ export async function updateNginxForSSL(config) {
       throw new Error('Please run "ante set-domain" first to configure NGINX');
     }
-    // Read existing config
-    let nginxConfig = readFileSync(configPath, 'utf8');
+    // Backup existing configuration
+    spinner.text = 'Backing up current NGINX configuration...';
+    copyFileSync(configPath, backupPath);
-    // Find the server block for this domain
-    const serverBlockRegex = new RegExp(
-      `server\\s*{[^}]*server_name\\s+${domain.replace('.', '\\.')}[^}]*}`,
-      's'
-    );
+    // Generate new SSL-enabled configuration
+    spinner.text = 'Generating SSL configuration...';
+    const sslConfig = generateNginxConfig({
+      frontendDomain,
+      apiDomain,
+      frontendPort,
+      apiPort,
+      ssl: true
+    });
-    const match = nginxConfig.match(serverBlockRegex);
-    if (!match) {
-      spinner.fail(`No NGINX configuration found for ${domain}`);
-      throw new Error(`Domain ${domain} not found in NGINX configuration`);
-    }
-    const oldServerBlock = match[0];
-    // Create HTTPS server block
-    const httpsServerBlock = `# HTTPS Configuration for ${domain}
-server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
-    server_name ${domain};
-    # SSL Certificate paths
-    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
-    # SSL Configuration
-    ssl_protocols TLSv1.2 TLSv1.3;
-    ssl_ciphers HIGH:!aNULL:!MD5;
-    ssl_prefer_server_ciphers on;
-    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 10m;
-    # Security headers
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-    add_header X-Frame-Options SAMEORIGIN always;
-    add_header X-Content-Type-Options nosniff always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    # Increase buffer sizes for large headers
-    client_header_buffer_size 16k;
-    large_client_header_buffers 4 16k;
-    # Increase body size for file uploads
-    client_max_body_size 100M;
-    location / {
-        proxy_pass http://localhost:${port};
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection 'upgrade';
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_cache_bypass $http_upgrade;
-        # Timeout settings
-        proxy_connect_timeout 60s;
-        proxy_send_timeout 60s;
-        proxy_read_timeout 60s;
-        # WebSocket support
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-    }
-}
-# HTTP to HTTPS redirect for ${domain}
-server {
-    listen 80;
-    listen [::]:80;
-    server_name ${domain};
-    # Redirect all HTTP requests to HTTPS
-    return 301 https://$server_name$request_uri;
-}`;
-    // Replace the old server block with HTTPS configuration
-    nginxConfig = nginxConfig.replace(oldServerBlock, httpsServerBlock);
-    // Write updated configuration
-    writeFileSync(configPath, nginxConfig);
-    spinner.text = 'Testing NGINX configuration...';
+    // Write new configuration
+    writeFileSync(configPath, sslConfig);
     // Test NGINX configuration
+    spinner.text = 'Testing NGINX configuration...';
     try {
-      await execa('nginx', ['-t'], { stdio: 'pipe' });
+      const { stderr } = await execa('nginx', ['-t'], { stdio: 'pipe' });
+      // Check for warnings
+      if (stderr && !stderr.includes('syntax is ok')) {
+        console.log(chalk.yellow('\n⚠  NGINX warnings:'));
+        console.log(chalk.gray(stderr));
+      }
     } catch (error) {
       spinner.fail('NGINX configuration test failed');
-      throw new Error(`Invalid NGINX configuration: ${error.message}`);
-    }
-    spinner.text = 'Reloading NGINX...';
+      // Restore backup
+      console.log(chalk.yellow('\n⚠  Restoring previous configuration...'));
+      copyFileSync(backupPath, configPath);
+      throw new Error(`Invalid NGINX configuration: ${error.stderr || error.message}`);
+    }
     // Reload NGINX
+    spinner.text = 'Reloading NGINX...';
     try {
       await execa('systemctl', ['reload', 'nginx'], { stdio: 'pipe' });
     } catch {
+      // If reload fails, try restart
       await execa('systemctl', ['restart', 'nginx'], { stdio: 'pipe' });
     }
-    spinner.succeed(`NGINX configured for HTTPS on ${domain}`);
+    // Verify NGINX is running
+    const { stdout } = await execa('systemctl', ['is-active', 'nginx'], { stdio: 'pipe' });
+    if (stdout.trim() !== 'active') {
+      throw new Error('NGINX failed to start after configuration update');
+    }
+    spinner.succeed('NGINX configured for HTTPS');
+    // Show configuration info
+    const frontendHost = frontendDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
+    const apiHost = apiDomain.replace(/^https?:\/\//, '').replace(/:\d+$/, '');
+    console.log(chalk.gray('\n📝 NGINX Configuration:'));
+    console.log(chalk.gray(`   Frontend: https://${frontendHost} → localhost:${frontendPort}`));
+    console.log(chalk.gray(`   API: https://${apiHost} → localhost:${apiPort}`));
+    console.log(chalk.gray(`   HTTP redirects to HTTPS: Enabled\n`));
   } catch (error) {
     spinner.fail('Failed to update NGINX configuration');
     throw error;