diff --git a/mailgun-webhook/Dockerfile b/mailgun-webhook/Dockerfile
index 7543a81..79b0cb2 100644
--- a/mailgun-webhook/Dockerfile
+++ b/mailgun-webhook/Dockerfile
@@ -16,7 +16,7 @@ COPY ./src ./src
 RUN npm run build
 #--------------------------------------------
-# Stage: instaliram produkcijski node_modules
+# Stage: installing production node_modules
 #--------------------------------------------
 FROM node:20 AS package-stage
@@ -24,11 +24,11 @@ WORKDIR /app
 COPY ./package*.json ./
-# instaliram SAMO produkcijske
+# install ONLY production dependencies
 RUN npm i --omit=dev && npm cache clean --force
 #--------------------------------------------
-# Stage: priprema finalnog image-a
+# Stage: preparing final image
 #--------------------------------------------
 FROM gcr.io/distroless/nodejs:20 AS assembly-stage
@@ -45,30 +45,22 @@ ENV PROMETHEUS_APP_LABEL=${PROMETHEUS_APP_LABEL}=${PROMETHEUS_APP_LABEL}
 ARG PROMETHEUS_HISTOGRAM_BUCKETS
 ENV PROMETHEUS_HISTOGRAM_BUCKETS=${PROMETHEUS_HISTOGRAM_BUCKETS}=${PROMETHEUS_HISTOGRAM_BUCKETS}
-# CORS settings: kojim domenama dopuštam pristup slikama
-ARG CORS_ALLOWED_ORIGINS
-ENV CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS}
-
-# (optional) IP Address whitelist za metrics i prtg router
-ARG METRICS_ALLOWED_IP_ADDRESSES
-ENV METRICS_ALLOWED_IP_ADDRESSES=${METRICS_ALLOWED_IP_ADDRESSES}
-
-# (optional) uključuje logging u stdout
+# (optional) enables logging to stdout
 ARG DEBUG
 ENV DEBUG=${DEBUG}
-# kopiram node-modules
+# copying node_modules
 COPY --from=package-stage /app/package*.json ./
 COPY --from=package-stage /app/node_modules ./node_modules
-# kopiram buildane datoteke
+# copying built files
 COPY --from=build-stage /app/build ./server
-# server vrtim pod ograničenim "nobody" korisnikom
+# running the server under limited "nobody" user
 USER nobody:nobody
 HEALTHCHECK --interval=30s --timeout=3s --start-period=10s \
 CMD ["/nodejs/bin/node", "./server/healthcheck.js"]
-# pokrećem server
+# starting the server
 CMD ["./server/entry.js"]
diff --git a/mailgun-webhook/build-image.sh b/mailgun-webhook/build-image.sh
index 929802a..4401670 100755
--- a/mailgun-webhook/build-image.sh
+++ b/mailgun-webhook/build-image.sh
@@ -9,18 +9,18 @@ fi
 read -p "BUILD: Push new image to registry [y/n]? " -n 1 -r
 echo # (optional) move to a new line
-PUSH_IMAGE_TO_REPO="$REPLY"
+PUSH_IMAGE="$REPLY"
 printf "\nBUILD START ...\n\n"
+REGISTRY_URL="registry.budakova.org"
 IMAGE_NAME=$(node -p "require('./package.json').name")
 IMAGE_VERSION=$1
-IMAGE_TAG=$IMAGE_NAME:$IMAGE_VERSION
-
+IMAGE_TAG=$REGISTRY_URL/$IMAGE_NAME:$IMAGE_VERSION
 docker build . -t $IMAGE_TAG
-if [[ "$PUSH_IMAGE_TO_REPO" =~ ^[Yy]$ ]]
+if [[ "$PUSH_IMAGE" =~ ^[Yy]$ ]]
 then
 printf "\nPushing image ...\n\n"
 docker push $IMAGE_TAG
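Review bot: The in-app CORS origin check and the metrics/prtg IP allowlist lose their only configuration with the removed `CORS_ALLOWED_ORIGINS` and `METRICS_ALLOWED_IP_ADDRESSES` ARG/ENV pairs at the top of this hunk, and the type comments removed in the `environment.d.ts` hunk state that an unset value disables those checks outright, so unless the runtime reads were removed elsewhere the metrics routes are now protected only by the CloudFlare rule mentioned in the docs, and any path that reaches the container without passing that edge (direct origin access, in-cluster traffic) is unrestricted. If the application still reads these variables, keep passing them through the image until the edge rule is verified, or remove the runtime check in the same change and state in the API spec that metrics are edge-protected only; removing the declarations alone does not remove the `process.env` reads, since the `NodeJS.ProcessEnv` index signature presumably keeps them compiling as `string | undefined`. Separately, the context lines `ENV PROMETHEUS_APP_LABEL=${PROMETHEUS_APP_LABEL}=${PROMETHEUS_APP_LABEL}` and `ENV PROMETHEUS_HISTOGRAM_BUCKETS=${PROMETHEUS_HISTOGRAM_BUCKETS}=${PROMETHEUS_HISTOGRAM_BUCKETS}` appear to assign `value=value`, unlike `ENV DEBUG=${DEBUG}`, which would corrupt the bucket list at runtime unless this is an artifact of how the diff was captured; worth confirming in the file.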
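Review bot: The new `IMAGE_TAG=$REGISTRY_URL/$IMAGE_NAME:$IMAGE_VERSION` is expanded unquoted in `docker build . -t $IMAGE_TAG` and `docker push $IMAGE_TAG`, and `IMAGE_VERSION=$1` is taken as given, so an empty or whitespace-containing argument turns into a malformed tag or extra docker arguments; quote both uses, `docker build . -t "$IMAGE_TAG"` and `docker push "$IMAGE_TAG"`. The added `REGISTRY_URL="registry.budakova.org"` is hard-coded, which ties every build and push to one registry; `REGISTRY_URL="${REGISTRY_URL:-registry.budakova.org}"` keeps the default while letting CI or a developer override it. Whether `$1` is validated before this hunk is not visible here (the `fi` in the hunk header suggests an earlier check, but its condition is outside the diff).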
diff --git a/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md b/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md
index 0bd30bc..38f602f 100644
--- a/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md
+++ b/mailgun-webhook/docs/MAILGUN_WEBHOOK_API_SPEC.md
@@ -133,7 +133,7 @@ For **unsubscribed** events:
 ### Future Enhancements
 For production deployment, consider:
 - **Signature Verification**: Verify webhook authenticity using `timestamp`, `token`, and `signature`
-- **IP Whitelisting**: Restrict to MailGun's IP ranges
+- **IP Whitelisting**: Restrict to MailGun's IP ranges (implemented via CloudFlare)
 - **Rate Limiting**: Prevent abuse
 ## Database Integration
diff --git a/mailgun-webhook/src/types/environment.d.ts b/mailgun-webhook/src/types/environment.d.ts
index 6464acd..fb97f11 100644
--- a/mailgun-webhook/src/types/environment.d.ts
+++ b/mailgun-webhook/src/types/environment.d.ts
@@ -13,16 +13,6 @@ declare global {
 * @default "0.1, 0.5, 1, 5, 10"
 * */
 PROMETHEUS_HISTOGRAM_BUCKETS?: string,
- /**
- * (optional) CORS settings: which domains are allowed to access resources
- * @summary If parameter is not set, origin checking will be disabled
- * */
- CORS_ALLOWED_ORIGINS?:string,
- /**
- * (optional) IP Address whitelist for prometheus metrics (if not set whitelisting will be disabled)
- * @summary Although this param is optional, it is recommended for security reasons
- * */
- METRICS_ALLOWED_IP_ADDRESSES?:string,
 }
 }
 }