From 230f9ffaf6aa0d94d99de5fd6f10ed4150aa71c2 Mon Sep 17 00:00:00 2001
From: "eve n.u"
Date: Thu, 2 May 2024 14:37:02 -0700
Subject: [PATCH 1/3] fix: do not force sslmode at infrastructure level

---
 core/.env.docker                                          | 2 +-
 infrastructure/terraform/modules/core-services/outputs.tf | 6 ------
 infrastructure/terraform/modules/deployment/main.tf       | 2 --
 3 files changed, 1 insertion(+), 9 deletions(-)

diff --git a/core/.env.docker b/core/.env.docker
index b078bce2c..d7f38fe8c 100644
--- a/core/.env.docker
+++ b/core/.env.docker
@@ -1 +1 @@
-DATABASE_URL=postgresql://${PGUSER}:${PGPASSWORD}@${PGHOST}:${PGPORT}/${PGDATABASE}?sslmode=require
+DATABASE_URL=postgresql://${PGUSER}:${PGPASSWORD}@${PGHOST}:${PGPORT}/${PGDATABASE}
diff --git a/infrastructure/terraform/modules/core-services/outputs.tf b/infrastructure/terraform/modules/core-services/outputs.tf
index 123279536..e55d3ace2 100644
--- a/infrastructure/terraform/modules/core-services/outputs.tf
+++ b/infrastructure/terraform/modules/core-services/outputs.tf
@@ -2,7 +2,6 @@ locals {
   db_user = aws_db_instance.core_postgres.username
   db_name = aws_db_instance.core_postgres.db_name
   db_host = aws_db_instance.core_postgres.address
-  db_sslmode = "require"
 }
 
 output "secrets" {
@@ -23,17 +22,12 @@ output "asset_uploader_key_id" {
   value = aws_iam_access_key.asset_uploader.id
 }
 
-output "rds_connection_string_sans_password" {
-  value = "postgresql://${local.db_user}@${local.db_host}:5432/${local.db_name}?sslmode=${local.db_sslmode}"
-}
-
 output "rds_connection_components" {
   value = {
     user = local.db_user
     database = local.db_name
     host = local.db_host
     port = "5432"
-    sslmode = local.db_sslmode
     id = aws_db_instance.core_postgres.id
   }
 }
diff --git a/infrastructure/terraform/modules/deployment/main.tf b/infrastructure/terraform/modules/deployment/main.tf
index 8cd0d45a1..18d6d7729 100644
--- a/infrastructure/terraform/modules/deployment/main.tf
+++ b/infrastructure/terraform/modules/deployment/main.tf
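Review bot: Dropping `?sslmode=require` from DATABASE_URL leaves the TLS mode to the client's default, and nothing in this series sets `PGSSLMODE` in its place: libpq's default is `prefer`, which silently falls back to cleartext when the server allows it, and the Node drivers that read DATABASE_URL generally do not enable TLS at all unless a mode is given. If the intent is to move from `require` to certificate verification once the RDS bundle is in the image, keep the mode explicit and per-environment, e.g. `DATABASE_URL=postgresql://${PGUSER}:${PGPASSWORD}@${PGHOST}:${PGPORT}/${PGDATABASE}?sslmode=${PGSSLMODE}` with `PGSSLMODE=verify-full` supplied alongside PGHOST (whether the loader of this env file expands `${…}` is not visible here — confirm). Otherwise this is a downgrade from mandatory to opportunistic encryption rather than a relocation of the setting, and the database side should at least enforce `rds.force_ssl` so plain connections are refused regardless of client configuration.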
@@ -76,7 +76,6 @@ module "service_core" {
     configuration = {
       container_port = 3000
       environment = [
-        # { name = "DATABASE_URL", value = module.core_dependency_services.rds_connection_string_sans_password },
         { name = "PGUSER", value = module.core_dependency_services.rds_connection_components.user },
         { name = "PGDATABASE", value = module.core_dependency_services.rds_connection_components.database },
         { name = "PGHOST", value = module.core_dependency_services.rds_connection_components.host },
@@ -213,7 +212,6 @@ module "service_flock" {
 
     configuration = {
       environment = [
-        # { name = "DATABASE_URL", value = module.core_dependency_services.rds_connection_string_sans_password },
         { name = "PGUSER", value = module.core_dependency_services.rds_connection_components.user },
         { name = "PGDATABASE", value = module.core_dependency_services.rds_connection_components.database },
         { name = "PGHOST", value = module.core_dependency_services.rds_connection_components.host },

From a0a31bd31585f7ba4ff9b84cb87b8e8635512433 Mon Sep 17 00:00:00 2001
From: "eve n.u"
Date: Mon, 6 May 2024 12:57:01 -0700
Subject: [PATCH 2/3] add RDS CA certs to all container dockerfiles

---
 Dockerfile | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 8f8cf24b9..99b27114b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,7 +16,14 @@ FROM node:${NODE_VERSION}-alpine as base
 ARG PNPM_VERSION=8.14.3
 
 # Install python deps for node-gyp
-RUN apk add g++ make py3-pip
+RUN apk add g++ make py3-pip ca-certificates curl
+
+# Setup RDS CA Certificates
+
+RUN curl -L \
+  -o /usr/local/share/ca-certificates/rds-global-bundle.pem \
+  https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem \
+  && update-ca-certificates
 
 # Set working directory for all build stages.
 WORKDIR /usr/src/app

From 54181661769d3848c8b7e8a94928172beb26626f Mon Sep 17 00:00:00 2001
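Review bot: Importing the RDS bundle with `update-ca-certificates` only updates the OpenSSL system store, which Node does not consult by default — it ships its own root list — so a `pg` client asked to verify the RDS server certificate will still fail unless the bundle is handed to it explicitly; add `ENV NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/rds-global-bundle.pem` after the new RUN so every stage built from `base` inherits it. The download is also unverified and non-fatal: `curl -L` without `--fail` writes an HTML error body into the `.pem` on a 4xx/5xx and the build succeeds anyway, so use at least `curl -fsSL` and, ideally, check the file against a pinned SHA-256 before calling `update-ca-certificates`. It is worth confirming that Alpine's `update-ca-certificates` picks up a `.pem` from `/usr/local/share/ca-certificates` at all — the Debian implementation imports only `*.crt`, so naming the file `rds-global-bundle.crt` is the safer choice.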
From: "eve n.u"
Date: Mon, 6 May 2024 15:41:13 -0700
Subject: [PATCH 3/3] fix: nginx uses safe x-forwarded-host flag

---
 infrastructure/nginx/default.conf.template | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/infrastructure/nginx/default.conf.template b/infrastructure/nginx/default.conf.template
index 56b150b5c..a1c71bf41 100644
--- a/infrastructure/nginx/default.conf.template
+++ b/infrastructure/nginx/default.conf.template
@@ -8,6 +8,11 @@ server {
 
     location / {
         proxy_pass $scheme://nextjs;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
     }
 
     location /legacy_healthcheck {
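Review bot: `X-Forwarded-Host $host` is only as safe as this server block's Host matching: `$host` is taken from the client's Host header (it falls back to `server_name` only when the header is absent), so if this `server` is the default/catch-all or its `server_name` is a wildcard, an attacker-controlled Host still reaches Next.js and can poison generated absolute URLs and redirects; the `server_name` directive is outside the hunk, so confirm it lists only the real hostnames and that a separate default server answers unmatched hosts with `return 444;`. The new headers also omit the scheme, which the app needs to build correct `https://` URLs when TLS is terminated at nginx or in front of it — add `proxy_set_header X-Forwarded-Proto $scheme;` next to them (the context line `proxy_pass $scheme://nextjs;` forwards to the upstream with the client's scheme, which is unusual and worth a second look). Note that `$proxy_add_x_forwarded_for` appends to any client-supplied X-Forwarded-For rather than replacing it, so the application must trust only the last address in that list.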