From 20817d22b88da887a21c45664f85d2a0ea80e5f6 Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Sat, 3 Oct 2020 20:18:00 -0400 Subject: [PATCH 01/14] Adding HTTPS on Prod version Added certs and open both port 80 and 443. Port 80 will redirect to port 443. --- docker-compose.production.yml | 1 + src/web/nginx.conf | 16 +++++++++++++++- src/web/scripts/entrypoint.sh | 10 ++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/docker-compose.production.yml b/docker-compose.production.yml index 319c26c57..c4cbc1e8a 100644 --- a/docker-compose.production.yml +++ b/docker-compose.production.yml @@ -7,6 +7,7 @@ services: yacs_web: ports: - 80:80 + - 443:443 environment: # https://docs.docker.com/compose/compose-file/#variable-substitution - HOST=${HOST:-localhost} diff --git a/src/web/nginx.conf b/src/web/nginx.conf index f560c512b..569842caf 100644 --- a/src/web/nginx.conf +++ b/src/web/nginx.conf @@ -13,10 +13,24 @@ http { default_type application/octet-stream; keepalive_timeout 65; - server { + + server{ listen 80; + listen [::]:80; + server_name ${HOST}; + return 301 https://${HOST}; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate /etc/nginx/certs/${HOST}.crt; + ssl_certificate_key /etc/nginx/certs/${HOST}.key; + server_name ${HOST}; + # simple secure admin panel, will change later location ~* ^/admin { auth_basic "Admin Panel"; diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index ae69bb1d1..ea346063d 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh 
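Review bot: The port-80 server's `return 301 https://${HOST};` discards the path and query string of every redirected request, so deep links land on the site root; because the template is only run through `envsubst '\$HOST'`, an nginx variable survives substitution and the line can be `return 301 https://${HOST}$request_uri;`. The 443 server sets only the certificate paths, so protocol and cipher selection fall back to the nginx build's defaults, which in older builds still include TLS 1.0/1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` next to the `ssl_certificate_key` line (TLS 1.3 presumably needs an OpenSSL 1.1.1-or-newer build). The `http {` block these servers sit in starts and ends outside the hunk. The same hunk reappears unchanged in PATCH 02, 04 and 13 of this series, which reads like the commit was rebased in more than once and is worth squashing before merge.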
@@ -13,6 +13,16 @@ envsubst '\$HOST' < \ /etc/nginx/nginx.template.conf > \ /etc/nginx/nginx.conf +# Generating SSL Certificates +mkdir /etc/nginx/certs +cd /etc/nginx/certs +openssl genrsa -passout pass:x -out $HOST.pass.key 2048 +openssl rsa -passin pass:x -in $HOST.pass.key -out $HOST.key +rm $HOST.pass.key +openssl req -new -key $HOST.key -out $HOST.csr \ + -subj "/C=US/ST=New York/O=RPI RCOS" +openssl x509 -req -days 365 -in $HOST.csr -signkey $HOST.key -out $HOST.crt + # start nginx echo "starting nginx:" nginx -g "daemon off;" From 5f5e855c3438fdca8d81784fa21d99383e881e7a Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Sat, 3 Oct 2020 20:18:00 -0400 Subject: [PATCH 02/14] Adding HTTPS on Prod version Added certs and open both port 80 and 443. Port 80 will redirect to port 443. --- docker-compose.production.yml | 1 + src/web/nginx.conf | 16 +++++++++++++++- src/web/scripts/entrypoint.sh | 10 ++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/docker-compose.production.yml b/docker-compose.production.yml index 319c26c57..c4cbc1e8a 100644 --- a/docker-compose.production.yml +++ b/docker-compose.production.yml @@ -7,6 +7,7 @@ services: yacs_web: ports: - 80:80 + - 443:443 environment: # https://docs.docker.com/compose/compose-file/#variable-substitution - HOST=${HOST:-localhost} diff --git a/src/web/nginx.conf b/src/web/nginx.conf index f560c512b..569842caf 100644 --- a/src/web/nginx.conf +++ b/src/web/nginx.conf @@ -13,10 +13,24 @@ http { default_type application/octet-stream; keepalive_timeout 65; - server { + + server{ listen 80; + listen [::]:80; + server_name ${HOST}; + return 301 https://${HOST}; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate /etc/nginx/certs/${HOST}.crt; + ssl_certificate_key /etc/nginx/certs/${HOST}.key; + server_name ${HOST}; + # simple secure admin panel, will change later location ~* ^/admin { auth_basic "Admin Panel"; 
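Review bot: The key and certificate are regenerated on every container start, so each restart serves a different self-signed certificate, and `mkdir /etc/nginx/certs` (no `-p`) fails once the directory already exists, which it will if the container is restarted rather than recreated. The `-subj "/C=US/ST=New York/O=RPI RCOS"` has neither a CN nor a SAN, so the resulting certificate never matches `$HOST` and a client that has chosen to trust it still cannot validate the name. The `genrsa -passout pass:x` / `rsa -passin pass:x` pair is a no-op: `genrsa` without a cipher option already writes an unencrypted key, so the `.pass.key` round trip only adds a file that has to be removed. Generate once behind an existence check, with a single `openssl req -x509` that names the host, and restrict the key's permissions; the same hunk recurs in PATCH 02, 04 and 13.
```shell
# Generate a self-signed certificate once and reuse it across restarts;
# a CN and SAN naming $HOST let clients that trust the cert validate it.
mkdir -p /etc/nginx/certs
cd /etc/nginx/certs
if [ ! -f "$HOST.key" ] || [ ! -f "$HOST.crt" ]; then
  # -addext needs OpenSSL 1.1.1 or newer; drop it on older builds
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$HOST.key" -out "$HOST.crt" \
    -subj "/C=US/ST=New York/O=RPI RCOS/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST"
  chmod 600 "$HOST.key"
fi
# … unchanged: start nginx …
```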
diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index ae69bb1d1..ea346063d 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -13,6 +13,16 @@ envsubst '\$HOST' < \ /etc/nginx/nginx.template.conf > \ /etc/nginx/nginx.conf +# Generating SSL Certificates +mkdir /etc/nginx/certs +cd /etc/nginx/certs +openssl genrsa -passout pass:x -out $HOST.pass.key 2048 +openssl rsa -passin pass:x -in $HOST.pass.key -out $HOST.key +rm $HOST.pass.key +openssl req -new -key $HOST.key -out $HOST.csr \ + -subj "/C=US/ST=New York/O=RPI RCOS" +openssl x509 -req -days 365 -in $HOST.csr -signkey $HOST.key -out $HOST.crt + # start nginx echo "starting nginx:" nginx -g "daemon off;" From bba929b25ffcdd3025fa40ba4318c2c2039650f5 Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Tue, 6 Oct 2020 17:37:59 -0400 Subject: [PATCH 03/14] just testing the https deployment --- ops/provision.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ops/provision.js b/ops/provision.js index d4ddcb176..26ac2ae06 100644 --- a/ops/provision.js +++ b/ops/provision.js @@ -69,8 +69,8 @@ const infraSync = async () => { // print ip // USED IN GITHUB ACTIONS PIPELINE TO SHOW MESSAGE IN PR - // DO NOT REFORMAT - console.log(`http://${info.ipv4[0]}`) + // Changing it to HTTPS instead of HTTP + console.log(`https://${info.ipv4[0]}`) } infraSync() From e45c1e893dbba4d21f8a76e2b999562cf89f24eb Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Sat, 3 Oct 2020 20:18:00 -0400 Subject: [PATCH 04/14] Adding HTTPS on Prod version Added certs and open both port 80 and 443. Port 80 will redirect to port 443. --- docker-compose.production.yml | 1 + src/web/nginx.conf | 16 +++++++++++++++- src/web/scripts/entrypoint.sh | 10 ++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/docker-compose.production.yml b/docker-compose.production.yml index 319c26c57..c4cbc1e8a 100644 --- a/docker-compose.production.yml 
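Review bot: The `// DO NOT REFORMAT` guard is replaced by a changelog-style comment, yet the line above it says this `console.log` output is parsed by the GitHub Actions pipeline, so the guard is what tells the next editor not to touch the format; keep `// DO NOT REFORMAT` and put the "why" in the commit message instead. The printed URL is the bare IPv4 address while the nginx configuration in PATCH 01 issues the certificate for `${HOST}`, so the link presumably opens with a certificate name mismatch unless `HOST` is that address. `infraSync` starts outside the hunk. PATCH 05 repeats this hunk verbatim.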
+++ b/docker-compose.production.yml @@ -7,6 +7,7 @@ services: yacs_web: ports: - 80:80 + - 443:443 environment: # https://docs.docker.com/compose/compose-file/#variable-substitution - HOST=${HOST:-localhost} diff --git a/src/web/nginx.conf b/src/web/nginx.conf index f560c512b..569842caf 100644 --- a/src/web/nginx.conf +++ b/src/web/nginx.conf @@ -13,10 +13,24 @@ http { default_type application/octet-stream; keepalive_timeout 65; - server { + + server{ listen 80; + listen [::]:80; + server_name ${HOST}; + return 301 https://${HOST}; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate /etc/nginx/certs/${HOST}.crt; + ssl_certificate_key /etc/nginx/certs/${HOST}.key; + server_name ${HOST}; + # simple secure admin panel, will change later location ~* ^/admin { auth_basic "Admin Panel"; diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index ae69bb1d1..ea346063d 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -13,6 +13,16 @@ envsubst '\$HOST' < \ /etc/nginx/nginx.template.conf > \ /etc/nginx/nginx.conf +# Generating SSL Certificates +mkdir /etc/nginx/certs +cd /etc/nginx/certs +openssl genrsa -passout pass:x -out $HOST.pass.key 2048 +openssl rsa -passin pass:x -in $HOST.pass.key -out $HOST.key +rm $HOST.pass.key +openssl req -new -key $HOST.key -out $HOST.csr \ + -subj "/C=US/ST=New York/O=RPI RCOS" +openssl x509 -req -days 365 -in $HOST.csr -signkey $HOST.key -out $HOST.crt + # start nginx echo "starting nginx:" nginx -g "daemon off;" From 4c863c67a5e81ddd6a1c5986039f8c8713293eb1 Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Tue, 6 Oct 2020 17:37:59 -0400 Subject: [PATCH 05/14] just testing the https deployment --- ops/provision.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ops/provision.js b/ops/provision.js index d4ddcb176..26ac2ae06 100644 --- a/ops/provision.js +++ b/ops/provision.js 
@@ -69,8 +69,8 @@ const infraSync = async () => { // print ip // USED IN GITHUB ACTIONS PIPELINE TO SHOW MESSAGE IN PR - // DO NOT REFORMAT - console.log(`http://${info.ipv4[0]}`) + // Changing it to HTTPS instead of HTTP + console.log(`https://${info.ipv4[0]}`) } infraSync() From 03a5a7b2498665d596949a9d415f8dd6f40a4c39 Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Sun, 11 Oct 2020 15:31:01 -0400 Subject: [PATCH 06/14] Adding the own certificate don't really know if this is implemented correctly --- src/web/Dockerfile | 1 + src/web/certificate/READMD.md | 4 ++++ src/web/certificate/localhost.crt | 18 ++++++++++++++++++ src/web/certificate/localhost.csr | 16 ++++++++++++++++ src/web/certificate/localhost.key | 27 +++++++++++++++++++++++++++ src/web/nginx.conf | 4 ++-- src/web/scripts/entrypoint.sh | 21 ++++++++++++--------- 7 files changed, 80 insertions(+), 11 deletions(-) create mode 100644 src/web/certificate/READMD.md create mode 100644 src/web/certificate/localhost.crt create mode 100644 src/web/certificate/localhost.csr create mode 100644 src/web/certificate/localhost.key diff --git a/src/web/Dockerfile b/src/web/Dockerfile index cef2c5b7b..f15b87b2a 100644 --- a/src/web/Dockerfile +++ b/src/web/Dockerfile @@ -12,6 +12,7 @@ RUN mkdir /app COPY --from=build-stage /app/dist /app COPY nginx.conf /etc/nginx/nginx.template.conf COPY scripts/entrypoint.sh /usr/local/bin/entrypoint.sh +ADD certificate/ /etc/nginx/certificate # get openssl to do crypt(3) RUN \ diff --git a/src/web/certificate/READMD.md b/src/web/certificate/READMD.md new file mode 100644 index 000000000..12daede96 --- /dev/null +++ b/src/web/certificate/READMD.md @@ -0,0 +1,4 @@ +# SSL Certificate for yacs-web + +The public/private keypairs are default and should be changed before deployment to production! +Generate your own certificate and verify it with a CA! \ No newline at end of file 
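Review bot: `ADD certificate/ /etc/nginx/certificate` bakes `localhost.key` into an image layer, where it remains retrievable from the image history even if a later layer deletes or replaces it, and every image built from this Dockerfile shares that key. Mount the certificate directory at runtime instead (a compose `volumes:` entry, or the entrypoint's own generation) and list `src/web/certificate/` in `.dockerignore` so a checked-out key cannot reach the image. For local files `COPY` is the conventional instruction, since `ADD` also unpacks archives and fetches URLs (PATCH 08 makes that change).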
diff --git a/src/web/certificate/localhost.crt b/src/web/certificate/localhost.crt
new file mode 100644
index 000000000..0cb766606
--- /dev/null
+++ b/src/web/certificate/localhost.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdUCFFNNMUwxQFACL90EEGMsuY7R/RdiMA0GCSqGSIb3DQEBCwUAMDMx
+CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UECgwIUlBJIFJD
+T1MwHhcNMjAxMDExMTkyMDA2WhcNMjExMDExMTkyMDA2WjAzMQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAoMCFJQSSBSQ09TMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArF6EHLgyojK2dgh6Jjeh8tQQ8fi5KjCJ
+R+wBHncYjReyRJm2bFAc/OTVokyqsI+0qgY0WFdaknGP+QcE9BUk0lj0aBgvR/av
+s/RvJCWrE0GCdI836Z6LHo/iddBDK2NYYnWurCN3QNP8SViZJdTftSQzflfMTQVR
+Pv5tP1r5xaYWUjv94sSSq1gVS6JiYH/yyBags8hgj341yui2mbSfWtxJ174aMNXD
+jYew/dhFLdMZAfRKIcWgHUEzCyS63Rzlr9EM/bfj+ypw25knpScmeV8O5BJ0xpnR
+HkzQpCJ6r4oGQDuoaiwwdVMBhkCHYocxO8X+M42z4I8VsXpoaf3EiwIDAQABMA0G
+CSqGSIb3DQEBCwUAA4IBAQAP6ZWZzIdflw6XjgZaY/rvlc2F+AbulbUGJ6P+YWWa
+3yemYfTNPuerjb70Ey/jIdAuPvEYSkUMUObfx1JofqUhO+S21BRg9qjvFKrea+xv
+umafzl7Hem6Aab3RP/iPgMCYBCm5+Ao+fNS80QndLJ3W3dTjE8Ej396bkDNL8sIz
+sCjK5S9FQ80es+H3ju49UaiSa+Hwz5UpOcrn9o7VNXjtdilkeZtSyoGNmTTDvaG3
+VLe6cln/W3sdRWw0X/FGzWD1bwUq9AorTt0nddKF6VKZe2QKczfeqdSZqjZ0EcdE
+DDaQ6TxMz9fZBgZ5ELadjXn4moNz081nEyveUK/bF+X6
+-----END CERTIFICATE-----
diff --git a/src/web/certificate/localhost.csr b/src/web/certificate/localhost.csr
new file mode 100644
index 000000000..96704e714
--- /dev/null
+++ b/src/web/certificate/localhost.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICeDCCAWACAQAwMzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREw
+DwYDVQQKDAhSUEkgUkNPUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKxehBy4MqIytnYIeiY3ofLUEPH4uSowiUfsAR53GI0XskSZtmxQHPzk1aJMqrCP
+tKoGNFhXWpJxj/kHBPQVJNJY9GgYL0f2r7P0byQlqxNBgnSPN+meix6P4nXQQytj
+WGJ1rqwjd0DT/ElYmSXU37UkM35XzE0FUT7+bT9a+cWmFlI7/eLEkqtYFUuiYmB/
+8sgWoLPIYI9+Ncrotpm0n1rcSde+GjDVw42HsP3YRS3TGQH0SiHFoB1BMwskut0c
+5a/RDP234/sqcNuZJ6UnJnlfDuQSdMaZ0R5M0KQieq+KBkA7qGosMHVTAYZAh2KH
+MTvF/jONs+CPFbF6aGn9xIsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAfkeBr
+P6zQU8dy7lzgwlXSEnZyNuvk2Iplf9t4NgYGPiMcdEUWy5bSu85TQ2tKR0mFC0O6
+iuByOuMxKrbvbQTFjJbpUROCxEbS3VEgY/kCVsnsJgohhS2Qno7zgFWKo7UyYUVD
+3zawhrakU8ttrPpRGuBvqxSSF/GbHn1o6B2YI5EpdjR0mk8lyRdXCEY2EzXeKRQT
+GHAmXl5iDmvVnworSl4xhGFcOc0DF1u07rdGOOiSSVQABsnSTkFTyE5EjRwykKh4
+ZvZ1Q6DH4vg5enlujECOtPP1VjtNP1QhKid1gUQawSY2nzVESBa+L1oMfs3tvmpV
+K3L6c0pciK831qqW
+-----END CERTIFICATE REQUEST-----
diff --git a/src/web/certificate/localhost.key b/src/web/certificate/localhost.key
new file mode 100644
index 000000000..6a09dd52c
--- /dev/null
+++ b/src/web/certificate/localhost.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArF6EHLgyojK2dgh6Jjeh8tQQ8fi5KjCJR+wBHncYjReyRJm2
+bFAc/OTVokyqsI+0qgY0WFdaknGP+QcE9BUk0lj0aBgvR/avs/RvJCWrE0GCdI83
+6Z6LHo/iddBDK2NYYnWurCN3QNP8SViZJdTftSQzflfMTQVRPv5tP1r5xaYWUjv9
+4sSSq1gVS6JiYH/yyBags8hgj341yui2mbSfWtxJ174aMNXDjYew/dhFLdMZAfRK
+IcWgHUEzCyS63Rzlr9EM/bfj+ypw25knpScmeV8O5BJ0xpnRHkzQpCJ6r4oGQDuo
+aiwwdVMBhkCHYocxO8X+M42z4I8VsXpoaf3EiwIDAQABAoIBAQCpmYYcTBFmDsgB
+c23c1LiAmbDipXxryr4JCmo/c6ewjDRX03bvNBSRsQeTXiRE/eEhumEe2zS/CwZC
+XWm+UF+eqPAyzDkZcdyIEGabBoVBuR+HWLQHJnx0YdbNXVH6CxIYLvrjXTIlk2+V
+K5vk4YQMU8Zm9jSLREQg227a+8Tvd1Lq/P7fuNGwveaeVNa7cEDOlWHlxRm7OzMR
+dON230v8vvODcC+cB/Ks/ns39LKwNUOd+X/ZfjexCNeQY7sJ7+SRpifGS5jrsbH8
+jfB6XE30hxqr1j7j9y31LX3vITF+AX+uYMlD4haJ0504oZmdz1JE13pAdwUgCVy9
+l6YyT/EBAoGBANUE5+Rth81sIx8uV29w8qMX6HopfwpzTXkPSxUGWohMEToqmXvw
+NztxRIxTTNFkAc5m5+xeAidWyuJhmVsIHi74fIgmYgzYCQsLhBH50afyNj7z97op
+l/HrkRWuJu+ummG2G0pmyBAOHOuhpvYUOdzjmDFt0vI+0CCdvoZwcMurAoGBAM8l
+6jiAFacVssvbaMBXXOyaKXrdqPOGvamMHn4yNBwfkQ0H4cye8prkgNoJbXHU3sIe
+8UCElcfUEbKWusMjagk85rAUkhuVGyZ1fN8i8DYASYMdeDwjDqnXG8J4N5kr9XK1
+egrhF9RzLRns7PW/pi1f36yhtXZJEAl8pqLgSwqhAoGAdeCzGhrqbWiLvvN7+vU7
+r7jJMuDHplbL5lPqLoZHjujZF6D/MjBpwAEb97MY7T40Ka2UZZ5X/sDuoHt1y4Qg
+f8mN0CG9XHIn/u6udOwTcqZ8EjYbPe9KX9sFfEPU1AmA8NU/INrjls7YfiQEKmRi
+6LMhQykM9HSB46qnBeou4OUCgYByOJzbBL1rwUoyoEw1arbBfAwNRLZJee2Q1MNn
+oHUdYMaRodv/AVIS2Ja4I2Sm1NLzxS4P/ku8wRH1IKngueFZMKyfQOiDrwcmgLgX
+LeO4UxY15wUKW+ZU/li/NZyqqBOSacDeyNlj+xJOblcG9uNBt9DVFuHBVG40XPhh
+bT3ToQKBgQDNkoegBGEC94CDVsTeCO9i3dVELDNB+YzriU1sDlOZuaLpeN83tXia
+a5wHkt2pK/JPLdOPUN1B663FG/70lCP8S103x/jvqHV0blWLzMHpuJoOnQdNjbDE
++wQr/TQeMxH7yeJsViutQOhTVf+jhsTy2LXTJfg1CgZeHShQmMuzRw==
+-----END RSA PRIVATE KEY-----
diff --git a/src/web/nginx.conf b/src/web/nginx.conf
index 569842caf..e64f0f767 100644
--- a/src/web/nginx.conf
+++ b/src/web/nginx.conf
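Review bot: A private key committed to the repository has to be treated as disclosed: it stays in history after the file is removed, every clone carries it, and anyone holding it can impersonate any server that serves it. This is not just a development artefact, because docker-compose defaults `HOST` to `localhost` and nginx loads `/etc/nginx/certificate/${HOST}.key`, so `localhost.key` is exactly what a deployment serves unless the operator overrides `HOST`; the README's "change before production" note does not enforce that. Drop `localhost.key` (and the derived `localhost.crt` and `localhost.csr`, the latter never being read at runtime) from the tree and from history, add `src/web/certificate/` to `.gitignore`, and rely on the entrypoint's generation or a runtime mount instead.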
@@ -25,8 +25,8 @@ http { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/nginx/certs/${HOST}.crt; - ssl_certificate_key /etc/nginx/certs/${HOST}.key; + ssl_certificate /etc/nginx/certificate/${HOST}.crt; + ssl_certificate_key /etc/nginx/certificate/${HOST}.key; server_name ${HOST}; diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index ea346063d..a94d5209f 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -13,15 +13,18 @@ envsubst '\$HOST' < \ /etc/nginx/nginx.template.conf > \ /etc/nginx/nginx.conf -# Generating SSL Certificates -mkdir /etc/nginx/certs -cd /etc/nginx/certs -openssl genrsa -passout pass:x -out $HOST.pass.key 2048 -openssl rsa -passin pass:x -in $HOST.pass.key -out $HOST.key -rm $HOST.pass.key -openssl req -new -key $HOST.key -out $HOST.csr \ - -subj "/C=US/ST=New York/O=RPI RCOS" -openssl x509 -req -days 365 -in $HOST.csr -signkey $HOST.key -out $HOST.crt + +# If SSL Certificate folder isn't present, generate one +if [ ! -d "/etc/nginx/certificate" ];then + echo "--------------------------------------" + mkdir /etc/nginx/certificate + cd /etc/nginx/certificate + openssl genrsa -passout pass:x -out $HOST.pass.key 2048 + openssl rsa -passin pass:x -in $HOST.pass.key -out $HOST.key + rm $HOST.pass.key + openssl req -new -key $HOST.key -out $HOST.csr -subj "/C=US/ST=New York/O=RPI RCOS" + openssl x509 -req -days 365 -in $HOST.csr -signkey $HOST.key -out $HOST.crt +fi # start nginx echo "starting nginx:" From c8b5df00f70585381210cc450e3fcb3a432b4e05 Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Sun, 11 Oct 2020 15:57:25 -0400 Subject: [PATCH 07/14] Small changes Removing the echo statement and changing it to https --- ops/provision.js | 2 +- src/web/scripts/entrypoint.sh | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/ops/provision.js b/ops/provision.js index c3c699458..9a04da828 100644 --- a/ops/provision.js +++ b/ops/provision.js 
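Review bot: The new guard `if [ ! -d "/etc/nginx/certificate" ];then` can never be true inside the image, because the Dockerfile in this same patch creates that directory with `ADD certificate/ /etc/nginx/certificate`, so the generation branch is dead code. For any `HOST` other than `localhost` nothing produces `/etc/nginx/certificate/${HOST}.crt`, and nginx fails at startup on the `ssl_certificate` line changed in this hunk. Test for the files the configuration actually loads rather than the directory, e.g. `if [ ! -f "/etc/nginx/certificate/$HOST.crt" ] || [ ! -f "/etc/nginx/certificate/$HOST.key" ]; then`, and use `mkdir -p` inside the branch since the directory already exists. Quoting `$HOST` in the `openssl` arguments would also keep the commands intact if the value ever contains whitespace.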
@@ -69,7 +69,7 @@ const infraSync = async () => { // print ip // USED IN GITHUB ACTIONS PIPELINE TO SHOW MESSAGE IN PR // DO NOT REFORMAT - console.log(`http://${info.ipv4[0]}`) + console.log(`https://${info.ipv4[0]}`) } diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index a94d5209f..63bdec996 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -16,7 +16,6 @@ envsubst '\$HOST' < \ # If SSL Certificate folder isn't present, generate one if [ ! -d "/etc/nginx/certificate" ];then - echo "--------------------------------------" mkdir /etc/nginx/certificate cd /etc/nginx/certificate openssl genrsa -passout pass:x -out $HOST.pass.key 2048 From 0157a1bababbf53d47bc54ecc03e9bab3338c44c Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Wed, 14 Oct 2020 09:57:30 -0400 Subject: [PATCH 08/14] Changes Josh requested! --- src/web/Dockerfile | 2 +- src/web/scripts/entrypoint.sh | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/web/Dockerfile b/src/web/Dockerfile index f15b87b2a..56dd30ea0 100644 --- a/src/web/Dockerfile +++ b/src/web/Dockerfile @@ -12,7 +12,7 @@ RUN mkdir /app COPY --from=build-stage /app/dist /app COPY nginx.conf /etc/nginx/nginx.template.conf COPY scripts/entrypoint.sh /usr/local/bin/entrypoint.sh -ADD certificate/ /etc/nginx/certificate +COPY certificate/ /etc/nginx/certificate # get openssl to do crypt(3) RUN \ diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index 63bdec996..84f9b1bd9 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -15,7 +15,9 @@ envsubst '\$HOST' < \ # If SSL Certificate folder isn't present, generate one -if [ ! -d "/etc/nginx/certificate" ];then +if [ ! "/etc/nginx/certificate/$HOST.crt" ] && \ + [ ! "/etc/nginx/certificate/$HOST.csr" ] && \ + [ ! "/etc/nginx/certificate/$HOST.key" ];then mkdir /etc/nginx/certificate cd /etc/nginx/certificate openssl genrsa -passout pass:x -out $HOST.pass.key 2048 
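Review bot: `[ ! "/etc/nginx/certificate/$HOST.crt" ]` tests whether a non-empty string is empty, which is always false, so the whole `&&` chain is false and the generation branch never runs; PATCH 12 adds the missing `-f`, but the `&&` joining remains, meaning certificates are only generated when every file is absent, while a directory holding a stray `.crt` without its `.key` (or vice versa) skips generation and nginx then fails to start. The branch's `mkdir /etc/nginx/certificate` also errors because the Dockerfile's `COPY certificate/ /etc/nginx/certificate` has already created the directory. Use `if [ ! -f "/etc/nginx/certificate/$HOST.crt" ] || [ ! -f "/etc/nginx/certificate/$HOST.key" ]; then` and `mkdir -p /etc/nginx/certificate`. PATCH 09, 10, 11, 12 and 14 all rework this same condition and inherit the `&&` and `mkdir` problems; PATCH 11's removal of the quotes additionally reintroduces word splitting on `$HOST`.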
From 0f7947a835a3f5b2d1ad2d97f75b9dc16e35dd45 Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Wed, 14 Oct 2020 11:02:08 -0400 Subject: [PATCH 09/14] small changes of removing spaces --- src/web/scripts/entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index 84f9b1bd9..26a66eec2 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -16,8 +16,8 @@ envsubst '\$HOST' < \ # If SSL Certificate folder isn't present, generate one if [ ! "/etc/nginx/certificate/$HOST.crt" ] && \ - [ ! "/etc/nginx/certificate/$HOST.csr" ] && \ - [ ! "/etc/nginx/certificate/$HOST.key" ];then +[ ! "/etc/nginx/certificate/$HOST.csr" ] && \ +[ ! "/etc/nginx/certificate/$HOST.key" ];then mkdir /etc/nginx/certificate cd /etc/nginx/certificate openssl genrsa -passout pass:x -out $HOST.pass.key 2048 From cb2c1068e4927142290c282b8c63a25aef4d79fa Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Wed, 14 Oct 2020 11:05:49 -0400 Subject: [PATCH 10/14] removing the "\" character --- src/web/scripts/entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index 26a66eec2..e708db6b1 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -15,8 +15,8 @@ envsubst '\$HOST' < \ # If SSL Certificate folder isn't present, generate one -if [ ! "/etc/nginx/certificate/$HOST.crt" ] && \ -[ ! "/etc/nginx/certificate/$HOST.csr" ] && \ +if [ ! "/etc/nginx/certificate/$HOST.crt" ] && +[ ! "/etc/nginx/certificate/$HOST.csr" ] && [ ! "/etc/nginx/certificate/$HOST.key" ];then mkdir /etc/nginx/certificate cd /etc/nginx/certificate From 12bf378e6bd21a7a8a0e9d6d48909b011dda3e1b Mon Sep 17 00:00:00 2001 
From: Richard Tsai Date: Wed, 14 Oct 2020 11:08:16 -0400 Subject: [PATCH 11/14] idk what im doing... removing strings --- src/web/scripts/entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index e708db6b1..b58d6d9ba 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -15,9 +15,9 @@ envsubst '\$HOST' < \ # If SSL Certificate folder isn't present, generate one -if [ ! "/etc/nginx/certificate/$HOST.crt" ] && -[ ! "/etc/nginx/certificate/$HOST.csr" ] && -[ ! "/etc/nginx/certificate/$HOST.key" ];then +if [ ! /etc/nginx/certificate/$HOST.crt ] && +[ ! /etc/nginx/certificate/$HOST.csr ] && +[ ! /etc/nginx/certificate/$HOST.key ];then mkdir /etc/nginx/certificate cd /etc/nginx/certificate openssl genrsa -passout pass:x -out $HOST.pass.key 2048 From eea4a6ca5e9117ca80b13f4c83cc80352c17539a Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Wed, 14 Oct 2020 11:09:21 -0400 Subject: [PATCH 12/14] forgot to add -f --- src/web/scripts/entrypoint.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index b58d6d9ba..0dac7848e 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -15,9 +15,9 @@ envsubst '\$HOST' < \ # If SSL Certificate folder isn't present, generate one -if [ ! /etc/nginx/certificate/$HOST.crt ] && -[ ! /etc/nginx/certificate/$HOST.csr ] && -[ ! /etc/nginx/certificate/$HOST.key ];then +if [ ! -f /etc/nginx/certificate/$HOST.crt ] && +[ ! -f /etc/nginx/certificate/$HOST.csr ] && +[ ! -f /etc/nginx/certificate/$HOST.key ];then mkdir /etc/nginx/certificate cd /etc/nginx/certificate openssl genrsa -passout pass:x -out $HOST.pass.key 2048 From 7058bfb6d710bf227feebe054d05cd3cb2810993 Mon Sep 17 00:00:00 2001 
From: Richard Tsai Date: Sat, 3 Oct 2020 20:18:00 -0400 Subject: [PATCH 13/14] Adding HTTPS on Prod version Added certs and open both port 80 and 443. Port 80 will redirect to port 443. --- docker-compose.production.yml | 1 + src/web/nginx.conf | 16 +++++++++++++++- src/web/scripts/entrypoint.sh | 10 ++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/docker-compose.production.yml b/docker-compose.production.yml index 319c26c57..c4cbc1e8a 100644 --- a/docker-compose.production.yml +++ b/docker-compose.production.yml @@ -7,6 +7,7 @@ services: yacs_web: ports: - 80:80 + - 443:443 environment: # https://docs.docker.com/compose/compose-file/#variable-substitution - HOST=${HOST:-localhost} diff --git a/src/web/nginx.conf b/src/web/nginx.conf index f560c512b..569842caf 100644 --- a/src/web/nginx.conf +++ b/src/web/nginx.conf @@ -13,10 +13,24 @@ http { default_type application/octet-stream; keepalive_timeout 65; - server { + + server{ listen 80; + listen [::]:80; + server_name ${HOST}; + return 301 https://${HOST}; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + ssl_certificate /etc/nginx/certs/${HOST}.crt; + ssl_certificate_key /etc/nginx/certs/${HOST}.key; + server_name ${HOST}; + # simple secure admin panel, will change later location ~* ^/admin { auth_basic "Admin Panel"; diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index ae69bb1d1..ea346063d 100755 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh 
@@ -13,6 +13,16 @@ envsubst '\$HOST' < \ /etc/nginx/nginx.template.conf > \ /etc/nginx/nginx.conf +# Generating SSL Certificates +mkdir /etc/nginx/certs +cd /etc/nginx/certs +openssl genrsa -passout pass:x -out $HOST.pass.key 2048 +openssl rsa -passin pass:x -in $HOST.pass.key -out $HOST.key +rm $HOST.pass.key +openssl req -new -key $HOST.key -out $HOST.csr \ + -subj "/C=US/ST=New York/O=RPI RCOS" +openssl x509 -req -days 365 -in $HOST.csr -signkey $HOST.key -out $HOST.crt + # start nginx echo "starting nginx:" nginx -g "daemon off;" From 57b1a8b5abb631130856760aec814b09ed1388ff Mon Sep 17 00:00:00 2001 From: Richard Tsai Date: Fri, 30 Oct 2020 16:36:34 -0400 Subject: [PATCH 14/14] changes --- src/web/certificate/{READMD.md => README.md} | 0 src/web/scripts/entrypoint.sh | 1 - 2 files changed, 1 deletion(-) rename src/web/certificate/{READMD.md => README.md} (100%) diff --git a/src/web/certificate/READMD.md b/src/web/certificate/README.md similarity index 100% rename from src/web/certificate/READMD.md rename to src/web/certificate/README.md diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh index 0dac7848e..3e3cc0553 100644 --- a/src/web/scripts/entrypoint.sh +++ b/src/web/scripts/entrypoint.sh @@ -16,7 +16,6 @@ envsubst '\$HOST' < \ # If SSL Certificate folder isn't present, generate one if [ ! -f /etc/nginx/certificate/$HOST.crt ] && -[ ! -f /etc/nginx/certificate/$HOST.csr ] && [ ! -f /etc/nginx/certificate/$HOST.key ];then mkdir /etc/nginx/certificate cd /etc/nginx/certificate