From fbae88eed17a71e8b40bdb486af5e5a74b224180 Mon Sep 17 00:00:00 2001 From: viveksantayana Date: Fri, 17 Jun 2022 01:09:15 +0100 Subject: [PATCH] Production Ready --- .env.example | 20 +++++ docker-compose.yml | 30 ++----- init-letsencrypt.sh | 78 +++++++++++++++++++ ...ommon-location.conf => proxy_headers.conf} | 0 nginx/conf.d/ref-test-app.conf | 4 +- nginx/ssl.conf | 15 +++- 6 files changed, 120 insertions(+), 27 deletions(-) create mode 100644 .env.example create mode 100644 init-letsencrypt.sh rename nginx/conf.d/{common-location.conf => proxy_headers.conf} (100%) diff --git a/.env.example b/.env.example new file mode 100644 index 0000000..39ebc57 --- /dev/null +++ b/.env.example @@ -0,0 +1,20 @@ +SERVER_NAME= # URL where this will be hosted. + +## Flask Configuration +SECRET_KEY= # Long, secure, secret string. +DATA=./data/ + +## Flask Mail Configuration +MAIL_SERVER=ref_test_postfix # Must match name of the Docker service +MAIL_PORT=25 +MAIL_USE_TLS=False +MAIL_USE_SSL=False +MAIL_USERNAME= # Username@domain, must match config values below +MAIL_PASSWORD= # Must match config value below +MAIL_DEFAULT_SENDER= # NoReply@domain or some such. +MAIL_MAX_EMAILS=25 +MAIL_ASCII_ATTACHMENTS=True + +# Postfix +maildomain= # Domain must match the section of username above +smtp_user= # username:password. Must match config values above. diff --git a/docker-compose.yml b/docker-compose.yml index 4e96688..1412d95 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,13 +3,14 @@ version: '3.9' services: ref_test_server: container_name: ref_test_server - image: nginx:1.21.4-alpine + image: nginx:alpine volumes: - ./certbot:/etc/letsencrypt:ro - ./nginx:/etc/nginx - ./src/html:/usr/share/nginx/html/ - - ./ref-test/admin/static:/usr/share/nginx/html/admin/static - - ./ref-test/quiz/static:/usr/share/nginx/html/quiz/static + - ./ref-test/app/admin/static:/usr/share/nginx/html/admin/static + - ./ref-test/app/quiz/static:/usr/share/nginx/html/quiz/static + - ./ref-test/app/root:/usr/share/nginx/html/root ports: - 80:80 - 443:443 @@ -18,6 +19,7 @@ services: - frontend depends_on: - ref_test_app + command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'" ref_test_app: container_name: ref_test_app @@ -28,30 +30,14 @@ services: ports: - 5000 volumes: - - ./.security:/ref-test/.security - ./ref-test/data:/ref-test/data restart: unless-stopped networks: - frontend - backend depends_on: - - ref_test_db - ref_test_postfix - ref_test_db: - container_name: ref_test_db - image: mongo:5.0.4-focal - restart: unless-stopped - volumes: - - ./database/data:/data/db - - ./database/initdb.d/:/docker-entrypoint-initdb.d/ - env_file: - - ./.env - ports: - - 27017 - networks: - - backend - ref_test_postfix: container_name: ref_test_postfix image: catatnight/postfix:latest @@ -65,13 +51,11 @@ services: ref_test_certbot: container_name: ref_test_certbot - image: certbot/certbot:v1.21.0 + image: certbot/certbot volumes: - ./certbot:/etc/letsencrypt - ./src/html:/var/www/html - depends_on: - - ref_test_server - # command: certonly --webroot --webroot-path=/var/www/html --email (email) --agree-tos --no-eff-email -d (domain) + entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'" networks: frontend: diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh new file mode 100644 index 0000000..c2811eb --- /dev/null +++ b/init-letsencrypt.sh @@ -0,0 +1,78 @@ +#!/bin/bash + +# Source https://pentacent.medium.com/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71 + +if ! [ -x "$(command -v docker-compose)" ]; then + echo 'Error: docker-compose is not installed.' >&2 + exit 1 +fi + +domains=(example.org www.example.org) +rsa_key_size=4096 +data_path="./certbot" +email="" # Adding a valid address is strongly recommended +staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits + +if [ -d "$data_path" ]; then + read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision + if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then + exit + fi +fi + +if [ ! -e "$data_path/ssl-dhparams.pem" ]; then + echo "### Generating ssl-dhparams.pem ..." + docker-compose run --rm --entrypoint "\ + openssl dhparam 4096 -out /etc/letsencrypt/ssl-dhparams.pem" certbot + echo +fi + +echo "### Creating dummy certificate for $domains ..." +path="/etc/letsencrypt/live/$domains" +mkdir -p "$data_path/conf/live/$domains" +docker-compose run --rm --entrypoint "\ + openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\ + -keyout '$path/privkey.pem' \ + -out '$path/fullchain.pem' \ + -subj '/CN=localhost'" certbot +echo + +echo "### Starting nginx ..." +docker-compose up --force-recreate -d nginx +echo + +echo "### Deleting dummy certificate for $domains ..." +docker-compose run --rm --entrypoint "\ + rm -Rf /etc/letsencrypt/live/$domains && \ + rm -Rf /etc/letsencrypt/archive/$domains && \ + rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot +echo + +echo "### Requesting Let's Encrypt certificate for $domains ..." +#Join $domains to -d args +domain_args="" +for domain in "${domains[@]}"; do + domain_args="$domain_args -d $domain" +done + +# Select appropriate email arg +case "$email" in + "") email_arg="--register-unsafely-without-email" ;; + *) email_arg="--email $email" ;; +esac + +# Enable staging mode if needed +if [ $staging != "0" ]; then staging_arg="--staging"; fi + +docker-compose run --rm --entrypoint "\ + certbot certonly --webroot -w /var/www/certbot \ + $staging_arg \ + $email_arg \ + $domain_args \ + --rsa-key-size $rsa_key_size \ + --agree-tos \ + --force-renewal" certbot +echo + +echo "### Reloading nginx ..." +docker-compose exec nginx nginx -s reload diff --git a/nginx/conf.d/common-location.conf b/nginx/conf.d/proxy_headers.conf similarity index 100% rename from nginx/conf.d/common-location.conf rename to nginx/conf.d/proxy_headers.conf diff --git a/nginx/conf.d/ref-test-app.conf b/nginx/conf.d/ref-test-app.conf index 3c26989..763df59 100644 --- a/nginx/conf.d/ref-test-app.conf +++ b/nginx/conf.d/ref-test-app.conf @@ -3,7 +3,7 @@ upstream reftest { } server { - + server_name domain_name; listen 80 default_server; listen [::]:80 default_server; # Redirect to ssl @@ -11,7 +11,7 @@ server { } server { - + server_name domain_name; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; diff --git a/nginx/ssl.conf b/nginx/ssl.conf index 04afb12..c3f7f99 100644 --- a/nginx/ssl.conf +++ b/nginx/ssl.conf @@ -1,2 +1,13 @@ -ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem; # managed by Certbot -ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem; # managed by Certbot \ No newline at end of file +ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem; + +ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +ssl_prefer_server_ciphers on; +ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"; +ssl_stapling on; +ssl_stapling_verify on; +ssl_trusted_certificate /etc/letsencrypt/lets-encrypt-x3-cross-signed.pem; +add_header Strict-Transport-Security "max-age=31536000" always; +ssl_session_cache shared:SSL:40m; +ssl_session_timeout 4h; +ssl_session_tickets on; \ No newline at end of file