From 1f7079b51a239051bd350eddf67bf9cf8bf599f2 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Wed, 23 Mar 2016 21:41:00 +0100 Subject: [PATCH 01/29] Initial commit --- LICENSE | 21 +++++++++++++++++++++ README.md | 2 ++ 2 files changed, 23 insertions(+) create mode 100644 LICENSE create mode 100644 README.md diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..853b46d --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2016 + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..b51ea91 --- /dev/null +++ b/README.md @@ -0,0 +1,2 @@ +# nginx +nginx proxy for lesspass From 23d711470bd1e989e464e60f2e9868356fe7fc2e Mon Sep 17 00:00:00 2001 
From: Guillaume Vincent
Date: Wed, 23 Mar 2016 22:13:59 +0100
Subject: [PATCH 02/29] add files

---
 Dockerfile | 9 ++++
 README.md | 2 +-
 conf.d/backend.conf | 24 ++++++++++
 conf.d/default.conf | 4 ++
 mime.types | 135 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 nginx.conf | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 307 insertions(+), 1 deletion(-)
 create mode 100644 Dockerfile
 create mode 100644 conf.d/backend.conf
 create mode 100644 conf.d/default.conf
 create mode 100644 mime.types
 create mode 100644 nginx.conf

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..af5a17a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,9 @@
+FROM nginx:1.8
+
+RUN rm /etc/nginx/nginx.conf
+RUN rm /etc/nginx/mime.types
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY mime.types /etc/nginx/mime.types
+
+RUN rm /etc/nginx/conf.d/default.conf
+COPY conf.d /etc/nginx/conf.d/
diff --git a/README.md b/README.md
index b51ea91..160e53b 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
 # nginx
-nginx proxy for lesspass
+nginx container for lesspass
diff --git a/conf.d/backend.conf b/conf.d/backend.conf
new file mode 100644
index 0000000..a583a4c
--- /dev/null
+++ b/conf.d/backend.conf
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ server_name localhost *.oslab.fr;
+
+ location ~ /(static|media)/ {
+ autoindex on;
+ root /backend/www;
+ }
+
+ location ~ /(api|admin) {
+ proxy_pass http://backend:8000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ proxy_pass http://frontend:8080;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+}
diff --git a/conf.d/default.conf b/conf.d/default.conf
new file mode 100644
index 0000000..9b8f8ab
--- /dev/null
+++ b/conf.d/default.conf
@@ -0,0 +1,4 @@
+server {
+ listen 80 default_server;
+ return 444;
+}
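Review bot: `autoindex on` inside the `/(static|media)/` location publishes a browsable listing of everything under `/backend/www` — including the name of every uploaded media file — to any unauthenticated client; unless a listing is intended it should be `autoindex off;` (or the directive dropped, since off is the default). Both regex locations are also unanchored, so `/(api|admin)` proxies any URI that merely contains `/api` or `/admin` (for example `/docs/admin-guide`) to the backend, and `/(static|media)/` serves `/anything/static/...` from disk; anchoring them as `location ~ ^/(static|media)/ {` and `location ~ ^/(api|admin) {` keeps routing to the intended prefixes. The `default_server` block answering 444 for unmatched Host headers is a good complement to this and should stay.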
diff --git a/mime.types b/mime.types new file mode 100644 index 0000000..b295c78 --- /dev/null +++ b/mime.types 
@@ -0,0 +1,135 @@ +types { + + # Data interchange + + application/atom+xml atom; + application/json json map topojson; + application/ld+json jsonld; + application/rss+xml rss; + application/vnd.geo+json geojson; + application/xml rdf xml; + + + # JavaScript + + # Normalize to standard type. + # https://tools.ietf.org/html/rfc4329#section-7.2 + application/javascript js; + + + # Manifest files + + application/manifest+json webmanifest; + application/x-web-app-manifest+json webapp; + text/cache-manifest appcache; + + + # Media files + + audio/midi mid midi kar; + audio/mp4 aac f4a f4b m4a; + audio/mpeg mp3; + audio/ogg oga ogg opus; + audio/x-realaudio ra; + audio/x-wav wav; + image/bmp bmp; + image/gif gif; + image/jpeg jpeg jpg; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-jng jng; + video/3gpp 3gp 3gpp; + video/mp4 f4p f4v m4v mp4; + video/mpeg mpeg mpg; + video/ogg ogv; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-mng mng; + video/x-ms-asf asf asx; + video/x-ms-wmv wmv; + video/x-msvideo avi; + + # Serving `.ico` image files with a different media type + # prevents Internet Explorer from displaying then as images: + # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee + + image/x-icon cur ico; + + + # Microsoft Office + + application/msword doc; + application/vnd.ms-excel xls; + application/vnd.ms-powerpoint ppt; + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + + # Web fonts + + application/font-woff woff; + application/font-woff2 woff2; + application/vnd.ms-fontobject eot; + + # Browsers usually ignore the font media types and simply sniff + # the bytes to figure out the font type. 
+ # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern + # + # However, Blink and WebKit based browsers will show a warning + # in the console if the following font types are served with any + # other media types. + + application/x-font-ttf ttc ttf; + font/opentype otf; + + + # Other + + application/java-archive ear jar war; + application/mac-binhex40 hqx; + application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz; + application/pdf pdf; + application/postscript ai eps ps; + application/rtf rtf; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-bb-appworld bbaw; + application/x-bittorrent torrent; + application/x-chrome-extension crx; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-opera-extension oex; + application/x-perl pl pm; + application/x-pilot pdb prc; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert crt der pem; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xslt+xml xsl; + application/zip zip; + text/css css; + text/html htm html shtml; + text/mathml mml; + text/plain txt; + text/vcard vcard vcf; + text/vnd.rim.location.xloc xloc; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/vtt vtt; + text/x-component htc; + +} diff --git a/nginx.conf b/nginx.conf new file mode 100644 index 0000000..988ca80 --- /dev/null +++ b/nginx.conf 
@@ -0,0 +1,134 @@ +# nginx Configuration File +# http://wiki.nginx.org/Configuration + +# Run as a less privileged user for security reasons. +# user www www; + +# How many worker threads to run; +# "auto" sets it to the number of CPU cores available in the system, and +# offers the best performance. Don't set it higher than the number of CPU +# cores if changing this parameter. + +# The maximum number of connections for Nginx is calculated by: +# max_clients = worker_processes * worker_connections +worker_processes auto; + +# Maximum open file descriptors per process; +# should be > worker_connections. +worker_rlimit_nofile 8192; + +events { + # When you need > 8000 * cpu_cores connections, you start optimizing your OS, + # and this is probably the point at which you hire people who are smarter than + # you, as this is *a lot* of requests. + worker_connections 8000; +} + +# Default error log file +# (this is only used when you don't override error_log on a server{} level) +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +http { + + # Hide nginx version information. + server_tokens off; + + # Define the MIME types for files. + include mime.types; + default_type application/octet-stream; + + # Update charset_types due to updated mime.types + charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml; + + # Format to use in log files + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # Default log file + # (this is only used when you don't override access_log on a server{} level) + access_log /var/log/nginx/access.log main; + + # How long to allow each connection to stay idle; longer values are better + # for each individual client, particularly for SSL, but means that worker + # connections are tied up longer. 
(Default: 65) + keepalive_timeout 20; + + # Speed up file transfers by using sendfile() to copy directly + # between descriptors rather than using read()/write(). + # For performance reasons, on FreeBSD systems w/ ZFS + # this option should be disabled as ZFS's ARC caches + # frequently used files in RAM by default. + sendfile on; + + # Tell Nginx not to send out partial frames; this increases throughput + # since TCP frames are filled up before being sent out. (adds TCP_CORK) + tcp_nopush on; + + + # Compression + + # Enable Gzip compressed. + gzip on; + + # Compression level (1-9). + # 5 is a perfect compromise between size and cpu usage, offering about + # 75% reduction for most ascii files (almost identical to level 9). + gzip_comp_level 5; + + # Don't compress anything that's already small and unlikely to shrink much + # if at all (the default is 20 bytes, which is bad as that usually leads to + # larger files after gzipping). + gzip_min_length 256; + + # Compress data even for clients that are connecting to us via proxies, + # identified by the "Via" header (required for CloudFront). + gzip_proxied any; + + # Tell proxies to cache both the gzipped and regular version of a resource + # whenever the client's Accept-Encoding capabilities header varies; + # Avoids the issue where a non-gzip capable client (which is extremely rare + # today) would display gibberish if their proxy gave them the gzipped version. + gzip_vary on; + + # Compress all output labeled with one of the following MIME-types. 
+ gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + # text/html is always compressed by HttpGzipModule + + # This should be turned on if you are going to have pre-compressed copies (.gz) of + # static files available. If not it should be left off as it will cause extra I/O + # for the check. It is best if you enable this in a location{} block for + # a specific directory, or on an individual server{} level. + # gzip_static on; + + # Include files in the sites-enabled folder. server{} configuration files should be + # placed in the sites-available folder, and then the configuration should be enabled + # by creating a symlink to it in the sites-enabled folder. + # See doc/sites-enabled.md for more info. + include conf.d/*.conf; +} From 5273ab5c1e31bf6f1ae0964a6f5f2c882119d461 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Fri, 25 Mar 2016 09:21:15 +0100 Subject: [PATCH 03/29] force https --- .gitignore | 1 + Dockerfile | 5 +++++ conf.d/backend.conf | 34 +++++++++++++++++++++++++++++++--- 3 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..6a0b115 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +ssl/ diff --git a/Dockerfile b/Dockerfile index af5a17a..1a479c6 100644 --- a/Dockerfile +++ b/Dockerfile 
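Review bot: With `gzip on` and `gzip_types` covering `application/json` (and `text/html` always compressed), dynamic responses proxied from the backend are compressed as well; once this front end terminates TLS, compressing a page that mixes a secret (CSRF or session token) with attacker-reflected input is the BREACH precondition, so consider limiting gzip to the static location or adding `gzip off;` to the `/api` and `/admin` locations. The closing comment about `sites-available`/`sites-enabled` symlinks and `doc/sites-enabled.md` does not describe the `include conf.d/*.conf;` directive it sits above; replace it with `# Load every server{} definition from conf.d/.`. The `user` directive is left commented out, so workers run as whatever user the binary was built with — presumably `nginx` in the official image, but that is worth confirming rather than assuming.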
@@ -7,3 +7,8 @@ COPY mime.types /etc/nginx/mime.types
 
 RUN rm /etc/nginx/conf.d/default.conf
 COPY conf.d /etc/nginx/conf.d/
+
+COPY ssl/lesspass.com.crt /etc/ssl/certs/lesspass.com.crt
+COPY ssl/lesspass.com.key /etc/ssl/private/lesspass.com.key
+COPY ssl/dhparam.pem /etc/ssl/certs/dhparam.pem
+COPY ssl/AddTrustExternalCARoot.crt /etc/ssl/certs/AddTrustExternalCARoot.crt
\ No newline at end of file
diff --git a/conf.d/backend.conf b/conf.d/backend.conf
index a583a4c..fa3207f 100644
--- a/conf.d/backend.conf
+++ b/conf.d/backend.conf
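Review bot: `COPY ssl/lesspass.com.key /etc/ssl/private/lesspass.com.key` bakes the production private key into an image layer, so anyone who can pull the image (registry, build cache, `docker save`) recovers the key; the `ssl/` entry added to `.gitignore` keeps it out of the repository but not out of the image. Private keys should be supplied at runtime — a bind-mounted volume or a secret store — rather than at build time, leaving at most the public certificate, chain and dhparam in the image. `dhparam.pem` need not be secret, but it is still a per-deployment artifact and belongs with the runtime material for the same reason.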
@@ -1,6 +1,35 @@
 server {
 listen 80;
- server_name localhost *.oslab.fr;
+ server_name localhost *.oslab.fr *.lesspass.com;
+
+ return 301 https://$server_name$request_uri;
+}
+
+
+server {
+ listen [::]:443 ssl;
+ listen 443 ssl;
+
+ server_name localhost *.oslab.fr *.lesspass.com;
+
+ charset utf-8;
+
+ ssl_certificate /etc/ssl/certs/lesspass.com.crt;
+ ssl_certificate_key /etc/ssl/private/lesspass.com.key;
+
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 30m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+ ssl_prefer_server_ciphers on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_trusted_certificate /etc/ssl/certs/AddTrustExternalCARoot.crt;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
 location ~ /(static|media)/ {
 autoindex on;
@@ -20,5 +49,4 @@ server {
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
-
-}
+}
\ No newline at end of file
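Review bot: `return 301 https://$server_name$request_uri;` will send every plain-HTTP visitor to `https://localhost/...`, because `$server_name` expands to the first (primary) name of the `server_name` directive rather than the name the client used; `return 301 https://$host$request_uri;` is what is wanted, and `$host` is safe to echo here because this block is only reached when the Host header matched one of the listed names (the `default_server` block returns 444 otherwise). `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` together with a cipher list that keeps `DES-CBC3-SHA`, `CAMELLIA` and the non-forward-secret `AES128-SHA`/`AES256-SHA` suites is the old "intermediate" compatibility profile; if legacy clients are not a requirement, `ssl_protocols TLSv1.2;` with ECDHE AEAD suites only would be the stronger default. `includeSubDomains` in the HSTS header applies to every host under the wildcard names, so any plain-HTTP subdomain of oslab.fr or lesspass.com will stop working for returning browsers — presumably intended, but worth confirming before it reaches production.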
From: Guillaume Vincent Date: Fri, 15 Apr 2016 21:03:52 +0200 Subject: [PATCH 04/29] add self signed certificates if no certificates provided --- Dockerfile | 36 ++++++++++--- README.md | 1 + backend.conf.j2 | 56 +++++++++++++++++++ conf.d/backend.conf | 52 ------------------ conf.d/mime.types | 135 ++++++++++++++++++++++++++++++++++++++++++++++ conf.d/nginx.conf | 134 +++++++++++++++++++++++++++++++++++++++++++++ docker.env | 15 ++++++ dockersible/__init__.py | 0 dockersible/files.py | 44 +++++++++++++++ dockersible/ssl.py | 18 +++++++ entrypoint.sh | 5 ++ install.py | 59 ++++++++++++++++++++ mime.types | 135 ---------------------------------------------- nginx.conf | 134 --------------------------------------------- tests/templates/test.j2 | 3 ++ tests/test_dockersible.py | 85 +++++++++++++++++++++++++++++ 16 files changed, 583 insertions(+), 329 deletions(-) create mode 100644 backend.conf.j2 delete mode 100644 conf.d/backend.conf create mode 100644 conf.d/mime.types create mode 100644 conf.d/nginx.conf create mode 100644 docker.env create mode 100644 dockersible/__init__.py create mode 100644 dockersible/files.py create mode 100644 dockersible/ssl.py create mode 100644 entrypoint.sh create mode 100644 install.py delete mode 100644 mime.types delete mode 100644 nginx.conf create mode 100644 tests/templates/test.j2 create mode 100644 tests/test_dockersible.py diff --git a/Dockerfile b/Dockerfile index 1a479c6..b42c74f 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,14 +1,34 @@
-FROM nginx:1.8
+FROM nginx:1.8-alpine
+
+RUN apk update && apk add \
+ python3 \
+ openssl \
+ && python3 -m ensurepip \
+ && rm -r /usr/lib/python*/ensurepip \
+ && pip3 install --upgrade pip setuptools \
+ && rm -rf /var/cache/apk/*
+
+RUN pip3 install Jinja2==2.8
 
 RUN rm /etc/nginx/nginx.conf
 RUN rm /etc/nginx/mime.types
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY mime.types /etc/nginx/mime.types
+COPY conf.d/nginx.conf /etc/nginx/nginx.conf
+COPY conf.d/mime.types /etc/nginx/mime.types
 
 RUN rm /etc/nginx/conf.d/default.conf
-COPY conf.d /etc/nginx/conf.d/
+COPY conf.d/default.conf /etc/nginx/conf.d/default.conf
+
+RUN mkdir /dockersible
+COPY dockersible/ /dockersible
+COPY backend.conf.j2 /
+COPY install.py /
+
+RUN mkdir /certificates
+VOLUME ["/certificates"]
+
+COPY entrypoint.sh /
+RUN chmod 755 /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
 
-COPY ssl/lesspass.com.crt /etc/ssl/certs/lesspass.com.crt
-COPY ssl/lesspass.com.key /etc/ssl/private/lesspass.com.key
-COPY ssl/dhparam.pem /etc/ssl/certs/dhparam.pem
-COPY ssl/AddTrustExternalCARoot.crt /etc/ssl/certs/AddTrustExternalCARoot.crt
\ No newline at end of file
+CMD ["nginx", "-g", "daemon off;"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 160e53b..9dbcef1 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # nginx
 nginx container for lesspass
+
diff --git a/backend.conf.j2 b/backend.conf.j2
new file mode 100644
index 0000000..8749bcc
--- /dev/null
+++ b/backend.conf.j2
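Review bot: `apk add python3 openssl` and `pip3 install --upgrade pip setuptools` install whatever version is current at build time, so two builds of the same commit can differ and a bad upstream release lands silently; only Jinja2 is pinned (`Jinja2==2.8`). Pin the apk packages (`python3=<version>`, `openssl=<version>`) and pip/setuptools the same way, or drop the pip upgrade if the ensurepip-bundled version is sufficient. Python, pip and openssl also stay in the runtime image solely so that `install.py` can run once at start-up, which is extra attack surface on the edge container — acceptable for now, but worth a comment so it is a deliberate choice.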
@@ -0,0 +1,56 @@
+server {
+ listen 80;
+ server_name {{ server_name }};
+
+ return 301 https://$server_name$request_uri;
+}
+
+
+server {
+ listen [::]:443 ssl;
+ listen 443 ssl;
+
+ server_name {{ server_name }};
+
+ charset utf-8;
+
+ ssl_certificate /etc/ssl/certs/certificate.crt;
+ ssl_certificate_key /etc/ssl/private/private.key;
+
+ ssl_session_cache shared:SSL:20m;
+ ssl_session_timeout 30m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+ ssl_prefer_server_ciphers on;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+{% if dhparam %}
+ ssl_dhparam {{ dhparam_path }};
+{% endif %}
+{% if ssl_trusted_certificate %}
+ ssl_trusted_certificate {{ ssl_trusted_certificate_path }};
+{% endif %}
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ location ~ /(static|media)/ {
+ autoindex on;
+ root /backend/www;
+ }
+
+ location ~ /(api|admin) {
+ proxy_pass http://backend:8000;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ proxy_pass http://frontend:8080;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header 
X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
\ No newline at end of file
diff --git a/conf.d/backend.conf b/conf.d/backend.conf
deleted file mode 100644
index fa3207f..0000000
--- a/conf.d/backend.conf
+++ /dev/null
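Review bot: `server_name {{ server_name }};` splices the `server_name` environment variable straight into nginx configuration with no validation (files.py renders it through a plain Jinja2 `Template`), so a value containing `;`, `}` or a newline becomes additional directives in the generated `backend.conf`. The value comes from the operator's docker.env, so the trust boundary is narrow, but `install.py` should still reject anything outside the characters a server name can legitimately contain — for example `re.fullmatch(r'[A-Za-z0-9.*_ -]+', os.environ['server_name'])` — and fail loudly otherwise. `ssl_stapling on;` and `ssl_stapling_verify on;` are also emitted unconditionally, including in the self-signed path where no OCSP responder exists and nginx can only log a warning at start-up; moving both inside the `{% if ssl_trusted_certificate %}` block would make the template state only what it can actually do.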
@@ -1,52 +0,0 @@ -server { - listen 80; - server_name localhost *.oslab.fr *.lesspass.com; - - return 301 https://$server_name$request_uri; -} - - -server { - listen [::]:443 ssl; - listen 443 ssl; - - server_name localhost *.oslab.fr *.lesspass.com; - - charset utf-8; - - ssl_certificate /etc/ssl/certs/lesspass.com.crt; - ssl_certificate_key /etc/ssl/private/lesspass.com.key; - - ssl_session_cache shared:SSL:20m; - ssl_session_timeout 30m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; - ssl_prefer_server_ciphers on; - ssl_stapling on; - ssl_stapling_verify on; - - ssl_dhparam /etc/ssl/certs/dhparam.pem; - ssl_trusted_certificate /etc/ssl/certs/AddTrustExternalCARoot.crt; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - - location ~ /(static|media)/ { - autoindex on; - root /backend/www; - } - - location ~ /(api|admin) { - proxy_pass http://backend:8000; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - - location / { - proxy_pass http://frontend:8080; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; - } -} \ No newline at end of file diff --git a/conf.d/mime.types b/conf.d/mime.types new file mode 100644 index 0000000..b295c78 --- /dev/null +++ b/conf.d/mime.types 
@@ -0,0 +1,135 @@ +types { + + # Data interchange + + application/atom+xml atom; + application/json json map topojson; + application/ld+json jsonld; + application/rss+xml rss; + application/vnd.geo+json geojson; + application/xml rdf xml; + + + # JavaScript + + # Normalize to standard type. + # https://tools.ietf.org/html/rfc4329#section-7.2 + application/javascript js; + + + # Manifest files + + application/manifest+json webmanifest; + application/x-web-app-manifest+json webapp; + text/cache-manifest appcache; + + + # Media files + + audio/midi mid midi kar; + audio/mp4 aac f4a f4b m4a; + audio/mpeg mp3; + audio/ogg oga ogg opus; + audio/x-realaudio ra; + audio/x-wav wav; + image/bmp bmp; + image/gif gif; + image/jpeg jpeg jpg; + image/png png; + image/svg+xml svg svgz; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/webp webp; + image/x-jng jng; + video/3gpp 3gp 3gpp; + video/mp4 f4p f4v m4v mp4; + video/mpeg mpeg mpg; + video/ogg ogv; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-mng mng; + video/x-ms-asf asf asx; + video/x-ms-wmv wmv; + video/x-msvideo avi; + + # Serving `.ico` image files with a different media type + # prevents Internet Explorer from displaying then as images: + # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee + + image/x-icon cur ico; + + + # Microsoft Office + + application/msword doc; + application/vnd.ms-excel xls; + application/vnd.ms-powerpoint ppt; + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + + # Web fonts + + application/font-woff woff; + application/font-woff2 woff2; + application/vnd.ms-fontobject eot; + + # Browsers usually ignore the font media types and simply sniff + # the bytes to figure out the font type. 
+ # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern + # + # However, Blink and WebKit based browsers will show a warning + # in the console if the following font types are served with any + # other media types. + + application/x-font-ttf ttc ttf; + font/opentype otf; + + + # Other + + application/java-archive ear jar war; + application/mac-binhex40 hqx; + application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz; + application/pdf pdf; + application/postscript ai eps ps; + application/rtf rtf; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/vnd.wap.wmlc wmlc; + application/x-7z-compressed 7z; + application/x-bb-appworld bbaw; + application/x-bittorrent torrent; + application/x-chrome-extension crx; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-opera-extension oex; + application/x-perl pl pm; + application/x-pilot pdb prc; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert crt der pem; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xslt+xml xsl; + application/zip zip; + text/css css; + text/html htm html shtml; + text/mathml mml; + text/plain txt; + text/vcard vcard vcf; + text/vnd.rim.location.xloc xloc; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/vtt vtt; + text/x-component htc; + +} diff --git a/conf.d/nginx.conf b/conf.d/nginx.conf new file mode 100644 index 0000000..988ca80 --- /dev/null +++ b/conf.d/nginx.conf 
@@ -0,0 +1,134 @@ +# nginx Configuration File +# http://wiki.nginx.org/Configuration + +# Run as a less privileged user for security reasons. +# user www www; + +# How many worker threads to run; +# "auto" sets it to the number of CPU cores available in the system, and +# offers the best performance. Don't set it higher than the number of CPU +# cores if changing this parameter. + +# The maximum number of connections for Nginx is calculated by: +# max_clients = worker_processes * worker_connections +worker_processes auto; + +# Maximum open file descriptors per process; +# should be > worker_connections. +worker_rlimit_nofile 8192; + +events { + # When you need > 8000 * cpu_cores connections, you start optimizing your OS, + # and this is probably the point at which you hire people who are smarter than + # you, as this is *a lot* of requests. + worker_connections 8000; +} + +# Default error log file +# (this is only used when you don't override error_log on a server{} level) +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +http { + + # Hide nginx version information. + server_tokens off; + + # Define the MIME types for files. + include mime.types; + default_type application/octet-stream; + + # Update charset_types due to updated mime.types + charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml; + + # Format to use in log files + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # Default log file + # (this is only used when you don't override access_log on a server{} level) + access_log /var/log/nginx/access.log main; + + # How long to allow each connection to stay idle; longer values are better + # for each individual client, particularly for SSL, but means that worker + # connections are tied up longer. 
(Default: 65) + keepalive_timeout 20; + + # Speed up file transfers by using sendfile() to copy directly + # between descriptors rather than using read()/write(). + # For performance reasons, on FreeBSD systems w/ ZFS + # this option should be disabled as ZFS's ARC caches + # frequently used files in RAM by default. + sendfile on; + + # Tell Nginx not to send out partial frames; this increases throughput + # since TCP frames are filled up before being sent out. (adds TCP_CORK) + tcp_nopush on; + + + # Compression + + # Enable Gzip compressed. + gzip on; + + # Compression level (1-9). + # 5 is a perfect compromise between size and cpu usage, offering about + # 75% reduction for most ascii files (almost identical to level 9). + gzip_comp_level 5; + + # Don't compress anything that's already small and unlikely to shrink much + # if at all (the default is 20 bytes, which is bad as that usually leads to + # larger files after gzipping). + gzip_min_length 256; + + # Compress data even for clients that are connecting to us via proxies, + # identified by the "Via" header (required for CloudFront). + gzip_proxied any; + + # Tell proxies to cache both the gzipped and regular version of a resource + # whenever the client's Accept-Encoding capabilities header varies; + # Avoids the issue where a non-gzip capable client (which is extremely rare + # today) would display gibberish if their proxy gave them the gzipped version. + gzip_vary on; + + # Compress all output labeled with one of the following MIME-types. 
+ gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + # text/html is always compressed by HttpGzipModule + + # This should be turned on if you are going to have pre-compressed copies (.gz) of + # static files available. If not it should be left off as it will cause extra I/O + # for the check. It is best if you enable this in a location{} block for + # a specific directory, or on an individual server{} level. + # gzip_static on; + + # Include files in the sites-enabled folder. server{} configuration files should be + # placed in the sites-available folder, and then the configuration should be enabled + # by creating a symlink to it in the sites-enabled folder. + # See doc/sites-enabled.md for more info. + include conf.d/*.conf; +} diff --git a/docker.env b/docker.env new file mode 100644 index 0000000..9ff7907 --- /dev/null +++ b/docker.env @@ -0,0 +1,15 @@ +############################### +## self-signed certificates ## +############################### +domain=lesspass.com +server_name=localhost +############################### +## use custom certificate ## +############################### +#domain, server_name, private_key and certificate are mandatory +#domain=lesspass.com +#server_name=localhost *.lesspass.com +#private_key=lesspass.com.key +#certificate=lesspass.com.crt +#dhparam=dhparam.pem +#ssl_trusted_certificate=AddTrustExternalCARoot.crt diff --git a/dockersible/__init__.py b/dockersible/__init__.py new file mode 100644 index 0000000..e69de29 
diff --git a/dockersible/files.py b/dockersible/files.py
new file mode 100644
index 0000000..0350b5d
--- /dev/null
+++ b/dockersible/files.py
@@ -0,0 +1,44 @@
+import os
+import shutil
+import fnmatch
+
+from jinja2 import Template
+
+
+def pattern_filter(file, patterns=None):
+ if patterns is None:
+ return True
+
+ for p in patterns:
+ if fnmatch.fnmatch(file, p):
+ return True
+
+ return False
+
+
+def find(paths, patterns=None):
+ certificates = []
+ for root, dirs, files in os.walk(paths):
+ for file in files:
+ if pattern_filter(file, patterns.split(',')):
+ certificates.append({'path': os.path.normpath(os.path.join(root, file))})
+ return certificates
+
+
+def copy(source, destination, basename=None, mode='0755'):
+ if not os.path.exists(destination):
+ os.makedirs(destination)
+
+ shutil.copy2(src=source, dst=destination)
+
+ file_path = os.path.join(destination, os.path.basename(source))
+ os.chmod(file_path, int(mode, 8))
+
+ if basename:
+ os.rename(file_path, os.path.join(destination, basename))
+
+
+def template(source, context, destination):
+ jinja_template = Template(open(source).read())
+ with open(destination, 'w') as f:
+ f.write(jinja_template.render(context))
diff --git a/dockersible/ssl.py b/dockersible/ssl.py
new file mode 100644
index 0000000..b6c6c6a
--- /dev/null
+++ b/dockersible/ssl.py
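Review bot: `find()` accepts `patterns=None` but immediately calls `patterns.split(',')`, so the default raises `AttributeError` before `pattern_filter`'s own `None` check is ever reached; `if pattern_filter(file, patterns.split(',') if patterns else None):` makes the default usable. In `template()`, `Template(open(source).read())` leaves the source file handle to the garbage collector; reading it with `with open(source) as src:` matches the `with` already used for the destination. `copy()` runs `shutil.copy2` (which preserves the source's mode) before `os.chmod`, so a private key copied with `mode='0600'` is briefly readable under the source's permissions — short-lived and container-local, but worth a comment saying the window is accepted.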
@@ -0,0 +1,18 @@ +import os +import shutil + + +def copy_certificates(certificates, destination='/etc/ssl', domain='example.org'): + private_key_folder = os.path.join(destination, 'private') + if not os.path.exists(private_key_folder): + os.makedirs(private_key_folder) + private_key = os.path.join(private_key_folder, domain + '.key') + shutil.copy2(certificates['key'], private_key) + os.chmod(private_key, 0o600) + + certificates_folder = os.path.join(destination, 'certs') + if not os.path.exists(certificates_folder): + os.makedirs(certificates_folder) + certificate = os.path.join(certificates_folder, domain + '.crt') + shutil.copy2(certificates['crt'], certificate) + os.chmod(certificate, 0o644) diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100644 index 0000000..b06ce4c --- /dev/null +++ b/entrypoint.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +python3 install.py + +exec "$@" \ No newline at end of file diff --git a/install.py b/install.py new file mode 100644 index 0000000..4ff5320 --- /dev/null +++ b/install.py 
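Review bot: `copy_certificates` creates the `private` directory with `os.makedirs(private_key_folder)` and the process default mode, so the key ends up 0600 inside a directory that is typically listable by everyone; pass `mode=0o700` so the directory itself is not readable, e.g. `os.makedirs(private_key_folder, mode=0o700)`. The `shutil.copy2` then `os.chmod` sequence also briefly leaves the key with the source file's mode bits, since `copy2` copies them. This helper does not appear to be called by install.py in this patch, which uses `dockersible.files.copy` for the same job; having two paths with different permission handling is worth consolidating or documenting.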
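Review bot: `python3 install.py` runs without any error check, so if certificate generation or templating fails the script still `exec`s nginx against whatever configuration happens to be on disk. For an entrypoint whose only job is to produce the TLS config, that failure should be fatal: add `set -e` after the shebang, or write `python3 install.py || exit 1`. Keeping `exec "$@"` is correct so nginx runs as PID 1 and receives signals directly.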
@@ -0,0 +1,59 @@ +import os + +import subprocess + +from dockersible.files import copy, template + + +def copy_certificates(): + copy(source=(os.path.join('/certificates', os.environ['private_key'])), + destination='/etc/ssl/private', + basename='private.key', + mode='0600') + copy(source=os.path.join('/certificates', os.environ['certificate']), + destination='/etc/ssl/certs', + basename='certificate.crt', + mode='0644') + context = { + 'server_name': os.environ['server_name'], + 'dhparam': False, + 'ssl_trusted_certificate': False + } + cert_folder = os.path.join('/etc/ssl/certs') + if 'dhparam' in os.environ: + dhparam = os.environ['dhparam'] + copy(source=os.path.join('/certificates', dhparam), destination=cert_folder, mode='0644') + context['dhparam'] = True + context['dhparam_path'] = os.path.join(cert_folder, dhparam) + if 'certificate' in os.environ: + certificate = os.environ['ssl_trusted_certificate'] + copy(source=os.path.join('/certificates', certificate), destination=cert_folder, mode='0644') + context['ssl_trusted_certificate'] = True + context['ssl_trusted_certificate_path'] = os.path.join(cert_folder, certificate) + return context + + +def create_certificates(): + cmd = """openssl req \ + -new \ + -newkey rsa:4096 \ + -days 365 \ + -nodes \ + -x509 \ + -subj "/C=US/ST=State/L=City/O=Company/CN=%s" \ + -keyout /etc/ssl/private/private.key \ + -out /etc/ssl/certs/certificate.crt""".format(os.environ['domain']) + subprocess.call(cmd, shell=True) + return { + 'server_name': os.environ['server_name'], + 'dhparam': False, + 'ssl_trusted_certificate': False + } + + +if __name__ == "__main__": + if 'private_key' in os.environ and 'certificate' in os.environ: + context = copy_certificates() + else: + context = create_certificates() + template('/backend.conf.j2', context, '/etc/nginx/conf.d/backend.conf') diff --git a/mime.types b/mime.types deleted file mode 100644 index b295c78..0000000 --- a/mime.types +++ /dev/null 
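Review bot: In `copy_certificates` the guard `if 'certificate' in os.environ:` tests the wrong variable — this function is only reached from `__main__` when `certificate` is already set, so the body always runs and `os.environ['ssl_trusted_certificate']` raises `KeyError` whenever that optional variable is absent; the check should be `if 'ssl_trusted_certificate' in os.environ:`. In `create_certificates` the `-subj` string uses a `%s` placeholder but is filled with `.format(...)`, so the certificate's CN is the literal text `%s` rather than the domain; and because the command runs with `shell=True`, the `domain` environment value is spliced into a shell command line and the ignored return value from `subprocess.call` means a failed `openssl` run goes unnoticed until nginx cannot find the files. Use the list form with `check_call`, as below.

```python
def create_certificates():
    domain = os.environ['domain']
    subprocess.check_call([
        'openssl', 'req', '-new', '-newkey', 'rsa:4096', '-days', '365',
        '-nodes', '-x509',
        '-subj', '/C=US/ST=State/L=City/O=Company/CN={}'.format(domain),
        '-keyout', '/etc/ssl/private/private.key',
        '-out', '/etc/ssl/certs/certificate.crt',
    ])
    # … unchanged: returned context dict …
```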
@@ -1,135 +0,0 @@ -types { - - # Data interchange - - application/atom+xml atom; - application/json json map topojson; - application/ld+json jsonld; - application/rss+xml rss; - application/vnd.geo+json geojson; - application/xml rdf xml; - - - # JavaScript - - # Normalize to standard type. - # https://tools.ietf.org/html/rfc4329#section-7.2 - application/javascript js; - - - # Manifest files - - application/manifest+json webmanifest; - application/x-web-app-manifest+json webapp; - text/cache-manifest appcache; - - - # Media files - - audio/midi mid midi kar; - audio/mp4 aac f4a f4b m4a; - audio/mpeg mp3; - audio/ogg oga ogg opus; - audio/x-realaudio ra; - audio/x-wav wav; - image/bmp bmp; - image/gif gif; - image/jpeg jpeg jpg; - image/png png; - image/svg+xml svg svgz; - image/tiff tif tiff; - image/vnd.wap.wbmp wbmp; - image/webp webp; - image/x-jng jng; - video/3gpp 3gp 3gpp; - video/mp4 f4p f4v m4v mp4; - video/mpeg mpeg mpg; - video/ogg ogv; - video/quicktime mov; - video/webm webm; - video/x-flv flv; - video/x-mng mng; - video/x-ms-asf asf asx; - video/x-ms-wmv wmv; - video/x-msvideo avi; - - # Serving `.ico` image files with a different media type - # prevents Internet Explorer from displaying then as images: - # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee - - image/x-icon cur ico; - - - # Microsoft Office - - application/msword doc; - application/vnd.ms-excel xls; - application/vnd.ms-powerpoint ppt; - application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; - application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; - - - # Web fonts - - application/font-woff woff; - application/font-woff2 woff2; - application/vnd.ms-fontobject eot; - - # Browsers usually ignore the font media types and simply sniff - # the bytes to figure out the font type. 
- # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern - # - # However, Blink and WebKit based browsers will show a warning - # in the console if the following font types are served with any - # other media types. - - application/x-font-ttf ttc ttf; - font/opentype otf; - - - # Other - - application/java-archive ear jar war; - application/mac-binhex40 hqx; - application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz; - application/pdf pdf; - application/postscript ai eps ps; - application/rtf rtf; - application/vnd.google-earth.kml+xml kml; - application/vnd.google-earth.kmz kmz; - application/vnd.wap.wmlc wmlc; - application/x-7z-compressed 7z; - application/x-bb-appworld bbaw; - application/x-bittorrent torrent; - application/x-chrome-extension crx; - application/x-cocoa cco; - application/x-java-archive-diff jardiff; - application/x-java-jnlp-file jnlp; - application/x-makeself run; - application/x-opera-extension oex; - application/x-perl pl pm; - application/x-pilot pdb prc; - application/x-rar-compressed rar; - application/x-redhat-package-manager rpm; - application/x-sea sea; - application/x-shockwave-flash swf; - application/x-stuffit sit; - application/x-tcl tcl tk; - application/x-x509-ca-cert crt der pem; - application/x-xpinstall xpi; - application/xhtml+xml xhtml; - application/xslt+xml xsl; - application/zip zip; - text/css css; - text/html htm html shtml; - text/mathml mml; - text/plain txt; - text/vcard vcard vcf; - text/vnd.rim.location.xloc xloc; - text/vnd.sun.j2me.app-descriptor jad; - text/vnd.wap.wml wml; - text/vtt vtt; - text/x-component htc; - -} diff --git a/nginx.conf b/nginx.conf deleted file mode 100644 index 988ca80..0000000 --- a/nginx.conf +++ /dev/null 
@@ -1,134 +0,0 @@ -# nginx Configuration File -# http://wiki.nginx.org/Configuration - -# Run as a less privileged user for security reasons. -# user www www; - -# How many worker threads to run; -# "auto" sets it to the number of CPU cores available in the system, and -# offers the best performance. Don't set it higher than the number of CPU -# cores if changing this parameter. - -# The maximum number of connections for Nginx is calculated by: -# max_clients = worker_processes * worker_connections -worker_processes auto; - -# Maximum open file descriptors per process; -# should be > worker_connections. -worker_rlimit_nofile 8192; - -events { - # When you need > 8000 * cpu_cores connections, you start optimizing your OS, - # and this is probably the point at which you hire people who are smarter than - # you, as this is *a lot* of requests. - worker_connections 8000; -} - -# Default error log file -# (this is only used when you don't override error_log on a server{} level) -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - -http { - - # Hide nginx version information. - server_tokens off; - - # Define the MIME types for files. - include mime.types; - default_type application/octet-stream; - - # Update charset_types due to updated mime.types - charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml; - - # Format to use in log files - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - # Default log file - # (this is only used when you don't override access_log on a server{} level) - access_log /var/log/nginx/access.log main; - - # How long to allow each connection to stay idle; longer values are better - # for each individual client, particularly for SSL, but means that worker - # connections are tied up longer. 
(Default: 65) - keepalive_timeout 20; - - # Speed up file transfers by using sendfile() to copy directly - # between descriptors rather than using read()/write(). - # For performance reasons, on FreeBSD systems w/ ZFS - # this option should be disabled as ZFS's ARC caches - # frequently used files in RAM by default. - sendfile on; - - # Tell Nginx not to send out partial frames; this increases throughput - # since TCP frames are filled up before being sent out. (adds TCP_CORK) - tcp_nopush on; - - - # Compression - - # Enable Gzip compressed. - gzip on; - - # Compression level (1-9). - # 5 is a perfect compromise between size and cpu usage, offering about - # 75% reduction for most ascii files (almost identical to level 9). - gzip_comp_level 5; - - # Don't compress anything that's already small and unlikely to shrink much - # if at all (the default is 20 bytes, which is bad as that usually leads to - # larger files after gzipping). - gzip_min_length 256; - - # Compress data even for clients that are connecting to us via proxies, - # identified by the "Via" header (required for CloudFront). - gzip_proxied any; - - # Tell proxies to cache both the gzipped and regular version of a resource - # whenever the client's Accept-Encoding capabilities header varies; - # Avoids the issue where a non-gzip capable client (which is extremely rare - # today) would display gibberish if their proxy gave them the gzipped version. - gzip_vary on; - - # Compress all output labeled with one of the following MIME-types. 
- gzip_types - application/atom+xml - application/javascript - application/json - application/ld+json - application/manifest+json - application/rss+xml - application/vnd.geo+json - application/vnd.ms-fontobject - application/x-font-ttf - application/x-web-app-manifest+json - application/xhtml+xml - application/xml - font/opentype - image/bmp - image/svg+xml - image/x-icon - text/cache-manifest - text/css - text/plain - text/vcard - text/vnd.rim.location.xloc - text/vtt - text/x-component - text/x-cross-domain-policy; - # text/html is always compressed by HttpGzipModule - - # This should be turned on if you are going to have pre-compressed copies (.gz) of - # static files available. If not it should be left off as it will cause extra I/O - # for the check. It is best if you enable this in a location{} block for - # a specific directory, or on an individual server{} level. - # gzip_static on; - - # Include files in the sites-enabled folder. server{} configuration files should be - # placed in the sites-available folder, and then the configuration should be enabled - # by creating a symlink to it in the sites-enabled folder. - # See doc/sites-enabled.md for more info. - include conf.d/*.conf; -} diff --git a/tests/templates/test.j2 b/tests/templates/test.j2 new file mode 100644 index 0000000..13c3927 --- /dev/null +++ b/tests/templates/test.j2 @@ -0,0 +1,3 @@ +{% if dhparam %} +ssl_dhparam {{ dhparam_path }}; +{% endif %} \ No newline at end of file diff --git a/tests/test_dockersible.py b/tests/test_dockersible.py new file mode 100644 index 0000000..07932d9 --- /dev/null +++ b/tests/test_dockersible.py 
@@ -0,0 +1,85 @@ +import os +import shutil +import tempfile +import unittest + +from dockersible.ssl import copy_certificates +from dockersible.files import find, copy, template + + +class DockersibleTestCase(unittest.TestCase): + def test_find(self): + parent_directory = os.path.dirname(os.path.realpath(__file__)) + ssl_directory = os.path.join(parent_directory, 'ssl') + certificates = find(paths=ssl_directory, patterns='*.key,*.crt') + for certificate in certificates: + expected_path = [os.path.join(ssl_directory, 'test.key'), os.path.join(ssl_directory, 'test.crt')] + self.assertTrue(certificate['path'] in expected_path) + + def test_copy_certificates(self): + temp_folder = tempfile.mkdtemp() + private_key_origin = os.path.join(temp_folder, 'test.key') + with open(private_key_origin, 'w') as f: f.write('') + certificate_origin = os.path.join(temp_folder, 'test.crt') + with open(certificate_origin, 'w') as f: f.write('') + certificates = { + 'key': private_key_origin, + 'crt': certificate_origin, + } + copy_certificates(certificates, temp_folder, 'oslab.fr') + private_key = os.path.join(temp_folder, 'private', 'oslab.fr.key') + self.assertTrue(os.path.exists(private_key)) + self.assertTrue((os.stat(private_key).st_mode & 0o777) == 0o600) + self.assertTrue(os.path.exists(private_key_origin)) + + certificate = os.path.join(temp_folder, 'certs', 'oslab.fr.crt') + self.assertTrue(os.path.exists(certificate)) + self.assertTrue((os.stat(certificate).st_mode & 0o777) == 0o644) + self.assertTrue(os.path.exists(certificate_origin)) + shutil.rmtree(temp_folder) + + def test_copy_file(self): + private_key_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'ssl', 'test.key') + destination = tempfile.mkdtemp() + copy(source=private_key_path, destination=destination) + self.assertTrue(os.path.exists(os.path.join(destination, 'test.key'))) + shutil.rmtree(destination) + + def test_copy_file_change_basename(self): + private_key_path = 
os.path.join(os.path.dirname(os.path.realpath(__file__)), 'ssl', 'test.key') + destination = tempfile.mkdtemp() + copy(source=private_key_path, destination=destination, basename='lesspass.com.key', mode='0600') + self.assertTrue(os.path.exists(os.path.join(destination, 'lesspass.com.key'))) + shutil.rmtree(destination) + + def test_copy_file_change_mode(self): + private_key_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'ssl', 'test.key') + destination = tempfile.mkdtemp() + + copy(source=private_key_path, destination=destination) + expected_private_key_path = os.path.join(destination, 'test.key') + self.assertTrue((os.stat(expected_private_key_path).st_mode & 0o777) == 0o755) + + copy(source=private_key_path, destination=destination, basename='lesspass.com.key', mode='0600') + expected_private_key_path = os.path.join(destination, 'lesspass.com.key') + self.assertTrue((os.stat(expected_private_key_path).st_mode & 0o777) == 0o600) + + shutil.rmtree(destination) + + def test_template_module_with_source_file(self): + template_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'templates', 'test.j2') + destination = tempfile.mkdtemp() + context = { + 'dhparam': True, + 'dhparam_path': '/etc/ssl/certs/dhparam.pem' + } + destination_file = os.path.join(destination, 'test.txt') + + template(source=template_path, context=context, destination=destination_file) + + self.assertEqual('\nssl_dhparam /etc/ssl/certs/dhparam.pem;\n', open(destination_file).read()) + shutil.rmtree(destination) + + +if __name__ == '__main__': + unittest.main() From a296233acfa5050f18e7885f524ddc97a2272976 Mon Sep 17 00:00:00 2001 
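Review bot: `test_find` passes vacuously when `find` returns an empty list, because its only assertion sits inside the `for` loop; add `self.assertEqual(len(certificates), 2)` (or compare the sorted paths against the expected list) before the loop. `test_copy_file_change_mode` asserts that `copy()` without an explicit mode leaves a private key at 0o755, which pins the permissive default rather than guarding against it; if that default is tightened the expectation here must move with it. Each test also removes its temporary directory with `shutil.rmtree` at the end of the method instead of via `self.addCleanup(shutil.rmtree, destination)`, so a failing assertion leaves copied key files behind in the temp area.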
From: Guillaume Vincent Date: Sat, 16 Apr 2016 13:52:05 +0200 Subject: [PATCH 05/29] simplify ssl generation --- README.md | 38 ++++++++++++++++++++++++++ backend.conf.j2 | 16 ++++++----- docker.env | 15 ----------- install.py | 84 ++++++++++++++++++++++++++------------------------------- 4 files changed, 86 insertions(+), 67 deletions(-) delete mode 100644 docker.env diff --git a/README.md b/README.md index 9dbcef1..1a2c741 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,41 @@ # nginx nginx container for lesspass +## custom SSL certificate + +change domain name in `docker-compose.yml` file + +replace YOUR_DOMAIN_NAME + + ..... + ports: + - "8080:8080" + nginx: + restart: always + build: ./nginx + ports: + - "80:80" + - "443:443" + environment: + - domain=YOUR_DOMAIN_NAME + volumes: + - ./nginx/ssl:/certificates + volumes_from: + - backend + links: + - backend + - frontend + ..... + +copy your private key to `ssl/YOUR_DOMAIN_NAME.key` +copy your certificate to `ssl/YOUR_DOMAIN_NAME.crt` + +if you have extra certificate authorities, copy the file to `ssl/YOUR_DOMAIN_NAME.ca.crt` +if you have a DH parameter file, copy the file to `ssl/YOUR_DOMAIN_NAME.dhparam.pem` + + +Example if your domain is `lesspass.com` + + ls ssl/ + lesspass.com.ca.crt lesspass.com.crt lesspass.com.dhparam.pem lesspass.com.key + diff --git a/backend.conf.j2 b/backend.conf.j2 index 8749bcc..53cbb8d 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -1,6 +1,6 @@ server { listen 80; - server_name {{ server_name }}; + server_name localhost *.{{ domain }}; return 301 https://$server_name$request_uri; } @@ -10,7 +10,7 @@ server { listen [::]:443 ssl; listen 443 ssl; - server_name {{ server_name }}; + server_name localhost *.{{ domain }}; charset utf-8; 
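Review bot: With `server_name localhost *.{{ domain }};` the unchanged `return 301 https://$server_name$request_uri;` in the first hunk now sends every plain-HTTP client to `https://localhost/...`, because `$server_name` is the primary (first-listed) name of the server block rather than the name the client used. Redirect with `return 301 https://$host$request_uri;` instead; `$host` is bounded here by the `server_name` match on this block, so it is not an open redirect. Note also that the wildcard `*.{{ domain }}` does not match the bare `{{ domain }}`; `.{{ domain }}` would cover both.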
@@ -23,14 +23,18 @@ server { ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; ssl_prefer_server_ciphers on; - ssl_stapling on; - ssl_stapling_verify on; + {% if dhparam %} - ssl_dhparam {{ dhparam_path }}; + ssl_dhparam /etc/ssl/certs/dhparam.pem; {% endif %} {% if ssl_trusted_certificate %} - ssl_trusted_certificate {{ ssl_trusted_certificate_path }}; + resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; + resolver_timeout 10s; + + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/ssl/certs/ca.crt; {% endif %} add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; diff --git a/docker.env b/docker.env deleted file mode 100644 index 9ff7907..0000000 --- a/docker.env +++ /dev/null 
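Review bot: Gating `ssl_stapling`/`ssl_stapling_verify` on `ssl_trusted_certificate` is the right dependency, but the file at `/etc/ssl/certs/ca.crt` has to contain the issuer's intermediate and root certificates for `ssl_stapling_verify on` to succeed; with only a partial chain nginx typically logs a verification failure and quietly serves no staple, so a comment above the block saying so would help operators. The hard-coded `resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220` sends the OCSP responder lookups to external DNS over plaintext UDP from inside the container, and stapling degrades silently if that egress is blocked — consider making the resolver a template variable. The surrounding context lines still offer `TLSv1 TLSv1.1` and `DES-CBC3-SHA`; this commit does not touch them, but they are the larger exposure in this server block, which starts before the hunk.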
@@ -1,15 +0,0 @@ -############################### -## self-signed certificates ## -############################### -domain=lesspass.com -server_name=localhost -############################### -## use custom certificate ## -############################### -#domain, server_name, private_key and certificate are mandatory -#domain=lesspass.com -#server_name=localhost *.lesspass.com -#private_key=lesspass.com.key -#certificate=lesspass.com.crt -#dhparam=dhparam.pem -#ssl_trusted_certificate=AddTrustExternalCARoot.crt diff --git a/install.py b/install.py index 4ff5320..7b254c5 100644 --- a/install.py +++ b/install.py 
@@ -5,55 +5,47 @@ import subprocess from dockersible.files import copy, template -def copy_certificates(): - copy(source=(os.path.join('/certificates', os.environ['private_key'])), - destination='/etc/ssl/private', - basename='private.key', - mode='0600') - copy(source=os.path.join('/certificates', os.environ['certificate']), - destination='/etc/ssl/certs', - basename='certificate.crt', - mode='0644') - context = { - 'server_name': os.environ['server_name'], - 'dhparam': False, - 'ssl_trusted_certificate': False - } - cert_folder = os.path.join('/etc/ssl/certs') - if 'dhparam' in os.environ: - dhparam = os.environ['dhparam'] - copy(source=os.path.join('/certificates', dhparam), destination=cert_folder, mode='0644') - context['dhparam'] = True - context['dhparam_path'] = os.path.join(cert_folder, dhparam) - if 'certificate' in os.environ: - certificate = os.environ['ssl_trusted_certificate'] - copy(source=os.path.join('/certificates', certificate), destination=cert_folder, mode='0644') - context['ssl_trusted_certificate'] = True - context['ssl_trusted_certificate_path'] = os.path.join(cert_folder, certificate) - return context - - -def create_certificates(): - cmd = """openssl req \ - -new \ - -newkey rsa:4096 \ - -days 365 \ - -nodes \ - -x509 \ - -subj "/C=US/ST=State/L=City/O=Company/CN=%s" \ - -keyout /etc/ssl/private/private.key \ - -out /etc/ssl/certs/certificate.crt""".format(os.environ['domain']) - subprocess.call(cmd, shell=True) - return { - 'server_name': os.environ['server_name'], +def get_ssl_context(environ): + domain = environ['domain'] + nginx_info = { + 'domain': domain, 'dhparam': False, 'ssl_trusted_certificate': False } + dhparam = os.path.join('/certificates', domain + '.dhparam.pem') + if os.path.exists(dhparam): + nginx_info['dhparam'] = True + copy(source=dhparam, destination='/etc/ssl/certs', basename='dhparam.pem', mode='0644') + + trusted_certificates = os.path.join('/certificates', domain + '.ca.crt') + if 
os.path.exists(trusted_certificates): + nginx_info['ssl_trusted_certificate'] = True + copy(source=trusted_certificates, destination='/etc/ssl/certs', basename='ca.crt', mode='0644') + + return nginx_info + + +def get_certificates(domain): + private_key = os.path.join('/certificates', domain + '.key') + certificate = os.path.join('/certificates', domain + '.crt') + if not os.path.exists(private_key) or not os.path.exists(certificate): + cmd = """openssl req \ + -new \ + -newkey rsa:4096 \ + -days 365 \ + -nodes \ + -x509 \ + -subj "/C=US/ST=State/L=City/O=Company/CN={}" \ + -keyout {} \ + -out {}""".format(domain, private_key, certificate) + subprocess.call(cmd, shell=True) + return private_key, certificate + if __name__ == "__main__": - if 'private_key' in os.environ and 'certificate' in os.environ: - context = copy_certificates() - else: - context = create_certificates() - template('/backend.conf.j2', context, '/etc/nginx/conf.d/backend.conf') + pk, crt = get_certificates(os.environ['domain']) + copy(source=pk, destination='/etc/ssl/private', basename='private.key', mode='0600') + copy(source=crt, destination='/etc/ssl/certs', basename='certificate.crt', mode='0644') + + template('/backend.conf.j2', get_ssl_context(os.environ), '/etc/nginx/conf.d/backend.conf') From 0f7f31d5fe10efaba84c302706142bdf9f469341 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Tue, 17 May 2016 15:56:42 +0200 Subject: [PATCH 06/29] standardization of sub modules --- LICENSE | 21 --------------------- README.md | 41 ----------------------------------------- license | 21 +++++++++++++++++++++ readme.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 63 insertions(+), 62 deletions(-) delete mode 100644 LICENSE delete mode 100644 README.md create mode 100644 license create mode 100644 readme.md diff --git a/LICENSE b/LICENSE deleted file mode 100644 index 853b46d..0000000 --- a/LICENSE +++ /dev/null 
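Review bot: `get_certificates` still builds the `openssl` invocation as a shell string with `shell=True`, splicing the `domain` environment value straight into the command line, and it ignores the return value of `subprocess.call`, so a failed key generation only surfaces later as a missing-file error from `copy()`. Use the list form with `subprocess.check_call` and tighten the key's mode right after creation, as below. The generated key is now written to `/certificates/<domain>.key` rather than `/etc/ssl/private`; if `/certificates` is the mounted host directory the readme describes, the self-signed key lands on the host with whatever mode openssl chooses — presumably intended so it persists across restarts, but that deserves a comment. `get_ssl_context` also reads `environ['domain']` unconditionally, so a missing `domain` fails with a bare `KeyError` rather than a clear message.

```python
def get_certificates(domain):
    private_key = os.path.join('/certificates', domain + '.key')
    certificate = os.path.join('/certificates', domain + '.crt')
    if not os.path.exists(private_key) or not os.path.exists(certificate):
        subprocess.check_call([
            'openssl', 'req', '-new', '-newkey', 'rsa:4096', '-days', '365',
            '-nodes', '-x509',
            '-subj', '/C=US/ST=State/L=City/O=Company/CN={}'.format(domain),
            '-keyout', private_key,
            '-out', certificate,
        ])
        os.chmod(private_key, 0o600)
    return private_key, certificate
```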
@@ -1,21 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2016 - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/README.md b/README.md deleted file mode 100644 index 1a2c741..0000000 --- a/README.md +++ /dev/null 
@@ -1,41 +0,0 @@ -# nginx -nginx container for lesspass - -## custom SSL certificate - -change domain name in `docker-compose.yml` file - -replace YOUR_DOMAIN_NAME - - ..... - ports: - - "8080:8080" - nginx: - restart: always - build: ./nginx - ports: - - "80:80" - - "443:443" - environment: - - domain=YOUR_DOMAIN_NAME - volumes: - - ./nginx/ssl:/certificates - volumes_from: - - backend - links: - - backend - - frontend - ..... - -copy your private key to `ssl/YOUR_DOMAIN_NAME.key` -copy your certificate to `ssl/YOUR_DOMAIN_NAME.crt` - -if you have extra certificate authorities, copy the file to `ssl/YOUR_DOMAIN_NAME.ca.crt` -if you have a DH parameter file, copy the file to `ssl/YOUR_DOMAIN_NAME.dhparam.pem` - - -Example if your domain is `lesspass.com` - - ls ssl/ - lesspass.com.ca.crt lesspass.com.crt lesspass.com.dhparam.pem lesspass.com.key - diff --git a/license b/license new file mode 100644 index 0000000..6a8501b --- /dev/null +++ b/license 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) Guillaume Vincent (guillaumevincent.com) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..f4a3c61 --- /dev/null +++ b/readme.md 
@@ -0,0 +1,42 @@ +# nginx +nginx container for lesspass + +## custom SSL certificate + +change domain name in `docker-compose.yml` file + +replace YOUR_DOMAIN_NAME + + ..... + ports: + - "8080:8080" + nginx: + restart: always + build: ./nginx + ports: + - "80:80" + - "443:443" + environment: + - domain=YOUR_DOMAIN_NAME + volumes: + - ./nginx/ssl:/certificates + volumes_from: + - backend + links: + - backend + - frontend + ..... + +copy your private key to `ssl/YOUR_DOMAIN_NAME.key` +copy your certificate to `ssl/YOUR_DOMAIN_NAME.crt` + +if you have extra certificate authorities, copy the file to `ssl/YOUR_DOMAIN_NAME.ca.crt` +if you have a DH parameter file, copy the file to `ssl/YOUR_DOMAIN_NAME.dhparam.pem` + + +Example if your domain is `lesspass.com` + + ls ssl/ + lesspass.com.ca.crt lesspass.com.crt lesspass.com.dhparam.pem lesspass.com.key + +[lesspass submodule](https://github.com/lesspass/lesspass) \ No newline at end of file From b86f6f2e596492a24187eb1fe3cd31d296476dc1 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Fri, 3 Jun 2016 15:09:49 +0200 Subject: [PATCH 07/29] fix documentation --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index f4a3c61..0ed8c42 100644 --- a/readme.md +++ b/readme.md @@ -39,4 +39,4 @@ Example if your domain is `lesspass.com` ls ssl/ lesspass.com.ca.crt lesspass.com.crt lesspass.com.dhparam.pem lesspass.com.key -[lesspass submodule](https://github.com/lesspass/lesspass) \ No newline at end of file +see [lesspass](https://github.com/lesspass/lesspass) project \ No newline at end of file From ab5780e6b2454844e406b2d0c85c18b5b900815d Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sat, 4 Jun 2016 22:58:51 +0200 Subject: [PATCH 08/29] update readme --- readme.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 0ed8c42..c51dcbb 100644 --- a/readme.md +++ b/readme.md 
@@ -1,4 +1,5 @@ -# nginx +# LessPass nginx + nginx container for lesspass ## custom SSL certificate From 129c83806d770dd451aa55a38855bd61f5187031 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Mon, 6 Jun 2016 08:49:18 +0200 Subject: [PATCH 09/29] update documentation --- readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/readme.md b/readme.md index c51dcbb..12bb19b 100644 --- a/readme.md +++ b/readme.md @@ -1,6 +1,6 @@ # LessPass nginx -nginx container for lesspass +nginx container for LessPass ## custom SSL certificate @@ -40,4 +40,4 @@ Example if your domain is `lesspass.com` ls ssl/ lesspass.com.ca.crt lesspass.com.crt lesspass.com.dhparam.pem lesspass.com.key -see [lesspass](https://github.com/lesspass/lesspass) project \ No newline at end of file +see [LessPass](https://github.com/lesspass/lesspass) project \ No newline at end of file From 14cc12d27ddd424a56d9b26eef975632c02cc3fc Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Tue, 7 Jun 2016 17:11:34 +0200 Subject: [PATCH 10/29] fix error in nginx config --- backend.conf.j2 | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/backend.conf.j2 b/backend.conf.j2 index 53cbb8d..d159ae8 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -1,16 +1,18 @@ server { - listen 80; - server_name localhost *.{{ domain }}; + server_name www.{{ domain }}; + return 301 $scheme://{{ domain }}$request_uri; +} +server { + server_name {{ domain }} localhost; return 301 https://$server_name$request_uri; } - server { listen [::]:443 ssl; listen 443 ssl; - server_name localhost *.{{ domain }}; + server_name {{ domain }} localhost; charset utf-8; From ad4e9531dcf908ffea5782b23709aca1496b3794 Mon Sep 17 00:00:00 2001 
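Review bot: The new `www.{{ domain }}` block redirects with `return 301 $scheme://{{ domain }}$request_uri;`, so an `http://www.` request makes one extra plaintext hop to `http://{{ domain }}` before the second block upgrades it; redirecting straight to `https://{{ domain }}$request_uri` removes that hop. Both HTTP blocks now have no `listen` directive and rely on nginx's default, which is port 80 when the master runs as root — presumably intended, but an explicit `listen 80;` makes the intent clear and avoids surprises if the container is ever run unprivileged. There is also no 443 server for `www.{{ domain }}`, so HTTPS requests to the `www` name land on the default TLS server under the bare-domain certificate.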
From: Guillaume Vincent Date: Fri, 10 Jun 2016 18:53:37 +0200 Subject: [PATCH 11/29] update nginx to 1.10.1 and open ssl 1.0.2h --- Dockerfile | 2 +- backend.conf.j2 | 51 ++++++++++++++++++++++++--------------------------- 2 files changed, 25 insertions(+), 28 deletions(-) diff --git a/Dockerfile b/Dockerfile index b42c74f..97ea3fc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.8-alpine +FROM nginx:1.10-alpine RUN apk update && apk add \ python3 \ diff --git a/backend.conf.j2 b/backend.conf.j2 index d159ae8..3b054a8 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 
@@ -1,45 +1,42 @@ server { - server_name www.{{ domain }}; - return 301 $scheme://{{ domain }}$request_uri; -} - -server { server_name {{ domain }} localhost; return 301 https://$server_name$request_uri; } server { - listen [::]:443 ssl; - listen 443 ssl; - - server_name {{ domain }} localhost; - - charset utf-8; - - ssl_certificate /etc/ssl/certs/certificate.crt; - ssl_certificate_key /etc/ssl/private/private.key; - - ssl_session_cache shared:SSL:20m; - ssl_session_timeout 30m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; - ssl_prefer_server_ciphers on; + listen 443 ssl http2; + listen [::]:443 ssl http2; + ssl_certificate /etc/ssl/certs/certificate.crt; + ssl_certificate_key /etc/ssl/private/private.key; + ssl_session_timeout 30m; + ssl_session_cache shared:SSL:20m; + ssl_session_tickets off; {% if dhparam %} + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /etc/ssl/certs/dhparam.pem; {% endif %} + + # modern configuration. tweak to your needs. 
+ ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + {% if ssl_trusted_certificate %} - resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; - resolver_timeout 10s; + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; - ssl_stapling on; - ssl_stapling_verify on; + ## verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /etc/ssl/certs/ca.crt; -{% endif %} - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; +{% endif %} location ~ /(static|media)/ { autoindex on; From 34c2913c10e889a68ee8e14fcd10b9a34f8f335c Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Tue, 14 Jun 2016 08:19:35 +0200 Subject: [PATCH 12/29] update nginx template for dev and prod deployment --- backend.conf.j2 | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/backend.conf.j2 b/backend.conf.j2 index 3b054a8..03a542a 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -1,5 +1,9 @@ server { - server_name {{ domain }} localhost; +{% if domain %} + server_name {{ domain }}; +{% else %} + server_name localhost; +{% endif %} return 301 https://$server_name$request_uri; } From 8b1f3a3d759c037b45115c2c36499fbea262acbd Mon Sep 17 00:00:00 2001 
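Review bot: The HSTS line regresses: `add_header Strict-Transport-Security max-age=15768000;` drops both `includeSubDomains` and the `always` parameter that the removed line had, and without `always` nginx only emits the header on 2xx/3xx responses, so error pages from the backend go out without it. Unless the shorter max-age is deliberate, `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;` keeps the previous guarantees. The 443 server also loses its `server_name {{ domain }} localhost;` line and no replacement is added in the hunk, so it only works as the implicit sole server on that port; `resolver_timeout` disappears as well while `ssl_stapling_verify on` still depends on the resolver. The server block continues past the end of the hunk.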
From: Guillaume Vincent Date: Thu, 6 Oct 2016 00:24:55 +0200 Subject: [PATCH 13/29] add issue template --- ISSUE_TEMPLATE | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 ISSUE_TEMPLATE diff --git a/ISSUE_TEMPLATE b/ISSUE_TEMPLATE new file mode 100644 index 0000000..6b2ed8e --- /dev/null +++ b/ISSUE_TEMPLATE @@ -0,0 +1,9 @@ +**Thank you for taking your time to fill out an issue.** + +To make it easier to manage, can you put this issue in LessPass super project ? + +https://github.com/lesspass/lesspass/issues + +:heart: + +Thanks \ No newline at end of file From 0d55032eb84c44c1f64097d036fc7f8869d510fa Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sat, 15 Oct 2016 09:07:52 +0200 Subject: [PATCH 14/29] simplify nginx conf --- backend.conf.j2 | 33 ++++++++++++++++++++------------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/backend.conf.j2 b/backend.conf.j2 index 03a542a..4dbcee1 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -42,22 +42,29 @@ server { resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; {% endif %} - location ~ /(static|media)/ { - autoindex on; - root /backend/www; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Scheme $scheme; + + location / { + proxy_pass http://frontend:8080; } - location ~ /(api|admin) { + location /admin/ { proxy_pass http://backend:8000; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - location / { - proxy_pass http://frontend:8080; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + location /api/ { + proxy_pass http://backend:8000; } -} \ No newline at end of file + + location /static/ { + autoindex on; + root /backend/www; + } + + location /media/ { + autoindex on; + root /backend/www; + } +} 
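Review bot: The prefix blocks `location /admin/` and `location /api/` no longer match `/admin` or `/api` without a trailing slash, which the replaced `~ /(api|admin)` regex did, so those requests now fall through to `location /` and reach the frontend instead of the backend; `location = /admin { return 301 /admin/; }` (and the same for `/api`) restores the old routing explicitly. `autoindex on` under `/static/` and `/media/` publishes directory listings of `/backend/www`, which is rarely wanted for an uploads directory; if listing is intentional, a comment saying so on those lines would stop the next reader from removing it. The server block starts outside the hunk.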
From b042948973cd03c4e8b51e6bcfa08dea1fd1f6c7 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sat, 15 Oct 2016 13:12:42 +0200 Subject: [PATCH 15/29] try to fix admin redirect loop with ssl --- backend.conf.j2 | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/backend.conf.j2 b/backend.conf.j2 index 4dbcee1..6309d42 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -1,6 +1,7 @@ server { + listen 80; {% if domain %} - server_name {{ domain }}; + server_name {{ domain }} www.{{ domain }}; {% else %} server_name localhost; {% endif %} @@ -42,20 +43,32 @@ server { resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; {% endif %} - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Scheme $scheme; location / { proxy_pass http://frontend:8080; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_redirect off; } location /admin/ { proxy_pass http://backend:8000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_redirect off; } location /api/ { proxy_pass http://backend:8000; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_redirect off; } location /static/ { From c885735ca7bf1f99bafa429f2ea498c343e4c3b3 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sun, 16 Oct 2016 11:02:28 +0200 Subject: [PATCH 16/29] clean backend with new folder structure --- backend.conf.j2 | 22 ++++++---------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/backend.conf.j2 b/backend.conf.j2 index 6309d42..5700a47 100644 
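Review bot: `proxy_redirect off` in all three locations passes backend `Location` headers through unrewritten, so this only avoids the redirect loop if the backend builds absolute URLs from the `Host` and `X-Forwarded-Proto` values set here; a comment above the first `proxy_redirect off` stating that dependency would make the fix understandable later. `X-Forwarded-For $proxy_add_x_forwarded_for` appends to whatever the client already sent, so the backend must treat `X-Real-IP $remote_addr` as the trustworthy client address for logging or rate limiting — worth a comment such as `# X-Forwarded-For keeps client-supplied values; use X-Real-IP for trust decisions`. Both server blocks continue outside the hunks.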
--- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -43,32 +43,22 @@ server { resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; {% endif %} + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_redirect off; location / { proxy_pass http://frontend:8080; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_redirect off; } location /admin/ { proxy_pass http://backend:8000; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_redirect off; } - location /api/ { + location /backend/ { proxy_pass http://backend:8000; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_redirect off; } location /static/ { From 4242fd37a69347eccd8c38b68b7eba94375ddffa Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sun, 16 Oct 2016 16:11:53 +0200 Subject: [PATCH 17/29] use a more generic base image name --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 97ea3fc..49387ea 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM nginx:1.10-alpine +FROM nginx:stable-alpine RUN apk update && apk add \ python3 \ From 9155a112e0e7f552114199bced2e88d3d73ca3d0 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sun, 16 Oct 2016 23:20:52 +0200 Subject: [PATCH 18/29] set proxy_set_header in location block --- backend.conf.j2 | 37 ++++++++++++++++--------------------- 1 file changed, 16 insertions(+), 21 deletions(-) 
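Review bot: Hoisting the five `proxy_set_header` lines and `proxy_redirect off` to server level works only while no location declares a `proxy_set_header` of its own, because nginx inherits these directives as a complete set and a single location-level `proxy_set_header` silently discards all inherited ones. A comment above the hoisted block, `# inherited as a whole set: adding any proxy_set_header inside a location below drops all of these`, guards against that. The server block starts outside the hunk.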
diff --git a/backend.conf.j2 b/backend.conf.j2 index 5700a47..f91a633 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -43,31 +43,26 @@ server { resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; {% endif %} - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Real-IP $remote_addr; - proxy_redirect off; - - location / { - proxy_pass http://frontend:8080; - } - - location /admin/ { - proxy_pass http://backend:8000; + location ~ /(static|media)/ { + autoindex on; + root /backend/www; } - location /backend/ { + location ~ /(api|admin) { proxy_pass http://backend:8000; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_redirect off; } - location /static/ { - autoindex on; - root /backend/www; - } - - location /media/ { - autoindex on; - root /backend/www; + location / { + proxy_pass http://frontend:8080; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_redirect off; } } From 03381a84158009383f5c918e4dbdc13b1d68b3d5 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Mon, 17 Oct 2016 00:47:01 +0200 Subject: [PATCH 19/29] configure default server --- Dockerfile | 1 - backend.conf.j2 | 5 ++++- conf.d/default.conf | 4 ---- install.py | 6 +++--- 4 files changed, 7 insertions(+), 9 deletions(-) delete mode 100644 conf.d/default.conf diff --git a/Dockerfile b/Dockerfile index 49387ea..2963f99 100644 --- a/Dockerfile +++ b/Dockerfile 
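Review bot: `location ~ /(api|admin)` is unanchored, so any URI containing `/api` or `/admin` at any position (for example `/foo/apiary` or `/x/administrator`) is proxied to the backend rather than the frontend; `location ~ ^/(api|admin)(/|$)` pins the match to the path start. The same applies to `location ~ /(static|media)/`, which should be `^/(static|media)/` so that only the two intended directories under `root /backend/www` are served from disk. `autoindex on` there still exposes directory listings, as in the previous version. The server block starts outside the hunk.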
@@ -16,7 +16,6 @@ COPY conf.d/nginx.conf /etc/nginx/nginx.conf COPY conf.d/mime.types /etc/nginx/mime.types RUN rm /etc/nginx/conf.d/default.conf -COPY conf.d/default.conf /etc/nginx/conf.d/default.conf RUN mkdir /dockersible COPY dockersible/ /dockersible diff --git a/backend.conf.j2 b/backend.conf.j2 index f91a633..de3d4ba 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -1,5 +1,6 @@ server { - listen 80; + listen 80 default_server; + listen [::]:80 default_server; {% if domain %} server_name {{ domain }} www.{{ domain }}; {% else %} @@ -54,6 +55,7 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Url-Scheme $scheme; proxy_redirect off; } @@ -63,6 +65,7 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Url-Scheme $scheme; proxy_redirect off; } } diff --git a/conf.d/default.conf b/conf.d/default.conf deleted file mode 100644 index 9b8f8ab..0000000 --- a/conf.d/default.conf +++ /dev/null @@ -1,4 +0,0 @@ -server { - listen 80 default_server; - return 444; -} diff --git a/install.py b/install.py index 7b254c5..c5aca90 100644 --- a/install.py +++ b/install.py @@ -6,7 +6,7 @@ from dockersible.files import copy, template def get_ssl_context(environ): - domain = environ['domain'] + domain = environ['DOMAIN'] nginx_info = { 'domain': domain, 'dhparam': False, 
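Review bot: With `conf.d/default.conf` deleted and `listen 80 default_server;` / `listen [::]:80 default_server;` moved onto the redirect server, requests for any unknown Host are no longer dropped with 444 but redirected to `https://$server_name$request_uri`; if the old refuse-unknown-hosts behaviour is still wanted, a separate `default_server` block returning 444 is needed on port 80 (and presumably on 443, whose listen lines are outside this hunk). The added `proxy_set_header X-Url-Scheme $scheme;` duplicates the existing `X-Forwarded-Proto`; a comment naming the backend setting that consumes `X-Url-Scheme` would explain why both are sent. The server block and both location blocks start outside their hunks.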
@@ -44,8 +44,8 @@ def get_certificates(domain): if __name__ == "__main__": - pk, crt = get_certificates(os.environ['domain']) + pk, crt = get_certificates(os.environ['DOMAIN']) copy(source=pk, destination='/etc/ssl/private', basename='private.key', mode='0600') copy(source=crt, destination='/etc/ssl/certs', basename='certificate.crt', mode='0644') - template('/backend.conf.j2', get_ssl_context(os.environ), '/etc/nginx/conf.d/backend.conf') + template('/backend.conf.j2', get_ssl_context(os.environ), '/etc/nginx/conf.d/default.conf') From 2d7d8b675ca0a9e68d2d315781a7912ee51893c0 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Thu, 20 Oct 2016 11:20:56 +0200 Subject: [PATCH 20/29] add license in readme --- readme.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 12bb19b..c8da8fb 100644 --- a/readme.md +++ b/readme.md @@ -40,4 +40,9 @@ Example if your domain is `lesspass.com` ls ssl/ lesspass.com.ca.crt lesspass.com.crt lesspass.com.dhparam.pem lesspass.com.key -see [LessPass](https://github.com/lesspass/lesspass) project \ No newline at end of file +## License + +MIT © [Guillaume Vincent](http://guillaumevincent.com) + + +## [LessPass project](https://github.com/lesspass/lesspass) \ No newline at end of file From 8896f5cc6f6e4023474741a026333cfbbc6a1735 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Thu, 20 Oct 2016 14:00:22 +0200 Subject: [PATCH 21/29] update ISSUE_TEMPLATE file --- ISSUE_TEMPLATE | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ISSUE_TEMPLATE b/ISSUE_TEMPLATE index 6b2ed8e..f6acdd8 100644 --- a/ISSUE_TEMPLATE +++ b/ISSUE_TEMPLATE @@ -1,3 +1,5 @@ + + **Thank you for taking your time to fill out an issue.** To make it easier to manage, can you put this issue in LessPass super project ? From 287609f5c138f8ff26c11d335fd492a48b19577e Mon Sep 17 00:00:00 2001 
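Review bot: `os.environ['DOMAIN']` raises `KeyError` when the variable is unset, and `get_ssl_context` in the previous hunk does the same lookup, so the template's `{% if domain %} … {% else %} server_name localhost;` fallback can no longer be reached — a container started without `DOMAIN` now fails before rendering. If the localhost path is meant to stay usable, `os.environ.get('DOMAIN', '')` in both places keeps it. The `get_certificates` definition and the top of the `__main__` block are outside the hunk.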
From: Guillaume Vincent Date: Thu, 20 Oct 2016 16:23:52 +0200 Subject: [PATCH 22/29] update readme --- readme.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/readme.md b/readme.md index c8da8fb..c7b69e0 100644 --- a/readme.md +++ b/readme.md @@ -1,6 +1,4 @@ -# LessPass nginx - -nginx container for LessPass +> nginx container for LessPass ## custom SSL certificate From 704749c79490455810fb44d616fd2006d2ae5e2d Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Tue, 25 Oct 2016 17:53:04 +0200 Subject: [PATCH 23/29] update readme --- readme.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/readme.md b/readme.md index c7b69e0..0694e0c 100644 --- a/readme.md +++ b/readme.md @@ -43,4 +43,6 @@ Example if your domain is `lesspass.com` MIT © [Guillaume Vincent](http://guillaumevincent.com) -## [LessPass project](https://github.com/lesspass/lesspass) \ No newline at end of file +## Issues + +report issues on [LessPass project](https://github.com/lesspass/lesspass/issues) \ No newline at end of file From 93bc83da31d079992cc4e9368f571f4ab771b402 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sat, 29 Oct 2016 19:00:40 +0200 Subject: [PATCH 24/29] change license from MIT to GNU GPLv3 --- LICENSE | 674 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ license | 21 -- readme.md | 2 +- 3 files changed, 675 insertions(+), 22 deletions(-) create mode 100644 LICENSE delete mode 100644 license diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..9cecc1d --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + {one line to give the program's name and a brief idea of what it does.} + Copyright (C) {year} {name of author} + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + {project} Copyright (C) {year} {fullname} + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. 
diff --git a/license b/license deleted file mode 100644 index 6a8501b..0000000 --- a/license +++ /dev/null @@ -1,21 +0,0 @@ -The MIT License (MIT) - -Copyright (c) Guillaume Vincent (guillaumevincent.com) - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. diff --git a/readme.md b/readme.md index 0694e0c..4100cbd 100644 --- a/readme.md +++ b/readme.md @@ -40,7 +40,7 @@ Example if your domain is `lesspass.com` ## License -MIT © [Guillaume Vincent](http://guillaumevincent.com) +This project is licensed under the terms of the GNU GPLv3. ## Issues From ed80a2f89204c8c2c99eb1194586fcc5b3929135 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Mon, 7 Nov 2016 14:58:26 +0100 Subject: [PATCH 25/29] remove useless ISSUE_TEMPLATE --- ISSUE_TEMPLATE | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 ISSUE_TEMPLATE diff --git a/ISSUE_TEMPLATE b/ISSUE_TEMPLATE deleted file mode 100644 index f6acdd8..0000000 --- a/ISSUE_TEMPLATE +++ /dev/null 
@@ -1,11 +0,0 @@ - - -**Thank you for taking your time to fill out an issue.** - -To make it easier to manage, can you put this issue in LessPass super project ? - -https://github.com/lesspass/lesspass/issues - -:heart: - -Thanks \ No newline at end of file From 14b33a260f6be16cdf9aeb13ef8b363162953733 Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sat, 29 Jul 2017 13:12:54 +0200 Subject: [PATCH 26/29] Use LetsEncrypt certificate --- .gitignore | 1 - Dockerfile | 9 +---- backend.conf.j2 | 16 +++------ dockersible/__init__.py | 0 dockersible/files.py | 44 ------------------------ dockersible/ssl.py | 18 ---------- install.py | 53 ++++------------------------- readme.md | 38 --------------------- tests/templates/test.j2 | 3 -- tests/test_dockersible.py | 85 ----------------------------------------------- 10 files changed, 12 insertions(+), 255 deletions(-) delete mode 100644 .gitignore delete mode 100644 dockersible/__init__.py delete mode 100644 dockersible/files.py delete mode 100644 dockersible/ssl.py delete mode 100644 tests/templates/test.j2 delete mode 100644 tests/test_dockersible.py diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 6a0b115..0000000 --- a/.gitignore +++ /dev/null @@ -1 +0,0 @@ -ssl/ diff --git a/Dockerfile b/Dockerfile index 2963f99..21f466b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,9 +3,7 @@ FROM nginx:stable-alpine RUN apk update && apk add \ python3 \ openssl \ - && python3 -m ensurepip \ - && rm -r /usr/lib/python*/ensurepip \ - && pip3 install --upgrade pip setuptools \ + && pip3 install --upgrade pip \ && rm -rf /var/cache/apk/* RUN pip3 install Jinja2==2.8 @@ -17,14 +15,9 @@ COPY conf.d/mime.types /etc/nginx/mime.types RUN rm /etc/nginx/conf.d/default.conf -RUN mkdir /dockersible -COPY dockersible/ /dockersible COPY backend.conf.j2 / COPY install.py / -RUN mkdir /certificates -VOLUME ["/certificates"] - COPY entrypoint.sh / RUN chmod 755 /entrypoint.sh 
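Review bot: `&& pip3 install --upgrade pip \` in the first Dockerfile hunk pulls whatever pip release is current at build time, so two builds of the same Dockerfile can resolve different versions, while the `RUN pip3 install Jinja2==2.8` line right below it is pinned — the build is only half reproducible. Either pin the upgrade the same way, e.g. `&& pip3 install --upgrade 'pip==<PINNED_VERSION>' \`, or drop the upgrade and rely on the pip that the distro package ships. The same unpinned upgrade reappears as a separate RUN line in the Dockerfile hunk of PATCH 27 further down this page.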
diff --git a/backend.conf.j2 b/backend.conf.j2 index de3d4ba..1fbd216 100644 --- a/backend.conf.j2 +++ b/backend.conf.j2 @@ -1,11 +1,7 @@ server { listen 80 default_server; listen [::]:80 default_server; -{% if domain %} server_name {{ domain }} www.{{ domain }}; -{% else %} - server_name localhost; -{% endif %} return 301 https://$server_name$request_uri; } @@ -13,16 +9,14 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - ssl_certificate /etc/ssl/certs/certificate.crt; - ssl_certificate_key /etc/ssl/private/private.key; + ssl_certificate /etc/letsencrypt/live/{{ domain }}/cert.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem; ssl_session_timeout 30m; ssl_session_cache shared:SSL:20m; ssl_session_tickets off; -{% if dhparam %} # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits - ssl_dhparam /etc/ssl/certs/dhparam.pem; -{% endif %} + ssl_dhparam /etc/letsencrypt/live/{{ domain }}/dhparam.pem; # modern configuration. tweak to your needs. ssl_protocols TLSv1.2; @@ -32,17 +26,15 @@ server { # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; -{% if ssl_trusted_certificate %} # OCSP Stapling --- # fetch OCSP records from URL in ssl_certificate and cache them ssl_stapling on; ssl_stapling_verify on; ## verify chain of trust of OCSP response using Root CA and Intermediate certs - ssl_trusted_certificate /etc/ssl/certs/ca.crt; + ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem; resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; -{% endif %} location ~ /(static|media)/ { autoindex on; diff --git a/dockersible/__init__.py b/dockersible/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/dockersible/files.py b/dockersible/files.py deleted file mode 100644 index 0350b5d..0000000 --- a/dockersible/files.py +++ /dev/null 
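Review bot: `ssl_dhparam /etc/letsencrypt/live/{{ domain }}/dhparam.pem;` in the second hunk points into the certbot live directory, but certbot only writes cert.pem, chain.pem, fullchain.pem and privkey.pem there; dhparam.pem has to be generated separately, and because the `{% if dhparam %}` guard is removed in the same hunk, a missing file is now a hard nginx startup failure rather than a skipped directive. If entrypoint.sh (copied in the Dockerfile but not visible here) generates it, a comment on the directive should say so; otherwise keep the guard or document the manual step, e.g. `# dhparam.pem is not produced by certbot; create it with openssl dhparam before the first start`. The same hard-failure trade-off applies to the other unguarded paths, though those files are ones certbot does create.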
@@ -1,44 +0,0 @@ -import os -import shutil -import fnmatch - -from jinja2 import Template - - -def pattern_filter(file, patterns=None): - if patterns is None: - return True - - for p in patterns: - if fnmatch.fnmatch(file, p): - return True - - return False - - -def find(paths, patterns=None): - certificates = [] - for root, dirs, files in os.walk(paths): - for file in files: - if pattern_filter(file, patterns.split(',')): - certificates.append({'path': os.path.normpath(os.path.join(root, file))}) - return certificates - - -def copy(source, destination, basename=None, mode='0755'): - if not os.path.exists(destination): - os.makedirs(destination) - - shutil.copy2(src=source, dst=destination) - - file_path = os.path.join(destination, os.path.basename(source)) - os.chmod(file_path, int(mode, 8)) - - if basename: - os.rename(file_path, os.path.join(destination, basename)) - - -def template(source, context, destination): - jinja_template = Template(open(source).read()) - with open(destination, 'w') as f: - f.write(jinja_template.render(context)) diff --git a/dockersible/ssl.py b/dockersible/ssl.py deleted file mode 100644 index b6c6c6a..0000000 --- a/dockersible/ssl.py +++ /dev/null @@ -1,18 +0,0 @@ -import os -import shutil - - -def copy_certificates(certificates, destination='/etc/ssl', domain='example.org'): - private_key_folder = os.path.join(destination, 'private') - if not os.path.exists(private_key_folder): - os.makedirs(private_key_folder) - private_key = os.path.join(private_key_folder, domain + '.key') - shutil.copy2(certificates['key'], private_key) - os.chmod(private_key, 0o600) - - certificates_folder = os.path.join(destination, 'certs') - if not os.path.exists(certificates_folder): - os.makedirs(certificates_folder) - certificate = os.path.join(certificates_folder, domain + '.crt') - shutil.copy2(certificates['crt'], certificate) - os.chmod(certificate, 0o644) diff --git a/install.py b/install.py index c5aca90..e7cd339 100644 --- a/install.py 
+++ b/install.py @@ -1,51 +1,12 @@ import os -import subprocess - -from dockersible.files import copy, template - - -def get_ssl_context(environ): - domain = environ['DOMAIN'] - nginx_info = { - 'domain': domain, - 'dhparam': False, - 'ssl_trusted_certificate': False - } - - dhparam = os.path.join('/certificates', domain + '.dhparam.pem') - if os.path.exists(dhparam): - nginx_info['dhparam'] = True - copy(source=dhparam, destination='/etc/ssl/certs', basename='dhparam.pem', mode='0644') - - trusted_certificates = os.path.join('/certificates', domain + '.ca.crt') - if os.path.exists(trusted_certificates): - nginx_info['ssl_trusted_certificate'] = True - copy(source=trusted_certificates, destination='/etc/ssl/certs', basename='ca.crt', mode='0644') - - return nginx_info - - -def get_certificates(domain): - private_key = os.path.join('/certificates', domain + '.key') - certificate = os.path.join('/certificates', domain + '.crt') - if not os.path.exists(private_key) or not os.path.exists(certificate): - cmd = """openssl req \ - -new \ - -newkey rsa:4096 \ - -days 365 \ - -nodes \ - -x509 \ - -subj "/C=US/ST=State/L=City/O=Company/CN={}" \ - -keyout {} \ - -out {}""".format(domain, private_key, certificate) - subprocess.call(cmd, shell=True) - return private_key, certificate +from jinja2 import Template if __name__ == "__main__": - pk, crt = get_certificates(os.environ['DOMAIN']) - copy(source=pk, destination='/etc/ssl/private', basename='private.key', mode='0600') - copy(source=crt, destination='/etc/ssl/certs', basename='certificate.crt', mode='0644') - - template('/backend.conf.j2', get_ssl_context(os.environ), '/etc/nginx/conf.d/default.conf') + context = { + 'domain': os.environ['DOMAIN'] + } + jinja_template = Template(open('/backend.conf.j2').read()) + with open('/etc/nginx/conf.d/default.conf', 'w') as f: + f.write(jinja_template.render(context)) diff --git a/readme.md b/readme.md index 4100cbd..5b969a1 100644 --- a/readme.md +++ b/readme.md 
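Review bot: The new `__main__` block interpolates `os.environ['DOMAIN']` unvalidated into both the Let's Encrypt file paths and the `server_name` directive of the rendered template, so a value containing whitespace, `;` or `/` yields a config nginx rejects or one that means something else, and an unset variable dies with a bare KeyError traceback. Now that the old self-signed fallback is gone and this script is the only step between the environment and nginx's config, I would check that the value is a plain hostname before rendering and fail with a clear message; `open('/backend.conf.j2')` should also sit in a `with` block like the output file does. This needs `import re` next to `import os`.
```python
if __name__ == "__main__":
    domain = os.environ.get('DOMAIN', '')
    # Only a bare hostname is acceptable: the value lands in file paths and nginx directives.
    if not re.fullmatch(r'[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?', domain):
        raise SystemExit("DOMAIN must be set to a plain hostname such as example.org")
    context = {'domain': domain}
    with open('/backend.conf.j2') as src:
        jinja_template = Template(src.read())
    # … unchanged: render into /etc/nginx/conf.d/default.conf …
```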
@@ -1,43 +1,5 @@ > nginx container for LessPass -## custom SSL certificate - -change domain name in `docker-compose.yml` file - -replace YOUR_DOMAIN_NAME - - ..... - ports: - - "8080:8080" - nginx: - restart: always - build: ./nginx - ports: - - "80:80" - - "443:443" - environment: - - domain=YOUR_DOMAIN_NAME - volumes: - - ./nginx/ssl:/certificates - volumes_from: - - backend - links: - - backend - - frontend - ..... - -copy your private key to `ssl/YOUR_DOMAIN_NAME.key` -copy your certificate to `ssl/YOUR_DOMAIN_NAME.crt` - -if you have extra certificate authorities, copy the file to `ssl/YOUR_DOMAIN_NAME.ca.crt` -if you have a DH parameter file, copy the file to `ssl/YOUR_DOMAIN_NAME.dhparam.pem` - - -Example if your domain is `lesspass.com` - - ls ssl/ - lesspass.com.ca.crt lesspass.com.crt lesspass.com.dhparam.pem lesspass.com.key - ## License This project is licensed under the terms of the GNU GPLv3. diff --git a/tests/templates/test.j2 b/tests/templates/test.j2 deleted file mode 100644 index 13c3927..0000000 --- a/tests/templates/test.j2 +++ /dev/null @@ -1,3 +0,0 @@ -{% if dhparam %} -ssl_dhparam {{ dhparam_path }}; -{% endif %} \ No newline at end of file diff --git a/tests/test_dockersible.py b/tests/test_dockersible.py deleted file mode 100644 index 07932d9..0000000 --- a/tests/test_dockersible.py +++ /dev/null 
@@ -1,85 +0,0 @@ -import os -import shutil -import tempfile -import unittest - -from dockersible.ssl import copy_certificates -from dockersible.files import find, copy, template - - -class DockersibleTestCase(unittest.TestCase): - def test_find(self): - parent_directory = os.path.dirname(os.path.realpath(__file__)) - ssl_directory = os.path.join(parent_directory, 'ssl') - certificates = find(paths=ssl_directory, patterns='*.key,*.crt') - for certificate in certificates: - expected_path = [os.path.join(ssl_directory, 'test.key'), os.path.join(ssl_directory, 'test.crt')] - self.assertTrue(certificate['path'] in expected_path) - - def test_copy_certificates(self): - temp_folder = tempfile.mkdtemp() - private_key_origin = os.path.join(temp_folder, 'test.key') - with open(private_key_origin, 'w') as f: f.write('') - certificate_origin = os.path.join(temp_folder, 'test.crt') - with open(certificate_origin, 'w') as f: f.write('') - certificates = { - 'key': private_key_origin, - 'crt': certificate_origin, - } - copy_certificates(certificates, temp_folder, 'oslab.fr') - private_key = os.path.join(temp_folder, 'private', 'oslab.fr.key') - self.assertTrue(os.path.exists(private_key)) - self.assertTrue((os.stat(private_key).st_mode & 0o777) == 0o600) - self.assertTrue(os.path.exists(private_key_origin)) - - certificate = os.path.join(temp_folder, 'certs', 'oslab.fr.crt') - self.assertTrue(os.path.exists(certificate)) - self.assertTrue((os.stat(certificate).st_mode & 0o777) == 0o644) - self.assertTrue(os.path.exists(certificate_origin)) - shutil.rmtree(temp_folder) - - def test_copy_file(self): - private_key_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'ssl', 'test.key') - destination = tempfile.mkdtemp() - copy(source=private_key_path, destination=destination) - self.assertTrue(os.path.exists(os.path.join(destination, 'test.key'))) - shutil.rmtree(destination) - - def test_copy_file_change_basename(self): - private_key_path = 
os.path.join(os.path.dirname(os.path.realpath(__file__)), 'ssl', 'test.key') - destination = tempfile.mkdtemp() - copy(source=private_key_path, destination=destination, basename='lesspass.com.key', mode='0600') - self.assertTrue(os.path.exists(os.path.join(destination, 'lesspass.com.key'))) - shutil.rmtree(destination) - - def test_copy_file_change_mode(self): - private_key_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'ssl', 'test.key') - destination = tempfile.mkdtemp() - - copy(source=private_key_path, destination=destination) - expected_private_key_path = os.path.join(destination, 'test.key') - self.assertTrue((os.stat(expected_private_key_path).st_mode & 0o777) == 0o755) - - copy(source=private_key_path, destination=destination, basename='lesspass.com.key', mode='0600') - expected_private_key_path = os.path.join(destination, 'lesspass.com.key') - self.assertTrue((os.stat(expected_private_key_path).st_mode & 0o777) == 0o600) - - shutil.rmtree(destination) - - def test_template_module_with_source_file(self): - template_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'templates', 'test.j2') - destination = tempfile.mkdtemp() - context = { - 'dhparam': True, - 'dhparam_path': '/etc/ssl/certs/dhparam.pem' - } - destination_file = os.path.join(destination, 'test.txt') - - template(source=template_path, context=context, destination=destination_file) - - self.assertEqual('\nssl_dhparam /etc/ssl/certs/dhparam.pem;\n', open(destination_file).read()) - shutil.rmtree(destination) - - -if __name__ == '__main__': - unittest.main() From 02537a2f6e8f6aa11b3125dbdf59cbbd46a7a31d Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sat, 29 Jul 2017 18:09:55 +0200 Subject: [PATCH 27/29] Use debian instead of Alpine to fix a problem with docker-ce 17 --- Dockerfile | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 21f466b..a23bfc1 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,11 +1,12 @@
-FROM nginx:stable-alpine
+FROM nginx:stable
-RUN apk update && apk add \
+RUN apt-get update && apt-get install -y \
 python3 \
+ python3-pip \
 openssl \
- && pip3 install --upgrade pip \
- && rm -rf /var/cache/apk/*
+ && rm -rf /var/lib/apt/lists/*
+RUN pip3 install --upgrade pip
 RUN pip3 install Jinja2==2.8
 RUN rm /etc/nginx/nginx.conf
From dccd50d9c599058d363e3b6fa5e5dc451392c683 Mon Sep 17 00:00:00 2001
From: Guillaume Vincent
Date: Mon, 31 Jul 2017 09:34:29 +0200
Subject: [PATCH 28/29] Use fullchain ssl certificate
---
 backend.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend.conf.j2 b/backend.conf.j2
index 1fbd216..a586145 100644
--- a/backend.conf.j2
+++ b/backend.conf.j2
@@ -9,7 +9,7 @@ server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- ssl_certificate /etc/letsencrypt/live/{{ domain }}/cert.pem;
+ ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
 ssl_session_timeout 30m;
 ssl_session_cache shared:SSL:20m;
@@ -32,7 +32,7 @@ server {
 ssl_stapling_verify on;
 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
 resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
From 9280ca7c3014bbfb261ceaac3b08278830d23e5e Mon Sep 17 00:00:00 2001
From: Guillaume Vincent
Date: Thu, 14 Sep 2017 08:48:02 +0200
Subject: [PATCH 29/29] Update README.md
---
 README.md | 10 ++++++++++
 readme.md | 10 ----------
 2 files changed, 10 insertions(+), 10 deletions(-)
create mode 100644 README.md
delete mode 100644 readme.md
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5b969a1
--- /dev/null
+++ b/README.md
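Review bot: `RUN pip3 install --upgrade pip`, added on the new side of the Dockerfile hunk, fetches whatever pip release PyPI serves at build time, so the image is not reproducible and the one unpinned, unverified download in the build is the installer itself; the Jinja2 line right below it is version-pinned and this one should be too, `RUN pip3 install pip==<pinned-version>` (placeholder), or dropped, since the python3-pip package the apt-get line now installs is presumably enough to install `Jinja2==2.8`. While the apt-get line is being rewritten, `--no-install-recommends` keeps the recommended-package set out of the runtime image: `RUN apt-get update && apt-get install -y --no-install-recommends \`. Putting update, install and the lists cleanup in one RUN, as the hunk does, is the right shape.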
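Review bot: The second backend.conf.j2 hunk (`@@ -32,7 +32,7 @@`) switches `ssl_trusted_certificate` from chain.pem to fullchain.pem, but that directive feeds the trust set nginx uses when `ssl_stapling_verify on` (visible as context) checks the OCSP response, and the intermediate chain — what chain.pem holds in a Let's Encrypt live directory — was already the right input; fullchain.pem only adds the site's own leaf certificate to that trust set, which contributes nothing to verifying the responder. The first hunk's change of `ssl_certificate` to fullchain.pem is what fixes the incomplete chain sent to clients and stands on its own. I would revert the second hunk to `ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;` so the directive keeps matching the comment above it. The enclosing `server { ... }` block begins and ends outside both hunks.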
@@ -0,0 +1,10 @@
+> nginx container for LessPass
+
+## License
+
+This project is licensed under the terms of the GNU GPLv3.
+
+
+## Issues
+
+report issues on [LessPass project](https://github.com/lesspass/lesspass/issues)
\ No newline at end of file
diff --git a/readme.md b/readme.md
deleted file mode 100644
index 5b969a1..0000000
--- a/readme.md
+++ /dev/null
@@ -1,10 +0,0 @@
-> nginx container for LessPass
-
-## License
-
-This project is licensed under the terms of the GNU GPLv3.
-
-
-## Issues
-
-report issues on [LessPass project](https://github.com/lesspass/lesspass/issues)
\ No newline at end of file
