[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt
This commit is contained in:
parent
06b5fe2cdf
commit
e0b26ad38b
4
.gitignore
vendored
4
.gitignore
vendored
@ -23,4 +23,6 @@
|
|||||||
/file
|
/file
|
||||||
|
|
||||||
DOCUMENTATION/database/*
|
DOCUMENTATION/database/*
|
||||||
!DOCUMENTATION/database/database.pdf
|
!DOCUMENTATION/database/database.pdf
|
||||||
|
|
||||||
|
docker/certbot
|
40
bin/bootstrap_certificates.sh
Executable file
40
bin/bootstrap_certificates.sh
Executable file
@ -0,0 +1,40 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
echo "Domain: "
|
||||||
|
read doamin
|
||||||
|
echo "Email: "
|
||||||
|
read email
|
||||||
|
|
||||||
|
cat > ../docker/bootstrap/bootstrap.env <<EOF
|
||||||
|
email=${email}
|
||||||
|
domain=${domain}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "Social database name: "
|
||||||
|
read db
|
||||||
|
echo "Database user: "
|
||||||
|
read user
|
||||||
|
echo "Database password: "
|
||||||
|
read password
|
||||||
|
echo "Sitename: "
|
||||||
|
read sitename
|
||||||
|
echo "Admin nickname: "
|
||||||
|
read admin_nick
|
||||||
|
echo "Admin password: "
|
||||||
|
read admin_password
|
||||||
|
echo "Site profile (public|private|community|singleuser): "
|
||||||
|
read profile
|
||||||
|
|
||||||
|
cat > ../docker/social/social.env <<EOF
|
||||||
|
SOCIAL_DB=${db}
|
||||||
|
SOCIAL_USER=${user}
|
||||||
|
SOCIAL_PASSWORD=${password}
|
||||||
|
SOCIAL_DOMAIN=${domain}
|
||||||
|
SOCIAL_SITENAME=${sitename}
|
||||||
|
SOCIAL_ADMIN_NICK=${nick}
|
||||||
|
SOCIAL_ADMIN_PASSWORD=${admin_password}
|
||||||
|
SOCIAL_ADMIN_EMAIL=${email}
|
||||||
|
SOCIAL_SITE_PROFILE=${profile}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
docker-compose -f docker/bootstrap/bootstrap.yaml up
|
@ -3,35 +3,67 @@ version: '3.3'
|
|||||||
services:
|
services:
|
||||||
nginx:
|
nginx:
|
||||||
image: nginx:latest
|
image: nginx:latest
|
||||||
|
depends_on:
|
||||||
|
- php
|
||||||
restart: always
|
restart: always
|
||||||
tty: false
|
tty: false
|
||||||
ports:
|
ports:
|
||||||
- 80:80
|
- 80:80
|
||||||
- 443:443
|
- 443:443
|
||||||
volumes:
|
volumes:
|
||||||
- .:/var/www/gnusocial
|
- ./public:/var/www/social/public
|
||||||
- ./nginx.conf:/etc/nginx/conf.d/gnusocial.conf
|
- ./docker/nginx/nginx.conf:/etc/nginx/conf.d/social.conf
|
||||||
|
command: /bin/sh -c 'sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/social.conf
|
||||||
|
while :; do sleep 6h & wait $${!};
|
||||||
|
nginx -s reload;
|
||||||
|
done &
|
||||||
|
nginx -g "daemon off;"'
|
||||||
|
|
||||||
|
certbot:
|
||||||
|
image: certbot/certbot
|
||||||
|
depends_on:
|
||||||
|
- nginx
|
||||||
|
# Check for certificate renewal every 12h as
|
||||||
|
# recomnended by Let's Encryot
|
||||||
|
entrypoint: /bin/sh -c 'trap exit TERM;
|
||||||
|
while :; do
|
||||||
|
certbot renew > /dev/null;
|
||||||
|
sleep 12h & wait $${!};
|
||||||
|
done'
|
||||||
|
volumes:
|
||||||
|
- ./docker/certbot/www:/var/www/certbot
|
||||||
|
- ./docker/certbot/files:/etc/letsencrypt
|
||||||
|
|
||||||
php:
|
php:
|
||||||
build: docker/php
|
build: docker/php
|
||||||
|
depends_on:
|
||||||
|
- db
|
||||||
restart: always
|
restart: always
|
||||||
tty: true
|
tty: true
|
||||||
ports:
|
ports:
|
||||||
- 9000:9000
|
- 9000:9000
|
||||||
volumes:
|
volumes:
|
||||||
- .:/var/www/gnusocial
|
# Entrypoint
|
||||||
|
- ./docker/php/entrypoint.sh:/entrypoint.sh
|
||||||
|
- ./docker/db/wait_for_db.sh:/wait_for_db.sh
|
||||||
|
- ./docker/social/install.sh:/var/entrypoint.d/social_install.sh
|
||||||
|
# Main files
|
||||||
|
- .:/var/www/social
|
||||||
|
env_files:
|
||||||
|
- ./docker/social/social.env
|
||||||
|
- ./docker/db/db.env
|
||||||
|
command: /entrypoint.sh
|
||||||
|
|
||||||
postgres:
|
db:
|
||||||
image: postgres:alpine
|
image: postgres:alpine
|
||||||
restart: always
|
restart: always
|
||||||
tty: false
|
tty: false
|
||||||
ports:
|
ports:
|
||||||
- 5432:5432
|
- 5432:5432
|
||||||
environment:
|
environment:
|
||||||
- POSTGRES_USER=postgres
|
|
||||||
- POSTGRES_PASSWORD=foobar
|
|
||||||
- POSTGRES_DB=social
|
|
||||||
- PGDATA=/var/lib/postgresql/data
|
- PGDATA=/var/lib/postgresql/data
|
||||||
|
env_file:
|
||||||
|
- ./docker/db/db.env
|
||||||
volumes:
|
volumes:
|
||||||
- database:/var/lib/postgresql/data
|
- database:/var/lib/postgresql/data
|
||||||
|
|
||||||
|
16
docker/bootstrap/Dockerfile
Normal file
16
docker/bootstrap/Dockerfile
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
FROM nginx:alpine
|
||||||
|
|
||||||
|
RUN echo "Installing bootstrap utils"
|
||||||
|
|
||||||
|
RUN apk add curl certbot openssl > /dev/null
|
||||||
|
|
||||||
|
RUN echo ' \
|
||||||
|
server { \
|
||||||
|
listen [::]:80; \
|
||||||
|
listen 80; \
|
||||||
|
server_name %hostname%; \
|
||||||
|
location /.well-known/acme-challenge/ { \
|
||||||
|
root /var/www/certbot; \
|
||||||
|
} \
|
||||||
|
} \
|
||||||
|
' > /etc/nginx/conf.d/challenge.conf
|
2
docker/bootstrap/bootstrap.env
Normal file
2
docker/bootstrap/bootstrap.env
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
email=example@foo.bar
|
||||||
|
domain=domain.foo
|
52
docker/bootstrap/bootstrap.sh
Executable file
52
docker/bootstrap/bootstrap.sh
Executable file
@ -0,0 +1,52 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf
|
||||||
|
|
||||||
|
nginx
|
||||||
|
|
||||||
|
rsa_key_size=4096
|
||||||
|
certbot_path="/var/www/certbot"
|
||||||
|
lets_path="/etc/letsencrypt"
|
||||||
|
|
||||||
|
echo "Starting bootstrap"
|
||||||
|
|
||||||
|
if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \
|
||||||
|
|| [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then
|
||||||
|
|
||||||
|
echo "### Downloading recommended TLS parameters ..."
|
||||||
|
mkdir -p "${lets_path}/live"
|
||||||
|
|
||||||
|
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \
|
||||||
|
"${lets_path}/options-ssl-nginx.conf"
|
||||||
|
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
|
||||||
|
"${lets_path}/ssl-dhparams.pem"
|
||||||
|
|
||||||
|
echo "### Creating dummy certificate for ${root_domain} ..."
|
||||||
|
openssl req -x509 -nodes -newkey rsa:1024 -days 1\
|
||||||
|
-keyout "${lets_path}/live/privkey.pem" \
|
||||||
|
-out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost'
|
||||||
|
|
||||||
|
nginx -s reload
|
||||||
|
|
||||||
|
rm -Rf "${lets_path}/live/${root_domain}"
|
||||||
|
rm -Rf "${lets_path}/archive/${root_domain}"
|
||||||
|
rm -Rf "${lets_path}/renewal/${root_domain}.conf"
|
||||||
|
|
||||||
|
echo "### Requesting Let's Encrypt certificate for $root_domain ..."
|
||||||
|
# Format domain_args with the cartesian product of `root_domain` and `subdomains`
|
||||||
|
|
||||||
|
email_arg="--email $email"
|
||||||
|
domain_arg="-d $domain"
|
||||||
|
|
||||||
|
# Ask Let's Encrypt to create certificates, if challenge passed
|
||||||
|
certbot certonly --webroot -w /var/www/certbot \
|
||||||
|
$email_arg \
|
||||||
|
$domain_arg \
|
||||||
|
--non-interactive \
|
||||||
|
--rsa-key-size $rsa_key_size \
|
||||||
|
--agree-tos \
|
||||||
|
--force-renewal
|
||||||
|
|
||||||
|
else
|
||||||
|
echo "Certificate related files exists, exiting"
|
||||||
|
fi
|
14
docker/bootstrap/bootstrap.yaml
Normal file
14
docker/bootstrap/bootstrap.yaml
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
version: "3.3"
|
||||||
|
|
||||||
|
services:
|
||||||
|
bootstrap:
|
||||||
|
build: .
|
||||||
|
volumes:
|
||||||
|
- ../certbot/www:/var/www/certbot
|
||||||
|
- ../certbot/files:/etc/letsencrypt
|
||||||
|
- ./bootstrap.sh:/bootstrap.sh
|
||||||
|
ports:
|
||||||
|
- 80:80
|
||||||
|
env_file:
|
||||||
|
- bootstrap.env
|
||||||
|
entrypoint: /bootstrap.sh
|
19
docker/db/wait_for_db.sh
Executable file
19
docker/db/wait_for_db.sh
Executable file
@ -0,0 +1,19 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
case $SOCIAL_DBMS in
|
||||||
|
"mariadb")
|
||||||
|
CMD=mysqladmin ping --silent -hdb -uroot -p${MYSQL_ROOT_PASSWORD}
|
||||||
|
;;
|
||||||
|
"postgres")
|
||||||
|
CMD=su postgres && pg_isready -hdb -q
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
exit 1
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
while ! $CMD;
|
||||||
|
do
|
||||||
|
echo "Waiting for DB..."
|
||||||
|
sleep 3
|
||||||
|
done
|
@ -1,20 +1,22 @@
|
|||||||
# server {
|
|
||||||
|
|
||||||
# server_name social.localhost;
|
|
||||||
|
|
||||||
# # redirect all traffic to HTTPS
|
|
||||||
# rewrite ^ https://$host$request_uri? permanent;
|
|
||||||
# }
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
|
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
listen 80;
|
listen 80;
|
||||||
|
|
||||||
# Root
|
server_name %hostname%;
|
||||||
root /var/www/gnusocial/public;
|
|
||||||
|
# redirect all traffic to HTTPS
|
||||||
|
rewrite ^ https://$host$request_uri? permanent;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
|
||||||
|
include ssl-common.conf
|
||||||
|
|
||||||
|
root /var/www/social/public;
|
||||||
|
|
||||||
# Server name
|
# Server name
|
||||||
server_name social.localhost;
|
server_name %hostname%;
|
||||||
|
|
||||||
# Index
|
# Index
|
||||||
index index.php;
|
index index.php;
|
||||||
@ -22,9 +24,7 @@ server {
|
|||||||
# X-Accel/X-Sendfile. Still needs to be enabled in the config
|
# X-Accel/X-Sendfile. Still needs to be enabled in the config
|
||||||
location /file {
|
location /file {
|
||||||
internal;
|
internal;
|
||||||
# FIXME: Change "/path/to/gnusocial/root/" to the folder where
|
root /var/www/social;
|
||||||
# attachments are stored (normally the same as the site root)
|
|
||||||
root /var/www/gnusocial;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# PHP
|
# PHP
|
||||||
@ -68,23 +68,23 @@ server {
|
|||||||
#
|
#
|
||||||
# Hardening (optional)
|
# Hardening (optional)
|
||||||
#
|
#
|
||||||
# add_header Strict-Transport-Security "max-age=15768000; preload;";
|
add_header Strict-Transport-Security "max-age=15768000; preload;";
|
||||||
# add_header X-Content-Type-Options nosniff;
|
add_header X-Content-Type-Options nosniff;
|
||||||
# add_header Referrer-Policy strict-origin-when-cross-origin;
|
add_header Referrer-Policy strict-origin-when-cross-origin;
|
||||||
# add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
|
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
|
||||||
# add_header X-Permitted-Cross-Domain-Policies none;
|
add_header X-Permitted-Cross-Domain-Policies none;
|
||||||
# add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
|
add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
|
||||||
#
|
|
||||||
# client_max_body_size 15M;
|
client_max_body_size 15M;
|
||||||
# client_body_buffer_size 128k;
|
client_body_buffer_size 128k;
|
||||||
# gzip_vary on;
|
gzip_vary on;
|
||||||
#
|
|
||||||
# location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
|
location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
|
||||||
# gzip on;
|
gzip on;
|
||||||
# gzip_comp_level 4;
|
gzip_comp_level 4;
|
||||||
# add_header Cache-Control "public";
|
add_header Cache-Control "public";
|
||||||
# expires 30d;
|
expires 30d;
|
||||||
# access_log off;
|
access_log off;
|
||||||
# log_not_found off;
|
log_not_found off;
|
||||||
# }
|
}
|
||||||
}
|
}
|
10
docker/nginx/ssl-common.conf
Normal file
10
docker/nginx/ssl-common.conf
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
listen 443 ssl http2;
|
||||||
|
|
||||||
|
ssl_certificate /etc/letsencrypt/live/hsal.es/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/hsal.es/privkey.pem;
|
||||||
|
|
||||||
|
# Let's Encrypt best practices
|
||||||
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||||
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
@ -1,17 +1,12 @@
|
|||||||
FROM php:fpm-alpine
|
FROM php:fpm-alpine
|
||||||
|
|
||||||
RUN apk update && apk add gettext-dev icu-dev zlib-dev libpng-dev gmp-dev postgresql-dev
|
RUN apk update && apk add gettext-dev icu-dev zlib-dev libpng-dev gmp-dev postgresql-dev composer > /dev/null
|
||||||
|
|
||||||
ARG exts=" bcmath exif gd gettext gmp intl mysqli opcache pdo pdo_pgsql pgsql"
|
ARG exts=" bcmath exif gd gettext gmp intl mysqli opcache pdo_mysql"
|
||||||
|
|
||||||
ARG MEMCACHED_DEPS="zlib-dev libmemcached-dev cyrus-sasl-dev"
|
|
||||||
RUN apk add libmemcached-libs zlib
|
|
||||||
RUN apk add --virtual .phpize-deps $PHPIZE_DEPS \
|
RUN apk add --virtual .phpize-deps $PHPIZE_DEPS \
|
||||||
&& apk add --virtual .memcached-deps $MEMCACHED_DEPS \
|
|
||||||
&& pecl install memcached \
|
|
||||||
&& echo "extension=memcached.so" > /usr/local/etc/php/conf.d/20_memcached.ini \
|
|
||||||
&& rm -rf /usr/share/php7 \
|
&& rm -rf /usr/share/php7 \
|
||||||
&& rm -rf /tmp/* \
|
&& rm -rf /tmp/* \
|
||||||
&& apk del .memcached-deps .phpize-deps
|
&& apk del .phpize-deps > /dev/null
|
||||||
|
|
||||||
RUN docker-php-ext-install ${exts}
|
RUN docker-php-ext-install ${exts}
|
||||||
|
11
docker/php/entrypoint.sh
Executable file
11
docker/php/entrypoint.sh
Executable file
@ -0,0 +1,11 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
/wait_for_db.sh
|
||||||
|
|
||||||
|
echo "Got response from DB"
|
||||||
|
|
||||||
|
for script in /var/entrypoint.d/*.sh; do
|
||||||
|
$script
|
||||||
|
done
|
||||||
|
|
||||||
|
exec php-fpm
|
20
docker/social/install.sh
Executable file
20
docker/social/install.sh
Executable file
@ -0,0 +1,20 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
if [ ! -e /var/www/social/config.php ]; then
|
||||||
|
|
||||||
|
echo -e "Installing GNU social\nInstalling composer dependencies"
|
||||||
|
|
||||||
|
cd /var/www/social
|
||||||
|
|
||||||
|
composer install
|
||||||
|
|
||||||
|
chmod g+w -R /var/www/social
|
||||||
|
chown -R :www-data /var/www/social
|
||||||
|
|
||||||
|
php /var/www/social/scripts/install_cli.php --server="${SOCIAL_DOMAIN}" --sitename="${SOCIAL_SITENAME}" \
|
||||||
|
--host=db --fancy=yes --database="${SOCIAL_DB}" \
|
||||||
|
--username="${SOCIAL_USER}" --password="${SOCIAL_PASSWORD}" \
|
||||||
|
--admin-nick="${SOCIAL_ADMIN_NICK}" --admin-pass="${SOCIAL_ADMIN_PASSWORD}" || exit 1
|
||||||
|
|
||||||
|
echo "GNU social is installed"
|
||||||
|
fi
|
10
social.env
Normal file
10
social.env
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
SOCIAL_DB=social
|
||||||
|
SOCIAL_USER=social
|
||||||
|
SOCIAL_PASSWORD=foobar
|
||||||
|
SOCIAL_DOMAIN=social.hsal.es
|
||||||
|
SOCIAL_SITENAME="Test instance"
|
||||||
|
SOCIAL_ADMIN_NICK=foo
|
||||||
|
SOCIAL_ADMIN_PASSWORD=foobar
|
||||||
|
SOCIAL_SITE_PROFILE=public
|
Loading…
Reference in New Issue
Block a user