[TOOLS][SSL] Added bin/boostrap_certificates.sh, allowing for easy configuration of SSL certificates with Let's Encrypt

docker/bootstrap/Dockerfile

@@ -0,0 +1,16 @@
+FROM nginx:alpine
+
+RUN echo "Installing bootstrap utils"
+
+RUN apk add curl certbot openssl > /dev/null
+
+RUN echo '                                  \
+server {                                    \
+    listen [::]:80;                         \
+    listen 80;                              \
+    server_name %hostname%;                 \
+    location /.well-known/acme-challenge/ { \
+        root /var/www/certbot;              \
+    }                                       \
+}                                           \
+' > /etc/nginx/conf.d/challenge.conf

docker/bootstrap/bootstrap.env

@@ -0,0 +1,2 @@
+email=example@foo.bar
+domain=domain.foo

docker/bootstrap/bootstrap.sh

@@ -0,0 +1,52 @@
+#!/bin/sh
+
+sed -ri "s/%hostname%/$domain/" /etc/nginx/conf.d/challenge.conf
+
+nginx
+
+rsa_key_size=4096
+certbot_path="/var/www/certbot"
+lets_path="/etc/letsencrypt"
+
+echo "Starting bootstrap"
+
+if [ ! -e "${lets_path}/live//options-ssl-nginx.conf" ] \
+    || [ ! -e "${lets_path}/live/ssl-dhparams.pem" ]; then
+
+    echo "### Downloading recommended TLS parameters ..."
+    mkdir -p "${lets_path}/live"
+
+    curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > \
+         "${lets_path}/options-ssl-nginx.conf"
+    curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > \
+         "${lets_path}/ssl-dhparams.pem"
+
+    echo "### Creating dummy certificate for ${root_domain} ..."
+    openssl req -x509 -nodes -newkey rsa:1024 -days 1\
+            -keyout "${lets_path}/live/privkey.pem" \
+            -out "${lets_path}/live/fullchain.pem" -subj '/CN=localhost'
+
+    nginx -s reload
+
+    rm -Rf "${lets_path}/live/${root_domain}"
+    rm -Rf "${lets_path}/archive/${root_domain}"
+    rm -Rf "${lets_path}/renewal/${root_domain}.conf"
+
+    echo "### Requesting Let's Encrypt certificate for $root_domain ..."
+    # Format domain_args with the cartesian product of `root_domain` and `subdomains`
+
+    email_arg="--email $email"
+    domain_arg="-d $domain"
+
+    # Ask Let's Encrypt to create certificates, if challenge passed
+    certbot certonly --webroot -w /var/www/certbot \
+            $email_arg \
+            $domain_arg \
+            --non-interactive \
+            --rsa-key-size $rsa_key_size \
+            --agree-tos \
+            --force-renewal
+
+else
+    echo "Certificate related files exists, exiting"
+fi

docker/bootstrap/bootstrap.yaml

@@ -0,0 +1,14 @@
+version: "3.3"
+
+services:
+  bootstrap:
+    build: .
+    volumes:
+      - ../certbot/www:/var/www/certbot
+      - ../certbot/files:/etc/letsencrypt
+      - ./bootstrap.sh:/bootstrap.sh
+    ports:
+      - 80:80
+    env_file:
+      - bootstrap.env
+    entrypoint: /bootstrap.sh

docker/db/wait_for_db.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+case $SOCIAL_DBMS in
+    "mariadb")
+        CMD=mysqladmin ping --silent -hdb -uroot -p${MYSQL_ROOT_PASSWORD}
+        ;;
+    "postgres")
+        CMD=su postgres && pg_isready -hdb -q
+        ;;
+    *)
+        exit 1
+
+esac
+
+while ! $CMD;
+do
+    echo "Waiting for DB..."
+    sleep 3
+done

docker/nginx/nginx.conf

@@ -0,0 +1,90 @@
+server {
+
+    listen [::]:80;
+    listen 80;
+
+    server_name %hostname%;
+
+    # redirect all traffic to HTTPS
+    rewrite ^ https://$host$request_uri? permanent;
+}
+
+server {
+
+    include ssl-common.conf
+
+    root /var/www/social/public;
+
+    # Server name
+    server_name %hostname%;
+
+    # Index
+    index index.php;
+
+    # X-Accel/X-Sendfile. Still needs to be enabled in the config
+    location /file {
+        internal;
+        root /var/www/social;
+    }
+
+    # PHP
+    location ~ ^/(index|install)\.php(/.*)?$ {
+        include fastcgi_params;
+
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+        try_files $fastcgi_script_name =404;
+
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    }
+
+    # Don't allow any PHP file other than index.php to be executed
+    # This will ensure that nor config.php nor plugin files with eventual hardcoded security information are downloadable
+    # And this is better than allowing php files to be executed in case of forgotten `if (!defined('GNUSOCIAL')) { exit(1); }`
+    location ~ \.php$ {
+        deny all;
+    }
+
+    # Location
+    location / {
+        try_files $uri $uri/ @index_handler;
+    }
+
+    # Fancy URLs
+    error_page 404 @index_handler;
+    location @index_handler {
+        rewrite ^(.*)$ /index.php?p=$1 last;
+    }
+
+    # Restrict access that is unnecessary anyway
+    location ~ /\.(ht|git) {
+        deny all;
+    }
+
+#
+# Hardening (optional)
+#
+    add_header Strict-Transport-Security "max-age=15768000; preload;";
+    add_header X-Content-Type-Options nosniff;
+    add_header Referrer-Policy strict-origin-when-cross-origin;
+    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
+    add_header X-Permitted-Cross-Domain-Policies none;
+    add_header X-Robots-Tag all; # Not really hardening, just here for strictness purposes
+
+    client_max_body_size 15M;
+    client_body_buffer_size 128k;
+    gzip_vary on;
+
+    location ~* \.(?:css|js|woff|svg|gif|png|webp|ttf|ico|jpe?g)$ {
+        gzip on;
+        gzip_comp_level 4;
+        add_header Cache-Control "public";
+        expires 30d;
+        access_log off;
+        log_not_found off;
+    }
+}

docker/nginx/ssl-common.conf

@@ -0,0 +1,10 @@
+
+listen [::]:443 ssl http2;
+listen 443 ssl http2;
+
+ssl_certificate /etc/letsencrypt/live/hsal.es/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/hsal.es/privkey.pem;
+
+# Let's Encrypt best practices
+include /etc/letsencrypt/options-ssl-nginx.conf;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

docker/php/Dockerfile

@@ -1,17 +1,12 @@
 FROM php:fpm-alpine
 
-RUN apk update && apk add gettext-dev icu-dev zlib-dev libpng-dev gmp-dev postgresql-dev
+RUN apk update && apk add gettext-dev icu-dev zlib-dev libpng-dev gmp-dev postgresql-dev composer > /dev/null
 
-ARG exts=" bcmath exif gd gettext gmp intl mysqli opcache pdo pdo_pgsql pgsql"
+ARG exts=" bcmath exif gd gettext gmp intl mysqli opcache pdo_mysql"
 
-ARG MEMCACHED_DEPS="zlib-dev libmemcached-dev cyrus-sasl-dev"
-RUN apk add libmemcached-libs zlib
 RUN apk add --virtual .phpize-deps $PHPIZE_DEPS \
-        && apk add --virtual .memcached-deps $MEMCACHED_DEPS \
-        && pecl install memcached \
-        && echo "extension=memcached.so" > /usr/local/etc/php/conf.d/20_memcached.ini \
         && rm -rf /usr/share/php7 \
         && rm -rf /tmp/* \
-        && apk del .memcached-deps .phpize-deps
+        && apk del .phpize-deps > /dev/null
 
 RUN docker-php-ext-install ${exts}

docker/php/entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+/wait_for_db.sh
+
+echo "Got response from DB"
+
+for script in /var/entrypoint.d/*.sh; do
+    $script
+done
+
+exec php-fpm

docker/social/install.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+if [ ! -e /var/www/social/config.php ]; then
+
+    echo -e "Installing GNU social\nInstalling composer dependencies"
+
+    cd /var/www/social
+
+    composer install
+
+    chmod g+w -R /var/www/social
+    chown -R :www-data /var/www/social
+
+    php /var/www/social/scripts/install_cli.php --server="${SOCIAL_DOMAIN}" --sitename="${SOCIAL_SITENAME}" \
+        --host=db --fancy=yes --database="${SOCIAL_DB}" \
+        --username="${SOCIAL_USER}" --password="${SOCIAL_PASSWORD}" \
+        --admin-nick="${SOCIAL_ADMIN_NICK}" --admin-pass="${SOCIAL_ADMIN_PASSWORD}" || exit 1
+
+    echo "GNU social is installed"
+fi