reverse: add certificate transprency support

2025-04-19 20:09:16 +00:00 · 2017-09-18 19:50:56 +02:00 · 2017-09-18 19:50:56 +02:00 · 3ade350cd8
commit 3ade350cd8
parent c8ca237ca7
5 changed files with 40 additions and 5 deletions
--- a/reverse/Dockerfile
+++ b/reverse/Dockerfile
@ -27,7 +27,8 @@ ARG NGINX_MODULES=" \

 ARG NGINX_3RD_PARTY_MODULES=" \
    --add-module=/tmp/headers-more-nginx-module \
-    --add-module=/tmp/ngx_brotli"
+    --add-module=/tmp/ngx_brotli \
+    --add-module=/tmp/nginx-ct"

 RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \

@ -72,10 +73,13 @@ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && cd /tmp && git clone https://github.com/bagder/libbrotli --depth=1 \
 && cd libbrotli && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
 && cd /tmp && git clone https://github.com/google/ngx_brotli --depth=1 \
- && cd ngx_brotli && git submodule update --init \
+ && cd ngx_brotli && git submodule update --init && cd /tmp \

 # Headers More
- && cd /tmp && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
+ && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
+
+# nginx-ct
+&& git clone https://github.com/grahamedgecombe/nginx-ct --depth=1 \

 # OpenSSL
 && OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz" \
@ -126,6 +130,10 @@ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && go get github.com/xenolf/lego \
 && mv /tmp/go/bin/lego /usr/local/bin/lego \

+# ct-submit
+ && go get github.com/grahamedgecombe/ct-submit \
+ && mv /tmp/go/bin/ct-submit /usr/local/bin/ct-submit \
+
 # Clean
 && apk del build-dependencies \
 && rm -rf /tmp/* /var/cache/apk/* /root/.gnupg
--- a/reverse/rootfs/nginx/conf.d/ct.conf
+++ b/reverse/rootfs/nginx/conf.d/ct.conf
@ -0,0 +1,2 @@
+ssl_ct on;
+add_header Expect-CT "enforce; max-age=86400";
--- a/reverse/rootfs/nginx/sites-enabled/template_ssl
+++ b/reverse/rootfs/nginx/sites-enabled/template_ssl
@ -15,10 +15,12 @@ server {
  ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt;
  ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key;
  ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem;
+  ssl_ct_static_scts /nginx/ssl/timestamps/<frontend_domain>;
  include /nginx/conf.d/ssl.conf;
  include /nginx/conf.d/headers.conf;
  include /nginx/conf.d/hsts.conf;
  include /nginx/conf.d/ocsp.conf;
+  include /nginx/conf.d/ct.conf;

  include /nginx/path.d/<frontend_domain>/*.conf;

--- a/reverse/rootfs/usr/local/bin/check_certs
+++ b/reverse/rootfs/usr/local/bin/check_certs
@ -35,6 +35,7 @@ f_check_certs() {
        KEYFILE=/nginx/ssl/certificates/${domain}.key
        CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem
        FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt
+        SCTFILE=/nginx/ssl/timestamps/${domain}/fullchain.sct
        
        mkdir -p /nginx/www/${domain}
        openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}"
@ -48,6 +49,9 @@ f_check_certs() {
                    head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
                    tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
                    RELOAD_NGINX=1
+                    if [ -f ${SCTFILE} ]; then
+                        ct-submit ct.googleapis.com/pilot <${FULLCHAINFILE}>${SCTFILE}
+                    fi
                    f_log INF "New Certificate for ${domain} generated" 
                fi
            else 
--- a/reverse/rootfs/usr/local/bin/startup
+++ b/reverse/rootfs/usr/local/bin/startup
@ -45,6 +45,10 @@ f_gen_sites_enabled() {
    if [ "${FRONTEND_OCSP}" == "false" ]; then
        sed -i -e "s|include /nginx/conf.d/ocsp.conf|#include /nginx/conf.d/ocsp.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
    fi
+    if [ "${FRONTEND_CT}" == "false" ]; then
+        sed -i -e "s|ssl_ct_static_scts|#ssl_ct_static_scts|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+        sed -i -e "s|include /nginx/conf.d/ct.conf|#include /nginx/conf.d/ct.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
+    fi
 }

 f_gen_location() {
@ -99,7 +103,17 @@ f_gen_certs() {
    fi
 }

-
+f_gen_scts() {
+    container_name=$1
+    if [ "${FRONTEND_SSL}" == "true" ] && [ "${FRONTEND_CT}" == "true" ]; then
+        mkdir -p /nginx/ssl/timestamps/${FRONTEND_DOMAIN}
+        FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt
+        SCTFILE=nginx/ssl/timestamps/${FRONTEND_DOMAIN}/fullchain.sct
+        if [ ! -f ${SCTFILE} ]; then
+            ct-submit ct.googleapis.com/pilot <${FULLCHAINFILE}>${SCTFILE}
+        fi
+    fi
+}

 f_make_conf() {

@ -113,6 +127,7 @@ f_make_conf() {
    FRONTEND_HSTS=true
    FRONTEND_HEADERS=true
    FRONTEND_OCSP=true
+    FRONTEND_CT=true

    container_name=$1
    IFS=$'\n'
@ -147,15 +162,19 @@ f_make_conf() {
                "reverse.frontend.ocsp")
                    FRONTEND_OCSP="$(echo ${label} | awk '{print $2}')"
                ;;
+                "reverse.frontend.ct")
+                    FRONTEND_CT="$(echo ${label} | awk '{print $2}')"
+                ;;
                "reverse.backend.port")
                    BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
                ;;
            esac
        done
-        f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, headers=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS}, ocsp=${FRONTEND_OCSP} and port=${BACKEND_PORT}"
+        f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, headers=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS}, ocsp=${FRONTEND_OCSP}, ct=${FRONTEND_CT} and port=${BACKEND_PORT}"
        f_gen_location ${container_name}
        f_gen_sites_enabled
        f_gen_certs ${container_name}
+        f_gen_scts ${container_name}
    fi
 }