From 3ade350cd8aa316d6c0fc6c0a430140f91acb9a3 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 18 Sep 2017 19:50:56 +0200 Subject: [PATCH] reverse: add certificate transprency support --- reverse/Dockerfile | 14 ++++++++--- reverse/rootfs/nginx/conf.d/ct.conf | 2 ++ .../rootfs/nginx/sites-enabled/template_ssl | 2 ++ reverse/rootfs/usr/local/bin/check_certs | 4 ++++ reverse/rootfs/usr/local/bin/startup | 23 +++++++++++++++++-- 5 files changed, 40 insertions(+), 5 deletions(-) create mode 100644 reverse/rootfs/nginx/conf.d/ct.conf diff --git a/reverse/Dockerfile b/reverse/Dockerfile index fa0486f..eed9ce4 100644 --- a/reverse/Dockerfile +++ b/reverse/Dockerfile @@ -27,7 +27,8 @@ ARG NGINX_MODULES=" \ ARG NGINX_3RD_PARTY_MODULES=" \ --add-module=/tmp/headers-more-nginx-module \ - --add-module=/tmp/ngx_brotli" + --add-module=/tmp/ngx_brotli \ + --add-module=/tmp/nginx-ct" RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ @@ -72,10 +73,13 @@ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ && cd /tmp && git clone https://github.com/bagder/libbrotli --depth=1 \ && cd libbrotli && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \ && cd /tmp && git clone https://github.com/google/ngx_brotli --depth=1 \ - && cd ngx_brotli && git submodule update --init \ + && cd ngx_brotli && git submodule update --init && cd /tmp \ # Headers More - && cd /tmp && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \ + && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \ + +# nginx-ct +&& git clone https://github.com/grahamedgecombe/nginx-ct --depth=1 \ # OpenSSL && OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz" \ 
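Review bot: `&& git clone https://github.com/grahamedgecombe/nginx-ct --depth=1 \` pulls an unpinned third-party module straight into nginx's TLS handshake path, so every image build trusts whatever that repository's default branch holds at build time, with no tag, commit or checksum to compare against; the neighbouring libbrotli/ngx_brotli/headers-more clones do the same, but this one ships code that runs inside the SSL context of the frontend. Pin it the way the `OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz"` line below pins OpenSSL: clone without `--depth=1` and `git checkout` a fixed tag or commit, or fetch a release tarball and verify its hash before building. The added `&&` line is also the only continuation in this RUN that is not indented, and the empty `+` line before `# nginx-ct` sits inside a backslash-continued instruction — recent Docker releases warn that empty continuation lines will become errors, so it is safer to drop it.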
@@ -126,6 +130,10 @@ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ && go get github.com/xenolf/lego \ && mv /tmp/go/bin/lego /usr/local/bin/lego \ +# ct-submit + && go get github.com/grahamedgecombe/ct-submit \ + && mv /tmp/go/bin/ct-submit /usr/local/bin/ct-submit \ + # Clean && apk del build-dependencies \ && rm -rf /tmp/* /var/cache/apk/* /root/.gnupg diff --git a/reverse/rootfs/nginx/conf.d/ct.conf b/reverse/rootfs/nginx/conf.d/ct.conf new file mode 100644 index 0000000..5da2b76 --- /dev/null +++ b/reverse/rootfs/nginx/conf.d/ct.conf @@ -0,0 +1,2 @@ +ssl_ct on; +add_header Expect-CT "enforce; max-age=86400"; diff --git a/reverse/rootfs/nginx/sites-enabled/template_ssl b/reverse/rootfs/nginx/sites-enabled/template_ssl index 180ac47..33a80fe 100644 --- a/reverse/rootfs/nginx/sites-enabled/template_ssl +++ b/reverse/rootfs/nginx/sites-enabled/template_ssl @@ -15,10 +15,12 @@ server { ssl_certificate /nginx/ssl/certificates/.crt; ssl_certificate_key /nginx/ssl/certificates/.key; ssl_trusted_certificate /nginx/ssl/certificates/.chain.pem; + ssl_ct_static_scts /nginx/ssl/timestamps/; include /nginx/conf.d/ssl.conf; include /nginx/conf.d/headers.conf; include /nginx/conf.d/hsts.conf; include /nginx/conf.d/ocsp.conf; + include /nginx/conf.d/ct.conf; include /nginx/path.d//*.conf; diff --git a/reverse/rootfs/usr/local/bin/check_certs b/reverse/rootfs/usr/local/bin/check_certs index 8054b3a..3fd4242 100644 --- a/reverse/rootfs/usr/local/bin/check_certs +++ b/reverse/rootfs/usr/local/bin/check_certs @@ -35,6 +35,7 @@ f_check_certs() { KEYFILE=/nginx/ssl/certificates/${domain}.key CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt + SCTFILE=/nginx/ssl/timestamps/${domain}/fullchain.sct mkdir -p /nginx/www/${domain} openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}" 
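Review bot: `&& go get github.com/grahamedgecombe/ct-submit \` builds whatever the repository's default branch is at image-build time, with no version, commit or checksum, so the binary that decides what gets written into the served `.sct` files is not reproducible from one build to the next; the `lego` line above has the same shape, so this follows existing practice rather than introducing it, but it is worth fixing for both. Pin the revision — `cd` into the GOPATH checkout and `git checkout` a fixed commit before building, or vendor a release tarball with a verified hash. The added empty `+` line between `mv /tmp/go/bin/ct-submit ...` and `# Clean` is an empty continuation line inside the RUN, which recent Docker releases warn about and have announced will become an error.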
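Review bot: `add_header Expect-CT "enforce; max-age=86400";` turns on hard enforcement while the only CT evidence this change produces is a single SCT from a single log (`ct-submit ct.googleapis.com/pilot` in check_certs and startup), and browser CT policies of the time required SCTs from several logs including a non-Google one, so an enforcing client that has cached this header is more likely to refuse the site for the next 24 hours than to be protected by it. Ship it without `enforce` and with a `report-uri` first, and move to `enforce` only once enough SCTs are being served or embedded in the certificate; note that an Expect-CT header with neither `enforce` nor `report-uri` does nothing, so the report endpoint is what makes the trial run useful. A comment in the file should also warn that nginx drops server-level `add_header` directives in any `location` that declares its own `add_header`, so a per-path snippet included from `/nginx/path.d/` that adds a header silently loses Expect-CT along with the headers from headers.conf and hsts.conf — `# NOTE: add_header is not inherited into locations that set their own headers; re-include in path.d snippets if needed`.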
@@ -48,6 +49,9 @@ f_check_certs() { head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE} tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE} RELOAD_NGINX=1 + if [ -f ${SCTFILE} ]; then + ct-submit ct.googleapis.com/pilot <${FULLCHAINFILE}>${SCTFILE} + fi f_log INF "New Certificate for ${domain} generated" fi else diff --git a/reverse/rootfs/usr/local/bin/startup b/reverse/rootfs/usr/local/bin/startup index bfccc0c..d897b5a 100644 --- a/reverse/rootfs/usr/local/bin/startup +++ b/reverse/rootfs/usr/local/bin/startup @@ -45,6 +45,10 @@ f_gen_sites_enabled() { if [ "${FRONTEND_OCSP}" == "false" ]; then sed -i -e "s|include /nginx/conf.d/ocsp.conf|#include /nginx/conf.d/ocsp.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf fi + if [ "${FRONTEND_CT}" == "false" ]; then + sed -i -e "s|ssl_ct_static_scts|#ssl_ct_static_scts|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf + sed -i -e "s|include /nginx/conf.d/ct.conf|#include /nginx/conf.d/ct.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf + fi } f_gen_location() { @@ -99,7 +103,17 @@ f_gen_certs() { fi } - +f_gen_scts() { + container_name=$1 + if [ "${FRONTEND_SSL}" == "true" ] && [ "${FRONTEND_CT}" == "true" ]; then + mkdir -p /nginx/ssl/timestamps/${FRONTEND_DOMAIN} + FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt + SCTFILE=nginx/ssl/timestamps/${FRONTEND_DOMAIN}/fullchain.sct + if [ ! -f ${SCTFILE} ]; then + ct-submit ct.googleapis.com/pilot <${FULLCHAINFILE}>${SCTFILE} + fi + fi +} f_make_conf() { @@ -113,6 +127,7 @@ f_make_conf() { FRONTEND_HSTS=true FRONTEND_HEADERS=true FRONTEND_OCSP=true + FRONTEND_CT=true container_name=$1 IFS=$'\n' 
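Review bot: `ct-submit ct.googleapis.com/pilot <${FULLCHAINFILE}>${SCTFILE}` truncates the existing `.sct` before ct-submit runs, so if the submission fails (log unreachable, rate limited, chain rejected) the renewed certificate is reloaded alongside an empty SCT file and nothing is logged, while `RELOAD_NGINX=1` has already been set. Write to a temporary file and move it into place only on success, e.g. `ct-submit ct.googleapis.com/pilot <"${FULLCHAINFILE}" >"${SCTFILE}.tmp" && mv "${SCTFILE}.tmp" "${SCTFILE}"`, and emit an `f_log` line on the failure branch. The `[ -f ${SCTFILE} ]` guard also means a domain whose SCT was never written (the startup path in f_gen_scts currently computes a relative path, so that is likely) is renewed without ever getting one; testing `FRONTEND_CT`-style intent here instead of file presence would be more robust. f_check_certs begins before this hunk.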
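Review bot: `SCTFILE=nginx/ssl/timestamps/${FRONTEND_DOMAIN}/fullchain.sct` is missing its leading `/`, so the path is relative to the script's working directory: `[ ! -f ${SCTFILE} ]` never finds an existing file, the redirection targets a directory that `mkdir -p /nginx/ssl/timestamps/...` did not create, and the absolute `fullchain.sct` that template_ssl's `ssl_ct_static_scts /nginx/ssl/timestamps/.../` and check_certs expect is presumably never written — nginx then serves no SCTs while ct.conf sends `Expect-CT enforce`. As in check_certs, `>${SCTFILE}` truncates before ct-submit runs, so a failed submission leaves an empty file, and nothing checks that `${FULLCHAINFILE}` exists yet even though f_gen_certs may not have produced it. `container_name=$1` is assigned but never used in the function. Fix the path, guard on the certificate, and write the SCT atomically:
```shell
f_gen_scts() {
    # … unchanged: container_name, FRONTEND_SSL/FRONTEND_CT check, mkdir, FULLCHAINFILE …
    SCTFILE=/nginx/ssl/timestamps/${FRONTEND_DOMAIN}/fullchain.sct
    if [ -f "${FULLCHAINFILE}" ] && [ ! -f "${SCTFILE}" ]; then
      # Submit into a temp file so a failed submission never leaves a truncated .sct behind
      if ct-submit ct.googleapis.com/pilot <"${FULLCHAINFILE}" >"${SCTFILE}.tmp"; then
        mv "${SCTFILE}.tmp" "${SCTFILE}"
      else
        rm -f "${SCTFILE}.tmp"
        echo "SCT submission failed for ${FRONTEND_DOMAIN}" >&2
      fi
    fi
    # … unchanged: closing fi and } …
```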
@@ -147,15 +162,19 @@ f_make_conf() { "reverse.frontend.ocsp") FRONTEND_OCSP="$(echo ${label} | awk '{print $2}')" ;; + "reverse.frontend.ct") + FRONTEND_CT="$(echo ${label} | awk '{print $2}')" + ;; "reverse.backend.port") BACKEND_PORT="$(echo ${label} | awk '{print $2}')" ;; esac done - f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, headers=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS}, ocsp=${FRONTEND_OCSP} and port=${BACKEND_PORT}" + f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, headers=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS}, ocsp=${FRONTEND_OCSP}, ct=${FRONTEND_CT} and port=${BACKEND_PORT}" f_gen_location ${container_name} f_gen_sites_enabled f_gen_certs ${container_name} + f_gen_scts ${container_name} fi }
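Review bot: the label value is copied into `FRONTEND_CT` unvalidated at `FRONTEND_CT="$(echo ${label} | awk '{print $2}')"`, and the two consumers test it with opposite polarity — f_gen_sites_enabled only comments out the CT directives when the value is exactly `"false"`, while f_gen_scts only submits when it is exactly `"true"` — so a label such as `reverse.frontend.ct=yes` (or a value with a stray character) leaves `ssl_ct on` and `Expect-CT enforce` active in the generated vhost with, presumably, no SCT ever generated. Normalise right after the `case`, e.g. `[ "${FRONTEND_CT}" == "false" ] || FRONTEND_CT=true`, or have both consumers compare against the same literal. The ordering `f_gen_certs` then `f_gen_scts` is right, since the submission reads the freshly written `.crt`; a comment such as `# SCTs are submitted from the certificate f_gen_certs just wrote, keep this call after it` would protect it from a later reorder. f_make_conf begins before this hunk.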