reverse: add certificate transparency support

This commit is contained in:
root 2017-09-18 19:50:56 +02:00
parent c8ca237ca7
commit 3ade350cd8
5 changed files with 40 additions and 5 deletions


@ -27,7 +27,8 @@ ARG NGINX_MODULES=" \
ARG NGINX_3RD_PARTY_MODULES=" \ ARG NGINX_3RD_PARTY_MODULES=" \
--add-module=/tmp/headers-more-nginx-module \ --add-module=/tmp/headers-more-nginx-module \
--add-module=/tmp/ngx_brotli" --add-module=/tmp/ngx_brotli \
--add-module=/tmp/nginx-ct"
RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
@ -72,10 +73,13 @@ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
&& cd /tmp && git clone https://github.com/bagder/libbrotli --depth=1 \ && cd /tmp && git clone https://github.com/bagder/libbrotli --depth=1 \
&& cd libbrotli && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \ && cd libbrotli && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
&& cd /tmp && git clone https://github.com/google/ngx_brotli --depth=1 \ && cd /tmp && git clone https://github.com/google/ngx_brotli --depth=1 \
&& cd ngx_brotli && git submodule update --init \ && cd ngx_brotli && git submodule update --init && cd /tmp \
# Headers More # Headers More
&& cd /tmp && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \ && git clone https://github.com/openresty/headers-more-nginx-module --depth=1 \
# nginx-ct
&& git clone https://github.com/grahamedgecombe/nginx-ct --depth=1 \
# OpenSSL # OpenSSL
&& OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz" \ && OPENSSL_TARBALL="openssl-${OPENSSL_VERSION}.tar.gz" \
@ -126,6 +130,10 @@ RUN NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
&& go get github.com/xenolf/lego \ && go get github.com/xenolf/lego \
&& mv /tmp/go/bin/lego /usr/local/bin/lego \ && mv /tmp/go/bin/lego /usr/local/bin/lego \
# ct-submit
&& go get github.com/grahamedgecombe/ct-submit \
&& mv /tmp/go/bin/ct-submit /usr/local/bin/ct-submit \
# Clean # Clean
&& apk del build-dependencies \ && apk del build-dependencies \
&& rm -rf /tmp/* /var/cache/apk/* /root/.gnupg && rm -rf /tmp/* /var/cache/apk/* /root/.gnupg
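Review bot: The new `git clone https://github.com/grahamedgecombe/nginx-ct --depth=1` and `go get github.com/grahamedgecombe/ct-submit` lines pull whatever the upstream default branch holds at build time, so the image's TLS stack now depends on two more unpinned third-party sources with no tag, commit or checksum check. Because nginx-ct is compiled into the server itself (via `--add-module=/tmp/nginx-ct` in the first hunk), an upstream change or compromise lands silently in the next rebuild. Pin the clone, e.g. `git clone --branch <NGINX_CT_TAG_PLACEHOLDER> --depth=1 https://github.com/grahamedgecombe/nginx-ct`, and for ct-submit fetch with `go get -d`, check out a known commit in `/tmp/go/src/github.com/grahamedgecombe/ct-submit`, then `go install` it. The same applies to the pre-existing libbrotli, ngx_brotli and headers-more clones, but this commit is the natural place to start since it introduces the pattern for the CT components. The `RUN` instruction these hunks belong to starts before the first hunk shown.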


@ -0,0 +1,2 @@
ssl_ct on;
add_header Expect-CT "enforce; max-age=86400";
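Review bot: `add_header Expect-CT "enforce; max-age=86400";` switches browsers straight to hard-fail mode with no report-only rollout and no `report-uri`, while the SCTs it depends on are produced by a single best-effort `ct-submit` call elsewhere in this commit whose exit status is never checked. If that submission fails or the `.sct` file ends up empty after a renewal, clients that cached the policy will refuse the site for up to a day and the operator gets no signal why. Start with `add_header Expect-CT "max-age=86400; report-uri=\"<REPORT_URI_PLACEHOLDER>\"";` (report-only) and move to `enforce` once SCT generation is verified; note also that nginx `add_header` directives are not inherited into a `location` block that sets its own headers, so this file only takes effect where no such override exists. Expect-CT has since been deprecated by browsers in favour of CT being required by default, which is another reason not to enforce here.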


@ -15,10 +15,12 @@ server {
ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt; ssl_certificate /nginx/ssl/certificates/<frontend_domain>.crt;
ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key; ssl_certificate_key /nginx/ssl/certificates/<frontend_domain>.key;
ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem; ssl_trusted_certificate /nginx/ssl/certificates/<frontend_domain>.chain.pem;
ssl_ct_static_scts /nginx/ssl/timestamps/<frontend_domain>;
include /nginx/conf.d/ssl.conf; include /nginx/conf.d/ssl.conf;
include /nginx/conf.d/headers.conf; include /nginx/conf.d/headers.conf;
include /nginx/conf.d/hsts.conf; include /nginx/conf.d/hsts.conf;
include /nginx/conf.d/ocsp.conf; include /nginx/conf.d/ocsp.conf;
include /nginx/conf.d/ct.conf;
include /nginx/path.d/<frontend_domain>/*.conf; include /nginx/path.d/<frontend_domain>/*.conf;


@ -35,6 +35,7 @@ f_check_certs() {
KEYFILE=/nginx/ssl/certificates/${domain}.key KEYFILE=/nginx/ssl/certificates/${domain}.key
CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem CHAINFILE=/nginx/ssl/certificates/${domain}.chain.pem
FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt FULLCHAINFILE=/nginx/ssl/certificates/${domain}.crt
SCTFILE=/nginx/ssl/timestamps/${domain}/fullchain.sct
mkdir -p /nginx/www/${domain} mkdir -p /nginx/www/${domain}
openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}" openssl x509 -checkend 864000 -noout -in "${FULLCHAINFILE}"
@ -48,6 +49,9 @@ f_check_certs() {
head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE} head -$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1) ${FULLCHAINFILE} > ${CERTFILE}
tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE} tail -$(($(wc -l ${FULLCHAINFILE} | awk '{print $1}')-$(grep -n "END CERTIFICATE" ${FULLCHAINFILE} | head -1 | cut -d: -f1))) ${FULLCHAINFILE} > ${CHAINFILE}
RELOAD_NGINX=1 RELOAD_NGINX=1
if [ -f ${SCTFILE} ]; then
ct-submit ct.googleapis.com/pilot <${FULLCHAINFILE}>${SCTFILE}
fi
f_log INF "New Certificate for ${domain} generated" f_log INF "New Certificate for ${domain} generated"
fi fi
else else
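Review bot: `ct-submit ct.googleapis.com/pilot <${FULLCHAINFILE}>${SCTFILE}` truncates the existing SCT file before ct-submit runs, so a network or log error leaves a zero-byte `fullchain.sct` that nginx-ct will serve (or reject) with nothing logged, and the renewal message `New Certificate for ${domain} generated` is still emitted as if everything succeeded. Write to a temporary file and only replace the SCT on success, and record the failure; submitting to a single hard-coded log is also fragile, since browser CT policies have required SCTs from more than one log and individual logs are retired, so the log list should be a variable documented next to `SCTFILE`. The variables are unquoted throughout the hunk (`${SCTFILE}`, `${FULLCHAINFILE}`), which breaks on any domain label containing whitespace. `f_check_certs` starts and ends outside this hunk.
```shell
# … unchanged: CERTFILE/CHAINFILE split and RELOAD_NGINX=1 …
if [ -f "${SCTFILE}" ]; then
  if ct-submit ct.googleapis.com/pilot <"${FULLCHAINFILE}" >"${SCTFILE}.tmp"; then
    mv -f "${SCTFILE}.tmp" "${SCTFILE}"
  else
    rm -f "${SCTFILE}.tmp"
    f_log INF "SCT submission failed for ${domain}, keeping previous SCT file"
  fi
fi
# … unchanged: f_log INF "New Certificate …" …
```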


@ -45,6 +45,10 @@ f_gen_sites_enabled() {
if [ "${FRONTEND_OCSP}" == "false" ]; then if [ "${FRONTEND_OCSP}" == "false" ]; then
sed -i -e "s|include /nginx/conf.d/ocsp.conf|#include /nginx/conf.d/ocsp.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf sed -i -e "s|include /nginx/conf.d/ocsp.conf|#include /nginx/conf.d/ocsp.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
fi fi
if [ "${FRONTEND_CT}" == "false" ]; then
sed -i -e "s|ssl_ct_static_scts|#ssl_ct_static_scts|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
sed -i -e "s|include /nginx/conf.d/ct.conf|#include /nginx/conf.d/ct.conf|g" /nginx/sites-enabled/${FRONTEND_DOMAIN}.conf
fi
} }
f_gen_location() { f_gen_location() {
@ -99,7 +103,17 @@ f_gen_certs() {
fi fi
} }
f_gen_scts() {
container_name=$1
if [ "${FRONTEND_SSL}" == "true" ] && [ "${FRONTEND_CT}" == "true" ]; then
mkdir -p /nginx/ssl/timestamps/${FRONTEND_DOMAIN}
FULLCHAINFILE=/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt
SCTFILE=nginx/ssl/timestamps/${FRONTEND_DOMAIN}/fullchain.sct
if [ ! -f ${SCTFILE} ]; then
ct-submit ct.googleapis.com/pilot <${FULLCHAINFILE}>${SCTFILE}
fi
fi
}
f_make_conf() { f_make_conf() {
@ -113,6 +127,7 @@ f_make_conf() {
FRONTEND_HSTS=true FRONTEND_HSTS=true
FRONTEND_HEADERS=true FRONTEND_HEADERS=true
FRONTEND_OCSP=true FRONTEND_OCSP=true
FRONTEND_CT=true
container_name=$1 container_name=$1
IFS=$'\n' IFS=$'\n'
@ -147,15 +162,19 @@ f_make_conf() {
"reverse.frontend.ocsp") "reverse.frontend.ocsp")
FRONTEND_OCSP="$(echo ${label} | awk '{print $2}')" FRONTEND_OCSP="$(echo ${label} | awk '{print $2}')"
;; ;;
"reverse.frontend.ct")
FRONTEND_CT="$(echo ${label} | awk '{print $2}')"
;;
"reverse.backend.port") "reverse.backend.port")
BACKEND_PORT="$(echo ${label} | awk '{print $2}')" BACKEND_PORT="$(echo ${label} | awk '{print $2}')"
;; ;;
esac esac
done done
f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, headers=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS}, ocsp=${FRONTEND_OCSP} and port=${BACKEND_PORT}" f_log INF "Generate files for ${FRONTEND_DOMAIN}, with path=${FRONTEND_PATH}, auth=${FRONTEND_AUTH}, headers=${FRONTEND_HEADERS}, ssl_type=${FRONTEND_SSLTYPE}, ssl=${FRONTEND_SSL}, hsts=${FRONTEND_HSTS}, ocsp=${FRONTEND_OCSP}, ct=${FRONTEND_CT} and port=${BACKEND_PORT}"
f_gen_location ${container_name} f_gen_location ${container_name}
f_gen_sites_enabled f_gen_sites_enabled
f_gen_certs ${container_name} f_gen_certs ${container_name}
f_gen_scts ${container_name}
fi fi
} }
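Review bot: In `f_gen_scts`, `SCTFILE=nginx/ssl/timestamps/${FRONTEND_DOMAIN}/fullchain.sct` is missing the leading slash that `mkdir -p /nginx/ssl/timestamps/${FRONTEND_DOMAIN}` and the `SCTFILE` in the other script use, so the `-f` test looks at a relative path, the redirect targets a directory that does not exist under the current working directory, and the SCT is never written to where `ssl_ct_static_scts` reads it. The redirect also truncates the target before `ct-submit` runs, so a failed submission leaves an empty `.sct` rather than nothing; write to a temp file and `mv` on success, and quote the expansions. The two toggles are inconsistent as well: `f_gen_sites_enabled` only disables CT when `FRONTEND_CT` is exactly `false`, while `f_gen_scts` only generates SCTs when it is exactly `true`, so any other label value (for example `off`) yields `ssl_ct on` with no SCTs and an enforcing Expect-CT header; normalise the value once in `f_make_conf` or make both tests compare against the same literal. `container_name=$1` in `f_gen_scts` is assigned but never read in the function body shown.
```shell
f_gen_scts() {
  if [ "${FRONTEND_SSL}" == "true" ] && [ "${FRONTEND_CT}" == "true" ]; then
    mkdir -p "/nginx/ssl/timestamps/${FRONTEND_DOMAIN}"
    FULLCHAINFILE="/nginx/ssl/certificates/${FRONTEND_DOMAIN}.crt"
    SCTFILE="/nginx/ssl/timestamps/${FRONTEND_DOMAIN}/fullchain.sct"
    if [ ! -f "${SCTFILE}" ]; then
      if ct-submit ct.googleapis.com/pilot <"${FULLCHAINFILE}" >"${SCTFILE}.tmp"; then
        mv -f "${SCTFILE}.tmp" "${SCTFILE}"
      else
        rm -f "${SCTFILE}.tmp"
        f_log INF "SCT submission failed for ${FRONTEND_DOMAIN}"
      fi
    fi
  fi
}
```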