From 0f86b3608a6d6e9b003c4b17da48ebf7109bcb43 Mon Sep 17 00:00:00 2001 From: Hubert Van De Walle Date: Thu, 30 Apr 2020 17:29:34 +0200 Subject: [PATCH 1/2] Start ssl --- docker-compose.yml | 12 +++++-- init-letsencrypt.sh | 77 +++++++++++++++++++++++++++++++++++++++++++++ nginx/nginx.conf | 33 ------------------- nginx/server.conf | 28 ++++++++++++----- 4 files changed, 106 insertions(+), 44 deletions(-) create mode 100755 init-letsencrypt.sh delete mode 100644 nginx/nginx.conf diff --git a/docker-compose.yml b/docker-compose.yml index 0064d57..b1a800b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,14 +11,20 @@ services: - TZ=Europe/Brussels volumes: - ./frontend/dist:/usr/share/nginx/html - - ./nginx/nginx.conf:/etc/nginx/nginx.conf - - ./nginx/server.conf:/etc/nginx/server.conf + - ./nginx:/etc/nginx/conf.d + - ./nginx/certbot/conf:/etc/letsencrypt + - ./nginx/certbot/www:/var/www/certbot ports: - 80:80 - 443:443 depends_on: - api + certbot: + image: certbot/certbot + volumes: + - ./nginx/certbot/conf:/etc/letsencrypt + - ./nginx/certbot/www:/var/www/certbot db: image: mariadb @@ -33,7 +39,7 @@ services: # This is only for testing - 3306:3306 volumes: - - notes-db-volume:/var/lib/mysql + - notes-db-volume:/var/lib/mysql healthcheck: test: ["CMD", "mysqladmin" ,"ping", "-h", "localhost"] timeout: 10s diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh new file mode 100755 index 0000000..673fcf9 --- /dev/null +++ b/init-letsencrypt.sh 
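Review bot: The new `certbot` service in the first docker-compose.yml hunk declares only an image and volumes, with no `command` or `entrypoint`, so unless one is supplied elsewhere it runs the image's default `certbot` invocation once and exits — nothing renews the certificate, and nginx is never told to reload a renewed one. The usual pairing is a renewal loop on the service, e.g. `entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"`, together with a periodic `nginx -s reload` on the nginx side. In this revision the certbot data also lives under `./nginx/certbot`, which sits inside the directory mounted at `/etc/nginx/conf.d`, so the private key ends up beneath nginx's config tree; the second patch moves it to `./data`, and a comment such as `# host path for keys/challenges; keep outside the conf.d mount` on those volume lines would keep it from drifting back.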
@@ -0,0 +1,77 @@ +#!/bin/bash + +if ! [ -x "$(command -v docker-compose)" ]; then + echo 'Error: docker-compose is not installed.' >&2 + exit 1 +fi + +domains=(simplenotes.be www.simplenotes.be) +rsa_key_size=4096 +data_path="./nginx/certbot" +email="" +staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits + +if [ -d "$data_path" ]; then + read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision + if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then + exit + fi +fi + +if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then + echo "### Downloading recommended TLS parameters ..." + mkdir -p "$data_path/conf" + curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf >"$data_path/conf/options-ssl-nginx.conf" + curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem >"$data_path/conf/ssl-dhparams.pem" + echo +fi + +echo "### Creating dummy certificate for $domains ..." +path="/etc/letsencrypt/live/$domains" +mkdir -p "$data_path/conf/live/$domains" +docker-compose run --rm --entrypoint "\ + openssl req -x509 -nodes -newkey rsa:1024 -days 1\ + -keyout '$path/privkey.pem' \ + -out '$path/fullchain.pem' \ + -subj '/CN=localhost'" certbot +echo + +echo "### Starting nginx ..." +docker-compose up --force-recreate -d nginx +echo + +echo "### Deleting dummy certificate for $domains ..." +docker-compose run --rm --entrypoint "\ + rm -Rf /etc/letsencrypt/live/$domains && \ + rm -Rf /etc/letsencrypt/archive/$domains && \ + rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot +echo + +echo "### Requesting Let's Encrypt certificate for $domains ..." 
+#Join $domains to -d args +domain_args="" +for domain in "${domains[@]}"; do + domain_args="$domain_args -d $domain" +done + +# Select appropriate email arg +case "$email" in +"") email_arg="--register-unsafely-without-email" ;; +*) email_arg="--email $email" ;; +esac + +# Enable staging mode if needed +if [ $staging != "0" ]; then staging_arg="--staging"; fi + +docker-compose run --rm --entrypoint "\ + certbot certonly --webroot -w /var/www/certbot \ + $staging_arg \ + $email_arg \ + $domain_args \ + --rsa-key-size $rsa_key_size \ + --agree-tos \ + --force-renewal" certbot +echo + +echo "### Reloading nginx ..." +docker-compose exec nginx nginx -s reload diff --git a/nginx/nginx.conf b/nginx/nginx.conf deleted file mode 100644 index 22e53f6..0000000 --- a/nginx/nginx.conf +++ /dev/null @@ -1,33 +0,0 @@ - -user nginx; -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - #tcp_nopush on; - - keepalive_timeout 65; - - #gzip on; - - include /etc/nginx/server.conf; -} - diff --git a/nginx/server.conf b/nginx/server.conf index c5a171f..1168ca9 100644 --- a/nginx/server.conf +++ b/nginx/server.conf 
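Review bot: The two `curl -s` fetches in the "Downloading recommended TLS parameters" block write whatever the server returns into `options-ssl-nginx.conf` and `ssl-dhparams.pem`: with `-s` alone a 404 or 5xx body is saved as the config file and nginx fails to start, and even on success the TLS policy and DH group are whatever an unpinned `master` branch happened to contain at that moment. Use `curl -fsSL` so a non-2xx response aborts the download, pin the two URLs to a tagged certbot release rather than `master`, and consider checking the downloaded files against a known-good checksum before writing them. Separately, `staging=0` is the default while the script runs `--force-renewal` unconditionally, so a repeated run after a configuration fix counts against Let's Encrypt's production rate limits; the script's own comment already suggests testing with `staging=1` first, which is worth stating next to `--force-renewal` as well.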
@@ -1,19 +1,31 @@ server { - listen 80; - server_name localhost; + listen 80; + server_name simplenotes.be; - #charset koi8-r; - #access_log /var/log/nginx/host.access.log main; + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$host$request_uri; + } +} + +server { + listen 443 ssl; + server_name simplenotes.be; + + ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; + + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; location / { root /usr/share/nginx/html; index index.html index.htm; } - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; From 8a6e1e821e1f4217211b544e312c1b4e2478263b Mon Sep 17 00:00:00 2001 From: Hubert Van De Walle Date: Thu, 30 Apr 2020 17:06:36 +0000 Subject: [PATCH 2/2] It's working ! --- .gitignore | 4 ++++ docker-compose.yml | 10 +++++----- init-letsencrypt.sh | 6 +++--- nginx/server.conf | 4 ++-- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 1c226f9..a4a1eb5 100644 --- a/.gitignore +++ b/.gitignore @@ -119,3 +119,7 @@ dist # Service worker sw.* *.private.env.json + +# Certificates +data/ +letsencrypt/ diff --git a/docker-compose.yml b/docker-compose.yml index b1a800b..8b50012 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -12,8 +12,8 @@ services: volumes: - ./frontend/dist:/usr/share/nginx/html - ./nginx:/etc/nginx/conf.d - - ./nginx/certbot/conf:/etc/letsencrypt - - ./nginx/certbot/www:/var/www/certbot + - ./data/certbot/conf:/etc/letsencrypt + - ./data/certbot/www:/var/www/certbot ports: - 80:80 - 443:443 
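Review bot: In the new port-80 block, `return 301 https://$host$request_uri;` builds the redirect target from the client-supplied Host header; because this is the only `listen 80` server it is also nginx's default server, so a request carrying an arbitrary Host is redirected to that arbitrary host, which is the classic open-redirect pattern. Redirect to the configured name instead, `return 301 https://$server_name$request_uri;`, or add a catch-all `server { listen 80 default_server; return 444; }` so unmatched hosts are dropped. The 443 block sets no `Strict-Transport-Security` header; `add_header Strict-Transport-Security "max-age=31536000" always;` is the usual follow-up once the certificate is known to work. The 443 server block continues past the end of the hunk.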
@@ -23,8 +23,8 @@ services: certbot: image: certbot/certbot volumes: - - ./nginx/certbot/conf:/etc/letsencrypt - - ./nginx/certbot/www:/var/www/certbot + - ./data/certbot/conf:/etc/letsencrypt + - ./data/certbot/www:/var/www/certbot db: image: mariadb @@ -62,4 +62,4 @@ services: condition: service_healthy volumes: - notes-db-volume: \ No newline at end of file + notes-db-volume: diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index 673fcf9..f0ac2e4 100755 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -5,10 +5,10 @@ if ! [ -x "$(command -v docker-compose)" ]; then exit 1 fi -domains=(simplenotes.be www.simplenotes.be) +domains=(simplenotes.be) rsa_key_size=4096 -data_path="./nginx/certbot" -email="" +data_path="./data/certbot" +email="hubv@protonmail.com" staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits if [ -d "$data_path" ]; then diff --git a/nginx/server.conf b/nginx/server.conf index 1168ca9..3792a75 100644 --- a/nginx/server.conf +++ b/nginx/server.conf @@ -15,8 +15,8 @@ server { listen 443 ssl; server_name simplenotes.be; - ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; + ssl_certificate /etc/letsencrypt/live/simplenotes.be/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/simplenotes.be/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
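Review bot: `email="hubv@protonmail.com"` hard-codes a personal address into a script committed to the repository. Take it from the environment instead, e.g. `email="${LETSENCRYPT_EMAIL:-}"`, which keeps the existing `--register-unsafely-without-email` fallback for an empty value. Dropping `www.simplenotes.be` from `domains` is consistent with `server_name simplenotes.be` in nginx/server.conf, but if the www name still resolves, visitors to it will hit a certificate that does not cover it; it needs to be in both places or in neither.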
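Review bot: The corrected `ssl_certificate` and `ssl_certificate_key` paths now depend on the first element of `domains` in init-letsencrypt.sh, which creates `/etc/letsencrypt/live/$domains`; nothing documents that coupling, so the next edit to either file can silently break TLS startup. Add `# live/<name> must match the first entry of domains= in init-letsencrypt.sh` above the two directives. The hunk sits inside the 443 server block, which begins and ends outside it.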