From 2ad1418b8ca24bbb6d2c6fc7c60fd77c14bfe4b3 Mon Sep 17 00:00:00 2001 From: nicomiguelino Date: Fri, 21 Jun 2024 15:12:03 -0700 Subject: [PATCH 1/2] feat: lay the groundwork for enabling HTTPS in Anthias --- docker-compose.yml.tmpl | 2 +- docker/Dockerfile.nginx.tmpl | 5 +++++ docker/nginx/cert.pem | 22 ++++++++++++++++++++++ docker/nginx/key.pem | 28 ++++++++++++++++++++++++++++ docker/nginx/nginx.conf | 7 +++++++ 5 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 docker/nginx/cert.pem create mode 100644 docker/nginx/key.pem diff --git a/docker-compose.yml.tmpl b/docker-compose.yml.tmpl index 451c244ba..93298e394 100644 --- a/docker-compose.yml.tmpl +++ b/docker-compose.yml.tmpl @@ -131,7 +131,7 @@ services: context: . dockerfile: docker/Dockerfile.nginx ports: - - 80:80 + - 443:443 environment: - HOME=/data depends_on: diff --git a/docker/Dockerfile.nginx.tmpl b/docker/Dockerfile.nginx.tmpl index 82a56e49a..48155aaef 100644 --- a/docker/Dockerfile.nginx.tmpl +++ b/docker/Dockerfile.nginx.tmpl @@ -13,6 +13,11 @@ ENV GIT_SHORT_HASH=$GIT_SHORT_HASH ENV GIT_BRANCH=$GIT_BRANCH COPY docker/nginx/nginx.conf /etc/nginx/sites-enabled/anthias.conf + +# @TODO: Find a way to generate the cert and key files ad-hoc. +COPY docker/nginx/cert.pem /etc/nginx/cert.pem +COPY docker/nginx/key.pem /etc/nginx/key.pem + RUN rm -f /etc/nginx/sites-enabled/default CMD ["nginx", "-g", "daemon off;"] diff --git a/docker/nginx/cert.pem b/docker/nginx/cert.pem new file mode 100644 index 000000000..56c0a6700 --- /dev/null +++ b/docker/nginx/cert.pem 
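Review bot: The `ports` entry swaps `- 80:80` for `- 443:443` instead of adding to it, so plain HTTP is no longer published on the host, while nginx.conf on the new side of this same patch still has `listen 80 default_server;`. Anything that reaches the device over `http://` (bookmarks, scripts, API clients) will get a refused connection rather than a redirect. If HTTPS-only is the intent, drop the port-80 listeners in nginx.conf and say so in the commit message. Otherwise publish both, `- 80:80` and `- 443:443`, and let nginx redirect port 80 to HTTPS. The service definition starts and ends outside this hunk.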
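Review bot: `COPY docker/nginx/key.pem /etc/nginx/key.pem` bakes a private key from the repository into every image, so all deployments share one key and anyone who can pull the image or read the repo can read it. PATCH 2/2 deletes `cert.pem` and `key.pem`, but its diffstat lists only those two files, so these COPY lines appear to stay and the build would then fail on the missing sources. Generate the pair on first container start into a volume, or mount it at runtime, and have nginx read it from there. The TODO could then become a comment such as `# cert/key are provided at runtime, never built into the image`.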
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuTCCAqGgAwIBAgIUbZ2GDSnWfb0f3RVtF6541590gzowDQYJKoZIhvcNAQEL +BQAwbDELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u +ZG9uMQ4wDAYDVQQKDAVBbHJvczEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDETMBEG +A1UEAwwKbG9jYWxob3N0fjAeFw0yNDA2MjExOTU4MTFaFw0yNTA2MjExOTU4MTFa +MGwxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRv +bjEOMAwGA1UECgwFQWxyb3MxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxEzARBgNV +BAMMCmxvY2FsaG9zdH4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD +41AgDdDmjX9O1oKTZ9XNMj5hfitpW6CFj2pvIDSRll8Vrex3K/tD/GmiKPFbQ5cK +gl35nGXEsDyefdCKepc0orKGt7RZvYTH2+wggOwuuCrQw9D8f3xjU93GuWjq/pbk +OzSVzCwYMlJe0FOAW8Wm3NeHki+nUmeQ+2L6uHCIT71HbxLkTr9f+kt+irqib7m+ +Igdzvc5Qn6d5foHHMYIb1EZcrIELErNBhcK/M6kb1FwbObYzBkP6zXuVMgHzsMxc +6CV2b8eAKt/scZxXcBTH0qhk8fxShgs5yTvQhiJ5RmlEYLm79GBBpT0Ed/ftt/YJ +S045Ycowyu7kBhPmxZrrAgMBAAGjUzBRMB0GA1UdDgQWBBQM03JhuQQjiOorjLLq +VQzb8IHCejAfBgNVHSMEGDAWgBQM03JhuQQjiOorjLLqVQzb8IHCejAPBgNVHRMB +Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCVwN8EV/Ds2q2cstuSdxiCeiZj +d33O4W++gaw+3QZjXW3LwNjeQM2yMxJ4VwjXIk98aGLgGWvl24Gkd+TBcIy/5pad +PLDEQPaQpFR+9qy9ni5OKNRJn3jkJGl/kPFS7mgZV4BToEDs3OUiTd/ZkgKld31O +y7THxRLjVDwNA2s6VZ5QVxNkSmcz8L81FspjFdnE/s9LwyyZfevPDN1jDSouhqzV +j4g2pNYAearQ4r8BA93muMAPjmFEeKWWWVgygHV8tsos40tI2SEA7Ne5KK7pmUJj +ptVHwtsWLdF3y3JTDirZMvmdzY9I7/Qc+qNzwnZSQL/NzUBo7fayr8NMwyaN +-----END CERTIFICATE----- diff --git a/docker/nginx/key.pem b/docker/nginx/key.pem new file mode 100644 index 000000000..f850ace8c --- /dev/null +++ b/docker/nginx/key.pem 
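Review bot: A certificate checked in as a static file cannot match the hostname or IP address of the devices that will serve it, and it expires on a fixed date. Decoding the added blob suggests a self-signed certificate with a `localhost`-style common name and a validity of one year from 21 June 2024. Every install would therefore present the same untrusted certificate, and all of them would hit expiry on the same day. Issue the certificate per device at provisioning or first boot, with a subjectAltName for the address users actually browse to, instead of shipping one in the repository.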
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDD41AgDdDmjX9O +1oKTZ9XNMj5hfitpW6CFj2pvIDSRll8Vrex3K/tD/GmiKPFbQ5cKgl35nGXEsDye +fdCKepc0orKGt7RZvYTH2+wggOwuuCrQw9D8f3xjU93GuWjq/pbkOzSVzCwYMlJe +0FOAW8Wm3NeHki+nUmeQ+2L6uHCIT71HbxLkTr9f+kt+irqib7m+Igdzvc5Qn6d5 +foHHMYIb1EZcrIELErNBhcK/M6kb1FwbObYzBkP6zXuVMgHzsMxc6CV2b8eAKt/s +cZxXcBTH0qhk8fxShgs5yTvQhiJ5RmlEYLm79GBBpT0Ed/ftt/YJS045Ycowyu7k +BhPmxZrrAgMBAAECggEAIgR2pKphjbgi1JkR4fFVQqYoCRw1A73iuW73Z8bq+iFn +78bdWrCrmNnbqkp754JsV2neUfuj/K0ySb/FmFbDrWNXp2d9jVwJFAAQGHDrEw3u +eYSX5VFqU4F78Qe/vZdqssXJUv465hTPEyIQbikBwQF2+FcdqWv5Ckdtn+apvDH2 +YAW6nBjvvpPa2SOx2K+K9IyP4yidZvvC549y37hKU/+NKUiuDyrc727CXyZJW9Ev +yfbAuKRwZGQlpFEPFmAwq6TvTUBYjMjoHnYjWkIwRAsIjBTKJ45yn80kB2II4aCJ +cWm+dUuS/e7PUFnxKpQtp8oMYtbQoztczMYVl3pskQKBgQD+QZVCkDWVuvT/4Lh7 +hpD8DFew4ERfMy/Jj4cNCbkJ6mk0r/TxhaP4arpN6LrSYeibgKSKERvOY4ufmRlE +ExmvxnpNl8i7xM4adMdd+TRfJvH3KQ9u6wtDdDLBAc01u3gHhtVXYCxwj87oY119 +PxnGdgrTJCWj8vy8+fISU3TaaQKBgQDFOz+VTyMtB5MEpjL9768QBOSIkC3SAYqL +/CIvJBr2YDUrtBk4YmOjXxzuxx3XMj/jLFRJDOc4L+MMRKU0kQBnP2j8X2n651mD +DtbDQGT++ZX6SmiE5NK0Ml9OgXpRrY5uSwCw/tBo8kkzMz0hWSJl66iTzlScmhMG +V1USbtpYMwKBgQCTT8Y+GbWiOf8HXdklYLMSBcis51NV4R9X5fu2VyLJlvI7n5MI +eIinPpcQ2r2bdTTDHAa5I+57ZvuXjamw4mwohpOH72BTQlSzyWNVlDR+yN66eCTD +/BS7kVByuSt/bU2+9qUXCdbVpMyZojChh3TUosHk0XWphvheOWbCrW3vuQKBgDfu +UlysIYSOhlGmNAWxJ8r6KDjV8jiAuWJzMNp/eanupIVtQE2uESVuPo00KDEzjcyF +cK16nENhyRhciyD6Ecw1vjb7c9l0K/0vgxXBuCJacv6UhUlSfrIdKsvfiemJtz9t +w5dt23o3YyzC1g4T8d5HUvn/ZB040DZXI8fjacXjAoGBALGDnzjcbhKgPVW+vh55 +3uZBx0nt7T+INWDJOKiH0CCu3DoNJCBNHzIUJbwrhknvyjrQ2ASa26n8gA+s/E3Q +RsKml49R8N7PosLyyQGQ/yaH+ZPaAl8YnqA5GvTE/Q0neQViy9FErXfqBatJm/FU +0PvGNkBGnDVxEtTPGMDLE/uU +-----END PRIVATE KEY----- diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf index 22f3d96ec..067fae3ba 100644 --- a/docker/nginx/nginx.conf +++ b/docker/nginx/nginx.conf 
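Review bot: `docker/nginx/key.pem` adds an unencrypted private key to the repository, and deleting the file in PATCH 2/2 does not remove it from history, from this patch series, or from any image already built from it. Treat this key and the matching `cert.pem` as compromised and never reuse them on a device. If the branch has not been merged, squash or rewrite it so the key never lands upstream. An ignore rule for `docker/nginx/*.pem` plus a secret-scanning check in CI would keep a regenerated pair from being committed again.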
@@ -14,9 +14,16 @@ upstream websocket { server { server_tokens off; + listen 80 default_server; listen [::]:80 default_server; + listen 443 ssl; + listen [::]:443 ssl; + + ssl_certificate /etc/nginx/cert.pem; + ssl_certificate_key /etc/nginx/key.pem; + location / { # Temporarily disables wifi-connect From 48ddcf87428d1306ac262cb454339dbd777b3316 Mon Sep 17 00:00:00 2001 From: nicomiguelino Date: Fri, 21 Jun 2024 16:57:06 -0700 Subject: [PATCH 2/2] security: remove .pem files --- docker/nginx/cert.pem | 22 ---------------------- docker/nginx/key.pem | 28 ---------------------------- 2 files changed, 50 deletions(-) delete mode 100644 docker/nginx/cert.pem delete mode 100644 docker/nginx/key.pem diff --git a/docker/nginx/cert.pem b/docker/nginx/cert.pem deleted file mode 100644 index 56c0a6700..000000000 --- a/docker/nginx/cert.pem +++ /dev/null 
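Review bot: The server block on the new side has both `listen 80 default_server;` and `listen 443 ssl;`, so every location is still served in plaintext on port 80 and nothing moves a client to HTTPS. Split the port-80 listeners into their own server block that only does `return 301 https://$host$request_uri;`, and keep the application locations in the TLS block. The TLS listeners also set no `ssl_protocols`, which leaves the protocol choice to the nginx package default; pinning it, e.g. `ssl_protocols TLSv1.2 TLSv1.3;`, makes the policy explicit. The server block continues past the end of the hunk.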
@@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDuTCCAqGgAwIBAgIUbZ2GDSnWfb0f3RVtF6541590gzowDQYJKoZIhvcNAQEL -BQAwbDELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEPMA0GA1UEBwwGTG9u -ZG9uMQ4wDAYDVQQKDAVBbHJvczEWMBQGA1UECwwNSVQgRGVwYXJ0bWVudDETMBEG -A1UEAwwKbG9jYWxob3N0fjAeFw0yNDA2MjExOTU4MTFaFw0yNTA2MjExOTU4MTFa -MGwxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIDAZMb25kb24xDzANBgNVBAcMBkxvbmRv -bjEOMAwGA1UECgwFQWxyb3MxFjAUBgNVBAsMDUlUIERlcGFydG1lbnQxEzARBgNV -BAMMCmxvY2FsaG9zdH4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD -41AgDdDmjX9O1oKTZ9XNMj5hfitpW6CFj2pvIDSRll8Vrex3K/tD/GmiKPFbQ5cK -gl35nGXEsDyefdCKepc0orKGt7RZvYTH2+wggOwuuCrQw9D8f3xjU93GuWjq/pbk -OzSVzCwYMlJe0FOAW8Wm3NeHki+nUmeQ+2L6uHCIT71HbxLkTr9f+kt+irqib7m+ -Igdzvc5Qn6d5foHHMYIb1EZcrIELErNBhcK/M6kb1FwbObYzBkP6zXuVMgHzsMxc -6CV2b8eAKt/scZxXcBTH0qhk8fxShgs5yTvQhiJ5RmlEYLm79GBBpT0Ed/ftt/YJ -S045Ycowyu7kBhPmxZrrAgMBAAGjUzBRMB0GA1UdDgQWBBQM03JhuQQjiOorjLLq -VQzb8IHCejAfBgNVHSMEGDAWgBQM03JhuQQjiOorjLLqVQzb8IHCejAPBgNVHRMB -Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCVwN8EV/Ds2q2cstuSdxiCeiZj -d33O4W++gaw+3QZjXW3LwNjeQM2yMxJ4VwjXIk98aGLgGWvl24Gkd+TBcIy/5pad -PLDEQPaQpFR+9qy9ni5OKNRJn3jkJGl/kPFS7mgZV4BToEDs3OUiTd/ZkgKld31O -y7THxRLjVDwNA2s6VZ5QVxNkSmcz8L81FspjFdnE/s9LwyyZfevPDN1jDSouhqzV -j4g2pNYAearQ4r8BA93muMAPjmFEeKWWWVgygHV8tsos40tI2SEA7Ne5KK7pmUJj -ptVHwtsWLdF3y3JTDirZMvmdzY9I7/Qc+qNzwnZSQL/NzUBo7fayr8NMwyaN ------END CERTIFICATE----- diff --git a/docker/nginx/key.pem b/docker/nginx/key.pem deleted file mode 100644 index f850ace8c..000000000 --- a/docker/nginx/key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDD41AgDdDmjX9O -1oKTZ9XNMj5hfitpW6CFj2pvIDSRll8Vrex3K/tD/GmiKPFbQ5cKgl35nGXEsDye -fdCKepc0orKGt7RZvYTH2+wggOwuuCrQw9D8f3xjU93GuWjq/pbkOzSVzCwYMlJe -0FOAW8Wm3NeHki+nUmeQ+2L6uHCIT71HbxLkTr9f+kt+irqib7m+Igdzvc5Qn6d5 -foHHMYIb1EZcrIELErNBhcK/M6kb1FwbObYzBkP6zXuVMgHzsMxc6CV2b8eAKt/s -cZxXcBTH0qhk8fxShgs5yTvQhiJ5RmlEYLm79GBBpT0Ed/ftt/YJS045Ycowyu7k -BhPmxZrrAgMBAAECggEAIgR2pKphjbgi1JkR4fFVQqYoCRw1A73iuW73Z8bq+iFn -78bdWrCrmNnbqkp754JsV2neUfuj/K0ySb/FmFbDrWNXp2d9jVwJFAAQGHDrEw3u -eYSX5VFqU4F78Qe/vZdqssXJUv465hTPEyIQbikBwQF2+FcdqWv5Ckdtn+apvDH2 -YAW6nBjvvpPa2SOx2K+K9IyP4yidZvvC549y37hKU/+NKUiuDyrc727CXyZJW9Ev -yfbAuKRwZGQlpFEPFmAwq6TvTUBYjMjoHnYjWkIwRAsIjBTKJ45yn80kB2II4aCJ -cWm+dUuS/e7PUFnxKpQtp8oMYtbQoztczMYVl3pskQKBgQD+QZVCkDWVuvT/4Lh7 -hpD8DFew4ERfMy/Jj4cNCbkJ6mk0r/TxhaP4arpN6LrSYeibgKSKERvOY4ufmRlE -ExmvxnpNl8i7xM4adMdd+TRfJvH3KQ9u6wtDdDLBAc01u3gHhtVXYCxwj87oY119 -PxnGdgrTJCWj8vy8+fISU3TaaQKBgQDFOz+VTyMtB5MEpjL9768QBOSIkC3SAYqL -/CIvJBr2YDUrtBk4YmOjXxzuxx3XMj/jLFRJDOc4L+MMRKU0kQBnP2j8X2n651mD -DtbDQGT++ZX6SmiE5NK0Ml9OgXpRrY5uSwCw/tBo8kkzMz0hWSJl66iTzlScmhMG -V1USbtpYMwKBgQCTT8Y+GbWiOf8HXdklYLMSBcis51NV4R9X5fu2VyLJlvI7n5MI -eIinPpcQ2r2bdTTDHAa5I+57ZvuXjamw4mwohpOH72BTQlSzyWNVlDR+yN66eCTD -/BS7kVByuSt/bU2+9qUXCdbVpMyZojChh3TUosHk0XWphvheOWbCrW3vuQKBgDfu -UlysIYSOhlGmNAWxJ8r6KDjV8jiAuWJzMNp/eanupIVtQE2uESVuPo00KDEzjcyF -cK16nENhyRhciyD6Ecw1vjb7c9l0K/0vgxXBuCJacv6UhUlSfrIdKsvfiemJtz9t -w5dt23o3YyzC1g4T8d5HUvn/ZB040DZXI8fjacXjAoGBALGDnzjcbhKgPVW+vh55 -3uZBx0nt7T+INWDJOKiH0CCu3DoNJCBNHzIUJbwrhknvyjrQ2ASa26n8gA+s/E3Q -RsKml49R8N7PosLyyQGQ/yaH+ZPaAl8YnqA5GvTE/Q0neQViy9FErXfqBatJm/FU -0PvGNkBGnDVxEtTPGMDLE/uU ------END PRIVATE KEY-----