From 270e20806df4a0cbd384a0a160ad785e61410768 Mon Sep 17 00:00:00 2001
From: Jason Kendall <coolacid@gmail.com>
Date: Thu, 28 May 2020 20:23:33 -0400
Subject: [PATCH] Move SSL certs /etc/nginx/certs - fixes #53

---
 docker-compose.yml                 |  2 +-
 server/Dockerfile                  |  2 +-
 server/files/entrypoint_nginx.sh   | 29 +++++++++++++++++++++++------
 server/files/etc/nginx/misp        |  6 +++---
 server/files/etc/nginx/misp-secure |  4 ++--
 5 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 13a9528..008e918 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -32,7 +32,7 @@ services:
       - "./server-configs/:/var/www/MISP/app/Config/"
       - "./logs/:/var/www/MISP/app/tmp/logs/"
       - "./files/:/var/www/MISP/app/files"
-      - "./ssl/:/etc/ssl/certs"
+      - "./ssl/:/etc/nginx/certs"
 #      - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
     environment:
       - "HOSTNAME=https://localhost"
diff --git a/server/Dockerfile b/server/Dockerfile
index 4d8a4a4..a6a7018 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -120,7 +120,7 @@ ARG PHP_VER
         ;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
 
 # nginx
-    RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
+    RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
     COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
     COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
     COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 530223d..e97602c 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
@@ -58,9 +58,9 @@ init_misp_files(){
 }
 
 init_ssl() {
-    if [[ (! -f /etc/ssl/certs/cert.pem) || (! -f /etc/ssl/certs/key.pem) ]];
+    if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]];
     then
-        cd /etc/ssl/certs
+        cd /etc/nginx/certs
         openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
     fi
 }
@@ -93,6 +93,15 @@ sync_files(){
     done
 }
 
+# Ensure SSL certs are where we expect them, for backward comparibility See issue #53
+for CERT in cert.pem dhparams.pem key.pem; do
+    echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"
+    if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then
+        WARNING53=true
+        cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT
+    fi
+done
+
 # Things we should do when we have the INITIALIZE Env Flag
 if [[ "$INIT" == true ]]; then
     echo "Import MySQL scheme..." && init_mysql
@@ -137,14 +146,14 @@ if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
 elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
     echo "Configure NGINX | Using Standard SSL"
     ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
-    if [[ ! -f /etc/ssl/certs/dhparams.pem ]]; then
-        echo "Configure NGINX | Building dhparams.pem"
-        openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
-    fi
 else
     echo "Configure NGINX | SSL already configured"
 fi
 
+if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
+    echo "Configure NGINX | Building dhparams.pem"
+    openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
+fi
 
 if [[ "$DISIPV6" == true ]]; then
     echo "Configure NGINX | Disabling IPv6"
@@ -159,5 +168,13 @@ fi
 # delete pid file
 [ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
 
+if [[ "$WARNING53" == true ]]; then
+    echo "WARNING - WARNING - WARNING"
+    echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
+    echo "This needs to be changed to /etc/nginx/certs."
+    echo "See: https://github.com/coolacid/docker-misp/issues/53"
+    echo "WARNING - WARNING - WARNING"
+fi 
+
 # Start NGINX
 nginx -g 'daemon off;'
diff --git a/server/files/etc/nginx/misp b/server/files/etc/nginx/misp
index a1fb26f..f38f2bb 100644
--- a/server/files/etc/nginx/misp
+++ b/server/files/etc/nginx/misp
@@ -11,14 +11,14 @@ server {
     log_not_found off;
     error_log  /dev/stderr error;
 
-    ssl_certificate /etc/ssl/certs/cert.pem;
-    ssl_certificate_key /etc/ssl/certs/key.pem;
+    ssl_certificate /etc/nginx/certs/cert.pem;
+    ssl_certificate_key /etc/nginx/certs/key.pem;
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
     ssl_session_tickets off;
 
     # intermediate configuration
-    ssl_dhparam /etc/ssl/certs/dhparams.pem;
+    ssl_dhparam /etc/nginx/certs/dhparams.pem;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers off;
diff --git a/server/files/etc/nginx/misp-secure b/server/files/etc/nginx/misp-secure
index 87b7f08..f5b98d0 100644
--- a/server/files/etc/nginx/misp-secure
+++ b/server/files/etc/nginx/misp-secure
@@ -11,8 +11,8 @@ server {
     log_not_found off;
     error_log  /dev/stderr error;
 
-    ssl_certificate /etc/ssl/certs/cert.pem;
-    ssl_certificate_key /etc/ssl/certs/key.pem;
+    ssl_certificate /etc/nginx/certs/cert.pem;
+    ssl_certificate_key /etc/nginx/certs/key.pem;
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
     ssl_session_tickets off;