From 270e20806df4a0cbd384a0a160ad785e61410768 Mon Sep 17 00:00:00 2001
From: Jason Kendall
Date: Thu, 28 May 2020 20:23:33 -0400
Subject: [PATCH] Move SSL certs /etc/nginx/certs - fixes #53

---
 docker-compose.yml | 2 +-
 server/Dockerfile | 2 +-
 server/files/entrypoint_nginx.sh | 29 +++++++++++++++++++++++------
 server/files/etc/nginx/misp | 6 +++---
 server/files/etc/nginx/misp-secure | 4 ++--
 5 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 13a9528..008e918 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -32,7 +32,7 @@ services:
 - "./server-configs/:/var/www/MISP/app/Config/"
 - "./logs/:/var/www/MISP/app/tmp/logs/"
 - "./files/:/var/www/MISP/app/files"
- - "./ssl/:/etc/ssl/certs"
+ - "./ssl/:/etc/nginx/certs"
 # - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
 environment:
 - "HOSTNAME=https://localhost"
diff --git a/server/Dockerfile b/server/Dockerfile
index 4d8a4a4..a6a7018 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -120,7 +120,7 @@ ARG PHP_VER
 ;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
 
 # nginx
- RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
+ RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
 COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
 COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
 COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
diff --git a/server/files/entrypoint_nginx.sh b/server/files/entrypoint_nginx.sh
index 530223d..e97602c 100755
--- a/server/files/entrypoint_nginx.sh
+++ b/server/files/entrypoint_nginx.sh
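Review bot: In the docker-compose.yml hunk, the `./ssl/` bind mount at its new `/etc/nginx/certs` target has to stay writable, because the entrypoint's `init_ssl` generates `key.pem`/`cert.pem` inside that directory and the dhparams step writes `/etc/nginx/certs/dhparams.pem` when the file is missing, so a `:ro` mount would break the first start. It also means the generated private key lands in the host's `./ssl/` directory, where its permissions are the operator's responsibility. A one-line comment beside the mount would make both points visible to anyone editing the compose file, e.g. `# must be writable: the entrypoint creates a self-signed cert and dhparams.pem here when they are missing`.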
@@ -58,9 +58,9 @@ init_misp_files(){
 }
 
 init_ssl() {
- if [[ (! -f /etc/ssl/certs/cert.pem) || (! -f /etc/ssl/certs/key.pem) ]];
+ if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]];
 then
- cd /etc/ssl/certs
+ cd /etc/nginx/certs
 openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
 fi
 }
@@ -93,6 +93,15 @@ sync_files(){
 done
 }
 
+# Ensure SSL certs are where we expect them, for backward comparibility See issue #53
+for CERT in cert.pem dhparams.pem key.pem; do
+ echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"
+ if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then
+ WARNING53=true
+ cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT
+ fi
+done
+
 # Things we should do when we have the INITIALIZE Env Flag
 if [[ "$INIT" == true ]]; then
 echo "Import MySQL scheme..." && init_mysql
@@ -137,14 +146,14 @@ if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
 elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
 echo "Configure NGINX | Using Standard SSL"
 ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
- if [[ ! -f /etc/ssl/certs/dhparams.pem ]]; then
- echo "Configure NGINX | Building dhparams.pem"
- openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
- fi
 else
 echo "Configure NGINX | SSL already configured"
 fi
 
+if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
+ echo "Configure NGINX | Building dhparams.pem"
+ openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
+fi
 
 if [[ "$DISIPV6" == true ]]; then
 echo "Configure NGINX | Disabling IPv6"
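Review bot: The changed `cd /etc/nginx/certs` line in `init_ssl` has no failure check, and because the function runs in the calling shell it leaves the whole entrypoint in that directory for everything executed afterwards. If the directory cannot be entered, the `openssl req` call on the next line writes `key.pem` and `cert.pem` into whatever the current directory happens to be; whether `set -e` would catch the failed `cd` is not visible in this hunk. Using absolute output paths removes both problems: drop the `cd` and change the call to `openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem -days 365`.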
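Review bot: The `echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"` at the top of the new compatibility loop prints both paths for all three files on every container start, whether or not anything is copied; it reads like a leftover debug line and should be removed or moved under the `if`, where it could say what was actually copied. The `cp` on the line below keeps the source file's mode (modulo umask), so a `key.pem` that is group- or world-readable on the old mount stays that way in `/etc/nginx/certs`; tightening the private key after the copy, `[[ "$CERT" == key.pem ]] && chmod 600 "/etc/nginx/certs/$CERT"`, keeps it restricted, and quoting both `cp` arguments matches the `if` test above them. The comment should read `backward compatibility`, not `comparibility`.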
@@ -159,5 +168,13 @@ fi
 # delete pid file
 [ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
 
+if [[ "$WARNING53" == true ]]; then
+ echo "WARNING - WARNING - WARNING"
+ echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
+ echo "This needs to be changed to /etc/nginx/certs."
+ echo "See: https://github.com/coolacid/docker-misp/issues/53"
+ echo "WARNING - WARNING - WARNING"
+fi
+
 # Start NGINX
 nginx -g 'daemon off;'
diff --git a/server/files/etc/nginx/misp b/server/files/etc/nginx/misp
index a1fb26f..f38f2bb 100644
--- a/server/files/etc/nginx/misp
+++ b/server/files/etc/nginx/misp
@@ -11,14 +11,14 @@ server {
 log_not_found off;
 error_log /dev/stderr error;
 
- ssl_certificate /etc/ssl/certs/cert.pem;
- ssl_certificate_key /etc/ssl/certs/key.pem;
+ ssl_certificate /etc/nginx/certs/cert.pem;
+ ssl_certificate_key /etc/nginx/certs/key.pem;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
 
 # intermediate configuration
- ssl_dhparam /etc/ssl/certs/dhparams.pem;
+ ssl_dhparam /etc/nginx/certs/dhparams.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
diff --git a/server/files/etc/nginx/misp-secure b/server/files/etc/nginx/misp-secure
index 87b7f08..f5b98d0 100644
--- a/server/files/etc/nginx/misp-secure
+++ b/server/files/etc/nginx/misp-secure
@@ -11,8 +11,8 @@ server {
 log_not_found off;
 error_log /dev/stderr error;
 
- ssl_certificate /etc/ssl/certs/cert.pem;
- ssl_certificate_key /etc/ssl/certs/key.pem;
+ ssl_certificate /etc/nginx/certs/cert.pem;
+ ssl_certificate_key /etc/nginx/certs/key.pem;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
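Review bot: `"$WARNING53"` on the new `if` line is only ever assigned when the compatibility copy loop earlier in the file fires, so on a normal start it is unset; if the script runs under `set -u` (not visible in this hunk) that aborts the entrypoint right before nginx is started. Initialising it next to the loop (`WARNING53=false`) or testing `[[ "${WARNING53:-}" == true ]]` avoids that. The banner is also written to stdout together with the ordinary startup log; redirecting the block with `fi >&2` keeps it visible when stdout is filtered or captured.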