mirror of https://github.com/MISP/misp-docker
Move SSL certs /etc/nginx/certs - fixes #53
parent
6fb8b182a9
commit
270e20806d
|
@ -32,7 +32,7 @@ services:
|
||||||
- "./server-configs/:/var/www/MISP/app/Config/"
|
- "./server-configs/:/var/www/MISP/app/Config/"
|
||||||
- "./logs/:/var/www/MISP/app/tmp/logs/"
|
- "./logs/:/var/www/MISP/app/tmp/logs/"
|
||||||
- "./files/:/var/www/MISP/app/files"
|
- "./files/:/var/www/MISP/app/files"
|
||||||
- "./ssl/:/etc/ssl/certs"
|
- "./ssl/:/etc/nginx/certs"
|
||||||
# - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
|
# - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
|
||||||
environment:
|
environment:
|
||||||
- "HOSTNAME=https://localhost"
|
- "HOSTNAME=https://localhost"
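Review bot: The volume line now targets /etc/nginx/certs without any comment, while deployments that copied the previous compose file keep mounting ./ssl to /etc/ssl/certs; the entrypoint in this commit copies such certs across and prints a warning, but the compose file itself gives no hint. Add a comment above the line, e.g. `# SSL certs moved from /etc/ssl/certs to /etc/nginx/certs (issue #53); update old mounts`.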
|
||||||
|
|
|
@ -120,7 +120,7 @@ ARG PHP_VER
|
||||||
;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
|
;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
|
||||||
|
|
||||||
# nginx
|
# nginx
|
||||||
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php
|
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
|
||||||
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
|
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
|
||||||
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
|
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
|
||||||
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
|
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
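Review bot: `RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs` joins the two commands with `;`, so a failing `rm` (for instance the glob matching nothing on a future base image) is silently ignored while the layer still succeeds, and `mkdir` without `-p` fails the build if either directory already exists. Suggest `RUN rm -f /etc/nginx/sites-enabled/* && mkdir -p /run/php /etc/nginx/certs`. Since the entrypoint later generates key.pem into /etc/nginx/certs, consider also tightening the directory mode here (e.g. `chmod 0750 /etc/nginx/certs`); whether the nginx worker user needs to traverse that directory depends on how nginx is started, which is outside this hunk.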
|
||||||
|
|
|
@ -58,9 +58,9 @@ init_misp_files(){
|
||||||
}
|
}
|
||||||
|
|
||||||
init_ssl() {
|
init_ssl() {
|
||||||
if [[ (! -f /etc/ssl/certs/cert.pem) || (! -f /etc/ssl/certs/key.pem) ]];
|
if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]];
|
||||||
then
|
then
|
||||||
cd /etc/ssl/certs
|
cd /etc/nginx/certs
|
||||||
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
|
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
|
||||||
fi
|
fi
|
||||||
}
|
}
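Review bot: `cd /etc/nginx/certs` on the new side of init_ssl is unchecked; if the directory is missing (an image built before this commit, or a mount that replaced it) the `openssl req` on the next line writes key.pem and cert.pem into whatever the current directory happens to be, and because init_ssl runs in the current shell the `cd` also changes the working directory for everything that follows. Either guard it, `cd /etc/nginx/certs || return 1`, or drop the `cd` and pass absolute paths: `-keyout /etc/nginx/certs/key.pem -out /etc/nginx/certs/cert.pem`.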
|
||||||
|
@ -93,6 +93,15 @@ sync_files(){
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Ensure SSL certs are where we expect them, for backward comparibility See issue #53
|
||||||
|
for CERT in cert.pem dhparams.pem key.pem; do
|
||||||
|
echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"
|
||||||
|
if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then
|
||||||
|
WARNING53=true
|
||||||
|
cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
# Things we should do when we have the INITIALIZE Env Flag
|
# Things we should do when we have the INITIALIZE Env Flag
|
||||||
if [[ "$INIT" == true ]]; then
|
if [[ "$INIT" == true ]]; then
|
||||||
echo "Import MySQL scheme..." && init_mysql
|
echo "Import MySQL scheme..." && init_mysql
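Review bot: The `echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"` inside the new loop prints a path pair for every file on every container start regardless of whether anything is copied, which reads like leftover debugging output; either delete it or move it under the `if` as a proper message such as `echo "Migrating $CERT from /etc/ssl/certs to /etc/nginx/certs"`. `WARNING53` is only assigned inside the branch, so if the script ever enables `set -u` the later `[[ "$WARNING53" == true ]]` check would fail on a clean start; initialise it with `WARNING53=false` before the loop. The comment typo `comparibility` should be `compatibility`. Whether init_ssl runs before or after this loop is not visible here, and it matters: if init_ssl generates a fresh self-signed cert.pem/key.pem first, the copy is skipped and a certificate still mounted at /etc/ssl/certs would be silently unused.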
|
||||||
|
@ -137,14 +146,14 @@ if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
|
||||||
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
|
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
|
||||||
echo "Configure NGINX | Using Standard SSL"
|
echo "Configure NGINX | Using Standard SSL"
|
||||||
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
|
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
|
||||||
if [[ ! -f /etc/ssl/certs/dhparams.pem ]]; then
|
|
||||||
echo "Configure NGINX | Building dhparams.pem"
|
|
||||||
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
|
|
||||||
fi
|
|
||||||
else
|
else
|
||||||
echo "Configure NGINX | SSL already configured"
|
echo "Configure NGINX | SSL already configured"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
|
||||||
|
echo "Configure NGINX | Building dhparams.pem"
|
||||||
|
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
|
||||||
|
fi
|
||||||
|
|
||||||
if [[ "$DISIPV6" == true ]]; then
|
if [[ "$DISIPV6" == true ]]; then
|
||||||
echo "Configure NGINX | Disabling IPv6"
|
echo "Configure NGINX | Disabling IPv6"
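Review bot: `! "$SECURESSL" == true` is the negated-equality form; `"$SECURESSL" != true` says the same thing more plainly, `if [[ "$SECURESSL" != true && ! -f /etc/nginx/certs/dhparams.pem ]]; then`. Moving the dhparam build out of the `elif` means it now also runs on restarts where the site symlink already exists but dhparams.pem is missing, which is a behaviour change worth a comment above the block, e.g. `# Build dhparams.pem for the standard SSL config whenever it is missing (not only on first configuration)`. The `if`/`elif` chain this hunk edits starts before the hunk.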
|
||||||
|
@ -159,5 +168,13 @@ fi
|
||||||
# delete pid file
|
# delete pid file
|
||||||
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
|
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
|
||||||
|
|
||||||
|
if [[ "$WARNING53" == true ]]; then
|
||||||
|
echo "WARNING - WARNING - WARNING"
|
||||||
|
echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
|
||||||
|
echo "This needs to be changed to /etc/nginx/certs."
|
||||||
|
echo "See: https://github.com/coolacid/docker-misp/issues/53"
|
||||||
|
echo "WARNING - WARNING - WARNING"
|
||||||
|
fi
|
||||||
|
|
||||||
# Start NGINX
|
# Start NGINX
|
||||||
nginx -g 'daemon off;'
|
nginx -g 'daemon off;'
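Review bot: The five `echo` lines of the new WARNING53 block go to stdout, so the migration warning is interleaved with regular startup output and buried once nginx starts logging; send them to stderr, either by wrapping the group in `{ ...; } >&2` or by collapsing them into a single `printf '%s\n' ... >&2`. Since the container then keeps running on the certificates copied from the old location, the message could also state that the copy is a one-time migration of the files present at start and that later changes to a mount at /etc/ssl/certs will not be picked up; I infer this from the copy loop earlier in this commit, which only copies when the destination file is missing.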
|
||||||
|
|
|
@ -11,14 +11,14 @@ server {
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
error_log /dev/stderr error;
|
error_log /dev/stderr error;
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/certs/cert.pem;
|
ssl_certificate /etc/nginx/certs/cert.pem;
|
||||||
ssl_certificate_key /etc/ssl/certs/key.pem;
|
ssl_certificate_key /etc/nginx/certs/key.pem;
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
# intermediate configuration
|
# intermediate configuration
|
||||||
ssl_dhparam /etc/ssl/certs/dhparams.pem;
|
ssl_dhparam /etc/nginx/certs/dhparams.pem;
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
ssl_prefer_server_ciphers off;
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
|
@ -11,8 +11,8 @@ server {
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
error_log /dev/stderr error;
|
error_log /dev/stderr error;
|
||||||
|
|
||||||
ssl_certificate /etc/ssl/certs/cert.pem;
|
ssl_certificate /etc/nginx/certs/cert.pem;
|
||||||
ssl_certificate_key /etc/ssl/certs/key.pem;
|
ssl_certificate_key /etc/nginx/certs/key.pem;
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|