Move SSL certs to /etc/nginx/certs - fixes #53

pull/1/head
Jason Kendall 2020-05-28 20:23:33 -04:00
parent 6fb8b182a9
commit 270e20806d
5 changed files with 30 additions and 13 deletions


@ -32,7 +32,7 @@ services:
- "./server-configs/:/var/www/MISP/app/Config/" - "./server-configs/:/var/www/MISP/app/Config/"
- "./logs/:/var/www/MISP/app/tmp/logs/" - "./logs/:/var/www/MISP/app/tmp/logs/"
- "./files/:/var/www/MISP/app/files" - "./files/:/var/www/MISP/app/files"
- "./ssl/:/etc/ssl/certs" - "./ssl/:/etc/nginx/certs"
# - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh # - "./examples/custom-entrypoint.sh:/custom-entrypoint.sh" # Use the example custom-entrypoint.sh
environment: environment:
- "HOSTNAME=https://localhost" - "HOSTNAME=https://localhost"


@ -120,7 +120,7 @@ ARG PHP_VER
;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php ;cp -fa /var/www/MISP/INSTALL/setup/config.php /var/www/MISP/app/Plugin/CakeResque/Config/config.php
# nginx # nginx
RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php RUN rm /etc/nginx/sites-enabled/*; mkdir /run/php /etc/nginx/certs
COPY files/etc/nginx/misp /etc/nginx/sites-available/misp COPY files/etc/nginx/misp /etc/nginx/sites-available/misp
COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure COPY files/etc/nginx/misp-secure /etc/nginx/sites-available/misp-secure
COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80 COPY files/etc/nginx/misp80 /etc/nginx/sites-available/misp80
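Review bot: The new `mkdir /run/php /etc/nginx/certs` is chained to the preceding `rm` with `;`, so a failure of either command (the `sites-enabled` glob matching nothing, or a directory already existing in a future base image) is masked and the layer still succeeds, possibly without the certs directory that nginx and the entrypoint now depend on. Use `&&` and `-p` so the step either fails loudly or is idempotent: `RUN rm -f /etc/nginx/sites-enabled/* && mkdir -p /run/php /etc/nginx/certs`. Since the entrypoint writes the generated private key into this directory, a restrictive mode such as `chmod 700 /etc/nginx/certs` in the same step would be worth considering, bearing in mind that a bind mount from docker-compose will override the in-image mode.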


@ -58,9 +58,9 @@ init_misp_files(){
} }
init_ssl() { init_ssl() {
if [[ (! -f /etc/ssl/certs/cert.pem) || (! -f /etc/ssl/certs/key.pem) ]]; if [[ (! -f /etc/nginx/certs/cert.pem) || (! -f /etc/nginx/certs/key.pem) ]];
then then
cd /etc/ssl/certs cd /etc/nginx/certs
openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 openssl req -x509 -subj '/CN=localhost' -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
fi fi
} }
@ -93,6 +93,15 @@ sync_files(){
done done
} }
# Ensure SSL certs are where we expect them, for backward comparibility See issue #53
for CERT in cert.pem dhparams.pem key.pem; do
echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"
if [[ ! -f "/etc/nginx/certs/$CERT" && -f "/etc/ssl/certs/$CERT" ]]; then
WARNING53=true
cp /etc/ssl/certs/$CERT /etc/nginx/certs/$CERT
fi
done
# Things we should do when we have the INITIALIZE Env Flag # Things we should do when we have the INITIALIZE Env Flag
if [[ "$INIT" == true ]]; then if [[ "$INIT" == true ]]; then
echo "Import MySQL scheme..." && init_mysql echo "Import MySQL scheme..." && init_mysql
@ -137,14 +146,14 @@ if [[ ! -L "/etc/nginx/sites-enabled/misp" && "$SECURESSL" == true ]]; then
elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then elif [[ ! -L "/etc/nginx/sites-enabled/misp" ]]; then
echo "Configure NGINX | Using Standard SSL" echo "Configure NGINX | Using Standard SSL"
ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp ln -s /etc/nginx/sites-available/misp /etc/nginx/sites-enabled/misp
if [[ ! -f /etc/ssl/certs/dhparams.pem ]]; then
echo "Configure NGINX | Building dhparams.pem"
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
fi
else else
echo "Configure NGINX | SSL already configured" echo "Configure NGINX | SSL already configured"
fi fi
if [[ ! "$SECURESSL" == true && ! -f /etc/nginx/certs/dhparams.pem ]]; then
echo "Configure NGINX | Building dhparams.pem"
openssl dhparam -out /etc/nginx/certs/dhparams.pem 2048
fi
if [[ "$DISIPV6" == true ]]; then if [[ "$DISIPV6" == true ]]; then
echo "Configure NGINX | Disabling IPv6" echo "Configure NGINX | Disabling IPv6"
@ -159,5 +168,13 @@ fi
# delete pid file # delete pid file
[ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE [ -f $ENTRYPOINT_PID_FILE ] && rm $ENTRYPOINT_PID_FILE
if [[ "$WARNING53" == true ]]; then
echo "WARNING - WARNING - WARNING"
echo "The SSL certs have moved. You currently have them mounted to /etc/ssl/certs."
echo "This needs to be changed to /etc/nginx/certs."
echo "See: https://github.com/coolacid/docker-misp/issues/53"
echo "WARNING - WARNING - WARNING"
fi
# Start NGINX # Start NGINX
nginx -g 'daemon off;' nginx -g 'daemon off;'
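Review bot: The backward-compatibility loop added after `sync_files` only copies a legacy cert when `/etc/nginx/certs/$CERT` does not exist yet, so it is effectively one-shot: once `cert.pem`/`key.pem` are present in the new location (copied on first start, or self-signed ones generated by `init_ssl`), a renewed certificate dropped into the old `/etc/ssl/certs` mount is never picked up again and nginx keeps serving the stale one, while `WARNING53` stays unset so no warning is printed either. The `echo "/etc/nginx/certs/$CERT /etc/ssl/certs/$CERT"` before the check reads like leftover debug output and is printed on every start regardless of outcome; it should be removed or moved inside the `if` as a message that the copy happened. The `cp` also leaves `$CERT` unquoted and, for `key.pem`, should preserve the restrictive file mode, e.g. `cp -p "/etc/ssl/certs/$CERT" "/etc/nginx/certs/$CERT"`. The loop sits at the script's top level between the function definitions and the `$INIT` block, and the surrounding script continues outside the hunk.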


@ -11,14 +11,14 @@ server {
log_not_found off; log_not_found off;
error_log /dev/stderr error; error_log /dev/stderr error;
ssl_certificate /etc/ssl/certs/cert.pem; ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/ssl/certs/key.pem; ssl_certificate_key /etc/nginx/certs/key.pem;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off; ssl_session_tickets off;
# intermediate configuration # intermediate configuration
ssl_dhparam /etc/ssl/certs/dhparams.pem; ssl_dhparam /etc/nginx/certs/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off; ssl_prefer_server_ciphers off;


@ -11,8 +11,8 @@ server {
log_not_found off; log_not_found off;
error_log /dev/stderr error; error_log /dev/stderr error;
ssl_certificate /etc/ssl/certs/cert.pem; ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/ssl/certs/key.pem; ssl_certificate_key /etc/nginx/certs/key.pem;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off; ssl_session_tickets off;