Adding HTTPS on Prod version (#214)

RichtXO · web-flow · commit dc82c3de168a · 2020-10-30T17:26:34.000-04:00
* Adding HTTPS on Prod version

Added certs and open both port 80 and 443. Port 80 will redirect to port 443.
diff --git a/docker-compose.production.yml b/docker-compose.production.yml
@@ -7,6 +7,7 @@ services:
   yacs_web:
     ports:
       - 80:80
+      - 443:443
     environment:
       # https://docs.docker.com/compose/compose-file/#variable-substitution
       - HOST=${HOST:-localhost}
diff --git a/ops/provision.js b/ops/provision.js
@@ -69,7 +69,8 @@ const infraSync = async () => {
   // print ip
   // USED IN GITHUB ACTIONS PIPELINE TO SHOW MESSAGE IN PR
   // DO NOT REFORMAT
-  console.log(`http://${info.ipv4[0]}`)
+  console.log(`https://${info.ipv4[0]}`)
+
 }
 
 infraSync()
diff --git a/src/web/Dockerfile b/src/web/Dockerfile
@@ -12,6 +12,7 @@ RUN mkdir /app
 COPY --from=build-stage /app/dist /app
 COPY nginx.conf /etc/nginx/nginx.template.conf
 COPY scripts/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY certificate/ /etc/nginx/certificate
 
 # get openssl to do crypt(3)
 RUN \
diff --git a/src/web/certificate/README.md b/src/web/certificate/README.md
@@ -0,0 +1,4 @@
+# SSL Certificate for yacs-web
+
+The public/private keypairs are default and should be changed before deployment to production!
+Generate your own certificate and verify it with a CA!
diff --git a/src/web/certificate/localhost.crt b/src/web/certificate/localhost.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7TCCAdUCFFNNMUwxQFACL90EEGMsuY7R/RdiMA0GCSqGSIb3DQEBCwUAMDMx
+CzAJBgNVBAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazERMA8GA1UECgwIUlBJIFJD
+T1MwHhcNMjAxMDExMTkyMDA2WhcNMjExMDExMTkyMDA2WjAzMQswCQYDVQQGEwJV
+UzERMA8GA1UECAwITmV3IFlvcmsxETAPBgNVBAoMCFJQSSBSQ09TMIIBIjANBgkq
+hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArF6EHLgyojK2dgh6Jjeh8tQQ8fi5KjCJ
+R+wBHncYjReyRJm2bFAc/OTVokyqsI+0qgY0WFdaknGP+QcE9BUk0lj0aBgvR/av
+s/RvJCWrE0GCdI836Z6LHo/iddBDK2NYYnWurCN3QNP8SViZJdTftSQzflfMTQVR
+Pv5tP1r5xaYWUjv94sSSq1gVS6JiYH/yyBags8hgj341yui2mbSfWtxJ174aMNXD
+jYew/dhFLdMZAfRKIcWgHUEzCyS63Rzlr9EM/bfj+ypw25knpScmeV8O5BJ0xpnR
+HkzQpCJ6r4oGQDuoaiwwdVMBhkCHYocxO8X+M42z4I8VsXpoaf3EiwIDAQABMA0G
+CSqGSIb3DQEBCwUAA4IBAQAP6ZWZzIdflw6XjgZaY/rvlc2F+AbulbUGJ6P+YWWa
+3yemYfTNPuerjb70Ey/jIdAuPvEYSkUMUObfx1JofqUhO+S21BRg9qjvFKrea+xv
+umafzl7Hem6Aab3RP/iPgMCYBCm5+Ao+fNS80QndLJ3W3dTjE8Ej396bkDNL8sIz
+sCjK5S9FQ80es+H3ju49UaiSa+Hwz5UpOcrn9o7VNXjtdilkeZtSyoGNmTTDvaG3
+VLe6cln/W3sdRWw0X/FGzWD1bwUq9AorTt0nddKF6VKZe2QKczfeqdSZqjZ0EcdE
+DDaQ6TxMz9fZBgZ5ELadjXn4moNz081nEyveUK/bF+X6
+-----END CERTIFICATE-----
diff --git a/src/web/certificate/localhost.csr b/src/web/certificate/localhost.csr
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICeDCCAWACAQAwMzELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREw
+DwYDVQQKDAhSUEkgUkNPUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKxehBy4MqIytnYIeiY3ofLUEPH4uSowiUfsAR53GI0XskSZtmxQHPzk1aJMqrCP
+tKoGNFhXWpJxj/kHBPQVJNJY9GgYL0f2r7P0byQlqxNBgnSPN+meix6P4nXQQytj
+WGJ1rqwjd0DT/ElYmSXU37UkM35XzE0FUT7+bT9a+cWmFlI7/eLEkqtYFUuiYmB/
+8sgWoLPIYI9+Ncrotpm0n1rcSde+GjDVw42HsP3YRS3TGQH0SiHFoB1BMwskut0c
+5a/RDP234/sqcNuZJ6UnJnlfDuQSdMaZ0R5M0KQieq+KBkA7qGosMHVTAYZAh2KH
+MTvF/jONs+CPFbF6aGn9xIsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAfkeBr
+P6zQU8dy7lzgwlXSEnZyNuvk2Iplf9t4NgYGPiMcdEUWy5bSu85TQ2tKR0mFC0O6
+iuByOuMxKrbvbQTFjJbpUROCxEbS3VEgY/kCVsnsJgohhS2Qno7zgFWKo7UyYUVD
+3zawhrakU8ttrPpRGuBvqxSSF/GbHn1o6B2YI5EpdjR0mk8lyRdXCEY2EzXeKRQT
+GHAmXl5iDmvVnworSl4xhGFcOc0DF1u07rdGOOiSSVQABsnSTkFTyE5EjRwykKh4
+ZvZ1Q6DH4vg5enlujECOtPP1VjtNP1QhKid1gUQawSY2nzVESBa+L1oMfs3tvmpV
+K3L6c0pciK831qqW
+-----END CERTIFICATE REQUEST-----
diff --git a/src/web/certificate/localhost.key b/src/web/certificate/localhost.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArF6EHLgyojK2dgh6Jjeh8tQQ8fi5KjCJR+wBHncYjReyRJm2
+bFAc/OTVokyqsI+0qgY0WFdaknGP+QcE9BUk0lj0aBgvR/avs/RvJCWrE0GCdI83
+6Z6LHo/iddBDK2NYYnWurCN3QNP8SViZJdTftSQzflfMTQVRPv5tP1r5xaYWUjv9
+4sSSq1gVS6JiYH/yyBags8hgj341yui2mbSfWtxJ174aMNXDjYew/dhFLdMZAfRK
+IcWgHUEzCyS63Rzlr9EM/bfj+ypw25knpScmeV8O5BJ0xpnRHkzQpCJ6r4oGQDuo
+aiwwdVMBhkCHYocxO8X+M42z4I8VsXpoaf3EiwIDAQABAoIBAQCpmYYcTBFmDsgB
+c23c1LiAmbDipXxryr4JCmo/c6ewjDRX03bvNBSRsQeTXiRE/eEhumEe2zS/CwZC
+XWm+UF+eqPAyzDkZcdyIEGabBoVBuR+HWLQHJnx0YdbNXVH6CxIYLvrjXTIlk2+V
+K5vk4YQMU8Zm9jSLREQg227a+8Tvd1Lq/P7fuNGwveaeVNa7cEDOlWHlxRm7OzMR
+dON230v8vvODcC+cB/Ks/ns39LKwNUOd+X/ZfjexCNeQY7sJ7+SRpifGS5jrsbH8
+jfB6XE30hxqr1j7j9y31LX3vITF+AX+uYMlD4haJ0504oZmdz1JE13pAdwUgCVy9
+l6YyT/EBAoGBANUE5+Rth81sIx8uV29w8qMX6HopfwpzTXkPSxUGWohMEToqmXvw
+NztxRIxTTNFkAc5m5+xeAidWyuJhmVsIHi74fIgmYgzYCQsLhBH50afyNj7z97op
+l/HrkRWuJu+ummG2G0pmyBAOHOuhpvYUOdzjmDFt0vI+0CCdvoZwcMurAoGBAM8l
+6jiAFacVssvbaMBXXOyaKXrdqPOGvamMHn4yNBwfkQ0H4cye8prkgNoJbXHU3sIe
+8UCElcfUEbKWusMjagk85rAUkhuVGyZ1fN8i8DYASYMdeDwjDqnXG8J4N5kr9XK1
+egrhF9RzLRns7PW/pi1f36yhtXZJEAl8pqLgSwqhAoGAdeCzGhrqbWiLvvN7+vU7
+r7jJMuDHplbL5lPqLoZHjujZF6D/MjBpwAEb97MY7T40Ka2UZZ5X/sDuoHt1y4Qg
+f8mN0CG9XHIn/u6udOwTcqZ8EjYbPe9KX9sFfEPU1AmA8NU/INrjls7YfiQEKmRi
+6LMhQykM9HSB46qnBeou4OUCgYByOJzbBL1rwUoyoEw1arbBfAwNRLZJee2Q1MNn
+oHUdYMaRodv/AVIS2Ja4I2Sm1NLzxS4P/ku8wRH1IKngueFZMKyfQOiDrwcmgLgX
+LeO4UxY15wUKW+ZU/li/NZyqqBOSacDeyNlj+xJOblcG9uNBt9DVFuHBVG40XPhh
+bT3ToQKBgQDNkoegBGEC94CDVsTeCO9i3dVELDNB+YzriU1sDlOZuaLpeN83tXia
+a5wHkt2pK/JPLdOPUN1B663FG/70lCP8S103x/jvqHV0blWLzMHpuJoOnQdNjbDE
++wQr/TQeMxH7yeJsViutQOhTVf+jhsTy2LXTJfg1CgZeHShQmMuzRw==
+-----END RSA PRIVATE KEY-----
diff --git a/src/web/nginx.conf b/src/web/nginx.conf
@@ -13,10 +13,24 @@ http {
   default_type application/octet-stream;
   keepalive_timeout  65;
 
-  server {
+
+  server{
     listen 80;
+    listen [::]:80;
+    server_name ${HOST};
+    return 301 https://${HOST};
+  }
+
+  server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    
+    ssl_certificate      /etc/nginx/certificate/${HOST}.crt;
+    ssl_certificate_key  /etc/nginx/certificate/${HOST}.key;
+
     server_name ${HOST};
 
+
     # simple secure admin panel, will change later
     location ~* ^/admin {
       auth_basic           "Admin Panel";
diff --git a/src/web/scripts/entrypoint.sh b/src/web/scripts/entrypoint.sh
@@ -13,6 +13,19 @@ envsubst '\$HOST' < \
   /etc/nginx/nginx.template.conf > \
   /etc/nginx/nginx.conf
 
+
+# If SSL Certificate folder isn't present, generate one
+if [ ! -f /etc/nginx/certificate/$HOST.crt ] &&
+[ ! -f /etc/nginx/certificate/$HOST.key ];then
+  mkdir /etc/nginx/certificate
+  cd /etc/nginx/certificate
+  openssl genrsa -passout pass:x -out $HOST.pass.key 2048
+  openssl rsa -passin pass:x -in $HOST.pass.key -out $HOST.key
+  rm $HOST.pass.key
+  openssl req -new -key $HOST.key -out $HOST.csr -subj "/C=US/ST=New York/O=RPI RCOS"
+  openssl x509 -req -days 365 -in $HOST.csr -signkey $HOST.key -out $HOST.crt
+fi
+
 # start nginx
 echo "starting nginx:"
 nginx -g "daemon off;"

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,8 @@ const infraSync = async () => {`
`69`	`69`	`// print ip`
`70`	`70`	`// USED IN GITHUB ACTIONS PIPELINE TO SHOW MESSAGE IN PR`
`71`	`71`	`// DO NOT REFORMAT`
`72`		- console.log(`http://${info.ipv4[0]}`)
	`72`	+ console.log(`https://${info.ipv4[0]}`)
	`73`	`+`
`73`	`74`	`}`
`74`	`75`
`75`	`76`	`infraSync()`