
Updated production configuration to utilize SSL by default. (#8)

covertgeek committed Aug 2, 2019
1 parent 25aa057 commit 110d97dad9ab3161149dc8d96d999745ecb94710
Showing with 60 additions and 60 deletions.
  1. +5 −0 .gitignore
  2. +23 −59 compose/production/nginx/nginx.conf
  3. +1 −1 config/settings/production.py
  4. +31 −0 ssl/readme.md
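--- a/.gitignore
+++ b/.gitignore
@@ -271,3 +271,8 @@ ghostwriter/media/
 .idea/
 .env
 .envs/*
+
+# SSL certificates
+ssl/*.crt
+ssl/*.key
+ssl/dhparam.pem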
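Review bot: The three new patterns cover only `.crt`, `.key` and the one `dhparam.pem`, so a private key stored under a different name in `ssl/` is still stageable; the LetsEncrypt option that ssl/readme.md points users to typically delivers the key as a `.pem` file, which nothing here ignores. A broader rule such as `ssl/*.pem` (or `ssl/*` followed by `!ssl/readme.md` so the instructions stay tracked) would close that gap. A short comment above the block, e.g. `# Never commit certificate material; see ssl/readme.md`, would make the intent clear to the next person adding a file type.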
@@ -29,23 +29,44 @@ http {
server django:5000;
}

# Basic setup without SSL encryption
# Begin redirect for port 80
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}
# End redirect for port 80

# Begin SSL site setup
server {
listen 443 ssl http2 default_server;
server_name ghostwriter.local;
charset utf-8;

root /var/www/html;

# ssl on;
ssl_certificate /ssl/ghostwriter.crt;
ssl_certificate_key /ssl/ghostwriter.key;
#ssl_stapling on;
#ssl_stapling_verify on;

# SSL from stock default's ssl section
ssl_session_timeout 60m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
resolver 8.8.8.8;

location /admin {
try_files $uri @proxy_to_app;
}

location /static {
alias /app/staticfiles;
}

location / {
try_files $uri @proxy_to_app;
}
@@ -63,63 +84,6 @@ http {
}

}

# Begin redirect for port 80
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# return 301 https://$host$request_uri;
# }
# End redirect for port 80

# Begin SSL site setup
# server {
# listen 443 ssl http2 default_server;
# listen 8080 ssl http2 default_server;
# server_name ghostwriter.local;
# charset utf-8;

# root /var/www/html;

# # ssl on;
# ssl_certificate /ssl/ghostwriter.crt;
# ssl_certificate_key /ssl/ghostwriter.key;
# #ssl_stapling on;
# #ssl_stapling_verify on;

# # SSL from stock default's ssl section
# ssl_session_timeout 60m;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# ssl_dhparam /ssl/dhparam.pem;
# ssl_prefer_server_ciphers on;
# resolver 8.8.8.8;

# location /admin {
# try_files $uri @proxy_to_app;
# }

# location /static {
# alias /app/staticfiles;
# }

# location / {
# try_files $uri @proxy_to_app;
# }

# location @proxy_to_app {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_redirect off;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Protocol ssl;
# proxy_connect_timeout 60;
# proxy_read_timeout 60;
# proxy_pass http://app;
# }

# }
# End setup for SSL site

}
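Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new 443 server block still negotiates TLS 1.0 and 1.1, both deprecated, so the shipped default should be `ssl_protocols TLSv1.2 TLSv1.3;` (drop `TLSv1.3` if the image's nginx/OpenSSL build predates support for it). `resolver 8.8.8.8;` only serves the `ssl_stapling` directives, which remain commented out, so either enable stapling or remove the resolver rather than route OCSP lookups through a hard-coded public DNS server; since the port-80 redirect is now unconditional, `add_header Strict-Transport-Security "max-age=31536000" always;` inside the 443 block is the natural companion. The comment `# Basic setup without SSL encryption` is misleading if it survives on the new side of this hunk, because what follows it is the TLS setup. The `listen 443` server block opened here runs past the end of the hunk; the second hunk is a pure deletion of the previously commented-out copy.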
@@ -6,7 +6,7 @@
# https://docs.djangoproject.com/en/dev/ref/settings/#secret-key
SECRET_KEY = env("DJANGO_SECRET_KEY")
# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["specterops.io"])
ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["ghostwriter.local", "localhost"])

# DATABASES
# ------------------------------------------------------------------------------
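Review bot: The new default narrows the host check to `ghostwriter.local`/`localhost`, but nothing in this hunk tells Django that TLS now terminates at nginx; unless the rest of production.py (not visible here) already sets it, `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")` is needed so `request.is_secure()` reflects the proxy's `X-Forwarded-Proto` header, together with `SESSION_COOKIE_SECURE = True` and `CSRF_COOKIE_SECURE = True` so those cookies are not sent on the plain-HTTP request that the port-80 redirect answers. That header may only be trusted because nginx is the sole ingress that sets it (assuming the `@proxy_to_app` location between the nginx hunks still sets `X-Forwarded-Proto $scheme`), so a comment such as `# nginx in compose/production terminates TLS and sets X-Forwarded-Proto` should sit next to the setting. Keeping `localhost` in a production default means requests arriving with that Host header are accepted; if that exists only for compose-internal health checks, say so in a comment.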
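--- /dev/null
+++ b/ssl/readme.md
@@ -0,0 +1,31 @@
+# Production Setup: SSL Encryption
+
+Before running in production, it is necessary to setup a SSL certificate. A self-signed certificate can be created using the following commands. Other options include purchasing a certificate or using [LetsEncrypt](https://letsencrypt.org/) for a free certificate.
+
+Certificates should be placed in the `ssl/` folder. The files referenced in `compose/production/nginx/nginx.conf` use the following files names:
+
+- ghostwriter.crt
+- ghostwriter.key
+- dhparam.pem
+
+If different filenames are used, update the `nginx.conf` to reflect the correct filenames.
+
+## Creating a self-signed SSL certificate
+
+### With Prompts
+
+```
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout ghostwriter.key -out ghostwriter.crt
+```
+
+### Without Prompts
+
+```
+openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=/ST=/L=/O=Ghostwriter/CN=ghostwriter.local" -keyout ghostwriter.key -out ghostwriter.crt
+```
+
+### Creating the dhparam.pem
+
+```
+openssl dhparam -out dhparam.pem 4096
+```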
