diff --git a/Dockerfile b/Dockerfile
index 80e8dc4..fc89ce2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,7 @@ ENV CONTAINER_ROLE=web \
 # Using a non-privileged port to prevent having to use setcap internally
 EXPOSE ${CONTAINER_PORT}
+# - Update security packages, only, plus ca-certificates for https
 # - Update security packages, only
 # - Install pre-reqs
 # - Install latest nginx (development PPA is actually mainline development)
@@ -22,6 +23,7 @@ RUN /bin/bash -e /security_updates.sh && \
 apt-get update -yqq && \
 apt-get install -yqq --no-install-recommends \
 nginx-light \
+ ca-certificates \
 && \
 apt-get remove --purge -yq \
 manpages \
diff --git a/Dockerfile-alpine b/Dockerfile-alpine
index 2b422a2..8e2e3a8 100644
--- a/Dockerfile-alpine
+++ b/Dockerfile-alpine
@@ -18,6 +18,7 @@ RUN adduser -D -S -H $NOT_ROOT_USER
 RUN apk update --no-cache && \
 apk add \
 nginx \
+ ca-certificates \
 && \
 /bin/bash -e /clean.sh
diff --git a/README.md b/README.md
index 5b10d2f..d3a76c4 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ Variable | Example | Description
 `SERVER_LOG_MINIMAL` | `SERVER_LOG_MINIMAL=1` | Minimize the logging format, appropriate for development environments
 `S6_KILL_FINISH_MAXTIME` | `S6_KILL_FINISH_MAXTIME=1000` | Wait time (in ms) for zombie reaping before sending a kill signal
 `S6_KILL_GRACETIME` | `S6_KILL_GRACETIME=500` | Wait time (in ms) for S6 finish scripts before sending kill signal
+`SERVER_ENABLE_SSL` | `SERVER_ENABLE_SSL=` | Enable SSL directives in default configuration
 ### Startup/Runtime Modification
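Review bot: The new comment line in the first Dockerfile hunk duplicates the `# - Update security packages, only` line that still follows it, so the step list now names the same step twice; the old line should be dropped or the two merged. The second hunk, which actually adds `ca-certificates` to the `apt-get install` list, is fine, but a CA bundle serves outbound TLS verification by tools inside the image, not nginx serving the certificate mounted under /etc/nginx/certs, so "for https" in the comment is easy to misread as being needed by the SSL feature. A wording such as `# - Update security packages, only, plus ca-certificates (CA bundle for outbound TLS verification)` would say what the package is for. The same applies to the Dockerfile-alpine hunk, which adds the package without any comment at all.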
@@ -52,6 +53,20 @@ To inject changes just before runtime, shell scripts (ending in .sh) may be plac
 `/etc/cont-init.d` folder. For example, the above environment variables are used to drive nginx configuration at runtime.
 As part of the process manager, these scripts are run in advance of the supervised processes.
 @see https://github.com/just-containers/s6-overlay#executing-initialization-andor-finalization-tasks
+### HTTPS/SSL support for local development
+
+Follow these steps to create an image and run a container that hosts a static website or a service using nginx.
+
+* On your development machine, download or generate an x509 certificate and key appropriate for use with apache or nginx. Install these with the names certificate.crt and certificate.key, respectively, in a local folder.
+* Add an entry to your /etc/hosts to map 127.0.0.1 to the server host name corresponding to your certificate.
+* Run the image using --env SERVER_ENABLE_SSL=true
+* Start a container using:
+ * -v {folder-containing-certificate.crt}:/etc/nginx/certs:ro
+ * -v {folder-containing-certificate.key}:/etc/nginx/certs:ro
+ * -p 443:8080 (or whatever host port you are using)
+* Test
+ * curl https://{your-server-hostname}, or,
+ * curl -k https://localhost
 ### Advanced Modification
diff --git a/container/root/etc/cont-init.d/10-nginx.sh b/container/root/etc/cont-init.d/10-nginx.sh
index 4685143..cde1a26 100755
--- a/container/root/etc/cont-init.d/10-nginx.sh
+++ b/container/root/etc/cont-init.d/10-nginx.sh
@@ -74,3 +74,10 @@ then
 echo "[nginx] setting client_body_buffer_size to ${SERVER_CLIENT_BODY_BUFFER_SIZE}"
 sed -i "s/client_body_buffer_size .*;/client_body_buffer_size ${SERVER_CLIENT_BODY_BUFFER_SIZE};/" $CONF_NGINX_SERVER
 fi
+
+if [[ $SERVER_ENABLE_SSL ]]
+then
+ echo "[nginx] enabling ssl"
+ sed -ig "s/^[ ]*#ssl/ ssl/" $CONF_NGINX_SITE
+fi
+
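Review bot: `sed -ig` in the new `if` block does not mean "in-place plus global": both GNU and BusyBox sed read `-ig` as `-i` with the backup suffix `g`, so every SSL-enabled start leaves a stray `${CONF_NGINX_SITE}g` copy next to the site config, while the substitution itself only ever matches once per line anyway. Replace the line with `sed -i "s/^[ ]*#ssl/    ssl/" "$CONF_NGINX_SITE"` (the replacement's indentation may have been collapsed in this view; quoting the path also matches the shell-safety the rest of the script should have). `[[ $SERVER_ENABLE_SSL ]]` enables TLS for any non-empty value, including `false` or `0`, whereas the README documents `SERVER_ENABLE_SSL=true`; either document that any non-empty value enables it or compare against `true`. Uncommenting the certificate directives when `/etc/nginx/certs/certificate.crt` and `certificate.key` are not mounted makes nginx fail its config test at startup, so a readable-file check that prints a `[nginx]` error before the sed would turn that into an actionable message. The script continues above this hunk; only the new block is complete here.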
diff --git a/container/root/etc/nginx/sites-available/default b/container/root/etc/nginx/sites-available/default
index f278d36..84fe3c3 100644
--- a/container/root/etc/nginx/sites-available/default
+++ b/container/root/etc/nginx/sites-available/default
@@ -1,6 +1,15 @@
 server {
 listen 8080;
+ #ssl on;
+ #ssl_protocols TLSv1.2;
+ #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ######ssl_dhparam /etc/nginx/certs/dhparams.pem;
+ #ssl_prefer_server_ciphers on;
+ #ssl_session_cache shared:SSL:10m;
+ #ssl_certificate /etc/nginx/certs/certificate.crt;
+ #ssl_certificate_key /etc/nginx/certs/certificate.key;
+
 root /var/www/html;
 # Doesn't broadcast version level of server software
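Review bot: `ssl on;` has been deprecated since nginx 1.15.0 and is rejected from 1.25.1, and the Dockerfile comment says the image tracks the mainline development PPA, so once 10-nginx.sh uncomments this line the server will warn or refuse to start; the supported form is the `ssl` parameter on the listen directive, `listen 8080 ssl;`, which the `#ssl`-prefix sed in the toggle script would not reach, so the script needs a second expression for the listen line if this file adopts it. The `EDH+AESGCM` and `AES256+EDH` entries in `ssl_ciphers` add nothing while `ssl_dhparam` stays commented out (the six-`#` prefix deliberately keeps it out of the sed toggle), because nginx no longer ships built-in DH parameters since 1.11.0 and will not offer DHE suites without them unless the linked OpenSSL supplies its own; either drop those entries or ship a dhparam file alongside the certificate. `ssl_protocols TLSv1.2;` could become `ssl_protocols TLSv1.2 TLSv1.3;` if the packaged nginx and OpenSSL support it, which is likely on a mainline build. The server block continues past the end of the hunk.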