From 1fb1519a03e9887e3fe10bc2ed0a67418c8da059 Mon Sep 17 00:00:00 2001 From: Nabeel Al-Shamma Date: Thu, 26 Jan 2017 14:24:17 -0800 Subject: [PATCH 1/7] Enable SSL termination for the container for local dev --- Dockerfile | 12 ++++++-- README.md | 28 ++++++++++++++++--- container/root/etc/cont-init.d/10-nginx.sh | 7 +++++ .../root/etc/nginx/sites-available/default | 9 ++++++ 4 files changed, 50 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index e75ff7d..2b05d34 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,10 @@ FROM behance/docker-base:1.6 MAINTAINER Bryan Latten +ARG CONTAINER_PORT=8080 +ARG CONTAINER_SSL + ENV CONTAINER_ROLE=web \ - CONTAINER_PORT=8080 \ CONF_NGINX_SITE="/etc/nginx/sites-available/default" \ CONF_NGINX_SERVER="/etc/nginx/nginx.conf" \ NOT_ROOT_USER=www-data @@ -10,7 +12,7 @@ ENV CONTAINER_ROLE=web \ # Using a non-privileged port to prevent having to use setcap internally EXPOSE ${CONTAINER_PORT} -# - Update security packages, only +# - Update security packages, only, plus ca-certificates for https RUN /bin/bash -e /security_updates.sh && \ # Install pre-reqs \ apt-get install --no-install-recommends -yqq \ @@ -22,6 +24,9 @@ RUN /bin/bash -e /security_updates.sh && \ apt-get install -yqq --no-install-recommends \ nginx-light \ && \ + apt-get install -yqq --no-install-recommends \ + ca-certificates \ + && \ # Perform cleanup, ensure unnecessary packages are removed \ apt-get remove --purge -yq \ manpages \ @@ -37,6 +42,9 @@ RUN /bin/bash -e /security_updates.sh && \ # Overlay the root filesystem from this repo COPY ./container/root / +# Uncomment the ssl directives +RUN /bin/bash -c 'if [[ $CONTAINER_SSL ]]; then sed -ig "s/^[ ]*#ssl/ ssl/" $CONF_NGINX_SITE; fi;' + # Set nginx to listen on defined port # NOTE: order of operations is important, new config had to already installed from repo (above) RUN sed -i "s/listen [0-9]*;/listen ${CONTAINER_PORT};/" $CONF_NGINX_SITE && \ 
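Review bot: `sed -ig` in the new `RUN /bin/bash -c 'if [[ $CONTAINER_SSL ]]; then sed -ig ...'` line passes `g` as the optional backup suffix of `-i`, not as a substitution flag, so the file is edited in place and a stray copy named `${CONF_NGINX_SITE}g` is left in the image layer; the intended command is `sed -i "s/^[ ]*#ssl/ ssl/" $CONF_NGINX_SITE` (the `^`-anchored pattern can match at most once per line, so no `g` flag is needed). The identical `sed -ig` is carried into the `10-nginx.sh` hunk of patch 2/7, which replaces this build-time step with a runtime one. The comment change `# - Update security packages, only, plus ca-certificates for https` reads as if the package were required for TLS termination, whereas `ca-certificates` provides the CA trust store used by clients inside the image (apt, curl) and nginx serving a mounted certificate does not consult it; a wording such as `plus ca-certificates so tools inside the image can verify https peers` would state the actual reason.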
diff --git a/README.md b/README.md index 4e183df..14bd372 100644 --- a/README.md +++ b/README.md @@ -7,23 +7,29 @@ Ubuntu used by default, Alpine builds also available tagged as `-alpine` Provides base OS, patches and stable nginx for quick and easy spinup. -[S6](https://github.com/just-containers/s6-overlay) process supervisor is used for `only` for zombie reaping (as PID 1), boot coordination, and termination signal translation +[S6](https://github.com/just-containers/s6-overlay) process supervisor is used for `only` for zombie reaping (as PID 1), boot coordination, and termination signal translation -[Goss](https://github.com/aelsabbahy/goss) is used for build-time testing. +[Goss](https://github.com/aelsabbahy/goss) is used for build-time testing. -See parent(s) [docker-base](https://github.com/behance/docker-base) for additional configuration +See parent(s) [docker-base](https://github.com/behance/docker-base) for additional configuration ### Expectations Applications using this as a container parent must copy their html/app into the `/var/www/html` folder -NOTE: Nginx is exposed and bound to an unprivileged port, `8080` +NOTE: Nginx is exposed and bound to an unprivileged port, `8080`, by default ### Security For Ubuntu-based variants, a convenience script is provided for security-only package updates. To run: `/bin/bash -e /security_updates.sh` +### Dockerfile arguments +Variable | Example | Description +--- | --- | --- +`CONTAINER_PORT` | `CONTAINER_PORT=8080` | Allows the runtime to listen on a different port. For example, set it to 8443 would be typical for HTTPS. +`CONTAINER_SSL` | `CONTAINER_SSL=` | Enable SSL directives in default configuration (Not working @alshamma) + ### Environment Variables 
@@ -43,6 +49,7 @@ Variable | Example | Description `SERVER_LOG_MINIMAL` | `SERVER_LOG_MINIMAL=1` | Minimize the logging format, appropriate for development environments `S6_KILL_FINISH_MAXTIME` | `S6_KILL_FINISH_MAXTIME=1000` | Wait time (in ms) for zombie reaping before sending a kill signal `S6_KILL_GRACETIME` | `S6_KILL_GRACETIME=500` | Wait time (in ms) for S6 finish scripts before sending kill signal +`SERVER_ENABLE_SSL` | `SERVER_ENABLE_SSL=` | Enable SSL directives in default configuration (@alshamma: remove this before merge) ### Startup/Runtime Modification @@ -51,6 +58,19 @@ To inject changes just before runtime, shell scripts (ending in .sh) may be plac `/etc/cont-init.d` folder. For example, the above environment variables are used to drive nginx configuration at runtime. As part of the process manager, these scripts are run in advance of the supervised processes. @see https://github.com/just-containers/s6-overlay#executing-initialization-andor-finalization-tasks +### HTTPS support for local development + +Follow these steps to create an image and run a container that hosts a static website or a service using nginx. + +* On your development machine, download or generate an x509 certificate and key appropriate for use with apache or nginx. Install these with the names certificate.crt and certificate.key, respectively, in a local folder. +* Add an entry to your /etc/hosts to map 127.0.0.1 to the server host name corresponding to your certificate. +* Build an image using --build-args CONTAINER_PORT=8443 --build-args CONTAINER_SSL=true +* Start a container using: + * -v {folder-containing-certificate.crt/key}:/etc/nginx/certs:ro + * -p 443:8443 (or whatever ports you are using) +* Test + * curl https://{your-server-hostname}, or, + * curl -k https://localhost ### Advanced Modification diff --git a/container/root/etc/cont-init.d/10-nginx.sh b/container/root/etc/cont-init.d/10-nginx.sh index 4685143..7b6f8d3 100755 
--- a/container/root/etc/cont-init.d/10-nginx.sh +++ b/container/root/etc/cont-init.d/10-nginx.sh @@ -74,3 +74,10 @@ then echo "[nginx] setting client_body_buffer_size to ${SERVER_CLIENT_BODY_BUFFER_SIZE}" sed -i "s/client_body_buffer_size .*;/client_body_buffer_size ${SERVER_CLIENT_BODY_BUFFER_SIZE};/" $CONF_NGINX_SERVER fi + +# if [[ $SERVER_ENABLE_SSL ]] +# then +# echo "[nginx] enabling ssl" +# sed -ig "s/^[ ]*#ssl/ ssl/" $CONF_NGINX_SITE +# fi + diff --git a/container/root/etc/nginx/sites-available/default b/container/root/etc/nginx/sites-available/default index f278d36..5b34f48 100644 --- a/container/root/etc/nginx/sites-available/default +++ b/container/root/etc/nginx/sites-available/default @@ -1,6 +1,15 @@ server { listen 8080; + #ssl on; + #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ######ssl_dhparam /etc/nginx/certs/dhparams.pem; + #ssl_prefer_server_ciphers on; + #ssl_session_cache shared:SSL:10m; + #ssl_certificate /etc/nginx/certs/certificate.crt; + #ssl_certificate_key /etc/nginx/certs/certificate.key; + root /var/www/html; # Doesn't broadcast version level of server software From a8f2e974b6e950830c89a7ee958242877bf6db16 Mon Sep 17 00:00:00 2001 From: Nabeel Al-Shamma Date: Thu, 16 Feb 2017 10:24:42 -0800 Subject: [PATCH 2/7] Remove build time args; re-enable run time env setting for SSL --- Dockerfile | 7 +------ README.md | 17 +++++------------ container/root/etc/cont-init.d/10-nginx.sh | 10 +++++----- 3 files changed, 11 insertions(+), 23 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2b05d34..e2f3686 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,8 @@ FROM behance/docker-base:1.6 MAINTAINER Bryan Latten -ARG CONTAINER_PORT=8080 -ARG CONTAINER_SSL - ENV CONTAINER_ROLE=web \ + CONTAINER_PORT=8080 \ CONF_NGINX_SITE="/etc/nginx/sites-available/default" \ CONF_NGINX_SERVER="/etc/nginx/nginx.conf" \ NOT_ROOT_USER=www-data 
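Review bot: Once the `#ssl` prefix is stripped, `ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'` offers DHE (`EDH`) suites while `######ssl_dhparam /etc/nginx/certs/dhparams.pem` is deliberately kept commented (the six-`#` prefix does not match `^[ ]*#ssl`), so depending on the nginx version those suites either fall back to nginx's built-in 1024-bit DH parameters or are silently never negotiated. Either drop the `EDH` groups, `#ssl_ciphers 'EECDH+AESGCM:AES256+EECDH';`, or document a generated `dhparams.pem` next to the certificate in the mounted `/etc/nginx/certs` folder and give the `ssl_dhparam` line the same single-`#` prefix so the sed enables it with the rest. The same cipher list and the `######ssl_dhparam` line appear as context in the patch 7/7 hunk of this file, so the point applies there too.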
@@ -42,9 +40,6 @@ RUN /bin/bash -e /security_updates.sh && \ # Overlay the root filesystem from this repo COPY ./container/root / -# Uncomment the ssl directives -RUN /bin/bash -c 'if [[ $CONTAINER_SSL ]]; then sed -ig "s/^[ ]*#ssl/ ssl/" $CONF_NGINX_SITE; fi;' - # Set nginx to listen on defined port # NOTE: order of operations is important, new config had to already installed from repo (above) RUN sed -i "s/listen [0-9]*;/listen ${CONTAINER_PORT};/" $CONF_NGINX_SITE && \ diff --git a/README.md b/README.md index 14bd372..a7c5358 100644 --- a/README.md +++ b/README.md @@ -17,20 +17,13 @@ See parent(s) [docker-base](https://github.com/behance/docker-base) for addition ### Expectations Applications using this as a container parent must copy their html/app into the `/var/www/html` folder -NOTE: Nginx is exposed and bound to an unprivileged port, `8080`, by default +NOTE: Nginx is exposed and bound to an unprivileged port, `8080` ### Security For Ubuntu-based variants, a convenience script is provided for security-only package updates. To run: `/bin/bash -e /security_updates.sh` -### Dockerfile arguments -Variable | Example | Description ---- | --- | --- -`CONTAINER_PORT` | `CONTAINER_PORT=8080` | Allows the runtime to listen on a different port. For example, set it to 8443 would be typical for HTTPS. -`CONTAINER_SSL` | `CONTAINER_SSL=` | Enable SSL directives in default configuration (Not working @alshamma) - - ### Environment Variables Variable | Example | Description 
@@ -49,7 +42,7 @@ Variable | Example | Description `SERVER_LOG_MINIMAL` | `SERVER_LOG_MINIMAL=1` | Minimize the logging format, appropriate for development environments `S6_KILL_FINISH_MAXTIME` | `S6_KILL_FINISH_MAXTIME=1000` | Wait time (in ms) for zombie reaping before sending a kill signal `S6_KILL_GRACETIME` | `S6_KILL_GRACETIME=500` | Wait time (in ms) for S6 finish scripts before sending kill signal -`SERVER_ENABLE_SSL` | `SERVER_ENABLE_SSL=` | Enable SSL directives in default configuration (@alshamma: remove this before merge) +`SERVER_ENABLE_SSL` | `SERVER_ENABLE_SSL=` | Enable SSL directives in default configuration ### Startup/Runtime Modification 
@@ -58,16 +51,16 @@ To inject changes just before runtime, shell scripts (ending in .sh) may be plac `/etc/cont-init.d` folder. For example, the above environment variables are used to drive nginx configuration at runtime. As part of the process manager, these scripts are run in advance of the supervised processes. @see https://github.com/just-containers/s6-overlay#executing-initialization-andor-finalization-tasks -### HTTPS support for local development +### HTTPS/SSL support for local development Follow these steps to create an image and run a container that hosts a static website or a service using nginx. * On your development machine, download or generate an x509 certificate and key appropriate for use with apache or nginx. Install these with the names certificate.crt and certificate.key, respectively, in a local folder. * Add an entry to your /etc/hosts to map 127.0.0.1 to the server host name corresponding to your certificate. -* Build an image using --build-args CONTAINER_PORT=8443 --build-args CONTAINER_SSL=true +* Run the image using --env SERVER_ENABLE_SSL=true * Start a container using: * -v {folder-containing-certificate.crt/key}:/etc/nginx/certs:ro - * -p 443:8443 (or whatever ports you are using) + * -p 443:8080 (or whatever host port you are using) * Test * curl https://{your-server-hostname}, or, * curl -k https://localhost diff --git a/container/root/etc/cont-init.d/10-nginx.sh b/container/root/etc/cont-init.d/10-nginx.sh index 7b6f8d3..cde1a26 100755 --- a/container/root/etc/cont-init.d/10-nginx.sh +++ b/container/root/etc/cont-init.d/10-nginx.sh @@ -75,9 +75,9 @@ then sed -i "s/client_body_buffer_size .*;/client_body_buffer_size ${SERVER_CLIENT_BODY_BUFFER_SIZE};/" $CONF_NGINX_SERVER fi -# if [[ $SERVER_ENABLE_SSL ]] -# then -# echo "[nginx] enabling ssl" -# sed -ig "s/^[ ]*#ssl/ ssl/" $CONF_NGINX_SITE -# fi +if [[ $SERVER_ENABLE_SSL ]] +then + echo "[nginx] enabling ssl" + sed -ig "s/^[ ]*#ssl/ ssl/" $CONF_NGINX_SITE +fi 
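Review bot: The guard `if [[ $SERVER_ENABLE_SSL ]]` only tests for a non-empty string, so `SERVER_ENABLE_SSL=false` or `SERVER_ENABLE_SSL=0` turns TLS on, while the environment-variable table in the same patch documents `SERVER_ENABLE_SSL=` (empty), which does not; comparing against the value the HTTPS section actually tells users to pass, `if [[ "${SERVER_ENABLE_SSL:-}" == "true" ]]`, makes the switch unambiguous. Because the uncommented directives point at `/etc/nginx/certs/certificate.crt` and `/etc/nginx/certs/certificate.key`, which are only present when the documented volume is mounted, a readability check on those two files before the sed, with an `echo "[nginx] ..."` message on failure, would surface a missing mount as a clear init-time error instead of an nginx startup failure later in the boot. The enclosing script begins before this hunk.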
From e7e1ceb097e1f86ab88fc002354f68b895f2f333 Mon Sep 17 00:00:00 2001 From: Nabeel Al-Shamma Date: Thu, 16 Feb 2017 10:34:43 -0800 Subject: [PATCH 3/7] Add ca-certificates for -alpine --- Dockerfile-alpine | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile-alpine b/Dockerfile-alpine index 75e5f99..a5ce0b8 100644 --- a/Dockerfile-alpine +++ b/Dockerfile-alpine @@ -19,6 +19,9 @@ RUN apk update --no-cache && \ apk add \ nginx \ && \ + apk add \ + ca-certificates \ + && \ /bin/bash -e /clean.sh # Overlay the root filesystem from this repo From 026935b93b8b14b4c2c8b610236f5784409ec37b Mon Sep 17 00:00:00 2001 From: Nabeel Al-Shamma Date: Thu, 16 Feb 2017 11:03:17 -0800 Subject: [PATCH 4/7] Simplify command for install of ca-certificates --- Dockerfile | 2 -- Dockerfile-alpine | 2 -- 2 files changed, 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index e2f3686..0ba7459 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,8 +21,6 @@ RUN /bin/bash -e /security_updates.sh && \ apt-get update -yqq && \ apt-get install -yqq --no-install-recommends \ nginx-light \ - && \ - apt-get install -yqq --no-install-recommends \ ca-certificates \ && \ # Perform cleanup, ensure unnecessary packages are removed \ diff --git a/Dockerfile-alpine b/Dockerfile-alpine index a5ce0b8..6f5f2d1 100644 --- a/Dockerfile-alpine +++ b/Dockerfile-alpine @@ -18,8 +18,6 @@ RUN adduser -D -S -H $NOT_ROOT_USER RUN apk update --no-cache && \ apk add \ nginx \ - && \ - apk add \ ca-certificates \ && \ /bin/bash -e /clean.sh From 2fc8623c7b978ebca87f3f3f046290264fd973fc Mon Sep 17 00:00:00 2001 From: Nabeel Al-Shamma Date: Thu, 16 Feb 2017 11:04:02 -0800 Subject: [PATCH 5/7] Fix inadvertent edits; clarify volume mapping for certs --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a7c5358..df5ebea 100644 --- a/README.md +++ b/README.md 
@@ -7,11 +7,11 @@ Ubuntu used by default, Alpine builds also available tagged as `-alpine` Provides base OS, patches and stable nginx for quick and easy spinup. -[S6](https://github.com/just-containers/s6-overlay) process supervisor is used for `only` for zombie reaping (as PID 1), boot coordination, and termination signal translation +[S6](https://github.com/just-containers/s6-overlay) process supervisor is used for `only` for zombie reaping (as PID 1), boot coordination, and termination signal translation -[Goss](https://github.com/aelsabbahy/goss) is used for build-time testing. +[Goss](https://github.com/aelsabbahy/goss) is used for build-time testing. -See parent(s) [docker-base](https://github.com/behance/docker-base) for additional configuration +See parent(s) [docker-base](https://github.com/behance/docker-base) for additional configuration ### Expectations @@ -24,6 +24,7 @@ NOTE: Nginx is exposed and bound to an unprivileged port, `8080` For Ubuntu-based variants, a convenience script is provided for security-only package updates. To run: `/bin/bash -e /security_updates.sh` + ### Environment Variables Variable | Example | Description @@ -59,7 +60,8 @@ Follow these steps to create an image and run a container that hosts a static we * Add an entry to your /etc/hosts to map 127.0.0.1 to the server host name corresponding to your certificate. * Run the image using --env SERVER_ENABLE_SSL=true * Start a container using: - * -v {folder-containing-certificate.crt/key}:/etc/nginx/certs:ro + * -v {folder-containing-certificate.crt}:/etc/nginx/certs:ro + * -v {folder-containing-certificate.key}:/etc/nginx/certs:ro * -p 443:8080 (or whatever host port you are using) * Test * curl https://{your-server-hostname}, or, From 58840148c0fdd2ae63a1c7ea187f7e5e6f006a9c Mon Sep 17 00:00:00 2001 From: Nabeel Al-Shamma Date: Thu, 16 Feb 2017 11:17:57 -0800 Subject: [PATCH 6/7] Really fix inadvertent edits --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/README.md b/README.md index df5ebea..4e023b9 100644 --- a/README.md +++ b/README.md @@ -7,11 +7,11 @@ Ubuntu used by default, Alpine builds also available tagged as `-alpine` Provides base OS, patches and stable nginx for quick and easy spinup. -[S6](https://github.com/just-containers/s6-overlay) process supervisor is used for `only` for zombie reaping (as PID 1), boot coordination, and termination signal translation +[S6](https://github.com/just-containers/s6-overlay) process supervisor is used for `only` for zombie reaping (as PID 1), boot coordination, and termination signal translation -[Goss](https://github.com/aelsabbahy/goss) is used for build-time testing. +[Goss](https://github.com/aelsabbahy/goss) is used for build-time testing. -See parent(s) [docker-base](https://github.com/behance/docker-base) for additional configuration +See parent(s) [docker-base](https://github.com/behance/docker-base) for additional configuration ### Expectations From efcab09b1c94ef0d202fded5a9119fcdb977f8cb Mon Sep 17 00:00:00 2001 From: nalshamma Date: Tue, 6 Mar 2018 10:22:30 -0800 Subject: [PATCH 7/7] Remove TLSv1 TLSv1.1 --- container/root/etc/nginx/sites-available/default | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container/root/etc/nginx/sites-available/default b/container/root/etc/nginx/sites-available/default index 5b34f48..84fe3c3 100644 --- a/container/root/etc/nginx/sites-available/default +++ b/container/root/etc/nginx/sites-available/default @@ -2,7 +2,7 @@ server { listen 8080; #ssl on; - #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + #ssl_protocols TLSv1.2; #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; ######ssl_dhparam /etc/nginx/certs/dhparams.pem; #ssl_prefer_server_ciphers on;