Test letsencrypt (#1)

.github/workflows/docker-image.yml

@@ -14,11 +14,10 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - name: Build the Docker image
-        run: docker build . --file Dockerfile --tag byrnedo/lurch:latest
       - name: Run
-        run: docker run --rm -d --name test -e APPS_CONFIG_PATH=/etc/lurch/test/apps.yaml -p 8090:80 byrnedo/lurch:latest
-      - run: sleep 5
+        run: cd test && docker compose up --build -d
+      - run: sleep 10
       - name: Test
-        run: docker exec test hurl  --test --glob '/etc/lurch/test/**/*.hurl'
+        run: cd test && docker compose exec lurch hurl  --test --glob '/etc/lurch/test/**/*.hurl'
+
 

Dockerfile

@@ -16,6 +16,7 @@ RUN DEBIAN_FRONTEND=noninteractive \
     curl \
     unzip \
     make \
+    bsdmainutils \
     python3 && \
     rm -rf /var/lib/apt/lists/* && \
     curl -L https://luarocks.org/releases/luarocks-2.0.13.tar.gz --output /tmp/luarocks-2.0.13.tar.gz && \
@@ -37,7 +38,9 @@ RUN DEBIAN_FRONTEND=noninteractive \
     mkdir /etc/resty-auto-ssl && \
     chown nobody /etc/resty-auto-ssl && \
     curl -L https://raw.githubusercontent.com/slomkowski/nginx-config-formatter/master/nginxfmt.py > /usr/local/bin/nginxfmt && \
-    chmod +x /usr/local/bin/nginxfmt
+    chmod +x /usr/local/bin/nginxfmt && \
+    curl -L https://raw.githubusercontent.com/dehydrated-io/dehydrated/v0.7.1/dehydrated > /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated && \
+    chmod +x /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated
 
 COPY docker_entrypoint.sh /docker_entrypoint.sh
 

docker_entrypoint.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -eu
 
 GOMP_DIR=${GOMP_DIR:-/etc/gomplate}
@@ -22,16 +22,35 @@ if [ -n "$APPS_CONFIG_JSON" ]; then
   echo "$APPS_CONFIG_JSON" >"$DEFAULT_APPS_CONFIG_PATH"
 fi
 
+
 pidfile=/usr/local/openresty/nginx/logs/nginx.pid
+
+ensure_self_signed() {
+  domain=$1
+  ssl_path="/usr/local/openresty/nginx/ssl/${domain}"
+  if [ ! -d "$ssl_path" ]; then
+    echo "generating self signed cert for $domain"
+    mkdir -p $ssl_path
+    country=SE
+    state=Kalmar
+    city=Kalmar
+    # This line generates a self signed SSL certificate and key without user intervention.
+    openssl req -x509 -newkey rsa:4096 -keyout "${ssl_path}/server.key" -out "${ssl_path}/server.crt" \
+      -days 365 -nodes -subj "/C=$country/ST=$state/L=$city/O=Internet/OU=./CN=$domain/emailAddress=postmaster@$domain"
+  fi
+}
+
 kill_child() {
   pid="$(cat $pidfile 2>/dev/null || echo '')"
   if [ -n "${pid:-}" ]; then
     echo "killing child pid $pid"
     kill "$pid"
+    wait "$pid"
   fi
 }
 
-trap 'echo kill signal received; kill_child' INT TERM
+trap 'echo kill signal received; kill_child' INT TERM QUIT
+
 
 ## Chown storage of ssl certs
 mkdir -p /etc/resty-auto-ssl/storage
@@ -49,6 +68,12 @@ make_config() {
   mv $CONF_PATH ${CONF_PATH}.old
   /usr/local/bin/gomplate -d apps="$APPS_CONFIG_PATH" --file "$TEMPLATE_PATH" --out $CONF_PATH
 
+  # all good, ensure self signed cert exists for base url
+  domains=$(grep "# anchor::domain" "$CONF_PATH" | awk '{print $3}' | sort -u)
+  for domain in $domains; do
+    ensure_self_signed $domain
+  done
+
   # Format it
   echo "formatting..."
   nginxfmt -v $CONF_PATH
@@ -60,6 +85,7 @@ make_config() {
     # restore prev config
     mv ${CONF_PATH}.old $CONF_PATH
   fi
+
 }
 
 # hack to wait for pid to appear

lua/templates/error_page/error.html

@@ -1,35 +1,14 @@
-<html lang="sv-SE">
+<html lang="en-US">
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0">
     <title>Error</title>
 </head>
-<body class="header--sticky header--static">
-<div id="wrapper">
-    <header>
-        <div class="__group">
-            <div id="logo">
-                <a href="https://foo.bar/">
-                </a>
-            </div>
-        </div>
-    </header>
-    <section>
-        <div style="display:inline-block;">
-            <h1 style="display:inline-block;">{{ title }}</h1>
-        </div>
-    </section>
+<body>
+<h1>{{ title }}</h1>
 
-    <section>
-        <div>
-            <div>
-                <br/>
-                <p>
-                    {{ message }}
-                </p>
-            </div>
-        </div>
-    </section>
-</div>
+<p>
+    {{ message }}
+</p>
 </body>
 </html>

nginx.conf.tmpl

@@ -109,15 +109,19 @@
     {{if (has . "enableSsl")}}
         {{ if .enableSsl}}
 
+            # anchor::domain {{.baseUrl}}
+
             ssl_certificate_by_lua_block {
             auto_ssl:ssl_certificate()
             }
             {{template "sslSettings"}}
-            ssl_certificate "/usr/local/openresty/nginx/ssl/{{.baseUrl}}/server.crt";
-            ssl_certificate_key "/usr/local/openresty/nginx/ssl/{{.baseUrl}}/server.key";
+            {{$sslPath := "/usr/local/openresty/nginx/ssl/"}}
+            # fallback certs
+            ssl_certificate "{{$sslPath}}{{.baseUrl}}/server.crt";
+            ssl_certificate_key "{{$sslPath}}{{.baseUrl}}/server.key";
             {{/*Turn on client ssl??*/}}
-            {{if .enableClientCerts }}
-                ssl_client_certificate "/usr/local/openresty/nginx/ssl/{{.baseUrl}}/client/ca.crt";
+            {{if index . "enableClientCerts" }}
+                ssl_client_certificate "{{$sslPath}}{{.baseUrl}}/client/ca.crt";
                 ssl_verify_client on;
                 ssl_verify_depth 2;
             {{end}}
@@ -209,6 +213,9 @@
 
 
 {{with $apps := datasource "apps"}}
+    {{if has $apps "baseUrl"}}
+        # anchor::domain {{$apps.baseUrl}}
+    {{end}}
 
     events {
     worker_connections  {{if (has $apps "workerConnections") }}{{$apps.workerConnections}}{{else}}1024{{end}};
@@ -287,6 +294,9 @@
 
     init_by_lua_block {
     auto_ssl = (require "resty.auto-ssl").new()
+    {{if ( and (has $apps "letsEncrypt") (has $apps.letsEncrypt "endpoint"))}}
+        auto_ssl:set("ca", "{{$apps.letsEncrypt.endpoint}}")
+    {{end}}
 
     -- Define a function to determine which SNI domains to automatically handle
     -- and register new certificates for. Defaults to not allowing any domains,

test/apps.yaml

@@ -2,6 +2,8 @@
 authRequestRedirect: "http://www.static.com"
 authRequestUpstream: "http://non.exis.tant"
 authRequestCookie: "sso-cookie"
+letsEncrypt:
+  endpoint: https://pebble:14000/dir
 services:
   - name: static # serves a static site from fil
     subdomains:
@@ -63,4 +65,21 @@ services:
       port: 80
       headers:
         host: www.static.com
+  - name: tls
+    subdomains:
+      - name: www
+        enabled: true
+        baseUrl: tls.com
+        enableSsl: true
+      - name: le
+        enabled: true
+        baseUrl: tls.com
+        enableSsl: true
+        enableLetsEncrypt: true
+    origin:
+      type: "remote"
+      host: localhost
+      port: 80
+      headers:
+        host: www.static.com
 

test/dehydrated-conf.sh

@@ -0,0 +1 @@
+CURL_OPTS="--cacert /usr/local/share/ca-certificates/pebble-minica.crt"

test/docker-compose.yml

@@ -0,0 +1,28 @@
+version: "4"
+
+services:
+  pebble:
+    image: letsencrypt/pebble
+    #    command: pebble -config /test/my-pebble-config.json
+    ports:
+      - 14000:14000  # ACME port
+      - 15000:15000  # Management port
+    environment:
+      - PEBBLE_VA_NOSLEEP=1
+      - PEBBLE_VA_ALWAYS_VALID=1
+
+  lurch:
+    build:
+      context: ../
+    environment:
+      - APPS_CONFIG_PATH=/etc/lurch/test/apps.yaml
+    networks:
+      default:
+        aliases:
+          - "le.tls.com"
+    volumes:
+      - "./pebble-minica.crt:/usr/local/share/ca-certificates/pebble-minica.crt"
+      - "./dehydrated-conf.sh:/etc/resty-auto-ssl/letsencrypt/conf.d/custom.sh"
+    ports:
+      - "8090:80"
+      - "8093:443"

test/pebble-minica.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIIJOLbes8sTr4wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgMjRlMmRiMCAXDTE3MTIwNjE5NDIxMFoYDzIxMTcx
+MjA2MTk0MjEwWjAgMR4wHAYDVQQDExVtaW5pY2Egcm9vdCBjYSAyNGUyZGIwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC5WgZNoVJandj43kkLyU50vzCZ
+alozvdRo3OFiKoDtmqKPNWRNO2hC9AUNxTDJco51Yc42u/WV3fPbbhSznTiOOVtn
+Ajm6iq4I5nZYltGGZetGDOQWr78y2gWY+SG078MuOO2hyDIiKtVc3xiXYA+8Hluu
+9F8KbqSS1h55yxZ9b87eKR+B0zu2ahzBCIHKmKWgc6N13l7aDxxY3D6uq8gtJRU0
+toumyLbdzGcupVvjbjDP11nl07RESDWBLG1/g3ktJvqIa4BWgU2HMh4rND6y8OD3
+Hy3H8MY6CElL+MOCbFJjWqhtOxeFyZZV9q3kYnk9CAuQJKMEGuN4GU6tzhW1AgMB
+AAGjRTBDMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
+BQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADANBgkqhkiG9w0BAQsFAAOCAQEAF85v
+d40HK1ouDAtWeO1PbnWfGEmC5Xa478s9ddOd9Clvp2McYzNlAFfM7kdcj6xeiNhF
+WPIfaGAi/QdURSL/6C1KsVDqlFBlTs9zYfh2g0UXGvJtj1maeih7zxFLvet+fqll
+xseM4P9EVJaQxwuK/F78YBt0tCNfivC6JNZMgxKF59h0FBpH70ytUSHXdz7FKwix
+Mfn3qEb9BXSk0Q3prNV5sOV3vgjEtB4THfDxSz9z3+DepVnW3vbbqwEbkXdk3j82
+2muVldgOUgTwK8eT+XdofVdntzU/kzygSAtAQwLJfn51fS1GvEcYGBc1bDryIqmF
+p9BI7gVKtWSZYegicA==
+-----END CERTIFICATE-----

test/ssl.hurl

@@ -0,0 +1,21 @@
+GET https://localhost:443
+Host: www.tls.com
+
+[Options]
+insecure: true
+
+HTTP 200
+
+GET https://le.tls.com:443/
+[Options]
+insecure: true
+
+HTTP 200
+
+[Asserts]
+# add back once v3 is out
+#certificate "Subject" == "C=US, ST=Denial, L=Springfield, O=Dis, CN=localhost"
+#certificate "Issuer" == "C=US, ST=Denial, L=Springfield, O=Dis, CN=localhost"
+
+
+