Force SSL #101

Closed
joshuacox opened this Issue Feb 9, 2015 · 7 comments

@joshuacox
Contributor

joshuacox commented Feb 9, 2015

Force SSL with a magic comment, forcing another nginx template which merely does something like this:

server {
    listen   80;
    listen   [::]:80;

    server_name www.example.com;

    return 301 https://$server_name$request_uri;
}
server {
    listen   443 default_server ssl;

    server_name www.example.com;

    ssl_certificate        /path/to/my/cert;
    ssl_certificate_key  /path/to/my/key;
}

read more here for other possibilities:
http://serverfault.com/questions/250476/how-to-force-or-redirect-to-ssl-in-nginx

double bonus points for giving a cert to be used with said site.

@darron
Member

darron commented Feb 9, 2015

I don't think that doing that by default is possible.

It's certainly technically possible - but it means that any deploy of octohost is broken by default, until they install SSL keys / certs.

With the way things are done now, it's really easy to change the default template - just take a look at /etc/nginx/template.ctmpl:

upstream REPLACEME {
  {{range service "REPLACEME"}}server {{ .Address }}:{{ .Port }};
  {{else}}server 127.0.0.1:404;
  {{end}}
}
server {
  listen 80;
  listen 443 ssl spdy;
  include /etc/nginx/ssl.conf;
  server_name {{key "octohost/REPLACEME/DOMAINS"}};
  location / {
    include /etc/nginx/location.conf;
    proxy_pass http://REPLACEME;
  }
}

You can adjust that on your own server and then have them automatically be used when a new site is deployed.


@joshuacox
Contributor

joshuacox commented Feb 9, 2015

Not by default. I'm thinking only if a magic comment is present, and perhaps the magic comment can also specify the SSL cert. I'm going to tinker around with this a bit. Certainly I wouldn't mind just mandating SSL across the board for all sites, but if I can work it out I'll give a pull request.


@darron
Member

darron commented Feb 9, 2015

I think I'd rather have an ENV variable for that - that way it happens during the build. I don't think this belongs in a Dockerfile; that doesn't feel quite right.

octo config:set container/SSL_FORCED true - optional
octo config:set container/SSL_CERTIFICATE "/etc/nginx/certs/file.crt"
octo config:set container/SSL_KEY "/etc/nginx/certs/file.key"

Then it's done behind the scenes.

What do you think?

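A template that does what the thread converges on (the SSL_FORCED / SSL_CERTIFICATE / SSL_KEY keys driving a redirect-only port 80 block and a per-site certificate on 443), written as an added example for this thread rather than octohost's own template.ctmpl. It assumes that octo config:set stores these keys under octohost/REPLACEME/... the same way the DOMAINS key already used in the default template is stored, and a consul-template release that provides keyExists (older releases only have key, which blocks rendering while a key is missing). Unlike the serverfault snippet earlier in the thread it redirects to $host rather than $server_name, so every name listed in DOMAINS redirects to itself; that is only safe because the block's server_name restricts which Host values reach it.

```nginx
upstream REPLACEME {
  {{range service "REPLACEME"}}server {{ .Address }}:{{ .Port }};
  {{else}}server 127.0.0.1:404;
  {{end}}
}

{{if keyExists "octohost/REPLACEME/SSL_FORCED"}}
# SSL_FORCED is set for this container: plain HTTP answers only with a
# redirect and never proxies to the backend.
server {
  listen 80;
  server_name {{key "octohost/REPLACEME/DOMAINS"}};
  # $host rather than $server_name: with several names in DOMAINS,
  # $server_name is only the first one. Restricting server_name above is
  # what keeps $host from becoming an open redirect to an arbitrary Host.
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl spdy;
  server_name {{key "octohost/REPLACEME/DOMAINS"}};
  # Per-site certificate paths from the config:set keys (assumed key names).
  # /etc/nginx/ssl.conf is not shown in the thread; include it here only if
  # it does not itself set ssl_certificate, or nginx will reject the
  # duplicate directive.
  ssl_certificate     {{key "octohost/REPLACEME/SSL_CERTIFICATE"}};
  ssl_certificate_key {{key "octohost/REPLACEME/SSL_KEY"}};
  # Once HTTP is redirect-only, tell browsers to skip it next time.
  # Requires nginx 1.7.5+ for the "always" parameter.
  add_header Strict-Transport-Security "max-age=31536000" always;
  location / {
    include /etc/nginx/location.conf;
    proxy_pass http://REPLACEME;
  }
}
{{else}}
# Unchanged default: both ports proxy to the backend, using the shared cert.
server {
  listen 80;
  listen 443 ssl spdy;
  include /etc/nginx/ssl.conf;
  server_name {{key "octohost/REPLACEME/DOMAINS"}};
  location / {
    include /etc/nginx/location.conf;
    proxy_pass http://REPLACEME;
  }
}
{{end}}
```

Two things to check after adopting something like this: set SSL_CERTIFICATE and SSL_KEY before SSL_FORCED, because the forced branch references those keys and consul-template will not render (and nginx will not reload) until they exist; and run nginx -t on the rendered file, since a wrong path in either key fails the whole config rather than just the one site.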

@joshuacox
Contributor

joshuacox commented Feb 9, 2015

This is definitely a better way to do it.


@joshuacox
Contributor

joshuacox commented Feb 13, 2015

Sorry for the delay, after @darron mentioned the better way to do it I got sidetracked by other events this week. Let me wrap my brain around how the config:set functions work and I'll implement this and get a pull request in.


joshuacox added a commit to joshuacox/octohost that referenced this issue Feb 13, 2015


@joshuacox
Contributor

joshuacox commented Feb 14, 2015

I think that does it, but I'm open to suggestions for improvements


@darron
Member

darron commented Apr 2, 2015

Looks good and is merged. Closing.


@darron darron closed this Apr 2, 2015
