From 954d9bb014ffaa863062ec8456b07bcbeec01d66 Mon Sep 17 00:00:00 2001 
From: Arjan H Date: Sat, 2 Apr 2022 13:01:52 +0200 Subject: [PATCH] Run nginx as docker container instead of on the host system (#36) --- README.md | 4 +- acme_tiny.py | 2 +- backup | 2 +- commander | 22 +++---- gui/apply | 2 - gui/apply-nginx | 2 - gui/main.go | 35 ++++------ install | 60 +++++++++++------- logrotate_d | 2 +- nginx.conf | 42 ++++++++---- patches/docker-compose.patch | 17 ++++- renew | 8 +-- restore | 2 +- smartrenew | 8 +-- {www => static}/502.html | 0 {www => static}/certs/index.html | 0 {www => static}/cps/index.html | 0 {www => static}/css/bootstrap.min.css | 0 {www => static}/css/bootstrap.min.css.map | 0 {www => static}/css/dataTables.bootstrap.css | 0 {www => static}/css/dataTables.responsive.css | 0 {www => static}/css/font-awesome.min.css | 0 {www => static}/css/labca.css | 0 {www => static}/css/metisMenu.min.css | 0 {www => static}/css/sb-admin-2.min.css | 0 {www => static}/fonts/FontAwesome.otf | Bin {www => static}/fonts/fontawesome-webfont.eot | Bin {www => static}/fonts/fontawesome-webfont.svg | 0 {www => static}/fonts/fontawesome-webfont.ttf | Bin .../fonts/fontawesome-webfont.woff | Bin .../fonts/fontawesome-webfont.woff2 | Bin .../fonts/glyphicons-halflings-regular.eot | Bin .../fonts/glyphicons-halflings-regular.svg | 0 .../fonts/glyphicons-halflings-regular.ttf | Bin .../fonts/glyphicons-halflings-regular.woff | Bin .../fonts/glyphicons-halflings-regular.woff2 | Bin {www => static}/img/fav-admin.png | Bin {www => static}/img/fav-public.png | Bin {www => static}/img/spinner.gif | Bin {www => static}/img/warning.png | Bin {www => static}/index.html | 0 {www => static}/js/bootstrap-dialog.min.js | 0 {www => static}/js/bootstrap.min.js | 0 .../js/dataTables.bootstrap.min.js | 0 {www => static}/js/dataTables.responsive.js | 0 {www => static}/js/jquery.dataTables.min.js | 0 {www => static}/js/jquery.min.js | 0 {www => static}/js/jquery.stickytabs.js | 0 {www => static}/js/labca.js | 0 {www => static}/js/metisMenu.min.js | 0 {www => 
static}/js/pwdux.js | 0 {www => static}/js/sb-admin-2.min.js | 0 {www => static}/js/zxcvbn.js | 0 {www => static}/js/zxcvbn.js.map | 0 {www => static}/rate-limits.html | 0 {www => static}/terms/v1.html | 0 56 files changed, 117 insertions(+), 91 deletions(-) rename {www => static}/502.html (100%) rename {www => static}/certs/index.html (100%) rename {www => static}/cps/index.html (100%) rename {www => static}/css/bootstrap.min.css (100%) rename {www => static}/css/bootstrap.min.css.map (100%) rename {www => static}/css/dataTables.bootstrap.css (100%) rename {www => static}/css/dataTables.responsive.css (100%) rename {www => static}/css/font-awesome.min.css (100%) rename {www => static}/css/labca.css (100%) rename {www => static}/css/metisMenu.min.css (100%) rename {www => static}/css/sb-admin-2.min.css (100%) rename {www => static}/fonts/FontAwesome.otf (100%) rename {www => static}/fonts/fontawesome-webfont.eot (100%) rename {www => static}/fonts/fontawesome-webfont.svg (100%) rename {www => static}/fonts/fontawesome-webfont.ttf (100%) rename {www => static}/fonts/fontawesome-webfont.woff (100%) rename {www => static}/fonts/fontawesome-webfont.woff2 (100%) rename {www => static}/fonts/glyphicons-halflings-regular.eot (100%) rename {www => static}/fonts/glyphicons-halflings-regular.svg (100%) rename {www => static}/fonts/glyphicons-halflings-regular.ttf (100%) rename {www => static}/fonts/glyphicons-halflings-regular.woff (100%) rename {www => static}/fonts/glyphicons-halflings-regular.woff2 (100%) rename {www => static}/img/fav-admin.png (100%) rename {www => static}/img/fav-public.png (100%) rename {www => static}/img/spinner.gif (100%) rename {www => static}/img/warning.png (100%) rename {www => static}/index.html (100%) rename {www => static}/js/bootstrap-dialog.min.js (100%) rename {www => static}/js/bootstrap.min.js (100%) rename {www => static}/js/dataTables.bootstrap.min.js (100%) rename {www => static}/js/dataTables.responsive.js (100%) rename {www => 
static}/js/jquery.dataTables.min.js (100%) rename {www => static}/js/jquery.min.js (100%) rename {www => static}/js/jquery.stickytabs.js (100%) rename {www => static}/js/labca.js (100%) rename {www => static}/js/metisMenu.min.js (100%) rename {www => static}/js/pwdux.js (100%) rename {www => static}/js/sb-admin-2.min.js (100%) rename {www => static}/js/zxcvbn.js (100%) rename {www => static}/js/zxcvbn.js.map (100%) rename {www => static}/rate-limits.html (100%) rename {www => static}/terms/v1.html (100%) diff --git a/README.md b/README.md index dc9d3ee..fb2d8ee 100644 --- a/README.md +++ b/README.md @@ -97,7 +97,7 @@ The end users in your organization / lab can visit the public pages of you LabCA ## Troubleshooting After installing sometimes the application is not starting up properly and it can be quite hard to figure out why. Some log files to check in case of issues are: -* /etc/nginx/ssl/acme_tiny.log +* /home/labca/nginx_data/ssl/acme_tiny.log * /home/labca/logs/commander.log * cd /home/labca/boulder; docker-compose logs labca * cd /home/labca/boulder; docker-compose logs boulder 
@@ -106,7 +106,7 @@ After installing sometimes the application is not starting up properly and it ca ### Common error messages -If you get "**No valid IP addresses found for **" in /etc/nginx/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "**Could not resolve host: **" in /var/log/labca.err. +If you get "**No valid IP addresses found for **" in /home/labca/nginx_data/ssl/acme_tiny.log, solve it by entering the hostname in your local DNS. Same for "**Could not resolve host: **" in /var/log/labca.err. When issuing a certificate, LabCA/boulder checks for CAA (Certification Authority Authorization) records in DNS, which specify what CAs are allowed to issue certificates for the domain. If you get an error like "**SERVFAIL looking up CAA for internal**" or "**CAA record for ca01.foo.internal prevents issuance**", you can try to add something like this to your DNS domain: ``` diff --git a/acme_tiny.py b/acme_tiny.py index f919937..7f5de06 100644 --- a/acme_tiny.py +++ b/acme_tiny.py @@ -202,7 +202,7 @@ def main(argv=None): ## openssl genrsa 4096 > account.key ## openssl genrsa 4096 > domain.key ## openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:tessie.hakwerk.local")) > domain.csr -## python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/html/.well-known/acme-challenge/ > domain_chain.crt +## python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/labca/nginx_data/static/.well-known/acme-challenge/ > domain_chain.crt ## cp domain_chain.crt ~/boulder/test/ ## docker exec -ti boulder_boulder_1 /bin/bash diff --git a/backup b/backup index d2c30c7..73d64eb 100755 --- a/backup +++ b/backup 
@@ -15,7 +15,7 @@ mkdir -p /home/labca/backup cd /home/labca/boulder docker-compose exec -T bmysql mysqldump boulder_sa_integration >$TMPDIR/boulder_sa_integration.sql -cp -p /etc/nginx/ssl/*key* /etc/nginx/ssl/*cert.pem /etc/nginx/ssl/*.csr $TMPDIR/ +cp -p /home/labca/nginx_data/ssl/*key* /home/labca/nginx_data/ssl/*cert.pem /home/labca/nginx_data/ssl/*.csr $TMPDIR/ cp -rp /home/labca/admin/data $TMPDIR/ diff --git a/commander b/commander index 317289d..5e6ba97 100755 --- a/commander +++ b/commander @@ -38,7 +38,7 @@ function wait_server() { read txt case $txt in "trust-store") - cp /etc/nginx/ssl/labca_cert.pem /usr/local/share/ca-certificates/labca_cert.crt + cp /home/labca/nginx_data/ssl/labca_cert.pem /usr/local/share/ca-certificates/labca_cert.crt cp ~labca/admin/data/root-ca.pem /usr/local/share/ca-certificates/root-ca.crt update-ca-certificates &>>$LOGFILE echo "Waiting for initial startup of the docker containers..." &>>$LOGFILE @@ -58,12 +58,11 @@ case $txt in wait_up $PS_BOULDER $PS_BOULDER_COUNT &>>$LOGFILE ;; "acme-request") - cd /etc/nginx/ssl + cd /home/labca/nginx_data/ssl [ -e account.key ] || openssl genrsa 4096 > account.key [ -e labca_key.pem ] || openssl genrsa 4096 > labca_key.pem san=$(openssl x509 -noout -text -in labca_cert.pem | grep DNS:) openssl req -new -sha256 -key labca_key.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > domain.csr - chown -R www-data:www-data * url=$(grep 'DEFAULT_DIRECTORY_URL =' /home/labca/acme_tiny.py | sed -e 's/.*=[ ]*//' | sed -e 's/\"//g') wait_server $url sleep 10 
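Review bot: In the acme-request case the new `cd /home/labca/nginx_data/ssl` is unchecked, and the lines after it generate account.key and labca_key.pem with `openssl genrsa 4096 > …` into whatever the current directory happens to be if that path does not exist yet; `cd /home/labca/nginx_data/ssl || exit 1` keeps the key material from landing elsewhere. The same pattern existed with the old /etc/nginx/ssl path, but the new directory is created by the install script rather than by a package, so the failure mode is more plausible now. With `chown -R www-data:www-data *` dropped, the mode of the generated keys is now whatever the caller's umask yields; I cannot tell from the hunk which user runs commander, so confirm the keys do not end up group- or world-readable under /home/labca. The case statement continues outside the hunk.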
@@ -72,16 +71,18 @@ case $txt in ln -sf /home/labca/labca/logrotate_d /etc/logrotate.d/labca ;; "nginx-remove-redirect") - perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /etc/nginx/sites-available/labca + perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /home/labca/nginx_data/conf.d/labca.conf ;; "nginx-reload") - service nginx reload + cd /home/labca/boulder + docker-compose exec -T nginx nginx -s reload &>>$LOGFILE ;; "nginx-restart") - service nginx restart + cd /home/labca/boulder + docker-compose restart nginx &>>$LOGFILE ;; "log-cert") - [ -f /etc/nginx/ssl/acme_tiny.log ] && tail -200 /etc/nginx/ssl/acme_tiny.log || /bin/true + [ -f /home/labca/nginx_data/ssl/acme_tiny.log ] && tail -200 /home/labca/nginx_data/ssl/acme_tiny.log || /bin/true exit 0 ;; "log-commander") @@ -120,11 +121,8 @@ case $txt in exit 0 ;; "log-web") - tail -f -n 50 /var/log/nginx/access.log - ;; -"log-weberr") - [ -f /var/log/nginx/error.log ] && tail -200 /var/log/nginx/error.log || /bin/true - exit 0 + cd /home/labca/boulder + docker-compose logs -f --no-color --tail=50 nginx ;; "log-components") timezone=$(cat /etc/timezone) diff --git a/gui/apply b/gui/apply index 789c65f..c08d3e0 100755 --- a/gui/apply +++ b/gui/apply @@ -16,8 +16,6 @@ cp $PKI_ROOT_CERT_BASE.der certs/ cp $PKI_INT_CERT_BASE.pem certs/ cp $PKI_INT_CERT_BASE.der certs/ -chown -R www-data:www-data . - cd /boulder/labca $PKI_PWD/apply-boulder diff --git a/gui/apply-nginx b/gui/apply-nginx index 78b161d..65bdc57 100755 --- a/gui/apply-nginx +++ b/gui/apply-nginx @@ -18,5 +18,3 @@ sed -i -e "s|\[PKI_ROOT_FINGERPRINT\]|$PKI_ROOT_FINGERPRINT|g" cps/index.html sed -i -e "s|\[PKI_ROOT_VALIDITY\]|$PKI_ROOT_VALIDITY|g" cps/index.html sed -i -e "s|\[PKI_COMPANY_NAME\]|$PKI_DEFAULT_O|g" terms/v1.html - -chown -R www-data:www-data . 
diff --git a/gui/main.go b/gui/main.go index dbd9b88..865b911 100644 --- a/gui/main.go +++ b/gui/main.go @@ -232,7 +232,7 @@ func errorHandler(w http.ResponseWriter, r *http.Request, err error, status int) var FileErrors []interface{} data := getLog(w, r, "cert") if data != "" { - FileErrors = append(FileErrors, map[string]interface{}{"FileName": "/etc/nginx/ssl/acme_tiny.log", "Content": data}) + FileErrors = append(FileErrors, map[string]interface{}{"FileName": "/home/labca/nginx_data/ssl/acme_tiny.log", "Content": data}) } data = getLog(w, r, "commander") if data != "" { @@ -1006,7 +1006,7 @@ func _manageGet(w http.ResponseWriter, r *http.Request) { components := _parseComponents(getLog(w, r, "components")) for i := 0; i < len(components); i++ { if components[i].Name == "NGINX Webserver" { - components[i].LogURL = r.Header.Get("X-Request-Base") + "/logs/weberr" + components[i].LogURL = r.Header.Get("X-Request-Base") + "/logs/web" components[i].LogTitle = "Web Error Log" btn := make(map[string]interface{}) @@ -1185,11 +1185,6 @@ func logsHandler(w http.ResponseWriter, r *http.Request) { case "web": name = "Web Access Log" message = "Live view on the NGINX web server access log." - case "weberr": - name = "Web Error Log" - message = "Log file for the NGINX web server error log." - wsurl = "" - data = getLog(w, r, logType) default: errorHandler(w, r, fmt.Errorf("unknown log type '%s'", logType), http.StatusBadRequest) return 
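Review bot: `_manageGet` keeps `components[i].LogTitle = "Web Error Log"` while now pointing LogURL at /logs/web, where logsHandler (the next hunk) still names the page "Web Access Log" with the message "Live view on the NGINX web server access log."; since the commander's log-web now streams the nginx container log, which presumably carries both access and error output, the three strings disagree with each other and with the new nav label "Web Server". Suggest `components[i].LogTitle = "Web Server Log"`, `name = "Web Server Log"` and `message = "Live view on the NGINX web server log."`, and the same wording for the "title" attribute of the web navItem in the activeNav hunk. The removed weberr case has no remaining callers visible in this diff, so the default branch's 400 for it looks intended; a one-line comment there saying weberr was folded into web would save the next reader a search. logsHandler and _manageGet both extend beyond these hunks.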
@@ -2272,21 +2267,13 @@ func activeNav(active string, uri string, requestBase string) []navItem { }, } web := navItem{ - Name: "Web Access", + Name: "Web Server", Icon: "fa-globe", Attrs: map[template.HTMLAttr]string{ "href": requestBase + "/logs/web", "title": "Live view on the NGINX web server access log", }, } - weberr := navItem{ - Name: "Web Error", - Icon: "fa-times", - Attrs: map[template.HTMLAttr]string{ - "href": requestBase + "/logs/weberr", - "title": "Log file for the NGINX web server error log", - }, - } logs := navItem{ Name: "Logs", Icon: "fa-files-o", @@ -2295,7 +2282,7 @@ func activeNav(active string, uri string, requestBase string) []navItem { "title": "Log Files", }, IsActive: strings.HasPrefix(uri, "/logs/"), - SubMenu: []navItem{cert, boulder, audit, labca, web, weberr}, + SubMenu: []navItem{cert, boulder, audit, labca, web}, } manage := navItem{ Name: "Manage", 
@@ -2491,13 +2478,13 @@ func main() { r.NotFoundHandler = http.HandlerFunc(notFoundHandler) if isDev { - r.PathPrefix("/accounts/static/").Handler(http.StripPrefix("/accounts/static/", http.FileServer(http.Dir("../www")))) - r.PathPrefix("/authz/static/").Handler(http.StripPrefix("/authz/static/", http.FileServer(http.Dir("../www")))) - r.PathPrefix("/challenges/static/").Handler(http.StripPrefix("/challenges/static/", http.FileServer(http.Dir("../www")))) - r.PathPrefix("/certificates/static/").Handler(http.StripPrefix("/certificates/static/", http.FileServer(http.Dir("../www")))) - r.PathPrefix("/orders/static/").Handler(http.StripPrefix("/orders/static/", http.FileServer(http.Dir("../www")))) - r.PathPrefix("/logs/static/").Handler(http.StripPrefix("/logs/static/", http.FileServer(http.Dir("../www")))) - r.PathPrefix("/static/").Handler(http.StripPrefix("/static/", http.FileServer(http.Dir("../www")))) + r.PathPrefix("/accounts/static/").Handler(http.StripPrefix("/accounts/static/", http.FileServer(http.Dir("../static")))) + r.PathPrefix("/authz/static/").Handler(http.StripPrefix("/authz/static/", http.FileServer(http.Dir("../static")))) + r.PathPrefix("/challenges/static/").Handler(http.StripPrefix("/challenges/static/", http.FileServer(http.Dir("../static")))) + r.PathPrefix("/certificates/static/").Handler(http.StripPrefix("/certificates/static/", http.FileServer(http.Dir("../static")))) + r.PathPrefix("/orders/static/").Handler(http.StripPrefix("/orders/static/", http.FileServer(http.Dir("../static")))) + r.PathPrefix("/logs/static/").Handler(http.StripPrefix("/logs/static/", http.FileServer(http.Dir("../static")))) + r.PathPrefix("/static/").Handler(http.StripPrefix("/static/", http.FileServer(http.Dir("../static")))) } r.Use(authorized) diff --git a/install b/install index 7cd8fd6..c4a326c 100755 --- a/install +++ b/install 
@@ -203,7 +203,7 @@ clone_or_pull() { # Checkout the latest release tag checkout_release() { local branch="$1" - if [ "$branch" == "" ] || [ "$branch" == "master" ]; then + if [ "$branch" == "" ] || [ "$branch" == "master" ] || [ "$branch" == "main" ]; then cd "$cloneDir" TAG=$(git describe --tags $(git rev-list --tags --max-count=1)) sudo -u labca -H git reset --hard $TAG &>>$installLog @@ -393,7 +393,7 @@ install_pkg() { } install_extra() { - local packages=(apt-transport-https ca-certificates curl gnupg2 net-tools nginx software-properties-common tzdata ucspi-tcp zip python) + local packages=(apt-transport-https ca-certificates curl gnupg2 net-tools software-properties-common tzdata ucspi-tcp zip python) for package in "${packages[@]}"; do install_pkg "$package" done 
@@ -425,11 +425,22 @@ static_web() { local msg="Static web pages" msg_info "$msg" - [ -e /etc/nginx/sites-available/labca ] || cp $cloneDir/nginx.conf /etc/nginx/sites-available/labca - [ -e /etc/nginx/sites-enabled/labca ] || ln -s ../sites-available/labca /etc/nginx/sites-enabled/ - rm -f /etc/nginx/sites-enabled/default + if [ -d /etc/nginx ]; then + # Migrate cert from host nginx to dockerized nginx + [ -d /home/labca/nginx_data/ssl ] || mkdir -p /home/labca/nginx_data/ssl + mv /etc/nginx/ssl/* /home/labca/nginx_data/ssl/ + mv /etc/nginx /etc/nginx.backup + fi + + [ -d /home/labca/nginx_data/conf.d ] || mkdir -p /home/labca/nginx_data/conf.d + [ -d /home/labca/nginx_data/ssl ] || mkdir -p /home/labca/nginx_data/ssl + cp $cloneDir/nginx.conf /home/labca/nginx_data/conf.d/labca.conf + if [ -f "$boulderLabCADir/setup_complete" ]; then + perl -i -p0e 's/\n # BEGIN temporary redirect\n location = \/ \{\n return 302 \/admin\/;\n }\n # END temporary redirect\n//igs' /home/labca/nginx_data/conf.d/labca.conf + fi - cd /var/www/html + [ -d /home/labca/nginx_data/static ] || mkdir /home/labca/nginx_data/static + cd /home/labca/nginx_data/static git status --short &> /dev/null || rc=$? if [ $rc -gt 0 ]; then git init >>$installLog @@ -438,9 +449,10 @@ static_web() { git commit --all --quiet -m "LabCA before update $runId" &>>$installLog && { msg_ok "Commit existing modifications of $adminDir"; msg_info "$msg"; } || true mkdir -p .well-known/acme-challenge + find .well-known/acme-challenge/ -mtime +10 -exec rm {} \; # Clean up files older than 10 days mkdir -p crl [ -e cert ] || ln -s certs cert - cp -rp $cloneDir/www/* . + cp -rp $cloneDir/static/* . sed -i -e "s|\[LABCA_CPS_LOCATION\]|http://$LABCA_FQDN/cps/|g" cps/index.html sed -i -e "s|\[LABCA_CERTS_LOCATION\]|http://$LABCA_FQDN/certs/|g" cps/index.html 
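Review bot: The migration guard `if [ -d /etc/nginx ]; then` in static_web matches any host with nginx installed, not only one where LabCA configured it, and together with the `apt remove -y nginx` added in the cleanup() hunk it moves /etc/nginx aside and uninstalls a web server the host may be using for something else. Guarding on the file the old code created, `if [ -e /etc/nginx/sites-available/labca ]; then`, limits the migration to installs LabCA owns; the inner `mv /etc/nginx/ssl/*` should also tolerate a missing ssl directory (`[ -d /etc/nginx/ssl ] && mv /etc/nginx/ssl/* /home/labca/nginx_data/ssl/`), since an unmatched glob makes mv fail. The server private key and ACME account key now live under /home/labca/nginx_data/ssl, created here with a plain `mkdir -p` under the default umask; I cannot tell from the hunk which users need to read that directory, but confirm its mode is no wider than /etc/nginx/ssl was (for example `mkdir -p -m 0700` if only root and the nginx container need it). static_web continues past the end of this hunk.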
@@ -451,8 +463,6 @@ static_web() { export PKI_DEFAULT_O=$(grep organization $adminDir/data/config.json | sed -e 's/.*:[ ]*//' | sed -e 's/\",//g' | sed -e 's/\"//g') $adminDir/apply-nginx - else - chown -R www-data:www-data . fi git add --all &>/dev/null || true @@ -463,19 +473,16 @@ static_web() { # Create a temporary self-signed certificate if there is no certificate yet selfsigned_cert() { - if [ -e /etc/nginx/ssl/labca_cert.pem ]; then + if [ -e /home/labca/nginx_data/ssl/labca_cert.pem ]; then msg_ok "Certificate is present" else local msg="Create self-signed certificate" msg_info "$msg" - mkdir -p /etc/nginx/ssl - cd /etc/nginx/ssl + mkdir -p /home/labca/nginx_data/ssl + cd /home/labca/nginx_data/ssl openssl req -x509 -nodes -sha256 -newkey rsa:2048 -keyout labca_key.pem -out labca_cert.pem -days 7 \ -subj "/O=LabCA/CN=$LABCA_FQDN" -reqexts SAN -extensions SAN \ -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nbasicConstraints=CA:FALSE\nnsCertType=server\nsubjectAltName=DNS:$LABCA_FQDN")) &>>$installLog - chown -R www-data:www-data labca_* - - service nginx restart &>>$installLog msg_ok "$msg" fi } @@ -720,13 +727,15 @@ cleanup() { local msg="Cleaning up obsolete files" msg_info "$msg" - rm -f /var/www/html/css/skeleton.css - rm -f /var/www/html/css/skeleton-tabs.css - rm -f /var/www/html/css/normalize.css - rm -f /var/www/html/css/font.css - rm -f /var/www/html/img/favicon.ico - rm -f /var/www/html/js/jquery-3.3.1.min.js - rm -f /var/www/html/js/skeleton-tabs.js + if [ -d /var/www/html ]; then + rm -f /var/www/html/css/skeleton.css + rm -f /var/www/html/css/skeleton-tabs.css + rm -f /var/www/html/css/normalize.css + rm -f /var/www/html/css/font.css + rm -f /var/www/html/img/favicon.ico + rm -f /var/www/html/js/jquery-3.3.1.min.js + rm -f /var/www/html/js/skeleton-tabs.js + fi rm -f $adminDir/templates/cert.tmpl rm -f $adminDir/templates/error.tmpl rm -f $adminDir/templates/final.tmpl 
@@ -739,6 +748,11 @@ cleanup() { rm -f $adminDir/templates/setup.tmpl rm -f $adminDir/templates/wrapup.tmpl + # Remove host nginx if installed, as we are now using the docker container + systemctl stop nginx &>>$installLog || true + systemctl disable nginx &>>$installLog || true + apt remove -y nginx &>>$installLog + msg_ok "$msg" } @@ -784,7 +798,7 @@ startup() { # If the nginx certificate is self-signed then show extra text first_time() { - local certFile="/etc/nginx/ssl/labca_cert.pem" + local certFile="/home/labca/nginx_data/ssl/labca_cert.pem" [ -e "$certFile" ] || msg_fatal "The SSL certificate $certFile does not exist" local subject=$(openssl x509 -noout -in "$certFile" -subject_hash) diff --git a/logrotate_d b/logrotate_d index d27d3ce..978c567 100644 --- a/logrotate_d +++ b/logrotate_d @@ -1,4 +1,4 @@ -/etc/nginx/ssl/*.log +/home/labca/nginx_data/ssl/*.log /home/labca/logs/cron-*.log { rotate 4 diff --git a/nginx.conf b/nginx.conf index 7408689..fdd2693 100644 --- a/nginx.conf +++ b/nginx.conf @@ -19,8 +19,11 @@ server { } location /ocsp/ { - include proxy_params; - proxy_pass http://127.0.0.1:4002/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://boulder:4002/; } location /rate-limits { 
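Review bot: `apt remove -y nginx` in cleanup() runs on every install without checking that LabCA was the one that installed the package, and the `apt` front end itself warns that it has no stable CLI for use in scripts; `apt-get remove -y nginx &>>$installLog || true` is the script-safe form, and guarding it on a marker left by the static_web migration (for instance testing for `/etc/nginx.backup/sites-available/labca`, both halves of which appear in this diff) avoids removing a web server another service depends on. The comment above the three lines should also say that /etc/nginx has already been moved to /etc/nginx.backup by static_web, which is why plain remove rather than purge is enough here. cleanup() starts before this hunk.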
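Review bot: The four proxy_set_header lines that replace `include proxy_params;` are now repeated verbatim in every proxied location (this hunk and the @@ -52 hunk, five blocks in total), so a future header change has to be made in five places. nginx can still include a shared snippet from the mounted directory: keep the four lines in `/home/labca/nginx_data/conf.d/proxy_params` (no .conf suffix, so the image's default `include /etc/nginx/conf.d/*.conf;` does not load it as a server config) and write `include /etc/nginx/conf.d/proxy_params;` in each location. The `location /ocsp/` block appears in both hunks; if both are in the same server block nginx refuses the config with a duplicate-location error, so presumably they belong to different server blocks — a comment naming the listener each one serves would make that clear. The enclosing server block starts before and ends after this hunk.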
@@ -52,33 +55,48 @@ server { } location /admin/ { - include proxy_params; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Request-Base "/admin"; - proxy_pass http://127.0.0.1:3000/; + proxy_pass http://labca:3000/; error_page 502 504 /502.html; } location /admin/ws { - include proxy_params; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Request-Base "/admin"; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; - proxy_pass http://127.0.0.1:3000/ws; + proxy_pass http://labca:3000/ws; } location /acme/ { - include proxy_params; - proxy_pass http://127.0.0.1:4001; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://boulder:4001; } location /directory { - include proxy_params; - proxy_pass http://127.0.0.1:4001; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://boulder:4001; } location /ocsp/ { - include proxy_params; - proxy_pass http://127.0.0.1:4002/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://boulder:4002/; } location /rate-limits { diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index a2c8ebb..20c80fb 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch 
@@ -40,7 +40,7 @@ index b7e5656c5..d771aa011 100644 networks: bluenet: aliases: -@@ -56,21 +65,38 @@ services: +@@ -56,21 +65,51 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -64,7 +64,7 @@ index b7e5656c5..d771aa011 100644 volumes: + - /home/labca/admin:/go/src/labca + - ./.gocache:/root/.cache/go-build -+ - /var/www/html:/wwwstatic ++ - /home/labca/nginx_data/static:/wwwstatic - .:/boulder - working_dir: *boulder_working_dir - entrypoint: test/entrypoint-netaccess.sh @@ -82,6 +82,19 @@ index b7e5656c5..d771aa011 100644 + max-file: "5" + restart: always + ++ nginx: ++ image: nginx:1.21.6 ++ restart: always ++ networks: ++ - bluenet ++ ports: ++ - 80:80 ++ - 443:443 ++ volumes: ++ - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d ++ - /home/labca/nginx_data/ssl:/etc/nginx/ssl ++ - /home/labca/nginx_data/static:/var/www/html ++ +volumes: + dbdata: diff --git a/renew b/renew index c5e227c..2b3f184 100755 --- a/renew +++ b/renew @@ -2,10 +2,10 @@ set -e -cd /etc/nginx/ssl +cd /home/labca/nginx_data/ssl date >> acme_tiny.log -python ~labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /var/www/html/.well-known/acme-challenge/ > domain_chain.crt 2>> acme_tiny.log || exit 1 +python ~labca/acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/labca/nginx_data/static/.well-known/acme-challenge/ > domain_chain.crt 2>> acme_tiny.log || exit 1 mv domain_chain.crt labca_cert.pem -chown -R www-data:www-data labca_cert.pem -service nginx reload +cd /home/labca/boulder +docker-compose restart nginx diff --git a/restore b/restore index f50edb6..65500db 100755 --- a/restore +++ b/restore 
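Review bot: The three bind mounts added for the nginx service in the @@ -82 hunk are read-write, although nginx only reads conf.d, the certificate/key directory and the static tree; mounting them read-only (`- /home/labca/nginx_data/conf.d:/etc/nginx/conf.d:ro`, `- /home/labca/nginx_data/ssl:/etc/nginx/ssl:ro`, `- /home/labca/nginx_data/static:/var/www/html:ro`) keeps a compromised web server container from altering its own config, the private key or the pages it serves. As far as this diff shows, the acme-challenge files and the static pages are written from the host (renew, install) and from the labca container's /wwwstatic mount, not by nginx, so the read-only mounts do not affect renewal. The service also declares no `depends_on` for boulder and labca, whose names nginx.conf now uses in proxy_pass; if nginx starts before those containers exist it may fail to resolve them and rely on `restart: always` to come up, which is worth a comment next to the service.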
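Review bot: `docker-compose restart nginx` at the end of renew replaces what was a `service nginx reload`, so every certificate renewal now restarts the container and drops in-flight connections, while the commander's nginx-reload case in this same commit uses `docker-compose exec -T nginx nginx -s reload`; using the same reload here, `docker-compose exec -T nginx nginx -s reload`, keeps both paths consistent and avoids the outage. Because the script runs under `set -e`, a failing `cd /home/labca/boulder` aborts after labca_cert.pem has already been replaced on disk, leaving the container serving the old certificate until the next reload — a short comment stating that ordering would help whoever debugs a stale certificate.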
@@ -16,7 +16,7 @@ tar xzf $FILE cd /home/labca/boulder docker-compose exec bmysql mysql boulder_sa_integration <$TMPDIR/boulder_sa_integration.sql -mv -f $TMPDIR/*key* $TMPDIR/*cert.pem $TMPDIR/*.csr /etc/nginx/ssl/ +mv -f $TMPDIR/*key* $TMPDIR/*cert.pem $TMPDIR/*.csr /home/labca/nginx_data/ssl/ rm -rf /home/labca/admin/data && mv $TMPDIR/data /home/labca/admin/ diff --git a/smartrenew b/smartrenew index fd66ab6..6a04ec9 100755 --- a/smartrenew +++ b/smartrenew @@ -5,10 +5,10 @@ set -e RENEW=30 TODAY=`date '+%Y_%m_%d'` -echo $TODAY >> /etc/nginx/ssl/cron.log +echo $TODAY >> /home/labca/nginx_data/ssl/cron.log -if ! expires=`openssl x509 -checkend $[ 86400 * $RENEW ] -noout -in /etc/nginx/ssl/labca_cert.pem`; then - echo " renewing!" >> /etc/nginx/ssl/cron.log - cp /etc/nginx/ssl/labca_cert.pem /etc/nginx/ssl/labca_cert_$TODAY.pem +if ! expires=`openssl x509 -checkend $[ 86400 * $RENEW ] -noout -in /home/labca/nginx_data/ssl/labca_cert.pem`; then + echo " renewing!" >> /home/labca/nginx_data/ssl/cron.log + cp /home/labca/nginx_data/ssl/labca_cert.pem /home/labca/nginx_data/ssl/labca_cert_$TODAY.pem ~labca/labca/renew fi diff --git a/www/502.html b/static/502.html similarity index 100% rename from www/502.html rename to static/502.html diff --git a/www/certs/index.html b/static/certs/index.html similarity index 100% rename from www/certs/index.html rename to static/certs/index.html diff --git a/www/cps/index.html b/static/cps/index.html similarity index 100% rename from www/cps/index.html rename to static/cps/index.html diff --git a/www/css/bootstrap.min.css b/static/css/bootstrap.min.css similarity index 100% rename from www/css/bootstrap.min.css rename to static/css/bootstrap.min.css diff --git a/www/css/bootstrap.min.css.map b/static/css/bootstrap.min.css.map similarity index 100% rename from www/css/bootstrap.min.css.map rename to static/css/bootstrap.min.css.map 
diff --git a/www/css/dataTables.bootstrap.css b/static/css/dataTables.bootstrap.css
similarity index 100%
rename from www/css/dataTables.bootstrap.css
rename to static/css/dataTables.bootstrap.css
diff --git a/www/css/dataTables.responsive.css b/static/css/dataTables.responsive.css
similarity index 100%
rename from www/css/dataTables.responsive.css
rename to static/css/dataTables.responsive.css
diff --git a/www/css/font-awesome.min.css b/static/css/font-awesome.min.css
similarity index 100%
rename from www/css/font-awesome.min.css
rename to static/css/font-awesome.min.css
diff --git a/www/css/labca.css b/static/css/labca.css
similarity index 100%
rename from www/css/labca.css
rename to static/css/labca.css
diff --git a/www/css/metisMenu.min.css b/static/css/metisMenu.min.css
similarity index 100%
rename from www/css/metisMenu.min.css
rename to static/css/metisMenu.min.css
diff --git a/www/css/sb-admin-2.min.css b/static/css/sb-admin-2.min.css
similarity index 100%
rename from www/css/sb-admin-2.min.css
rename to static/css/sb-admin-2.min.css
diff --git a/www/fonts/FontAwesome.otf b/static/fonts/FontAwesome.otf
similarity index 100%
rename from www/fonts/FontAwesome.otf
rename to static/fonts/FontAwesome.otf
diff --git a/www/fonts/fontawesome-webfont.eot b/static/fonts/fontawesome-webfont.eot
similarity index 100%
rename from www/fonts/fontawesome-webfont.eot
rename to static/fonts/fontawesome-webfont.eot
diff --git a/www/fonts/fontawesome-webfont.svg b/static/fonts/fontawesome-webfont.svg
similarity index 100%
rename from www/fonts/fontawesome-webfont.svg
rename to static/fonts/fontawesome-webfont.svg
diff --git a/www/fonts/fontawesome-webfont.ttf b/static/fonts/fontawesome-webfont.ttf
similarity index 100%
rename from www/fonts/fontawesome-webfont.ttf
rename to static/fonts/fontawesome-webfont.ttf
diff --git a/www/fonts/fontawesome-webfont.woff b/static/fonts/fontawesome-webfont.woff
similarity index 100%
rename from www/fonts/fontawesome-webfont.woff
rename to static/fonts/fontawesome-webfont.woff
diff --git a/www/fonts/fontawesome-webfont.woff2 b/static/fonts/fontawesome-webfont.woff2
similarity index 100%
rename from www/fonts/fontawesome-webfont.woff2
rename to static/fonts/fontawesome-webfont.woff2
diff --git a/www/fonts/glyphicons-halflings-regular.eot b/static/fonts/glyphicons-halflings-regular.eot
similarity index 100%
rename from www/fonts/glyphicons-halflings-regular.eot
rename to static/fonts/glyphicons-halflings-regular.eot
diff --git a/www/fonts/glyphicons-halflings-regular.svg b/static/fonts/glyphicons-halflings-regular.svg
similarity index 100%
rename from www/fonts/glyphicons-halflings-regular.svg
rename to static/fonts/glyphicons-halflings-regular.svg
diff --git a/www/fonts/glyphicons-halflings-regular.ttf b/static/fonts/glyphicons-halflings-regular.ttf
similarity index 100%
rename from www/fonts/glyphicons-halflings-regular.ttf
rename to static/fonts/glyphicons-halflings-regular.ttf
diff --git a/www/fonts/glyphicons-halflings-regular.woff b/static/fonts/glyphicons-halflings-regular.woff
similarity index 100%
rename from www/fonts/glyphicons-halflings-regular.woff
rename to static/fonts/glyphicons-halflings-regular.woff
diff --git a/www/fonts/glyphicons-halflings-regular.woff2 b/static/fonts/glyphicons-halflings-regular.woff2
similarity index 100%
rename from www/fonts/glyphicons-halflings-regular.woff2
rename to static/fonts/glyphicons-halflings-regular.woff2
diff --git a/www/img/fav-admin.png b/static/img/fav-admin.png
similarity index 100%
rename from www/img/fav-admin.png
rename to static/img/fav-admin.png
diff --git a/www/img/fav-public.png b/static/img/fav-public.png
similarity index 100%
rename from www/img/fav-public.png
rename to static/img/fav-public.png
diff --git a/www/img/spinner.gif b/static/img/spinner.gif
similarity index 100%
rename from www/img/spinner.gif
rename to static/img/spinner.gif
diff --git a/www/img/warning.png b/static/img/warning.png
similarity index 100%
rename from www/img/warning.png
rename to static/img/warning.png
diff --git a/www/index.html b/static/index.html
similarity index 100%
rename from www/index.html
rename to static/index.html
diff --git a/www/js/bootstrap-dialog.min.js b/static/js/bootstrap-dialog.min.js
similarity index 100%
rename from www/js/bootstrap-dialog.min.js
rename to static/js/bootstrap-dialog.min.js
diff --git a/www/js/bootstrap.min.js b/static/js/bootstrap.min.js
similarity index 100%
rename from www/js/bootstrap.min.js
rename to static/js/bootstrap.min.js
diff --git a/www/js/dataTables.bootstrap.min.js b/static/js/dataTables.bootstrap.min.js
similarity index 100%
rename from www/js/dataTables.bootstrap.min.js
rename to static/js/dataTables.bootstrap.min.js
diff --git a/www/js/dataTables.responsive.js b/static/js/dataTables.responsive.js
similarity index 100%
rename from www/js/dataTables.responsive.js
rename to static/js/dataTables.responsive.js
diff --git a/www/js/jquery.dataTables.min.js b/static/js/jquery.dataTables.min.js
similarity index 100%
rename from www/js/jquery.dataTables.min.js
rename to static/js/jquery.dataTables.min.js
diff --git a/www/js/jquery.min.js b/static/js/jquery.min.js
similarity index 100%
rename from www/js/jquery.min.js
rename to static/js/jquery.min.js
diff --git a/www/js/jquery.stickytabs.js b/static/js/jquery.stickytabs.js
similarity index 100%
rename from www/js/jquery.stickytabs.js
rename to static/js/jquery.stickytabs.js
diff --git a/www/js/labca.js b/static/js/labca.js
similarity index 100%
rename from www/js/labca.js
rename to static/js/labca.js
diff --git a/www/js/metisMenu.min.js b/static/js/metisMenu.min.js
similarity index 100%
rename from www/js/metisMenu.min.js
rename to static/js/metisMenu.min.js
diff --git a/www/js/pwdux.js b/static/js/pwdux.js
similarity index 100%
rename from www/js/pwdux.js
rename to static/js/pwdux.js
diff --git a/www/js/sb-admin-2.min.js b/static/js/sb-admin-2.min.js
similarity index 100%
rename from www/js/sb-admin-2.min.js
rename to static/js/sb-admin-2.min.js
diff --git a/www/js/zxcvbn.js b/static/js/zxcvbn.js
similarity index 100%
rename from www/js/zxcvbn.js
rename to static/js/zxcvbn.js
diff --git a/www/js/zxcvbn.js.map b/static/js/zxcvbn.js.map
similarity index 100%
rename from www/js/zxcvbn.js.map
rename to static/js/zxcvbn.js.map
diff --git a/www/rate-limits.html b/static/rate-limits.html
similarity index 100%
rename from www/rate-limits.html
rename to static/rate-limits.html
diff --git a/www/terms/v1.html b/static/terms/v1.html
similarity index 100%
rename from www/terms/v1.html
rename to static/terms/v1.html