misc: add ssl support (#75)

* misc: add SSL support for docker config * add extra files * feat: Add support for LAGO_DISABLE_SIGNUP env var (#73) * chore: remove .DS_Store file * misc: add SSL support for docker config * fix rebase issue * fix review Co-authored-by: Vincent Pochet <vincent@getlago.com>
2024-12-22 16:53:19 +07:00 · 2022-07-26 11:52:08 +02:00 · 2022-07-26 11:52:08 +02:00 · 7e2d2cd944
commit 7e2d2cd944
parent efb1a61eb5
9 changed files with 160 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,6 @@
 *.code-workspace
 .env
 .DS_Store
+/extra/ssl/certbot
+/extra/ssl/nginx*
+/extra/ssl/dhparam.pem
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 61bdb2fc295f68ce8a859e317c42f8627d2f63cb
+Subproject commit b3fd218b2be30f8e6eccee494bf67f0a259b7883
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -64,6 +64,8 @@ services:
    container_name: lago-front
    image: getlago/front:v0.4.0-alpha
    restart: unless-stopped
+    # Use this command if you want to use SSL with Let's Encrypt
+    # command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    depends_on:
      - api
    environment:
@ -73,6 +75,26 @@ services:
      - LAGO_DISABLE_SIGNUP=${LAGO_DISABLE_SIGNUP}
    ports:
      - ${FRONT_PORT:-80}:80
+      - 443:443
+    # Using SSL with Let's Encrypt
+    # volumes:
+    #   - ./extra/nginx-letsencrypt.conf:/etc/nginx/conf.d/default.conf
+    #   - ./extra/certbot/conf:/etc/letsencrypt
+    #   - ./extra/certbot/www:/var/www/certbot
+    # Using SSL with self signed certificates
+    # volumes:
+    #   - ./extra/nginx-selfsigned.conf:/etc/nginx/conf.d/default.conf
+    #   - ./extra/ssl/nginx-selfsigned.crt:/etc/ssl/certs/nginx-selfsigned.crt
+    #   - ./extra/ssl/nginx-selfsigned.key:/etc/ssl/private/nginx-selfsigned.key
+    #   - ./extra/ssl/dhparam.pem:/etc/ssl/certs/dhparam.pem
+
+  # Only used for SSL support with Let's Encrypt
+  certbot:
+    image: certbot/certbot
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
+    volumes:
+      - ./extra/certbot/conf:/etc/letsencrypt
+      - ./extra/certbot/www:/var/www/certbot

  api-worker:
    container_name: lago-worker
--- a/extra/init-letsencrypt.sh
+++ b/extra/init-letsencrypt.sh
@ -0,0 +1,80 @@
+#!/bin/bash
+
+if ! [ -x "$(command -v docker-compose)" ]; then
+  echo 'Error: docker-compose is not installed.' >&2
+  exit 1
+fi
+
+domains=(lago.example www.lago.example)
+rsa_key_size=4096
+data_path="./extra/ssl/certbot"
+email="jeremy@getlago.com" # Adding a valid address is strongly recommended
+staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits
+
+if [ -d "$data_path" ]; then
+  read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
+  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
+    exit
+  fi
+fi
+
+
+if [ ! -e "$data_path/conf/options-ssl-nginx.conf" ] || [ ! -e "$data_path/conf/ssl-dhparams.pem" ]; then
+  echo "### Downloading recommended TLS parameters ..."
+  mkdir -p "$data_path/conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "$data_path/conf/options-ssl-nginx.conf"
+  curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "$data_path/conf/ssl-dhparams.pem"
+  echo
+fi
+
+echo "### Creating dummy certificate for $domains ..."
+path="/etc/letsencrypt/live/$domains"
+mkdir -p "$data_path/conf/live/$domains"
+docker-compose run --rm --entrypoint "\
+  openssl req -x509 -nodes -newkey rsa:$rsa_key_size -days 1\
+    -keyout '$path/privkey.pem' \
+    -out '$path/fullchain.pem' \
+    -subj '/CN=localhost'" certbot
+echo
+
+
+echo "### Starting front ..."
+docker-compose up --force-recreate -d front
+echo
+
+echo "### Deleting dummy certificate for $domains ..."
+docker-compose run --rm --entrypoint "\
+  rm -Rf /etc/letsencrypt/live/$domains && \
+  rm -Rf /etc/letsencrypt/archive/$domains && \
+  rm -Rf /etc/letsencrypt/renewal/$domains.conf" certbot
+echo
+
+
+echo "### Requesting Let's Encrypt certificate for $domains ..."
+#Join $domains to -d args
+domain_args=""
+for domain in "${domains[@]}"; do
+  domain_args="$domain_args -d $domain"
+done
+
+# Select appropriate email arg
+case "$email" in
+  "") email_arg="--register-unsafely-without-email" ;;
+  *) email_arg="--email $email" ;;
+esac
+
+# Enable staging mode if needed
+if [ $staging != "0" ]; then staging_arg="--staging"; fi
+
+docker-compose run --rm --entrypoint "\
+  certbot certonly --webroot -w /var/www/certbot \
+    $staging_arg \
+    $email_arg \
+    $domain_args \
+    --rsa-key-size $rsa_key_size \
+    --agree-tos \
+    --force-renewal" certbot
+echo
+
+echo "### Reloading nginx ..."
+docker-compose exec front nginx -s reload
--- a/extra/init-selfsigned.sh
+++ b/extra/init-selfsigned.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+
+sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./extra/ssl/nginx-selfsigned.key -out ./extra/ssl/nginx-selfsigned.crt
+sudo openssl dhparam -out ./extra/ssl/dhparam.pem 2048
--- a/extra/nginx-letsencrypt.conf
+++ b/extra/nginx-letsencrypt.conf
@ -0,0 +1,30 @@
+server {
+  listen 80;
+  server_name lago.example;
+  
+  location / {
+    root /usr/share/nginx/html;
+    index index.html index.htm;
+    try_files $uri $uri/ /index.html =404;
+    return 301 https://$host$request_uri;
+  }
+
+  location /.well-known/acme-challenge/ {
+    root /var/www/certbot;
+  }
+}
+
+server {
+  listen 443 ssl;
+  server_name lago.example;
+
+  location / {
+    proxy_pass http://lago.example;
+  }
+
+  ssl_certificate /etc/letsencrypt/live/lago.example/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/lago.example/privkey.pem;
+
+  include /etc/letsencrypt/options-ssl-nginx.conf;
+  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
--- a/extra/nginx-selfsigned.conf
+++ b/extra/nginx-selfsigned.conf
@ -0,0 +1,19 @@
+server {
+  listen 80;
+  
+  location / {
+    root /usr/share/nginx/html;
+    index index.html index.htm;
+    try_files $uri $uri/ /index.html =404;
+    return 301 https://$host$request_uri;
+  }
+
+}
+
+server {
+  listen 443 ssl;
+
+  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+  ssl_dhparam /etc/ssl/certs/dhparam.pem;
+}
--- a/extra/ssl/.keep
+++ b/extra/ssl/.keep
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 91886a01ac38a4c30c7f08ffe9f4f6100a815bf4
+Subproject commit 9ff36b4540d8cbe1100b1eae198c88cb7b2b6bb1