feat: support TLS auth
This commit is contained in:
parent
f896569f4c
commit
e5bbdadd6a
@ -21,7 +21,7 @@
|
||||
"joi": "^10.6.0",
|
||||
"joyent-cp-gql-schema": "^1.2.0",
|
||||
"piloted": "^3.1.1",
|
||||
"portal-api": "^1.3.2",
|
||||
"portal-api": "^1.3.3",
|
||||
"toppsy": "^1.1.0",
|
||||
"triton": "^5.2.0"
|
||||
}
|
||||
|
@ -5,7 +5,7 @@ FROM node:8-alpine
|
||||
# Install dependencies
|
||||
RUN set -x \
|
||||
&& apk update \
|
||||
&& apk add --update curl bash build-base git nginx python \
|
||||
&& apk add --update curl bash build-base git nginx python openssl \
|
||||
&& apk upgrade \
|
||||
&& rm -rf /var/cache/apk/*
|
||||
|
||||
|
@ -1,8 +1,27 @@
|
||||
#!/bin/sh
|
||||
#!/bin/bash
|
||||
|
||||
# Render Nginx configuration template using values from Consul,
|
||||
# but do not reload because Nginx has't started yet
|
||||
# but do not reload because Nginx has't started yet.
|
||||
# Install key files for TLS auth in nginx
|
||||
preStart() {
|
||||
# Copy creds from env vars to files on disk
|
||||
if [ -n ${!NGINX_CA_CRT} ] \
|
||||
&& [ -n ${!NGINX_SERVER_KEY} ] \
|
||||
&& [ -n ${!NGINX_SERVER_CRT} ]
|
||||
then
|
||||
local nginx_path=/etc/nginx/certs
|
||||
mkdir -p $nginx_path
|
||||
mkdir -p $nginx_path/ca
|
||||
mkdir -p $nginx_path/server
|
||||
echo -e "${NGINX_CA_CRT}" | tr '#' '\n' > $nginx_path/ca/ca.crt
|
||||
echo -e "${NGINX_SERVER_KEY}" | tr '#' '\n' > $nginx_path/server/server.key
|
||||
echo -e "${NGINX_SERVER_CRT}" | tr '#' '\n' > $nginx_path/server/server.crt
|
||||
|
||||
chmod 444 $nginx_path/ca/ca.crt
|
||||
chmod 444 $nginx_path/server/server.key
|
||||
chmod 444 $nginx_path/server/server.crt
|
||||
fi
|
||||
|
||||
consul-template \
|
||||
-once \
|
||||
-consul localhost:8500 \
|
||||
|
@ -37,8 +37,8 @@
|
||||
once: 'exitSuccess'
|
||||
},
|
||||
health: {
|
||||
exec: '/usr/bin/curl -o /dev/null --fail -s http://localhost:{{.PORT}}',
|
||||
interval: 5,
|
||||
exec: 'pstree nginx',
|
||||
interval: 10,
|
||||
ttl: 25
|
||||
}
|
||||
},
|
||||
|
@ -25,6 +25,15 @@ events {
|
||||
http {
|
||||
index index.html index.htm;
|
||||
|
||||
server {
|
||||
server_name _;
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
location / {
|
||||
rewrite ^ https://$host$request_uri? permanent;
|
||||
}
|
||||
}
|
||||
|
||||
{{ if service "api" }}
|
||||
upstream api_hosts {
|
||||
{{range service "api"}}
|
||||
@ -33,10 +42,19 @@ http {
|
||||
}{{ end }}
|
||||
|
||||
server {
|
||||
server_name _;
|
||||
listen {{ env "PORT" }} default_server;
|
||||
listen [::]:{{ env "PORT" }} default_server;
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
root /opt/app/packages/cp-frontend/build;
|
||||
|
||||
ssl_certificate /etc/nginx/certs/server/server.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/server/server.key;
|
||||
ssl_client_certificate /etc/nginx/certs/ca/ca.crt;
|
||||
ssl_verify_client on;
|
||||
ssl_session_timeout 1d;
|
||||
|
||||
ssl_protocols TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
|
||||
|
||||
location / {
|
||||
try_files $uri /index.html;
|
||||
}
|
||||
@ -44,7 +62,9 @@ http {
|
||||
rewrite /api/(.*) /$1 break;
|
||||
proxy_pass http://api_hosts;
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Client-Dn $ssl_client_s_dn;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -51,13 +51,17 @@ frontend:
|
||||
mem_limit: 512m
|
||||
links:
|
||||
- consul:consul
|
||||
env_file:
|
||||
- _env
|
||||
environment:
|
||||
- CONSUL=consul
|
||||
- PORT=80
|
||||
- REACT_APP_GQL_HOSTNAME=localhost
|
||||
- REACT_APP_GQL_PORT=80
|
||||
- PORT=443
|
||||
- REACT_APP_GQL_HOSTNAME=workshop.host
|
||||
- REACT_APP_GQL_PORT=443
|
||||
- REACT_APP_GQL_PROTOCOL=https
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
dns:
|
||||
- 127.0.0.1
|
||||
|
||||
|
@ -13,9 +13,9 @@ const GLOBAL =
|
||||
}
|
||||
};
|
||||
|
||||
const GQL_PORT = process.env.REACT_APP_GQL_PORT || 80;
|
||||
const GQL_HOSTNAME =
|
||||
process.env.REACT_APP_GQL_HOSTNAME || GLOBAL.location.hostname;
|
||||
const GQL_PORT = process.env.REACT_APP_GQL_PORT || 443;
|
||||
const GQL_HOSTNAME = process.env.REACT_APP_GQL_HOSTNAME || GLOBAL.location.hostname;
|
||||
const GQL_PROTOCOL = process.env.REACT_APP_GQL_PROTOCOL || 'https';
|
||||
|
||||
export const client = new ApolloClient({
|
||||
dataIdFromObject: o => {
|
||||
@ -31,7 +31,7 @@ export const client = new ApolloClient({
|
||||
return `${o.__typename}:${id}`;
|
||||
},
|
||||
networkInterface: createNetworkInterface({
|
||||
uri: `http://${GQL_HOSTNAME}:${GQL_PORT}/api/graphql`
|
||||
uri: `${GQL_PROTOCOL}://${GQL_HOSTNAME}:${GQL_PORT}/api/graphql`
|
||||
})
|
||||
});
|
||||
|
||||
|
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "joyent-cp-gql-schema",
|
||||
"version": "1.2.0",
|
||||
"version": "1.3.0",
|
||||
"license": "MPL-2.0",
|
||||
"repository": "github:yldio/joyent-portal",
|
||||
"main": "index.js",
|
||||
|
@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "portal-api",
|
||||
"version": "1.3.2",
|
||||
"version": "1.3.3",
|
||||
"description": "",
|
||||
"main": "./lib/index.js",
|
||||
"scripts": {
|
||||
@ -40,7 +40,7 @@
|
||||
"force-array": "^3.1.0",
|
||||
"graphi": "^2.2.1",
|
||||
"hoek": "^4.1.1",
|
||||
"joyent-cp-gql-schema": "^1.0.4",
|
||||
"joyent-cp-gql-schema": "^1.3.0",
|
||||
"lodash.find": "^4.6.0",
|
||||
"lodash.flatten": "^4.4.0",
|
||||
"lodash.get": "^4.4.2",
|
||||
|
77
setup.sh
77
setup.sh
@ -3,7 +3,7 @@ set -e -o pipefail
|
||||
|
||||
help() {
|
||||
echo
|
||||
echo 'Usage ./setup.sh ~/path/to/TRITON_PRIVATE_KEY'
|
||||
echo 'Usage ./setup.sh ~/path/to/TRITON_PRIVATE_KEY ~/path/to/CA_CRT ~/path/to/SERVER_KEY ~/path/to/SERVER_CRT'
|
||||
echo
|
||||
echo 'Checks that your Triton and Docker environment is sane and configures'
|
||||
echo 'an environment file to use.'
|
||||
@ -39,6 +39,75 @@ check() {
|
||||
# Assign args to named vars
|
||||
TRITON_PRIVATE_KEY_PATH=$1
|
||||
|
||||
|
||||
if [ -z "$2" ]; then
|
||||
tput rev # reverse
|
||||
tput bold # bold
|
||||
echo 'Please provide a path to the NGINX CA crt file.'
|
||||
tput sgr0 # clear
|
||||
|
||||
help
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f "$2" ]; then
|
||||
tput rev # reverse
|
||||
tput bold # bold
|
||||
echo 'CA certificate for NGINX is unreadable.'
|
||||
tput sgr0 # clear
|
||||
|
||||
help
|
||||
exit 1
|
||||
fi
|
||||
|
||||
NGINX_CA_CRT_PATH=$2
|
||||
|
||||
|
||||
if [ -z "$3" ]; then
|
||||
tput rev # reverse
|
||||
tput bold # bold
|
||||
echo 'Please provide a path to the server key file.'
|
||||
tput sgr0 # clear
|
||||
|
||||
help
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f "$3" ]; then
|
||||
tput rev # reverse
|
||||
tput bold # bold
|
||||
echo 'Server key file for NGINX is unreadable.'
|
||||
tput sgr0 # clear
|
||||
|
||||
help
|
||||
exit 1
|
||||
fi
|
||||
|
||||
NGINX_SERVER_KEY_PATH=$3
|
||||
|
||||
|
||||
if [ -z "$4" ]; then
|
||||
tput rev # reverse
|
||||
tput bold # bold
|
||||
echo 'Please provide a path to the server crt file.'
|
||||
tput sgr0 # clear
|
||||
|
||||
help
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -f "$4" ]; then
|
||||
tput rev # reverse
|
||||
tput bold # bold
|
||||
echo 'Server crt file for NGINX is unreadable.'
|
||||
tput sgr0 # clear
|
||||
|
||||
help
|
||||
exit 1
|
||||
fi
|
||||
|
||||
NGINX_SERVER_CRT_PATH=$4
|
||||
|
||||
command -v docker >/dev/null 2>&1 || {
|
||||
echo
|
||||
tput rev # reverse
|
||||
@ -83,8 +152,14 @@ check() {
|
||||
echo TRITON_KEY_PATH=${TRITON_CREDS_PATH}/key.pem >> _env
|
||||
echo TRITON_CERT=$(cat "${DOCKER_CERT_PATH}"/cert.pem | tr '\n' '#') >> _env
|
||||
echo TRITON_CERT_PATH=${TRITON_CREDS_PATH}/cert.pem >> _env
|
||||
|
||||
echo SDC_KEY=$(cat "${TRITON_PRIVATE_KEY_PATH}" | tr '\n' '#') >> _env
|
||||
echo SDC_KEY_PUB=$(cat "${TRITON_PRIVATE_KEY_PATH}.pub" | tr '\n' '#') >> _env
|
||||
|
||||
echo NGINX_CA_CRT=$(cat "${NGINX_CA_CRT_PATH}" | tr '\n' '#') >> _env
|
||||
echo NGINX_SERVER_KEY=$(cat "${NGINX_SERVER_KEY_PATH}" | tr '\n' '#') >> _env
|
||||
echo NGINX_SERVER_CRT=$(cat "${NGINX_SERVER_CRT_PATH}" | tr '\n' '#') >> _env
|
||||
|
||||
echo >> _env
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user