prod
parent
104fe6512d
commit
431063ab32
8 changed files with 85 additions and 39 deletions
@ -3,27 +3,19 @@ FROM openjdk:11-jre-stretch
|
||||||
RUN apt-get update && apt-get install -y openssl
|
RUN apt-get update && apt-get install -y openssl
|
||||||
|
|
||||||
ENV KEYSTORE_PWD=
|
ENV KEYSTORE_PWD=
|
||||||
ENV SERVER_CN="localhost"
|
|
||||||
ENV CLIENT_CN="localhost"
|
|
||||||
ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
|
ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
|
||||||
ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
|
ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
|
||||||
ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=${SERVER_CN}"
|
|
||||||
ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=${CLIENT_CN}"
|
|
||||||
|
|
||||||
COPY gencerts.sh /
|
|
||||||
RUN chmod +x /gencerts.sh
|
|
||||||
|
|
||||||
VOLUME /certs
|
VOLUME /certs
|
||||||
|
|
||||||
WORKDIR /certs
|
WORKDIR /certs
|
||||||
|
|
||||||
# This works on windows
|
# This works on windows
|
||||||
CMD openssl genrsa -out ca-key.pem 2048 \
|
CMD openssl genrsa -out ca-key.pem 2048 \
|
||||||
&& openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
|
&& openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
|
||||||
&& openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
|
&& openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout server-key.pem -out server-req.pem \
|
||||||
&& openssl rsa -in server-key.pem -out server-key.pem \
|
&& openssl rsa -in server-key.pem -out server-key.pem \
|
||||||
&& openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
|
&& openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
|
||||||
&& openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_CLIENT}" -keyout client-key.pem -out client-req.pem \
|
&& openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout client-key.pem -out client-req.pem \
|
||||||
&& openssl rsa -in client-key.pem -out client-key.pem \
|
&& openssl rsa -in client-key.pem -out client-key.pem \
|
||||||
&& openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
|
&& openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
|
||||||
&& openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
|
&& openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
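Review bot: The `-config certs.cnf` added to the two `openssl req` lines only shapes the CSR; the `openssl x509 -req` lines that sign it are unchanged and pass no `-extfile`/`-extensions`, and `x509 -req` on the OpenSSL 1.1 that stretch ships never copies request extensions, so server-cert.pem and client-cert.pem still carry no subjectAltName. Add `-extfile certs.cnf -extensions v3_req` to both `openssl x509 -req` lines — but only after certs.cnf is changed to `basicConstraints = CA:FALSE`, otherwise every leaf becomes a CA-capable certificate. Both leaves are also minted from the same CA with `-set_serial 01`, which yields duplicate serial numbers; give the client `-set_serial 02`. With the `COPY gencerts.sh` lines gone it is not visible how certs.cnf reaches the `/certs` working directory in this image; if it relies on the mounted volume, a fresh volume fails at the first `req`.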
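--- /dev/null
+++ b/docker/gencerts/certs.cnf
@@ -0,0 +1,23 @@
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = CH
+ST = Zuerich
+L = Zuerich
+O = ETH
+CN = localhost
+
+[v3_req]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:TRUE
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = 127.0.0.1
+DNS.3 = seb-server-mariadb
+DNS.4 = seb-server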
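Review bot: `x509_extensions = v3_req` is only consulted by `openssl req -x509` (self-signed output); the Dockerfiles invoke `openssl req -newkey ... -config certs.cnf` without `-x509`, so the `[v3_req]` section, including the SAN list, is never read — the key that attaches extensions to a CSR is `req_extensions = v3_req`. `basicConstraints = CA:TRUE` belongs to the CA, not to the server/client leaf certificates this file is used for; use `basicConstraints = CA:FALSE` and add `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth, clientAuth`. `DNS.2 = 127.0.0.1` puts an IP address into a dNSName entry, which no validator matches against a connection to 127.0.0.1; write it as `IP.1 = 127.0.0.1`.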
@ -1,5 +1,13 @@
|
||||||
spring.profiles.include=prod-ws,prod-gui
|
spring.profiles.include=prod-ws,prod-gui
|
||||||
|
|
||||||
|
file.encoding=UTF-8
|
||||||
|
logging.level.org.apache.tomcat.util.net.NioEndpoint=DEBUG
|
||||||
|
logging.level.ch=DEBUG
|
||||||
|
|
||||||
|
sebserver.certs.password=[SET_PWD]
|
||||||
|
sebserver.mariadb.password=[SET_PWD]
|
||||||
|
sebserver.password=[SET_PWD]
|
||||||
|
|
||||||
server.address=0.0.0.0
|
server.address=0.0.0.0
|
||||||
server.port=443
|
server.port=443
|
||||||
server.servlet.context-path=/
|
server.servlet.context-path=/
|
||||||
|
@ -7,21 +15,20 @@ server.servlet.context-path=/
|
||||||
security.require-ssl=true
|
security.require-ssl=true
|
||||||
server.ssl.key-store-type=PKCS12
|
server.ssl.key-store-type=PKCS12
|
||||||
server.ssl.key-store=file:/certs/seb-server-keystore.pkcs12
|
server.ssl.key-store=file:/certs/seb-server-keystore.pkcs12
|
||||||
server.ssl.key-store-password=[SET_PWD]
|
server.ssl.key-store-password=${sebserver.certs.password}
|
||||||
server.ssl.key-alias=1
|
server.ssl.key-alias=sebserver
|
||||||
|
server.ssl.key-password=${sebserver.certs.password}
|
||||||
|
server.ssl.trust-store=file:/certs/seb-server-truststore.pkcs12
|
||||||
file.encoding=UTF-8
|
server.ssl.trust-store-password=${sebserver.certs.password}
|
||||||
|
server.ssl.enabled-protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
||||||
|
|
||||||
javax.net.ssl.keyStore=/certs/seb-server-keystore.pkcs12
|
javax.net.ssl.keyStore=/certs/seb-server-keystore.pkcs12
|
||||||
javax.net.ssl.keyStorePassword=[SET_PWD]
|
javax.net.ssl.keyStorePassword=${sebserver.certs.password}
|
||||||
javax.net.ssl.trustStore=/certs/seb-server-truststore.pkcs12
|
javax.net.ssl.trustStore=/certs/seb-server-truststore.pkcs12
|
||||||
javax.net.ssl.trustStorePassword=[SET_PWD]
|
javax.net.ssl.trustStorePassword=${sebserver.certs.password}
|
||||||
|
|
||||||
|
sebserver.webservice.api.admin.clientSecret=${sebserver.password}
|
||||||
spring.datasource.password=[SET_PWD]
|
sebserver.webservice.internalSecret=${sebserver.password}
|
||||||
sebserver.webservice.api.admin.clientSecret=[SET_PWD]
|
|
||||||
sebserver.webservice.internalSecret=[SET_PWD]
|
|
||||||
|
|
||||||
##########################################################
|
##########################################################
|
||||||
### SEB Server Webservice configuration
|
### SEB Server Webservice configuration
|
||||||
|
@ -43,11 +50,12 @@ spring.datasource.hikari.initializationFailTimeout=1
|
||||||
spring.datasource.hikari.connectionTimeout=30000
|
spring.datasource.hikari.connectionTimeout=30000
|
||||||
spring.datasource.hikari.idleTimeout=600000
|
spring.datasource.hikari.idleTimeout=600000
|
||||||
spring.datasource.hikari.maxLifetime=1800000
|
spring.datasource.hikari.maxLifetime=1800000
|
||||||
|
spring.datasource.password=${sebserver.mariadb.password}
|
||||||
|
|
||||||
# webservice configuration
|
# webservice configuration
|
||||||
sebserver.webservice.distributed=false
|
sebserver.webservice.distributed=false
|
||||||
sebserver.webservice.http.scheme=https
|
sebserver.webservice.http.scheme=https
|
||||||
sebserver.webservice.http.server.name=${server.address}
|
sebserver.webservice.http.server.name=0.0.0.0
|
||||||
sebserver.webservice.http.redirect.gui=/gui
|
sebserver.webservice.http.redirect.gui=/gui
|
||||||
sebserver.webservice.api.admin.clientId=guiClient
|
sebserver.webservice.api.admin.clientId=guiClient
|
||||||
sebserver.webservice.api.admin.endpoint=/admin-api/v1
|
sebserver.webservice.api.admin.endpoint=/admin-api/v1
|
||||||
|
@ -76,8 +84,8 @@ server.servlet.session.tracking-modes=cookie
|
||||||
|
|
||||||
sebserver.gui.entrypoint=/gui
|
sebserver.gui.entrypoint=/gui
|
||||||
sebserver.gui.webservice.protocol=https
|
sebserver.gui.webservice.protocol=https
|
||||||
sebserver.gui.webservice.address=${server.address}
|
sebserver.gui.webservice.address=0.0.0.0
|
||||||
sebserver.gui.webservice.port=80
|
sebserver.gui.webservice.port=443
|
||||||
sebserver.gui.webservice.apipath=/admin-api/v1
|
sebserver.gui.webservice.apipath=/admin-api/v1
|
||||||
# defines the polling interval that is used to poll the webservice for client connection data on a monitored exam page
|
# defines the polling interval that is used to poll the webservice for client connection data on a monitored exam page
|
||||||
sebserver.gui.webservice.poll-interval=500
|
sebserver.gui.webservice.poll-interval=500
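Review bot: `server.ssl.enabled-protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2` in the second hunk re-enables SSLv3 (POODLE) and the deprecated TLS 1.0/1.1 on the production listener; JDK 11 lists SSLv3 in `jdk.tls.disabledAlgorithms`, so the entry is either silently ignored or, once someone relaxes that property, actively weakens the endpoint — use `server.ssl.enabled-protocols=TLSv1.2,TLSv1.3`. The same hunk ships `logging.level.org.apache.tomcat.util.net.NioEndpoint=DEBUG` and `logging.level.ch=DEBUG` in the prod profile, which logs connection-level detail in production; drop them or move them to a dev profile. `sebserver.webservice.api.admin.clientSecret` and `sebserver.webservice.internalSecret` now both resolve to `${sebserver.password}`, so one placeholder governs two distinct credentials; if they are meant to be rotated separately, keep two placeholders. `sebserver.gui.webservice.address` and `sebserver.webservice.http.server.name` are hard-coded to `0.0.0.0`, a bind address rather than a connect address, while the certificates generated alongside this change carry `CN=localhost`; presumably this only works with hostname verification disabled — worth confirming.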
@ -3,28 +3,25 @@ FROM openjdk:11-jre-stretch
|
||||||
RUN apt-get update && apt-get install -y openssl
|
RUN apt-get update && apt-get install -y openssl
|
||||||
|
|
||||||
ENV KEYSTORE_PWD=
|
ENV KEYSTORE_PWD=
|
||||||
ENV SERVER_CN="seb-server-mariadb"
|
|
||||||
ENV CLIENT_CN="seb-server-mariadb"
|
|
||||||
ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
|
ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
|
||||||
ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
|
ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=SEB_SEVER_CN"
|
||||||
ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=${SERVER_CN}"
|
|
||||||
ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=${CLIENT_CN}"
|
|
||||||
|
|
||||||
VOLUME /certs
|
VOLUME /certs
|
||||||
|
|
||||||
WORKDIR /certs
|
WORKDIR /certs
|
||||||
|
|
||||||
# This works on windows
|
|
||||||
CMD openssl genrsa -out ca-key.pem 2048 \
|
CMD openssl genrsa -out ca-key.pem 2048 \
|
||||||
&& openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
|
&& openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
|
||||||
&& openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
|
&& openssl req -newkey rsa:2048 -days 3600 -nodes -config /certs/config/certs.cnf -keyout server-key.pem -out server-req.pem \
|
||||||
&& openssl rsa -in server-key.pem -out server-key.pem \
|
&& openssl rsa -in server-key.pem -out server-key.pem \
|
||||||
&& openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
|
&& openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
|
||||||
&& openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_CLIENT}" -keyout client-key.pem -out client-req.pem \
|
&& openssl req -newkey rsa:2048 -days 3600 -nodes -config /certs/config/certs.cnf -keyout client-key.pem -out client-req.pem \
|
||||||
&& openssl rsa -in client-key.pem -out client-key.pem \
|
&& openssl rsa -in client-key.pem -out client-key.pem \
|
||||||
&& openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
|
&& openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
|
||||||
&& openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
|
&& openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
|
||||||
&& openssl x509 -in ca.pem -inform pem -out ca.der -outform der \
|
&& openssl x509 -in ca.pem -inform pem -out ca.der -outform der \
|
||||||
&& openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
|
&& openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
|
||||||
&& keytool -importkeystore -destkeystore seb-server-keystore.pkcs12 -deststorepass "${KEYSTORE_PWD}" -srckeystore client-cert.pkcs12 -srcstoretype PKCS12 -srcstorepass "${KEYSTORE_PWD}" \
|
&& keytool -importkeystore -destkeystore seb-server-keystore.pkcs12 -deststorepass "${KEYSTORE_PWD}" -srckeystore client-cert.pkcs12 -srcstoretype PKCS12 -srcstorepass "${KEYSTORE_PWD}" \
|
||||||
&& keytool -import -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt
|
&& keytool -import -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
|
||||||
|
&& keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zuerich, S=Zuerich, C=CH" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \
|
||||||
|
&& keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
|
||||||
|
&& keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt
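Review bot: The new `keytool -genkeypair -alias sebserver` line creates a second, unrelated self-signed key with `CN=localhost` and no subjectAltName, and the following `keytool -importcert -trustcacerts` pins that self-signed certificate into the truststore, so clients reaching the service as `seb-server` (the name listed in certs.cnf) fail hostname verification against it. Either sign it with the CA built above, or at minimum add `-ext SAN=dns:localhost,dns:seb-server` to the genkeypair line so it matches the names in certs.cnf. The `openssl x509 -req` lines still pass no `-extfile /certs/config/certs.cnf -extensions v3_req`, so the SAN added via `-config` never reaches server-cert.pem/client-cert.pem, and both leaves are issued with `-set_serial 01` from the same CA. `CN=SEB_SEVER_CN` in OPENSSL_CA looks like a typo for SEB_SERVER_CN, and `-keyalg RSA` appears twice on the genkeypair line.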
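--- /dev/null
+++ b/docker/prod/standalone/selfsigned/certs.cnf
@@ -0,0 +1,23 @@
+[req]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[req_distinguished_name]
+C = CH
+ST = Zuerich
+L = Zuerich
+O = ETHZ
+CN = localhost
+
+[v3_req]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+basicConstraints = CA:TRUE
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = 127.0.0.1
+DNS.3 = seb-server-mariadb
+DNS.4 = seb-server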
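Review bot: `x509_extensions = v3_req` only applies to `openssl req -x509`; certs.Dockerfile calls `openssl req -newkey ... -config /certs/config/certs.cnf` without `-x509`, so the `[v3_req]` section and its SAN list are never attached to the CSR — use `req_extensions = v3_req`. `basicConstraints = CA:TRUE` makes every leaf a CA-capable certificate once the extensions do get applied; for the server/client certificates this file serves it should be `basicConstraints = CA:FALSE` with `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth, clientAuth`. `DNS.2 = 127.0.0.1` is an IP address in a dNSName entry and will not match an IP connection; write `IP.1 = 127.0.0.1`. This file is a copy of docker/gencerts/certs.cnf with only `O = ETHZ` differing, so the two will drift; consider keeping one.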
@ -2,11 +2,12 @@ version: '3'
|
||||||
services:
|
services:
|
||||||
selfsigned:
|
selfsigned:
|
||||||
build:
|
build:
|
||||||
context: ./gencerts
|
context: .
|
||||||
dockerfile: Dockerfile
|
dockerfile: certs.Dockerfile
|
||||||
container_name: gencerts
|
container_name: gencerts
|
||||||
volumes:
|
volumes:
|
||||||
- ./certs:/certs
|
- ./certs:/certs
|
||||||
|
- .:/certs/config
|
||||||
environment:
|
environment:
|
||||||
- SERVER_CN=seb-server-mariadb
|
- SERVER_CN=seb-server-mariadb
|
||||||
- CLIENT_CN=seb-server-mariadb
|
- CLIENT_CN=seb-server-mariadb
|
||||||
|
@ -31,6 +32,7 @@ services:
|
||||||
seb-server:
|
seb-server:
|
||||||
build:
|
build:
|
||||||
context: .
|
context: .
|
||||||
|
dockerfile: sebserver.Dockerfile
|
||||||
args:
|
args:
|
||||||
- GIT_TAG=
|
- GIT_TAG=
|
||||||
- SEBSERVER_VERSION=0.4.1-beta-SNAPSHOT
|
- SEBSERVER_VERSION=0.4.1-beta-SNAPSHOT
|
||||||
|
@ -39,7 +41,7 @@ services:
|
||||||
- .:/config
|
- .:/config
|
||||||
- ./certs:/certs
|
- ./certs:/certs
|
||||||
ports:
|
ports:
|
||||||
- 80:80
|
- 443:443
|
||||||
networks:
|
networks:
|
||||||
- seb-server-network
|
- seb-server-network
|
||||||
depends_on:
|
depends_on:
|
@ -25,6 +25,6 @@ ENV SEBSERVER_VERSION=${SEBSERVER_VERSION}
|
||||||
WORKDIR /sebserver
|
WORKDIR /sebserver
|
||||||
COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
|
COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
|
||||||
|
|
||||||
ENTRYPOINT exec java -jar seb-server-"${SEBSERVER_VERSION}".jar --spring.profiles.active=prod --spring.config.location=file:/config/,classpath:/config/
|
ENTRYPOINT exec java -Djavax.net.debug=SSL -jar seb-server-"${SEBSERVER_VERSION}".jar --spring.profiles.active=prod --spring.config.location=file:/config/,classpath:/config/
|
||||||
|
|
||||||
EXPOSE 80
|
EXPOSE 443
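Review bot: `-Djavax.net.debug=SSL` is now baked into the production ENTRYPOINT; it prints every handshake, certificate chain and session detail to stdout for the life of the container, which floods the log and exposes TLS internals to anyone with log access. Keep the image quiet by default and let operators opt in through the environment: `ENTRYPOINT exec java ${JAVA_OPTS} -jar seb-server-"${SEBSERVER_VERSION}".jar --spring.profiles.active=prod --spring.config.location=file:/config/,classpath:/config/`, with `JAVA_OPTS` unset in the image and set to `-Djavax.net.debug=ssl:handshake` only while debugging. The shell-form ENTRYPOINT already in use makes the `${JAVA_OPTS}` word-splitting work without further changes.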
@ -174,6 +174,7 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter implements E
|
||||||
final SSLContext sslContext = SSLContextBuilder
|
final SSLContext sslContext = SSLContextBuilder
|
||||||
.create()
|
.create()
|
||||||
.loadTrustMaterial(trustStoreFile, password)
|
.loadTrustMaterial(trustStoreFile, password)
|
||||||
|
.setKeyStoreType("pkcs12")
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
final HttpClient client = HttpClients.custom()
|
final HttpClient client = HttpClients.custom()
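Review bot: `.setKeyStoreType("pkcs12")` is chained after `.loadTrustMaterial(trustStoreFile, password)`, but in HttpClient's SSLContextBuilder the store type is read at the moment loadTrustMaterial opens the file, so this call lands after the trust store has already been loaded with the default type and has no effect. Move it ahead of the load: `.setKeyStoreType("pkcs12")` then `.loadTrustMaterial(trustStoreFile, password)`. It presumably works today only because `KeyStore.getDefaultType()` is already pkcs12 on JDK 9+, which deserves a comment if the reorder is skipped. The enclosing method starts and ends outside the hunk.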