From 9b47374373c789bb67cdc007d162f54fe4f9bb66 Mon Sep 17 00:00:00 2001
From: anhefti
Date: Thu, 29 Aug 2019 14:12:13 +0200
Subject: [PATCH] prod

---
 docker/gencerts/Dockerfile | 28 -------------------
 docker/gencerts/certs.cnf | 23 ---------------
 docker/mariadb/mariadb.cnf | 9 ------
 .../selfsigned/application-prod.properties | 7 +++--
 .../standalone/selfsigned/certs.Dockerfile | 17 +++++------
 docker/prod/standalone/selfsigned/certs.cnf | 23 ---------------
 .../standalone/selfsigned/docker-compose.yml | 20 +++++++++----
 .../selfsigned/sebserver.Dockerfile | 14 ++++++----
 .../java/ch/ethz/seb/sebserver/SEBServer.java | 3 +-
 9 files changed, 37 insertions(+), 107 deletions(-)
 delete mode 100644 docker/gencerts/Dockerfile
 delete mode 100644 docker/gencerts/certs.cnf
 delete mode 100644 docker/mariadb/mariadb.cnf
 delete mode 100644 docker/prod/standalone/selfsigned/certs.cnf

diff --git a/docker/gencerts/Dockerfile b/docker/gencerts/Dockerfile
deleted file mode 100644
index 5dfb9366..00000000
--- a/docker/gencerts/Dockerfile
+++ /dev/null
@@ -1,28 +0,0 @@
-FROM openjdk:11-jre-stretch
-
-RUN apt-get update && apt-get install -y openssl
-
-ENV KEYSTORE_PWD=
-ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
-ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
-
-VOLUME /certs
-WORKDIR /certs
-
-# This works on windows
-CMD openssl genrsa -out ca-key.pem 2048 \
- && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
- && openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout server-key.pem -out server-req.pem \
- && openssl rsa -in server-key.pem -out server-key.pem \
- && openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
- && openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout client-key.pem -out client-req.pem \
- && openssl rsa -in client-key.pem -out client-key.pem \
- && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
- && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
- && openssl x509 -in ca.pem -inform pem -out ca.der -outform der \
- && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
- && keytool -importkeystore -destkeystore seb-server-keystore.pkcs12 -deststorepass "${KEYSTORE_PWD}" -srckeystore client-cert.pkcs12 -srcstoretype PKCS12 -srcstorepass "${KEYSTORE_PWD}" \
- && keytool -import -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt
-
-# This doesn't work on windows!?
-#CMD /gencerts.sh
\ No newline at end of file
diff --git a/docker/gencerts/certs.cnf b/docker/gencerts/certs.cnf
deleted file mode 100644
index 38e3a964..00000000
--- a/docker/gencerts/certs.cnf
+++ /dev/null
@@ -1,23 +0,0 @@
-[req]
-distinguished_name = req_distinguished_name
-x509_extensions = v3_req
-prompt = no
-
-[req_distinguished_name]
-C = CH
-ST = Zuerich
-L = Zuerich
-O = ETH
-CN = localhost
-
-[v3_req]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-basicConstraints = CA:TRUE
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = localhost
-DNS.2 = 127.0.0.1
-DNS.3 = seb-server-mariadb
-DNS.4 = seb-server
diff --git a/docker/mariadb/mariadb.cnf b/docker/mariadb/mariadb.cnf
deleted file mode 100644
index 99df9666..00000000
--- a/docker/mariadb/mariadb.cnf
+++ /dev/null
@@ -1,9 +0,0 @@
-[mysqld]
-ssl-ca=/etc/mysql/certs/ca.pem
-ssl-cert=/etc/mysql/certs/server-cert.pem
-ssl-key=/etc/mysql/certs/server-key.pem
-
-[client]
-ssl-ca=/etc/mysql/certs/ca.pem
-ssl-cert=/etc/mysql/certs/client-cert.pem
-ssl-key=/etc/mysql/certs/client-key.pem
\ No newline at end of file
diff --git a/docker/prod/standalone/selfsigned/application-prod.properties b/docker/prod/standalone/selfsigned/application-prod.properties
index 19a0e3e0..617c4377 100644
--- a/docker/prod/standalone/selfsigned/application-prod.properties
+++ b/docker/prod/standalone/selfsigned/application-prod.properties
@@ -10,10 +10,10 @@ server.servlet.context-path=/
 security.require-ssl=true
 server.ssl.key-store-type=PKCS12
-server.ssl.key-store=C:/dev/workspaces/sebserver/seb-server/docker/prod/standalone/selfsigned/certs/seb-server-keystore.pkcs12
+server.ssl.key-store=/certs/seb-server-keystore.pkcs12
 server.ssl.key-store-password=${sebserver.certs.password}
 server.ssl.key-password=${sebserver.certs.password}
-server.ssl.trust-store=C:/dev/workspaces/sebserver/seb-server/docker/prod/standalone/selfsigned/certs/seb-server-truststore.pkcs12
+server.ssl.trust-store=/certs/seb-server-truststore.pkcs12
 server.ssl.trust-store-password=${sebserver.certs.password}
 server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2
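Review bot: The two new `/certs/...` paths turn this file into the real production TLS configuration, but the context line directly below them, `server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2`, still enables TLS 1.0 and 1.1 for that prod profile; neither is needed by a Java 11 client or by the MariaDB connector, and both are deprecated. Since the keystore move is the point of this commit, the same hunk should tighten it to `server.ssl.enabled-protocols=TLSv1.2`. A one-line comment above the key-store line, e.g. `# keystore/truststore are generated by the gencerts service and mounted read-only at /certs`, would also spare the next reader a trip to docker-compose.yml.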
@@ -21,12 +21,13 @@ server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2
 ### SEB Server Overall
 # Default logging level in the form "logging.level" + namespace=LEVEL
-logging.level.ch=DEBUG
+logging.level.ch=INFO
 logging.file=log/sebserver.log
 # If webservice or gui runs on ssl and this flag is true, an integrated redirect from http to https is activated
 # Disable this if a redirect is done by a pre-processing proxy
 sebserver.ssl.redirect.enabled=true
+sebserver.ssl.redirect.html.port=8080
 ##########################################################
 ### SEB Server Webservice configuration
diff --git a/docker/prod/standalone/selfsigned/certs.Dockerfile b/docker/prod/standalone/selfsigned/certs.Dockerfile
index ff7631d0..35c0e0df 100644
--- a/docker/prod/standalone/selfsigned/certs.Dockerfile
+++ b/docker/prod/standalone/selfsigned/certs.Dockerfile
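Review bot: `sebserver.ssl.redirect.html.port=8080` makes the in-container HTTP redirect listener bind port 8080 (SEBServer.java's redirectConnector in this commit reads exactly this key), but the docker-compose.yml hunk of the same commit publishes `- 8080:80`, i.e. host 8080 to container port 80, where nothing listens any more, so the http-to-https redirect is unreachable from outside. Either change the compose mapping to `- 8080:8080` or leave this property at the connector's default of 80; `EXPOSE 443 8080` in the sebserver.Dockerfile hunk has to follow the same decision. The key name `html.port` reads as a typo for `http.port`; if it is renamed now, the default lookup in redirectConnector must be renamed with it, and a short comment such as `# Port the plain-HTTP redirect listener binds inside the container (must match the docker-compose port mapping)` would make the coupling visible.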
@@ -2,26 +2,27 @@ FROM openjdk:11-jre-stretch
 RUN apt-get update && apt-get install -y openssl
-ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
-ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=SEB_SEVER_CN"
+ENV OPENSSL_SUBJ="/C=CH/ST=Zurich/L=Zurich"
+ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
+ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=localhost"
+ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=localhost"
+ENV ADDITIONAL_DNS="dns:localhost,dns:127.0.0.1,dns:seb-server"
+ENV KEYSTORE_PWD=
 VOLUME /certs
 WORKDIR /certs
-RUN export $(grep -v '^#' secrets | xargs)
-
 CMD openssl genrsa -out ca-key.pem 2048 \
 && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
- && openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout server-key.pem -out server-req.pem \
+ && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
 && openssl rsa -in server-key.pem -out server-key.pem \
 && openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
- && openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout client-key.pem -out client-req.pem \
+ && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_CLIENT}" -keyout client-key.pem -out client-req.pem \
 && openssl rsa -in client-key.pem -out client-key.pem \
 && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
 && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
- && openssl x509 -in ca.pem -inform pem -out ca.der -outform der \
 && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
- && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zuerich, S=Zuerich, C=CH" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}"
-validity 3650 \
+ && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zurich, S=Zurich, C=CH" -ext san="${ADDITIONAL_DNS}" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \
 && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
 && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
 && keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \
diff --git a/docker/prod/standalone/selfsigned/certs.cnf b/docker/prod/standalone/selfsigned/certs.cnf
deleted file mode 100644
index 9e6e418c..00000000
--- a/docker/prod/standalone/selfsigned/certs.cnf
+++ /dev/null
@@ -1,23 +0,0 @@
-[req]
-distinguished_name = req_distinguished_name
-x509_extensions = v3_req
-prompt = no
-
-[req_distinguished_name]
-C = CH
-ST = Zuerich
-L = Zuerich
-O = ETHZ
-CN = localhost
-
-[v3_req]
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer
-basicConstraints = CA:TRUE
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.1 = localhost
-DNS.2 = 127.0.0.1
-DNS.3 = seb-server-mariadb
-DNS.4 = seb-server
diff --git a/docker/prod/standalone/selfsigned/docker-compose.yml b/docker/prod/standalone/selfsigned/docker-compose.yml
index 94d911e9..e08db015 100644
--- a/docker/prod/standalone/selfsigned/docker-compose.yml
+++ b/docker/prod/standalone/selfsigned/docker-compose.yml
@@ -7,11 +7,8 @@ services:
 container_name: gencerts
 volumes:
 - ./certs:/certs
- - ./certs.cnf:/certs/certs.cnf
- - ./secrets:/certs/secrets
- environment:
- - SERVER_CN=seb-server-mariadb
- - CLIENT_CN=seb-server-mariadb
+ env_file:
+ - secrets
 mariadb:
 image: "mariadb/server:10.3"
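Review bot: `ENV ADDITIONAL_DNS="dns:localhost,dns:127.0.0.1,dns:seb-server"` declares the loopback address as a DNS-type SAN; keytool's `-ext san` takes addresses as `ip:`, so a client reaching https://127.0.0.1 fails hostname verification against the generated server keystore — `ENV ADDITIONAL_DNS="dns:localhost,ip:127.0.0.1,dns:seb-server"`. Separately, the two rewritten `openssl req ... -subj "${OPENSSL_SERVER}"` / `-subj "${OPENSSL_CLIENT}"` lines replace the deleted certs.cnf, which was the only place a subjectAltName was configured, so the OpenSSL-issued MariaDB server and client certificates now carry CN=localhost and no SAN at all; the removed config also listed `seb-server-mariadb`, which appears to be the service name the application connects to, so a hostname-verifying database client is likely to reject that certificate unless a SAN config is reintroduced (this base image is Debian stretch, so `-config` with an extensions section is the portable way). Both server and client certificates are also still issued with `-set_serial 01` under the same CA, which some stores treat as the same certificate. The CMD continues past the end of this hunk.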
@@ -37,11 +34,22 @@ services:
 - GIT_TAG=
 - SEBSERVER_VERSION=0.4.1-beta-SNAPSHOT
 container_name: seb-server
+ env_file:
+ - secrets
+ environment:
+ - ADDITIONAL_DNS=dns:127.0.0.1,dns:seb-server
 volumes:
- - .:/config
+ - ./application-prod.properties:/sebserver/application-prod.properties
 - ./certs:/certs
+ - ./secrets:/sebserver/secrets
 ports:
 - 443:443
+ - 8080:80
+ logging:
+ driver: "json-file"
+ options:
+ max-size: "200k"
+ max-file: "10"
 networks:
 - seb-server-network
 depends_on:
diff --git a/docker/prod/standalone/selfsigned/sebserver.Dockerfile b/docker/prod/standalone/selfsigned/sebserver.Dockerfile
index 18843153..2cc12bec 100644
--- a/docker/prod/standalone/selfsigned/sebserver.Dockerfile
+++ b/docker/prod/standalone/selfsigned/sebserver.Dockerfile
@@ -21,19 +21,21 @@ FROM openjdk:11-jre-stretch
 ARG SEBSERVER_VERSION
 ENV SEBSERVER_VERSION=${SEBSERVER_VERSION}
+ENV KEYSTORE_PWD=
+ENV MYSQL_ROOT_PASSWORD=
+ENV SEBSERVER_PWD=
+ENV JAVA_NET_DEBUG="ssl:handshake"
 WORKDIR /sebserver
 COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
-RUN export $(grep -v '^#' secrets | xargs)
-
 ENTRYPOINT exec java \
- -Djavax.net.debug=SSL \
+ -Djavax.net.debug="${JAVA_NET_DEBUG}" \
 -jar seb-server-"${SEBSERVER_VERSION}".jar \
 --spring.profiles.active=prod \
- --spring.config.location=file:/config/,classpath:/config/ \
+ --spring.config.location=file:/sebserver/,classpath:/config/ \
 --sebserver.certs.password="${KEYSTORE_PWD}" \
 --sebserver.mariadb.password="${MYSQL_ROOT_PASSWORD}" \
- --sebserver.password="${SEBSERVER_PWD}" \
+ --sebserver.password="${SEBSERVER_PWD}"
-EXPOSE 443
\ No newline at end of file
+EXPOSE 443 8080
\ No newline at end of file
diff --git a/src/main/java/ch/ethz/seb/sebserver/SEBServer.java b/src/main/java/ch/ethz/seb/sebserver/SEBServer.java
index 0601212f..d60ec37b 100644
--- a/src/main/java/ch/ethz/seb/sebserver/SEBServer.java
+++ b/src/main/java/ch/ethz/seb/sebserver/SEBServer.java
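Review bot: `- ./secrets:/sebserver/secrets` bind-mounts the plaintext secrets file into the application container although the same file is already injected as environment through the new `env_file: - secrets`, and the only consumer of that path, `RUN export $(grep -v '^#' secrets | xargs)` in sebserver.Dockerfile, is deleted in this commit; the mount can go. On the same list, `- ./certs:/certs` (context here) hands the application container the whole gencerts output, including ca-key.pem and the MariaDB client private key, when it only reads the two PKCS12 stores named in application-prod.properties; mounting those two files individually and read-only, as is now done for `./application-prod.properties`, keeps the CA key out of the app container. The container also still runs as root with no `user:` entry, so the new json-file log options are the only hardening in this hunk.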
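Review bot: `ENV JAVA_NET_DEBUG="ssl:handshake"` bakes TLS handshake tracing into the production image's default runtime, so every handshake (negotiated cipher suites, full certificate chains, session identifiers) is written to stdout and, with the json-file driver configured in docker-compose.yml, persisted on the host; default it to off with `ENV JAVA_NET_DEBUG=` and enable it per deployment when a TLS problem is actually being diagnosed. The three new `ENV KEYSTORE_PWD=` / `ENV MYSQL_ROOT_PASSWORD=` / `ENV SEBSERVER_PWD=` declarations are correctly empty, but the context lines below still splice the values into the `java` command line (`--sebserver.certs.password="${KEYSTORE_PWD}"` etc.), where they are readable in the process list by every process in the container; a comment on the ENV block should say that the values come from the compose env_file and end up in the process arguments, so the reader knows why `/proc` exposure matters here. The `ENTRYPOINT exec java \` shell form and the missing `USER` are pre-existing, but `EXPOSE 443 8080` now documents two ports that only work because the process stays root.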
@@ -92,9 +92,10 @@ public class SEBServer {
 private Connector redirectConnector(final Environment env) {
 final String sslPort = env.getRequiredProperty("server.port");
+ final String httpPort = env.getProperty("sebserver.ssl.redirect.html.port", "80");
 final Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
 connector.setScheme("http");
- connector.setPort(80);
+ connector.setPort(Integer.valueOf(httpPort));
 connector.setSecure(false);
 connector.setRedirectPort(Integer.valueOf(sslPort));
 return connector;
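Review bot: `connector.setPort(Integer.valueOf(httpPort))` boxes a String-derived Integer only to unbox it, and a non-numeric value of `sebserver.ssl.redirect.html.port` surfaces as a bare NumberFormatException from inside the Tomcat customizer instead of a configuration error naming the property; letting the Environment do the conversion fixes both in one line: `final int httpPort = env.getProperty("sebserver.ssl.redirect.html.port", Integer.class, 80);` followed by `connector.setPort(httpPort);`. The same pattern applies to the existing `Integer.valueOf(sslPort)` on the context line. A Javadoc on redirectConnector stating that it builds the plain-HTTP listener whose only job is to redirect to the HTTPS port, and that its port must match the container port mapping, would document the new knob; the method's closing brace lies outside the hunk.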