zervo/seb-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

prod

Browse source
This commit is contained in:
anhefti 2019-08-29 14:12:13 +02:00
parent 956df03cc1
commit 9b47374373
9 changed files with 37 additions and 107 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
docker/gencerts/Dockerfile
View file

@ -1,28 +0,0 @@
FROM openjdk:11-jre-stretch
RUN apt-get update && apt-get install -y openssl
ENV KEYSTORE_PWD=
ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich"
ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
VOLUME /certs
WORKDIR /certs
# This works on windows
CMD openssl genrsa -out ca-key.pem 2048 \
&& openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
&& openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout server-key.pem -out server-req.pem \
&& openssl rsa -in server-key.pem -out server-key.pem \
&& openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
&& openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout client-key.pem -out client-req.pem \
&& openssl rsa -in client-key.pem -out client-key.pem \
&& openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
&& openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
&& openssl x509 -in ca.pem -inform pem -out ca.der -outform der \
&& openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
&& keytool -importkeystore -destkeystore seb-server-keystore.pkcs12 -deststorepass "${KEYSTORE_PWD}" -srckeystore client-cert.pkcs12 -srcstoretype PKCS12 -srcstorepass "${KEYSTORE_PWD}" \
&& keytool -import -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt
# This doesn't work on windows!?
#CMD /gencerts.sh

23
docker/gencerts/certs.cnf
View file

@ -1,23 +0,0 @@
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
ST = Zuerich
L = Zuerich
O = ETH
CN = localhost
[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = seb-server-mariadb
DNS.4 = seb-server

9
docker/mariadb/mariadb.cnf
View file

@ -1,9 +0,0 @@
[mysqld]
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
[client]
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/client-cert.pem
ssl-key=/etc/mysql/certs/client-key.pem

7
docker/prod/standalone/selfsigned/application-prod.properties
View file

@ -10,10 +10,10 @@ server.servlet.context-path=/
security.require-ssl=true security.require-ssl=true
server.ssl.key-store-type=PKCS12 server.ssl.key-store-type=PKCS12
server.ssl.key-store=C:/dev/workspaces/sebserver/seb-server/docker/prod/standalone/selfsigned/certs/seb-server-keystore.pkcs12 server.ssl.key-store=/certs/seb-server-keystore.pkcs12
server.ssl.key-store-password=${sebserver.certs.password} server.ssl.key-store-password=${sebserver.certs.password}
server.ssl.key-password=${sebserver.certs.password} server.ssl.key-password=${sebserver.certs.password}
server.ssl.trust-store=C:/dev/workspaces/sebserver/seb-server/docker/prod/standalone/selfsigned/certs/seb-server-truststore.pkcs12 server.ssl.trust-store=/certs/seb-server-truststore.pkcs12
server.ssl.trust-store-password=${sebserver.certs.password} server.ssl.trust-store-password=${sebserver.certs.password}
server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2 server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2
@ -21,12 +21,13 @@ server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2
### SEB Server Overall ### SEB Server Overall
# Default logging level in the form "logging.level" + namespace=LEVEL # Default logging level in the form "logging.level" + namespace=LEVEL
logging.level.ch=DEBUG logging.level.ch=INFO
logging.file=log/sebserver.log logging.file=log/sebserver.log
# If webservice or gui runs on ssl and this flag is true, an integrated redirect from http to https is activated # If webservice or gui runs on ssl and this flag is true, an integrated redirect from http to https is activated
# Disable this if a redirect is done by a pre-processing proxy # Disable this if a redirect is done by a pre-processing proxy
sebserver.ssl.redirect.enabled=true sebserver.ssl.redirect.enabled=true
sebserver.ssl.redirect.html.port=8080
########################################################## ##########################################################
### SEB Server Webservice configuration ### SEB Server Webservice configuration

17
docker/prod/standalone/selfsigned/certs.Dockerfile
View file

@ -2,26 +2,27 @@ FROM openjdk:11-jre-stretch
RUN apt-get update && apt-get install -y openssl RUN apt-get update && apt-get install -y openssl
ENV OPENSSL_SUBJ="/C=CH/ST=Zuerich/L=Zuerich" ENV OPENSSL_SUBJ="/C=CH/ST=Zurich/L=Zurich"
ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=SEB_SEVER_CN" ENV OPENSSL_CA="${OPENSSL_SUBJ}/CN=demo-CA"
ENV OPENSSL_SERVER="${OPENSSL_SUBJ}/CN=localhost"
ENV OPENSSL_CLIENT="${OPENSSL_SUBJ}/CN=localhost"
ENV ADDITIONAL_DNS="dns:localhost,dns:127.0.0.1,dns:seb-server"
ENV KEYSTORE_PWD=
VOLUME /certs VOLUME /certs
WORKDIR /certs WORKDIR /certs
RUN export $(grep -v '^#' secrets | xargs)
CMD openssl genrsa -out ca-key.pem 2048 \ CMD openssl genrsa -out ca-key.pem 2048 \
&& openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \ && openssl req -new -x509 -key ca-key.pem -nodes -days 3600 -subj "${OPENSSL_CA}" -out ca.pem \
&& openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout server-key.pem -out server-req.pem \ && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_SERVER}" -keyout server-key.pem -out server-req.pem \
&& openssl rsa -in server-key.pem -out server-key.pem \ && openssl rsa -in server-key.pem -out server-key.pem \
&& openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \ && openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem \
&& openssl req -newkey rsa:2048 -days 3600 -nodes -config certs.cnf -keyout client-key.pem -out client-req.pem \ && openssl req -newkey rsa:2048 -days 3600 -nodes -subj "${OPENSSL_CLIENT}" -keyout client-key.pem -out client-req.pem \
&& openssl rsa -in client-key.pem -out client-key.pem \ && openssl rsa -in client-key.pem -out client-key.pem \
&& openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \ && openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem \
&& openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \ && openssl verify -CAfile ca.pem server-cert.pem client-cert.pem \
&& openssl x509 -in ca.pem -inform pem -out ca.der -outform der \
&& openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \ && openssl pkcs12 -export -out client-cert.pkcs12 -in client-cert.pem -inkey client-key.pem -passout pass:"${KEYSTORE_PWD}" \
&& keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zuerich, S=Zuerich, C=CH" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \ && keytool -genkeypair -alias sebserver -dname "CN=localhost, OU=ETHZ, O=ETHZ, L=Zurich, S=Zurich, C=CH" -ext san="${ADDITIONAL_DNS}" -keyalg RSA -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore seb-server-keystore.pkcs12 -storepass "${KEYSTORE_PWD}" -validity 3650 \
&& keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \ && keytool -export -alias sebserver -keystore seb-server-keystore.pkcs12 -rfc -file sebserver.cert -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
&& keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \ && keytool -importcert -trustcacerts -alias sebserver -file sebserver.cert -keystore seb-server-truststore.pkcs12 -storetype PKCS12 -storepass "${KEYSTORE_PWD}" -noprompt \
&& keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \ && keytool -import -alias mariadb-ca -file ca.pem -keystore seb-server-truststore.pkcs12 -storepass "${KEYSTORE_PWD}" -srcstoretype PKCS12 -noprompt \

23
docker/prod/standalone/selfsigned/certs.cnf
View file

@ -1,23 +0,0 @@
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
ST = Zuerich
L = Zuerich
O = ETHZ
CN = localhost
[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = seb-server-mariadb
DNS.4 = seb-server

20
docker/prod/standalone/selfsigned/docker-compose.yml
View file

@ -7,11 +7,8 @@ services:
container_name: gencerts container_name: gencerts
volumes: volumes:
- ./certs:/certs - ./certs:/certs
- ./certs.cnf:/certs/certs.cnf env_file:
- ./secrets:/certs/secrets - secrets
environment:
- SERVER_CN=seb-server-mariadb
- CLIENT_CN=seb-server-mariadb
mariadb: mariadb:
image: "mariadb/server:10.3" image: "mariadb/server:10.3"
@ -37,11 +34,22 @@ services:
- GIT_TAG= - GIT_TAG=
- SEBSERVER_VERSION=0.4.1-beta-SNAPSHOT - SEBSERVER_VERSION=0.4.1-beta-SNAPSHOT
container_name: seb-server container_name: seb-server
env_file:
- secrets
environment:
- ADDITIONAL_DNS=dns:127.0.0.1,dns:seb-server
volumes: volumes:
- .:/config - ./application-prod.properties:/sebserver/application-prod.properties
- ./certs:/certs - ./certs:/certs
- ./secrets:/sebserver/secrets
ports: ports:
- 443:443 - 443:443
- 8080:80
logging:
driver: "json-file"
options:
max-size: "200k"
max-file: "10"
networks: networks:
- seb-server-network - seb-server-network
depends_on: depends_on:

14
docker/prod/standalone/selfsigned/sebserver.Dockerfile
View file

@ -21,19 +21,21 @@ FROM openjdk:11-jre-stretch
ARG SEBSERVER_VERSION ARG SEBSERVER_VERSION
ENV SEBSERVER_VERSION=${SEBSERVER_VERSION} ENV SEBSERVER_VERSION=${SEBSERVER_VERSION}
ENV KEYSTORE_PWD=
ENV MYSQL_ROOT_PASSWORD=
ENV SEBSERVER_PWD=
ENV JAVA_NET_DEBUG="ssl:handshake"
WORKDIR /sebserver WORKDIR /sebserver
COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver COPY --from=1 /sebserver/target/seb-server-"$SEBSERVER_VERSION".jar /sebserver
RUN export $(grep -v '^#' secrets | xargs)
ENTRYPOINT exec java \ ENTRYPOINT exec java \
-Djavax.net.debug=SSL \ -Djavax.net.debug="${JAVA_NET_DEBUG}" \
-jar seb-server-"${SEBSERVER_VERSION}".jar \ -jar seb-server-"${SEBSERVER_VERSION}".jar \
--spring.profiles.active=prod \ --spring.profiles.active=prod \
--spring.config.location=file:/config/,classpath:/config/ \ --spring.config.location=file:/sebserver/,classpath:/config/ \
--sebserver.certs.password="${KEYSTORE_PWD}" \ --sebserver.certs.password="${KEYSTORE_PWD}" \
--sebserver.mariadb.password="${MYSQL_ROOT_PASSWORD}" \ --sebserver.mariadb.password="${MYSQL_ROOT_PASSWORD}" \
--sebserver.password="${SEBSERVER_PWD}" \ --sebserver.password="${SEBSERVER_PWD}"
EXPOSE 443 EXPOSE 443 8080

3
src/main/java/ch/ethz/seb/sebserver/SEBServer.java
View file

@ -92,9 +92,10 @@ public class SEBServer {
private Connector redirectConnector(final Environment env) { private Connector redirectConnector(final Environment env) {
final String sslPort = env.getRequiredProperty("server.port"); final String sslPort = env.getRequiredProperty("server.port");
final String httpPort = env.getProperty("sebserver.ssl.redirect.html.port", "80");
final Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol"); final Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
connector.setScheme("http"); connector.setScheme("http");
connector.setPort(80); connector.setPort(Integer.valueOf(httpPort));
connector.setSecure(false); connector.setSecure(false);
connector.setRedirectPort(Integer.valueOf(sslPort)); connector.setRedirectPort(Integer.valueOf(sslPort));
return connector; return connector;