From e2dbd3cc6f25dbb8d4acdd989f49c915351bbd86 Mon Sep 17 00:00:00 2001
From: status404
Date: Fri, 17 Mar 2023 07:05:41 -0100
Subject: [PATCH] Dockerfile: add ssl
---
 docker-compose.yml | 2 +-
 docker/Dockerfile | 21 ++++----
 docker/README.md | 4 +-
 ...bitdeals-test.asc => bitdeals-testnet.asc} | 0
 docker/entrypoint.sh | 51 ++++++++++++------
 docker/nginx.conf | 53 +++++++++++++++----
 6 files changed, 92 insertions(+), 39 deletions(-)
 rename docker/{bitdeals-test.asc => bitdeals-testnet.asc} (100%)
diff --git a/docker-compose.yml b/docker-compose.yml
index 709f56b..e98ef9c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,7 +13,7 @@ services:
 -----END PGP PRIVATE KEY BLOCK-----
 volumes:
- - dm:/etc/dm
+ - dm:/home/dm
 ports:
 - 4999:4999
 - 80:80
diff --git a/docker/Dockerfile b/docker/Dockerfile
index ef6c1df..e0d54c5 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,9 @@
-# syntax=docker/dockerfile:3
+## syntax=docker/dockerfile:3
 ## BitDeals Module Dockerfile
 ## the Module user
-ARG UNAME="module"
+ARG UNAME="dm"
 ARG UHOME="/home/$UNAME"
 ## Base image
@@ -12,15 +12,17 @@ FROM debian:bullseye AS updated-debian
 SHELL ["/bin/bash", "-exo", "pipefail", "-c"]
 LABEL name="BitDeals Module"
-EXPOSE 4999/tcp 80/tcp
+EXPOSE 4999/tcp 80/tcp 443/tcp
 ## Debian update; install dependencies
-ARG DEBIAN_FRONTEND=noninteractive
+ARG DEBIAN_FRONTEND="noninteractive" \
+ DEBCONF_NOWARNINGS="yes"
 RUN apt-get update -y ; \
 apt-get upgrade -y ; \
 apt-get -y install --no-install-recommends locales ; \
 apt-get -y install --no-install-recommends gpg gpg-agent ; \
 apt-get -y install --no-install-recommends nginx ; \
+ apt-get -y install --no-install-recommends openssl ca-certificates ; \
 apt-get clean ; \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* 
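Review bot: Moving the named volume from `/etc/dm` to `/home/dm` means the daemon configuration under `/etc/dm` (the `*.conf` files and the `sites`/`oauth2` JSON that `docker/entrypoint.sh` edits in place) is no longer persisted across container recreation, while the PGP secret key, TLS key and Bitcoin key backup that this commit places under `$UHOME` now are. That looks intentional, since the entrypoint appears to re-derive the config from `DM_*` variables on each start, but nothing says so; a comment on the volume entry, `# persists key material only; /etc/dm is rebuilt from DM_* variables at start-up`, would stop the next operator from assuming config edits survive. If both should survive, mount `/etc/dm` as well. The same mount change is mirrored in the two README hunks.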
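Review bot: Doubling the `#` on the first line turns the parser directive into an ordinary comment, so the build now uses whatever frontend the daemon ships with instead of a pinned one, and the hunk gives no reason for the change. If the intent was to get rid of `docker/dockerfile:3`, which does not appear to be a published frontend tag, the documented form is `# syntax=docker/dockerfile:1` (single `#`, first line of the file). Pinning matters here because the next hunk relies on the multi-key `ARG DEBIAN_FRONTEND="noninteractive" \ DEBCONF_NOWARNINGS="yes"` form, which is then guaranteed by the frontend rather than by the host's Docker version.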
@@ -36,7 +38,8 @@ RUN useradd --create-home --home-dir $UHOME $UNAME
 FROM updated-debian AS development
 ## Debian update; install dependencies for: C++ compiler; OpenPGP; Libbitcoin
-ARG DEBIAN_FRONTEND=noninteractive
+ARG DEBIAN_FRONTEND="noninteractive" \
+ DEBCONF_NOWARNINGS="yes"
 RUN apt-get -y update
 RUN apt-get -y install --no-install-recommends build-essential libssl-dev libcurl4-openssl-dev make cmake gcc g++ git
 RUN apt-get -y install --no-install-recommends libgmp-dev libbz2-dev libzip-dev
@@ -71,9 +74,10 @@ RUN su -l --shell /bin/bash $UNAME -c 'wget https://raw.githubusercontent.com/li
 cd $UHOME ; \
 sed -i '/git clone / s/git.*$/while true; do & \&\& break; done/' install.sh ; \
 sed -i '/$WGET / s/$WGET.*$/while true; do & \&\& break; done/' install.sh ; \
- ./install.sh --build-boost --build-zmq --disable-shared
+ ./install.sh --verbose --build-boost --build-zmq --disable-shared
 ## Install BitDeals module (apostol-dm)
+#cmake -DCMAKE_BUILD_TYPE=Debug . -B cmake-build-debug' ; \
 RUN su -l --shell /bin/bash $UNAME -c 'cd '$UHOME' ; \
 git clone https://git.bitdeals.org/private/apostol-dm.git ; \
 cd apostol-dm ; \ 
@@ -97,16 +101,15 @@ FROM updated-debian ARG UNAME ARG UHOME - ENV UNAME=$UNAME -ENV LC_ALL=ru_RU.UTF-8 +ENV UHOME=$UHOME COPY --from=development /usr/local/ /usr/local/ COPY --from=development /etc/dm/ /etc/dm/ COPY --from=development /usr/sbin/dm /usr/sbin/dm COPY --from=development /etc/init.d/dm /etc/init.d/dm COPY --from=development --chown=www-data:www-data $UHOME/web-build/build /var/www/web -COPY --from=development --chown=$UNAME:$UNAME $UHOME/apostol-dm/docker/bitdeals-test.asc /etc/dm/bitdeals-test.asc +COPY --from=development --chown=$UNAME:$UNAME $UHOME/apostol-dm/docker/bitdeals-test.asc /etc/dm/bitdeals-testnet.asc #COPY --from=development --chown=$UNAME:$UNAME $UHOME/apostol-dm/docker/bitdeals.asc /etc/dm/bitdeals.asc COPY --from=development $UHOME/apostol-dm/docker/entrypoint.sh /entrypoint.sh COPY nginx.conf /etc/nginx/sites-enabled/default diff --git a/docker/README.md b/docker/README.md index ff6520e..ecef53d 100644 --- a/docker/README.md +++ b/docker/README.md @@ -36,7 +36,7 @@ services: -----END PGP PRIVATE KEY BLOCK----- volumes: - - dm:/etc/dm + - dm:/home/dm ports: - 127.0.0.1:4999:4999 - 80:80 @@ -56,7 +56,7 @@ docker run -d \ -e DM_LC_ALL=en_US.UTF-8 \ -p 127.0.0.1:4999:4999 \ -p 127.0.0.1:80:80 \ - -v /home/dm/:/etc/dm/ \ + -v /home/dm/:/home/dm/ \ bitdeals/apostol-dm ``` diff --git a/docker/bitdeals-test.asc b/docker/bitdeals-testnet.asc similarity index 100% rename from docker/bitdeals-test.asc rename to docker/bitdeals-testnet.asc diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 87013cb..cd85d99 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
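Review bot: The new `COPY --from=development ... docker/bitdeals-test.asc /etc/dm/bitdeals-testnet.asc` renames only the destination, yet this same commit renames the file in the repository to `bitdeals-testnet.asc`; the development stage obtains the sources by `git clone` with no pinned revision visible in the diff, so as soon as it clones a tree containing the rename the source path no longer exists and the build fails. The source should read `$UHOME/apostol-dm/docker/bitdeals-testnet.asc`. Separately, `ENV UHOME=$UHOME` is now load-bearing at runtime because `entrypoint.sh` builds the PGP, certificate and key paths from it, which is worth a comment on that line such as `# entrypoint.sh derives pgp.sec, fullchain.pem and privkey.pem paths from UHOME`. The rest of this final stage (entrypoint, any `USER`) is outside the hunk.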
@@ -7,21 +7,25 @@ ## ## Web app requires the dmHost address should be accessable from your browser -DM_FORWEB=${DM_FORWEB:-http://127.0.0.1:4999} +DM_FORWEB=${DM_FORWEB:-https://127.0.0.1} DM_WEBAUTH=${DM_WEBAUTH:-0} DM_TESTNET=${DM_TESTNET:-0} ## Daemon config files CONF_FILES=$(find /etc/dm/ -type f -name "*.conf" -not -name "default.conf") BITDEALS_PGP_FILE="/etc/dm/bitdeals.asc" -BITDEALS_TEST_PGP_FILE="/etc/dm/bitdeals-test.asc" -PGP_SEC_FILE="/etc/dm/pgp.sec" +BITDEALS_TEST_PGP_FILE="/etc/dm/bitdeals-testnet.asc" +PGP_SEC_FILE="$UHOME/pgp.sec" BX_CONF_FILE="/usr/local/etc/libbitcoin/bx.cfg" WEB_CONF_FILE="/var/www/web/config.js" WEB_CONF_SITES="/etc/dm/sites/default.json" WEB_CONF_OAUTH="/etc/dm/oauth2/default.json" +WEB_CERT="$UHOME/fullchain.pem" +WEB_KEY="$UHOME/privkey.pem" +WEB_DH="/etc/ssl/dhparam.pem" +BITCOIN_KEYS_BACKUP="$UHOME/bitcoin.backup_and_remove" -#tput variable for log color output +#variable for tput color output export TERM=xterm ## Write a default variables to dm config @@ -49,13 +53,12 @@ fi export LC_ALL="$DM_LC_ALL" ## Add DM_FORWEB to dm oauth config -if ! grep -q "$DM_FORWEB" $WEB_CONF_SITES; then +if ! grep -q "$(basename $DM_FORWEB)" $WEB_CONF_SITES; then sed -i "/\"hosts\":/ s|]|, \"$(basename $DM_FORWEB)\"]|" $WEB_CONF_SITES sed -i -e "/\"redirect_uris\":/ s|$|\n\t\"$DM_FORWEB/oauth2/callback\",|" \ -e "/\"redirect_uris\":/ s|$|\n\t\"$DM_FORWEB/oauth2/code\",|" $WEB_CONF_OAUTH fi - ## Write the PGP keys locations to dm config sed -i "/\[pgp\]/,/\[/ s%^private=.*%private=$PGP_SEC_FILE%" $CONF_FILES @@ -82,6 +85,8 @@ if [ "$DM_TESTNET" = 1 -o "$DM_TESTNET" = true ]; then else sed -i "/\[main\]/,/\[/ s/.*testnet=.*/testnet=false/" $CONF_FILES fi + +## Write PGP key variables to files if [ "$DM_BITDEALS_PGP" ]; then echo "$BITDEALS_PGP" > "$BITDEALS_PGP_FILE" fi 
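Review bot: `PGP_SEC_FILE`, `WEB_CERT`, `WEB_KEY` and `BITCOIN_KEYS_BACKUP` are now built from `$UHOME`, which this script neither sets nor defaults; if the variable is absent (an image built without the matching `ENV UHOME` line, or a `docker run --env` override clearing it) the paths silently collapse to `/pgp.sec`, `/fullchain.pem` and so on, and the PGP secret key is generated into the filesystem root rather than the persisted volume. Add a guard before the first use, e.g. `: "${UHOME:?UHOME must point at the dm home directory}"`, or a default such as `UHOME=${UHOME:-/home/dm}` that matches the Dockerfile's `ARG UHOME`. A one-line comment above the four assignments noting that these files live in the volume mounted at `$UHOME` would also explain why they moved out of `/etc/dm`.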
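Review bot: The changed test `if ! grep -q "$(basename $DM_FORWEB)" $WEB_CONF_SITES` treats the host as an unanchored regular expression: dots match any character and the host can match as a substring of an unrelated entry, in which case the `hosts` and `redirect_uris` insertions below are skipped. A fixed-string match on the quoted value is safer, `if ! grep -qF -- "\"$(basename "$DM_FORWEB")\"" "$WEB_CONF_SITES"; then`. Note also that `basename` only yields the host when `DM_FORWEB` has no path component, which holds for the new default `https://127.0.0.1` but not for a value such as `https://example.com/dm`; a comment stating that expectation next to the `DM_FORWEB` default would help.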
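Review bot: The new heading `## Write PGP key variables to files` now labels a block whose condition and body disagree: `if [ "$DM_BITDEALS_PGP" ]` is tested but `"$BITDEALS_PGP"` is written, so when only the `DM_`-prefixed variable is set, `/etc/dm/bitdeals.asc` is created empty (unless `BITDEALS_PGP` is set somewhere the hunk does not show). Either write `echo "$DM_BITDEALS_PGP" > "$BITDEALS_PGP_FILE"` or test the variable that is actually written. The remaining `if` branches of this block continue past the hunk.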
@@ -93,7 +98,7 @@ if [ "$DM_PGP_SEC" ]; then fi ## Create user PGP key if the file is empty -if [ ! -e "$PGP_SEC_FILE" ] +if [ ! -f "$PGP_SEC_FILE" ] then [ "$DM_ACCOUNT_URL" ] || \ { echo -en "\nGenerating new PGP key...\nPlease enter your site URL like https://example.com : " ; \ @@ -152,11 +157,11 @@ fi ## Create new Bitcoin keys. If user address (_DM_BITCOIN var) is empty. _DM_BITCOIN="$(sed -n '/^[ \t]*\[module\]/,/\[/s/^[ \t]*address[ \t]*=[ \t]*//p' $CONF_FILES)" +B=$(tput bold ; tput setaf 1) +N=$(tput sgr0) + if [ -z "$_DM_BITCOIN" ] then - B=$(tput bold ; tput setaf 1) - N=$(tput sgr0) - ## Generate bitcoin keys PRIVKEY="$(cat /dev/random | tr -cd "[:digit:]" | head -c 64)" PUBKEY="$(bx ec-to-public $PRIVKEY)" @@ -167,17 +172,31 @@ then sed -i "/\[module\]/,/\[/ s/^address=.*/address=$BITCOIN/" $CONF_FILES ## Show bitcoin key - cat <<-EOF + tee -a $BITCOIN_KEYS_BACKUP <<-EOF - Please backup this BITCOIN KEY: + ${B}Please backup this BITCOIN KEY:${N} Private key (raw form): $PRIVKEY - Private key (WIF form): ${B}$PRIVKEYWIF${N} - Public key: $PUBKEY - Bitcoin address: $BITCOIN + Private key (WIF form): $PRIVKEYWIF + Public key: $PUBKEY + Bitcoin address: $BITCOIN EOF + chmod 600 $BITCOIN_KEYS_BACKUP else - echo -e "NOTE: Your Bitcoin address: $_DM_BITCOIN" + test -f $BITCOIN_KEYS_BACKUP \ + && echo -e "NOTE: Your Bitcoin key saved to $(dirname $BITCOIN_KEYS_BACKUP)/${B}$(basename $BITCOIN_KEYS_BACKUP)${N}"\ + || echo -e "NOTE: Your ${B}Bitcoin${N} address: $_DM_BITCOIN" +fi + +## Generate self-signed certificate +if ! [ -f $WEB_KEY -a -f $WEB_CERT ]; then + openssl req -x509 -nodes -days 365 -newkey rsa:2048 -batch \ + -keyout $WEB_KEY \ + -out $WEB_CERT +fi +if ! [ -f $WEB_DH ]; then + echo "Generating DH parameters, 1024 bit long safe prime" + openssl dhparam -out $WEB_DH 1024 2>/dev/null fi ## Run the daemon diff --git a/docker/nginx.conf b/docker/nginx.conf index 06678f7..d31daa1 100644 --- a/docker/nginx.conf +++ b/docker/nginx.conf 
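Review bot: Hoisting `B`/`N` out of the `if` is fine, but the key derivation two lines below them in this hunk deserves a look: `PRIVKEY="$(cat /dev/random | tr -cd "[:digit:]" | head -c 64)"` keeps only decimal digits, so the 64-character hex string handed to `bx ec-to-public` is drawn from 10^64 (roughly 2^213) values rather than the full 256-bit range, and every byte wastes part of its entropy. Since this commit installs `openssl` in the runtime stage, `PRIVKEY="$(openssl rand -hex 32)"` yields a uniformly distributed 32-byte secret with less code. A comment such as `# 32 random bytes as hex; bx expects a 64-hex-digit secret` on that line would document the expected format.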
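Review bot: `openssl dhparam -out $WEB_DH 1024` generates 1024-bit DH parameters, below the 2048-bit minimum current guidance expects, and with Debian's default `SECLEVEL=2` OpenSSL configuration on bullseye the DHE handshake is likely to be rejected outright; use `openssl dhparam -out $WEB_DH 2048` and, because `/etc/ssl/dhparam.pem` lives in the image rather than the volume, consider generating it once at build time in the Dockerfile so each fresh container does not pay the cost (and suppress stderr only after confirming it succeeds, since `2>/dev/null` currently hides any failure). In the Bitcoin branch, `chmod 600 $BITCOIN_KEYS_BACKUP` runs after `tee -a` has already created the file under the default umask, so pre-create it with `install -m 600 /dev/null "$BITCOIN_KEYS_BACKUP"` before the `tee`; the private key is also still echoed to stdout by `tee`, where it ends up in the container log. The self-signed certificate is issued for `-days 365` but only regenerated when a file is missing, so it will expire after a year unless removed by hand; a comment saying so next to the `if ! [ -f $WEB_KEY -a -f $WEB_CERT ]` check is the minimum, an expiry check the better fix.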
@@ -12,17 +12,48 @@ server { root /var/www/web; index index.html; try_files $uri $uri/ /index.html; - -# location ^~ /api/ { -# proxy_pass http://127.0.0.1:4999; -# proxy_http_version 1.1; -# proxy_set_header Host $host; -# proxy_set_header Connection "close"; -# proxy_set_header X-Forwarded-Proto $scheme; -# proxy_set_header X-Real-IP $remote_addr; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# } - } + + location ^~ /api/ { + proxy_pass http://127.0.0.1:4999; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header Connection "close"; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } +} + +server { + + index index.html; + + server_name _; + + rewrite ^/$ /dm/ permanent; + + location / { + root /var/www/web; + index index.html; + try_files $uri $uri/ /index.html; + } + + location ^~ /api/ { + proxy_pass http://127.0.0.1:4999; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header Connection "close"; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + ssl_certificate /home/dm/fullchain.pem; + ssl_certificate_key /home/dm/privkey.pem; + ssl_dhparam /etc/ssl/dhparam.pem; + }
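Review bot: The new TLS `server` block sets certificate, key and DH parameters but no `ssl_protocols`, so the nginx shipped in bullseye (1.18) appears to fall back to a built-in default that still enables TLSv1 and TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;` beside the `ssl_*` lines. The port-80 server block above (its opening lines are outside the hunk) keeps serving the application and the now un-commented `/api/` proxy in plaintext even though `DM_FORWEB` defaults to `https://` in this commit; unless HTTP access is intended, replace that block's body with `return 301 https://$host$request_uri;` or at least drop the `/api/` location from it. Both blocks set `X-Forwarded-Proto $scheme`, so the backend can distinguish the two if both are kept.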