Dockerfile: add ssl

2023-03-17 07:05:41 -01:00
parent f02ec2cad2
commit e2dbd3cc6f
6 changed files with 92 additions and 39 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,9 @@
-# syntax=docker/dockerfile:3
+## syntax=docker/dockerfile:3

 ## BitDeals Module Dockerfile

 ## the Module user
-ARG UNAME="module"
+ARG UNAME="dm"
 ARG UHOME="/home/$UNAME"

 ## Base image
@@ -12,15 +12,17 @@ FROM debian:bullseye AS updated-debian
 SHELL ["/bin/bash", "-exo", "pipefail", "-c"]

 LABEL name="BitDeals Module"
-EXPOSE 4999/tcp 80/tcp
+EXPOSE 4999/tcp 80/tcp 443/tcp

 ## Debian update; install dependencies
-ARG DEBIAN_FRONTEND=noninteractive
+ARG DEBIAN_FRONTEND="noninteractive" \
+        DEBCONF_NOWARNINGS="yes"
 RUN apt-get update -y ; \
 	apt-get upgrade -y ; \
 	apt-get -y install --no-install-recommends locales ; \
 	apt-get -y install --no-install-recommends gpg gpg-agent ; \
 	apt-get -y install --no-install-recommends nginx ; \
+	apt-get -y install --no-install-recommends openssl ca-certificates ; \
 	apt-get clean ; \
 	rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
@@ -36,7 +38,8 @@ RUN useradd --create-home --home-dir $UHOME $UNAME
 FROM updated-debian AS development

 ## Debian update; install dependencies for: C++ compiler; OpenPGP; Libbitcoin
-ARG DEBIAN_FRONTEND=noninteractive
+ARG DEBIAN_FRONTEND="noninteractive" \
+        DEBCONF_NOWARNINGS="yes"
 RUN apt-get -y update 
 RUN apt-get -y install --no-install-recommends build-essential libssl-dev libcurl4-openssl-dev make cmake gcc g++ git 
 RUN apt-get -y install --no-install-recommends libgmp-dev libbz2-dev libzip-dev 
@@ -71,9 +74,10 @@ RUN su -l --shell /bin/bash $UNAME -c 'wget https://raw.githubusercontent.com/li
 	cd $UHOME ; \
 	sed -i '/git clone / s/git.*$/while true; do & \&\& break; done/' install.sh ; \
 	sed -i '/$WGET / s/$WGET.*$/while true; do & \&\& break; done/' install.sh ; \
-	./install.sh --build-boost --build-zmq --disable-shared 
+	./install.sh --verbose --build-boost --build-zmq --disable-shared 

 ## Install BitDeals module (apostol-dm)
+#cmake -DCMAKE_BUILD_TYPE=Debug . -B cmake-build-debug' ; \
 RUN su -l --shell /bin/bash $UNAME -c 'cd '$UHOME' ; \
 	git clone https://git.bitdeals.org/private/apostol-dm.git ; \
 	cd apostol-dm ; \
@@ -97,16 +101,15 @@ FROM updated-debian

 ARG UNAME
 ARG UHOME
-
 ENV UNAME=$UNAME
-ENV LC_ALL=ru_RU.UTF-8 
+ENV UHOME=$UHOME

 COPY --from=development /usr/local/ /usr/local/
 COPY --from=development /etc/dm/ /etc/dm/
 COPY --from=development /usr/sbin/dm /usr/sbin/dm
 COPY --from=development /etc/init.d/dm /etc/init.d/dm
 COPY --from=development --chown=www-data:www-data $UHOME/web-build/build /var/www/web
-COPY --from=development --chown=$UNAME:$UNAME $UHOME/apostol-dm/docker/bitdeals-test.asc /etc/dm/bitdeals-test.asc
+COPY --from=development --chown=$UNAME:$UNAME $UHOME/apostol-dm/docker/bitdeals-test.asc /etc/dm/bitdeals-testnet.asc
 #COPY --from=development --chown=$UNAME:$UNAME $UHOME/apostol-dm/docker/bitdeals.asc /etc/dm/bitdeals.asc
 COPY --from=development $UHOME/apostol-dm/docker/entrypoint.sh /entrypoint.sh
 COPY nginx.conf /etc/nginx/sites-enabled/default
--- a/docker/README.md
+++ b/docker/README.md
@@ -36,7 +36,7 @@ services:
        -----END PGP PRIVATE KEY BLOCK-----

    volumes:
-      - dm:/etc/dm
+      - dm:/home/dm
    ports:
      - 127.0.0.1:4999:4999 
      - 80:80
@@ -56,7 +56,7 @@ docker run -d \
  -e DM_LC_ALL=en_US.UTF-8 \
  -p 127.0.0.1:4999:4999 \
  -p 127.0.0.1:80:80 \
-  -v /home/dm/:/etc/dm/ \ 
+  -v /home/dm/:/home/dm/ \ 
  bitdeals/apostol-dm
 ```

--- a/docker/bitdeals-testnet.asc
+++ b/docker/bitdeals-testnet.asc
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -7,21 +7,25 @@
 ##

 ## Web app requires the dmHost address should be accessable from your browser
-DM_FORWEB=${DM_FORWEB:-http://127.0.0.1:4999}
+DM_FORWEB=${DM_FORWEB:-https://127.0.0.1}
 DM_WEBAUTH=${DM_WEBAUTH:-0}
 DM_TESTNET=${DM_TESTNET:-0}

 ## Daemon config files
 CONF_FILES=$(find /etc/dm/ -type f -name "*.conf" -not -name "default.conf")
 BITDEALS_PGP_FILE="/etc/dm/bitdeals.asc"
-BITDEALS_TEST_PGP_FILE="/etc/dm/bitdeals-test.asc"
-PGP_SEC_FILE="/etc/dm/pgp.sec"
+BITDEALS_TEST_PGP_FILE="/etc/dm/bitdeals-testnet.asc"
+PGP_SEC_FILE="$UHOME/pgp.sec"
 BX_CONF_FILE="/usr/local/etc/libbitcoin/bx.cfg"
 WEB_CONF_FILE="/var/www/web/config.js"
 WEB_CONF_SITES="/etc/dm/sites/default.json"
 WEB_CONF_OAUTH="/etc/dm/oauth2/default.json"
+WEB_CERT="$UHOME/fullchain.pem"
+WEB_KEY="$UHOME/privkey.pem"
+WEB_DH="/etc/ssl/dhparam.pem"
+BITCOIN_KEYS_BACKUP="$UHOME/bitcoin.backup_and_remove"

-#tput variable for log color output
+#variable for tput color output
 export TERM=xterm

 ## Write a default variables to dm config
@@ -49,13 +53,12 @@ fi
 	export LC_ALL="$DM_LC_ALL"

 ## Add DM_FORWEB to dm oauth config
-if ! grep -q "$DM_FORWEB" $WEB_CONF_SITES; then
+if ! grep -q "$(basename $DM_FORWEB)" $WEB_CONF_SITES; then
 	sed -i "/\"hosts\":/  s|]|, \"$(basename $DM_FORWEB)\"]|" $WEB_CONF_SITES
 	sed -i -e "/\"redirect_uris\":/  s|$|\n\t\"$DM_FORWEB/oauth2/callback\",|" \
 	       -e "/\"redirect_uris\":/  s|$|\n\t\"$DM_FORWEB/oauth2/code\",|" $WEB_CONF_OAUTH
 fi

-
 ## Write the PGP keys locations to dm config
 sed -i "/\[pgp\]/,/\[/ s%^private=.*%private=$PGP_SEC_FILE%" $CONF_FILES

@@ -82,6 +85,8 @@ if [ "$DM_TESTNET" = 1 -o "$DM_TESTNET" = true ]; then
 else
 	sed -i "/\[main\]/,/\[/ s/.*testnet=.*/testnet=false/" $CONF_FILES
 fi
+
+## Write PGP key variables to files
 if [ "$DM_BITDEALS_PGP" ]; then
 	echo "$BITDEALS_PGP" > "$BITDEALS_PGP_FILE"
 fi
@@ -93,7 +98,7 @@ if [ "$DM_PGP_SEC" ]; then
 fi

 ## Create user PGP key if the file is empty
-if [ ! -e "$PGP_SEC_FILE" ] 
+if [ ! -f "$PGP_SEC_FILE" ] 
 then
 	[ "$DM_ACCOUNT_URL" ] || \
 		{ echo -en "\nGenerating new PGP key...\nPlease enter your site URL like https://example.com : " ; \
@@ -152,11 +157,11 @@ fi
 ## Create new Bitcoin keys. If user address (_DM_BITCOIN var) is empty.
 _DM_BITCOIN="$(sed -n '/^[ \t]*\[module\]/,/\[/s/^[ \t]*address[ \t]*=[ \t]*//p' $CONF_FILES)"

+B=$(tput bold ; tput setaf 1)
+N=$(tput sgr0)
+
 if [ -z "$_DM_BITCOIN" ]
 then
-	B=$(tput bold ; tput setaf 1)
-	N=$(tput sgr0)
-
 	## Generate bitcoin keys
 	PRIVKEY="$(cat /dev/random | tr -cd "[:digit:]" | head -c 64)"
 	PUBKEY="$(bx ec-to-public $PRIVKEY)"
@@ -167,17 +172,31 @@ then
 	sed -i "/\[module\]/,/\[/ s/^address=.*/address=$BITCOIN/" $CONF_FILES

 	## Show bitcoin key
-	cat <<-EOF
+	tee -a $BITCOIN_KEYS_BACKUP <<-EOF

-	Please backup this	BITCOIN KEY:
+	${B}Please backup this 	BITCOIN KEY:${N}
 	Private key (raw form):	$PRIVKEY
-	Private key (WIF form):	${B}$PRIVKEYWIF${N}
-	Public key:		$PUBKEY
-	Bitcoin address:	$BITCOIN
+	Private key (WIF form):	$PRIVKEYWIF
+ 	Public key:		$PUBKEY
+	Bitcoin address:    	$BITCOIN

 EOF
+	chmod 600 $BITCOIN_KEYS_BACKUP
 else
-	echo -e "NOTE: Your Bitcoin address: $_DM_BITCOIN"
+	test -f $BITCOIN_KEYS_BACKUP \
+	&& echo -e "NOTE: Your Bitcoin key saved to $(dirname $BITCOIN_KEYS_BACKUP)/${B}$(basename $BITCOIN_KEYS_BACKUP)${N}"\
+	|| echo -e "NOTE: Your ${B}Bitcoin${N} address: $_DM_BITCOIN"
+fi
+
+## Generate self-signed certificate
+if ! [ -f $WEB_KEY -a -f $WEB_CERT ]; then
+        openssl req -x509 -nodes -days 365 -newkey rsa:2048 -batch \
+                -keyout $WEB_KEY \
+                -out $WEB_CERT
+fi
+if ! [ -f $WEB_DH ]; then
+	echo "Generating DH parameters, 1024 bit long safe prime"
+	openssl dhparam -out $WEB_DH 1024 2>/dev/null
 fi

 ## Run the daemon
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -12,17 +12,48 @@ server {
                root /var/www/web;
                index index.html;
                try_files $uri $uri/ /index.html;
-
-#	location ^~ /api/ {
-#		proxy_pass http://127.0.0.1:4999;
-#		proxy_http_version 1.1;
-#		proxy_set_header Host $host;
-#		proxy_set_header Connection "close";
-#		proxy_set_header X-Forwarded-Proto $scheme;
-#		proxy_set_header X-Real-IP $remote_addr;
-#		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#	}
-
        }
+
+	location ^~ /api/ {
+		proxy_pass http://127.0.0.1:4999;
+		proxy_http_version 1.1;
+		proxy_set_header Host $host;
+		proxy_set_header Connection "close";
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	}
+}
+
+server {
+
+        index index.html;
+
+        server_name _;
+
+        rewrite ^/$ /dm/ permanent;
+
+        location / {
+                root /var/www/web;
+                index index.html;
+                try_files $uri $uri/ /index.html;
+        }
+
+        location ^~ /api/ {
+                proxy_pass http://127.0.0.1:4999;
+                proxy_http_version 1.1;
+                proxy_set_header Host $host;
+                proxy_set_header Connection "close";
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        listen [::]:443 ssl ipv6only=on;
+        listen 443 ssl;
+        ssl_certificate /home/dm/fullchain.pem;
+        ssl_certificate_key /home/dm/privkey.pem;
+        ssl_dhparam /etc/ssl/dhparam.pem;
+
 }