Volume to modsecurity

GON-3874-DD-moodle
Manuel Caballero 2022-11-21 10:37:02 +00:00 committed by Evilham
parent c19872dadb
commit 392f8e0ee9
No known key found for this signature in database
GPG Key ID: AE3EE30D970886BF
9 changed files with 160 additions and 4 deletions

2
dd-ctl
View File

@ -216,7 +216,7 @@ build_compose(){
# Build compose ymls # Build compose ymls
docker-compose \ docker-compose \
"${MODSECURITY}" "${HAPROXY_WAF}" \ $MODSECURITY $HAPROXY_WAF \
\ \
-f dd-sso/docker-compose-parts/$BEHIND \ -f dd-sso/docker-compose-parts/$BEHIND \
-f dd-sso/docker-compose-parts/api.yml \ -f dd-sso/docker-compose-parts/api.yml \

View File

@ -21,7 +21,13 @@ ARG HAPROXY_IMG
FROM $HAPROXY_IMG as production FROM $HAPROXY_IMG as production
USER root USER root
RUN apk add openssl py-pip RUN apk add openssl certbot py-pip
RUN pip install certbot-plugin-gandi
COPY letsencrypt-hook-deploy-concatenante.sh /usr/local/sbin/
COPY letsencrypt.sh /usr/local/sbin/
COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew
COPY auto-generate-certs.sh /usr/local/sbin/
COPY docker-entrypoint.sh /usr/local/bin/ COPY docker-entrypoint.sh /usr/local/bin/
RUN ln -s /usr/local/bin/docker-entrypoint.sh / RUN ln -s /usr/local/bin/docker-entrypoint.sh /

View File

@ -0,0 +1,50 @@
#
# Copyright © 2021,2022 IsardVDI S.L.
#
# This file is part of DD
#
# DD is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# DD is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License
# along with DD. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
cd /certs
# Self signed cert generic data
C=CA
L=Barcelona
O=localdomain
CN_CA=$O
CN_HOST=*.$O
OU=$O
echo '#### Creating 2048-bit RSA key:'
openssl genrsa -out ca-key.pem 2048
echo '#### Using the key to create a self-signed certificate to your CA:'
openssl req -new -x509 -days 9999 -key ca-key.pem -out ca-cert.pem -sha256 \
-subj "/C=$C/L=$L/O=$O/CN=$CN_CA"
echo '#### Creating server certificate:'
openssl genrsa -out server-key.pem 2048
echo '#### Creating a certificate signing request for the server:'
openssl req -new -key server-key.pem -sha256 -out server-key.csr \
-subj "/CN=$CN_HOST"
echo '#### Creating server certificate:'
RND=$(( ( RANDOM % 1000 ) + 1 ))
openssl x509 -req -days 9999 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem \
-set_serial $RND -sha256 -out server-cert.pem
echo '#### Concatenate certs for haprox'
cat server-cert.pem server-key.pem > chain.pem

View File

@ -23,6 +23,12 @@ set -e
ln -sf /usr/local/etc/haproxy/${HAPROXY_CFG:-haproxy.normal.cfg} /usr/local/etc/haproxy/haproxy.cfg ln -sf /usr/local/etc/haproxy/${HAPROXY_CFG:-haproxy.normal.cfg} /usr/local/etc/haproxy/haproxy.cfg
LETSENCRYPT_DOMAIN="$DOMAIN" letsencrypt.sh
if [ ! -e "/certs/chain.pem" ]; then
auto-generate-certs.sh
fi
# first arg is `-f` or `--some-option` # first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then if [ "${1#-}" != "$1" ]; then
set -- haproxy "$@" set -- haproxy "$@"

View File

@ -50,7 +50,7 @@ frontend website
mode http mode http
bind :80 bind :80
bind :8888 accept-proxy bind :8888 accept-proxy
#redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc } redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
http-request del-header ssl_client_cert unless { ssl_fc_has_crt } http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt } http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
bind :443 ssl crt /certs/chain.pem bind :443 ssl crt /certs/chain.pem

View File

@ -0,0 +1,23 @@
#!/bin/sh
#
# Copyright © 2021,2022 IsardVDI S.L.
#
# This file is part of DD
#
# DD is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# DD is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License
# along with DD. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /certs/chain.pem
kill -SIGUSR2 1

View File

@ -0,0 +1,21 @@
#!/bin/sh
#
# Copyright © 2021,2022 IsardVDI S.L.
#
# This file is part of DD
#
# DD is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# DD is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License
# along with DD. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
certbot renew --http-01-port 8080 --cert-name sso.$LETSENCRYPT_DOMAIN

View File

@ -0,0 +1,50 @@
#!/bin/sh
#
# Copyright © 2021,2022 IsardVDI S.L.
#
# This file is part of DD
#
# DD is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# DD is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
# details.
#
# You should have received a copy of the GNU Affero General Public License
# along with DD. If not, see <https://www.gnu.org/licenses/>.
#
# SPDX-License-Identifier: AGPL-3.0-or-later
if [ ! -L /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh ]
then
mkdir -p /etc/letsencrypt/renewal-hooks/deploy/
ln -s /usr/local/sbin/letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/
fi
if [ -n "$LETSENCRYPT_DOMAIN" -a -n "$LETSENCRYPT_EMAIL" ]
then
LETSENCRYPT_DOMAIN="$LETSENCRYPT_DOMAIN" crond
if [ "$LETSENCRYPT_DOMAIN_ROOT" == "true" ]
then
option_root_domain="-d $LETSENCRYPT_DOMAIN"
fi
if [ ! -f /certs/chain.pem ]
then
if certbot certonly --standalone -m "$LETSENCRYPT_EMAIL" -n --agree-tos \
-d "sso.$LETSENCRYPT_DOMAIN" \
-d "api.$LETSENCRYPT_DOMAIN" \
-d "admin.$LETSENCRYPT_DOMAIN" \
-d "moodle.$LETSENCRYPT_DOMAIN" \
-d "nextcloud.$LETSENCRYPT_DOMAIN" \
-d "wp.$LETSENCRYPT_DOMAIN" \
-d "oof.$LETSENCRYPT_DOMAIN" \
-d "pad.$LETSENCRYPT_DOMAIN" \
$option_root_domain
then
RENEWED_LINEAGE="/etc/letsencrypt/live/sso.$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh
fi
fi
fi

View File

@ -1,5 +1,5 @@
<VirtualHost *:80> <VirtualHost *:80>
modsecurity On modsecurity Off
modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
ServerAdmin webmaster@localhost ServerAdmin webmaster@localhost
DocumentRoot /var/www/html DocumentRoot /var/www/html