Volume to modsecurity

dd-ctl

@@ -216,7 +216,7 @@ build_compose(){
 
 	# Build compose ymls
 	docker-compose \
-	       		"${MODSECURITY}" "${HAPROXY_WAF}" \
+	       		$MODSECURITY $HAPROXY_WAF \
 					\
 			-f dd-sso/docker-compose-parts/$BEHIND \
 			-f dd-sso/docker-compose-parts/api.yml \

dd-sso/docker/haproxy/Dockerfile

@@ -21,7 +21,13 @@ ARG HAPROXY_IMG
 FROM $HAPROXY_IMG as production
 
 USER root
-RUN apk add openssl py-pip
+RUN apk add openssl certbot py-pip
+RUN pip install certbot-plugin-gandi
+
+COPY letsencrypt-hook-deploy-concatenante.sh /usr/local/sbin/
+COPY letsencrypt.sh /usr/local/sbin/
+COPY letsencrypt-renew-cron.sh /etc/periodic/daily/letsencrypt-renew
+COPY auto-generate-certs.sh /usr/local/sbin/
 
 COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s /usr/local/bin/docker-entrypoint.sh /

dd-sso/docker/haproxy/auto-generate-certs.sh

@@ -0,0 +1,50 @@
+#
+#   Copyright © 2021,2022 IsardVDI S.L.
+#
+#   This file is part of DD
+#
+#   DD is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   DD is distributed in the hope that it will be useful, but WITHOUT ANY
+#   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+#   FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+#   details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with DD. If not, see <https://www.gnu.org/licenses/>.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+cd /certs
+
+# Self signed cert generic data
+C=CA
+L=Barcelona
+O=localdomain
+CN_CA=$O
+CN_HOST=*.$O
+OU=$O
+
+echo '#### Creating 2048-bit RSA key:'
+openssl genrsa -out ca-key.pem 2048
+
+echo '#### Using the key to create a self-signed certificate to your CA:'
+openssl req -new -x509 -days 9999 -key ca-key.pem -out ca-cert.pem -sha256 \
+        -subj "/C=$C/L=$L/O=$O/CN=$CN_CA"
+
+echo '#### Creating server certificate:'
+openssl genrsa -out server-key.pem 2048
+
+echo '#### Creating a certificate signing request for the server:'
+openssl req -new -key server-key.pem -sha256 -out server-key.csr \
+          -subj "/CN=$CN_HOST"
+
+echo '#### Creating  server certificate:'
+RND=$(( ( RANDOM % 1000 ) + 1 ))
+openssl x509 -req -days 9999 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem \
+          -set_serial $RND -sha256 -out server-cert.pem
+
+echo '#### Concatenate certs for haprox'
+cat server-cert.pem server-key.pem > chain.pem

dd-sso/docker/haproxy/docker-entrypoint.sh

@@ -23,6 +23,12 @@ set -e
 
 ln -sf /usr/local/etc/haproxy/${HAPROXY_CFG:-haproxy.normal.cfg} /usr/local/etc/haproxy/haproxy.cfg
 
+LETSENCRYPT_DOMAIN="$DOMAIN" letsencrypt.sh
+
+if [ ! -e "/certs/chain.pem" ]; then
+   auto-generate-certs.sh
+fi
+
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
         set -- haproxy "$@"

dd-sso/docker/haproxy/haproxy.proxy-protocol.conf

@@ -50,7 +50,7 @@ frontend website
     mode http
     bind :80
     bind :8888 accept-proxy
-    #redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
+    redirect scheme https if !{ env(BEHIND_PROXY) -m str true } !{ ssl_fc }
     http-request del-header ssl_client_cert unless { ssl_fc_has_crt }
     http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\  if { ssl_fc_has_crt }
     bind :443 ssl crt /certs/chain.pem

dd-sso/docker/haproxy/letsencrypt-hook-deploy-concatenante.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+#
+#   Copyright © 2021,2022 IsardVDI S.L.
+#
+#   This file is part of DD
+#
+#   DD is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   DD is distributed in the hope that it will be useful, but WITHOUT ANY
+#   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+#   FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+#   details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with DD. If not, see <https://www.gnu.org/licenses/>.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /certs/chain.pem
+
+kill -SIGUSR2 1

dd-sso/docker/haproxy/letsencrypt-renew-cron.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+#   Copyright © 2021,2022 IsardVDI S.L.
+#
+#   This file is part of DD
+#
+#   DD is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   DD is distributed in the hope that it will be useful, but WITHOUT ANY
+#   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+#   FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+#   details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with DD. If not, see <https://www.gnu.org/licenses/>.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+certbot renew --http-01-port 8080 --cert-name sso.$LETSENCRYPT_DOMAIN

dd-sso/docker/haproxy/letsencrypt.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+#
+#   Copyright © 2021,2022 IsardVDI S.L.
+#
+#   This file is part of DD
+#
+#   DD is free software: you can redistribute it and/or modify
+#   it under the terms of the GNU Affero General Public License as published by
+#   the Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   DD is distributed in the hope that it will be useful, but WITHOUT ANY
+#   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+#   FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+#   details.
+#
+#   You should have received a copy of the GNU Affero General Public License
+#   along with DD. If not, see <https://www.gnu.org/licenses/>.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+if [ ! -L /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh ]
+then
+  mkdir -p /etc/letsencrypt/renewal-hooks/deploy/
+  ln -s /usr/local/sbin/letsencrypt-hook-deploy-concatenante.sh /etc/letsencrypt/renewal-hooks/deploy/
+fi
+
+if [ -n "$LETSENCRYPT_DOMAIN" -a -n "$LETSENCRYPT_EMAIL" ]
+then
+  LETSENCRYPT_DOMAIN="$LETSENCRYPT_DOMAIN" crond
+  if [ "$LETSENCRYPT_DOMAIN_ROOT" == "true" ]
+  then
+    option_root_domain="-d $LETSENCRYPT_DOMAIN"
+  fi
+  if [ ! -f /certs/chain.pem ]
+  then
+    if certbot certonly --standalone -m "$LETSENCRYPT_EMAIL" -n --agree-tos \
+      -d "sso.$LETSENCRYPT_DOMAIN" \
+      -d "api.$LETSENCRYPT_DOMAIN" \
+      -d "admin.$LETSENCRYPT_DOMAIN" \
+      -d "moodle.$LETSENCRYPT_DOMAIN" \
+      -d "nextcloud.$LETSENCRYPT_DOMAIN" \
+      -d "wp.$LETSENCRYPT_DOMAIN" \
+      -d "oof.$LETSENCRYPT_DOMAIN" \
+      -d "pad.$LETSENCRYPT_DOMAIN" \
+      $option_root_domain
+    then
+      RENEWED_LINEAGE="/etc/letsencrypt/live/sso.$LETSENCRYPT_DOMAIN" /etc/letsencrypt/renewal-hooks/deploy/letsencrypt-hook-deploy-concatenante.sh
+    fi
+  fi
+fi

dd-waf/docker/modsecurity/vhosts/000-default.conf

@@ -1,5 +1,5 @@
 <VirtualHost *:80>
-	modsecurity On
+	modsecurity Off
 	modsecurity_rules_file /etc/apache2/modsecurity.d/modsec_rules.conf
 	ServerAdmin webmaster@localhost
 	DocumentRoot /var/www/html