Self-cert SSL working🥳

- Improved `fullSetup.sh` - Fixed `local.conf` - `docker-compose-local.yml` now starts up correctly. `curl -I --http2 -k https://localhost` shows that http/2 is working as expected
MattHalloran · Oct 22, 2024 · a5f6090 · a5f6090
1 parent 5e9ed0e
commit a5f6090
Show file tree

Hide file tree

Showing 7 changed files with 88 additions and 27 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 # Ignore mkcert generated files (certificates and keys)
-localhost+*.pem
+certs/
+localhost+*.pem
diff --git a/README.md b/README.md
@@ -31,7 +31,7 @@ Heavily inspired by [this article](https://olex.biz/2019/09/hosting-with-docker-
 2. Run setup script:  
     `chmod +x ./scripts/fullSetup.sh && ./scripts/fullSetup.sh`
 3. Start docker:  
-    a. `sudo docker-compose-local.yml up -d` (note which `.yml` file we're using)
+    a. `sudo docker-compose -f docker-compose.local.yml up -d`
 
 ### Running on a VPS
 1. Set up VPS ([example](https://www.youtube.com/watch?v=Dwlqa6NJdMo&t=142s)).
@@ -47,7 +47,7 @@ Heavily inspired by [this article](https://olex.biz/2019/09/hosting-with-docker-
 5. Run setup script:  
     `chmod +x ./scripts/fullSetup.sh && ./scripts/fullSetup.sh`
 6. Start docker:  
-    a. `sudo docker-compose up -d` (note which `.yml` file we're using)
+    a. `sudo docker-compose -f docker-compose.remote.yml up -d`
 
 
 ## Common commands
@@ -56,6 +56,8 @@ Heavily inspired by [this article](https://olex.biz/2019/09/hosting-with-docker-
 
 
 ## Custom proxy
-Custom proxy configurations can be put in the `my_proxy.conf` file. By default, this only contains one line: `client_max_body_size 100m;`. This raises the maximum payload size for uploading files. This is useful if you'd like users to have the ability to upload multiple images in one request, for example.
+Custom proxy configurations can be put in the `nginx/conf.d/local.conf` or `nginx/conf.d/remote.conf` file, depending on if this will be running locally or remotely. 
+
+By default, the local version contains the standard configuration for self-signed SSL setup. Both versions also contain `client_max_body_size 100m;`. This raises the maximum payload size for uploading files. This is useful if you'd like users to have the ability to upload multiple images in one request, for example.
 
 If you are not using custom configurations, you can remove the docker-compose line `- ./my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro`.
diff --git a/docker-compose-local.yml b/docker-compose-local.yml
@@ -8,9 +8,11 @@ services:
       - "80:80"
       - "443:443"
     volumes:
-      - ./nginx/local.conf:/etc/nginx/conf.d/default.conf
+      - ./nginx/conf.d/local.conf:/etc/nginx/conf.d/local.conf:ro
       - ./certs/localhost+2.pem:/etc/nginx/certs/localhost+2.pem
       - ./certs/localhost+2-key.pem:/etc/nginx/certs/localhost+2-key.pem
+      # Remove default config
+      - /dev/null:/etc/nginx/conf.d/default.conf:ro
     networks:
       - localnet
 

diff --git a/docker-compose.yml → docker-compose-remote.yml b/docker-compose.yml → docker-compose-remote.yml
@@ -15,7 +15,7 @@ services:
       - dhparam:/etc/nginx/dhparam
       - certs:/etc/nginx/certs:ro
       - /var/run/docker.sock:/tmp/docker.sock:ro
-      - ./my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
+      - ./nginx/conf.d/remote.conf:/etc/nginx/conf.d/remote.conf:ro
       - ./50x.html:/usr/share/nginx/html/errors/50x.html:ro
     networks:
       - proxy

diff --git a/nginx/conf.d/local.conf b/nginx/conf.d/local.conf
@@ -0,0 +1,39 @@
+client_max_body_size 100m;
+
+# Enable HTTP/2 globally
+http2 on;
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name localhost;
+
+    # Redirect HTTP to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name localhost;
+
+    ssl_certificate /etc/nginx/certs/localhost+2.pem;
+    ssl_certificate_key /etc/nginx/certs/localhost+2-key.pem;
+
+    ssl_session_cache shared:SSL:1m;
+    ssl_session_timeout  10m;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    # Root directory and index file
+    root /usr/share/nginx/html;
+    index index.html index.htm;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Additional configuration for reverse proxy or other settings can go here
+}
diff --git a/my_proxy.conf → nginx/conf.d/remote.conf b/my_proxy.conf → nginx/conf.d/remote.conf
diff --git a/scripts/fullSetup.sh b/scripts/fullSetup.sh
@@ -7,18 +7,6 @@ set -o pipefail # Exit if piped command (e.g. curl, apt-get) fails
 HERE=$(dirname $0)
 source "${HERE}/utils.sh"
 
-local_dev=false
-while [[ "$#" -gt 0 ]]; do
-    case $1 in
-    --local) local_dev=true ;;
-    *)
-        echo "Unknown parameter passed: $1"
-        exit 1
-        ;;
-    esac
-    shift
-done
-
 check_root_privileges() {
     if [[ $EUID -ne 0 ]]; then
         echo "This script must be run as root or with sudo privileges"
@@ -54,22 +42,22 @@ setup_ubuntu() {
 
 setup_docker() {
     header "Installing Docker prerequisites"
-    if ! command -v docker > /dev/null 2>&1; then
+    if ! command -v docker >/dev/null 2>&1; then
         sudo apt-get remove -y docker docker-engine docker.io containerd runc
         sudo apt-get install -y apt-transport-https ca-certificates curl gnupg lsb-release
 
         header "Adding Docker’s official GPG key"
         curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
 
-        echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+        echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
         sudo apt-get update
         sudo apt-get install -y docker-ce docker-ce-cli containerd.io
     fi
 
     header "Verifying Docker Engine"
-    sudo docker run hello-world || true  # Non-blocking
+    sudo docker run hello-world || true # Non-blocking
 
-    if ! getent group docker > /dev/null; then
+    if ! getent group docker >/dev/null; then
         sudo groupadd docker
         sudo usermod -aG docker $USER
     fi
@@ -78,7 +66,7 @@ setup_docker() {
     sudo systemctl enable docker.service
     sudo systemctl enable containerd.service
 
-    if ! command -v docker-compose > /dev/null; then
+    if ! command -v docker-compose >/dev/null; then
         header "Installing Docker Compose"
         sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
         sudo chmod +x /usr/local/bin/docker-compose
@@ -91,7 +79,7 @@ setup_docker() {
 }
 
 setup_self_cert() {
-    if ! command -v mkcert > /dev/null; then
+    if ! command -v mkcert >/dev/null; then
         header "Installing mkcert for local SSL development certificates"
         sudo apt-get install -y libnss3-tools
         curl -L "https://github.com/FiloSottile/mkcert/releases/download/v1.4.4/mkcert-v1.4.4-linux-amd64" -o mkcert
@@ -101,12 +89,19 @@ setup_self_cert() {
     fi
 
     header "Generating SSL certificates for localhost"
-    if [ ! -f "localhost+2.pem" ]; then
+    local CERT_DIR="${HERE}/../certs"
+    mkdir -p "${CERT_DIR}"
+    if [ ! -f "${CERT_DIR}/localhost+2.pem" ]; then
+        cd "${CERT_DIR}"
         mkcert localhost 127.0.0.1 ::1
-        info "Certificates generated at: $(pwd)"
+        info "Certificates generated at: ${CERT_DIR}"
+        cd -
     else
         info "Existing SSL certificates found. Skipping regeneration."
     fi
+
+    # Ensure the certificates are readable
+    chmod 644 "${CERT_DIR}/localhost+2.pem"
 }
 
 purge_nginx() {
@@ -141,11 +136,33 @@ setup_firewall() {
     sudo sysctl -p
 }
 
+SERVER_LOCATION="local" # Default to local
 main() {
+    while [[ $# -gt 0 ]]; do
+        key="$1"
+        case $key in
+        -l | --location)
+            if [ -z "$2" ] || [[ "$2" == -* ]]; then
+                echo "Error: Option $key requires an argument."
+                exit 1
+            fi
+            SERVER_LOCATION="${2}"
+            shift # past argument
+            shift # past value
+            ;;
+        -h | --help)
+            echo "Usage: $0 [-l SERVER_LOCATION] [-h]"
+            echo "  -l --location: Server location (e.g. \"local\", \"remote\")"
+            echo "  -h --help: Show this help message"
+            exit 0
+            ;;
+        esac
+    done
+
     check_root_privileges
     setup_ubuntu
     setup_docker
-    if [ "$local_dev" = true ]; then
+    if [ "$SERVER_LOCATION" == "local" ]; then
         setup_self_cert
     fi
     purge_nginx