A simple, secure self-destructing message service, using HashiCorp Vault product as a backend.
Read more about the reasoning behind this project in the relevant blog post.
Now using Let's Encrypt for simple and free SSL certs!
You can just run docker-compose up --build: it will build the Docker image and then run it alongside a standalone Vault server.
By default, the docker-compose.yml is configured to run the webapp on port 8082 in cleartext HTTP (so you can access it on http://localhost:8082).
Optionally, you can modify the docker-compose.yml and tweak the options (enable HTTPS, disable HTTP or enable redirection to HTTPS, etc.). See Configuration options.
We recommend deploying the project via Docker and a container orchestration tool:
- Build the Docker image using the provided
Dockerfile - Host it in a Docker registry (Docker Hub, AWS ECR, etc.)
- Deploy the image (alongside with a standalone Vault server) using a container orchestration tool (Kubernetes, Docker Swarm, AWS ECS, etc.)
You can read the configuration examples below.
Whatever deployment method you choose, you should always run this behind SSL/TLS, otherwise secrets will be sent unencrypted!
Depending on your infrastructure/deployment, you can have TLS termination either inside the container (see Configuration examples - TLS), or before e.g. at a load balancer/reverse proxy in front of the service. It is interesting to have TLS termination before the container so you don't have to manage the certificate/key there, but make sure the network between your TLS termination point and your container is secure.
VAULT_ADDR: address of the Vault server used for storing the temporary secrets.VAULT_TOKEN: Vault token used to authenticate to the Vault server.VAULT_TLS_INSECURE_SKIP_VERIFY: Enable to skip TLS verification (default:false).CROW_HTTP_BINDING_ADDRESS: HTTP binding address (e.g.:80).CROW_HTTPS_BINDING_ADDRESS: HTTPS binding address (e.g.:443).CROW_HTTPS_REDIRECT_ENABLED: whether to enable HTTPS redirection or not (e.g.true).CROW_TLS_AUTO_DOMAIN: domain to use for "Auto" TLS, i.e. automatic generation of certificate with Let's Encrypt. See Configuration examples - TLS - Auto TLS.CROW_TLS_CERT_FILEPATH: certificate filepath to use for "manual" TLS.CROW_TLS_CERT_KEY_FILEPATH: certificate key filepath to use for "manual" TLS.CROW_VAULT_PREFIX: vault prefix for secrets (defaultcubbyhole/)
Here is an example of a functional docker-compose.yml file
version: '3.2'
services:
vault:
image: vault:latest
container_name: vault
environment:
VAULT_DEV_ROOT_TOKEN_ID: root
cap_add:
- IPC_LOCK
expose:
- 8200
crow:
build: ./
image: pando85/crow:latest
container_name: crow
environment:
VAULT_ADDR: http://vault:8200
VAULT_TOKEN: root
CROW_HTTP_BINDING_ADDRESS: ":80"
CROW_HTTPS_BINDING_ADDRESS: ":443"
CROW_HTTPS_REDIRECT_ENABLED: "true"
CROW_TLS_AUTO_DOMAIN: secrets.example.com
ports:
- "80:80"
- "443:443"
depends_on:
- vaultVAULT_ADDR=http://vault:8200
VAULT_TOKEN=root
CROW_HTTP_BINDING_ADDRESS=:80VAULT_ADDR=http://vault:8200
VAULT_TOKEN=root
CROW_HTTPS_BINDING_ADDRESS=:443
CROW_TLS_AUTO_DOMAIN=secrets.example.comVAULT_ADDR=http://vault:8200
VAULT_TOKEN=root
CROW_HTTP_BINDING_ADDRESS=:80
CROW_HTTPS_BINDING_ADDRESS=:443
CROW_HTTPS_REDIRECT_ENABLED=true
CROW_TLS_AUTO_DOMAIN=secrets.example.comVAULT_ADDR=http://vault:8200
VAULT_TOKEN=root
CROW_HTTPS_BINDING_ADDRESS=:443
CROW_TLS_CERT_FILEPATH=/mnt/ssl/cert_secrets.example.com.pem
CROW_TLS_CERT_KEY_FILEPATH=/mnt/ssl/key_secrets.example.com.pem
Pull requests are very welcome!
Original repository: https://github.com/algolia/sup3rS3cretMes5age