Temporarily require that the Nginx server generates a self-signed TLS certificate for testing purposes.

Author: kernelmethod

docker-compose.yml

@@ -67,14 +67,16 @@ services:
       context: docker/nginx/
     image: tec-proxy:latest
     container_name: tec-proxy
+    environment:
+      SERVER_NAME: encryptioncompendium.org
     ports:
       - "80:80"
       - "443:443"
     volumes:
       # Shared volume with the gunicorn server that allows us to
       # serve static files.
       - staticfiles:/opt/services/tec-gunicorn/static:ro
-      - letsencrypt:/etc/letsencrypt:rw
+      - letsencrypt:/tls:rw
     depends_on:
       - gunicorn
     networks:

docker/nginx/Dockerfile

@@ -10,3 +10,11 @@ RUN adduser -D -s /bin/false -G www-data www-data
 
 # Create directory for caching
 RUN mkdir -p /data/nginx/cache
+
+RUN apk update \
+    && apk add --no-cache openssl \
+    && mkdir -p /tls/encryptioncompendium.org/
+
+# Add a custom run script
+COPY run.sh /run.sh
+CMD [ "/run.sh" ]

docker/nginx/conf.d/https renamed to docker/nginx/conf.d/default.conf

@@ -14,15 +14,11 @@ server {
     client_max_body_size 4G;
     server_name _;
 
-    #ssl_certificate ${SSL_CERT};
-    #ssl_certificate_key ${SSL_KEY};
+    ssl_certificate /tls/fullchain.pem;
+    ssl_certificate_key /tls/privkey.pem;
 
     keepalive_timeout 70;
 
-    # Absolute path to site
-    root /var/www/public/;
-    index index.html;
-
     location / {
         # everything is passed to Gunicorn
         proxy_pass http://encryption_compendium_server;

docker/nginx/conf.d/http

@@ -0,0 +1,9 @@
+# Automatically redirect all http traffic to https
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name _;
+
+    return 302 https://$host$request_uri;
+}

docker/nginx/conf.d/http.conf

@@ -30,8 +30,8 @@ http {
     ssl_prefer_server_ciphers on;
 
     # Logging
-    access_log /var/log/nginx/access.log;
-    error_log /var/log/nginx/error.log;
+    #access_log /var/log/nginx/access.log;
+    #error_log /var/log/nginx/error.log;
 
     # Virtual host configs
     include /etc/nginx/conf.d/*.conf;

docker/nginx/nginx.conf

@@ -0,0 +1,16 @@
+#!/bin/sh
+
+# Generate self-signed TLS certificates
+if [ ! -f /tls/fullchain.pem ]
+then
+    openssl req \
+        -x509 \
+        -newkey rsa:4096 \
+        -keyout /tls/privkey.pem \
+        -out /tls/fullchain.pem \
+        -days 30 \
+        -nodes \
+        -subj "/CN=${SERVER_NAME}"
+fi
+
+nginx -g 'daemon off;'