Merge pull request #76 from kool-dev/ssl

enable https on nginx

Author: fabriciojs

7.1-nginx-prod/Dockerfile

@@ -1,7 +1,25 @@
+FROM debian AS cert
+
+WORKDIR /kool/ssl
+
+RUN apt-get update && \
+    apt-get install -y openssl && \
+    openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 && \
+    openssl rsa -passin pass:x -in server.pass.key -out _.localhost.key && \
+    rm server.pass.key && \
+    openssl req -new -key _.localhost.key -out server.csr \
+        -subj "/C=XX/ST=XX/L=XX/O=Kool-Local/OU=Localhost/CN=*.localhost" && \
+    openssl x509 -req -days 365 -in server.csr -signkey _.localhost.key -out _.localhost.crt && \
+    openssl x509 -in _.localhost.crt -out _.localhost.pem
+
 FROM kooldev/php:7.1-prod
 
 ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
     NGINX_LISTEN=80 \
+    NGINX_HTTPS=false \
+    NGINX_LISTEN_HTTPS=443 \
+    NGINX_HTTPS_CERT=/kool/ssl/_.localhost.pem \
+    NGINX_HTTPS_CERT_KEY=/kool/ssl/_.localhost.key \
     NGINX_ROOT=/app/public \
     NGINX_INDEX=index.php \
     NGINX_CLIENT_MAX_BODY_SIZE=25M \
@@ -36,6 +54,7 @@ RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/s
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl
 COPY entrypoint /kool/entrypoint
+COPY --from=cert /kool/ssl /kool/ssl
 RUN chmod +x /kool/entrypoint
 
 EXPOSE 80

7.1-nginx-prod/default.tmpl

@@ -1,6 +1,13 @@
 server {
     listen {{ .Env.NGINX_LISTEN }} default_server;
     server_name _;
+{{ if isTrue .Env.NGINX_HTTPS }}
+    listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
+    ssl_certificate     {{ .Env.NGINX_HTTPS_CERT }};
+    ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+{{ end }}
     root {{ .Env.NGINX_ROOT }};
     index {{ .Env.NGINX_INDEX }};
     charset utf-8;

7.1-nginx/Dockerfile

@@ -1,7 +1,25 @@
+FROM debian AS cert
+
+WORKDIR /kool/ssl
+
+RUN apt-get update && \
+    apt-get install -y openssl && \
+    openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 && \
+    openssl rsa -passin pass:x -in server.pass.key -out _.localhost.key && \
+    rm server.pass.key && \
+    openssl req -new -key _.localhost.key -out server.csr \
+        -subj "/C=XX/ST=XX/L=XX/O=Kool-Local/OU=Localhost/CN=*.localhost" && \
+    openssl x509 -req -days 365 -in server.csr -signkey _.localhost.key -out _.localhost.crt && \
+    openssl x509 -in _.localhost.crt -out _.localhost.pem
+
 FROM kooldev/php:7.1
 
 ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
     NGINX_LISTEN=80 \
+    NGINX_HTTPS=false \
+    NGINX_LISTEN_HTTPS=443 \
+    NGINX_HTTPS_CERT=/kool/ssl/_.localhost.pem \
+    NGINX_HTTPS_CERT_KEY=/kool/ssl/_.localhost.key \
     NGINX_ROOT=/app/public \
     NGINX_INDEX=index.php \
     NGINX_CLIENT_MAX_BODY_SIZE=25M \
@@ -36,6 +54,7 @@ RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/s
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl
 COPY entrypoint /kool/entrypoint
+COPY --from=cert /kool/ssl /kool/ssl
 RUN chmod +x /kool/entrypoint
 
 EXPOSE 80

7.1-nginx/default.tmpl

@@ -1,6 +1,13 @@
 server {
     listen {{ .Env.NGINX_LISTEN }} default_server;
     server_name _;
+{{ if isTrue .Env.NGINX_HTTPS }}
+    listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
+    ssl_certificate     {{ .Env.NGINX_HTTPS_CERT }};
+    ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+{{ end }}
     root {{ .Env.NGINX_ROOT }};
     index {{ .Env.NGINX_INDEX }};
     charset utf-8;

7.2-nginx-prod/Dockerfile

@@ -1,7 +1,25 @@
+FROM debian AS cert
+
+WORKDIR /kool/ssl
+
+RUN apt-get update && \
+    apt-get install -y openssl && \
+    openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 && \
+    openssl rsa -passin pass:x -in server.pass.key -out _.localhost.key && \
+    rm server.pass.key && \
+    openssl req -new -key _.localhost.key -out server.csr \
+        -subj "/C=XX/ST=XX/L=XX/O=Kool-Local/OU=Localhost/CN=*.localhost" && \
+    openssl x509 -req -days 365 -in server.csr -signkey _.localhost.key -out _.localhost.crt && \
+    openssl x509 -in _.localhost.crt -out _.localhost.pem
+
 FROM kooldev/php:7.2-prod
 
 ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
     NGINX_LISTEN=80 \
+    NGINX_HTTPS=false \
+    NGINX_LISTEN_HTTPS=443 \
+    NGINX_HTTPS_CERT=/kool/ssl/_.localhost.pem \
+    NGINX_HTTPS_CERT_KEY=/kool/ssl/_.localhost.key \
     NGINX_ROOT=/app/public \
     NGINX_INDEX=index.php \
     NGINX_CLIENT_MAX_BODY_SIZE=25M \
@@ -36,6 +54,7 @@ RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/s
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl
 COPY entrypoint /kool/entrypoint
+COPY --from=cert /kool/ssl /kool/ssl
 RUN chmod +x /kool/entrypoint
 
 EXPOSE 80

7.2-nginx-prod/default.tmpl

@@ -1,6 +1,13 @@
 server {
     listen {{ .Env.NGINX_LISTEN }} default_server;
     server_name _;
+{{ if isTrue .Env.NGINX_HTTPS }}
+    listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
+    ssl_certificate     {{ .Env.NGINX_HTTPS_CERT }};
+    ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+{{ end }}
     root {{ .Env.NGINX_ROOT }};
     index {{ .Env.NGINX_INDEX }};
     charset utf-8;

7.2-nginx/Dockerfile

@@ -1,7 +1,25 @@
+FROM debian AS cert
+
+WORKDIR /kool/ssl
+
+RUN apt-get update && \
+    apt-get install -y openssl && \
+    openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 && \
+    openssl rsa -passin pass:x -in server.pass.key -out _.localhost.key && \
+    rm server.pass.key && \
+    openssl req -new -key _.localhost.key -out server.csr \
+        -subj "/C=XX/ST=XX/L=XX/O=Kool-Local/OU=Localhost/CN=*.localhost" && \
+    openssl x509 -req -days 365 -in server.csr -signkey _.localhost.key -out _.localhost.crt && \
+    openssl x509 -in _.localhost.crt -out _.localhost.pem
+
 FROM kooldev/php:7.2
 
 ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
     NGINX_LISTEN=80 \
+    NGINX_HTTPS=false \
+    NGINX_LISTEN_HTTPS=443 \
+    NGINX_HTTPS_CERT=/kool/ssl/_.localhost.pem \
+    NGINX_HTTPS_CERT_KEY=/kool/ssl/_.localhost.key \
     NGINX_ROOT=/app/public \
     NGINX_INDEX=index.php \
     NGINX_CLIENT_MAX_BODY_SIZE=25M \
@@ -36,6 +54,7 @@ RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/s
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl
 COPY entrypoint /kool/entrypoint
+COPY --from=cert /kool/ssl /kool/ssl
 RUN chmod +x /kool/entrypoint
 
 EXPOSE 80

7.2-nginx/default.tmpl

@@ -1,6 +1,13 @@
 server {
     listen {{ .Env.NGINX_LISTEN }} default_server;
     server_name _;
+{{ if isTrue .Env.NGINX_HTTPS }}
+    listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
+    ssl_certificate     {{ .Env.NGINX_HTTPS_CERT }};
+    ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+{{ end }}
     root {{ .Env.NGINX_ROOT }};
     index {{ .Env.NGINX_INDEX }};
     charset utf-8;

7.3-nginx-prod/Dockerfile

@@ -1,7 +1,25 @@
+FROM debian AS cert
+
+WORKDIR /kool/ssl
+
+RUN apt-get update && \
+    apt-get install -y openssl && \
+    openssl genrsa -des3 -passout pass:x -out server.pass.key 2048 && \
+    openssl rsa -passin pass:x -in server.pass.key -out _.localhost.key && \
+    rm server.pass.key && \
+    openssl req -new -key _.localhost.key -out server.csr \
+        -subj "/C=XX/ST=XX/L=XX/O=Kool-Local/OU=Localhost/CN=*.localhost" && \
+    openssl x509 -req -days 365 -in server.csr -signkey _.localhost.key -out _.localhost.crt && \
+    openssl x509 -in _.localhost.crt -out _.localhost.pem
+
 FROM kooldev/php:7.3-prod
 
 ENV PHP_FPM_LISTEN=/run/php-fpm.sock \
     NGINX_LISTEN=80 \
+    NGINX_HTTPS=false \
+    NGINX_LISTEN_HTTPS=443 \
+    NGINX_HTTPS_CERT=/kool/ssl/_.localhost.pem \
+    NGINX_HTTPS_CERT_KEY=/kool/ssl/_.localhost.key \
     NGINX_ROOT=/app/public \
     NGINX_INDEX=index.php \
     NGINX_CLIENT_MAX_BODY_SIZE=25M \
@@ -36,6 +54,7 @@ RUN curl -L https://github.com/ochinchina/supervisord/releases/download/v0.6.3/s
 COPY supervisor.conf /kool/supervisor.conf
 COPY default.tmpl /kool/default.tmpl
 COPY entrypoint /kool/entrypoint
+COPY --from=cert /kool/ssl /kool/ssl
 RUN chmod +x /kool/entrypoint
 
 EXPOSE 80

7.3-nginx-prod/default.tmpl

@@ -1,6 +1,13 @@
 server {
     listen {{ .Env.NGINX_LISTEN }} default_server;
     server_name _;
+{{ if isTrue .Env.NGINX_HTTPS }}
+    listen {{ .Env.NGINX_LISTEN_HTTPS }} ssl http2;
+    ssl_certificate     {{ .Env.NGINX_HTTPS_CERT }};
+    ssl_certificate_key {{ .Env.NGINX_HTTPS_CERT_KEY }};
+    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+{{ end }}
     root {{ .Env.NGINX_ROOT }};
     index {{ .Env.NGINX_INDEX }};
     charset utf-8;