From 3b1809e2ea8d7adcafaff09664569c75c35791e3 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Sat, 2 Oct 2021 13:26:05 -0700
Subject: [PATCH] feat(Docker): allow custom certificates for fastapi/nginx

Now, when a `./cache/production.{cert,key}.pem` pair is found, it is used in place of any certificates generated by the `ca` service. This allows users to customize the certificate that the FastAPI ASGI server uses as well as the front-end nginx certificates.

Optional:
- ./cache/production.cert.pem
- ./cache/production.key.pem

Fallback:
- ./cache/localhost.cert.pem + ./cache/root.ca.pem (chain)
- ./cache/localhost.key.pem

Signed-off-by: Kevin Morris
---
 docker/config/nginx.conf | 8 ++++----
 docker/nginx-entrypoint.sh | 20 +++++++++++++++++---
 docker/scripts/run-fastapi.sh | 20 ++++++++++++++++----
 3 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/docker/config/nginx.conf b/docker/config/nginx.conf
index 3a8de801..4288a57d 100644
--- a/docker/config/nginx.conf
+++ b/docker/config/nginx.conf
@@ -43,8 +43,8 @@ http {
 listen 8443 ssl http2;
 server_name localhost default_server;
- ssl_certificate /etc/ssl/certs/localhost.cert.pem;
- ssl_certificate_key /etc/ssl/private/localhost.key.pem;
+ ssl_certificate /etc/ssl/certs/web.cert.pem;
+ ssl_certificate_key /etc/ssl/private/web.key.pem;
 root /aurweb/web/html;
 index index.php;
@@ -91,8 +91,8 @@ http {
 listen 8444 ssl http2;
 server_name localhost default_server;
- ssl_certificate /etc/ssl/certs/localhost.cert.pem;
- ssl_certificate_key /etc/ssl/private/localhost.key.pem;
+ ssl_certificate /etc/ssl/certs/web.cert.pem;
+ ssl_certificate_key /etc/ssl/private/web.key.pem;
 root /aurweb/web/html;
diff --git a/docker/nginx-entrypoint.sh b/docker/nginx-entrypoint.sh
index 226ded8f..63307948 100755
--- a/docker/nginx-entrypoint.sh
+++ b/docker/nginx-entrypoint.sh
@@ -1,6 +1,16 @@
 #!/bin/bash
 set -eou pipefail
+# If production.{cert,key}.pem exists, prefer them. This allows
+# user customization of the certificates that FastAPI uses.
+# Otherwise, fallback to localhost.{cert,key}.pem, generated by `ca`.
+
+CERT=/cache/production.cert.pem
+KEY=/cache/production.key.pem
+
+DEST_CERT=/etc/ssl/certs/web.cert.pem
+DEST_KEY=/etc/ssl/private/web.key.pem
+
 # Setup a config for our mysql db.
 cp -vf conf/config.dev conf/config
 sed -i "s;YOUR_AUR_ROOT;$(pwd);g" conf/config
@@ -12,9 +22,13 @@ sed -ri 's/^;?(password) = .+/\1 = aur/' conf/config
 sed -ri "s|^(aur_location) = .+|\1 = https://localhost:8444|" conf/config
 sed -ri 's/^(disable_http_login) = .+/\1 = 1/' conf/config
-cat /cache/localhost.cert.pem /cache/ca.root.pem \
- > /etc/ssl/certs/localhost.cert.pem
-cp -vf /cache/localhost.key.pem /etc/ssl/private/localhost.key.pem
+if [ -f "$CERT" ]; then
+ cp -vf "$CERT" "$DEST_CERT"
+ cp -vf "$KEY" "$DEST_KEY"
+else
+ cat /cache/localhost.cert.pem /cache/ca.root.pem > "$DEST_CERT"
+ cp -vf /cache/localhost.key.pem "$DEST_KEY"
+fi
 cp -vf /docker/config/nginx.conf /etc/nginx/nginx.conf
diff --git a/docker/scripts/run-fastapi.sh b/docker/scripts/run-fastapi.sh
index bb1a01a7..4dcc1d96 100755
--- a/docker/scripts/run-fastapi.sh
+++ b/docker/scripts/run-fastapi.sh
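Review bot: In the second hunk, `if [ -f "$CERT" ]; then` chooses the production pair on the certificate alone, so a cache that holds `production.cert.pem` but no `production.key.pem` copies the certificate and then dies on the key `cp` under `set -eou pipefail` instead of falling back as the commit message describes; require both halves with `if [ -f "$CERT" ] && [ -f "$KEY" ]; then`. The production branch installs the certificate as-is while the fallback appends `/cache/ca.root.pem` as the chain (the commit message calls it root.ca.pem), so the comment in the first hunk should also say that `production.cert.pem` must already contain any intermediate certificates, and its "certificates that FastAPI uses" wording is copied from run-fastapi.sh although this file provisions nginx. The mode of the key written to `/etc/ssl/private/` is whatever `cp -vf` derives from the bind-mounted source and umask, so consider a `chmod 600 "$DEST_KEY"` after the `fi` so a loosely-permissioned key in the cache does not stay readable to other users in the container.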
@@ -1,17 +1,29 @@
 #!/bin/bash
+CERT=/cache/localhost.cert.pem
+KEY=/cache/localhost.key.pem
+
+# If production.{cert,key}.pem exists, prefer them. This allows
+# user customization of the certificates that FastAPI uses.
+if [ -f /cache/production.cert.pem ]; then
+ CERT=/cache/production.cert.pem
+fi
+if [ -f /cache/production.key.pem ]; then
+ KEY=/cache/production.key.pem
+fi
+
 if [ "$1" == "uvicorn" ] || [ "$1" == "" ]; then
 exec uvicorn --reload \
- --ssl-certfile /cache/localhost.cert.pem \
- --ssl-keyfile /cache/localhost.key.pem \
+ --ssl-certfile "$CERT" \
+ --ssl-keyfile "$KEY" \
 --log-config /docker/logging.conf \
 --host "0.0.0.0" \
 --port 8000 \
 aurweb.asgi:app
 else
 exec hypercorn --reload \
- --certfile /cache/localhost.cert.pem \
- --keyfile /cache/localhost.key.pem \
+ --certfile "$CERT" \
+ --keyfile "$KEY" \
 --log-config /docker/logging.conf \
 -b "0.0.0.0:8000" \
 aurweb.asgi:app
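Review bot: The two `if [ -f ... ]` tests in the added block pick the certificate and the key independently, so a cache holding only `production.cert.pem` pairs it with `localhost.key.pem` and uvicorn/hypercorn refuses to start on a cert/key mismatch rather than falling back as the commit message's "pair is found" implies. Selecting both files in one test keeps the pair consistent and mirrors the single check used in nginx-entrypoint.sh. The script sets no `set -e`, so a missing file only surfaces as the exec'd server's startup error, which is acceptable here; the `fi` that closes the uvicorn/hypercorn `if` lies outside the hunk.
```bash
# Use the production pair only when both halves exist; a lone certificate
# or key would otherwise be combined with a localhost.* file and fail TLS setup.
if [ -f /cache/production.cert.pem ] && [ -f /cache/production.key.pem ]; then
    CERT=/cache/production.cert.pem
    KEY=/cache/production.key.pem
fi
# … unchanged: uvicorn / hypercorn exec branches …
```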