From 0a47fe4742b3c3cc5389cba398ec80ca98aab662 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Mon, 21 Oct 2024 11:11:09 -0400 Subject: [PATCH 1/2] Add SSL support to astral api server --- Dockerfile | 2 +- README.md | 30 ++++++++++++++++++++++++------ bin/http.sh | 2 ++ bin/ssl.sh | 5 +++++ lib/tasks/configure.rake | 28 +++++++++++++++++++++------- 5 files changed, 53 insertions(+), 14 deletions(-) create mode 100755 bin/http.sh create mode 100755 bin/ssl.sh diff --git a/Dockerfile b/Dockerfile index 3d941b3..d63d76e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -55,4 +55,4 @@ USER rails:rails # Start the server by default, this can be overwritten at runtime EXPOSE 3000 # Start the server -CMD ["bin/rails", "server", "-b", "0.0.0.0"] \ No newline at end of file +CMD ["bin/http.sh"] \ No newline at end of file diff --git a/README.md b/README.md index 00ca829..aac2a4e 100644 --- a/README.md +++ b/README.md 
@@ -72,18 +72,36 @@ file. Per-environment settings in the config file(development, test, production) will override the shared values for that type. ## mTLS connections -Astral can connect to Vault with mTLS. Just -set the following values in `config/astral.yml`: +Astral can be run as an SSL service and can communicate with Vault via SSL. +Just set the following values in `config/astral.yml` (or environment) to +encrypt Astral-to-Vault : ``` vault_ssl_cert: vault_ssl_client_cert: vault_ssl_client_key: ``` -A self-signed server cert for Vault can be generated with the following -command: + +To use Vault SSL in the devcontainer, edit +`.devcontainer/docker-compose.yml` so that the `app` service has +`VAULT_ADDRESS` of `https://vault:8443`. Client certs can also be +configured -- in which case Vault needs to be configured to verify with +a CA cert. + +A self-signed server cert for Vault and Astral can be generated with the following +command, and initial placeholder certs are already provided. ``` rake configure:ssl ``` -To use SSL in the devcontainer, edit `.devcontainer/docker-compose.yml` so -that the `app` service has `VAULT_ADDRESS` of `https://vault:8443`. +Astral SSL + +To use SSL in production, provide the necessary environment (SSL_CERT, SSL_KEY) to +the container environment, and use the `bin/ssl.sh` startup command. Eg: +``` +docker run -p 3000:3000 \ +-e SSL_CERT=/certs/cert.pem \ +-e SSL_KEY=/certs/key.key \ +-v certs:/certs:cached \ +astral:latest bin/ssl.sh +``` + diff --git a/bin/http.sh b/bin/http.sh new file mode 100755 index 0000000..33fb256 --- /dev/null +++ b/bin/http.sh @@ -0,0 +1,2 @@ +#! /bin/sh +rails s -b 0.0.0.0 diff --git a/bin/ssl.sh b/bin/ssl.sh new file mode 100755 index 0000000..a2f8865 --- /dev/null +++ b/bin/ssl.sh @@ -0,0 +1,5 @@ +#! /bin/sh +SSL_CERT="${SSL_CERT:-cert/astral.pem}" +SSL_KEY="${SSL_KEY:-cert/astral.key}" + +rails s -b "ssl://0.0.0.0:3000?key=${SSL_KEY}&cert=${SSL_CERT}" 
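Review bot: In `bin/http.sh` the server is started as a child of the shell, and because the Dockerfile hunk makes `CMD ["bin/http.sh"]` the container entry point, that shell becomes PID 1; a `docker stop` SIGTERM then reaches `sh`, which as PID 1 does not forward it, so Puma skips its graceful shutdown and is only killed by the follow-up SIGKILL. Prefix the command with `exec` so the server replaces the shell: `exec rails s -b 0.0.0.0` (with the `bin/rails` prefix that patch 2 introduces, `exec bin/rails s -b 0.0.0.0`). The same applies to the last line of `bin/ssl.sh` in this patch and to both hunks of patch 2.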
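Review bot: `bin/ssl.sh` silently falls back to `cert/astral.pem` and `cert/astral.key` when `SSL_CERT`/`SSL_KEY` are unset, and the README hunk in this patch says those are the placeholder self-signed files that `rake configure:ssl` generates and that are shipped with the repository; a production container started without the variables would therefore serve TLS with a private key anyone holding the repo has. Since the README presents this script as the production startup command, it should refuse to start rather than default: replace the two assignments with `: "${SSL_CERT:?SSL_CERT must point to the server certificate}"` and `: "${SSL_KEY:?SSL_KEY must point to the private key}"`, and have development environments export the placeholder paths explicitly. The two paths are also interpolated unescaped into the bind URL's query string, so a path containing `&` or `?` would be misparsed; a comment stating that restriction would help.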
diff --git a/lib/tasks/configure.rake b/lib/tasks/configure.rake index 80ad985..fd52ca3 100644 --- a/lib/tasks/configure.rake +++ b/lib/tasks/configure.rake @@ -2,16 +2,30 @@ require "rake" # Rake tasks for making a vault cert namespace :configure do + desc "Make Vault and Astral certs" + task ssl: [ :vault_ssl, :astral_ssl ] + desc "Make the server cert for vault" - task :ssl do + task :vault_ssl do + keygen("vault") + end + + desc "Make the server cert for astral" + task :astral_ssl do + keygen("astral") + end + + private + + def keygen(name) %x( openssl req -new -newkey rsa:4096 -nodes \ - -keyout cert/vault.key -out cert/vault.csr \ - -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=vault" - openssl x509 -req -days 365 -in cert/vault.csr \ - -signkey cert/vault.key \ - -out cert/vault.pem + -keyout cert/#{name}.key -out cert/#{name}.csr \ + -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{name}" + openssl x509 -req -days 365 -in cert/#{name}.csr \ + -signkey cert/#{name}.key \ + -out cert/#{name}.pem ) - puts "SSL key for vault created" + puts "SSL key for #{name} created" end end From ae10703afcd302d3c7e366ecf5f40a09a6cd7028 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Mon, 21 Oct 2024 13:30:36 -0400 Subject: [PATCH 2/2] fix startup scripts --- bin/http.sh | 2 +- bin/ssl.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/http.sh b/bin/http.sh index 33fb256..98c97d4 100755 --- a/bin/http.sh +++ b/bin/http.sh @@ -1,2 +1,2 @@ #! /bin/sh -rails s -b 0.0.0.0 +bin/rails s -b 0.0.0.0 diff --git a/bin/ssl.sh b/bin/ssl.sh index a2f8865..cd80740 100755 --- a/bin/ssl.sh +++ b/bin/ssl.sh @@ -2,4 +2,4 @@ SSL_CERT="${SSL_CERT:-cert/astral.pem}" SSL_KEY="${SSL_KEY:-cert/astral.key}" -rails s -b "ssl://0.0.0.0:3000?key=${SSL_KEY}&cert=${SSL_CERT}" +bin/rails s -b "ssl://0.0.0.0:3000?key=${SSL_KEY}&cert=${SSL_CERT}"
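Review bot: `keygen` announces success unconditionally — the `%x(...)` result and exit status are discarded, so if `openssl req` or `openssl x509` fails (missing `cert/` directory, openssl absent) the task still prints "SSL key for … created" and the aggregate `configure:ssl` task passes. Add `raise "openssl failed for #{name}" unless $?.success?` before the `puts`, or switch to `system` with the argument-array form, which also stops building a shell string from `name` (harmless today because the only callers pass the literals "vault" and "astral", but it would become an injection point if the task ever took a parameter). The helper is also defined with a bare `def` inside the `namespace` block, so the preceding `private` does not appear to scope it; it ends up as a method on `Object` visible to every task, and a lambda or a small module would keep it local.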