G-Research · suprjinx · Oct 22, 2024 · Sep 6, 2024 · Sep 13, 2024 · Sep 17, 2024
diff --git a/Dockerfile b/Dockerfile
@@ -55,4 +55,4 @@ USER rails:rails
 # Start the server by default, this can be overwritten at runtime
 EXPOSE 3000
 # Start the server
-CMD ["bin/rails", "server", "-b", "0.0.0.0"]
+CMD ["bin/http.sh"]
diff --git a/README.md b/README.md
@@ -72,18 +72,36 @@ file.  Per-environment settings in the config file(development, test,
 production) will override the shared values for that type.
 
 ## mTLS connections
-Astral can connect to Vault with mTLS. Just
-set the following values in `config/astral.yml`:
+Astral can be run as an SSL service and can communicate with Vault via SSL.
+Just set the following values in `config/astral.yml` (or environment) to 
+encrypt Astral-to-Vault :
 ```
   vault_ssl_cert:
   vault_ssl_client_cert:
   vault_ssl_client_key:
 ```
-A self-signed server cert for Vault can be generated with the following 
-command:
+
+To use Vault SSL in the devcontainer, edit
+`.devcontainer/docker-compose.yml` so that the `app` service has
+`VAULT_ADDRESS` of `https://vault:8443`. Client certs can also be
+configured -- in which case Vault needs to be configured to verify with
+a CA cert.
+
+A self-signed server cert for Vault and Astral can be generated with the following 
+command, and initial placeholder certs are already provided.
 ```
 rake configure:ssl
 ```
 
-To use SSL in the devcontainer, edit `.devcontainer/docker-compose.yml` so
-that the `app` service has `VAULT_ADDRESS` of `https://vault:8443`. 
+Astral SSL 
+
+To use SSL in production, provide the necessary environment (SSL_CERT, SSL_KEY) to
+the container environment, and use the `bin/ssl.sh` startup command. Eg:
+```
+docker run -p 3000:3000 \
+-e SSL_CERT=/certs/cert.pem \
+-e SSL_KEY=/certs/key.key \
+-v certs:/certs:cached \
+astral:latest bin/ssl.sh
+```
+
diff --git a/bin/http.sh b/bin/http.sh
@@ -0,0 +1,2 @@
+#! /bin/sh
+bin/rails s -b 0.0.0.0
diff --git a/bin/ssl.sh b/bin/ssl.sh
@@ -0,0 +1,5 @@
+#! /bin/sh
+SSL_CERT="${SSL_CERT:-cert/astral.pem}"
+SSL_KEY="${SSL_KEY:-cert/astral.key}"
+
+bin/rails s -b "ssl://0.0.0.0:3000?key=${SSL_KEY}&cert=${SSL_CERT}"
diff --git a/lib/tasks/configure.rake b/lib/tasks/configure.rake
@@ -2,16 +2,30 @@ require "rake"
 
 # Rake tasks for making a vault cert
 namespace :configure do
+  desc "Make Vault and Astral certs"
+  task ssl: [ :vault_ssl, :astral_ssl ]
+
   desc "Make the server cert for vault"
-  task :ssl do
+  task :vault_ssl do
+    keygen("vault")
+  end
+
+  desc "Make the server cert for astral"
+  task :astral_ssl do
+    keygen("astral")
+  end
+
+  private
+
+  def keygen(name)
     %x(
       openssl req -new -newkey rsa:4096 -nodes \
-        -keyout cert/vault.key -out cert/vault.csr \
-        -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=vault"
-      openssl x509 -req -days 365 -in cert/vault.csr \
-        -signkey cert/vault.key \
-        -out cert/vault.pem
+        -keyout cert/#{name}.key -out cert/#{name}.csr \
+        -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=#{name}"
+      openssl x509 -req -days 365 -in cert/#{name}.csr \
+        -signkey cert/#{name}.key \
+        -out cert/#{name}.pem
     )
-    puts "SSL key for vault created"
+    puts "SSL key for #{name} created"
   end
 end