Update SSL certificate locations, add ufw
ahosgood committed Nov 7, 2024
1 parent b1804c2 commit accbfc5
Showing 2 changed files with 35 additions and 35 deletions.
66 changes: 33 additions & 33 deletions docker/tna-python/Dockerfile
Expand Up @@ -96,49 +96,49 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# ==========================================
# 1.
# Update the package index files and install
# a specific version of curl that we know to
# have no issues which is required later for
# installing Poetry
# ------------------------------------------
# 2.
# Install nginx and update the firewall rule
# to allow only HTTPS traffic
# ------------------------------------------
# 3.
# Clean and remove all the apt registries to
# disallow additional installations later on
# ------------------------------------------
# 4.
# Create a new system-level nonroot user who
# owns a home directory where we can install
# libraries into (along with our scripts for
# building and running)
# ------------------------------------------
# 5.
# Create an "/app" directory in the root dir
# for the application code and allow the new
# app user to access it
# specific versions of libcurl4, curl, build
# essentials (which then enables us to later
# install Poetry), as well as both nginx and
# ufw - after this, clean and remove all the
# apt registries to avoid the possibility of
# additional installations later on
# ==========================================
RUN set -eux; \
\
export DEBIAN_FRONTEND=noninteractive; \
\
apt-get update; \
apt-get -y upgrade; \
apt-get install -y --no-install-recommends libcurl4=7.88.1-10+deb12u7 curl=7.88.1-10+deb12u7 build-essential=12.9 libmagic-dev=1:5.44-3; \
\
apt-get install -y --no-install-recommends nginx=1.22.1-9 nginx-common=1.22.1-9; \
ufw allow 'Nginx HTTPS'; \
mkdir /etc/nginx/ssl; \
openssl req -x509 -noenc -newkey rsa:2048 -keyout /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/req.pem -days 90 -subj "/C=GB/ST=London/L=Kew/O=The National Archives/OU=Digital/CN=localhost"; \
apt-get install -y --no-install-recommends libcurl4=7.88.1-10+deb12u7 curl=7.88.1-10+deb12u7 build-essential=12.9 libmagic-dev=1:5.44-3 nginx=1.22.1-9 nginx-common=1.22.1-9 ufw=0.36.2-1; \
\
apt-get clean; \
apt-get autoremove -y --purge; \
rm -rfv /var/lib/apt/lists/*; \
\
useradd --system --create-home app; \
\
mkdir -p /app; \
rm -rfv /var/lib/apt/lists/*

# ==========================================
# Update the firewall rule to allow only for
# HTTPS, then create an SSL certificate that
# we can use locally in nginx to secure this
# container
# ==========================================
RUN ufw allow 'Nginx HTTPS'; \
mkdir /etc/nginx/ssl; \
openssl req -x509 -noenc -newkey rsa:2048 -keyout /etc/nginx/ssl/key.pem -out /etc/nginx/ssl/req.pem -days 90 -subj "/C=GB/ST=London/L=Kew/O=The National Archives/OU=Digital/CN=localhost"

# ==========================================
# Create a new system-level nonroot user who
# owns a home directory where we can install
# libraries into (along with our scripts for
# building and running)
# ==========================================
RUN useradd --system --create-home app

# ==========================================
# Create an "/app" directory in the root dir
# for the application code and allow the new
# app user to access it
# ==========================================
RUN mkdir -p /app; \
chown app:app -R /app; \
chmod 700 /app

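Review bot: The two new RUN steps starting `RUN ufw allow 'Nginx HTTPS'; \` and `RUN mkdir -p /app; \` chain their commands with `;` but, unlike the first RUN, are no longer under `set -eux`, so a failing `ufw allow`, `mkdir` or `chown` does not fail the build (the SHELL directive on the hunk header line only sets pipefail). Prefix each of them with `set -eux; \` or join the commands with `&&`. Separately, `ufw allow` only records a rule: nothing in the hunk runs `ufw enable`, and a build container normally lacks the NET_ADMIN capability needed to load netfilter rules, so the comment's claim that the firewall is updated to allow only HTTPS does not hold — what the container exposes is decided by the ports published at run time, so either drop the ufw package and rule or reword the comment to say the rule is recorded but not active. The openssl step bakes a private key and a 90-day self-signed certificate into an image layer; that was already the case before this change, but it deserves a comment now that nginx.conf in the same commit points at these files, e.g. `# Self-signed, build-time cert for local use only; expires 90 days after the image is built`.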
4 changes: 2 additions & 2 deletions docker/tna-python/lib/nginx.conf
Expand Up @@ -6,8 +6,8 @@ server {
listen [::]:443 ssl;
http2 on;

ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;
ssl_certificate /etc/nginx/ssl/req.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

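Review bot: The new `ssl_certificate /etc/nginx/ssl/req.pem;` and `ssl_certificate_key /etc/nginx/ssl/key.pem;` lines point at files that, per the Dockerfile in the same commit, are self-signed and generated at build time with `-days 90`, and nothing in the config says so; add above them `# Self-signed cert generated at image build time (see Dockerfile); not trusted by clients and expires 90 days after the build. Mount a real certificate and key over /etc/nginx/ssl for anything beyond local use.`. The name `req.pem` suggests a certificate signing request rather than the certificate that `openssl req -x509` actually writes; `cert.pem` would be clearer, though that rename has to be made in the Dockerfile as well. The enclosing `server {` block starts and ends outside the hunk.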
