diff --git a/Dockerfile b/Dockerfile
index 03622ed..1490e5b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,7 @@
-FROM nginx:1.19-alpine
+FROM nginx:1.19
 EXPOSE 80 443
-COPY cert/* /etc/nginx/
-RUN cat /etc/nginx/server.pem /etc/nginx/chain.pem > /etc/nginx/server.chained.pem
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/README.md b/README.md
index fcdca9d..2cc586d 100644
--- a/README.md
+++ b/README.md
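Review bot: `ENTRYPOINT ["/entrypoint.sh"]` points at a file this Dockerfile never copies into the image; it only arrives through the bind mount added in docker-compose.yml in the same commit, so the built image started outside compose fails immediately with a missing entrypoint. Add `COPY entrypoint.sh /entrypoint.sh` above the `ENTRYPOINT` line (the file is committed as mode 100755, which COPY preserves) so the image is self-contained and the compose mount becomes a development override rather than a requirement. The move from `nginx:1.19-alpine` to `nginx:1.19` is presumably to get bash, GNU `date -d` and `grep -P` for the script; a one-line comment above `FROM` saying so, e.g. `# Debian-based image: entrypoint.sh needs bash, GNU date and grep -P`, would keep the next reader from reverting it to alpine.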
@@ -54,12 +54,20 @@ with https:// , Nginx redirects the request to the HTTPS version for you 😉. **Docker note**: A local image is created the first time executed, and -there is no need to rebuild it if you change the Nginx configurations, -unless you want to change the certificates or the Dockerfile script. +there is no need to rebuild it if you change the Nginx configuration or the `entrypoint.sh` file. Only changes to the Dockerfile script require a rebuild. If you just edit the Nginx configuration, or want to change the ports mapped, only restart the container is needed. + +If you do need to rebuild the container, append `--build` on to your compose call: ` docker-compose up --build`. + +### Public SSL certificate + +The certs are downloaded and cached from [local-ip.co](http://local-ip.co/) on first run. On subsequent runs, the `entrypoint.sh` script checks locally whether they are expired and downloads renewed certs from [local-ip.co](http://local-ip.co/) if needed. ### Running with Medic-OS -The default ports used here will conflict with the ports that medic-os uses to run. To get around that you can specify the env-file for medic-os. This will start the container using 444 and 8080 for https and http, making your instance available at `https://192-168-0-3.my.local-ip.co:444/` +The default ports used here will conflict with the ports that medic-os +uses to run. To get around that you can specify the env-file for medic-os. +This will start the container using 444 and 8080 for https and http, +making your instance available at `https://192-168-0-3.my.local-ip.co:444/`. Command to run: 
@@ -92,20 +100,24 @@ ERROR: for nginx-local-ip_app_1 Cannot start service app: driver failed program 5cdae3a684): Error starting userland proxy: listen tcp4 0.0.0.0:443: bind: address already in use ``` -You may need to change one or both ports. For example, you could shift them up to 8xxx like so: +You may need to change one or both ports. For example, you could shift them +up to 8xxx like so: $ HTTP=8080 HTTPS=8443 APP_URL=http://192.168.1.3:5988 docker-compose up -Also a convenient environment file can be used to store the new values as suggested in the [Running with Medic-OS](#running-with-medic-os) section: +Also a convenient environment file can be used to store the new values as +suggested in the [Running with Medic-OS](#running-with-medic-os) section: **my.env file:** HTTP=8080 - HTTPS=444 + HTTPS=8443 Run with: `APP_URL=https://192.168.1.3:5988 docker-compose --env-file=my.env up` -You would then access your dev instance with the `8443` port. Using the sample URL from above, it would go from `https://192-168-0-3.my.local-ip.co` to this instead `https://192-168-0-3.my.local-ip.co:8443`. +You would then access your dev instance with the `8443` port. +Using the sample URL from above, it would go from `https://192-168-0-3.my.local-ip.co` +to this instead `https://192-168-0-3.my.local-ip.co:8443`. Copyright @@ -113,8 +125,8 @@ Copyright Copyright 2021 Medic Mobile, Inc. . -The certificates files under the `cert/` folder are property of -**local-ip.co**. +The SSL certificate files are downloaded from Internet at runtime, +and are property of **local-ip.co**. License diff --git a/cert/chain.pem b/cert/chain.pem deleted file mode 100644 index 1d82449..0000000 --- a/cert/chain.pem +++ /dev/null 
@@ -1,26 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow -MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT -AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs -jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp -Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB -U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7 -gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel -/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R -oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E -BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p -ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE -p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE -AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu -Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0 -LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf -r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B -AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH -ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8 -S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL -qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p -O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw -UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg== ------END CERTIFICATE----- diff --git a/cert/server.key b/cert/server.key deleted file mode 100644 index 84bb033..0000000 --- a/cert/server.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDP52e75+UdPShm -88s2RCazRnTdKZWB5GSma08Qerndf2BGFoWzlRDwsqLl9KSeS7JRDUkFK41zI33n -TjLe/VvkCTmeYiVNwnsJqCmIXtpYU4VRCL//bxe1KmSxMLwQCUNRpcPuXUy1zeBi -u383mdyHjwTkfYHMCvaZIr5yGUtbSZ+olSLsOxaunTgkRQ0J/etEQ9K06lPC3A0R -bMNPOTpwtX34llvD6gsw8t1Tq8J7/EGYJSJOGkam4f6rZUifAeGQUX+YmubK6LTj -qpR0IZPf0JkhMSxlQksVbLoQw7xfP2DSM2IfIKsybHJWItfKuMaPkaVs1uQSpiNo -7A5aPwEzAgMBAAECggEAFQXeTHb3iQxdIIP4gYVEsI4oVRDWaGsS7m0dcpomX0p5 -Dr1KSc2CCATYSg6B8uvOnTmNr7Mmu4TUP2Z96GSQPS/dnrFn+kP3MxPJF1wYEiRn -77jFyWuPZydhRTWbXrfBEemENX9DuYKW9QTmqVWqoh6JLR2v2VUmeHe18E20fAd4 -MBne/FhyqLO+ypY+l/H7EIfofo7EQ8lx6s6b7BWTaXNdX4Ic8hASJGIAiXWJHJvs -MI2eD5ebgYd/rWwM5R0I190BRsPU3Mz61sQSp+PnBhubAkQO/wdHYPNE4x/TZkLA -gH63NUb+gI8RDD550yzukqQQ+J5MFAHk+CpCAEig0QKBgQDoI2z9EhlqhkPShGTX -j7BZCOz/JayeXU7Wa4fE/tUeX/lIMdBPz73eEFxyknL9uL0sKDePstBNMgkbw82h -KQuNwQeayYtxWzszecy3TS9BkWIs16V0gOvw060bK+DsUaaVIk+OAnYjNGYgzo+K -YnkB9SMnj1qg6Ljo+J5xmLOnqwKBgQDlRkPheAiZ/uwh+IepjZiDQyS49tYSUZdY -jifLfS60OjGTCKhIwBlRJsNE9PuiVoCHzUPi/LnrgXqfHMHxC1i4Iqhggq9csE/D -yhjV2j6oS8e7Dvr2UH2B67vDk8Y+uWqkZBb8ZzbEHhqnKPNfRIaf9cQ57W3dem6t -g8OK9yNkmQKBgQDPa/ATxNte+q+ZaGEu155sP/R8G269ZoRuRVDgbg+B/6Gfp5sJ -5Ycy6A2i9ka3fR3TWfAjf1Ru1bmbzH5tdV50gDlKTrJBTJJ+cWPBmb8S6FP/24Rk -sFmiK5HuyGtG3cJqWWkabAqhdE2ZHNjXfxu+6wpJa+dABhJLYPM6b4Z/1wKBgHiO -Bctcbklq/YavQ8YnqfX7LCgFwnJHbKkntk0NOa2Sm9aQSsxWFfnRxANSPa4Sheri -R7vm32ux3WQknuW77Z6EurxkewjlvEtazMxFwYSEtDTrn5I8qIHUDhq8bRU2MZjW -+C8npmhg2+rhYXbKdW9Orys2aPp4EhIyonNDl9yhAoGBAJreaa4IIajzF7+BbP6b -ZEzOyUYo5vxILRFx18xrOHR4nXDdckeCp7U7/TAqXrhz0ZuGVQvTRFBjMWZsf3X5 -E9FwzgEyIY3JiwpJTU+KREt6nl4Yfqv9putmuFkK3bz4oOkjIFZ4ZFL8Dc4dOlyi -+yjDKtmZGMo1m0dEc8iDtY6v ------END PRIVATE KEY----- diff --git a/cert/server.pem b/cert/server.pem deleted file mode 100644 index bc4a970..0000000 --- a/cert/server.pem +++ /dev/null 
@@ -1,30 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFMTCCBBmgAwIBAgISBA3AyPJiy/JaRcRKo1eEezWxMA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yMTAxMjYxNTU3NTlaFw0yMTA0MjYxNTU3NTlaMBsxGTAXBgNVBAMM -ECoubXkubG9jYWwtaXAuY28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQDP52e75+UdPShm88s2RCazRnTdKZWB5GSma08Qerndf2BGFoWzlRDwsqLl9KSe -S7JRDUkFK41zI33nTjLe/VvkCTmeYiVNwnsJqCmIXtpYU4VRCL//bxe1KmSxMLwQ -CUNRpcPuXUy1zeBiu383mdyHjwTkfYHMCvaZIr5yGUtbSZ+olSLsOxaunTgkRQ0J -/etEQ9K06lPC3A0RbMNPOTpwtX34llvD6gsw8t1Tq8J7/EGYJSJOGkam4f6rZUif -AeGQUX+YmubK6LTjqpR0IZPf0JkhMSxlQksVbLoQw7xfP2DSM2IfIKsybHJWItfK -uMaPkaVs1uQSpiNo7A5aPwEzAgMBAAGjggJWMIICUjAOBgNVHQ8BAf8EBAMCBaAw -HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFBvANmrHV10wXePqVPY3DikTnc1sMB8GA1UdIwQYMBaAFBQusxe3WFbL -rlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDov -L3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5v -cmcvMCgGA1UdEQQhMB+CECoubXkubG9jYWwtaXAuY2+CC2xvY2FsLWlwLmNvMEwG -A1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEW -Gmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAgYKKwYBBAHWeQIEAgSB8wSB -8ADuAHUARJRlLrDuzq/EQAfYqP4owNrmgr7YyzG1P9MzlrW2gagAAAF3P6FrkQAA -BAMARjBEAiAm50vzKppWIMzppxT0I4fU4R+/ldJlnkgrlAviiIlikAIgEo3RJ2WR -DScsMCLbqJufMfhHuqQarUPa6bZPIpnrRxIAdQB9PvL4j/+IVWgkwsDKnlKJeSvF -DngJfy5ql2iZfiLw1wAAAXc/oWupAAAEAwBGMEQCIBSs8/qJC3V9arKr5iHJ9qWO -4B2bUECjMIUSMPSmpUlzAiAkQtjc/M2Pmp6CUKbGcGGqCObiLhBhj5k6/D64j90Y -KzANBgkqhkiG9w0BAQsFAAOCAQEAmbJrasgrx3rWmu1WN0yFu1jyIaGDzGXlzOf+ -NKEPeLS6hkR5uNqAA3puPRktoPa3oPB2u9hPX+A+PJBaWQiY+qQMzsUfUrMsu2/w -81TQX+uSLiLmq12MOuCdzVjNUTsB37NB2de1kUsTiZ8Z/egUxSdXYNpLYfpIOLI6 -9dZdqJHyGSsDdRDiKwMsId5KLIW4ZD8sRvYlI32ehrr7XCMYX1uWVMsoC9vcZ7o3 -oiIb/ZVtUVi/8B3kk0A3HRRmUnOinnSp5Iz+/VrHN7gCI+WX565aZ9lC8EhKZu0g -DsAGF1ybtWcON2QSYBDim3rke4gKJfVTuTYbqFH5Hw0YMEkUGQ== ------END CERTIFICATE----- diff --git a/docker-compose.yml b/docker-compose.yml index 31c7fd3..4aa2080 100644 
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,5 +5,6 @@ app:
 - "${HTTPS}:443"
 volumes:
 - ./default.conf.template:/etc/nginx/templates/default.conf.template
+ - ./entrypoint.sh:/entrypoint.sh
 environment:
 APP_URL: $APP_URL
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..51e6b99
--- /dev/null
+++ b/entrypoint.sh
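Review bot: The new bind mount `./entrypoint.sh:/entrypoint.sh` is read-write, so the container's own startup script can be rewritten from inside the container; mark it `- ./entrypoint.sh:/entrypoint.sh:ro`, matching how a mounted script should be treated. Worth noting as well (inferred from entrypoint.sh in this commit, which writes the downloaded files under /etc/nginx): no volume covers that directory, so the "cache" the README describes lives only in the container's writable layer and every recreate, including `docker-compose up --build`, re-downloads the certificate and key. A named volume for the certificate directory would make the caching persist across recreates.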
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# SSL certificate files and source URLs
+CERT_PEM='/etc/nginx/server.pem'
+CERT_PEM_SRC='http://local-ip.co/cert/server.pem'
+CERT_KEY='/etc/nginx/server.key'
+CERT_KEY_SRC='http://local-ip.co/cert/server.key'
+CERT_CHAIN='/etc/nginx/chain.pem'
+CERT_CHAIN_SRC='http://local-ip.co/cert/chain.pem'
+CERT_CHAINED='/etc/nginx/server.chained.pem'
+
+CURL_CMD='curl -sS'
+
+install_certs () {
+ echo "$0: Downloading '$CERT_PEM_SRC' ..."
+ $CURL_CMD "$CERT_PEM_SRC" -o "$CERT_PEM"
+
+ echo "$0: Downloading '$CERT_KEY_SRC' ..."
+ $CURL_CMD "$CERT_KEY_SRC" -o "$CERT_KEY"
+
+ echo "$0: Downloading '$CERT_CHAIN_SRC' ..."
+ $CURL_CMD "$CERT_CHAIN_SRC" -o "$CERT_CHAIN"
+
+ echo "$0: Creating chained cert file '$CERT_CHAINED' ..."
+ cat "$CERT_PEM" "$CERT_CHAIN" > "$CERT_CHAINED"
+}
+
+DOWNLOAD="false"
+if [ -f "$CERT_PEM" -a -f "$CERT_KEY" -a -f "$CERT_CHAIN" ]; then
+ echo "$0: SSL certificate files /etc/nginx/server.* found"
+else
+ echo "$0: SSL certificate files /etc/nginx/server.* not found. Installing ..."
+ DOWNLOAD="true"
+ install_certs
+fi
+
+CERT_EXP_DATE=$(openssl x509 -enddate -noout -in $CERT_PEM | grep -oP 'notAfter=\K.+')
+CERT_EXP_DATE_ISO=$(date -d "$CERT_EXP_DATE" '+%Y-%m-%d')
+
+TODAY_ISO=$(date '+%Y-%m-%d')
+if [[ "$CERT_EXP_DATE_ISO" < "$TODAY_ISO" ]]; then
+ if [ "$DOWNLOAD" == "false" ]; then
+ echo "$0: SSL certificate expired! Installing new certificate files ..."
+ install_certs
+ else
+ echo "$0: ERROR SSL certificate files have been downloaded but expired since: $CERT_EXP_DATE" >&2
+ exit -1
+ fi
+else
+ echo "$0: SSL certificate OK. Expire after: $CERT_EXP_DATE"
+fi
+
+. /docker-entrypoint.sh
+
+exec "$@"
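Review bot: `install_certs` fetches the certificate, chain and the TLS private key over plain `http://` with `curl -sS` and no `-f`, and the script never sets `set -e`, so an HTTP error body or any altered response is written straight into `/etc/nginx/server.pem`/`server.key` and startup carries on with whatever landed on disk; with an unparsable file `openssl x509` prints nothing, and on GNU date `date -d ""` yields today, so the expiry branch then reports "SSL certificate OK". Use `curl -fsS`, abort on any download failure, and verify each file parses before `cat` builds the chained file; fetch over HTTPS if the source offers it. Two smaller points: `exit -1` becomes status 255 and should be `exit 1`, and the date-only comparison treats a certificate lapsing later today as valid, which `openssl x509 -checkend 0 -noout -in "$CERT_PEM"` covers directly. The `-a` inside `[ … ]` is also obsolescent; `[ -f "$CERT_PEM" ] && [ -f "$CERT_KEY" ] && [ -f "$CERT_CHAIN" ]` reads the same.
```shell
#!/bin/bash
# Abort on the first failed download or parse instead of starting nginx with bad files
set -eo pipefail

# … unchanged: CERT_* path and URL variables …

# -f: an HTTP error is a failure, not a file to save as a certificate
CURL_CMD='curl -fsS'

install_certs () {
  echo "$0: Downloading '$CERT_PEM_SRC' ..."
  $CURL_CMD "$CERT_PEM_SRC" -o "$CERT_PEM"

  echo "$0: Downloading '$CERT_KEY_SRC' ..."
  $CURL_CMD "$CERT_KEY_SRC" -o "$CERT_KEY"
  chmod 600 "$CERT_KEY"

  echo "$0: Downloading '$CERT_CHAIN_SRC' ..."
  $CURL_CMD "$CERT_CHAIN_SRC" -o "$CERT_CHAIN"

  # Reject anything that is not a parseable certificate / key before it is used
  openssl x509 -noout -in "$CERT_PEM"
  openssl x509 -noout -in "$CERT_CHAIN"
  openssl pkey -noout -in "$CERT_KEY"

  echo "$0: Creating chained cert file '$CERT_CHAINED' ..."
  cat "$CERT_PEM" "$CERT_CHAIN" > "$CERT_CHAINED"
}

# … unchanged: presence check, expiry check (exit 1 instead of exit -1), sourcing /docker-entrypoint.sh, exec "$@" …
```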