Theaninova/openstapps
1
0
Fork 0
mirror of https://gitlab.com/openstapps/openstapps.git synced 2026-01-21 09:03:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: increase nginx transport security

Browse Source
This commit is contained in:
Rainer Killinger
2019-02-27 16:28:50 +00:00
committed by Rainer Killinger
parent 5f969c53f6
commit 8fe6a2795f
6 changed files with 75 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/main.ts
View File

@@ -18,7 +18,14 @@ import * as Dockerode from 'dockerode';
import {existsSync, readFile} from 'fs-extra';
import {render} from 'mustache';
import {join} from 'path';
import {ConfigFile, logger, TemplateView} from './common';
import {
ConfigFile,
logger,
protocolHardeningParameters,
SSLFilePaths,
sslHardeningParameters,
TemplateView,
} from './common';
const configFile: ConfigFile = config.util.toObject();
@@ -123,7 +130,7 @@ export function generateUpstreamMap(
* @param sslFiles
* @returns {string}
*/
function generateListener(sslFiles: string[]) {
function generateListener(sslFilePaths: SSLFilePaths) {
function isSSLCert(path: string) {
return existsSync(path) && /.*\.crt$/.test(path);
@@ -133,17 +140,31 @@ function generateListener(sslFiles: string[]) {
return existsSync(path) && /.*\.key$/.test(path);
}
function isPEMFile(path: string) {
return existsSync(path) && /.*\.pem$/.test(path);
}
let listener = '';
if (Array.isArray(sslFiles) && sslFiles.length === 2 && sslFiles.some(isSSLCert) && sslFiles.some(isSSLKey)) {
if (typeof sslFilePaths !== 'undefined' &&
typeof sslFilePaths.certificate === 'string' && isSSLCert(sslFilePaths.certificate) &&
typeof sslFilePaths.certificateChain === 'string' && isSSLCert(sslFilePaths.certificate) &&
typeof sslFilePaths.certificateKey === 'string' && isSSLKey(sslFilePaths.certificate) &&
typeof sslFilePaths.dhparam === 'string' && isPEMFile(sslFilePaths.dhparam)
) {
// https listener
listener = 'listen 443 ssl default_server;\n' +
`ssl_certificate ${sslFiles.find(isSSLCert)};\n` +
`ssl_certificate_key ${sslFiles.find(isSSLKey)};\n`;
`ssl_certificate ${sslFilePaths.certificate};\n` +
`ssl_certificate_key ${sslFilePaths.certificateKey};\n` +
`ssl_trusted_certificate ${sslFilePaths.certificateChain};\n` +
`ssl_dhparam ${sslFilePaths.dhparam};\n` +
`${sslHardeningParameters}`;
} else {
// default http listener
listener = 'listen 80 default_server;';
logger.warn('Https usage is not setup properly, falling back to http!');
}
listener = `${listener}\n${protocolHardeningParameters}\n`;
return listener;
}
@@ -183,7 +204,7 @@ export async function getTemplateView(containers: Dockerode.ContainerInfo[]): Pr
return {
dockerVersionMap: generateUpstreamMap(configFile.activeVersions, configFile.outdatedVersions, containers),
hiddenRoutes: (await Promise.all(hiddenRoutesPromises)).join(''),
listener: generateListener(configFile.sslFiles),
listener: generateListener(configFile.sslFilePaths),
staticRoute: await renderTemplate(join('fixtures', 'staticRoute.template'), {cors}),
visibleRoutes: (await Promise.all(visibleRoutesPromises)).join(''),
};