From f5fab2a149c0c15ad3cdd950703431cff404116b Mon Sep 17 00:00:00 2001
From: anonymous
Date: Thu, 17 Mar 2022 16:44:43 +0100
Subject: [PATCH] x
---
 .gitignore | 2 ++
 app/Dockerfile | 7 +++++++
 app/Gemfile | 10 ++++++++++
 app/Gemfile.lock | 31 +++++++++++++++++++++++++++++++
 app/app.rb | 16 ++++++++++++++++
 docker-compose.yaml | 19 +++++++++++++++++++
 nginx/Dockerfile | 3 +++
 nginx/certs/.keep | 0
 nginx/nginx.conf | 33 +++++++++++++++++++++++++++++++++
 script/create-certificate.sh | 9 +++++++++
 script/create-client-key-and-csr.sh | 7 +++++++
 script/create-server-certificate.sh | 9 +++++++++
 script/create-server-key-and-csr.sh | 6 ++++++
 script/sign-client-csr.sh | 9 +++++++++
 14 files changed, 161 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 app/Dockerfile
 create mode 100644 app/Gemfile
 create mode 100644 app/Gemfile.lock
 create mode 100644 app/app.rb
 create mode 100644 docker-compose.yaml
 create mode 100644 nginx/Dockerfile
 create mode 100644 nginx/certs/.keep
 create mode 100644 nginx/nginx.conf
 create mode 100755 script/create-certificate.sh
 create mode 100755 script/create-client-key-and-csr.sh
 create mode 100755 script/create-server-certificate.sh
 create mode 100755 script/create-server-key-and-csr.sh
 create mode 100755 script/sign-client-csr.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1952100
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+nginx/certs/*
+!nginx/certs/.keep
diff --git a/app/Dockerfile b/app/Dockerfile
new file mode 100644
index 0000000..ead6fa3
--- /dev/null
+++ b/app/Dockerfile
@@ -0,0 +1,7 @@
+from ruby
+
+add . /app
+workdir /app
+run bundle install
+
+cmd ["ruby", "app.rb"]
diff --git a/app/Gemfile b/app/Gemfile
new file mode 100644
index 0000000..5eafab9
--- /dev/null
+++ b/app/Gemfile
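Review bot: `from ruby` on the first line of app/Dockerfile pulls whichever `latest` tag the registry serves at build time, so the base image changes silently between builds and the gems locked in Gemfile.lock are tested against a moving Ruby; pin it, e.g. `FROM ruby:3.1-slim` (whichever version the app was developed against). `add . /app` should be `COPY . /app` — ADD's archive-extraction and URL behaviour is not wanted for a plain source tree. The container also runs `ruby app.rb` as root; a non-root `USER` after `bundle install` is the usual hardening for a service that sits behind a reverse proxy. nginx/Dockerfile has the same unpinned `from nginx`.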
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# gem "rails"
+
+gem "sinatra", "~> 2.2"
+gem "thin", "~> 1.8"
diff --git a/app/Gemfile.lock b/app/Gemfile.lock
new file mode 100644
index 0000000..e4bf692
--- /dev/null
+++ b/app/Gemfile.lock
@@ -0,0 +1,31 @@
+GEM
+ remote: https://rubygems.org/
+ specs:
+ daemons (1.4.1)
+ eventmachine (1.2.7)
+ mustermann (1.1.1)
+ ruby2_keywords (~> 0.0.1)
+ rack (2.2.3)
+ rack-protection (2.2.0)
+ rack
+ ruby2_keywords (0.0.5)
+ sinatra (2.2.0)
+ mustermann (~> 1.0)
+ rack (~> 2.2)
+ rack-protection (= 2.2.0)
+ tilt (~> 2.0)
+ thin (1.8.1)
+ daemons (~> 1.0, >= 1.0.9)
+ eventmachine (~> 1.0, >= 1.0.4)
+ rack (>= 1, < 3)
+ tilt (2.0.10)
+
+PLATFORMS
+ x86_64-linux
+
+DEPENDENCIES
+ sinatra (~> 2.2)
+ thin (~> 1.8)
+
+BUNDLED WITH
+ 2.2.19
diff --git a/app/app.rb b/app/app.rb
new file mode 100644
index 0000000..cf6e996
--- /dev/null
+++ b/app/app.rb
@@ -0,0 +1,16 @@
+require 'sinatra'
+
+set :server, %w[thin webrick]
+set :bind, '0.0.0.0'
+
+get '/' do
+ 'Hello world'
+end
+
+get '/foo' do
+ 'Bar'
+end
+
+get '/cert' do
+ request.env['HTTP_X_CLIENTCERT_DN']
+end
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..2d34103
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,19 @@
+version: '3.3'
+services:
+ ruby:
+ container_name: app
+ image: integralist-ruby
+ ports:
+ - 4567:4567
+ nginx:
+ container_name: nginx
+ image: integralist-nginx
+ volumes:
+ - ./html:/usr/share/nginx/html
+ - ./nginx/certs/server.crt:/etc/nginx/certs/server.crt
+ - ./nginx/certs/server.key:/etc/nginx/certs/server.key
+ - ./nginx/certs/ca.crt:/etc/nginx/certs/ca.crt
+ - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+ ports:
+ - 80:80
+ - 443:443
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
new file mode 100644
index 0000000..90359d0
--- /dev/null
+++ b/nginx/Dockerfile
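Review bot: The `/cert` route returns `request.env['HTTP_X_CLIENTCERT_DN']` as if it were authoritative, but that header is only trustworthy when the request arrived through nginx, which sets it from `$ssl_client_s_dn`; docker-compose.yaml publishes `4567:4567` on the host, so a client can reach Sinatra directly (it binds `0.0.0.0`) and supply any `X-ClientCert-DN` it likes. If this value is ever used for an authorization decision, the app must be reachable only via the proxy — drop the `ports:` entry on the ruby service so it is exposed on the compose network only — and ideally the route should refuse requests that lack the header rather than echo nil, which Sinatra appears to render as an empty 200; something like `halt 403, 'client certificate required' unless request.env['HTTP_X_CLIENTCERT_DN']` makes the failure visible. Worth a comment on the route recording that the header is proxy-supplied and must never be accepted from the public side.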
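Review bot: Neither service carries a `build:` key, so `docker compose up` will attempt to pull `integralist-ruby` and `integralist-nginx` from a registry instead of building the app/Dockerfile and nginx/Dockerfile added in this same commit; presumably the images are built by hand, but `build: ./app` and `build: ./nginx` alongside the `image:` lines would make the compose file self-contained and document the intent. The `./html` directory bind-mounted to `/usr/share/nginx/html` is not part of this commit (the diffstat lists no html files), so on a fresh checkout Docker will typically create it empty and nginx's `root` serves nothing. A short comment on the volumes block saying where `./html` and the `nginx/certs/*` files are expected to come from would help the next person.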
@@ -0,0 +1,3 @@
+from nginx
+expose 80 443
+cmd ["nginx", "-g", "daemon off;"]
diff --git a/nginx/certs/.keep b/nginx/certs/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..000d7cf
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,33 @@
+user nobody nogroup;
+worker_processes auto;
+
+events {
+ worker_connections 512;
+}
+
+http {
+ upstream app {
+ server app:4567;
+ }
+
+ server {
+ listen *:443;
+ ssl on;
+ server_name "";
+
+ ssl_certificate /etc/nginx/certs/server.crt;
+ ssl_certificate_key /etc/nginx/certs/server.key;
+ ssl_client_certificate /etc/nginx/certs/ca.crt;
+ # @todo this could be made 'optional' so taht
+ # some connections are allowed to public
+ # endpooints
+ ssl_verify_client on;
+
+ root /usr/share/nginx/html;
+
+ location /app/ {
+ proxy_pass http://app/;
+ proxy_set_header X-ClientCert-DN $ssl_client_s_dn;
+ }
+ }
+}
diff --git a/script/create-certificate.sh b/script/create-certificate.sh
new file mode 100755
index 0000000..d0a3a90
--- /dev/null
+++ b/script/create-certificate.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+openssl genrsa -des3 -out ca.key 4096
+
+openssl req -new \
+ -x509 \
+ -days 365 \
+ -key ca.key \
+ -out ca.crt
diff --git a/script/create-client-key-and-csr.sh b/script/create-client-key-and-csr.sh
new file mode 100755
index 0000000..b193318
--- /dev/null
+++ b/script/create-client-key-and-csr.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+openssl genrsa -out client.key 2048
+
+openssl req -new \
+ -key client.key \
+ -out client.csr
diff --git a/script/create-server-certificate.sh b/script/create-server-certificate.sh
new file mode 100755
index 0000000..630c6df
--- /dev/null
+++ b/script/create-server-certificate.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+openssl x509 -req \
+ -days 365 \
+ -in server.csr \
+ -CA ca.crt \
+ -CAkey ca.key \
+ -set_serial 01 \
+ -out server.crt
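Review bot: `ssl on;` beneath `listen *:443;` uses the standalone `ssl` directive, which nginx deprecated in 1.15.0 and dropped in the 1.25 series; because nginx/Dockerfile pulls an unpinned `nginx` image, a fresh build can refuse to start on this line. Replace the pair with `listen 443 ssl;` and delete `ssl on;`. With `ssl_verify_client on` every request, including the static `root`, requires a valid client certificate, which is consistent with the @todo; if that is later relaxed to `optional`, the `/app/` location must also check `$ssl_client_verify` equals `SUCCESS` before proxying, otherwise an unverified client is still proxied with an empty `X-ClientCert-DN`. There is no `ssl_crl` either, so an issued client certificate cannot be revoked short of replacing ca.crt — worth a comment next to `ssl_client_certificate` so the limitation is recorded.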
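Review bot: `-set_serial 01` gives server.crt the same serial number that script/sign-client-csr.sh assigns to client.crt with its own `-set_serial 01`, and X.509 (RFC 5280) requires serials to be unique per issuer; Firefox in particular caches (issuer, serial) pairs and rejects the second certificate it meets with a duplicate, and it makes the two certificates indistinguishable in any CRL. Use `-CAcreateserial` on the first signing and `-CAserial ca.srl` on later ones, or at minimum distinct values in the two scripts. The server certificate is also issued without a subjectAltName (no `-extfile`), and current browsers and Go's TLS stack ignore the CN for hostname matching, so those clients will fail verification; pass `-extfile` with a `subjectAltName=DNS:<server-hostname>` line (placeholder — use the name clients will connect to).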
diff --git a/script/create-server-key-and-csr.sh b/script/create-server-key-and-csr.sh
new file mode 100755
index 0000000..72f3e4e
--- /dev/null
+++ b/script/create-server-key-and-csr.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+openssl genrsa -out server.key 4096 \
+openssl req -new \
+ -key server.key \
+ -out server.csr
diff --git a/script/sign-client-csr.sh b/script/sign-client-csr.sh
new file mode 100755
index 0000000..0f0db6b
--- /dev/null
+++ b/script/sign-client-csr.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+openssl x509 -req \
+ -days 365 \
+ -in client.csr \
+ -CA ca.crt \
+ -CAkey ca.key \
+ -set_serial 01 \
+ -out client.crt
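Review bot: The trailing `\` on `openssl genrsa -out server.key 4096 \` continues the line, so the script actually executes a single command, `openssl genrsa -out server.key 4096 openssl req -new -key server.key -out server.csr`; genrsa should reject the extra positional arguments and no server.csr is produced. Remove the backslash and separate the two commands with a blank line, matching script/create-client-key-and-csr.sh. None of the scripts start with `set -euo pipefail`, so a failed openssl step (wrong CA passphrase, missing input file) does not stop the script and the later signing steps run against stale or absent files.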