Merge pull request #53 from shingo78/feature/acme

Add ACME support

Author: shingo78

auth-proxy/Dockerfile

@@ -131,7 +131,7 @@ RUN set -x \
 # supervisord
 COPY resources/supervisord.conf /etc/
 
-# Install j2cli
+# Install jinja2-cli and certbot
 RUN set -x \
     && apt-get update \
     && apt-get -y --no-install-recommends --no-install-suggests install \
@@ -140,7 +140,7 @@ RUN set -x \
     && rm -rf /var/lib/apt/lists/* \
     && mkdir /opt/venv \
     && python3 -m venv /opt/venv \
-    && /opt/venv/bin/pip install --no-cache-dir jinja2-cli
+    && /opt/venv/bin/pip install --no-cache-dir jinja2-cli certbot
 
 ENV PATH=/opt/venv/bin:$PATH
 
@@ -150,12 +150,17 @@ COPY resources/etc/templates /etc/templates
 # Set the current working directory
 WORKDIR /var/www/html
 
-# Expose port 80
+# Expose port 80, 443
 EXPOSE 80
 EXPOSE 443
 
-COPY resources/scripts/start.sh /
-RUN chmod +x /start.sh
+COPY --chmod=755 resources/scripts/start.sh /
+COPY --chmod=755 resources/scripts/acme-init.sh /
+COPY --chmod=755 resources/scripts/acme-renew.sh /
+COPY --chmod=755 resources/scripts/reload-nginx /
+COPY --chmod=755 resources/scripts/healthcheck.sh /
+
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 --start-period=10s --start-interval=1s CMD /healthcheck.sh
 
 COPY --chown=www-data:www-data resources/htdocs/php /var/www/htdocs/php
 COPY --chown=www-data:www-data resources/html /var/www/htdocs/html

auth-proxy/resources/etc/templates/cron_root.j2

@@ -1,3 +1,4 @@
 @reboot /bin/sleep 10 && /usr/bin/curl --silent --insecure "https://localhost/simplesaml/module.php/cron/run/daily/{{ environ("CRON_SECRET") }}"
 0 0 * * * /usr/bin/curl --silent --insecure "https://localhost/simplesaml/module.php/cron/run/daily/{{ environ("CRON_SECRET") }}"
-
+{% if environ("ACME_ENABLED") %}0 1 * * 1 /acme-renew.sh
+{% endif -%}

auth-proxy/resources/etc/templates/nginx.conf.j2

@@ -44,7 +44,14 @@ http {
     server {
         listen 80;
         server_name hub;
-        rewrite  ^ https://$host$request_uri? permanent;
+        root /var/www/htdocs;
+
+        location /.well-known/acme-challenge/ {
+        }
+
+        location / {
+            return 301 https://$host$request_uri;
+        }
     }
 
     server {
@@ -53,8 +60,8 @@ http {
         root /var/www/htdocs;
         index login.php logout.php;
 
-        ssl_certificate "/etc/nginx/certs/auth-proxy.chained.cer";
-        ssl_certificate_key "/etc/nginx/certs/auth-proxy.key";
+        ssl_certificate "/etc/nginx/live-certs/server.cer";
+        ssl_certificate_key "/etc/nginx/live-certs/server.key";
 
         ssl_ciphers "AES128+EECDH:AES128+EDH";
         ssl_protocols TLSv1.2;

auth-proxy/resources/scripts/acme-init.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -xe
+
+CERTBOT_OPT=''
+CERTBOT_SERVER_OPT=''
+
+if [[ ! -z "${ACME_SERVER}" ]] ; then
+    CERTBOT_SERVER_OPT="--server ${ACME_SERVER}"
+fi
+
+CERTBOT_OPT=''
+if [[ ! -z "${ACME_EAB_KID}" ]] ; then
+    CERTBOT_OPT="${CERTBOT_OPT} --eab-kid ${ACME_EAB_KID}"
+fi
+if [[ ! -z "${ACME_EAB_HMAC_KEY}" ]] ; then
+    CERTBOT_OPT="${CERTBOT_OPT} --eab-hmac-key ${ACME_EAB_HMAC_KEY}"
+fi
+if [[ ! -z "${ACME_EAB_HMAC_ALG}" ]] ; then
+    CERTBOT_OPT="${CERTBOT_OPT} --eab-hmac-alg ${ACME_EAB_HMAC_ALG}"
+fi
+if [[ ! -z "${ACME_EMAIL}" ]] ; then
+    CERTBOT_OPT="${CERTBOT_OPT} -m ${ACME_EMAIL}"
+fi
+if [[ ! -z "${ACME_KEY_TYPE}" ]] ; then
+    CERTBOT_OPT="${CERTBOT_OPT} --key-type ${ACME_KEY_TYPE}"
+fi
+
+cleanup() {
+    rm -f /.acme-init
+}
+
+trap 'cleanup' EXIT
+
+if [[ ! -d /etc/letsencrypt/live/${MASTER_FQDN} ]]; then
+    touch /.acme-init
+    # wait for the service to become healthy
+    time_wait_for_running="${TIME_WAIT_FOR_RUNNING:-1}"
+    sleep ${time_wait_for_running}
+    certbot certonly --debug -vvv -n \
+        --standalone \
+        -d ${MASTER_FQDN} \
+        ${CERTBOT_SERVER_OPT} \
+        ${CERTBOT_OPT} \
+        --agree-tos \
+        --no-eff-email
+fi
+
+echo "certbot certificates"
+certbot ${CERTBOT_SERVER_OPT} certificates || true
+
+ln -s -f /etc/letsencrypt/live/${MASTER_FQDN}/fullchain.pem /etc/nginx/live-certs/server.cer
+ln -s -f /etc/letsencrypt/live/${MASTER_FQDN}/privkey.pem /etc/nginx/live-certs/server.key
+ln -s -f /reload-nginx /etc/letsencrypt/renewal-hooks/deploy/reload-nginx
+

auth-proxy/resources/scripts/acme-renew.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+CERTBOT_OPT=''
+if [[ ! -z "${ACME_KEY_TYPE}" ]] ; then
+    CERTBOT_OPT="${CERTBOT_OPT} --key-type ${ACME_KEY_TYPE}"
+fi
+
+if [[ -d /etc/letsencrypt/live/${MASTER_FQDN} ]]; then
+    /opt/venv/bin/certbot renew ${CERTBOT_OPT}  --webroot -w /var/www/htdocs "$@"
+fi
+

auth-proxy/resources/scripts/healthcheck.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -xe
+
+if [[ -e /.acme-init ]]; then
+    exit 0
+fi
+
+curl -k -f https://localhost/php/login.php

auth-proxy/resources/scripts/reload-nginx

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/sbin/nginx -s reload

auth-proxy/resources/scripts/start.sh

@@ -3,6 +3,28 @@ set -xe
 
 TEMPLATE_DIR=/etc/templates
 
+ACME_CONFIG_FILE=${ACME_CONFIG_FILE:-acme-config}
+
+if [[ -e "/run/secrets/${ACME_CONFIG_FILE}" ]]; then
+    source "/run/secrets/${ACME_CONFIG_FILE}"
+    export ACME_SERVER \
+           ACME_EAB_KID \
+           ACME_EAB_HMAC_KEY \
+           ACME_EAB_HMAC_ALG \
+           ACME_EMAIL \
+           ACME_KEY_TYPE
+fi
+
+CERT_DIR=/etc/nginx/certs
+mkdir -p /etc/nginx/live-certs
+if [[ -e $CERT_DIR/server.cer ]] && [[ -e $CERT_DIR/server.key ]]; then
+    ln -s -f $CERT_DIR/server.cer /etc/nginx/live-certs/server.cer
+    ln -s -f $CERT_DIR/server.key /etc/nginx/live-certs/server.key
+else
+    export ACME_ENABLED=1
+    /acme-init.sh
+fi
+
 if [[ -z ${SIMPLESAMLPHP_ADMIN_PASSWORD} ]]; then
     export SIMPLESAMLPHP_ADMIN_PASSWORD=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12)
 fi
@@ -30,4 +52,4 @@ elif [[ "$ENABLE_FEDERATION" == "1" || "$ENABLE_FEDERATION" == "yes" ]]; then
     jinja2 ${TEMPLATE_DIR}/authsources.php.j2 -o /var/www/simplesamlphp/config/authsources.php
 fi
 
-/usr/bin/supervisord -n -c /etc/supervisord.conf
+exec /usr/bin/supervisord -n -c /etc/supervisord.conf