Merge pull request #20 from likesistemas/hotfix/ssl

🚑️ Fix ssl
likesistemas · Aug 28, 2024 · e6a4099 · e6a4099
2 parents b5e3191 + 3a2d1d9
commit e6a4099
Show file tree

Hide file tree

Showing 6 changed files with 109 additions and 25 deletions.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -90,6 +90,28 @@ jobs:
             exit 1;
           fi
 
+      - name: Down environment
+        run: |
+          docker compose down --remove-orphans
+
+      - name: Setup SSL
+        run: |
+          echo "PHP_FPM_PASSWORD=123456" > .env
+          docker compose -f docker-compose.ssl.yml up --build -d
+          sleep 10
+          docker compose -f docker-compose.ssl.yml ps
+          docker compose -f docker-compose.ssl.yml logs
+
+      - name: Test SSL
+        run: |
+          CONTENT=$(curl -s -k "https://localhost:444/");
+          echo "CHAMADA HTTP: ${CONTENT}";
+
+          if [ "${CONTENT}" != "php" ]; then
+            echo "Chamada HTTP retornou errado: ${CONTENT}"
+            exit 1;
+          fi
+
   push:
     needs: test
 

diff --git a/Dockerfile b/Dockerfile
@@ -1,20 +1,31 @@
-FROM debian:10-slim as htpasswd
+FROM debian:10-slim AS ssl
+WORKDIR /ssl/
+RUN apt update && apt-get install -y libnss3-tools curl
+RUN curl -JLO "https://dl.filippo.io/mkcert/latest?for=linux/amd64"
+RUN chmod +x mkcert-v*-linux-amd64
+RUN mv mkcert-v*-linux-amd64 /usr/local/bin/mkcert
+RUN mkcert -key-file privkey.pem -cert-file fullchain.pem localhost 127.0.0.1 ::1
+
+FROM debian:10-slim AS htpasswd
 WORKDIR /
 ARG PHP_FPM_PASSWORD=123456
 RUN apt update && apt install apache2-utils -y
 RUN htpasswd -bc fpm_passwd admin $PHP_FPM_PASSWORD
 RUN htpasswd -bv fpm_passwd admin $PHP_FPM_PASSWORD
 
+FROM debian:10-slim AS dockerize
+ENV DOCKERIZE_VERSION v0.8.0
+RUN apt-get update \
+ && apt-get install -y wget \
+ && wget -O - https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz | tar xzf - -C /usr/local/bin \
+ && apt-get autoremove -yqq --purge wget && rm -rf /var/lib/apt/lists/*
+
 FROM nginx:latest
 
 ENV PORTA_PHP=9000
 ENV TIMEOUT_PHP=60s
 
-ENV DOCKERIZE_VERSION v0.6.1
-RUN apt-get update && apt-get install -y wget \
-    && wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
-    && tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
-    && rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz
+COPY --from=dockerize /usr/local/bin/dockerize /usr/local/bin/dockerize
 
 ENV PUBLIC_HTML="/var/www/public"
 ENV SRC_CONFIG_TEMPLATES="/etc/nginx-templetes/"
@@ -26,6 +37,8 @@ COPY config/ ${SRC_CONFIG_TEMPLATES}
 COPY --from=htpasswd /fpm_passwd /etc/nginx/fpm_passwd
 COPY www/fpm_status.html /var/php/status.html
 
+COPY --from=ssl /ssl/ /etc/nginx/ssl/
+
 EXPOSE 80 443
 
 COPY sh/ /docker-entrypoint.d/

diff --git a/config/include.d/ssl.conf b/config/include.d/ssl.conf
@@ -1,6 +1,5 @@
-listen 443 ssl http2;
-
-http2_push_preload on;
+listen 443 ssl;
+http2 on;
 
 ssl_prefer_server_ciphers on;
 ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

diff --git a/config/site.d/ssl.conf b/config/site.d/ssl.conf
@@ -1,3 +1,3 @@
 include include.d/ssl.conf;
-ssl_certificate /var/www/ssl/fullchain.pem;
-ssl_certificate_key /var/www/ssl/privkey.pem;
+ssl_certificate /etc/nginx/ssl/fullchain.pem;
+ssl_certificate_key /etc/nginx/ssl/privkey.pem;
diff --git a/docker-compose.ssl.yml b/docker-compose.ssl.yml
@@ -0,0 +1,34 @@
+networks:
+  nginx:
+    driver: bridge
+
+services:
+
+  app:
+    image: likesistemas/php:latest
+    volumes:
+      - ./www/:/var/www/public/
+    networks:
+      - nginx
+
+  nginx:
+    image: likesistemas/nginx:dev
+    build:
+      context: .
+      args: 
+        - PHP_FPM_PASSWORD=${PHP_FPM_PASSWORD:-password}
+    environment:
+      - HOST_PHP=app
+      - PORTA_PHP=9000
+      - SSL=true
+    ports:
+      - 444:443
+    volumes:
+      - ./www/:/var/www/public/
+      - ./.docker/ssl/:/var/www/ssl/
+    links:
+      - app
+    depends_on:
+      - app
+    networks:
+      - nginx
diff --git a/sh/98-configure-nginx.sh b/sh/98-configure-nginx.sh
@@ -1,5 +1,9 @@
 #!/bin/bash
 
+step() {
+  echo -e "\e[30mnginx\e[0m >> \e[33m${1}\e[0m"
+}
+
 mkdir -p ${SRC_CONFIG}
 cp -R ${SRC_CONFIG_TEMPLATES}/. ${SRC_CONFIG}
 
@@ -8,24 +12,24 @@ PASTA_NGINX_CONF=${SRC_CONFIG}/conf.d;
 PASTA_NGINX_INCLUDE=${SRC_CONFIG}/include.d;
 
 if [ -d "/var/nginx/conf.d/" ]; then
-	echo "Copiando config extras...";
+	step "Copiando config extras...";
 	cp -Rv /var/nginx/conf.d/*.conf ${PASTA_NGINX_CONF}
 fi;
 
 if [ -d "/var/nginx/site.d/extras/" ]; then
-	echo "Copiando config site.d extras...";
+	step "Copiando config site.d extras...";
 	cp -Rv /var/nginx/site.d/extras/*.conf ${PASTA_NGINX_SITE}/extras/
 fi;
 
 # CONFIGURANDO LIMITS
 if [ -n "$LIMIT_NO_FILE" ]; then
-	echo "Configurando Limits '${LIMIT_NO_FILE}'...";
+	step "Configurando Limits '${LIMIT_NO_FILE}'...";
 	sed -i "s/worker_rlimit_nofile 1024;/worker_rlimit_nofile ${LIMIT_NO_FILE};/g" ${SRC_CONFIG}/nginx.conf;
 fi;
 
 # CONFIGURANDO HOST\PORTA PHP
 if [ -n "$HOST_PHP" ]; then
-	echo "Configurando Host\Porta PHP...";
+	step "Configurando Host\Porta PHP...";
 
 	if [ -n "$EXTENSAO_PHP" ]; then	
 		sed -i "14a		location ~ \.php$ { include site.d/php.conf; }" ${PASTA_NGINX_SITE}/default.conf;
@@ -46,6 +50,7 @@ if [ -n "$HOST_PHP" ]; then
 	fi;
 
 	cat ${PASTA_NGINX_SITE}/php.conf;
+	echo -e "\n\n";
 fi;
 
 # INDEX FILE
@@ -57,15 +62,16 @@ fi;
 
 # CONFIGURANDO TRY FILES
 if [ "$TRYFILES" == "1" ]; then
-	echo "Configurando tryfiles...";
+	step "Configurando tryfiles...";
 	sed -i "12a		include site.d/tryfiles.conf;" ${PASTA_NGINX_SITE}/default.conf;
 
 	cat ${PASTA_NGINX_SITE}/tryfiles.conf;
+	echo -e "\n\n";
 fi;
 
 # CONFIGURANDO REWRITE
 if [ "$REWRITE" == "1" ]; then
-	echo "Configurando rewrite...";
+	step "Configurando rewrite...";
 	sed -i "14a		include site.d/rewrite.conf;" ${PASTA_NGINX_SITE}/default.conf;
 
 	if [ -n "$REWRITE_ROLE" ]; then
@@ -78,35 +84,45 @@ if [ "$REWRITE" == "1" ]; then
 	fi;
 
 	cat ${PASTA_NGINX_SITE}/rewrite.conf;
+	echo -e "\n\n";
 fi;
 
 # CONFIGURANDO SSL
-if [ -d "/var/www/ssl/" ]; then
-	echo "Configurando SSL...";
-	sed -i "10a		include include.d/ssl.conf;" ${PASTA_NGINX_SITE}/default.conf;
-fi;
+SSL_CERTIFICATE="/etc/nginx/ssl/fullchain.pem"
+SSL_CERTIFICATE_KEY="/etc/nginx/ssl/privkey.pem"
+
+if [ "${SSL}" == "true" ] && [ -f "${SSL_CERTIFICATE}" ] && [ -f "${SSL_CERTIFICATE_KEY}" ]; then
+	step "Configurando SSL...";
+	sed -i "10a		include site.d/ssl.conf;" ${PASTA_NGINX_SITE}/default.conf;
+fi
 
 # CONFIGURANDO PARA ELB
 if [ -n "$REALIP_FROM" ]; then
-	echo "Configurando Real IP...";
+	step "Configurando Real IP...";
 	REALIP_FROM_CONFIG=${PASTA_NGINX_CONF}/realip.conf
 	echo "real_ip_header X-Forwarded-For;" >> $REALIP_FROM_CONFIG
 	echo "set_real_ip_from ${REALIP_FROM};" >> $REALIP_FROM_CONFIG
 fi
 
 if [ -z "$HTTP_IPV6" ] || [ "$HTTP_IPV6" == "true" ]; then
-	echo "Habilitando IPV6 do HTTP";
+	step "Habilitando IPV6 do HTTP";
 	echo "listen    [::]:80;" >> ${PASTA_NGINX_INCLUDE}/80.conf;
 
 	cat ${PASTA_NGINX_INCLUDE}/80.conf;
+	echo -e "\n\n";
 fi;
 
 if [ -z "$HTTPS_IPV6" ] || [ "$HTTPS_IPV6" == "true" ]; then
-	echo "Habilitando IPV6 do HTTPS";
-	echo "listen [::]:443 ssl http2;" >> ${PASTA_NGINX_INCLUDE}/ssl.conf;
+	step "Habilitando IPV6 do HTTPS";
+	echo "listen [::]:443 ssl;" >> ${PASTA_NGINX_INCLUDE}/ssl.conf;
 
 	cat ${PASTA_NGINX_INCLUDE}/ssl.conf;
+	echo -e "\n\n";
 fi;
 
+step "Configurações do Nginx";
 cat ${SRC_CONFIG}/nginx.conf;
+
+echo -e "\n\n";
+step "Configurações do Site";
 cat ${PASTA_NGINX_SITE}/default.conf;