Deprecate support for self-signed TLS certificates in frontend container #184

Merged
merged 2 commits into from
Nov 13, 2022
17 changes: 1 addition & 16 deletions Containerfile-frontend
Expand Up @@ -7,7 +7,6 @@ ARG GROCY_VERSION

# Install build-time dependencies
RUN apk add --no-cache \
openssl \
git \
gnupg \
wget \
Expand All @@ -18,18 +17,6 @@ RUN apk update && \
apk add --no-cache \
nginx

# Generate TLS certificates
RUN openssl req \
-x509 \
-newkey rsa:2048 \
-keyout /etc/ssl/private/grocy-nginx.key \
-out /etc/ssl/private/grocy-nginx.crt \
-days 365 \
-nodes \
-subj /CN=localhost && \
chown nginx /etc/ssl/private/grocy-nginx.key && \
chown nginx /etc/ssl/private/grocy-nginx.crt

# Configure directory permissions
RUN chown -R nginx /var/log/nginx && \
rm -rf /var/www/localhost && \
Expand All @@ -38,7 +25,6 @@ RUN chown -R nginx /var/log/nginx && \
COPY static/frontend/nginx.conf /etc/nginx/nginx.conf
COPY static/frontend/common.conf /etc/nginx/common.conf
COPY static/frontend/conf.d/default.conf /etc/nginx/conf.d/default.conf
COPY static/frontend/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf

# Install application dependencies (unprivileged)
USER nginx
Expand All @@ -60,15 +46,14 @@ RUN yarn install --frozen-lockfile --modules-folder /var/www/public/node_mod
# Remove build-time dependencies (privileged)
USER root
RUN apk del \
openssl \
git \
gnupg \
wget \
yarn

VOLUME ["/var/log/nginx"]

EXPOSE 8080 8443
EXPOSE 8080

USER nginx
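
Review bot: Dropping 8443 at `EXPOSE 8080` removes HTTPS from the default frontend image outright, while the PR title says "deprecate". With the certificate step and the `ssl.conf` copy also gone, deployments that publish 8443 no longer get an HTTPS listener from this image after upgrading. Suggest stating in the release notes that TLS now requires an image built from Containerfile-frontend-tls-selfsigned, or leaving a short comment in this file that points to it.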

75 changes: 75 additions & 0 deletions Containerfile-frontend-tls-selfsigned
@@ -0,0 +1,75 @@
ARG PLATFORM

FROM --platform=${PLATFORM} docker.io/alpine:3.16.2
LABEL maintainer "Talmai Oliveira <[email protected]>, James Addison <[email protected]>"

ARG GROCY_VERSION

# Install build-time dependencies
RUN apk add --no-cache \
openssl \
git \
gnupg \
wget \
yarn

# Install system dependencies
RUN apk update && \
apk add --no-cache \
nginx

# Generate TLS certificates
RUN openssl req \
-x509 \
-newkey rsa:2048 \
-keyout /etc/ssl/private/grocy-nginx.key \
-out /etc/ssl/private/grocy-nginx.crt \
-days 365 \
-nodes \
-subj /CN=localhost && \
chown nginx /etc/ssl/private/grocy-nginx.key && \
chown nginx /etc/ssl/private/grocy-nginx.crt

# Configure directory permissions
RUN chown -R nginx /var/log/nginx && \
rm -rf /var/www/localhost && \
chown nginx /var/www

COPY static/frontend/nginx.conf /etc/nginx/nginx.conf
COPY static/frontend/common.conf /etc/nginx/common.conf
COPY static/frontend/conf.d/default.conf /etc/nginx/conf.d/default.conf
COPY static/frontend/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf

# Install application dependencies (unprivileged)
USER nginx
WORKDIR /var/www

# Extract application release package
ENV GROCY_RELEASE_KEY_URI="https://berrnd.de/data/Bernd_Bestel.asc"
RUN set -o pipefail && \
export GNUPGHOME=$(mktemp -d) && \
wget ${GROCY_RELEASE_KEY_URI} -O - | gpg --batch --import && \
git clone --branch ${GROCY_VERSION} --config advice.detachedHead=false --depth 1 "https://github.com/grocy/grocy.git" . && \
git verify-commit ${GROCY_VERSION} && \
rm -rf ${GNUPGHOME}

# Install application dependencies
RUN yarn install --frozen-lockfile --modules-folder /var/www/public/node_modules --production && \
yarn cache clean

# Remove build-time dependencies (privileged)
USER root
RUN apk del \
openssl \
git \
gnupg \
wget \
yarn

VOLUME ["/var/log/nginx"]

EXPOSE 8080 8443

USER nginx

CMD ["nginx", "-g", "daemon off;"]
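
Review bot: The `RUN openssl req ... -nodes -keyout /etc/ssl/private/grocy-nginx.key` step creates the private key at build time, so the unencrypted key is stored in an image layer: every container started from the same built image presents the same key and certificate, and anyone who can pull the image can read the key. Consider generating the pair in an entrypoint at container start, or expecting the key and certificate to be mounted at run time. `-days 365` also counts from the build date, so an image built once stops being valid a year later regardless of when it is deployed. Separately, this file repeats Containerfile-frontend almost line for line; building `FROM` the plain frontend image and adding only the certificate and `ssl.conf` steps would keep the two from drifting apart.
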
3 changes: 0 additions & 3 deletions README.md
Expand Up @@ -25,9 +25,6 @@ This will retrieve and start the most recent container images corresponding to t
The grocy application should now be accessible locally to the server:

- [http://localhost](http://localhost)
- [https://localhost](https://localhost)

Since the images contain self-signed certificates, your browser may display a warning when visiting the HTTPS URL.

### Configuration
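
Review bot: After the `https://localhost` entry and the self-signed certificate warning are removed, the README gives no hint of how to get HTTPS. Add a sentence in this section saying the default images serve HTTP only, and name Containerfile-frontend-tls-selfsigned (or a TLS-terminating reverse proxy) for users who need TLS.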

1 change: 0 additions & 1 deletion docker-compose.yml
Expand Up @@ -14,7 +14,6 @@ services:
- backend
ports:
- '127.0.0.1:80:8080'
- '127.0.0.1:443:8443'
read_only: true
tmpfs:
- /tmp
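
Review bot: With `'127.0.0.1:443:8443'` gone, the only published port is plain HTTP, so the `127.0.0.1:` prefix on `'127.0.0.1:80:8080'` is now what keeps unencrypted traffic off the network. A comment above `ports:` saying not to widen that binding without TLS termination in front of the container would help people who edit this file.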