diff --git a/.gitignore b/.gitignore index 5ed9326..7cc540c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,10 @@ # Project .env -data +data/* +data/nginx/* +!data +!data/nginx +!data/nginx/default.conf.template # VScode .vscode/* diff --git a/README.md b/README.md index 8c39b03..df5bcbd 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # `sso.base23.de` - Base23 SSO for all services -[Authentik](https://goauthentik.io/) based sso for us. +[Authentik](https://goauthentik.io/) based SSO for our sevices. ## Prerequisites - Server Setup @@ -20,7 +20,13 @@ apt update \ && apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \ && mkdir -p /var/lib/apps \ && ln -s /var/lib/apps \ - && apt install -y git + && apt install -y git \ + && TEMP_DIR=$(mktemp -d) \ + && curl -fsSL https://github.com/go-acme/lego/releases/download/v4.20.2/lego_v4.20.2_linux_amd64.tar.gz -o ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz \ + && tar xzvf ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz --directory=${TEMP_DIR} \ + && install -m 755 -o root -g root "${TEMP_DIR}/lego" "/usr/local/bin" \ + && rm -rf ${TEMP_DIR} \ + && unset TEMP_DIR ``` ## Installation @@ -30,7 +36,10 @@ Clone & configure initially: cd /root/apps \ && git clone ssh://git@git.base23.de:222/base23/sso.base23.de.git \ && cd sso.base23.de \ - && ./init.sh \ + && ./scripts/init.sh \ + && docker compose build --no-cache \ + --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \ + --build-arg SRC_REV=$(git rev-parse --short HEAD) && docker compose up -d; docker compose logs -f ``` @@ -40,3 +49,11 @@ cd /root/apps \ in the deployed `.env` file. 2. `docker-compose down` 3. `docker compose up -d; docker compose logs -f` + +## Rebuild containers locally + +```shell +docker compose build --no-cache \ + --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \ + --build-arg SRC_REV=$(git rev-parse --short HEAD) +``` diff --git a/data/nginx/default.conf.template b/data/nginx/default.conf.template new file mode 100644 index 0000000..efc7e95 --- /dev/null +++ b/data/nginx/default.conf.template @@ -0,0 +1,81 @@ +# Upstream where your authentik server is hosted. +upstream authentik { + server https://server:9443; + # Improve performance by keeping some connections alive. + keepalive 10; +} + +# Upgrade WebSocket if requested, otherwise use keepalive +map $http_upgrade $connection_upgrade_keepalive { + default upgrade; + '' ''; +} + +# Server just for serving a health endpoint +server { + listen 127.0.0.1:8181; + server_name localhost; + + # replace with the IP address of your resolver + resolver ${NGINX_RESOLVER}; + + # Handle /health separately without serving any files + location = /health { + access_log off; + default_type text/plain; + return 200 'OK'; + } +} + +# Redirect to HTTPS +server { + listen ${NGINX_HTTP_PORT}; + listen [::]:${NGINX_HTTP_PORT}; + server_name ${NGINX_SERVERNAME}; + + return 302 https://$host$request_uri; +} + +# HTTPS Server +server { + listen ${NGINX_HTTPS_PORT} ssl http2; + listen [::]:${NGINX_HTTPS_PORT} ssl http2; + server_name ${NGINX_SERVERNAME}; + + ssl_certificate /etc/nginx/ssl/certs/sso-base23-de-fullchain-cert.pem; + ssl_certificate_key /etc/nginx/ssl/certs/sso-base23-de-fullchain-key.pem; + ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT}; + ssl_session_cache ${NGINX_SSL_SESSION_CACHE}; + + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + # intermediate configuration + ssl_protocols ${NGINX_SSL_PROTOCOLS}; + ssl_ciphers ${NGINX_SSL_CIPHERS}; + ssl_prefer_server_ciphers ${NGINX_SSL_PREFER_SERVER_CIPHERS}; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + #add_header Strict-Transport-Security ${NGINX_HEADER_STRICT_TRANSPORT_SECURITY}; + + # OCSP stapling + ssl_stapling ${NGINX_SSL_STAPLING}; + ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY}; + + # verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/nginx/ssl/certs/sso-base23-de-trustchain.pem; + + # replace with the IP address of your resolver + resolver ${NGINX_RESOLVER}; + + client_max_body_size 50m; + + location / { + proxy_pass https://authentik; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $http_host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade_keepalive; + } +} diff --git a/docker-compose.yml b/docker-compose.yml index 139c140..c4ef302 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,6 +1,16 @@ --- services: + geoipupdate: + image: "maxmindinc/geoipupdate:latest" + volumes: + - "geoip:/usr/share/GeoIP" + environment: + GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN" + GEOIPUPDATE_FREQUENCY: "8" + GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}" + GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}" + postgresql: image: docker.io/library/postgres:16-alpine restart: unless-stopped @@ -19,7 +29,7 @@ services: env_file: - .env networks: - - net + - backend redis: image: docker.io/library/redis:alpine @@ -34,7 +44,7 @@ services: volumes: - redis:/data networks: - - net + - backend server: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0} @@ -52,21 +62,12 @@ services: - geoip:/geoip env_file: - .env - # ports: - # - "${COMPOSE_PORT_HTTP:-9000}:9000" - # - "${COMPOSE_PORT_HTTPS:-9443}:9443" depends_on: - postgresql - redis networks: - - net - - web - labels: - - "traefik.enable=true" - - traefik.docker.network=web - - traefik.port=9443 - - traefik.frontend.rule=Host:${PUBLIC_DOMAIN} - - traefik.protocol=https + - backend + - frontend worker: image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0} @@ -97,17 +98,46 @@ services: - postgresql - redis networks: - - net + - backend - geoipupdate: - image: "maxmindinc/geoipupdate:latest" - volumes: - - "geoip:/usr/share/GeoIP" + nginx: + build: + context: ./docker/nginx + dockerfile: Dockerfile + args: + IMAGE: "nginxinc/nginx-unprivileged:1.27.2-bookworm" + IMG_TITLE: "nginx-unprivileged-base23" + IMAGE_VERSION: "COMPOSE" environment: - GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN" - GEOIPUPDATE_FREQUENCY: "8" - GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}" - GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}" + - NGINX_HTTP_PORT=${NGINX_HTTP_PORT} + - NGINX_HTTPS_PORT=${NGINX_HTTPS_PORT} + - NGINX_RESOLVER=${NGINX_RESOLVER} + - NGINX_SERVERNAME=${NGINX_SERVERNAME} + - NGINX_SSL_SESSION_TIMEOUT=${NGINX_SSL_SESSION_TIMEOUT} + - NGINX_SSL_SESSION_CACHE=${NGINX_SSL_SESSION_CACHE} + - NGINX_SSL_PROTOCOLS=${NGINX_SSL_PROTOCOLS} + - NGINX_SSL_CIPHERS=${NGINX_SSL_CIPHERS} + - NGINX_SSL_PREFER_SERVER_CIPHERS=${NGINX_SSL_PREFER_SERVER_CIPHERS} + - NGINX_HEADER_STRICT_TRANSPORT_SECURITY=${NGINX_HEADER_STRICT_TRANSPORT_SECURITY} + - NGINX_SSL_STAPLING=${NGINX_SSL_STAPLING} + - NGINX_SSL_STAPLING_VERIFY=${NGINX_SSL_STAPLING_VERIFY} + volumes: + - ./data/nginx/default.conf.template:/etc/nginx/templates/default.conf.template:ro + - ./data/nginx/dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro + - ./data/nginx/certs:/etc/nginx/ssl/certs:ro + ports: + - target: 8080 + published: "80" + protocol: tcp + app_protocol: http # Docker Compose 2.26.0 + mode: ingress + - target: 8443 + published: "443" + protocol: tcp + app_protocol: https # Docker Compose 2.26.0 + mode: ingress + networks: + - frontend volumes: @@ -120,6 +150,5 @@ volumes: networks: - net: - web: - external: true + backend: + frontend: diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile new file mode 100644 index 0000000..a730104 --- /dev/null +++ b/docker/nginx/Dockerfile @@ -0,0 +1,83 @@ +ARG IMAGE=nginxinc/nginx-unprivileged:stable-bullseye + +FROM $IMAGE AS builder + +ARG HTTP_SUBSTITUTIONS_VERSION='e12e965ac1837ca709709f9a26f572a54d83430e' +ARG HEADERS_MORE_VERSION='0.37' + +USER root + +RUN set -x \ + && apt-get update \ + && apt-get install -y --no-install-recommends \ + build-essential \ + libgd-dev \ + libgeoip-dev \ + libedit-dev \ + libxslt1-dev \ + libssl-dev \ + libpcre2-dev \ + libperl-dev \ + zlib1g-dev \ + unzip \ + && rm -rf /var/lib/apt/lists/* \ + && mkdir -p /usr/src \ + && curl \ + -o nginx.tar.gz \ + https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \ + && curl -L \ + -o nginx_substitutions_filter.zip \ + https://codeload.github.com/yaoweibin/ngx_http_substitutions_filter_module/zip/${HTTP_SUBSTITUTIONS_VERSION} \ + && curl -L \ + -o headers-more-nginx-module.zip \ + https://codeload.github.com/openresty/headers-more-nginx-module/zip/refs/tags/v${HEADERS_MORE_VERSION} \ + && tar -zxC /usr/src -f nginx.tar.gz \ + && unzip nginx_substitutions_filter.zip -d /usr/src \ + && unzip headers-more-nginx-module.zip -d /usr/src \ + && rm nginx.tar.gz \ + && rm nginx_substitutions_filter.zip \ + && rm headers-more-nginx-module.zip \ + && cd /usr/src/nginx-${NGINX_VERSION} \ + && set -eux \ + && eval ./configure $(nginx -V 2>&1 | sed -n -e "s/^.*configure arguments: //p") \ + --add-dynamic-module=/usr/src/ngx_http_substitutions_filter_module-${HTTP_SUBSTITUTIONS_VERSION} \ + --add-dynamic-module=/usr/src/headers-more-nginx-module-${HEADERS_MORE_VERSION} \ + --with-http_sub_module \ + && set +eux \ + && make \ + && make install + + + +FROM $IMAGE + +ARG BUILD_DATE=01.01.1970 +ARG IMG_TITLE=docker-image +ARG IMAGE_VERSION=0 +ARG SRC_REV=0 + +COPY --from=builder --chown=root:root --chmod=0644 /usr/lib/nginx/modules/ngx_http_subs_filter_module.so /usr/lib/nginx/modules/ngx_http_subs_filter_module.so +COPY --from=builder --chown=root:root --chmod=0644 /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so +COPY --from=builder --chown=root:root --chmod=0755 /usr/sbin/nginx /usr/sbin/nginx + +RUN sed -i '1iload_module /usr/lib/nginx/modules/ngx_http_subs_filter_module.so;\n' /etc/nginx/nginx.conf \ + && sed -i '1iload_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;\n' /etc/nginx/nginx.conf + +# Redirect log output to stdout and stderr +RUN set -x \ + && sed -i 's,/var/log/nginx/error.log,/dev/stderr,' /etc/nginx/nginx.conf \ + && sed -i 's,/var/log/nginx/access.log,/dev/stdout,' /etc/nginx/nginx.conf + +# Healthcheck to ping the /health endpoint +HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl --fail http://localhost:8181/health || exit 1 + +LABEL \ + maintainer="philip.henning@base23.de" \ + org.opencontainers.image.created="${BUILD_DATE}" \ + org.opencontainers.image.vendor="Base23 GmbH" \ + org.opencontainers.image.authors="Philip Henning | Base23 GmbH " \ + org.opencontainers.image.title="${IMG_TITLE}" \ + org.opencontainers.image.description="rootless nginx image based on nginxinc/nginx-unprivileged with subst module" \ + org.opencontainers.image.version="${IMAGE_VERSION}" \ + org.opencontainers.image.source="https://git.base23.de/base23/sso.base23.de" \ + org.opencontainers.image.revision="${SRC_REV}" diff --git a/env.template b/env.template index b47cae4..df9c8b4 100644 --- a/env.template +++ b/env.template @@ -34,7 +34,25 @@ AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS="172.18.0.0/16" # MaxMind GeoIP GEOIPUPDATE_ACCOUNT_ID=765001 + # PostgreSQL configuration PG_USER=authentik POSTGRES_DB=authentik + +# Nginx configuration +NGINX_HTTP_PORT=8080 +NGINX_HTTPS_PORT=8443 +NGINX_RESOLVER=1.1.1.1 +NGINX_SERVERNAME=sso.base23.de + +# NGINX SSL Config for nginx 1.27.2, intermediate config, OpenSSL 3.0.14 +NGINX_SSL_SESSION_TIMEOUT=1d +NGINX_SSL_SESSION_CACHE=shared:MozSSL:10m # about 40000 sessions +NGINX_SSL_PROTOCOLS=TLSv1.2 TLSv1.3 +NGINX_SSL_CIPHERS=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 +NGINX_SSL_PREFER_SERVER_CIPHERS=off +NGINX_HEADER_STRICT_TRANSPORT_SECURITY='"max-age=63072000" always' +NGINX_SSL_STAPLING=on +NGINX_SSL_STAPLING_VERIFY=on + diff --git a/scripts/cert_renew.sh b/scripts/cert_renew.sh new file mode 100755 index 0000000..a1b892f --- /dev/null +++ b/scripts/cert_renew.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +set -euf -o pipefail + +cd "$(dirname "$(realpath "$0")")../" + +lego \ +--path ./data/.lego \ + --http.port 8080 \ + --tls.port 8443 \ + --email="acme@base23.de" \ + --domains="sso.base23.de" \ + --http renew \ + --renew-hook="./scripts/cert_renew_hook.sh" diff --git a/scripts/cert_renew_hook.sh b/scripts/cert_renew_hook.sh new file mode 100644 index 0000000..a7a9695 --- /dev/null +++ b/scripts/cert_renew_hook.sh @@ -0,0 +1,6 @@ +#!/usr/bin/env bash +set -euf -o pipefail + +cd "$(dirname "$(realpath "$0")")../" + +docker compose restart nginx diff --git a/init.sh b/scripts/init.sh similarity index 64% rename from init.sh rename to scripts/init.sh index 7b54fc4..73fb36a 100755 --- a/init.sh +++ b/scripts/init.sh @@ -28,7 +28,7 @@ prompt_password() { trap 'printf "\nOperation aborted by user.\n" >&2; rm .env; exit 1' SIGINT -cd "$(dirname "$(realpath "$0")")" +cd "$(dirname "$(realpath "$0")")../" # Check if .env exists and exit if it is [[ -f ./.env ]] && echo ".env already exists. Exiting!" && exit 1 || true @@ -40,3 +40,23 @@ echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env prompt_password "AUTHENTIK_EMAIL__PASSWORD"; echo "AUTHENTIK_EMAIL__PASSWORD=${RETURNED_PASSWORD}" >> .env; unset RETURNED_PASSWORD prompt_password "GEOIPUPDATE_LICENSE_KEY"; echo "GEOIPUPDATE_LICENSE_KEY=${RETURNED_PASSWORD}" >> .env; unset RETURNED_PASSWORD echo "" >> .env + +# Generate dhparam, if not existing +[[ ! -d ./data/nginx/certs ]] && mkdir -p ./data/nginx/certs && chmod 700 ./data/nginx/certs || true +[[ ! -f ./data/nginx/certs/dhparam.pem ]] && echo "" && echo "Generating Diffie-Hellman parameters (dhparams)" && openssl dhparam -out ./data/nginx/certs/dhparams.pem 4096 \ + && echo "" && echo "Checking generated dhparams" openssl dhparam -check -in ./data/nginx/certs/dhparams.pem || true + +# Create certificate +echo "" +echo "Create certificate" +lego \ + --path ./data/.lego \ + --http.port 8080 \ + --tls.port 8443 \ + --email="acme@base23.de" \ + --domains="sso.base23.de" \ + --http run + +# Link certificates to correct directory + +# Setup cronjob to automatically renew certificates