Add cert scripts; update readme; update gitignore; add nginx

.gitignore

@@ -1,6 +1,10 @@
 # Project
 .env
-data
+data/*
+data/nginx/*
+!data
+!data/nginx
+!data/nginx/default.conf.template
 
 # VScode
 .vscode/*

README.md

@@ -1,6 +1,6 @@
 # `sso.base23.de` - Base23 SSO for all services
 
-[Authentik](https://goauthentik.io/) based sso for us.
+[Authentik](https://goauthentik.io/) based SSO for our sevices.
 
 ## Prerequisites - Server Setup
 
@@ -20,7 +20,13 @@ apt update \
   && apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
   && mkdir -p /var/lib/apps \
   && ln -s /var/lib/apps \
-  && apt install -y git
+  && apt install -y git \
+  && TEMP_DIR=$(mktemp -d) \
+  && curl -fsSL https://github.com/go-acme/lego/releases/download/v4.20.2/lego_v4.20.2_linux_amd64.tar.gz -o ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz \
+  && tar xzvf ${TEMP_DIR}/lego_v4.20.2_linux_amd64.tar.gz --directory=${TEMP_DIR} \
+  && install -m 755 -o root -g root "${TEMP_DIR}/lego" "/usr/local/bin" \
+  && rm -rf ${TEMP_DIR} \
+  && unset TEMP_DIR
 ```
 
 ## Installation
@@ -30,7 +36,10 @@ Clone & configure initially:
 cd /root/apps \
   && git clone ssh://git@git.base23.de:222/base23/sso.base23.de.git \
   && cd sso.base23.de \
-  && ./init.sh \
+  && ./scripts/init.sh \
+  && docker compose build --no-cache \
+    --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
+    --build-arg SRC_REV=$(git rev-parse --short HEAD)
   && docker compose up -d; docker compose logs -f
 ```
 
@@ -40,3 +49,11 @@ cd /root/apps \
 in the deployed `.env` file.
 2. `docker-compose down`
 3. `docker compose up -d; docker compose logs -f`
+
+## Rebuild containers locally
+
+```shell
+docker compose build --no-cache \
+  --build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
+  --build-arg SRC_REV=$(git rev-parse --short HEAD)
+```

data/nginx/default.conf.template

@@ -0,0 +1,81 @@
+# Upstream where your authentik server is hosted.
+upstream authentik {
+	server https://server:9443;
+	# Improve performance by keeping some connections alive.
+	keepalive 10;
+}
+
+# Upgrade WebSocket if requested, otherwise use keepalive
+map $http_upgrade $connection_upgrade_keepalive {
+	default upgrade;
+	''      '';
+}
+
+# Server just for serving a health endpoint
+server {
+	listen 127.0.0.1:8181;
+	server_name localhost;
+
+	# replace with the IP address of your resolver
+	resolver ${NGINX_RESOLVER};
+
+	# Handle /health separately without serving any files
+	location = /health {
+		access_log off;
+		default_type text/plain;
+		return 200 'OK';
+	}
+}
+
+# Redirect to HTTPS
+server {
+	listen ${NGINX_HTTP_PORT};
+	listen [::]:${NGINX_HTTP_PORT};
+	server_name ${NGINX_SERVERNAME};
+
+	return 302 https://$host$request_uri;
+}
+
+# HTTPS Server
+server {
+	listen ${NGINX_HTTPS_PORT} ssl http2;
+	listen [::]:${NGINX_HTTPS_PORT} ssl http2;
+	server_name ${NGINX_SERVERNAME};
+
+	ssl_certificate /etc/nginx/ssl/certs/sso-base23-de-fullchain-cert.pem;
+	ssl_certificate_key /etc/nginx/ssl/certs/sso-base23-de-fullchain-key.pem;
+	ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
+	ssl_session_cache ${NGINX_SSL_SESSION_CACHE};
+
+	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+	# intermediate configuration
+	ssl_protocols ${NGINX_SSL_PROTOCOLS};
+	ssl_ciphers ${NGINX_SSL_CIPHERS};
+	ssl_prefer_server_ciphers ${NGINX_SSL_PREFER_SERVER_CIPHERS};
+
+	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+	#add_header Strict-Transport-Security ${NGINX_HEADER_STRICT_TRANSPORT_SECURITY};
+
+	# OCSP stapling
+	ssl_stapling ${NGINX_SSL_STAPLING};
+	ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};
+
+	# verify chain of trust of OCSP response using Root CA and Intermediate certs
+	ssl_trusted_certificate /etc/nginx/ssl/certs/sso-base23-de-trustchain.pem;
+
+	# replace with the IP address of your resolver
+	resolver ${NGINX_RESOLVER};
+
+	client_max_body_size 50m;
+
+	location / {
+		proxy_pass https://authentik;
+		proxy_http_version 1.1;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header Host $http_host;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade_keepalive;
+	}
+}

docker-compose.yml

@@ -1,6 +1,16 @@
 ---
 
 services:
+  geoipupdate:
+    image: "maxmindinc/geoipupdate:latest"
+    volumes:
+      - "geoip:/usr/share/GeoIP"
+    environment:
+      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN"
+      GEOIPUPDATE_FREQUENCY: "8"
+      GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}"
+      GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}"
+
   postgresql:
     image: docker.io/library/postgres:16-alpine
     restart: unless-stopped
@@ -19,7 +29,7 @@ services:
     env_file:
       - .env
     networks:
-      - net
+      - backend
 
   redis:
     image: docker.io/library/redis:alpine
@@ -34,7 +44,7 @@ services:
     volumes:
       - redis:/data
     networks:
-      - net
+      - backend
 
   server:
     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
@@ -52,21 +62,12 @@ services:
       - geoip:/geoip
     env_file:
       - .env
-    # ports:
-    #   - "${COMPOSE_PORT_HTTP:-9000}:9000"
-    #   - "${COMPOSE_PORT_HTTPS:-9443}:9443"
     depends_on:
       - postgresql
       - redis
     networks:
-      - net
-      - web
-    labels:
-      - "traefik.enable=true"
-      - traefik.docker.network=web
-      - traefik.port=9443
-      - traefik.frontend.rule=Host:${PUBLIC_DOMAIN}
-      - traefik.protocol=https
+      - backend
+      - frontend
 
   worker:
     image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.10.0}
@@ -97,17 +98,46 @@ services:
       - postgresql
       - redis
     networks:
-      - net
+      - backend
 
-  geoipupdate:
-    image: "maxmindinc/geoipupdate:latest"
-    volumes:
-      - "geoip:/usr/share/GeoIP"
+  nginx:
+    build:
+      context: ./docker/nginx
+      dockerfile: Dockerfile
+      args:
+        IMAGE: "nginxinc/nginx-unprivileged:1.27.2-bookworm"
+        IMG_TITLE: "nginx-unprivileged-base23"
+        IMAGE_VERSION: "COMPOSE"
     environment:
-      GEOIPUPDATE_EDITION_IDS: "GeoLite2-City GeoLite2-ASN"
-      GEOIPUPDATE_FREQUENCY: "8"
-      GEOIPUPDATE_ACCOUNT_ID: "${GEOIPUPDATE_ACCOUNT_ID:?MaxMind GeoIP account ID required}"
-      GEOIPUPDATE_LICENSE_KEY: "${GEOIPUPDATE_LICENSE_KEY:?MaxMind GeoIP license key required}"
+      - NGINX_HTTP_PORT=${NGINX_HTTP_PORT}
+      - NGINX_HTTPS_PORT=${NGINX_HTTPS_PORT}
+      - NGINX_RESOLVER=${NGINX_RESOLVER}
+      - NGINX_SERVERNAME=${NGINX_SERVERNAME}
+      - NGINX_SSL_SESSION_TIMEOUT=${NGINX_SSL_SESSION_TIMEOUT}
+      - NGINX_SSL_SESSION_CACHE=${NGINX_SSL_SESSION_CACHE}
+      - NGINX_SSL_PROTOCOLS=${NGINX_SSL_PROTOCOLS}
+      - NGINX_SSL_CIPHERS=${NGINX_SSL_CIPHERS}
+      - NGINX_SSL_PREFER_SERVER_CIPHERS=${NGINX_SSL_PREFER_SERVER_CIPHERS}
+      - NGINX_HEADER_STRICT_TRANSPORT_SECURITY=${NGINX_HEADER_STRICT_TRANSPORT_SECURITY}
+      - NGINX_SSL_STAPLING=${NGINX_SSL_STAPLING}
+      - NGINX_SSL_STAPLING_VERIFY=${NGINX_SSL_STAPLING_VERIFY}
+    volumes:
+      - ./data/nginx/default.conf.template:/etc/nginx/templates/default.conf.template:ro
+      - ./data/nginx/dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
+      - ./data/nginx/certs:/etc/nginx/ssl/certs:ro
+    ports:
+      - target: 8080
+        published: "80"
+        protocol: tcp
+        app_protocol: http # Docker Compose 2.26.0
+        mode: ingress
+      - target: 8443
+        published: "443"
+        protocol: tcp
+        app_protocol: https # Docker Compose 2.26.0
+        mode: ingress
+    networks:
+      - frontend
 
 
 volumes:
@@ -120,6 +150,5 @@ volumes:
 
 
 networks:
-  net:
-  web:
-    external: true
+  backend:
+  frontend:

docker/nginx/Dockerfile

@@ -0,0 +1,83 @@
+ARG IMAGE=nginxinc/nginx-unprivileged:stable-bullseye
+
+FROM $IMAGE AS builder
+
+ARG HTTP_SUBSTITUTIONS_VERSION='e12e965ac1837ca709709f9a26f572a54d83430e'
+ARG HEADERS_MORE_VERSION='0.37'
+
+USER root
+
+RUN set -x \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        build-essential \
+        libgd-dev \
+        libgeoip-dev \
+        libedit-dev \
+        libxslt1-dev \
+        libssl-dev \
+        libpcre2-dev \
+        libperl-dev \
+        zlib1g-dev \
+        unzip \
+    && rm -rf /var/lib/apt/lists/* \
+    && mkdir -p /usr/src \
+    && curl \
+        -o nginx.tar.gz \
+        https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
+    && curl -L \
+        -o nginx_substitutions_filter.zip \
+        https://codeload.github.com/yaoweibin/ngx_http_substitutions_filter_module/zip/${HTTP_SUBSTITUTIONS_VERSION} \
+    && curl -L \
+        -o headers-more-nginx-module.zip \
+        https://codeload.github.com/openresty/headers-more-nginx-module/zip/refs/tags/v${HEADERS_MORE_VERSION} \
+    && tar -zxC /usr/src -f nginx.tar.gz \
+    && unzip nginx_substitutions_filter.zip -d /usr/src \
+    && unzip headers-more-nginx-module.zip -d /usr/src \
+    && rm nginx.tar.gz \
+    && rm nginx_substitutions_filter.zip \
+    && rm headers-more-nginx-module.zip \
+    && cd /usr/src/nginx-${NGINX_VERSION} \
+    && set -eux \
+    && eval ./configure $(nginx -V 2>&1 | sed -n -e "s/^.*configure arguments: //p") \
+        --add-dynamic-module=/usr/src/ngx_http_substitutions_filter_module-${HTTP_SUBSTITUTIONS_VERSION} \
+        --add-dynamic-module=/usr/src/headers-more-nginx-module-${HEADERS_MORE_VERSION} \
+        --with-http_sub_module \
+    && set +eux \
+    && make \
+    && make install
+
+
+
+FROM $IMAGE
+
+ARG BUILD_DATE=01.01.1970
+ARG IMG_TITLE=docker-image
+ARG IMAGE_VERSION=0
+ARG SRC_REV=0
+
+COPY --from=builder --chown=root:root --chmod=0644 /usr/lib/nginx/modules/ngx_http_subs_filter_module.so /usr/lib/nginx/modules/ngx_http_subs_filter_module.so
+COPY --from=builder --chown=root:root --chmod=0644 /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so
+COPY --from=builder --chown=root:root --chmod=0755 /usr/sbin/nginx /usr/sbin/nginx
+
+RUN sed -i '1iload_module /usr/lib/nginx/modules/ngx_http_subs_filter_module.so;\n' /etc/nginx/nginx.conf \
+    &&  sed -i '1iload_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;\n' /etc/nginx/nginx.conf
+
+# Redirect log output to stdout and stderr
+RUN set -x \
+    && sed -i 's,/var/log/nginx/error.log,/dev/stderr,' /etc/nginx/nginx.conf \
+    && sed -i 's,/var/log/nginx/access.log,/dev/stdout,' /etc/nginx/nginx.conf
+
+# Healthcheck to ping the /health endpoint
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 CMD curl --fail http://localhost:8181/health || exit 1
+
+LABEL \
+    maintainer="philip.henning@base23.de" \
+    org.opencontainers.image.created="${BUILD_DATE}" \
+    org.opencontainers.image.vendor="Base23 GmbH" \
+    org.opencontainers.image.authors="Philip Henning | Base23 GmbH <philip.henning@base23.de>" \
+    org.opencontainers.image.title="${IMG_TITLE}" \
+    org.opencontainers.image.description="rootless nginx image based on nginxinc/nginx-unprivileged with subst module" \
+    org.opencontainers.image.version="${IMAGE_VERSION}" \
+    org.opencontainers.image.source="https://git.base23.de/base23/sso.base23.de" \
+    org.opencontainers.image.revision="${SRC_REV}"

env.template

@@ -34,7 +34,25 @@ AUTHENTIK_LISTEN__TRUSTED_PROXY_CIDRS="172.18.0.0/16"
 # MaxMind GeoIP
 GEOIPUPDATE_ACCOUNT_ID=765001
 
+
 # PostgreSQL configuration
 PG_USER=authentik
 POSTGRES_DB=authentik
 
+
+# Nginx configuration
+NGINX_HTTP_PORT=8080
+NGINX_HTTPS_PORT=8443
+NGINX_RESOLVER=1.1.1.1
+NGINX_SERVERNAME=sso.base23.de
+
+# NGINX SSL Config for nginx 1.27.2, intermediate config, OpenSSL 3.0.14
+NGINX_SSL_SESSION_TIMEOUT=1d
+NGINX_SSL_SESSION_CACHE=shared:MozSSL:10m # about 40000 sessions
+NGINX_SSL_PROTOCOLS=TLSv1.2 TLSv1.3
+NGINX_SSL_CIPHERS=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+NGINX_SSL_PREFER_SERVER_CIPHERS=off
+NGINX_HEADER_STRICT_TRANSPORT_SECURITY='"max-age=63072000" always'
+NGINX_SSL_STAPLING=on
+NGINX_SSL_STAPLING_VERIFY=on
+

scripts/cert_renew.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euf -o pipefail
+
+cd "$(dirname "$(realpath "$0")")../"
+
+lego \
+--path ./data/.lego \
+	--http.port 8080 \
+	--tls.port 8443 \
+	--email="acme@base23.de" \
+	--domains="sso.base23.de" \
+	--http renew \
+	--renew-hook="./scripts/cert_renew_hook.sh"

scripts/cert_renew_hook.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euf -o pipefail
+
+cd "$(dirname "$(realpath "$0")")../"
+
+docker compose restart nginx

scripts/init.sh

@@ -28,7 +28,7 @@ prompt_password() {
 trap 'printf "\nOperation aborted by user.\n" >&2; rm .env; exit 1' SIGINT
 
 
-cd "$(dirname "$(realpath "$0")")"
+cd "$(dirname "$(realpath "$0")")../"
 
 # Check if .env exists and exit if it is
 [[ -f ./.env ]] && echo ".env already exists. Exiting!" && exit 1 || true
@@ -40,3 +40,23 @@ echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
 prompt_password "AUTHENTIK_EMAIL__PASSWORD"; echo "AUTHENTIK_EMAIL__PASSWORD=${RETURNED_PASSWORD}" >> .env; unset RETURNED_PASSWORD
 prompt_password "GEOIPUPDATE_LICENSE_KEY"; echo "GEOIPUPDATE_LICENSE_KEY=${RETURNED_PASSWORD}" >> .env; unset RETURNED_PASSWORD
 echo "" >> .env
+
+# Generate dhparam, if not existing
+[[ ! -d ./data/nginx/certs ]] && mkdir -p ./data/nginx/certs && chmod 700 ./data/nginx/certs || true
+[[ ! -f ./data/nginx/certs/dhparam.pem ]] && echo "" && echo "Generating Diffie-Hellman parameters (dhparams)" && openssl dhparam -out ./data/nginx/certs/dhparams.pem 4096 \
+	&& echo "" && echo "Checking generated dhparams" openssl dhparam -check -in ./data/nginx/certs/dhparams.pem || true
+
+# Create certificate
+echo ""
+echo "Create certificate"
+lego \
+	--path ./data/.lego \
+	--http.port 8080 \
+	--tls.port 8443 \
+	--email="acme@base23.de" \
+	--domains="sso.base23.de" \
+	--http run
+
+# Link certificates to correct directory
+
+# Setup cronjob to automatically renew certificates