feature(generate-cert): allow create self-signed cert

- self-signed cert with a group-readable key and customizable hostname

build/Dockerfile

@@ -1,10 +1,17 @@
-FROM nginx:mainline-alpine
+#
+# build AB-NGINX container (based on NGINX mainline)
+#
 
-# default uid for nginx user
+ARG NGINX_VERSION=1.21.1
+FROM nginx:${NGINX_VERSION}-alpine
+ARG NGINX_VERSION
+
+# default uid and gid for nginx user
 ARG UID=8080
+ARG GID=8080
 
 # create nginx user
-RUN addgroup --gid ${UID} www-docker \
+RUN addgroup --gid ${GID} www-docker \
     && adduser \
         -S \
         -h /home/www-docker \
@@ -15,11 +22,13 @@ RUN addgroup --gid ${UID} www-docker \
         www-docker
 
 # add libcap, allow nginx to bind to ports <1024, extract fun error pages & create LetsEncrypt challenge directory outside webroot
-RUN apk --no-cache add libcap \
+RUN apk --update --no-cache add \
+    libcap \
+    openssl \
     && setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx \
     && cd /usr/share/nginx \
     && rm -rf html/* \
-    && wget -O /tmp/errorpages.tar.gz https://git.asifbacchus.app/asif/fun-errorpages/archive/v1.0.tar.gz \
+    && wget -O /tmp/errorpages.tar.gz https://git.asifbacchus.dev/asif/fun-errorpages/archive/v1.0.tar.gz \
     && tar -xzf /tmp/errorpages.tar.gz -C /tmp \
     && mv /tmp/fun-errorpages/errorpages ./ \
     && rm -rf /tmp/* \
@@ -28,22 +37,28 @@ RUN apk --no-cache add libcap \
     && mkdir /usr/share/nginx/letsencrypt
 
 # health check
-HEALTHCHECK --interval=60s --timeout=5s --start-period=30s --retries=3 \
+HEALTHCHECK \
+    --interval=10s \
+    --timeout=5s \
+    --start-period=60s \
+    --retries=3 \
     CMD curl --fail http://127.0.0.1:9000/nginx_status || exit 1
 
 # standardized labels
-LABEL author="Asif Bacchus <asif@bacchus.cloud>"
+MAINTAINER Asif Bacchus <asif@bacchus.cloud>
 LABEL maintainer="Asif Bacchus <asif@bacchus.cloud>"
 LABEL org.opencontainers.image.author="Asif Bacchus <asif@bacchus.cloud>"
-LABEL org.opencontainers.image.url="https://git.asifbacchus.app/ab-docker/ab-nginx"
-LABEL org.opencontainers.image.documentation="https://git.asifbacchus.app/ab-docker/ab-nginx/wiki"
-LABEL org.opencontainers.image.source="https://git.asifbacchus.app/ab-docker/ab-nginx.git"
+LABEL org.opencontainers.image.url="https://git.asifbacchus.dev/ab-docker/ab-nginx"
+LABEL org.opencontainers.image.documentation="https://git.asifbacchus.dev/ab-docker/ab-nginx/wiki"
+LABEL org.opencontainers.image.source="https://git.asifbacchus.dev/ab-docker/ab-nginx.git"
 LABEL org.opencontainers.image.vendor="NGINX"
 LABEL org.opencontainers.image.title="ab-nginx"
 LABEL org.opencontainers.image.description="NGINX-mainline-alpine with more logical file location layout and automatic SSL set up if certificates are provided."
 
-# copy configuration files
-COPY entrypoint.sh /entrypoint.sh
+# copy configuration files and utility scripts
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY generate-cert.sh /usr/local/bin/generate-cert
+COPY selfsigned.cnf /etc/selfsigned.cnf
 COPY config /etc/nginx/
 COPY sites /etc/nginx/sites/
 COPY webroot /usr/share/nginx/html/
@@ -59,7 +74,9 @@ RUN chown -R www-docker:www-docker /usr/share/nginx \
     && find /etc/nginx -type d -exec chmod 750 {} \; \
     && find /etc/nginx -type f -exec chmod 640 {} \; \
     && chown www-docker:www-docker /var/cache/nginx \
-    && chown www-docker:www-docker /var/log/nginx
+    && chown www-docker:www-docker /var/log/nginx \
+    && chmod 644 /etc/selfsigned.cnf \
+    && chmod 755 /usr/local/bin/generate-cert /usr/local/bin/entrypoint.sh
 USER www-docker
 WORKDIR /usr/share/nginx/html
 
@@ -73,7 +90,7 @@ ENV HSTS=FALSE
 ENV TLS13_ONLY=FALSE
 
 # entrypoint script
-ENTRYPOINT [ "/entrypoint.sh" ]
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
 
 # run NGINX by default
 STOPSIGNAL SIGQUIT
@@ -81,8 +98,11 @@ CMD [ "nginx", "-g", "daemon off;" ]
 
 # add build date and version labels
 ARG BUILD_DATE
-LABEL org.opencontainers.image.version="1.19.9"
-LABEL app.asifbacchus.docker.internalVersion="4.0-1.19.9"
+ARG GIT_COMMIT
+ARG INTERNAL_VERSION
+LABEL org.opencontainers.image.revision=${GIT_COMMIT}
+LABEL org.opencontainers.image.version=${NGINX_VERSION}
+LABEL app.asifbacchus.docker.internalVersion=${INTERNAL_VERSION}-${NGINX_VERSION}
 LABEL org.opencontainers.image.created=${BUILD_DATE}
 
 #EOF

build/entrypoint.sh

@@ -54,8 +54,20 @@ fi
 if [ -f "/certs/fullchain.pem" ]; then
     # activate SSL configuration as appropriate and only if certs exist
     if [ "$TLS13_ONLY" = 'FALSE' ]; then
-        if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ] && [ -f "/certs/dhparam.pem" ]; then
+        if [ -f "/certs/fullchain.pem" ] && [ -f "/certs/privkey.pem" ] && [ -f "/certs/chain.pem" ]; then
             printf "Certificates found. Securing deployment using TLS 1.2\n"
+
+            # check for dhparam file and generate, if necessary
+            if ! [ -f "/certs/dhparam.pem" ]; then
+                printf "Diffie-Hellman Parameters not found... generating (using Digital Signature Algorithm instead of Diffie-Hellman)...\n"
+                if ! openssl dhparam -dsaparam -out /certs/dhparam.pem 4096; then
+                    printf "\n\nUnable to generate 'dhparam.pem'. Is your '/certs' directory writable by this container?\n"
+                    printf "TLS version 1.2 requires DHParams (or DSAParams) in order to function securely. Exiting.\n\n"
+                    exit 101
+                fi
+            printf "\nDSA-Params generated successfully\n"
+            fi
+
             # activate shared SSL configuration file
             if [ -f "/etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled" ]; then
                 mv /etc/nginx/ssl-config/mozIntermediate_ssl.conf.disabled \
@@ -123,4 +135,11 @@ fi
 printf "\nSetup complete...Container ready...\n"
 exec "$@"
 
-#EOF
+
+# exit return codes
+# 10x       certificate generation errors
+#   101     unable to generate DSA-parameters
+#   102     unable to generate private key
+#   103     unable to generate self-signed certificate
+
+#EOF

build/generate-cert.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#
+# generate a self-signed certificate
+#
+
+# check for null hostname
+if [ -z "$1" ]; then
+    printf "\nPlease supply a hostname for the generated certificate as a parameter to this script. Exiting.\n\n"
+    exit 1
+fi
+
+# update openssl configuration file
+sed -e "s/{CERT_HOSTNAME}/$1/" /etc/selfsigned.cnf > /tmp/selfsigned.cnf
+
+printf "\nGenerating self-signed certificate for '%s':\n" "$1"
+
+# create placeholder files to set permissions
+if ! touch /certs/fullchain.pem && chmod 644 /certs/fullchain.pem; then
+    printf "\nUnable to write to '/certs', is it mounted writable by this container?\n\n"
+    exit 2
+fi
+touch /certs/privkey.pem && chmod 640 /certs/privkey.pem
+
+# generate certificate
+if ! openssl req -new -x509 -days 365 -nodes -out /certs/fullchain.pem -keyout /certs/privkey.pem -config /tmp/selfsigned.cnf; then
+    printf "\nUnable to generate certificate. Is the '/certs' directory writable by this container?\n\n"
+    exit 3
+fi
+\cp /certs/fullchain.pem /certs/chain.pem
+
+# print user notification
+printf "\n\nA self-signed certificate has been generated and saved in the location mounted to '/certs' in this container.\n"
+printf "The certificate and private key are PEM formatted with names 'fullchain.pem' and 'privkey.pem', respectively.\n"
+printf "Remember to import 'fullchain.pem' to the trusted store on any client machines or you will get warnings.\n\n"
+
+# exit gracefully
+exit 0
+
+
+#
+# exit codes
+# 0:    normal exit, no errors
+# 1:    invalid or missing parameters
+# 2:    unable to write to certs directory
+# 3:    unable to generate certificate
+
+#EOF

build/selfsigned.cnf

@@ -0,0 +1,16 @@
+default_bits = 4096
+default_md = sha256
+distinguished_name = dn
+req_extensions = san
+x509_extensions = san
+prompt = no
+
+[dn]
+organizationName = AB-NGINX Webserver
+CN = {CERT_HOSTNAME}
+
+[san]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = {CERT_HOSTNAME}