nginx: start TLS only when certs are provided

- remove generation of self-cigned certificates from start script
- remove openssl package installation

This only causes problems and isn't recommended to do by nginx developers (nginx/docker-nginx#182).

Author: sitnik

Dockerfile

@@ -8,21 +8,17 @@ LABEL org.label-schema.url="https://devicehive.com" \
       org.label-schema.name="devicehive-proxy" \
       org.label-schema.version="$DH_PROXY_VERSION"
 
-RUN apt-get update && \
-  apt-get install -y openssl && \
-  rm -rf /var/lib/apt/lists/*
-
 ADD nginx.conf /etc/nginx/nginx.conf
 
-ADD server.d/ /etc/nginx/server.d/
 ADD upstream.d/ /etc/nginx/upstream.d/
 ADD location.d/ /etc/nginx/location.d/
+ADD server-available/ /etc/nginx/server-available/
 ADD upstreams-available/ /etc/nginx/upstreams-available/
 ADD locations-available/ /etc/nginx/locations-available/
 
 ADD admin/ /opt/devicehive/admin/
 
-RUN mkdir /etc/nginx/stream.d/
+RUN mkdir /etc/nginx/stream.d/ /etc/nginx/server.d/
 
 COPY proxy-start.sh /opt/devicehive/
 

proxy-start.sh

@@ -3,27 +3,24 @@
 set -e
 set -x
 
-if [ ! -f /etc/ssl/dhparam.pem ]
+if [ -f /etc/ssl/dhparam.pem -a -f /etc/ssl/ssl_certificate -a -f /etc/ssl/ssl_certificate_key ]
 then
-    # NOTE: we only need this if we want to support non-PFS ciphers
-    openssl dhparam -out /etc/ssl/dhparam.pem 2048
-fi
-
-if [ ! -f /etc/ssl/ssl_certificate -o ! -f /etc/ssl/ssl_certificate_key ]
-then
-    openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/ssl_certificate_key -out /etc/ssl/ssl_certificate -days 365 -nodes -subj '/CN=localhost' -sha256
+  echo "Found TLS certificate and key. Enabling TLS in nginx."
+  ln -sf /etc/nginx/server-available/ssl-parameters.conf /etc/nginx/server.d/
+else
+  echo "TLS certificate, key or DH parameters file not found. Starting nginx without TLS support."
 fi
 
 echo resolver $(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf) ";" > /etc/nginx/resolvers.conf
 
 # Enable dh_plugin configuration only if dh_plugin resolvable
 getent hosts dh_plugin \
-  && ln -s /etc/nginx/upstreams-available/plugin_upstream.conf /etc/nginx/upstream.d/plugin_upstream.conf \
-  && ln -s /etc/nginx/locations-available/plugin_location.conf /etc/nginx/location.d/plugin_location.conf
+  && ln -sf /etc/nginx/upstreams-available/plugin_upstream.conf /etc/nginx/upstream.d/ \
+  && ln -sf /etc/nginx/locations-available/plugin_location.conf /etc/nginx/location.d/
 
 # Enable wsproxyext configuration only if wsproxyext resolvable
 getent hosts wsproxyext \
-  && ln -s /etc/nginx/upstreams-available/wsproxyext.conf /etc/nginx/upstream.d/wsproxyext.conf \
-  && ln -s /etc/nginx/locations-available/wsproxyext.conf /etc/nginx/location.d/wsproxyext.conf
+  && ln -sf /etc/nginx/upstreams-available/wsproxyext.conf /etc/nginx/upstream.d/ \
+  && ln -sf /etc/nginx/locations-available/wsproxyext.conf /etc/nginx/location.d/
 
 nginx

server.d/ssl-parameters.conf renamed to server-available/ssl-parameters.conf

@@ -8,6 +8,7 @@ ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+# NOTE: we only need this if we want to support non-PFS ciphers
 ssl_dhparam /etc/ssl/dhparam.pem;
 
 # intermediate configuration. tweak to your needs.