diff --git a/Dockerfile b/Dockerfile
index 0673bed..2903cfe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,21 +8,17 @@ LABEL org.label-schema.url="https://devicehive.com" \
 org.label-schema.name="devicehive-proxy" \
 org.label-schema.version="$DH_PROXY_VERSION"
-RUN apt-get update && \
- apt-get install -y openssl && \
- rm -rf /var/lib/apt/lists/*
-
 ADD nginx.conf /etc/nginx/nginx.conf
-ADD server.d/ /etc/nginx/server.d/
 ADD upstream.d/ /etc/nginx/upstream.d/
 ADD location.d/ /etc/nginx/location.d/
+ADD server-available/ /etc/nginx/server-available/
 ADD upstreams-available/ /etc/nginx/upstreams-available/
 ADD locations-available/ /etc/nginx/locations-available/
 ADD admin/ /opt/devicehive/admin/
-RUN mkdir /etc/nginx/stream.d/
+RUN mkdir /etc/nginx/stream.d/ /etc/nginx/server.d/
 COPY proxy-start.sh /opt/devicehive/
diff --git a/proxy-start.sh b/proxy-start.sh
index 2908173..c7d6c09 100755
--- a/proxy-start.sh
+++ b/proxy-start.sh
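Review bot: The added `ADD server-available/ /etc/nginx/server-available/` keeps using ADD for a plain local directory while the last context line of the same hunk already uses `COPY proxy-start.sh /opt/devicehive/`; COPY is the documented preference for local content because ADD additionally unpacks archives and fetches remote URLs, which is more than this copy needs (hadolint DL3020). The new line would read `COPY server-available/ /etc/nginx/server-available/`, and the neighbouring ADD lines could be switched in the same pass for consistency. Dropping the openssl package from the image is a reasonable consequence of moving certificate provisioning out of the container, but the runtime fallback it leaves behind is raised on the proxy-start.sh hunk.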
@@ -3,27 +3,24 @@
 set -e
 set -x
-if [ ! -f /etc/ssl/dhparam.pem ]
+if [ -f /etc/ssl/dhparam.pem -a -f /etc/ssl/ssl_certificate -a -f /etc/ssl/ssl_certificate_key ]
 then
- # NOTE: we only need this if we want to support non-PFS ciphers
- openssl dhparam -out /etc/ssl/dhparam.pem 2048
-fi
-
-if [ ! -f /etc/ssl/ssl_certificate -o ! -f /etc/ssl/ssl_certificate_key ]
-then
- openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/ssl_certificate_key -out /etc/ssl/ssl_certificate -days 365 -nodes -subj '/CN=localhost' -sha256
+ echo "Found TLS certificate and key. Enabling TLS in nginx."
+ ln -sf /etc/nginx/server-available/ssl-parameters.conf /etc/nginx/server.d/
+else
+ echo "TLS certificate, key or DH parameters file not found. Starting nginx without TLS support."
 fi
 echo resolver $(awk 'BEGIN{ORS=" "} $1=="nameserver" {print $2}' /etc/resolv.conf) ";" > /etc/nginx/resolvers.conf
 # Enable dh_plugin configuration only if dh_plugin resolvable
 getent hosts dh_plugin \
- && ln -s /etc/nginx/upstreams-available/plugin_upstream.conf /etc/nginx/upstream.d/plugin_upstream.conf \
- && ln -s /etc/nginx/locations-available/plugin_location.conf /etc/nginx/location.d/plugin_location.conf
+ && ln -sf /etc/nginx/upstreams-available/plugin_upstream.conf /etc/nginx/upstream.d/ \
+ && ln -sf /etc/nginx/locations-available/plugin_location.conf /etc/nginx/location.d/
 # Enable wsproxyext configuration only if wsproxyext resolvable
 getent hosts wsproxyext \
- && ln -s /etc/nginx/upstreams-available/wsproxyext.conf /etc/nginx/upstream.d/wsproxyext.conf \
- && ln -s /etc/nginx/locations-available/wsproxyext.conf /etc/nginx/location.d/wsproxyext.conf
+ && ln -sf /etc/nginx/upstreams-available/wsproxyext.conf /etc/nginx/upstream.d/ \
+ && ln -sf /etc/nginx/locations-available/wsproxyext.conf /etc/nginx/location.d/
 nginx
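Review bot: Partially mounted TLS material now degrades silently to plaintext: the new condition enables TLS only when all three files exist, so a deployment that mounts the certificate but forgets the key (or the DH parameters) falls into the `else` branch and nginx serves HTTP only, where the old code regenerated whatever was missing. A certificate or key that is present but incomplete is almost certainly an operator error, so it is safer to exit non-zero there and name the missing files on stderr, keeping the plaintext fallback only when no certificate and no key are present at all. The `-a` operator inside `[ ]` is also marked obsolescent by POSIX and flagged by ShellCheck (SC2166); the loop below avoids it. Proposed replacement for the if/else block:
```shell
missing=""
for f in /etc/ssl/dhparam.pem /etc/ssl/ssl_certificate /etc/ssl/ssl_certificate_key; do
    if [ ! -f "$f" ]; then missing="$missing $f"; fi
done
if [ -z "$missing" ]
then
    echo "Found TLS certificate and key. Enabling TLS in nginx."
    ln -sf /etc/nginx/server-available/ssl-parameters.conf /etc/nginx/server.d/
elif [ -f /etc/ssl/ssl_certificate ] || [ -f /etc/ssl/ssl_certificate_key ]
then
    # Some TLS material was mounted but not all of it: fail closed rather than serve plaintext.
    echo "Incomplete TLS configuration, missing:$missing" >&2
    exit 1
else
    echo "TLS certificate, key or DH parameters file not found. Starting nginx without TLS support."
fi
# … unchanged: resolver generation, dh_plugin and wsproxyext enablement, nginx …
```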
diff --git a/server.d/ssl-parameters.conf b/server-available/ssl-parameters.conf
similarity index 95%
rename from server.d/ssl-parameters.conf
rename to server-available/ssl-parameters.conf
index d12bf24..8482a29 100644
--- a/server.d/ssl-parameters.conf
+++ b/server-available/ssl-parameters.conf
@@ -8,6 +8,7 @@ ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+# NOTE: we only need this if we want to support non-PFS ciphers
 ssl_dhparam /etc/ssl/dhparam.pem;
 # intermediate configuration. tweak to your needs.
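Review bot: The added comment is misleading in a TLS-hardening file: `ssl_dhparam` feeds the DHE ciphersuites named in the comment directly above it, and DHE does provide forward secrecy, so "non-PFS" is presumably meant as "non-ECDHE" (finite-field DHE). Suggested wording: `# NOTE: only needed while the cipher list still includes finite-field DHE suites; an ECDHE-only list can omit ssl_dhparam`. The wording was carried over from the block removed in proxy-start.sh, so this is the only place it now needs correcting.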