Basic SSL support for inner and outer nginx + for ajax with new doors

2c49dfe2 · Romain Loth · 4d011cea · 2c49dfe2 · 2c49dfe2 · 2c49dfe2
Commit 2c49dfe2 authored Jan 25, 2017 by Romain Loth
5 changed files
--- a/setup/comex_and_registration.nginx_deployed.conf
+++ b/setup/comex_and_registration.nginx_deployed.conf
@@ -3,9 +3,17 @@
 server {
    listen 80 ;
    listen [::]:80 ;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    # SSL certificates
+        # self-signed certificates for the moment
+        include snippets/snakeoil.conf;
+
+        # uncomment future certificates for https://communityexplorer.org
+        # ssl_certificate /etc/ssl/cert/ssl-future-comex.pem;
+        # ssl_certificate_key /etc/ssl/private/ssl-future-comex.key;

    # server_name communityexplorer.org;
-    server_name _ ;

    # get the logs in a custom place
    # (adapt paths)

--- a/setup/dockers/comex2_services/Dockerfile
+++ b/setup/dockers/comex2_services/Dockerfile
@@ -14,7 +14,7 @@ RUN dpkg-reconfigure locales

 # Install global dependencies and utilities
 RUN apt update && apt autoclean
-RUN apt install -y python3-pip libmysqlclient-dev git nano tree iputils-ping nginx-full php7.0-fpm php7.0-mysql
+RUN apt install -y python3-pip libmysqlclient-dev git nano tree iputils-ping nginx-full php7.0-fpm php7.0-mysql ssl-cert

 # Configure php fpm to allow environment variables (uncomment removing the ';')
 RUN mv /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/www.conf.bak
@@ -53,6 +53,4 @@ CMD bash run.sh

 # nginx server (redirecting to php AND services)
 EXPOSE 80
-
-# TODO SSL configuration
 EXPOSE 443
--- a/setup/dockers/comex2_services/comex2_php_and_services.nginx.conf
+++ b/setup/dockers/comex2_services/comex2_php_and_services.nginx.conf
@@ -4,10 +4,17 @@ server {
    listen 80 default_server;
    listen [::]:80 default_server;

-    # TODO SSL configuration
-    # listen 443 ssl default_server;
-    # listen [::]:443 ssl default_server;
-    # include snippets/snakeoil.conf;
+    # SSL
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    # SSL certificates
+        # self-signed certificates for the moment
+        include snippets/snakeoil.conf;
+
+        # uncomment future certificates for https://communityexplorer.org
+        # ssl_certificate /etc/ssl/cert/ssl-future-comex.pem;
+        # ssl_certificate_key /etc/ssl/private/ssl-future-comex.key;

    root /comex2;

@@ -17,6 +24,7 @@ server {
    # we'll be using php but still index is an html file in comex2 anyway
    index index.html;

+
    # TODO check if this is not too permissive
    server_name _;


--- a/setup/dockers/docker-compose.yml
+++ b/setup/dockers/docker-compose.yml
@@ -35,6 +35,9 @@
         - ../../config:/comex2/config
         # similar logic used to expose inner logs
         - ../../logs:/comex2/logs
+         # and to pass the ssl keys
+         - /etc/ssl/certs/:/etc/ssl/certs/
+         - /etc/ssl/private/:/etc/ssl/private/
        environment:
            # override values from parametres_comex.ini
            # for a double reason:

--- a/static/js/comex_user_shared_auth.js
+++ b/static/js/comex_user_shared_auth.js
@@ -326,10 +326,13 @@ cmxClt = (function(cC) {
                    "name":     nameStr
                }

+            var scheme = cC.uauth.protoDoors ? 'http' : 'https'
+
            $.ajax({
                contentType: cC.uauth.protoDoors ? "application/json" : "application/x-www-form-urlencoded; charset=UTF-8",
                dataType: 'json',
-                url: "http://"+cC.uauth.doorsConnectParam+"/api/" + apiAction,
+
+                url: scheme + "://"+cC.uauth.doorsConnectParam+"/api/" + apiAction,
                data: cC.uauth.protoDoors ? JSON.stringify(sendData) : sendData,
                type: 'POST',
                // traditional: !cC.uauth.protoDoors,