@Spindel
Created April 16, 2017 16:18
containerised caramel

Caramel setup instructions

This setup assumes Docker containers. We're using it on CoreOS, but any host that runs Docker will do.

This setup is more involved than the simplest possible one, but it's production ready.

  1. Set up a new host and point a DNS name at it
  2. Set up an HTTP proxy so a LetsEncrypt cert can be issued
  3. Set up LetsEncrypt for the public infra (HTTPS to the CA server)
  4. Set up the caramel server

variables to replace below:

CA_HOSTNAME=ca.kub.modio.se
CA_MAIL=spider@modio.se

Copy nginx.http.conf and nginx.https.conf to the server (the docker commands below mount them from /home/core/).

The steps below are all done on your CA server.

Certs volume for LetsEncrypt. Ephemeral: the container is only created, never started; it just holds the volumes shared by the other containers.

docker create --name certs \
  -v /var/www/html \
  -v /etc/letsencrypt \
  quay.io/letsencrypt/letsencrypt

Nginx-http frontend for LetsEncrypt

docker run -d \
  -p 80:80 \
  --name nginx-http \
  --volumes-from certs \
  -v /home/core/nginx.http.conf:/etc/nginx/nginx.conf \
  nginx

Get a LetsEncrypt cert for the CA domain

docker run -it \
  --name letsencrypt \
  --volumes-from certs \
  quay.io/letsencrypt/letsencrypt \
  certonly \
  --noninteractive \
  --agree-tos \
  --webroot \
  --webroot-path /var/www/html \
  -m $CA_MAIL \
  -d $CA_HOSTNAME

Caramel CA generation / start

This creates your CA, asks questions about the rules, and generates your CA-cert

docker run -d \
  --expose 80 \
  --volume=/srv/caramel:/data:rw \
  --name caramel \
  modioab/caramel

Caramel CA HTTPS proxy (using the LetsEncrypt cert)

docker run -d \
  -p 443:443 \
  --name nginx-tls \
  --link caramel \
  --volumes-from certs  \
  -v /home/core/nginx.https.conf:/etc/nginx/nginx.conf \
  nginx

Test renewal

docker run -it \
  --rm=true \
  --name certbot-renew \
  --volumes-from certs \
  quay.io/letsencrypt/letsencrypt \
  renew --dry-run

Put the command below in a timer unit

docker run -it \
  --rm=true \
  --name certbot-renew \
  --volumes-from certs \
  quay.io/letsencrypt/letsencrypt \
  renew
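As an added example that is not part of the original gist: a systemd service and timer pair that runs the renew command above on a CoreOS host. The unit names, the schedule and the nginx reload step are assumptions; the reload is needed because nginx-tls only reads the certificate files when it starts or is reloaded, so a renewed cert would otherwise sit unused in the certs volume.

```ini
# /etc/systemd/system/certbot-renew.service   (constructed example; unit name is an assumption)
[Unit]
Description=Renew the LetsEncrypt certificate for the caramel CA proxy
After=docker.service
Requires=docker.service

[Service]
Type=oneshot
# Remove a leftover container from a previous run; the leading "-" ignores failure when none exists.
ExecStartPre=-/usr/bin/docker rm -f certbot-renew
# Same renew command as above. "-it" is dropped: there is no terminal under systemd and it would fail.
ExecStart=/usr/bin/docker run --rm=true --name certbot-renew --volumes-from certs quay.io/letsencrypt/letsencrypt renew
# nginx only loads certificate files at start/reload, so tell the TLS frontend to re-read them.
ExecStartPost=/usr/bin/docker exec nginx-tls nginx -s reload

# /etc/systemd/system/certbot-renew.timer   (constructed example; schedule is an assumption)
[Unit]
Description=Run certbot-renew twice a day

[Timer]
# Twice daily with a random delay, as recommended for certbot renew; it only renews when close to expiry.
OnCalendar=*-*-* 03,15:30:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
```

Install both files under /etc/systemd/system, then run `systemctl daemon-reload && systemctl enable --now certbot-renew.timer`; `systemctl list-timers` shows the next scheduled run.
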

nginx.http.conf

user nginx;
worker_processes 1;
error_log stderr warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    'msec:$msec upstream:$upstream_response_time request:$request_time '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /dev/stdout main;

    sendfile on;
    #tcp_nopush on;
    gzip on;

    server {
        listen 80;
        listen [::]:80;
        server_name ca.kub.modio.se;

        # ACME http-01 challenge files, written by the letsencrypt container into the shared certs volume
        location /.well-known {
            root /var/www/html;
        }

        # everything else is sent to the TLS frontend
        location / {
            return 301 https://$host$request_uri;
        }
    }
}
nginx.https.conf

user nginx;
worker_processes 1;
error_log stderr;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # get CN
    # This regex expects the legacy slash-separated DN form ("/C=SE/CN=name"). Since nginx 1.11.6
    # $ssl_client_s_dn uses RFC 2253 form ("CN=name,C=SE"); the old form is in $ssl_client_s_dn_legacy.
    # Either way the variable is only populated when ssl_verify_client is enabled, which this config does not set.
    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default "should_not_happen";
        ~/CN=(?<CN>[^/]+) $CN;
    }

    log_format tls '$remote_addr - $remote_user [$time_local] "$request" '
                   '$status $body_bytes_sent "$http_referer" '
                   'msec:$msec upstream:$upstream_response_time request:$request_time '
                   '"$http_user_agent" "$http_x_forwarded_for" '
                   '"$ssl_client_verify" "$ssl_client_s_dn"';
    access_log /dev/stdout tls;

    sendfile on;
    keepalive_timeout 75s;

    # compresses every proxied response over TLS; keep BREACH in mind if responses ever reflect secrets next to user input
    gzip on;
    gzip_types *;
    gzip_proxied any;
    gzip_min_length 0;

    ssl_session_timeout 2h;
    ssl_session_cache shared:SSL:200m;
    ssl_protocols TLSv1.2;

    server {
        # TLS is enabled by the "ssl" parameter on listen; the separate "ssl on;" directive
        # is redundant here and has been removed from newer nginx releases.
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name ca.kub.modio.se;

        # certificate files from the shared certs volume, written by the letsencrypt container
        ssl_certificate /etc/letsencrypt/live/ca.kub.modio.se/fullchain.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/ca.kub.modio.se/chain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ca.kub.modio.se/privkey.pem;
        ssl_session_timeout 1d;
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=63072000;";

        # strip out and discard anything already set here.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # ACME challenge files, same shared volume as the http frontend
        location /.well-known {
            root /var/www/html;
        }

        # everything else goes to the caramel container over the docker link
        location / {
            proxy_pass http://caramel:80;
            proxy_read_timeout 60;
        }
    }
}