Razique Mahroua
2019-11-28 4f5bede83c2dda41582e846b90c2e2d46bfade21
Add SSL support and documentation on how to use the container
6 files added
2 files modified
298 ■■■■ changed files
todo-angular/Dockerfile 9 ●●●● patch | view | raw | blame | history
todo-angular/README.md 44 ●●●●● patch | view | raw | blame | history
todo-angular/nginx/conf.d/ssl.conf 48 ●●●●● patch | view | raw | blame | history
todo-angular/nginx/dhparam.pem 8 ●●●●● patch | view | raw | blame | history
todo-angular/nginx/nginx.conf 65 ●●●●● patch | view | raw | blame | history
todo-angular/src/assets/js/app/domain/todoitems.js 72 ●●●● patch | view | raw | blame | history
todo-angular/ssl/certs/tls.crt 24 ●●●●● patch | view | raw | blame | history
todo-angular/ssl/certs/tls.key 28 ●●●●● patch | view | raw | blame | history
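--- a/todo-angular/Dockerfile
+++ b/todo-angular/Dockerfile
@@ -10,7 +10,12 @@
   nginx nginx-mod-http-perl \
   && yum clean all
-COPY nginx.conf /etc/nginx/
+COPY nginx/nginx.conf /etc/nginx/nginx.conf
+# SSL - these two directive install the SSL configuration file
+# This copies the Diffie-Hellman settings. Used by NGinx
+COPY nginx/dhparam.pem /etc/ssl/conf/dhparam.pem
+COPY nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf
+## End of SSL
 RUN touch /run/nginx.pid \
   && chgrp -R nginx /var/log/nginx /run/nginx.pid \
@@ -18,7 +23,7 @@
 COPY src/ /usr/share/nginx/html
-EXPOSE 8080
+EXPOSE 8080 8443
 USER nginx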
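Review bot: `COPY nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf` makes the TLS server block unconditional, and that block references `/usr/local/etc/ssl/certs/tls.crt` and `tls.key`, which nothing in this Dockerfile puts into the image; nginx refuses to start when an `ssl_certificate` file is missing, so every run of this image, including the README's "HTTP mode", presumably requires the `ssl/certs` volume mount. Either document that requirement next to `EXPOSE 8080 8443` or make the TLS block opt-in, for example through an entrypoint that only enables `conf.d/ssl.conf` when both files exist. The comment could also state the runtime contract, e.g. `# TLS: install the DH parameters and the 8443 server block; certificate and key are expected at /usr/local/etc/ssl/certs at run time`.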
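--- /dev/null
+++ b/todo-angular/README.md
@@ -0,0 +1,44 @@
+## About this container
+This container deploys a stand-alone To Do application written in AngularJS.
+The web server supports both HTTP and HTTPs connection.
+## How to build
+Run the following command to build the container image:
+`$ podman build -t do280/todo-angular:latest .`
+The current application provides a self-signed certificate in `ssl`. Their names
+would match the certificates name in OpenShift.
+If you need to regenerate a self-signed certificate,run the following command:
+`$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt`
+If you need to recreate a Diffie-Hellman group, run the following command:
+`$ openssl dhparam -out dhparam.pem 2048`
+## How to run
+### In HTTP mode
+`podman run --userns keep-id  -v ./ssl/certs:/usr/local/etc/ssl/certs:Z --name todo -p 8080:8080 do280/todo-angular:latest`
+### In HTTPs mode
+`podman run --userns keep-id  -v ./ssl/certs:/usr/local/etc/ssl/certs:Z --name todo -p 8443:8443 do280/todo-angular:latest`
+### Disable HTTPs support
+If you need to disable HTTPs support, run the following steps:
+  1. In `Dockerfile` -- comment lines 16 and 17:
+  ```
+  # COPY nginx/dhparam.pem /etc/ssl/conf/dhparam.pem
+  # COPY nginx/conf.d/ssl.conf /etc/nginx/conf.d/ssl.conf
+  ```
+  2. In `nginx/nginx.conf`comment line 36
+  ```
+  # include /etc/nginx/conf.d/*.conf;
+  ```
+  3. Rebuild the image:
+  ```
+  `$ podman build -t do280/todo-angular:latest .`
+  ```
+  4. Run the following command to create the container:
+  ```
+  `$ podman run --name todo -p 8080:8080 do280/todo-angular:latest`
+  ```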
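--- /dev/null
+++ b/todo-angular/nginx/conf.d/ssl.conf
@@ -0,0 +1,48 @@
+server {
+    listen 8443 http2 ssl;
+    listen [::]:8443 http2 ssl;
+    server_name  _;
+    root         /usr/share/nginx/html;
+    ssl_certificate /usr/local/etc/ssl/certs/tls.crt;
+    ssl_certificate_key /usr/local/etc/ssl/certs/tls.key;
+    ssl_dhparam /etc/ssl/conf/dhparam.pem;
+    ########################################################################
+    # from https://cipherli.st/                                            #
+    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
+    ########################################################################
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_ecdh_curve secp384r1;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+    # Disable preloading HSTS for now.  You can use the commented out header line that includes
+    # the "preload" directive if you understand the implications.
+    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    ##################################
+    # END https://cipherli.st/ BLOCK #
+    ##################################
+    location / {
+    }
+    error_page 404 /404.html;
+    location = /404.html {
+    }
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+    }
+}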
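Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated and disabled by default in current clients; the cipher list already contains nothing those versions need, so the directive can be `ssl_protocols TLSv1.2;`. This server block also omits the `sub_filter_types application/javascript;`, `sub_filter '_BACKEND_' $backend;` and `sub_filter_once off;` directives the 8080 server in nginx.conf sets, so responses over 8443 would presumably serve JavaScript with `_BACKEND_` unreplaced unless those directives are applied elsewhere. `ssl_stapling on` with `ssl_stapling_verify on` has no effect for the self-signed certificate the README describes, and the accompanying `resolver 8.8.8.8 8.8.4.4` makes the container depend on an external resolver at run time; both can be dropped until a CA-issued certificate is in use.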
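--- /dev/null
+++ b/todo-angular/nginx/dhparam.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAngpO95MkTY4tq05n3c4PWrsZbGdQBuKrOm8u8RzMRr1LgLvSHcZ3
+JHEpWwa78Iwh1Wu5U0rjSC/37ooN6qUB7dY++zulaF+r3UPABu2VVp5Hi48i2n6z
+xAAOj4kci9GvFnqZQGTx+1Vx1ICnRgpKc0CaCgMlGZ6aNP5Q8pW1V08uzH80xG9G
+djDnhyJIY7QKDIJuavJ1AOikzM4tYlliDoIaE2H9P2nNqiIhD8HdS/8TXfr2NLiB
+OGWC8E6ro3SWl/x1Anwg5Hy7YGBrLMDRZkPeoU6gFb2Y2DCnHA8ANLMgr05P6Ue8
+C15kRTtRE1waYY/NKoGWxHGcwMZLaeT5UwIBAg==
+-----END DH PARAMETERS-----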
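--- /dev/null
+++ b/todo-angular/nginx/nginx.conf
@@ -0,0 +1,65 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+env BACKEND_HOST;
+worker_processes auto;
+error_log stderr;
+pid /run/nginx.pid;
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+events {
+    worker_connections 1024;
+}
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 2048;
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/default.d/*.conf;
+    include /etc/nginx/conf.d/*.conf;
+    perl_set $backend 'sub { return $ENV{"BACKEND_HOST"}; }';
+    server {
+        listen       8080 default_server;
+        listen       [::]:8080 default_server;
+        server_name  _;
+        root         /usr/share/nginx/html;
+        # Load configuration files for the default server block.
+        # include /etc/nginx/conf.d/*.conf;
+        sub_filter_types application/javascript;
+        sub_filter '_BACKEND_' $backend;
+        sub_filter_once off;
+        location / {
+        }
+        error_page 404 /404.html;
+            location = /40x.html {
+        }
+        error_page 500 502 503 504 /50x.html;
+            location = /50x.html {
+        }
+    }
+}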
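Review bot: `error_page 404 /404.html;` names `/404.html` while the location that follows is `location = /40x.html {`, so that location can never serve the 404 page; conf.d/ssl.conf uses `/404.html` for both directives and this block should match it, `location = /404.html {`. `sub_filter '_BACKEND_' $backend;` splices the `BACKEND_HOST` environment variable verbatim into every served JavaScript file, and nothing here constrains it to a hostname, so a value containing a quote or a closing script tag would break or alter the script; a comment above `perl_set`, e.g. `# BACKEND_HOST is inserted unescaped into served JS; deployment must restrict it to a plain host[:port] value`, would make that contract explicit. The 8080 server also lacks the `X-Frame-Options` and `X-Content-Type-Options` headers that ssl.conf adds, so plain-HTTP responses carry fewer protections than TLS ones; if both listeners are meant to stay, the headers belong at `http` level so both inherit them.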
todo-angular/src/assets/js/app/domain/todoitems.js
@@ -19,41 +19,25 @@
        var todoItems = [
            {
                description: 'Buy bread',
                category: 'Domestic',
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: 1.75,
                notes: "Buy from Budgens\nor failing that from Tesco's"
            },
            {
                description: 'Buy milk',
                category: 'Domestic',
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: 0.75,
                notes: null
            },
            {
                description: 'Buy stamps',
                category: 'Domestic',
                complete: true,
                dueBy: randomInNextFortnight(),
                cost: 10.00,
                notes: null
            },
            {
                description: 'Mow lawn',
                description: 'Take OpenShift training',
                category: 'Domestic',
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: null,
                notes: "Take OpenShift DO280 course"
            },
            {
                description: 'Book exam',
                category: 'Domestic',
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: 200,
                notes: null
            },
            {
                description: 'Organize brown bag',
                category: 'Professional',
                complete: false,
                description: 'Read James Joyce',
                category: 'Domestic',
                complete: true,
                dueBy: randomInNextFortnight(),
                cost: null,
                notes: null
@@ -64,30 +48,6 @@
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: 7.50,
                notes: null
            },
            {
                description: 'Sharpen knives',
                category: 'Domestic',
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: null,
                notes: null
            },
            {
                description: 'Stage Isis release',
                category: 'Professional',
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: null,
                notes: null
            },
            {
                description: 'Submit conference session',
                category: 'Professional',
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: null,
                notes: null
            },
            {
@@ -102,14 +62,6 @@
                description: 'Write blog post',
                category: 'Professional',
                complete: true,
                dueBy: randomInNextFortnight(),
                cost: null,
                notes: null
            },
            {
                description: 'Write to penpal',
                category: 'Other',
                complete: false,
                dueBy: randomInNextFortnight(),
                cost: null,
                notes: null
todo-angular/ssl/certs/tls.crt
New file
@@ -0,0 +1,24 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
todo-angular/ssl/certs/tls.key
New file
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
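Review bot: `tls.key` is a private key committed to the repository, which exposes it to everyone with read access and keeps it in every clone's history; even though the README describes the pair as self-signed, a private key should not be versioned. Remove the file from the commit, add `ssl/certs/*.key` to `.gitignore`, and have users generate the pair locally with the `openssl req` command the README already gives or mount it from an OpenShift Secret at deploy time; treat this key as disclosed and regenerate it before any use. The Dockerfile does not `COPY` the `ssl/` directory, so the key only reaches the container through the runtime volume mount, which is the right direction and should stay that way.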