nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

convert setup to use config.yml

Browse Source
This commit is contained in:
Kyle Spearrin
2018-08-30 11:35:44 -04:00
parent a1f0f04660
commit 310e6bcf61
14 changed files with 954 additions and 646 deletions
Download Patch File Download Diff File Expand all files Collapse all files

210
util/Setup/NginxConfigBuilder.cs
View File

@ -16,177 +16,99 @@ namespace Bit.Setup
"child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
"connect-src 'self' wss://{0} https://haveibeenpwned.com https://api.pwnedpasswords.com;";
public NginxConfigBuilder(string domain, string url, bool ssl, bool selfSignedSsl, bool letsEncrypt,
bool trusted, bool diffieHellman)
{
Domain = domain;
Url = url;
Ssl = ssl;
SelfSignedSsl = selfSignedSsl;
LetsEncrypt = letsEncrypt;
Trusted = trusted;
DiffieHellman = diffieHellman;
}
private readonly Context _context;
public NginxConfigBuilder(string domain, string url)
public NginxConfigBuilder(Context context)
{
Domain = domain;
Url = url;
_context = context;
}
public bool Ssl { get; private set; }
public bool SelfSignedSsl { get; private set; }
public bool LetsEncrypt { get; private set; }
public string Domain { get; private set; }
public string Url { get; private set; }
public bool DiffieHellman { get; private set; }
public bool Trusted { get; private set; }
public void BuildForInstaller()
{
Build();
var model = new TemplateModel(_context);
if(model.Ssl && !_context.Config.SslManagedLetsEncrypt)
{
var sslPath = _context.Install.SelfSignedCert ?
$"/etc/ssl/self/{model.Domain}" : $"/etc/ssl/{model.Domain}";
_context.Config.SslCertificatePath = model.CertificatePath =
string.Concat(sslPath, "/", "certificate.crt");
_context.Config.SslKeyPath = model.KeyPath =
string.Concat(sslPath, "/", "private.key");
if(_context.Install.Trusted)
{
_context.Config.SslCaPath = model.CaPath =
string.Concat(sslPath, "/", "ca.crt");
}
if(_context.Install.DiffieHellman)
{
_context.Config.SslDiffieHellmanPath = model.DiffieHellmanPath =
string.Concat(sslPath, "/", "dhparam.pem");
}
}
Build(model);
}
public void BuildForUpdater()
{
if(File.Exists(ConfFile))
{
var confContent = File.ReadAllText(ConfFile);
Ssl = confContent.Contains("ssl http2;");
SelfSignedSsl = confContent.Contains("/etc/ssl/self/");
LetsEncrypt = !SelfSignedSsl && confContent.Contains("/etc/letsencrypt/live/");
DiffieHellman = confContent.Contains("/dhparam.pem;");
Trusted = confContent.Contains("ssl_trusted_certificate ");
}
Build();
var model = new TemplateModel(_context);
Build(model);
}
private void Build()
private void Build(TemplateModel model)
{
Directory.CreateDirectory("/bitwarden/nginx/");
var sslPath = LetsEncrypt ? $"/etc/letsencrypt/live/{Domain}" :
SelfSignedSsl ? $"/etc/ssl/self/{Domain}" : $"/etc/ssl/{Domain}";
var certFile = LetsEncrypt ? "fullchain.pem" : "certificate.crt";
var keyFile = LetsEncrypt ? "privkey.pem" : "private.key";
var caFile = LetsEncrypt ? "fullchain.pem" : "ca.crt";
Console.WriteLine("Building nginx config.");
if(!_context.Config.GenerateNginxConfig)
{
Console.WriteLine("...skipped");
return;
}
var template = Helpers.ReadTemplate("NginxConfig");
using(var sw = File.CreateText(ConfFile))
{
sw.WriteLine($@"# Config Parameters
# Parameter:Ssl={Ssl}
# Parameter:SelfSignedSsl={SelfSignedSsl}
# Parameter:LetsEncrypt={LetsEncrypt}
# Parameter:Domain={Domain}
# Parameter:Url={Url}
# Parameter:DiffieHellman={DiffieHellman}
# Parameter:Trusted={Trusted}
sw.WriteLine(template(model));
}
}
server {{
listen 8080 default_server;
listen [::]:8080 default_server;
server_name {Domain};");
public class TemplateModel
{
public TemplateModel() { }
public TemplateModel(Context context)
{
Ssl = context.Config.Ssl;
Domain = context.Config.Domain;
Url = context.Config.Url;
if(Ssl)
{
sw.WriteLine($@" return 301 {Url}$request_uri;
}}
server {{
listen 8443 ssl http2;
listen [::]:8443 ssl http2;
server_name {Domain};
ssl_certificate {sslPath}/{certFile};
ssl_certificate_key {sslPath}/{keyFile};
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets off;");
if(DiffieHellman)
if(context.Config.SslManagedLetsEncrypt)
{
sw.WriteLine($@"
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam {sslPath}/dhparam.pem;");
var sslPath = $"/etc/letsencrypt/live/{Domain}";
CertificatePath = CaPath = string.Concat(sslPath, "/", "fullchain.pem");
KeyPath = string.Concat(sslPath, "/", "privkey.pem");
DiffieHellmanPath = string.Concat(sslPath, "/", "dhparam.pem");
}
sw.WriteLine($@"
# SSL protocol TLSv1.2 is allowed. Disabled SSLv3, TLSv1, and TLSv1.1
ssl_protocols TLSv1.2;
# Enable most secure cipher suites only.
ssl_ciphers ""{SslCiphers}"";
# Enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;");
if(Trusted)
else
{
sw.WriteLine($@"
# OCSP Stapling ---
# Fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate {sslPath}/{caFile};
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
add_header Strict-Transport-Security max-age=15768000;");
CertificatePath = context.Config.SslCertificatePath;
KeyPath = context.Config.SslKeyPath;
CaPath = context.Config.SslCaPath;
DiffieHellmanPath = context.Config.SslDiffieHellmanPath;
}
}
sw.WriteLine($@"
location / {{
proxy_pass http://web:5000/;
# Security headers
#add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection ""1; mode=block"";
add_header Referrer-Policy same-origin;
add_header Content-Security-Policy ""{string.Format(ContentSecurityPolicy, Domain)}"";
}}
location = /app-id.json {{
proxy_pass http://web:5000/app-id.json;
proxy_hide_header Content-Type;
add_header Content-Type $fido_content_type;
}}
location /attachments/ {{
proxy_pass http://attachments:5000/;
}}
location /api/ {{
proxy_pass http://api:5000/;
}}
location /identity/ {{
proxy_pass http://identity:5000/;
}}
location /icons/ {{
proxy_pass http://icons:5000/;
}}
location /notifications/ {{
proxy_pass http://notifications:5000/;
}}
location /notifications/hub {{
proxy_pass http://notifications:5000/hub;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
}}
location /admin {{
proxy_pass http://admin:5000;
}}
}}");
}
public bool Ssl { get; set; }
public string Domain { get; set; }
public string Url { get; set; }
public string CertificatePath { get; set; }
public string KeyPath { get; set; }
public string CaPath { get; set; }
public string DiffieHellmanPath { get; set; }
public string ContentSecurityPolicy => string.Format(NginxConfigBuilder.ContentSecurityPolicy, Domain);
public string SslCiphers => NginxConfigBuilder.SslCiphers;
}
}
}