nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

setup for ssl certs

Browse Source
This commit is contained in:
Kyle Spearrin
2017-08-08 14:35:31 -04:00
parent e70323b59e
commit 7cf54b0e4c
6 changed files with 89 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
docker/docker-compose.linux.yml
View File

@ -18,4 +18,4 @@ services:
volumes: volumes:
- /etc/bitwarden/nginx:/etc/bitwarden/nginx - /etc/bitwarden/nginx:/etc/bitwarden/nginx
- /etc/bitwarden/letsencrypt:/etc/letsencrypt - /etc/bitwarden/letsencrypt:/etc/letsencrypt
- /etc/bitwarden/ssl:/etc/certificates - /etc/bitwarden/ssl:/etc/ssl

2
docker/docker-compose.override.yml
View File

@ -18,6 +18,6 @@ services:
volumes: volumes:
- c:/bitwarden/nginx:/etc/bitwarden/nginx - c:/bitwarden/nginx:/etc/bitwarden/nginx
- c:/bitwarden/letsencrypt:/etc/letsencrypt - c:/bitwarden/letsencrypt:/etc/letsencrypt
- c:/bitwarden/ssl:/etc/certificates - c:/bitwarden/ssl:/etc/ssl
volumes: volumes:
mssql_data: mssql_data:

2
docker/docker-compose.windows.yml
View File

@ -18,6 +18,6 @@ services:
volumes: volumes:
- c:/bitwarden/nginx:/etc/bitwarden/nginx - c:/bitwarden/nginx:/etc/bitwarden/nginx
- c:/bitwarden/letsencrypt:/etc/letsencrypt - c:/bitwarden/letsencrypt:/etc/letsencrypt
- c:/bitwarden/ssl:/etc/certificates - c:/bitwarden/ssl:/etc/ssl
volumes: volumes:
mssql_data: mssql_data:

19
scripts/setup.ps1
View File

@ -1,18 +1,19 @@
param ( param (
[string]$outputDir = "c:/bitwarden", [string]$outputDir = "c:/bitwarden",
[string]$domain = $( Read-Host "Please enter your domain name (i.e. bitwarden.company.com)" ), [string]$domain = $( Read-Host "Enter your domain name (i.e. bitwarden.company.com)" ),
[string]$email = $( Read-Host "Please enter your email address: " ), [string]$email = $( Read-Host "Enter your email address" ),
[string]$letsencrypt = $( Read-Host "Generate Let's Encrypt Cert (y/n)" ) [string]$letsencrypt = $( Read-Host "Do you want to use Let's Encrypt to generate a free SSL certificate? (y/n)" )
) )
docker --version
$dockerDir="../docker" $dockerDir="../docker"
$databasePassword=-join ((48..57) + (97..122) | Get-Random -Count 32 | % {[char]$_}) $databasePassword=-join ((48..57) + (97..122) | Get-Random -Count 32 | % {[char]$_})
docker --version if($letsencrypt -eq "y") {
mkdir -p $outputDir/letsencrypt/live/$domain
#mkdir -p $outputDir/letsencrypt/live/$domain docker run -it --rm -p 80:80 -v $outputDir/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $email --agree-tos -d $domain
#docker run -it --rm -p 80:80 -v $outputDir/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $email --agree-tos -d $domain }
#docker run -it --rm -v $outputDir/letsencrypt/live:/certificates/ bitwarden/openssl openssl dhparam -out /certificates/$domain/dhparam.pem 2048
docker run -it --rm -v ${outputDir}:/bitwarden bitwarden/setup dotnet Setup.dll -domain ${domain} -letsencrypt ${letsencrypt} -db_pass ${databasePassword} docker run -it --rm -v ${outputDir}:/bitwarden bitwarden/setup dotnet Setup.dll -domain ${domain} -letsencrypt ${letsencrypt} -db_pass ${databasePassword}

9
scripts/setup.sh
View File

@ -3,18 +3,19 @@ set -e
echo "Please enter your domain name (i.e. bitwarden.company.com): " echo "Please enter your domain name (i.e. bitwarden.company.com): "
read DOMAIN read DOMAIN
echo -e "\nPlease enter your email address (used to generate an HTTPS certificate with LetsEncrypt): " echo -e "\nPlease enter your email address: "
read EMAIL read EMAIL
echo -e "\nDo you want to use Let's Encrypt to generate a free SSL certificate (y/n)? "
read LETS_ENCRYPT
OUTPUT_DIR=./bitwarden OUTPUT_DIR=/etc/bitwarden
DATABASE_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32) DATABASE_PASSWORD=$(LC_ALL=C tr -dc A-Za-z0-9 </dev/urandom | head -c 32)
docker --version docker --version
#mkdir -p $OUTPUT_DIR/letsencrypt/live/$DOMAIN #mkdir -p $OUTPUT_DIR/letsencrypt/live/$DOMAIN
#docker run -it --rm -p 80:80 -v $OUTPUT_DIR/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $EMAIL --agree-tos -d $DOMAIN #docker run -it --rm -p 80:80 -v $OUTPUT_DIR/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email $EMAIL --agree-tos -d $DOMAIN
#docker run -it --rm -v $OUTPUT_DIR/letsencrypt/live:/certificates/ bitwarden/openssl openssl dhparam -out /certificates/$DOMAIN/dhparam.pem 2048
docker run -it --rm -v $OUTPUT_DIR:/bitwarden bitwarden/setup dotnet Setup.dll -domain $DOMAIN -letsencrypt y -db_pass $DATABASE_PASSWORD docker run -it --rm -v $OUTPUT_DIR:/bitwarden bitwarden/setup dotnet Setup.dll -domain $DOMAIN -letsencrypt $LETS_ENCRYPT -db_pass $DATABASE_PASSWORD
echo -e "\nSetup complete" echo -e "\nSetup complete"

87
util/Setup/Program.cs
View File

@ -14,6 +14,7 @@ namespace Setup
private static string _url = null; private static string _url = null;
private static string _identityCertPassword = null; private static string _identityCertPassword = null;
private static bool _ssl = false; private static bool _ssl = false;
private static bool _selfSignedSsl = false;
private static bool _letsEncrypt = false; private static bool _letsEncrypt = false;
public static void Main(string[] args) public static void Main(string[] args)
@ -27,10 +28,24 @@ namespace Setup
_parameters["letsencrypt"].ToLowerInvariant() == "y" : false; _parameters["letsencrypt"].ToLowerInvariant() == "y" : false;
_ssl = _letsEncrypt || (_parameters.ContainsKey("ssl") ? _ssl = _letsEncrypt || (_parameters.ContainsKey("ssl") ?
_parameters["ssl"].ToLowerInvariant() == "y" : false); _parameters["ssl"].ToLowerInvariant() == "y" : false);
_url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
_identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
_ssl = _letsEncrypt;
if(!_letsEncrypt)
{
Console.Write("Are you using your own SSL certificate? (y/n): ");
_ssl = Console.ReadLine().ToLowerInvariant() == "y";
if(_ssl)
{
Console.WriteLine("Make sure 'certificate.crt' and 'private.key' are provided in the " +
"appropriate directory (see setup instructions).");
}
}
_identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
MakeCerts(); MakeCerts();
_url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
BuildNginxConfig(); BuildNginxConfig();
BuildEnvironmentFiles(); BuildEnvironmentFiles();
BuildAppSettingsFiles(); BuildAppSettingsFiles();
@ -38,6 +53,29 @@ namespace Setup
private static void MakeCerts() private static void MakeCerts()
{ {
if(!_ssl)
{
Console.Write("Do you want to generate a self signed SSL certificate? (y/n): ");
if(Console.ReadLine().ToLowerInvariant() == "y")
{
Directory.CreateDirectory($"/bitwarden/ssl/self/{_domain}/");
Console.WriteLine("Generating self signed SSL certificate.");
_ssl = _selfSignedSsl = true;
Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " +
$"-keyout /bitwarden/ssl/self/{_domain}/private.key " +
$"-out /bitwarden/ssl/self/{_domain}/certificate.crt " +
$"-subj \"/C=US/ST=New York/L=New York/O=8bit Solutions LLC/OU=bitwarden/CN={_domain}\"");
}
}
if(_letsEncrypt)
{
Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{_domain}/");
Console.WriteLine("Generating DH ephemeral parameter.");
Exec($"openssl dhparam -out /bitwarden/letsencrypt/live/{_domain}/dhparam.pem 2048");
}
Console.WriteLine("Generating key for IdentityServer.");
Directory.CreateDirectory("/bitwarden/identity/"); Directory.CreateDirectory("/bitwarden/identity/");
Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " + Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
"-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950"); "-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
@ -54,12 +92,27 @@ namespace Setup
"ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:" + "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:" +
"AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH"; "AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
var dh = _letsEncrypt || var dh = _letsEncrypt;
(_parameters.ContainsKey("ssl_dh") ? _parameters["ssl_dh"].ToLowerInvariant() == "y" : false); if(_ssl && !_selfSignedSsl && !_letsEncrypt)
var trusted = _letsEncrypt || {
(_parameters.ContainsKey("ssl_trusted") ? _parameters["ssl_trusted"].ToLowerInvariant() == "y" : false); Console.Write("Use Diffie Hellman ephemeral parameters for SSL (requires dhparam.pem)? (y/n): ");
var certPath = _letsEncrypt ? $"/etc/letsencrypt/live/{_domain}" : $"/etc/certificates/{_domain}"; dh = Console.ReadLine().ToLowerInvariant() == "y";
}
var trusted = _letsEncrypt;
if(_ssl && !_selfSignedSsl && !_letsEncrypt)
{
Console.Write("Is this a trusted SSL certificate (requires ca.crt)? (y/n): ");
trusted = Console.ReadLine().ToLowerInvariant() == "y";
}
var sslPath = _letsEncrypt ? $"/etc/letsencrypt/live/{_domain}" :
_selfSignedSsl ? $"/etc/ssl/self/{_domain}" : $"/etc/ssl/{_domain}";
var certFile = _letsEncrypt ? "fullchain.pem" : "certificate.crt";
var keyFile = _letsEncrypt ? "privkey.pem" : "private.key";
var caFile = _letsEncrypt ? "fullchain.pem" : "ca.crt";
Console.WriteLine("Building nginx config.");
using(var sw = File.CreateText("/bitwarden/nginx/default.conf")) using(var sw = File.CreateText("/bitwarden/nginx/default.conf"))
{ {
sw.WriteLine($@"server {{ sw.WriteLine($@"server {{
@ -77,8 +130,8 @@ server {{
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
server_name {_domain}; server_name {_domain};
ssl_certificate {certPath}/fullchain.pem; ssl_certificate {sslPath}/{certFile};
ssl_certificate_key {certPath}/privkey.pem; ssl_certificate_key {sslPath}/{keyFile};
ssl_session_timeout 30m; ssl_session_timeout 30m;
ssl_session_cache shared:SSL:20m; ssl_session_cache shared:SSL:20m;
@ -88,7 +141,7 @@ server {{
{ {
sw.WriteLine($@" sw.WriteLine($@"
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam {certPath}/dhparam.pem;"); ssl_dhparam {sslPath}/dhparam.pem;");
} }
sw.WriteLine($@" sw.WriteLine($@"
@ -108,14 +161,17 @@ server {{
ssl_stapling_verify on; ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs ## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate {certPath}/fullchain.pem; ssl_trusted_certificate {sslPath}/{caFile};
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;"); resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;");
} }
sw.WriteLine($@" sw.WriteLine($@"
# Headers # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
add_header Strict-Transport-Security max-age=15768000;");
}
sw.WriteLine($@"
# X-Frame-Options is to prevent from clickJacking attack # X-Frame-Options is to prevent from clickJacking attack
add_header X-Frame-Options SAMEORIGIN; add_header X-Frame-Options SAMEORIGIN;
@ -128,11 +184,7 @@ server {{
# This header controls what referrer information is shared # This header controls what referrer information is shared
add_header Referrer-Policy same-origin; add_header Referrer-Policy same-origin;
# This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
add_header Strict-Transport-Security max-age=15768000;
# Content-Security-Policy is set via meta tag on the website so it is not included here"); # Content-Security-Policy is set via meta tag on the website so it is not included here");
}
sw.WriteLine($@" sw.WriteLine($@"
location / {{ location / {{
@ -177,6 +229,7 @@ server {{
private static void BuildEnvironmentFiles() private static void BuildEnvironmentFiles()
{ {
Console.WriteLine("Building docker environment override files.");
Directory.CreateDirectory("/bitwarden/docker/"); Directory.CreateDirectory("/bitwarden/docker/");
var dbPass = _parameters.ContainsKey("db_pass") ? _parameters["db_pass"].ToLowerInvariant() : "REPLACE"; var dbPass = _parameters.ContainsKey("db_pass") ? _parameters["db_pass"].ToLowerInvariant() : "REPLACE";
var dbConnectionString = "Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;" + var dbConnectionString = "Server=tcp:mssql,1433;Initial Catalog=vault;Persist Security Info=False;User ID=sa;" +
@ -205,6 +258,7 @@ SA_PASSWORD={dbPass}");
private static void BuildAppSettingsFiles() private static void BuildAppSettingsFiles()
{ {
Console.WriteLine("Building app settings.");
Directory.CreateDirectory("/bitwarden/web/"); Directory.CreateDirectory("/bitwarden/web/");
using(var sw = File.CreateText("/bitwarden/web/settings.js")) using(var sw = File.CreateText("/bitwarden/web/settings.js"))
{ {
@ -218,6 +272,7 @@ SA_PASSWORD={dbPass}");
private static void BuildAppId() private static void BuildAppId()
{ {
Console.WriteLine("Building FIDO U2F app id.");
Directory.CreateDirectory("/bitwarden/web/"); Directory.CreateDirectory("/bitwarden/web/");
using(var sw = File.CreateText("/bitwarden/web/app-id.json")) using(var sw = File.CreateText("/bitwarden/web/app-id.json"))
{ {