From 4a25abade80e3a9e64196cc940bfd51a561168a6 Mon Sep 17 00:00:00 2001 From: Kyle Spearrin Date: Fri, 4 Aug 2017 12:21:13 -0400 Subject: [PATCH] docker support --- .gitignore | 3 +- bitwarden-core.sln | 11 ++- docker/Docker.dcproj | 14 ++++ docker/docker-compose.yml | 46 ++++++++++++ docker/global.env | 6 ++ docker/mssql.env | 3 + nginx/Dockerfile | 9 +++ nginx/default.conf | 73 +++++++++++++++++++ nginx/nginx.conf | 134 +++++++++++++++++++++++++++++++++++ scripts/install.sh | 11 +++ src/Api/.dockerignore | 3 + src/Api/Api.csproj | 1 + src/Api/Dockerfile | 26 +++++++ src/Identity/.dockerignore | 3 + src/Identity/Dockerfile | 26 +++++++ src/Identity/Identity.csproj | 1 + 16 files changed, 368 insertions(+), 2 deletions(-) create mode 100644 docker/Docker.dcproj create mode 100644 docker/docker-compose.yml create mode 100644 docker/global.env create mode 100644 docker/mssql.env create mode 100644 nginx/Dockerfile create mode 100644 nginx/default.conf create mode 100644 nginx/nginx.conf create mode 100644 scripts/install.sh create mode 100644 src/Api/.dockerignore create mode 100644 src/Api/Dockerfile create mode 100644 src/Identity/.dockerignore create mode 100644 src/Identity/Dockerfile diff --git a/.gitignore b/.gitignore index ea045d05a..936864b96 100644 --- a/.gitignore +++ b/.gitignore @@ -202,4 +202,5 @@ project.lock.json mail_dist/ *.refactorlog *.scmp -src/Core/Properties/launchSettings.json \ No newline at end of file +src/Core/Properties/launchSettings.json +*.override.env \ No newline at end of file diff --git a/bitwarden-core.sln b/bitwarden-core.sln index 1e4fb5789..418a36727 100644 --- a/bitwarden-core.sln +++ b/bitwarden-core.sln @@ -1,7 +1,7 @@  Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio 15 -VisualStudioVersion = 15.0.26430.13 +VisualStudioVersion = 15.0.26724.1 MinimumVisualStudioVersion = 10.0.40219.1 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{DD5BD056-4AAE-43EF-BBD2-0B569B8DA84D}" EndProject @@ -28,6 +28,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Billing", "src\Billing\Bill EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Identity", "src\Identity\Identity.csproj", "{04148736-3C0B-445E-8B74-2020E7A53502}" EndProject +Project("{E53339B2-1760-4266-BCC7-CA923CBCF16C}") = "Docker", "docker\Docker.dcproj", "{026DDB58-F0DB-4089-8168-83015AF785AE}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -60,6 +62,10 @@ Global {04148736-3C0B-445E-8B74-2020E7A53502}.Debug|Any CPU.Build.0 = Debug|Any CPU {04148736-3C0B-445E-8B74-2020E7A53502}.Release|Any CPU.ActiveCfg = Release|Any CPU {04148736-3C0B-445E-8B74-2020E7A53502}.Release|Any CPU.Build.0 = Release|Any CPU + {026DDB58-F0DB-4089-8168-83015AF785AE}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {026DDB58-F0DB-4089-8168-83015AF785AE}.Debug|Any CPU.Build.0 = Debug|Any CPU + {026DDB58-F0DB-4089-8168-83015AF785AE}.Release|Any CPU.ActiveCfg = Release|Any CPU + {026DDB58-F0DB-4089-8168-83015AF785AE}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -72,4 +78,7 @@ Global {02BC2982-ED8D-4A6D-A41E-092B3DAEB98A} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84D} {04148736-3C0B-445E-8B74-2020E7A53502} = {DD5BD056-4AAE-43EF-BBD2-0B569B8DA84D} EndGlobalSection + GlobalSection(ExtensibilityGlobals) = postSolution + SolutionGuid = {E01CBF68-2E20-425F-9EDB-E0A6510CA92F} + EndGlobalSection EndGlobal diff --git a/docker/Docker.dcproj b/docker/Docker.dcproj new file mode 100644 index 000000000..53500d856 --- /dev/null +++ b/docker/Docker.dcproj @@ -0,0 +1,14 @@ + + + + 2.0 + Linux + 026ddb58-f0db-4089-8168-83015af785ae + True + http://localhost:{ServicePort} + api + + + + + \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml new file mode 100644 index 000000000..f6a54c12a --- /dev/null +++ b/docker/docker-compose.yml @@ -0,0 +1,46 @@ +version: '3' + +services: + mssql: + image: microsoft/mssql-server-linux + container_name: mssql + restart: always + volumes: + - mssql_data:/var/opt/mssql/data + env_file: + - mssql.env + - mssql.override.env + ports: + - '1433:1433' + + api: + image: api + container_name: api + restart: always + build: ../src/Api + env_file: + - global.env + - global.override.env + + identity: + image: identity + container_name: identity + restart: always + build: ../src/Identity + env_file: + - global.env + - global.override.env + + nginx: + image: nginx + container_name: nginx + restart: always + build: ../nginx + volumes: + - c:/bitwarden/letsencrypt:/etc/letsencrypt + ports: + - '80:80' + - '443:443' + +volumes: + mssql_data: diff --git a/docker/global.env b/docker/global.env new file mode 100644 index 000000000..e92cb6651 --- /dev/null +++ b/docker/global.env @@ -0,0 +1,6 @@ +ASPNETCORE_ENVIRONMENT=Production +globalSettings:selfHosted=true +globalSettings:baseServiceUri:vault=http://localhost +globalSettings:baseServiceUri:api=http://localhost/api +globalSettings:baseServiceUri:identity=http://localhost/identity +globalSettings:baseServiceUri:identityInternal=http://identity diff --git a/docker/mssql.env b/docker/mssql.env new file mode 100644 index 000000000..38b064e96 --- /dev/null +++ b/docker/mssql.env @@ -0,0 +1,3 @@ +ACCEPT_EULA=Y +MSSQL_PID=Express +SA_PASSWORD=SECRET diff --git a/nginx/Dockerfile b/nginx/Dockerfile new file mode 100644 index 000000000..e86c662f4 --- /dev/null +++ b/nginx/Dockerfile @@ -0,0 +1,9 @@ +FROM nginx:stable + +RUN rm /etc/nginx/nginx.conf +COPY nginx.conf /etc/nginx/nginx.conf + +RUN rm /etc/nginx/conf.d/default.conf +COPY default.conf /etc/nginx/conf.d/default.conf + +CMD ["nginx", "-g", "daemon off;"] \ No newline at end of file diff --git a/nginx/default.conf b/nginx/default.conf new file mode 100644 index 000000000..d655e1d16 --- /dev/null +++ b/nginx/default.conf @@ -0,0 +1,73 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + server_name bw.kylespearrin.com; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name bw.kylespearrin.com; + + ssl_certificate /etc/letsencrypt/live/bw.kylespearrin.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/bw.kylespearrin.com/privkey.pem; + + ssl_session_timeout 30m; + ssl_session_cache shared:SSL:20m; + ssl_session_tickets off; + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits + ssl_dhparam /etc/letsencrypt/live/bw.kylespearrin.com/dhparam.pem; + + # SSL protocols TLS v1~TLSv1.2 are allowed. Disabed SSLv3 + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH"; + # enables server-side protection from BEAST attacks + ssl_prefer_server_ciphers on; + + # OCSP Stapling --- + # fetch OCSP records from URL in ssl_certificate and cache them + ssl_stapling on; + ssl_stapling_verify on; + + ## verify chain of trust of OCSP response using Root CA and Intermediate certs + ssl_trusted_certificate /etc/letsencrypt/live/bw.kylespearrin.com/fullchain.pem; + + resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s; + + # Headers + + # X-Frame-Options is to prevent from clickJacking attack + #add_header X-Frame-Options SAMEORIGIN; + + # disable content-type sniffing on some browsers. + add_header X-Content-Type-Options nosniff; + + # This header enables the Cross-site scripting (XSS) filter + add_header X-XSS-Protection "1; mode=block"; + + # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack + #add_header Strict-Transport-Security max-age=15768000; + + location /api/ { + proxy_pass http://api/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Url-Scheme $scheme; + proxy_redirect off; + } + + location /identity/ { + proxy_pass http://identity/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Url-Scheme $scheme; + proxy_redirect off; + } +} diff --git a/nginx/nginx.conf b/nginx/nginx.conf new file mode 100644 index 000000000..988ca8025 --- /dev/null +++ b/nginx/nginx.conf @@ -0,0 +1,134 @@ +# nginx Configuration File +# http://wiki.nginx.org/Configuration + +# Run as a less privileged user for security reasons. +# user www www; + +# How many worker threads to run; +# "auto" sets it to the number of CPU cores available in the system, and +# offers the best performance. Don't set it higher than the number of CPU +# cores if changing this parameter. + +# The maximum number of connections for Nginx is calculated by: +# max_clients = worker_processes * worker_connections +worker_processes auto; + +# Maximum open file descriptors per process; +# should be > worker_connections. +worker_rlimit_nofile 8192; + +events { + # When you need > 8000 * cpu_cores connections, you start optimizing your OS, + # and this is probably the point at which you hire people who are smarter than + # you, as this is *a lot* of requests. + worker_connections 8000; +} + +# Default error log file +# (this is only used when you don't override error_log on a server{} level) +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +http { + + # Hide nginx version information. + server_tokens off; + + # Define the MIME types for files. + include mime.types; + default_type application/octet-stream; + + # Update charset_types due to updated mime.types + charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml; + + # Format to use in log files + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # Default log file + # (this is only used when you don't override access_log on a server{} level) + access_log /var/log/nginx/access.log main; + + # How long to allow each connection to stay idle; longer values are better + # for each individual client, particularly for SSL, but means that worker + # connections are tied up longer. (Default: 65) + keepalive_timeout 20; + + # Speed up file transfers by using sendfile() to copy directly + # between descriptors rather than using read()/write(). + # For performance reasons, on FreeBSD systems w/ ZFS + # this option should be disabled as ZFS's ARC caches + # frequently used files in RAM by default. + sendfile on; + + # Tell Nginx not to send out partial frames; this increases throughput + # since TCP frames are filled up before being sent out. (adds TCP_CORK) + tcp_nopush on; + + + # Compression + + # Enable Gzip compressed. + gzip on; + + # Compression level (1-9). + # 5 is a perfect compromise between size and cpu usage, offering about + # 75% reduction for most ascii files (almost identical to level 9). + gzip_comp_level 5; + + # Don't compress anything that's already small and unlikely to shrink much + # if at all (the default is 20 bytes, which is bad as that usually leads to + # larger files after gzipping). + gzip_min_length 256; + + # Compress data even for clients that are connecting to us via proxies, + # identified by the "Via" header (required for CloudFront). + gzip_proxied any; + + # Tell proxies to cache both the gzipped and regular version of a resource + # whenever the client's Accept-Encoding capabilities header varies; + # Avoids the issue where a non-gzip capable client (which is extremely rare + # today) would display gibberish if their proxy gave them the gzipped version. + gzip_vary on; + + # Compress all output labeled with one of the following MIME-types. + gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy; + # text/html is always compressed by HttpGzipModule + + # This should be turned on if you are going to have pre-compressed copies (.gz) of + # static files available. If not it should be left off as it will cause extra I/O + # for the check. It is best if you enable this in a location{} block for + # a specific directory, or on an individual server{} level. + # gzip_static on; + + # Include files in the sites-enabled folder. server{} configuration files should be + # placed in the sites-available folder, and then the configuration should be enabled + # by creating a symlink to it in the sites-enabled folder. + # See doc/sites-enabled.md for more info. + include conf.d/*.conf; +} diff --git a/scripts/install.sh b/scripts/install.sh new file mode 100644 index 000000000..f10d683da --- /dev/null +++ b/scripts/install.sh @@ -0,0 +1,11 @@ +dotnet publish ../src/Api/Api.csproj -f netcoreapp2.0 -o obj/Docker/publish -c "Release" +dotnet publish ../src/Identity/Identity.csproj -f netcoreapp2.0 -o obj/Docker/publish -c "Release" + +docker-compose pull +docker-compose down + +#mkdir -p c:/bitwarden/letsencrypt/live +#docker run -it --rm -p 80:80 -v c:/bitwarden/letsencrypt:/etc/letsencrypt/ certbot/certbot certonly --standalone --noninteractive --preferred-challenges http --email kyle.spearrin@gmail.com --agree-tos -d bw.kylespearrin.com +#openssl dhparam -out c:/bitwarden/letsencrypt/live/bw.kylespearrin.com/dhparam.pem 2048 + +docker-compose up -d diff --git a/src/Api/.dockerignore b/src/Api/.dockerignore new file mode 100644 index 000000000..d8f8175f6 --- /dev/null +++ b/src/Api/.dockerignore @@ -0,0 +1,3 @@ +* +!obj/Docker/publish/* +!obj/Docker/empty/ diff --git a/src/Api/Api.csproj b/src/Api/Api.csproj index 72a4f8022..d5aaef9d8 100644 --- a/src/Api/Api.csproj +++ b/src/Api/Api.csproj @@ -6,6 +6,7 @@ Api Bit.Api bitwarden-Api + ..\..\docker\Docker.dcproj diff --git a/src/Api/Dockerfile b/src/Api/Dockerfile new file mode 100644 index 000000000..ef35ddac3 --- /dev/null +++ b/src/Api/Dockerfile @@ -0,0 +1,26 @@ +FROM microsoft/dotnet:2.0.0-preview2-runtime-jessie + +# FROM https://github.com/aspnet/aspnet-docker/blob/master/1.1/jessie/runtime/Dockerfile + +# set up network +ENV ASPNETCORE_URLS http://+:80 + +# set env var for packages cache +ENV DOTNET_HOSTING_OPTIMIZATION_CACHE /packagescache + +# set up package cache and other tools +RUN for version in '1.1.2' '1.1.3'; do \ + curl -o /tmp/aspnetcore.cache.$version.tar.gz \ + https://dist.asp.net/packagecache/$version/debian.8-x64/aspnetcore.cache.tar.gz \ + && mkdir -p /packagescache && cd /packagescache \ + && tar xf /tmp/aspnetcore.cache.$version.tar.gz \ + && rm /tmp/aspnetcore.cache.$version.tar.gz; \ +done + +# Custom + +ARG source +WORKDIR /app +EXPOSE 80 +COPY ${source:-obj/Docker/publish} . +ENTRYPOINT ["dotnet", "Api.dll"] diff --git a/src/Identity/.dockerignore b/src/Identity/.dockerignore new file mode 100644 index 000000000..d8f8175f6 --- /dev/null +++ b/src/Identity/.dockerignore @@ -0,0 +1,3 @@ +* +!obj/Docker/publish/* +!obj/Docker/empty/ diff --git a/src/Identity/Dockerfile b/src/Identity/Dockerfile new file mode 100644 index 000000000..e87caa5ee --- /dev/null +++ b/src/Identity/Dockerfile @@ -0,0 +1,26 @@ +FROM microsoft/dotnet:2.0.0-preview2-runtime-jessie + +# FROM https://github.com/aspnet/aspnet-docker/blob/master/1.1/jessie/runtime/Dockerfile + +# set up network +ENV ASPNETCORE_URLS http://+:80 + +# set env var for packages cache +ENV DOTNET_HOSTING_OPTIMIZATION_CACHE /packagescache + +# set up package cache and other tools +RUN for version in '1.1.2' '1.1.3'; do \ + curl -o /tmp/aspnetcore.cache.$version.tar.gz \ + https://dist.asp.net/packagecache/$version/debian.8-x64/aspnetcore.cache.tar.gz \ + && mkdir -p /packagescache && cd /packagescache \ + && tar xf /tmp/aspnetcore.cache.$version.tar.gz \ + && rm /tmp/aspnetcore.cache.$version.tar.gz; \ +done + +# Custom + +ARG source +WORKDIR /app +EXPOSE 80 +COPY ${source:-obj/Docker/publish} . +ENTRYPOINT ["dotnet", "Identity.dll"] diff --git a/src/Identity/Identity.csproj b/src/Identity/Identity.csproj index b3252d517..d8e8b58ba 100644 --- a/src/Identity/Identity.csproj +++ b/src/Identity/Identity.csproj @@ -6,6 +6,7 @@ Identity Bit.Identity bitwarden-Identity + ..\..\docker\Docker.dcproj