Merge pull request #6 from kekru/auto-create-certs

create certs on startup and use stream instead of http

Author: kekru

.dockerignore

@@ -0,0 +1,2 @@
+cert-data
+certs

.gitignore

@@ -0,0 +1,3 @@
+cert-data
+certs
+temp

Dockerfile

@@ -1,4 +1,15 @@
-FROM nginx:alpine
-MAINTAINER Kevin Krummenauer <[email protected]>
-COPY resources/nginx-cert.conf /etc/nginx/conf.d/nginx-cert.conf
-RUN sed -i 's/user\s*nginx;/user root;/g' /etc/nginx/nginx.conf
+FROM nginx:1.15.12-alpine
+LABEL MAINTAINER="Kevin Krummenauer <[email protected]>"
+RUN apk add --no-cache openssl
+
+COPY resources /script
+
+RUN cp /script/nginx-cert.conf /etc/nginx/nginx.conf \
+ && chmod +x /script/create-certs.sh /script/entrypoint.sh
+
+ENV CREATE_CERTS_WITH_PW="" \
+    CERTS_DIR=/data/certs \
+    CERT_HOSTNAME="myserver.example.com"
+
+ENTRYPOINT ["/script/entrypoint.sh"]
+CMD ["nginx", "-g", "daemon off;"]

README.md

@@ -1,24 +1,67 @@
 # Docker Remote API with TLS client authentication via container
+
 This images makes you publish your Docker Remote API by a container.  
 A client must authenticate with a client-TLS certificate.  
-This is an alternative way, instead of configuring TLS on Docker directly.  
+This is an alternative way, instead of [configuring TLS on Docker directly](https://gist.github.com/kekru/974e40bb1cd4b947a53cca5ba4b0bbe5).  
+
+## Remote Api with external CA, certificates and key
 
-## Create CA, certificates and keys  
 First you need a CA and certs and keys for your Docker server and the client.  
+
 Create them as shown here [Protect the Docker daemon socket](https://docs.docker.com/engine/security/https/).  
 Or create the files with this script [create-certs.sh](https://github.com/kekru/linux-utils/blob/master/cert-generate/create-certs.sh). Read [Create certificate files](https://gist.github.com/kekru/974e40bb1cd4b947a53cca5ba4b0bbe5#create-certificate-files) for information on how to use the script.
 
-## Start Container  
-Copy the following files in a directory. The directory will me mounted in the container. 
+Copy the following files in a directory. The directory will me mounted in the container.  
+
 ```bash
-ca-cert.pem 
-server-cert.pem 
+ca-cert.pem
+server-cert.pem
 server-key.pem
 ```
 
 The files `cert.pem` and `key.pem` are certificate and key for the client. The client will also need the `ca-cert.pem`.  
 
-Now run the container:  
-`docker run --name remote-api-tls -d -p 2376:443 -v <local cert dir>:/data/certs:ro -v /var/run/docker.sock:/var/run/docker.sock:ro whiledo/docker-remote-api-tls`  
+Create a docker-compose.yml file:
 
+```yml
+version: "3.4"
+services:
+  remote-api:
+    image: kekru/docker-remote-api-tls:v0.2.0
+    ports:
+     - 2376:443
+    volumes:
+     - <local cert dir>:/data/certs:ro
+     - /var/run/docker.sock:/var/run/docker.sock:ro
+```
+
+Now run the container with `docker-compose up -d` or `docker stack deploy --compose-file=docker-compose.yml remoteapi`.  
 Your Docker Remote API is available on port 2376 via https. The client needs to authenticate via `cert.pem` and `key.pem`.
+
+## Remote Api with auto generating CA, certificates and keys
+
+The docker-remote-api image can generate CA, certificates and keys for you automatically.  
+Create a docker-compose.yml file, specifying a password and the hostname, on which the remote api will be accessible later on. The hostname will be written to the server's certificate.
+
+```yml
+version: "3.4"
+services:
+  remote-api:
+    image: kekru/docker-remote-api-tls:v0.2.0
+    ports:
+     - 2376:443
+    environment:
+     - CREATE_CERTS_WITH_PW=supersecret
+     - CERT_HOSTNAME=remote-api.example.com
+    volumes:
+     - <local cert dir>:/data/certs
+     - /var/run/docker.sock:/var/run/docker.sock:ro
+```
+
+Now run the container with `docker-compose up -d` or `docker stack deploy --compose-file=docker-compose.yml remoteapi`.  
+Certificates will be creates in `<local cert dir>`.  
+You will find the client-certs in `<local cert dir>/client/`. The files are `ca.pem`, `cert.pem` and `key.pem`.  
+
+## Setup client
+
+See [Run commands on remote Docker host](https://gist.github.com/kekru/4e6d49b4290a4eebc7b597c07eaf61f2) for instructions how to setup a client to communicate with the remote api.

docker-compose.yml

@@ -0,0 +1,35 @@
+x-sharedConfig: &sharedConfig
+  logging:
+    driver: "json-file"
+    options:
+      max-size: "500k"
+      max-file: "10"
+
+x-sharedDeployConfig: &sharedDeployConfig
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 150M
+        reservations:
+          cpus: '0.1'
+          memory: 5M
+
+version: "3.4"
+
+services:
+  remote-api:
+    <<: *sharedConfig
+    image: kekru/docker-remote-api-tls:temp
+    ports:
+     - 8443:443
+    environment:
+     - CREATE_CERTS_WITH_PW=supersecret
+     - CERT_HOSTNAME=abc.127.0.0.1.nip.io
+    volumes:
+     - ./certs:/data/certs
+     - /var/run/docker.sock:/var/run/docker.sock:ro
+    deploy:
+      <<: *sharedDeployConfig
+      placement:
+        constraints:
+          - node.role == manager

resources/create-certs.sh

@@ -0,0 +1,132 @@
+#!/bin/sh
+#see https://docs.docker.com/engine/security/https/
+
+EXPIRATIONDAYS=700
+CASUBJSTRING="/C=GB/ST=London/L=London/O=ExampleCompany/OU=IT/CN=example.com/[email protected]"
+
+while [[ $# -gt 1 ]]
+do
+key="$1"
+
+case $key in
+    -m|--mode)
+    MODE="$2"
+    shift 
+    ;;
+    -h|--hostname)
+    NAME="$2"
+    shift 
+    ;;
+    -hip|--hostip)
+    SERVERIP="$2"
+    shift 
+    ;;    
+    -pw|--password)
+    PASSWORD="$2"
+    shift 
+    ;;
+    -t|--targetdir)
+    TARGETDIR="$2"
+    shift 
+    ;;    
+    -e|--expirationdays)
+    EXPIRATIONDAYS="$2"
+    shift 
+    ;;    
+    --ca-subj)
+    CASUBJSTRING="$2"
+    shift 
+    ;; 
+    *)
+            # unknown option
+    ;;
+esac
+shift 
+done
+
+echo "Mode $MODE"
+echo "Host/Clientname $NAME"
+echo "Host IP $SERVERIP"
+echo "Targetdir $TARGETDIR"
+echo "Expiration $EXPIRATIONDAYS"
+
+programname=$0
+
+function usage {
+    echo "usage: $programname -m ca -h example.de [-hip 1.2.3.4] -pw my-secret -t /target/dir [-e 365]"
+    echo "  -m|--mode                 'ca' to create CA, 'server' to create server cert, 'client' to create client cert"
+    echo "  -h|--hostname|-n|--name   DNS hostname for the server or name of client"
+    echo "  -hip|--hostip             host's IP - default: none"
+    echo "  -pw|--password            Password for CA Key generation"
+    echo "  -t|--targetdir            Targetdir for certfiles and keys"
+    echo "  -e|--expirationdays       certificate expiration in day - default: 700 days"    
+    echo "  --ca-subj                 subj string for ca cert - default: Example String..."
+    exit 1
+}
+
+function createCA {
+    openssl genrsa -aes256 -passout pass:$PASSWORD -out $TARGETDIR/ca-key.pem 4096
+    openssl req -passin pass:$PASSWORD -new -x509 -days $EXPIRATIONDAYS -key $TARGETDIR/ca-key.pem -sha256 -out $TARGETDIR/ca.pem -subj $CASUBJSTRING
+    
+    chmod 0400 $TARGETDIR/ca-key.pem
+    chmod 0444 $TARGETDIR/ca.pem
+}
+
+function checkCAFilesExist {
+    if [[ ! -f "$TARGETDIR/ca.pem" || ! -f "$TARGETDIR/ca-key.pem" ]]; then
+        echo "$TARGETDIR/ca.pem or $TARGETDIR/ca-key.pem not found. Create CA first with '-m ca'"
+        exit 1
+    fi
+}
+
+function createServerCert {
+    checkCAFilesExist
+
+    if [[ -z $SERVERIP ]]; then
+        IPSTRING=""
+    else
+        IPSTRING=",IP:$SERVERIP"
+    fi
+
+    openssl genrsa -out $TARGETDIR/server-key.pem 4096
+    openssl req -subj "/CN=$NAME" -new -key $TARGETDIR/server-key.pem -out $TARGETDIR/server.csr
+    echo "subjectAltName = DNS:$NAME$IPSTRING" > $TARGETDIR/extfile.cnf
+    openssl x509 -passin pass:$PASSWORD -req -days $EXPIRATIONDAYS -in $TARGETDIR/server.csr -CA $TARGETDIR/ca.pem -CAkey $TARGETDIR/ca-key.pem -CAcreateserial -out $TARGETDIR/server-cert.pem -extfile $TARGETDIR/extfile.cnf
+
+    rm $TARGETDIR/server.csr $TARGETDIR/extfile.cnf $TARGETDIR/ca.srl
+    chmod 0400 $TARGETDIR/server-key.pem
+    chmod 0444 $TARGETDIR/server-cert.pem
+}
+
+function createClientCert {
+    checkCAFilesExist
+
+    openssl genrsa -out $TARGETDIR/client-key.pem 4096
+    openssl req -subj "/CN=$NAME" -new -key $TARGETDIR/client-key.pem -out $TARGETDIR/client.csr
+    echo "extendedKeyUsage = clientAuth" > $TARGETDIR/extfile.cnf
+    openssl x509 -passin pass:$PASSWORD -req -days $EXPIRATIONDAYS -in $TARGETDIR/client.csr -CA $TARGETDIR/ca.pem -CAkey $TARGETDIR/ca-key.pem -CAcreateserial -out $TARGETDIR/client-cert.pem -extfile $TARGETDIR/extfile.cnf
+
+    rm $TARGETDIR/client.csr $TARGETDIR/extfile.cnf $TARGETDIR/ca.srl
+    chmod 0400 $TARGETDIR/client-key.pem
+    chmod 0444 $TARGETDIR/client-cert.pem
+
+    mv $TARGETDIR/client-key.pem $TARGETDIR/client-$NAME-key.pem
+    mv $TARGETDIR/client-cert.pem $TARGETDIR/client-$NAME-cert.pem 
+}
+
+
+if [[ -z $MODE || -z $PASSWORD || -z $TARGETDIR ]]; then
+    usage   
+fi
+
+mkdir -p $TARGETDIR
+
+if [[ $MODE = "ca" ]]; then 
+    createCA
+elif [[ $MODE = "server" ]]; then
+    createServerCert
+elif [[ $MODE = "client" ]]; then
+    createClientCert
+else
+    usage
+fi

resources/entrypoint.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+if [ -n $CREATE_CERTS_WITH_PW ]; then
+  if [ -z "$(ls -A $CERTS_DIR)" ]; then
+
+    echo "Create CA cert"
+    /script/create-certs.sh -m ca -pw $CREATE_CERTS_WITH_PW -t $CERTS_DIR -e 900
+    echo "Create server cert"
+    /script/create-certs.sh -m server -h $CERT_HOSTNAME -pw $CREATE_CERTS_WITH_PW -t $CERTS_DIR -e 365
+    echo "Create client cert"
+    /script/create-certs.sh -m client -h testClient -pw $CREATE_CERTS_WITH_PW -t $CERTS_DIR -e 365
+
+    mkdir $CERTS_DIR/client
+    mv $CERTS_DIR/ca.pem $CERTS_DIR/ca-cert.pem
+    cp $CERTS_DIR/ca-cert.pem $CERTS_DIR/client/ca.pem
+    mv $CERTS_DIR/client-testClient-cert.pem $CERTS_DIR/client/cert.pem
+    mv $CERTS_DIR/client-testClient-key.pem $CERTS_DIR/client/key.pem
+    chmod 444 $CERTS_DIR/client/key.pem
+
+  else
+  
+    echo "$CERTS_DIR is not empty. Not creating certs."
+  fi
+fi
+
+exec "$@"

resources/nginx-cert.conf

@@ -1,15 +1,24 @@
-server {
-    client_max_body_size 0;
-    listen 443;
-    ssl on;
-    server_name localhost;
-
-    ssl_certificate      /data/certs/server-cert.pem;
-    ssl_certificate_key  /data/certs/server-key.pem;
+user  root;
+worker_processes  1;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+
+stream {
+  server {
+    listen 443 ssl;
+
+    ssl_certificate        /data/certs/server-cert.pem;
+    ssl_certificate_key    /data/certs/server-key.pem;
     ssl_client_certificate /data/certs/ca-cert.pem;
     ssl_verify_client on;
-
-    location / {
-        proxy_pass http://unix:/var/run/docker.sock:/;
-    }
+   
+    proxy_pass unix:/var/run/docker.sock;
+  }
 }

test/localConnect.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# call this file with source localConnect.sh
+
+unset DOCKER_HOST
+unset DOCKER_TLS_VERIFY
+unset DOCKER_CERT_PATH

test/remoteConnect.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# call this file with source remoteConnect.sh
+
+export DOCKER_HOST=abc.127.0.0.1.nip.io:8443
+export DOCKER_TLS_VERIFY=1
+export DOCKER_CERT_PATH=$(pwd)/certs/client