From ae1b1f9ea29b28ffdc7e3346fa81ded95c5f62e3 Mon Sep 17 00:00:00 2001
From: Maeve Andrews
Date: Fri, 25 Sep 2020 15:50:53 -0400
Subject: [PATCH 1/5] Add nginx container to serve ruleset files

---
 docker/Dockerfile | 10 ++++++++++
 docker/nginx.conf | 26 ++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 docker/Dockerfile
 create mode 100644 docker/nginx.conf

diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..5b8f1f8
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,10 @@
+# sha256 as of 2020-09-25 for mainline-alpine
+FROM nginx@sha256:4635b632d2aaf8c37c8a1cf76a1f96d11b899f74caa2c6946ea56d0a5af02c0c
+ARG timestamp
+
+COPY docker/nginx.conf /etc/nginx
+RUN mkdir -p /opt/nginx && chown nginx:nginx /opt/nginx
+
+USER nginx
+RUN mkdir -p /opt/nginx/run /opt/nginx/root/https-everywhere
+COPY index.html latest-rulesets-timestamp default.rulesets.${timestamp}.gz rulesets-signature.${timestamp}.sha256 /opt/nginx/root/https-everywhere
diff --git a/docker/nginx.conf b/docker/nginx.conf
new file mode 100644
index 0000000..a2f1442
--- /dev/null
+++ b/docker/nginx.conf
@@ -0,0 +1,26 @@
+pid /opt/nginx/run/nginx.pid;
+
+events {
+}
+
+http {
+ include /etc/nginx/mime.types;
+ sendfile on;
+
+ server {
+ listen 4080;
+ port_in_redirect off;
+
+ client_body_temp_path /opt/nginx/run/client_temp;
+ proxy_temp_path /opt/nginx/run/proxy_temp_path;
+ fastcgi_temp_path /opt/nginx/run/fastcgi_temp;
+ uwsgi_temp_path /opt/nginx/run/uwsgi_temp;
+ scgi_temp_path /opt/nginx/run/scgi_temp;
+
+ location / {
+ root /opt/nginx/root;
+ index index.html;
+ }
+ }
+}
+

From ea70129f33d93fd223af2f8f8f149c7e72ce1c4c Mon Sep 17 00:00:00 2001
From: Maeve Andrews
Date: Wed, 30 Sep 2020 14:19:02 -0400
Subject: [PATCH 2/5] Add make rule to test serving locally and notes in README

---
 Makefile | 11 +++++++++++
 README.md | 12 ++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)

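Review bot: The `FROM` line pins the base by bare digest, so the tag that digest was taken from survives only in the comment above it; `FROM nginx:mainline-alpine@sha256:4635b632d2aaf8c37c8a1cf76a1f96d11b899f74caa2c6946ea56d0a5af02c0c` keeps the same pin while recording the intended tag where readers and update tooling can see it. `ARG timestamp` sits above the two `RUN` lines, and a `RUN` after an `ARG` sees the value as an environment variable, so every new ruleset timestamp rebuilds the mkdir/chown layers; moving `ARG timestamp` to just above the final `COPY` keeps them cached. The final `COPY` runs after `USER nginx` but without `--chown`, so the ruleset files land owned by root and the nginx user can only read them — that is the right property for served content, and deserves a one-line comment such as `# no --chown: served files stay root-owned so the nginx user cannot modify them` so nobody "fixes" it later. An `EXPOSE 4080` would also document the port nginx.conf listens on.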
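Review bot: The `http` block never sets `server_tokens off;`, so the nginx version is reported in the `Server` header and on error pages; for a public ruleset endpoint that is free reconnaissance, and the one-liner belongs next to `sendfile on;`. The `proxy_temp_path /opt/nginx/run/proxy_temp_path;` name breaks the `*_temp` pattern of its four neighbours and looks like a slip — `proxy_temp_path /opt/nginx/run/proxy_temp;`. Nothing sets caching headers; if clients poll `latest-rulesets-timestamp` to discover new releases, an exact-match `location = /https-everywhere/latest-rulesets-timestamp` sending `Cache-Control: no-cache` would keep intermediaries from serving a stale timestamp, while the timestamped `.gz` and signature files are safe to cache indefinitely — whether this matters depends on what sits in front of the container, which the patch does not show.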
diff --git a/Makefile b/Makefile
index 7449389..2113e0e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,9 +1,20 @@
+timestamp := $(shell cat latest-rulesets-timestamp)
+image := fpf.local/securedrop-https-everywhere-ruleset:$(timestamp)
+
 .PHONY: test-key
 test-key: ## Generates a test key for development/testing purposes locally.
 openssl genrsa -out key.pem 4096
 openssl rsa -in key.pem -outform PEM -pubout -out public.pem
 python jwk.py > test-key.jwk
 
+.PHONY: serve
+serve: ## Builds Nginx container to serve generated files
+ @docker build --build-arg "timestamp=$(timestamp)" -t "$(image)" -f docker/Dockerfile .
+ @echo "=============================================================================="
+ @echo " Serving ruleset at http://localhost:4080/https-everywhere/ "
+ @echo "=============================================================================="
+ @docker run --rm -p 4080 "$(image)"
+
 .PHONY: help
 help:
 @grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
diff --git a/README.md b/README.md
index b681316..10e2a76 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,14 @@ For the production rules this signing must be done via the official signing cere
 
 Once you have the signature, place the files to serve in the root of the git tree in this repository, and then update the directory listing in `index.html` using the `update_index.sh` shell script in this directory.
 
-Inspect the diff. If it looks good, commit the resulting `index.html` and all files to be served.
+# Verifying
 
-Upon merge the ruleset release will be live.
+Inspect the diff. If it looks good, commit the resulting `index.html` and all files to be served. To test locally, run
+
+ make serve
+
+And configure your browser to use `http://localhost:4080/https-everywhere/`.
+
+# Deployment
+
+Upon merge the container will be published to `quay.io/freedomofpress` and the new tag will be deployed automatically.
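Review bot: `serve` builds the image from `default.rulesets.$(timestamp).gz` and `rulesets-signature.$(timestamp).sha256` without ever checking that the signature verifies over the ruleset; since the README says production signatures come from a separate signing ceremony, a mismatched or stale pair would only be noticed once the extension rejects the update. A `verify` prerequisite that runs `openssl dgst -verify` before `docker build` catches that on the developer's machine, and can also fail clearly when `latest-rulesets-timestamp` is absent (today `timestamp` is then empty and the `COPY` fails inside the build with a less obvious error). `public.pem` below is the test key that `test-key` writes; substitute the real channel public key, and confirm the digest and padding match how the signature is produced — this assumes a plain PKCS#1 v1.5 SHA-256 signature as `openssl dgst -sign` emits. Listing `key.pem` and `test-key.jwk` in a `.dockerignore` would additionally keep the generated private key out of the build context, even though the Dockerfile's explicit `COPY` list never bakes it into the image.
```makefile
.PHONY: verify
verify: ## Checks the ruleset signature for the current timestamp before serving
	test -n "$(timestamp)" || { echo "latest-rulesets-timestamp is missing or empty"; exit 1; }
	openssl dgst -sha256 -verify public.pem -signature rulesets-signature.$(timestamp).sha256 default.rulesets.$(timestamp).gz

.PHONY: serve
serve: verify ## Builds Nginx container to serve generated files
# … unchanged: docker build / echo banner / docker run recipe …
```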
From 7472e9a5f69d8ac29605d557163fada09a61d5c3 Mon Sep 17 00:00:00 2001
From: Maeve Andrews
Date: Wed, 30 Sep 2020 14:26:17 -0400
Subject: [PATCH 3/5] Avoid issuing redirect at all if trailing slash is missing

---
 docker/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/nginx.conf b/docker/nginx.conf
index a2f1442..e7b88f9 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -20,7 +20,7 @@ http {
 location / {
 root /opt/nginx/root;
 index index.html;
+ rewrite ^/https-everywhere$ $uri/;
 }
 }
 }
-

From 7c0d9bb25e2e7d2e73d0725b23afc9f4b909c787 Mon Sep 17 00:00:00 2001
From: Maeve Andrews
Date: Thu, 1 Oct 2020 10:58:51 -0400
Subject: [PATCH 4/5] Add trailing slash on COPY

---
 docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 5b8f1f8..b0ca2ff 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -7,4 +7,4 @@ RUN mkdir -p /opt/nginx && chown nginx:nginx /opt/nginx
 
 USER nginx
 RUN mkdir -p /opt/nginx/run /opt/nginx/root/https-everywhere
-COPY index.html latest-rulesets-timestamp default.rulesets.${timestamp}.gz rulesets-signature.${timestamp}.sha256 /opt/nginx/root/https-everywhere
+COPY index.html latest-rulesets-timestamp default.rulesets.${timestamp}.gz rulesets-signature.${timestamp}.sha256 /opt/nginx/root/https-everywhere/

From 2da4c95ddf7d5c85d07923e352364487fc6c9d98 Mon Sep 17 00:00:00 2001
From: Maeve Andrews
Date: Thu, 1 Oct 2020 11:00:49 -0400
Subject: [PATCH 5/5] Specify both sides of port and listen on 127.0.0.1 only

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 2113e0e..04cc1e9 100644
--- a/Makefile
+++ b/Makefile
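Review bot: The new `rewrite` line carries no comment, and its reason lives only in the commit subject; a reader will wonder why one directory request is rewritten instead of being left to nginx's usual trailing-slash redirect, and why `port_in_redirect off;` (set earlier in the same `server` block, outside this hunk) is still needed. Suggest `# serve /https-everywhere without a 301: an internal rewrite avoids a Location header built from the container's own host/port` above it, hedged as the motive the commit message implies. Because the pattern is anchored with `^…$`, `$uri/` here is always `/https-everywhere/`, so writing the literal `rewrite ^/https-everywhere$ /https-everywhere/;` would make the intent self-evident at a glance.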
@@ -13,7 +13,7 @@ serve: ## Builds Nginx container to serve generated files
 @echo "=============================================================================="
 @echo " Serving ruleset at http://localhost:4080/https-everywhere/ "
 @echo "=============================================================================="
- @docker run --rm -p 4080 "$(image)"
+ @docker run --rm -p 127.0.0.1:4080:4080 "$(image)"
 
 .PHONY: help
 help:
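Review bot: `-p 127.0.0.1:4080:4080` binds the published port to IPv4 loopback only, while the `@echo` two lines above still advertises `http://localhost:4080/…`; on hosts where `localhost` resolves to `::1` first a client has to fall back to IPv4 (browsers and curl generally do, but the banner should name what is actually bound). Either print the bound address, `@echo " Serving ruleset at http://127.0.0.1:4080/https-everywhere/ "`, or publish both loopbacks with an additional `-p '[::1]:4080:4080'`. Binding to loopback is the right call regardless, since Docker publishes ports by editing the host's iptables rules directly and the earlier bare `-p 4080` would have exposed the container on an ephemeral port on every interface, bypassing host firewall front-ends such as ufw.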