Change haproxy.cfg to enable http->https redirect and optional certbot

[tornaria]

Admittedly I don't know all the implications of this, but here's my proposal:

--- haproxy.cfg.orig    2017-08-11 23:01:10.748000000 +0000
+++ haproxy.cfg 2017-08-11 23:59:26.444000000 +0000
@@ -36,9 +36,16 @@
     timeout server 20s
     server proxy localhost:5001 cookie server:localhost:5000 check inter 4000 maxco
 
+frontend http
+    bind *:80
+    acl is_acme path_beg /.well-known/acme-challenge
+    redirect scheme https code 301 if !is_acme
+    use_backend static if is_acme
+
 frontend https
     bind *:443 ssl crt /nopassphrase.pem no-sslv3
-    bind *:80
     reqadd X-Forwarded-Proto:\ https
     timeout client 120s

This has two consequences:

a. The haproxy in port 80 will not serve any content, redirecting everything to https.
(not only a security issue but also see e.g. #2000 (comment))

b. There will be an exception for /.well-known/acme-challenge which would be served using the static backend from /cocalc/src/static/.well-known/acme-challenge/ which can be used as webroot for certbot.

Note that this actually doesn't do anything to install or activate certbot, but with this configuration in place is easy to install a letsencrypt certificate.

Possible instructions to do it (assuming my proposed haproxy.cfg is installed):

1. enter the docker container

$ docker exec -it cocalc bash

2. install certbot

# apt-get update
# apt-get install certbot

3. make a persistent directory for letsencrypt files

# mkdir /projects/conf/letsencrypt
# ln -sT /projects/conf/letsencrypt /etc/letsencrypt

4. obtain a certificate (substitute <DOMAIN> and <EMAIL>)

# certbot certonly --config-dir /projects/conf/letsencrypt --webroot --agree-tos -w /cocalc/src/static/ -d <DOMAIN> -m <EMAIL>

5. install the certificate where haproxy expects it:

# cat /etc/letsencrypt/live/<DOMAIN>/{fullchain.pem,privkey.pem} > /nopassphrase.pem
# service haproxy reload

6. enjoy

This does not automate renewals. At renewal time (i.e. every month?) one has to do something like:

# certbot renew
# cat /etc/letsencrypt/live/<DOMAIN>/{fullchain.pem,privkey.pem} > /nopassphrase.pem
# service haproxy reload

I haven't tested renewals yet, as I understand it it is safe to run certbot renew once or twice a day since it won't do a thing if the certificate is not old. I don't know how to automate this inside the docker container, since cron is not running.

Any suggestion? A worthwhile goal would be to have a single script that when executed will do steps 2-5 above and make sure the certificate is periodically renewed.

NOTE: the patch above and the suggested steps are just configuration, I make no copyright claim, use it freely, keep the pieces if it breaks, etc.

[tornaria]

For the record: it seems service cron start will run cron, so that can be used to automate certificate renewal.

However I'm afraid this will run a lot of other stuff periodically from ubuntu cron configuration which I'm not sure it's desirable.

[tornaria]

This is implemented in PR #2294, together with other improvements.

[haraldschilly]

closing this ticket because the PR is closed

[billpage]

I suggest that the recipe for letsencrypt in this proposal become part of the docker readme. I just tested it and it works for me. My reason for doing this is that apparently there is some kind of time restriction in firefox (and maybe other browsers) on continuing to access a site (even a local site) with an invalid certificate.

Or since this issue is closed does it mean that this approach has been replaced with something else?

[slel]

@billpage This issue is closed because the Docker image for CoCalc
now has its own repo at https://github.com/sagemathinc/cocalc-docker
with its issue tracker at https://github.com/sagemathinc/cocalc-docker/issues
and pull requests at https://github.com/sagemathinc/cocalc-docker/pulls

Further discussion of cocalc-docker happens there.

Regarding Letsencrypt and CoCalc-Docker, there is a discussion around
https://github.com/sagemathinc/cocalc-docker/pull/3 if you can have a look.