jlusiardi/docker_ssl_endpoint
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Removed unsecure RC4

Browse Source 
RC4-SHA was marked insecure by https://sslanalyzer.comodoca.com
This commit is contained in:
Joachim Lusiardi 2016-04-10 09:36:03 +02:00
parent d5425aef30
commit b1c32049a0
4 changed files with 65 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1 +1,2 @@
cert cert
aliases

2
haproxy_ssl.conf
View File

@ -9,7 +9,7 @@ global
ca-base /etc/ssl/certs ca-base /etc/ssl/certs
crt-base /crypt crt-base /crypt
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:!RC4:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3 ssl-default-bind-options no-sslv3
defaults defaults

8
list_domains.py
View File

@ -7,6 +7,7 @@ import json
import signal import signal
import os import os
from socket import getaddrinfo from socket import getaddrinfo
import logging
def get_if_available(dict, key, defValue): def get_if_available(dict, key, defValue):
if key in dict: if key in dict:
@ -48,10 +49,15 @@ def handle_container(docker_client, id):
def get_resolving_domains_from_containers(docker_client): def get_resolving_domains_from_containers(docker_client):
container_ids = docker_client.containers(quiet=True) container_ids = docker_client.containers(quiet=True)
logging.info('list of containers: %s', str(container_ids))
domains = [] domains = []
for container_id in container_ids: for container_id in container_ids:
domains.extend(handle_container(docker_client, container_id['Id'])) domains.extend(handle_container(docker_client, container_id['Id']))
logging.info('list of activated domains on containers: %s', str(domains))
resolved_domains = [] resolved_domains = []
for domain in domains: for domain in domains:
try: try:
@ -60,6 +66,8 @@ def get_resolving_domains_from_containers(docker_client):
except Exception: except Exception:
pass pass
logging.info('list of resolved domains on containers: %s', str(resolved_domains))
return resolved_domains return resolved_domains
if __name__ == '__main__': if __name__ == '__main__':

90
start.py
View File

@ -1,11 +1,13 @@
#!/usr/bin/python3.4 #!/usr/bin/python3.4
import os import os
import json
import sys import sys
import signal import signal
import logging import logging
import time import time
import hashlib import hashlib
import threading
import list_domains import list_domains
from docker import Client from docker import Client
@ -65,9 +67,6 @@ def is_haproxy_running():
def ssl_possible(): def ssl_possible():
"""Check if a certificate is available.""" """Check if a certificate is available."""
if not os.path.exists(cert_path):
logging.info('creating cert_path path: %s', cert_path)
os.mkdir(cert_path)
if not os.path.isfile(cert_file): if not os.path.isfile(cert_file):
return False return False
@ -76,44 +75,19 @@ def ssl_possible():
def create_haproxy_cert(): def create_haproxy_cert():
"""Combines the freshly created fullchain.pem and privkey.pem into /data/haproxy/cert.pem""" """Combines the freshly created fullchain.pem and privkey.pem into /data/haproxy/cert.pem"""
os.system('DIR=`ls -td /data/config/live/*/ | head -1`; cat ${DIR}/fullchain.pem ${DIR}/privkey.pem > /data/haproxy/cert.pem') logging.info('updating %s', cert_file)
os.system('DIR=`ls -td /data/config/live/*/ | head -1`; echo ${DIR}; mkdir -p /data/haproxy; cat ${DIR}/fullchain.pem ${DIR}/privkey.pem > /data/haproxy/cert.pem')
def create_cert_data_standalone(domains): def create_cert_data_standalone(domains):
domains = " -d ".join(domains) domains = " -d ".join(domains)
os.system('/letsencrypt/letsencrypt-auto --config letencrypt.conf certonly -d ' + domains) os.system('/letsencrypt/letsencrypt-auto --config letencrypt.conf certonly --expand --force-renewal --duplicate --allow-subset-of-names --standalone-supported-challenges http-01 --http-01-port 54321 -d ' + domains)
if __name__ == '__main__':
setup_logging()
logging.info('starting')
def cert_watcher():
SSL_RUNNING=True
cert_file_hash = hash_cert_file() cert_file_hash = hash_cert_file()
# try to start in SSL mode, no problem if that fails
logging.info('try in SSL mode')
SSL_RUNNING = start_haproxy_ssl()
if not SSL_RUNNING:
logging.info('SSL mode failed')
if not is_haproxy_running():
# tried to start haproxy and this failed, so we need to create a certificate and try again:
# - start non ssl haproxy to be able to get a valid cert
logging.info('try in NON SSL mode')
SSL_RUNNING = start_haproxy()
# - get all domains
client = Client(base_url='unix://var/run/docker.sock', version='1.15')
resolved_domains = list_domains.get_resolving_domains_from_containers(client)
# - create cert
create_cert_data_standalone(resolved_domains)
create_haproxy_cert()
# now we should have it up and running or something weird happened.
if not is_haproxy_running():
logging.error('could not start after generating cert. See output above.')
sys.exit(1)
while True: while True:
time.sleep(10) logging.info('ping')
time.sleep(60)
if ssl_possible() and not SSL_RUNNING: if ssl_possible() and not SSL_RUNNING:
kill_haproxy() kill_haproxy()
start_haproxy_ssl() start_haproxy_ssl()
@ -136,3 +110,49 @@ if __name__ == '__main__':
start_haproxy() start_haproxy()
logging.info('SSL -> NON SSL') logging.info('SSL -> NON SSL')
SSL_RUNNING=False SSL_RUNNING=False
if __name__ == '__main__':
setup_logging()
logging.info('starting')
if not os.path.exists(cert_path):
logging.info('creating cert_path path: %s', cert_path)
os.mkdir(cert_path)
client = Client(base_url='unix://var/run/docker.sock', version='1.15')
cert_file_hash = hash_cert_file()
# try to start in SSL mode, no problem if that fails
logging.info('try in SSL mode')
SSL_RUNNING = start_haproxy_ssl()
if not SSL_RUNNING:
logging.info('SSL mode failed')
if not is_haproxy_running():
# tried to start haproxy and this failed, so we need to create a certificate and try again:
# - start non ssl haproxy to be able to get a valid cert
logging.info('try in NON SSL mode')
SSL_RUNNING = start_haproxy()
# - get all domains
resolved_domains = list_domains.get_resolving_domains_from_containers(client)
# - create cert
create_cert_data_standalone(resolved_domains)
create_haproxy_cert()
# now we should have it up and running or something weird happened.
if not is_haproxy_running():
logging.error('could not start after generating cert. See output above.')
sys.exit(1)
t = threading.Thread(target=cert_watcher)
t.start()
for line in client.events():
line_str = line.decode("utf-8")
event = json.loads(line_str)
if event['Action'] in ['start', 'destroy']:
resolved_domains = list_domains.get_resolving_domains_from_containers(client)
create_cert_data_standalone(resolved_domains)
create_haproxy_cert()