diff --git a/Dockerfile b/Dockerfile
index 520d538..e8ded3c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,5 +11,8 @@ COPY templates templates
 RUN nunjucks-precompile --include snippets --include views templates >> js/bundle.js
 RUN bash -c 'cat /usr/lib/node_modules/{jquery/dist/jquery.min.js,tether/dist/js/tether.min.js,bootstrap/dist/js/bootstrap.min.js,node-forge/dist/forge.all.min.js,qrcode-svg/dist/qrcode.min.js,timeago/jquery.timeago.js,nunjucks/browser/nunjucks-slim.min.js,xterm/lib/xterm.js} >> js/bundle.js'
 RUN bash -c 'cat /usr/lib/node_modules/{tether/dist/css/tether.min.css,bootstrap/dist/css/bootstrap.min.css,font-awesome/css/font-awesome.min.css,xterm/css/xterm.css} >> css/bundle.css'
+RUN mkdir /frontend-secrets
+RUN ln -s ../server-secrets/self_cert.pem /frontend-secrets/cert.pem
+RUN ln -s ../server-secrets/self_key.pem /frontend-secrets/key.pem
 COPY entrypoint.sh /entrypoint.sh
 ENTRYPOINT /entrypoint.sh
diff --git a/nginx.conf b/nginx.conf
index 128439a..41274f8 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -61,10 +61,6 @@ http {
 proxy_read_timeout 600;
 send_timeout 600;
 
- # To use CA-s own certificate for frontend and mutually authenticated connections
- ssl_certificate /server-secrets/self_cert.pem;
- ssl_certificate_key /server-secrets/self_key.pem;
-
 server {
 # Section for serving insecure HTTP, note that this is suitable for
 # OCSP, CRL-s etc which is already covered by PKI protection mechanisms.
@@ -97,6 +93,10 @@ http {
 # once it has been configured
 add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 
+ # Bind mount this directory to use Let's Encrypt keypair for frontend
+ ssl_certificate /frontend-secrets/cert.pem;
+ ssl_certificate_key /frontend-secrets/key.pem;
+
 #proxy pass event
 location /api/event/ {
 proxy_buffering off;
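Review bot: The three new RUN lines make the public frontend fall back to the CA's own `self_cert.pem`/`self_key.pem` whenever nobody bind mounts `/frontend-secrets`, and the nginx.conf hunk at line 147 puts that same private key on the mutually authenticated API listener (its comment says the key also serves IPsec/OpenVPN). One private key then backs the most exposed listener and the infrastructure behind it, so a leak of the frontend key is a leak of all of them, and nothing in the image tells an operator that this is only a fallback. If the symlinks are meant as a development default, say so where they are created, e.g. `# Dev default: frontend serves the CA's self-signed keypair; bind mount a dedicated keypair over /frontend-secrets in production`. As a point of style the directory and both links can land in one layer: `RUN mkdir /frontend-secrets && ln -s ../server-secrets/self_cert.pem /frontend-secrets/cert.pem && ln -s ../server-secrets/self_key.pem /frontend-secrets/key.pem`.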
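Review bot: The new comment says to bind mount a Let's Encrypt keypair but not which files map to `cert.pem` and `key.pem`; nginx's `ssl_certificate` must carry the full chain, and a certbot `live/<domain>/` directory also contains a file named `cert.pem` that is the leaf only, so mounting it by name gives clients an incomplete chain. Suggest `# Bind mount this directory to use Let's Encrypt keypair for frontend: map fullchain.pem -> cert.pem and privkey.pem -> key.pem (cert.pem must include the intermediate chain)`. The `server {` block these directives belong to starts and ends outside the hunk.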
@@ -147,6 +147,10 @@ http {
 ssl_verify_client optional;
 ssl_client_certificate /server-secrets/ca_cert.pem;
 
+ # Use same keypair used by IPSec, OpenVPN
+ ssl_certificate /server-secrets/self_cert.pem;
+ ssl_certificate_key /server-secrets/self_key.pem;
+
 # Proxy pass to backend
 location /api/ {
 proxy_pass http://read-write;
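Review bot: With the `http`-level `ssl_certificate`/`ssl_certificate_key` removed in the hunk at line 61, every TLS `server` block must now carry its own pair; this hunk and the one at line 93 cover two listeners, but any other `listen ... ssl` block elsewhere in nginx.conf would now make `nginx -t` fail with a missing certificate, which is worth checking before merging. The comment `# Use same keypair used by IPSec, OpenVPN` records a cross-service dependency that nothing in this file enforces, so a rotation of `self_key.pem` done only here would silently break the other consumers; make the coupling explicit, e.g. `# Same keypair as the IPsec/OpenVPN endpoints - rotate all of them together`. The enclosing `server` block starts and ends outside the hunk.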