gitea/ckan
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #59 from ckan/Potential-Security-Updates

Browse Source 
Potential security updates
This commit is contained in:
Brett Jones 2023-07-31 16:23:22 +01:00 committed by GitHub
commit 1928074f01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 181 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
.env
View File

@ -13,13 +13,18 @@ NGINX_PORT_HOST=81
NGINX_SSLPORT_HOST=8443
# CKAN databases
POSTGRES_USER=ckan
POSTGRES_PASSWORD=ckan
POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
POSTGRES_DB=postgres
POSTGRES_HOST=db
CKAN_DB_USER=ckandbuser
CKAN_DB_PASSWORD=ckandbpassword
CKAN_DB=ckandb
DATASTORE_READONLY_USER=datastore_ro
DATASTORE_READONLY_PASSWORD=datastore
POSTGRES_HOST=db
CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan
CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore
DATASTORE_DB=datastore
CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb
CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore
CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore
# Test database connections

17
.env.example
View File

@ -13,13 +13,18 @@ NGINX_PORT_HOST=81
NGINX_SSLPORT_HOST=8443
# CKAN databases
POSTGRES_USER=ckan
POSTGRES_PASSWORD=ckan
POSTGRES_USER=postgres
POSTGRES_PASSWORD=postgres
POSTGRES_DB=postgres
POSTGRES_HOST=db
CKAN_DB_USER=ckandbuser
CKAN_DB_PASSWORD=ckandbpassword
CKAN_DB=ckandb
DATASTORE_READONLY_USER=datastore_ro
DATASTORE_READONLY_PASSWORD=datastore
POSTGRES_HOST=db
CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan
CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore
DATASTORE_DB=datastore
CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb
CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore
CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore
# Test database connections
@ -30,7 +35,7 @@ TEST_CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore_te
# CKAN core
CKAN_VERSION=2.10.0
CKAN_SITE_ID=default
CKAN_SITE_URL=http://ckan:5000
CKAN_SITE_URL=https://localhost:8443
CKAN_PORT=5000
CKAN_PORT_HOST=5000
CKAN___BEAKER__SESSION__SECRET=CHANGE_ME

1
.gitignore vendored
View File

@ -7,3 +7,4 @@ _service-provider/*
_solr/schema.xml
_src/*
local/*
.env

2
README.md
View File

@ -206,7 +206,7 @@ running the latest version of Datapusher.
## 10. NGINX
The base Docker Compose configuration uses an NGINX image as the front-end (ie: reverse proxy). It includes HTTPS running on port number 8443 and an HTTP port (81). A "self-signed" SSL certificate is generated beforehand and the server certificate and key files are included. The NGINX `server_name` directive and the `CN` field in the SSL certificate have been both set to 'localhost'. This should obviously not be used for production.
The base Docker Compose configuration uses an NGINX image as the front-end (ie: reverse proxy). It includes HTTPS running on port number 8443. A "self-signed" SSL certificate is generated as part of the ENTRYPOINT. The NGINX `server_name` directive and the `CN` field in the SSL certificate have been both set to 'localhost'. This should obviously not be used for production.
Creating the SSL cert and key files as follows:
`openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=DE/ST=Berlin/L=Berlin/O=None/CN=localhost" -keyout ckan-local.key -out ckan-local.crt`

11
docker-compose.dev.yml
View File

@ -43,18 +43,15 @@ services:
container_name: ${POSTGRESQL_CONTAINER_NAME}
build:
context: postgresql/
args:
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
environment:
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- PGDATA=/var/lib/postgresql/data/db
- DATASTORE_READONLY_PASSWORD
- POSTGRES_PASSWORD
- CKAN_DB_PASSWORD
volumes:
- pg_data:/var/lib/postgresql/data
restart: unless-stopped
healthcheck:
test: ["CMD", "pg_isready", "-U", "ckan"]
test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER}", "-d", "${POSTGRES_DB}"]
solr:
container_name: ${SOLR_CONTAINER_NAME}

48
docker-compose.yml
View File

@ -1,5 +1,6 @@
version: "3"
volumes:
ckan_storage:
pg_data:
@ -12,11 +13,13 @@ services:
build:
context: nginx/
dockerfile: Dockerfile
networks:
- webnet
- ckannet
depends_on:
ckan:
condition: service_healthy
ports:
- "0.0.0.0:${NGINX_PORT_HOST}:${NGINX_PORT}"
- "0.0.0.0:${NGINX_SSLPORT_HOST}:${NGINX_SSLPORT}"
ckan:
@ -26,6 +29,11 @@ services:
dockerfile: Dockerfile
args:
- TZ=${TZ}
networks:
- ckannet
- dbnet
- solrnet
- redisnet
env_file:
- .env
depends_on:
@ -35,8 +43,6 @@ services:
condition: service_healthy
redis:
condition: service_healthy
ports:
- "0.0.0.0:${CKAN_PORT_HOST}:${CKAN_PORT}"
volumes:
- ckan_storage:/var/lib/ckan
restart: unless-stopped
@ -45,6 +51,9 @@ services:
datapusher:
container_name: ${DATAPUSHER_CONTAINER_NAME}
networks:
- ckannet
- dbnet
image: ckan/ckan-base-datapusher:${DATAPUSHER_VERSION}
restart: unless-stopped
healthcheck:
@ -54,21 +63,28 @@ services:
container_name: ${POSTGRESQL_CONTAINER_NAME}
build:
context: postgresql/
args:
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
networks:
- dbnet
environment:
- DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- PGDATA=/var/lib/postgresql/data/db
- POSTGRES_USER
- POSTGRES_PASSWORD
- POSTGRES_DB
- CKAN_DB_USER
- CKAN_DB_PASSWORD
- CKAN_DB
- DATASTORE_READONLY_USER
- DATASTORE_READONLY_PASSWORD
- DATASTORE_DB
volumes:
- pg_data:/var/lib/postgresql/data
restart: unless-stopped
healthcheck:
test: ["CMD", "pg_isready", "-U", "ckan"]
test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER}", "-d", "${POSTGRES_DB}"]
solr:
container_name: ${SOLR_CONTAINER_NAME}
networks:
- solrnet
image: ckan/ckan-solr:${SOLR_IMAGE_VERSION}
volumes:
- solr_data:/var/solr
@ -79,6 +95,18 @@ services:
redis:
container_name: ${REDIS_CONTAINER_NAME}
image: redis:${REDIS_VERSION}
networks:
- redisnet
restart: unless-stopped
healthcheck:
test: ["CMD", "redis-cli", "-e", "QUIT"]
networks:
webnet:
ckannet:
solrnet:
internal: true
dbnet:
internal: true
redisnet:
internal: true

15
nginx/Dockerfile
View File

@ -2,11 +2,22 @@ FROM nginx:stable-alpine
ENV NGINX_DIR=/etc/nginx
RUN apk update --no-cache && \
apk upgrade --no-cache && \
apk add --no-cache openssl
COPY setup/nginx.conf ${NGINX_DIR}/nginx.conf
COPY setup/index.html /usr/share/nginx/html/index.html
COPY setup/default.conf ${NGINX_DIR}/conf.d/
RUN mkdir -p ${NGINX_DIR}/certs
COPY setup/ckan-local.* ${NGINX_DIR}/certs/
EXPOSE 81
ENTRYPOINT \
openssl req \
-subj '/C=DE/ST=Berlin/L=Berlin/O=None/CN=localhost' \
-x509 -newkey rsa:4096 \
-nodes -keyout /etc/nginx/ssl/default_key.pem \
-keyout ${NGINX_DIR}/certs/ckan-local.key \
-out ${NGINX_DIR}/certs/ckan-local.crt \
-days 365 && \
nginx -g 'daemon off;'

28
nginx/setup/default.conf
View File

@ -1,11 +1,23 @@
server {
listen 80;
listen [::]:80;
#listen 80;
#listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/certs/ckan-local.crt;
ssl_certificate_key /etc/nginx/certs/ckan-local.key;
# TLS 1.2 & 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;
# Disable weak ciphers
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# SSL sessions
ssl_session_timeout 1d;
# ssl_session_cache dfine in stream and http
ssl_session_tickets off;
#access_log /var/log/nginx/host.access.log main;
@ -20,13 +32,15 @@ server {
proxy_cache_key $host$scheme$proxy_host$request_uri;
}
error_page 404 /404.html;
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /error.html;
# redirect server error pages to the static page /50x.html
# redirect server error pages to the static page /error.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
location = /error.html {
ssi on;
internal;
auth_basic off;
root /usr/share/nginx/html;
}
}

64
nginx/setup/nginx.conf
View File

@ -22,14 +22,70 @@ http {
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
keepalive_timeout 65;
#gzip on;
# Don't expose Nginx version
server_tokens off;
# Prevent clickjacking attacks
add_header X-Frame-Options "SAMEORIGIN";
# Mitigate Cross-Site scripting attack
add_header X-XSS-Protection "1; mode=block";
# Enable gzip encryption
gzip on;
proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
proxy_temp_path /tmp/nginx_proxy 1 2;
include /etc/nginx/conf.d/*.conf;
}
# Error status text
map $status $status_text {
400 'Bad Request';
401 'Unauthorized';
402 'Payment Required';
403 'Forbidden';
404 'Not Found';
405 'Method Not Allowed';
406 'Not Acceptable';
407 'Proxy Authentication Required';
408 'Request Timeout';
409 'Conflict';
410 'Gone';
411 'Length Required';
412 'Precondition Failed';
413 'Payload Too Large';
414 'URI Too Long';
415 'Unsupported Media Type';
416 'Range Not Satisfiable';
417 'Expectation Failed';
418 'I\'m a teapot';
421 'Misdirected Request';
422 'Unprocessable Entity';
423 'Locked';
424 'Failed Dependency';
425 'Too Early';
426 'Upgrade Required';
428 'Precondition Required';
429 'Too Many Requests';
431 'Request Header Fields Too Large';
451 'Unavailable For Legal Reasons';
500 'Internal Server Error';
501 'Not Implemented';
502 'Bad Gateway';
503 'Service Unavailable';
504 'Gateway Timeout';
505 'HTTP Version Not Supported';
506 'Variant Also Negotiates';
507 'Insufficient Storage';
508 'Loop Detected';
510 'Not Extended';
511 'Network Authentication Required';
default 'Something is wrong';
}
}

11
postgresql/Dockerfile
View File

@ -1,13 +1,4 @@
FROM postgres:12-alpine
# Allow connections; we don't map out any ports so only linked docker containers can connect
RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf
# Customize default user/pass/db
ENV POSTGRES_DB ckan
ENV POSTGRES_USER ckan
ARG POSTGRES_PASSWORD
ARG DATASTORE_READONLY_PASSWORD
# Include extra setup scripts (eg datastore)
ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d

7
postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sh Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE ROLE "$CKAN_DB_USER" NOSUPERUSER CREATEDB CREATEROLE LOGIN PASSWORD '$CKAN_DB_PASSWORD';
CREATE DATABASE "$CKAN_DB" OWNER "$CKAN_DB_USER" ENCODING 'utf-8';
EOSQL

4
postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql
View File

@ -1,4 +0,0 @@
\set datastore_ro_password '\'' `echo $DATASTORE_READONLY_PASSWORD` '\''
CREATE ROLE datastore_ro NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :datastore_ro_password;
CREATE DATABASE datastore OWNER ckan ENCODING 'utf-8';

7
postgresql/docker-entrypoint-initdb.d/20_create_datastore.sh Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE ROLE "$DATASTORE_READONLY_USER" NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD '$DATASTORE_READONLY_PASSWORD';
CREATE DATABASE "$DATASTORE_DB" OWNER "$CKAN_DB_USER" ENCODING 'utf-8';
EOSQL

2
postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql
View File

@ -1,2 +0,0 @@
CREATE DATABASE ckan_test OWNER ckan ENCODING 'utf-8';
CREATE DATABASE datastore_test OWNER ckan ENCODING 'utf-8';

7
postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql Executable file
View File

@ -0,0 +1,7 @@
#!/bin/bash
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE DATABASE ckan_test OWNER "$CKAN_DB_USER" ENCODING 'utf-8';
CREATE DATABASE datastore_test OWNER "$CKAN_DB_USER" ENCODING 'utf-8';
EOSQL