diff --git a/.env b/.env index 136156d..07ab2b5 100644 --- a/.env +++ b/.env @@ -13,13 +13,18 @@ NGINX_PORT_HOST=81 NGINX_SSLPORT_HOST=8443 # CKAN databases -POSTGRES_USER=ckan -POSTGRES_PASSWORD=ckan +POSTGRES_USER=postgres +POSTGRES_PASSWORD=postgres +POSTGRES_DB=postgres +POSTGRES_HOST=db +CKAN_DB_USER=ckandbuser +CKAN_DB_PASSWORD=ckandbpassword +CKAN_DB=ckandb DATASTORE_READONLY_USER=datastore_ro DATASTORE_READONLY_PASSWORD=datastore -POSTGRES_HOST=db -CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan -CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore +DATASTORE_DB=datastore +CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb +CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore # Test database connections diff --git a/.env.example b/.env.example index 209b617..07ab2b5 100644 --- a/.env.example +++ b/.env.example @@ -13,13 +13,18 @@ NGINX_PORT_HOST=81 NGINX_SSLPORT_HOST=8443 # CKAN databases -POSTGRES_USER=ckan -POSTGRES_PASSWORD=ckan +POSTGRES_USER=postgres +POSTGRES_PASSWORD=postgres +POSTGRES_DB=postgres +POSTGRES_HOST=db +CKAN_DB_USER=ckandbuser +CKAN_DB_PASSWORD=ckandbpassword +CKAN_DB=ckandb DATASTORE_READONLY_USER=datastore_ro DATASTORE_READONLY_PASSWORD=datastore -POSTGRES_HOST=db -CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan -CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore +DATASTORE_DB=datastore +CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb +CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore # Test database connections @@ -30,7 +35,7 @@ TEST_CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore_te # CKAN core CKAN_VERSION=2.10.0 CKAN_SITE_ID=default -CKAN_SITE_URL=http://ckan:5000 +CKAN_SITE_URL=https://localhost:8443 CKAN_PORT=5000 CKAN_PORT_HOST=5000 CKAN___BEAKER__SESSION__SECRET=CHANGE_ME diff --git a/.gitignore b/.gitignore index 06c7c30..a3d88d5 100755 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ _service-provider/* _solr/schema.xml _src/* local/* +.env diff --git a/README.md b/README.md index c11a3af..f48b18b 100644 --- a/README.md +++ b/README.md @@ -206,7 +206,7 @@ running the latest version of Datapusher. ## 10. NGINX -The base Docker Compose configuration uses an NGINX image as the front-end (ie: reverse proxy). It includes HTTPS running on port number 8443 and an HTTP port (81). A "self-signed" SSL certificate is generated beforehand and the server certificate and key files are included. The NGINX `server_name` directive and the `CN` field in the SSL certificate have been both set to 'localhost'. This should obviously not be used for production. +The base Docker Compose configuration uses an NGINX image as the front-end (ie: reverse proxy). It includes HTTPS running on port number 8443. A "self-signed" SSL certificate is generated as part of the ENTRYPOINT. The NGINX `server_name` directive and the `CN` field in the SSL certificate have been both set to 'localhost'. This should obviously not be used for production. Creating the SSL cert and key files as follows: `openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=DE/ST=Berlin/L=Berlin/O=None/CN=localhost" -keyout ckan-local.key -out ckan-local.crt` diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 2b6a0f1..2bc7894 100755 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -43,18 +43,15 @@ services: container_name: ${POSTGRESQL_CONTAINER_NAME} build: context: postgresql/ - args: - - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD} - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} environment: - - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD} - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - - PGDATA=/var/lib/postgresql/data/db + - DATASTORE_READONLY_PASSWORD + - POSTGRES_PASSWORD + - CKAN_DB_PASSWORD volumes: - pg_data:/var/lib/postgresql/data restart: unless-stopped healthcheck: - test: ["CMD", "pg_isready", "-U", "ckan"] + test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER}", "-d", "${POSTGRES_DB}"] solr: container_name: ${SOLR_CONTAINER_NAME} diff --git a/docker-compose.yml b/docker-compose.yml index 8548f0e..0f5330f 100755 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,6 @@ version: "3" + volumes: ckan_storage: pg_data: @@ -12,11 +13,13 @@ services: build: context: nginx/ dockerfile: Dockerfile + networks: + - webnet + - ckannet depends_on: ckan: condition: service_healthy ports: - - "0.0.0.0:${NGINX_PORT_HOST}:${NGINX_PORT}" - "0.0.0.0:${NGINX_SSLPORT_HOST}:${NGINX_SSLPORT}" ckan: @@ -26,6 +29,11 @@ services: dockerfile: Dockerfile args: - TZ=${TZ} + networks: + - ckannet + - dbnet + - solrnet + - redisnet env_file: - .env depends_on: @@ -35,8 +43,6 @@ services: condition: service_healthy redis: condition: service_healthy - ports: - - "0.0.0.0:${CKAN_PORT_HOST}:${CKAN_PORT}" volumes: - ckan_storage:/var/lib/ckan restart: unless-stopped @@ -45,6 +51,9 @@ services: datapusher: container_name: ${DATAPUSHER_CONTAINER_NAME} + networks: + - ckannet + - dbnet image: ckan/ckan-base-datapusher:${DATAPUSHER_VERSION} restart: unless-stopped healthcheck: @@ -54,21 +63,28 @@ services: container_name: ${POSTGRESQL_CONTAINER_NAME} build: context: postgresql/ - args: - - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD} - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + networks: + - dbnet environment: - - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD} - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - - PGDATA=/var/lib/postgresql/data/db + - POSTGRES_USER + - POSTGRES_PASSWORD + - POSTGRES_DB + - CKAN_DB_USER + - CKAN_DB_PASSWORD + - CKAN_DB + - DATASTORE_READONLY_USER + - DATASTORE_READONLY_PASSWORD + - DATASTORE_DB volumes: - pg_data:/var/lib/postgresql/data restart: unless-stopped healthcheck: - test: ["CMD", "pg_isready", "-U", "ckan"] + test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER}", "-d", "${POSTGRES_DB}"] solr: container_name: ${SOLR_CONTAINER_NAME} + networks: + - solrnet image: ckan/ckan-solr:${SOLR_IMAGE_VERSION} volumes: - solr_data:/var/solr @@ -79,6 +95,18 @@ services: redis: container_name: ${REDIS_CONTAINER_NAME} image: redis:${REDIS_VERSION} + networks: + - redisnet restart: unless-stopped healthcheck: test: ["CMD", "redis-cli", "-e", "QUIT"] + +networks: + webnet: + ckannet: + solrnet: + internal: true + dbnet: + internal: true + redisnet: + internal: true diff --git a/nginx/Dockerfile b/nginx/Dockerfile index 8abad79..eda7994 100644 --- a/nginx/Dockerfile +++ b/nginx/Dockerfile @@ -2,11 +2,22 @@ FROM nginx:stable-alpine ENV NGINX_DIR=/etc/nginx +RUN apk update --no-cache && \ + apk upgrade --no-cache && \ + apk add --no-cache openssl + COPY setup/nginx.conf ${NGINX_DIR}/nginx.conf COPY setup/index.html /usr/share/nginx/html/index.html COPY setup/default.conf ${NGINX_DIR}/conf.d/ RUN mkdir -p ${NGINX_DIR}/certs -COPY setup/ckan-local.* ${NGINX_DIR}/certs/ -EXPOSE 81 \ No newline at end of file +ENTRYPOINT \ + openssl req \ + -subj '/C=DE/ST=Berlin/L=Berlin/O=None/CN=localhost' \ + -x509 -newkey rsa:4096 \ + -nodes -keyout /etc/nginx/ssl/default_key.pem \ + -keyout ${NGINX_DIR}/certs/ckan-local.key \ + -out ${NGINX_DIR}/certs/ckan-local.crt \ + -days 365 && \ + nginx -g 'daemon off;' \ No newline at end of file diff --git a/nginx/setup/default.conf b/nginx/setup/default.conf index 17e9cc1..a628619 100644 --- a/nginx/setup/default.conf +++ b/nginx/setup/default.conf @@ -1,11 +1,23 @@ server { - listen 80; - listen [::]:80; + #listen 80; + #listen [::]:80; listen 443 ssl; listen [::]:443 ssl; server_name localhost; ssl_certificate /etc/nginx/certs/ckan-local.crt; ssl_certificate_key /etc/nginx/certs/ckan-local.key; + + # TLS 1.2 & 1.3 only + ssl_protocols TLSv1.2 TLSv1.3; + + # Disable weak ciphers + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + + # SSL sessions + ssl_session_timeout 1d; + # ssl_session_cache dfine in stream and http + ssl_session_tickets off; #access_log /var/log/nginx/host.access.log main; @@ -20,13 +32,15 @@ server { proxy_cache_key $host$scheme$proxy_host$request_uri; } - error_page 404 /404.html; + error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /error.html; - # redirect server error pages to the static page /50x.html + # redirect server error pages to the static page /error.html # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; + location = /error.html { + ssi on; + internal; + auth_basic off; + root /usr/share/nginx/html; } } \ No newline at end of file diff --git a/nginx/setup/nginx.conf b/nginx/setup/nginx.conf index b14c5be..ddc819c 100644 --- a/nginx/setup/nginx.conf +++ b/nginx/setup/nginx.conf @@ -22,14 +22,70 @@ http { access_log /var/log/nginx/access.log main; sendfile on; - #tcp_nopush on; - + tcp_nopush on; + tcp_nodelay on; + types_hash_max_size 2048; keepalive_timeout 65; - #gzip on; + # Don't expose Nginx version + server_tokens off; + + # Prevent clickjacking attacks + add_header X-Frame-Options "SAMEORIGIN"; + + # Mitigate Cross-Site scripting attack + add_header X-XSS-Protection "1; mode=block"; + + # Enable gzip encryption + gzip on; proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m; proxy_temp_path /tmp/nginx_proxy 1 2; include /etc/nginx/conf.d/*.conf; -} \ No newline at end of file + + # Error status text + map $status $status_text { + 400 'Bad Request'; + 401 'Unauthorized'; + 402 'Payment Required'; + 403 'Forbidden'; + 404 'Not Found'; + 405 'Method Not Allowed'; + 406 'Not Acceptable'; + 407 'Proxy Authentication Required'; + 408 'Request Timeout'; + 409 'Conflict'; + 410 'Gone'; + 411 'Length Required'; + 412 'Precondition Failed'; + 413 'Payload Too Large'; + 414 'URI Too Long'; + 415 'Unsupported Media Type'; + 416 'Range Not Satisfiable'; + 417 'Expectation Failed'; + 418 'I\'m a teapot'; + 421 'Misdirected Request'; + 422 'Unprocessable Entity'; + 423 'Locked'; + 424 'Failed Dependency'; + 425 'Too Early'; + 426 'Upgrade Required'; + 428 'Precondition Required'; + 429 'Too Many Requests'; + 431 'Request Header Fields Too Large'; + 451 'Unavailable For Legal Reasons'; + 500 'Internal Server Error'; + 501 'Not Implemented'; + 502 'Bad Gateway'; + 503 'Service Unavailable'; + 504 'Gateway Timeout'; + 505 'HTTP Version Not Supported'; + 506 'Variant Also Negotiates'; + 507 'Insufficient Storage'; + 508 'Loop Detected'; + 510 'Not Extended'; + 511 'Network Authentication Required'; + default 'Something is wrong'; + } +} diff --git a/postgresql/Dockerfile b/postgresql/Dockerfile index e912383..121a711 100755 --- a/postgresql/Dockerfile +++ b/postgresql/Dockerfile @@ -1,13 +1,4 @@ FROM postgres:12-alpine -# Allow connections; we don't map out any ports so only linked docker containers can connect -RUN echo "host all all 0.0.0.0/0 md5" >> /var/lib/postgresql/data/pg_hba.conf - -# Customize default user/pass/db -ENV POSTGRES_DB ckan -ENV POSTGRES_USER ckan -ARG POSTGRES_PASSWORD -ARG DATASTORE_READONLY_PASSWORD - # Include extra setup scripts (eg datastore) -ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d +ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d \ No newline at end of file diff --git a/postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sh b/postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sh new file mode 100755 index 0000000..1c9c4ca --- /dev/null +++ b/postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sh @@ -0,0 +1,7 @@ +#!/bin/bash +set -e + +psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE ROLE "$CKAN_DB_USER" NOSUPERUSER CREATEDB CREATEROLE LOGIN PASSWORD '$CKAN_DB_PASSWORD'; + CREATE DATABASE "$CKAN_DB" OWNER "$CKAN_DB_USER" ENCODING 'utf-8'; +EOSQL diff --git a/postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql b/postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql deleted file mode 100755 index 8038de0..0000000 --- a/postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql +++ /dev/null @@ -1,4 +0,0 @@ -\set datastore_ro_password '\'' `echo $DATASTORE_READONLY_PASSWORD` '\'' - -CREATE ROLE datastore_ro NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD :datastore_ro_password; -CREATE DATABASE datastore OWNER ckan ENCODING 'utf-8'; diff --git a/postgresql/docker-entrypoint-initdb.d/20_create_datastore.sh b/postgresql/docker-entrypoint-initdb.d/20_create_datastore.sh new file mode 100755 index 0000000..968e443 --- /dev/null +++ b/postgresql/docker-entrypoint-initdb.d/20_create_datastore.sh @@ -0,0 +1,7 @@ +#!/bin/bash +set -e + +psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE ROLE "$DATASTORE_READONLY_USER" NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD '$DATASTORE_READONLY_PASSWORD'; + CREATE DATABASE "$DATASTORE_DB" OWNER "$CKAN_DB_USER" ENCODING 'utf-8'; +EOSQL \ No newline at end of file diff --git a/postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql b/postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql deleted file mode 100755 index 140f2e5..0000000 --- a/postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql +++ /dev/null @@ -1,2 +0,0 @@ -CREATE DATABASE ckan_test OWNER ckan ENCODING 'utf-8'; -CREATE DATABASE datastore_test OWNER ckan ENCODING 'utf-8'; diff --git a/postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql b/postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql new file mode 100755 index 0000000..da55af3 --- /dev/null +++ b/postgresql/docker-entrypoint-initdb.d/30_setup_test_databases.sql @@ -0,0 +1,7 @@ +#!/bin/bash +set -e + +psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL + CREATE DATABASE ckan_test OWNER "$CKAN_DB_USER" ENCODING 'utf-8'; + CREATE DATABASE datastore_test OWNER "$CKAN_DB_USER" ENCODING 'utf-8'; +EOSQL