Add SSL support

cert/.gitignore

@@ -0,0 +1,5 @@
+# Ignore the private key
+omniport.key
+
+# Ignore the certificate
+omniport.crt

cert/README.md

@@ -0,0 +1,8 @@
+# Cert
+
+Place your SSL files in this directory and choose to enable SSL during the build
+process of the NGINX image.
+
+The files that are required are
+- `omniport.crt`: the certificate provided by the CA
+- `omniport.key`: the private key generated on the server

nginx/.gitignore

@@ -1,2 +1,3 @@
 # Ignore the .conf files generated using the stencils
-conf.d/*.conf
+conf.d/*.conf
+conf.d/includes/*-http_redirect.conf

nginx/conf.d/includes/ssl.conf

@@ -0,0 +1,19 @@
+# SSL
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+# modern configuration
+ssl_protocols TLSv1.2;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
+ssl_prefer_server_ciphers on;
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+resolver_timeout 2s;
+
+# SSL
+ssl_certificate /cert/omniport.crt;
+ssl_certificate_key /cert/omniport.key;

nginx/conf.d/stencils/01-http_redirect.conf

@@ -0,0 +1,11 @@
+# HTTP redirect
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name .[[intranet_domain]];
+
+	location / {
+		return 301 https://[[intranet_domain]]$request_uri;
+	}
+}

nginx/conf.d/stencils/01-intranet.conf

@@ -15,14 +15,16 @@ upstream intranet-daphne {
 # Configuration for rate limiting and throttling
 limit_req_zone $binary_remote_addr zone=intranet_limit:16m rate=16r/s;
 
+[[redirect]]
+
 # Configuration of the HTTP server
 server {
     # The port the site will be served on
-    listen      80;
-    listen      [::]:80;
+    listen      [[main_port]];
+    listen      [::]:[[main_port]];
 
     # The domain name it will serve for
-    server_name [[intranet_domain]];
+    server_name .[[intranet_domain]];
 
     # Use the UTF-8 charset
     charset     utf-8;
@@ -35,6 +37,8 @@ server {
     include         mime.types;
     default_type    application/octet-stream;
 
+    [[enable_ssl]]
+
     # Compression
     # Uses GNU Gzip
     include conf.d/includes/compression.conf;

nginx/conf.d/stencils/02-http_redirect.conf

@@ -0,0 +1,11 @@
+# HTTP redirect
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name .[[internet_domain]];
+
+	location / {
+		return 301 https://[[internet_domain]]$request_uri;
+	}
+}

nginx/conf.d/stencils/02-internet.conf

@@ -15,14 +15,16 @@ upstream internet-daphne {
 # Configuration for rate limiting and throttling
 limit_req_zone $binary_remote_addr zone=internet_limit:16m rate=16r/s;
 
+[[redirect]]
+
 # Configuration of the HTTP server
 server {
     # The port the site will be served on
-    listen      80;
-    listen      [::]:80;
+    listen      [[main_port]];
+    listen      [::]:[[main_port]];
 
     # The domain name it will serve for
-    server_name [[internet_domain]];
+    server_name .[[internet_domain]];
 
     # Use the UTF-8 charset
     charset     utf-8;
@@ -35,6 +37,8 @@ server {
     include         mime.types;
     default_type    application/octet-stream;
 
+    [[enable_ssl]]
+
     # Compression
     # Uses GNU Gzip
     include conf.d/includes/compression.conf;

scripts/build/nginx.sh

@@ -5,20 +5,56 @@ cd nginx/
 
 read -p "Rebuild NGINX .conf files? (y/N): " REBUILD
 if [ $REBUILD == 'Y' -o $REBUILD == 'y' ]; then
-    read -p "Enter the domain name for the intranet site as '.omniport.intranet': " INTRANET_DOMAIN
-    read -p "Enter the domain name for the Internet site as '.omniport.internet': " INTERNET_DOMAIN
+    read -p "Enter the intranet-side domain as 'omniport.intranet': " INTRANET_DOMAIN
+    read -p "Enter the Internet-side domain as 'omniport.internet': " INTERNET_DOMAIN
+
+    read -p "Enable HTTPS? [y/N]: " HTTPS
+
+    if [ $HTTPS == 'Y' -o $HTTPS == 'y' ]; then
+        MAIN_PORT='443 ssl'   # 'ssl' is essential here
+        REDIRECT_INTRANET='include conf\.d\/includes\/01-http_redirect\.conf;'
+        REDIRECT_INTERNET='include conf\.d\/includes\/02-http_redirect\.conf;'
+        ENABLE_SSL='include conf\.d\/includes\/ssl\.conf;'
+    else
+        MAIN_PORT='80'
+        REDIRECT_INTRANET=''  # Leaves out the include directives
+        REDIRECT_INTERNET=''  # Leaves out the include directives
+        ENABLE_SSL=''         # Leaves out the include directives
+    fi
 
     # Enter conf.d/ inside the NGINX Docker folder
     cd conf.d/
 
     # Remove pre-existing .conf files
     rm 01-intranet.conf 02-internet.conf
+    rm includes/01-http_redirect.conf includes/02-http_redirect.conf
 
     # Perform text substitution to generate the new .conf files
+    printf "Writing intranet .conf file... "
     cp stencils/01-intranet.conf ./01-intranet.conf
     sed -i "s/\[\[intranet_domain\]\]/${INTRANET_DOMAIN}/g" 01-intranet.conf
+    sed -i "s/\[\[main_port\]\]/${MAIN_PORT}/g" 01-intranet.conf
+    sed -i "s/\[\[redirect\]\]/${REDIRECT_INTRANET}/g" 01-intranet.conf
+    sed -i "s/\[\[enable_ssl\]\]/${ENABLE_SSL}/g" 01-intranet.conf
+    printf "done\n"
+
+    printf "Writing intranet redirect file... "
+    cp stencils/01-http_redirect.conf ./includes/01-http_redirect.conf
+    sed -i "s/\[\[intranet_domain\]\]/${INTRANET_DOMAIN}/g" ./includes/01-http_redirect.conf
+    printf "done\n"
+
+    printf "Writing Internet .conf file... "
     cp stencils/02-internet.conf ./02-internet.conf
     sed -i "s/\[\[internet_domain\]\]/${INTERNET_DOMAIN}/g" 02-internet.conf
+    sed -i "s/\[\[main_port\]\]/${MAIN_PORT}/g" 02-internet.conf
+    sed -i "s/\[\[redirect\]\]/${REDIRECT_INTERNET}/g" 02-internet.conf
+    sed -i "s/\[\[enable_ssl\]\]/${ENABLE_SSL}/g" 02-internet.conf
+    printf "done\n"
+
+    printf "Writing Internet redirect file... "
+    cp stencils/02-http_redirect.conf ./includes/02-http_redirect.conf
+    sed -i "s/\[\[internet_domain\]\]/${INTERNET_DOMAIN}/g" ./includes/02-http_redirect.conf
+    printf "done\n"
 
     # Get back out
     cd ..
@@ -30,4 +66,10 @@ TIMESTAMP=$(date +"%s")
 docker build \
     --tag omniport-nginx:${TIMESTAMP} \
     --tag omniport-nginx:latest \
-    .
+    .
+
+# Remove the .conf files after they have served their purpose
+rm conf.d/01-intranet.conf
+rm conf.d/02-internet.conf
+rm conf.d/includes/01-http_redirect.conf
+rm conf.d/includes/02-http_redirect.conf