From e828b089c668bae15ce7b438b52fdf7c4c571355 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Fri, 27 Mar 2020 16:33:02 -0400
Subject: [PATCH] openssl

---
 compose/production/traefik/Dockerfile | 7 ++++---
 compose/production/traefik/traefik.toml.template | 13 ++++++++-----
 scripts/install.sh | 2 ++
 scripts/services/Mistborn-base.service | 2 ++
 scripts/subinstallers/openssl.sh | 15 +++++++++++++++
 5 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100755 scripts/subinstallers/openssl.sh

diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile
index 7088e6f..0b80e0b 100644
--- a/compose/production/traefik/Dockerfile
+++ b/compose/production/traefik/Dockerfile
@@ -1,5 +1,6 @@
 FROM traefik:alpine
-RUN mkdir -p /etc/traefik/acme
-RUN touch /etc/traefik/acme/acme.json
-RUN chmod 600 /etc/traefik/acme/acme.json
+#RUN mkdir -p /etc/traefik/acme
+#RUN touch /etc/traefik/acme/acme.json
+#RUN chmod 600 /etc/traefik/acme/acme.json
+COPY ./tls /tls
 COPY ./compose/production/traefik/traefik.toml /etc/traefik
diff --git a/compose/production/traefik/traefik.toml.template b/compose/production/traefik/traefik.toml.template
index 45e1169..47db874 100644
--- a/compose/production/traefik/traefik.toml.template
+++ b/compose/production/traefik/traefik.toml.template
@@ -3,8 +3,8 @@
 logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
 InsecureSkipVerify = true
 
-#defaultEntryPoints = ["http", "https"]
-defaultEntryPoints = ["http"]
+defaultEntryPoints = ["http", "https"]
+#defaultEntryPoints = ["http"]
 
 # Entrypoints, http and https
 [entryPoints]
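Review bot: `COPY ./tls /tls` bakes the private key produced by scripts/subinstallers/openssl.sh (tls/cert.key) into an image layer, so anyone who can pull or `docker save` the traefik image, or read the build cache, obtains the key, and rotating it means rebuilding the image. Mount the directory at container start instead — e.g. a compose volume `- ./tls:/tls:ro` — and drop the COPY; Traefik only needs the files present at the path named in traefik.toml when it starts. The three `#RUN` ACME lines are dead code and should be deleted rather than commented out, with a one-line comment such as `# TLS material is mounted at /tls; ACME is not used` recording why. `FROM traefik:alpine` is a floating tag (pre-existing), and since the TOML in this patch is written for the v1 configuration format, pinning a version tag or digest would keep a tag move from silently breaking the TLS setup.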
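Review bot: `defaultEntryPoints = ["http", "https"]` attaches every frontend to the plaintext :80 listener as well as :443, and the `[entryPoints.http.redirect]` block further down this file is still commented out, so nothing in this commit stops proxied-service credentials from travelling in the clear. Either uncomment `[entryPoints.http.redirect]` / `entryPoint = "https"` or make the default `["https"]` and keep :80 only for what genuinely needs it. The retained `InsecureSkipVerify = true` (context, not new) disables certificate verification toward backends; now that TLS is being added, a comment naming the backend that requires it would justify keeping it. The commented-out `#defaultEntryPoints = ["http"]` is dead and can simply be deleted.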
@@ -14,9 +14,12 @@ defaultEntryPoints = ["http"]
  #[entryPoints.http.redirect]
  #entryPoint = "https"
  # https is the default
- #[entryPoints.https]
- #address = ":443"
- # [entryPoints.https.tls]
+ [entryPoints.https]
+ address = ":443"
+ [entryPoints.https.tls]
+ [entryPoints.httpSSL.tls.defaultCertificate]
+ certFile = "/tls/cert.crt"
+ keyFile = "/tls/cert.key"
 
 ## Enable ACME (Let's Encrypt): automatic SSL
 #[acme]
diff --git a/scripts/install.sh b/scripts/install.sh
index 705edf9..e1534f7 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -181,6 +181,8 @@ sudo mkdir -p ../mistborn_volumes/extra
 # Traefik final setup (cockpit)
 cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
 
+# setup tls certs
+source ./scripts/subinstallers/openssl.sh
 # Download docker images while DNS is operable
 sudo docker-compose -f base.yml pull || true
 
diff --git a/scripts/services/Mistborn-base.service b/scripts/services/Mistborn-base.service
index fab39a7..b1c52b5 100644
--- a/scripts/services/Mistborn-base.service
+++ b/scripts/services/Mistborn-base.service
@@ -16,6 +16,7 @@ ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
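Review bot: The new table header `[entryPoints.httpSSL.tls.defaultCertificate]` names an entry point `httpSSL` that does not exist; the listener defined three lines above is `https`, so /tls/cert.crt and /tls/cert.key are never bound to `:443`, which is left with an empty `[entryPoints.https.tls]` — if this is Traefik v1, as the `defaultEntryPoints` syntax suggests, it will serve its own auto-generated certificate and define a dangling `httpSSL` entry point with no address. The fix is the one-line rename `[entryPoints.https.tls.defaultCertificate]`. The `#[entryPoints.http.redirect]` / `#entryPoint = "https"` context lines stay commented, so :80 continues to serve everything in plaintext next to the new :443 listener. A comment above `certFile` noting that the pair is generated by scripts/subinstallers/openssl.sh and copied to /tls by the Dockerfile would save the next reader a search.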
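Review bot: `source ./scripts/subinstallers/openssl.sh` runs the generator inside install.sh's own shell, so an `openssl` failure is not detected (the sourced script has no `set -e` and install.sh proceeds straight to `docker-compose pull`), the script's `KEY_FOLDER`/`KEY_PATH` variables leak into the installer, and its relative `./tls/` path resolves against install.sh's working directory rather than anything the script controls. Run it as a child process and fail loudly: `./scripts/subinstallers/openssl.sh || { echo "TLS certificate generation failed" >&2; exit 1; }` (the file is already mode 100755). Unlike the `sudo mkdir` just above, the key is written as the invoking user into the repository tree — the directory the traefik Dockerfile then copies into the image — so the `# setup tls certs` comment should state where the key is meant to live and who owns it.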
@@ -28,6 +29,7 @@ ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
diff --git a/scripts/subinstallers/openssl.sh b/scripts/subinstallers/openssl.sh
new file mode 100755
index 0000000..fcc1dd5
--- /dev/null
+++ b/scripts/subinstallers/openssl.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+KEY_FOLDER="./tls/"
+CRT_FILE="cert.crt"
+KEY_FILE="cert.key"
+
+CRT_PATH="$KEY_FOLDER/$CRT_FILE"
+KEY_PATH="$KEY_FOLDER/$KEY_FILE"
+
+# generate crt and key
+openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
+
+# set permissions
+chmod 644 $CRT_PATH
+chmod 600 $KEY_PATH
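Review bot: The `openssl req` line regenerates the key pair on every run, so a repeated install silently replaces the certificate already presented to clients, and it assumes `./tls/` exists — `-keyout` does not create the directory, and with no `set -e` a failed openssl call just lets the two `chmod` lines fail afterwards (the unquoted paths and the `"$KEY_FOLDER/$CRT_FILE"` join, which yields `./tls//cert.crt`, are minor but of a piece). The certificate's only name is `CN=*.mistborn`; current browsers and most TLS stacks ignore CN and require a subjectAltName, so even a client that trusts this cert will fail hostname checks unless `-addext "subjectAltName=DNS:*.mistborn"` (OpenSSL 1.1.1+) is added. The key is also written under the default umask and only tightened to 600 afterwards; `umask 077` before the call closes that window. Because install.sh currently `source`s this file, `set -e`/`umask` would leak into the installer — one more reason to execute it as its own process. A guarded version follows.
```bash
set -euo pipefail
umask 077

KEY_FOLDER="./tls"
# … unchanged: CRT_FILE / KEY_FILE / CRT_PATH / KEY_PATH …

mkdir -p "$KEY_FOLDER"

# Keep an existing pair: regenerating on every install run would silently
# replace the certificate clients have already been shown.
if [ ! -s "$KEY_PATH" ] || [ ! -s "$CRT_PATH" ]; then
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
        -keyout "$KEY_PATH" -out "$CRT_PATH" \
        -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost" \
        -addext "subjectAltName=DNS:*.mistborn"   # requires OpenSSL >= 1.1.1
fi

chmod 644 "$CRT_PATH"
chmod 600 "$KEY_PATH"
```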