openssl

compose/production/traefik/Dockerfile

@@ -1,5 +1,6 @@
 FROM traefik:alpine
-RUN mkdir -p /etc/traefik/acme
-RUN touch /etc/traefik/acme/acme.json
-RUN chmod 600 /etc/traefik/acme/acme.json
+#RUN mkdir -p /etc/traefik/acme
+#RUN touch /etc/traefik/acme/acme.json
+#RUN chmod 600 /etc/traefik/acme/acme.json
+COPY ./tls /tls
 COPY ./compose/production/traefik/traefik.toml /etc/traefik

compose/production/traefik/traefik.toml.template

@@ -3,8 +3,8 @@
 logLevel = "ERROR" #DEBUG, INFO, WARN, ERROR, FATAL, PANIC
 InsecureSkipVerify = true 
 
-#defaultEntryPoints = ["http", "https"]
-defaultEntryPoints = ["http"]
+defaultEntryPoints = ["http", "https"]
+#defaultEntryPoints = ["http"]
 
 # Entrypoints, http and https
 [entryPoints]
@@ -14,9 +14,12 @@ defaultEntryPoints = ["http"]
     #[entryPoints.http.redirect]
     #entryPoint = "https"
   # https is the default
-  #[entryPoints.https]
-  #address = ":443"
-  #  [entryPoints.https.tls]
+  [entryPoints.https]
+  address = ":443"
+    [entryPoints.https.tls]
+    [entryPoints.httpSSL.tls.defaultCertificate]
+      certFile = "/tls/cert.crt"
+      keyFile = "/tls/cert.key"
 
 ## Enable ACME (Let's Encrypt): automatic SSL
 #[acme]

scripts/install.sh

@@ -181,6 +181,8 @@ sudo mkdir -p ../mistborn_volumes/extra
 
 # Traefik final setup (cockpit)
 cp ./compose/production/traefik/traefik.toml.template ./compose/production/traefik/traefik.toml
+# setup tls certs 
+source ./scripts/subinstallers/openssl.sh
 
 # Download docker images while DNS is operable
 sudo docker-compose -f base.yml pull || true

scripts/services/Mistborn-base.service

@@ -16,6 +16,7 @@ ExecStartPre=-/sbin/ip address add 10.2.3.1/30 dev DIFACE
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -I DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/iptables -A OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStartPre=/sbin/ip6tables -A OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP
@@ -28,6 +29,7 @@ ExecStop=/usr/local/bin/docker-compose -f /opt/mistborn/base.yml down
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 80 -j MISTBORN_LOG_DROP
+ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 443 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D DOCKER-USER -i DIFACE -p tcp --dport 5555 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/iptables -D OUTPUT -o DIFACE -p udp --dport 53 -j MISTBORN_LOG_DROP
 ExecStopPost=-/sbin/ip6tables -D OUTPUT -p udp --dport 53 -j MISTBORN_LOG_DROP

scripts/subinstallers/openssl.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+KEY_FOLDER="./tls/"
+CRT_FILE="cert.crt"
+KEY_FILE="cert.key"
+
+CRT_PATH="$KEY_FOLDER/$CRT_FILE"
+KEY_PATH="$KEY_FOLDER/$KEY_FILE"
+
+# generate crt and key
+openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout $KEY_PATH -out $CRT_PATH -subj "/C=US/ST=New York/L=New York/O=cyber5k/OU=mistborn/CN=*.mistborn/emailAddress=mistborn@localhost"
+
+# set permissions
+chmod 644 $CRT_PATH
+chmod 600 $KEY_PATH