From 9f02f7b3ca5ba0b8b2eea5ea9157bdbb80e1ac15 Mon Sep 17 00:00:00 2001
From: schlagmichdoch
Date: Wed, 31 May 2023 18:57:22 +0200
Subject: [PATCH] add docker-compose-dev.yml and needed conf files
---
docker-compose-dev.yml | 33 ++++++++++++++++++++++
docker/fqdn.env | 1 +
docker/nginx-with-openssl.Dockerfile | 3 ++
docker/nginx/default.conf | 41 ++++++++++++++++++++++++++++
docker/openssl/create.sh | 9 ++++++
docker/openssl/pairdropCA.cnf | 26 ++++++++++++++++++
docker/openssl/pairdropCert.cnf | 29 ++++++++++++++++++++
7 files changed, 142 insertions(+)
create mode 100644 docker-compose-dev.yml
create mode 100644 docker/fqdn.env
create mode 100644 docker/nginx-with-openssl.Dockerfile
create mode 100644 docker/nginx/default.conf
create mode 100755 docker/openssl/create.sh
create mode 100644 docker/openssl/pairdropCA.cnf
create mode 100644 docker/openssl/pairdropCert.cnf
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
new file mode 100644
index 0000000..472e001
--- /dev/null
+++ b/docker-compose-dev.yml
@@ -0,0 +1,33 @@
+version: "3"
+services:
+ pairdrop:
+ build: .
+ container_name: pairdrop
+ restart: unless-stopped
+ environment:
+ - PUID=1000 # UID to run the application as
+ - PGID=1000 # GID to run the application as
+ - WS_FALLBACK=false # Set to true to enable websocket fallback if the peer to peer WebRTC connection is not available to the client.
+ - RATE_LIMIT=false # Set to true to limit clients to 1000 requests per 5 min.
+ - RTC_CONFIG=false # Set to the path of a file that specifies the STUN/TURN servers.
+ - DEBUG_MODE=false # Set to true to debug container and peer connections.
+ - TZ=Etc/UTC # Time Zone
+ ports:
+ - "127.0.0.1:3000:3000" # Web UI. Change the port number before the last colon e.g. `127.0.0.1:9000:3000`
+ nginx:
+ build:
+ context: ./docker/
+ dockerfile: nginx-with-openssl.Dockerfile
+ image: "nginx-with-openssl"
+ volumes:
+ - ./public:/usr/share/nginx/html
+ - ./docker/certs:/etc/ssl/certs
+ - ./docker/openssl:/mnt/openssl
+ - ./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf
+ ports:
+ - "8080:80"
+ - "8443:443"
+ env_file: ./docker/fqdn.env
+ entrypoint: /mnt/openssl/create.sh
+ command: ["nginx", "-g", "daemon off;"]
+ restart: unless-stopped
\ No newline at end of file
diff --git a/docker/fqdn.env b/docker/fqdn.env
new file mode 100644
index 0000000..3302bc9
--- /dev/null
+++ b/docker/fqdn.env
@@ -0,0 +1 @@
+FQDN=localhost
\ No newline at end of file
diff --git a/docker/nginx-with-openssl.Dockerfile b/docker/nginx-with-openssl.Dockerfile
new file mode 100644
index 0000000..4752a53
--- /dev/null
+++ b/docker/nginx-with-openssl.Dockerfile
@@ -0,0 +1,3 @@
+FROM nginx:alpine
+
+RUN apk add --no-cache openssl
\ No newline at end of file
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
new file mode 100644
index 0000000..9f40337
--- /dev/null
+++ b/docker/nginx/default.conf
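Review bot: The nginx service publishes `"8080:80"` and `"8443:443"` on every host interface, while the pairdrop service a few lines above deliberately binds `"127.0.0.1:3000:3000"`; for a dev stack fronted by a throwaway self-signed CA, bind the proxy the same way (`- "127.0.0.1:8080:80"` and `- "127.0.0.1:8443:443"`) so the dev server is not reachable from the LAN. The `./docker/certs:/etc/ssl/certs` bind mount shadows the image's system CA bundle inside the container and is also where `create.sh` drops `pairdropCA.key` and `pairdrop-dev.key`, so private keys end up in a host directory — confirm `docker/certs` is git-ignored, or mount a dedicated directory such as `/etc/nginx/certs` (the paths in `default.conf` and `create.sh` would move with it). nginx also declares no `depends_on: [pairdrop]`; since its `proxy_pass` upstream is resolved when the config is loaded, on a cold `docker compose up` it may start before the app container and exit, so the dependency is worth adding.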
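Review bot: `FROM nginx:alpine` floats on a moving tag, so the dev image is not reproducible and an upstream nginx or Alpine change can silently alter how the proxy behaves between two developers' builds; pin at least a minor-version tag or, better, an `@sha256:` digest, with a one-line comment saying that the pin is deliberate. `RUN apk add --no-cache openssl` is fine as written; the file has no trailing newline, which is harmless here but worth fixing while touching it.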
@@ -0,0 +1,41 @@
+server {
+ listen 80;
+
+ expires epoch;
+
+ location / {
+ proxy_connect_timeout 300;
+ proxy_pass http://node:3000;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+ }
+
+ location /ca.crt {
+ alias /etc/ssl/certs/snapdropCA.crt;
+ }
+
+ # To allow POST on static pages
+ error_page 405 =200 $uri;
+}
+
+server {
+ listen 443 ssl http2;
+ ssl_certificate /etc/ssl/certs/pairdrop-dev.crt;
+ ssl_certificate_key /etc/ssl/certs/pairdrop-dev.key;
+
+ expires epoch;
+
+ location / {
+ proxy_connect_timeout 300;
+ proxy_pass http://node:3000;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+ }
+
+ location /ca.crt {
+ alias /etc/ssl/certs/pairdropCA.crt;
+ }
+ # To allow POST on static pages
+ error_page 405 =200 $uri;
+}
+
diff --git a/docker/openssl/create.sh b/docker/openssl/create.sh
new file mode 100755
index 0000000..4f70697
--- /dev/null
+++ b/docker/openssl/create.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+cnf_dir='/mnt/openssl/'
+certs_dir='/etc/ssl/certs/'
+openssl req -config ${cnf_dir}pairdropCA.cnf -new -x509 -days 1 -keyout ${certs_dir}pairdropCA.key -out ${certs_dir}pairdropCA.crt
+openssl req -config ${cnf_dir}pairdropCert.cnf -new -out /tmp/pairdrop-dev.csr -keyout ${certs_dir}pairdrop-dev.key
+openssl x509 -req -in /tmp/pairdrop-dev.csr -CA ${certs_dir}pairdropCA.crt -CAkey ${certs_dir}pairdropCA.key -CAcreateserial -extensions req_ext -extfile ${cnf_dir}pairdropCert.cnf -sha512 -days 1 -out ${certs_dir}pairdrop-dev.crt
+
+exec "$@"
diff --git a/docker/openssl/pairdropCA.cnf b/docker/openssl/pairdropCA.cnf
new file mode 100644
index 0000000..2ef6185
--- /dev/null
+++ b/docker/openssl/pairdropCA.cnf
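Review bot: Both `proxy_pass http://node:3000;` directives point at a host named `node`, but the compose file in this same commit names the application service `pairdrop`, so nginx fails to resolve the upstream when it loads the config and never starts; both should read `proxy_pass http://pairdrop:3000;`. In the port-80 server, `location /ca.crt` aliases `/etc/ssl/certs/snapdropCA.crt` while `create.sh` writes `pairdropCA.crt` (the 443 block already uses that name), so the plain-HTTP download of the CA returns 404 — it looks like a leftover from the project this was derived from. The WebSocket upgrade additionally needs `proxy_http_version 1.1;` next to the `Upgrade`/`Connection` headers, because nginx proxies with HTTP/1.0 by default and drops the upgrade; and since `Connection "upgrade"` is set unconditionally, every ordinary request is also sent as an upgrade, which the usual `map $http_upgrade $connection_upgrade` idiom avoids. Forwarding the client address with `X-Forwarded-For` is worth adding too, since the app's `RATE_LIMIT` option presumably keys on it and would otherwise only ever see the proxy; the rewritten `location /` below applies to both server blocks.
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    # … unchanged: expires, /ca.crt location (with the pairdropCA.crt alias), error_page …
    location / {
        proxy_connect_timeout 300;
        proxy_pass http://pairdrop:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# … unchanged: the 443 server block, whose location / needs the same changes …
```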
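Review bot: Nothing stops the script when an openssl step fails — there is no `set -e`, so a bad config, an unset `FQDN` or an unwritable `/etc/ssl/certs` still reaches `exec "$@"`, and nginx then dies on a missing `pairdrop-dev.crt` with the real error scrolled past; add `set -eu` directly after the shebang. The CA key and server key are written into the same directory that nginx serves `/ca.crt` from and that the compose file bind-mounts from the host, so put `umask 077` before the first `openssl` call so the `.key` files are never group/world-readable on the host (recent openssl may already create `-keyout` files 0600, but the script should not depend on that). A fresh CA is also minted on every container start and is valid for one day (`-days 1`), so any CA a developer imported into a browser stops matching after the next restart; if that is intended for dev it deserves a comment, otherwise guard the first command with `[ -f "${certs_dir}pairdropCA.key" ] ||` and give the CA a longer validity than the leaf.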
@@ -0,0 +1,26 @@
+[ req ]
+default_bits = 2048
+default_md = sha256
+default_days = 1
+encrypt_key = no
+distinguished_name = subject
+x509_extensions = x509_ext
+string_mask = utf8only
+prompt = no
+
+[ subject ]
+organizationName = PairDrop
+OU = CA
+commonName = pairdrop-CA
+
+[ x509_ext ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+
+# You only need digitalSignature below. *If* you don't allow
+# RSA Key transport (i.e., you use ephemeral cipher suites), then
+# omit keyEncipherment because that's key transport.
+
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
+
diff --git a/docker/openssl/pairdropCert.cnf b/docker/openssl/pairdropCert.cnf
new file mode 100644
index 0000000..87202d8
--- /dev/null
+++ b/docker/openssl/pairdropCert.cnf
@@ -0,0 +1,29 @@
+[ req ]
+default_bits = 2048
+default_md = sha256
+default_days = 1
+encrypt_key = no
+distinguished_name = subject
+req_extensions = req_ext
+string_mask = utf8only
+prompt = no
+
+[ subject ]
+organizationName = PairDrop
+OU = Development
+
+# Use a friendly name here because it's presented to the user. The server's DNS
+# names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
+# by both IETF and CA/Browser Forums. If you place a DNS name here, then you
+# must include the DNS name in the SAN too (otherwise, Chrome and others that
+# strictly follow the CA/Browser Baseline Requirements will fail).
+
+commonName = ${ENV::FQDN}
+
+[ req_ext ]
+subjectKeyIdentifier = hash
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = DNS:${ENV::FQDN}
+nsComment = "OpenSSL Generated Certificate"
+extendedKeyUsage = serverAuth
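Review bot: The `keyUsage` line grants `digitalSignature, keyEncipherment` to the CA certificate, and the three-line comment above it about RSA key transport and ephemeral cipher suites was written for a server certificate, not a CA — a CA whose only job is signing certificates and CRLs needs `keyUsage = critical, cRLSign, keyCertSign`, so drop the two TLS bits and replace the comment with one that matches, e.g. `# CA-only usages: this key signs certificates and CRLs and never terminates TLS.`. `default_days = 1` is dead here because `create.sh` passes `-days 1` explicitly; that is fine, but a comment saying the lifetime is set on the command line would stop someone editing this value expecting a longer CA. `encrypt_key = no` writes the CA key unencrypted, which is acceptable for a throwaway dev CA and should be stated in the same place.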
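Review bot: The leaf certificate carries no `authorityKeyIdentifier`, so add `authorityKeyIdentifier = keyid,issuer` to `[ req_ext ]` next to `subjectKeyIdentifier = hash` — RFC 5280 requires it on CA-issued certificates and it makes chain building to `pairdropCA.crt` unambiguous; because `create.sh` signs with `x509 -req -CA … -extfile` the value resolves against the CA key. `nsComment` is a Netscape-era extension with no consumer here and can simply be dropped. The SAN is only `DNS:${ENV::FQDN}`, which with `FQDN=localhost` from `docker/fqdn.env` means anyone opening the dev proxy by a LAN IP gets a name mismatch; either document that or allow an extra `IP:` entry to be supplied. Note that an unset `FQDN` makes the `${ENV::FQDN}` lookup abort openssl, which the current `create.sh` (no `set -e`) would not notice before starting nginx.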