diff --git a/Dockerfile b/Dockerfile index 40f183f..3cf06fa 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,6 @@ FROM jonasal/nginx-certbot:1.1.0-nginx1.19.7 COPY ./nginx.conf /etc/nginx/nginx.conf # Copy over redirecting configuration -COPY ./https_www_redirects /etc/nginx/conf.d COPY ./http_domain_redirects.conf /etc/nginx/conf.d/http_domain_redirects.conf COPY ./letsencrypt /etc/nginx/conf.d diff --git a/LETSENCRYPT.md b/LETSENCRYPT.md index d9c38ee..95d3fd4 100644 --- a/LETSENCRYPT.md +++ b/LETSENCRYPT.md @@ -2,7 +2,7 @@ ### Introduction -Let's Encrypt is a nonprofit Certificate Authority run by the Internet +Let's Encrypt is a nonprofit Certificate Authority run by the Internet Security Research Group (ISRG) that provides free SSL certificates. Isomer takes advantage of this through: 
@@ -14,21 +14,20 @@ Isomer takes advantage of this through: This document shall focus on the latter usecase. - ### Background and Motivations -Isomer serves web traffic on `www.example.gov.sg`, and 301 redirects -requests to `example.gov.sg` to the www subdomain. These are served -over HTTPS by separate services, respectively, a CDN and an EC2 instance +Isomer serves web traffic on `www.example.gov.sg`, and 301 redirects +requests to `example.gov.sg` to the www subdomain. These are served +over HTTPS by separate services, respectively, a CDN and an EC2 instance (the redirection server). Historically, Isomer users were asked to provide an Extended Validation certificate for use on both services. Given that this is no longer needed, Isomer can make use of built-in LetsEncrypt certificate provisioning -found on CDNs. +found on CDNs. The redirection server also needs SSL certificates, and given that it -accounts for less than 0.1% of web traffic coming to Isomer, it makes +accounts for less than 0.1% of web traffic coming to Isomer, it makes very little sense to allocate resources to manually procure and install a certificate. Given that LetsEncrypt certificates are free and only available through automated means, integration with Isomer's redirection 
@@ -37,25 +36,25 @@ server makes sense. ### Implementation Overview Jonas Alfredsson (@JonasAlfredsson) maintains a Docker image originally written -by Eliot Saba (@staticfloat) which incorporates certbot into the standard nginx +by Eliot Saba (@staticfloat) which incorporates certbot into the standard nginx image. At runtime, the image runs: - a bootstrap script that inspects and disables/enables config at `/etc/nginx/conf.d/` if they reference missing SSL files before enabling nginx, and; -- a long-running while loop that does the following both at the start +- a long-running while loop that does the following both at the start as well once every week: - run certbot to obtain certificates for domain names implied by - `ssl_certificate_key` if the path is of the form + `ssl_certificate_key` if the path is of the form `/etc/letsencrypt/live//privkey.pem` and the file is either missing or expired, and; - enable the config once the certificates are obtained by reloading nginx. -Elastic Beanstalk does not have its CloudWatch logger immediately enabled at +Elastic Beanstalk does not have its CloudWatch logger immediately enabled at runtime, so to ensure we have everything logged into CloudWatch, we introduce -a script into [`/docker-entrypoint.d/`](https://github.com/nginxinc/docker-nginx/tree/master/entrypoint) +a script into [`/docker-entrypoint.d/`](https://github.com/nginxinc/docker-nginx/tree/master/entrypoint) that makes nginx sleep for ten seconds The contact e-mail for these certificates is configured by the env var 
@@ -64,15 +63,12 @@ The contact e-mail for these certificates is configured by the env var Certifcates are stored in an AWS Elastic File System mounted into the EC2 instance at `/etc/letsencrypt`. -Nginx has been configured to reroute requests for `/.well-known` on port 80 +Nginx has been configured to reroute requests for `/.well-known` on port 80 to certbot's internal web service. This allows certbot to prove to LetsEncrypt that Isomer has control of the domain that we are requesting a certificate for, via an [HTTP-01 challenge](https://letsencrypt.org/docs/challenge-types/). -Custom SSL certificates are still supported by adding nginx server config blocks -to `https_www_redirects.conf` - ### Further Reading -Further information can be found at the relevant GitHub +Further information can be found at the relevant GitHub [repository](https://github.com/JonasAlfredsson/docker-nginx-certbot). diff --git a/https_www_redirects/taxacademy.sg.conf b/https_www_redirects/taxacademy.sg.conf deleted file mode 100644 index 01a439d..0000000 --- a/https_www_redirects/taxacademy.sg.conf +++ /dev/null @@ -1,8 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name taxacademy.sg; - ssl_certificate /ssl/www.taxacademy.sg.crt; - ssl_certificate_key /ssl/www.taxacademy.sg.key; - return 301 https://www.taxacademy.sg$request_uri; -} \ No newline at end of file
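Review bot: nothing in this diff replaces the HTTPS server block for the bare `taxacademy.sg` name that the Dockerfile hunk (`-COPY ./https_www_redirects /etc/nginx/conf.d`) and the deleted `https_www_redirects/taxacademy.sg.conf` take away; the remaining `COPY ./letsencrypt /etc/nginx/conf.d` line is unchanged and no new file under `./letsencrypt` appears here. Unless a block with `server_name taxacademy.sg;` and an `ssl_certificate_key` of the form `/etc/letsencrypt/live/.../privkey.pem` exists in that directory, requests to `https://taxacademy.sg` will land on whichever server nginx treats as default for port 443 and fail with a certificate mismatch instead of receiving the `301 https://www.taxacademy.sg$request_uri` that the old block returned. Please include the replacement config in this change, or state in the commit message where and when the cutover to the certbot-managed block happens.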
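Review bot: the first three LETSENCRYPT.md hunks (`@@ -2,7 +2,7 @@`, `@@ -14,21 +14,20 @@`, `@@ -37,25 +36,25 @@`) change only trailing whitespace on otherwise identical lines, for example `-Let's Encrypt is a nonprofit Certificate Authority run by the Internet` against `+Let's Encrypt is a nonprofit Certificate Authority run by the Internet`, which buries the one substantive documentation change (the removed custom-certificate sentence) in noise that reviewers have to compare character by character. Consider splitting the whitespace cleanup into its own commit, or at least calling it out in the message. While these lines are being touched, the context typos `usecase` (use case) and `Certifcates` (Certificates) could be corrected as well.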
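Review bot: in the Implementation Overview hunk (`@@ -37,25 +36,25 @@`) the path the image matches on reads `/etc/letsencrypt/live//privkey.pem`, with an empty directory segment where the placeholder for the certificate's domain name should be; since the whole certbot detection logic described in that bullet hinges on this path shape, check that the placeholder survives rendering or spell it out in words so readers know which segment names the domain. The sentence ending `that makes nginx sleep for ten seconds` is also missing its full stop, and the reason for the sleep (waiting for the CloudWatch logger) would be clearer if stated in that sentence rather than only in the one before it.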
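Review bot: the hunk at `@@ -64,15 +63,12 @@` deletes `Custom SSL certificates are still supported by adding nginx server config blocks to https_www_redirects.conf` without documenting the new position, and the deleted `taxacademy.sg.conf` shows at least one site relied on that mechanism (`ssl_certificate /ssl/www.taxacademy.sg.crt;` and `ssl_certificate_key /ssl/www.taxacademy.sg.key;`). The document should now say explicitly that the redirection server only serves certificates provisioned through the `/etc/letsencrypt/live/...` convention, and the change should address the material left behind: if the mount or image layer that supplied `/ssl/www.taxacademy.sg.key` is no longer referenced by any server block, remove it too, so an unused private key is not left readable on the instance after this configuration is gone.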