Updated production configuration to utilize SSL by default. #8
Merged
Aug 2, 2019
5 changes: 5 additions & 0 deletions .gitignore
Expand Up @@ -271,3 +271,8 @@ ghostwriter/media/
.idea/
.env
.envs/*

# SSL certificates
ssl/*.crt
ssl/*.key
ssl/dhparam.pem
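Review bot: the three new patterns only match the exact names the readme documents (`ssl/*.crt`, `ssl/*.key`, `ssl/dhparam.pem`), so a private key or certificate dropped into `ssl/` under any other extension (a `.pem` key or bundle, a `.csr`, a `.pfx` export, a Let's Encrypt `privkey.pem`) would still be committed. Ignore the whole directory and whitelist the documentation instead: `ssl/*` followed by `!ssl/readme.md`. That keeps the readme tracked while making the failure mode "forgot to add the file" rather than "pushed a key".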
82 changes: 23 additions & 59 deletions compose/production/nginx/nginx.conf
Expand Up @@ -29,23 +29,44 @@ http {
server django:5000;
}

# Basic setup without SSL encryption
# Begin redirect for port 80
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 https://$host$request_uri;
}
# End redirect for port 80

# Begin SSL site setup
server {
listen 443 ssl http2 default_server;
server_name ghostwriter.local;
charset utf-8;

root /var/www/html;

# ssl on;
ssl_certificate /ssl/ghostwriter.crt;
ssl_certificate_key /ssl/ghostwriter.key;
#ssl_stapling on;
#ssl_stapling_verify on;

# SSL from stock default's ssl section
ssl_session_timeout 60m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /ssl/dhparam.pem;
ssl_prefer_server_ciphers on;
resolver 8.8.8.8;

location /admin {
try_files $uri @proxy_to_app;
}

location /static {
alias /app/staticfiles;
}

location / {
try_files $uri @proxy_to_app;
}
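Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1 on the new 443 listener; both are deprecated and the `AES256+EECDH:AES256+EDH` part of the cipher string admits the CBC suites those versions negotiate, so change it to `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; with only TLS 1.2 listed nothing else changes). Three smaller points in the same block: `resolver 8.8.8.8;` is only used by the commented-out `ssl_stapling` lines and otherwise just sends this container's name lookups to Google, so either remove it or finish the stapling setup with `ssl_trusted_certificate`; `ssl_session_timeout 60m;` has no matching `ssl_session_cache` directive, so the timeout has little effect; and the 443 server has no `listen [::]:443 ssl http2 default_server;` counterpart to the `listen [::]:80` redirect, so IPv6 clients get a 301 to a port nothing is listening on. Since the PR's stated goal is SSL by default, an `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 server would also belong here.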
Expand All @@ -63,63 +84,6 @@ http {
}

}

# Begin redirect for port 80
# server {
# listen 80 default_server;
# listen [::]:80 default_server;
# return 301 https://$host$request_uri;
# }
# End redirect for port 80

# Begin SSL site setup
# server {
# listen 443 ssl http2 default_server;
# listen 8080 ssl http2 default_server;
# server_name ghostwriter.local;
# charset utf-8;

# root /var/www/html;

# # ssl on;
# ssl_certificate /ssl/ghostwriter.crt;
# ssl_certificate_key /ssl/ghostwriter.key;
# #ssl_stapling on;
# #ssl_stapling_verify on;

# # SSL from stock default's ssl section
# ssl_session_timeout 60m;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# ssl_dhparam /ssl/dhparam.pem;
# ssl_prefer_server_ciphers on;
# resolver 8.8.8.8;

# location /admin {
# try_files $uri @proxy_to_app;
# }

# location /static {
# alias /app/staticfiles;
# }

# location / {
# try_files $uri @proxy_to_app;
# }

# location @proxy_to_app {
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header Host $host;
# proxy_redirect off;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Protocol ssl;
# proxy_connect_timeout 60;
# proxy_read_timeout 60;
# proxy_pass https://app;
# }

# }
# End setup for SSL site

}
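Review bot: the commented-out block being deleted carried `proxy_set_header X-Forwarded-Proto $scheme;`, `proxy_set_header X-Forwarded-Protocol ssl;` and `proxy_pass https://app;`, and the live `@proxy_to_app` location is collapsed in this diff, so none of that is visible in the new active server. Confirm that the live location still sets `X-Forwarded-Proto` (Django's `SECURE_PROXY_SSL_HEADER` and `request.is_secure()` depend on it now that TLS terminates in nginx) and that its `proxy_pass` points at the `upstream app` defined at the top of the file over plain http, since the `django:5000` backend is not serving TLS itself; a `proxy_pass https://app;` copied from this dead block would fail the handshake. Dropping the duplicated `X-Forwarded-For` line while you are in there is a free cleanup.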
2 changes: 1 addition & 1 deletion config/settings/production.py
Expand Up @@ -6,7 +6,7 @@
# https://docs.djangoproject.com/en/dev/ref/settings/#secret-key
SECRET_KEY = env("DJANGO_SECRET_KEY")
# https://docs.djangoproject.com/en/dev/ref/settings/#allowed-hosts
ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["specterops.io"])
ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=["ghostwriter.local", "localhost"])

# DATABASES
# ------------------------------------------------------------------------------
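Review bot: giving `ALLOWED_HOSTS` a default of `["ghostwriter.local", "localhost"]` means a deployment that forgets to set `DJANGO_ALLOWED_HOSTS` silently serves under those names instead of failing at startup; with no `default=` argument `env.list` raises on the missing variable, which is the safer production behaviour. `localhost` in particular is not a name the nginx front end (`server_name ghostwriter.local`, forwarding `Host $host`) will ever present, so it only widens the list. Since this PR moves TLS termination to nginx, the same settings module should also carry `SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")`, `SESSION_COOKIE_SECURE = True`, `CSRF_COOKIE_SECURE = True` and `SECURE_SSL_REDIRECT = True`; the rest of `production.py` is collapsed in this diff, so please confirm those are set rather than assumed.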
31 changes: 31 additions & 0 deletions ssl/readme.md
@@ -0,0 +1,31 @@
# Production Setup: SSL Encryption

Before running in production, it is necessary to setup a SSL certificate. A self-signed certificate can be created using the following commands. Other options include purchasing a certificate or using [LetsEncrypt](https://letsencrypt.org/) for a free certificate.

Certificates should be placed in the `ssl/` folder. The files referenced in `compose/production/nginx/nginx.conf` use the following files names:

- ghostwriter.crt
- ghostwriter.key
- dhparam.pem

If different filenames are used, update the `nginx.conf` to reflect the correct filenames.

## Creating a self-signed SSL certificate

### With Prompts

```
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout ghostwriter.key -out ghostwriter.crt
```

### Without Prompts

```
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=/ST=/L=/O=Ghostwriter/CN=ghostwriter.local" -keyout ghostwriter.key -out ghostwriter.crt
```

### Creating the dhparam.pem

```
openssl dhparam -out dhparam.pem 4096
```
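Review bot: both `openssl req` commands put the hostname only in the CN and request no subjectAltName, and browsers have ignored the CN for name matching for years (Chrome since version 58), so even after a user trusts the self-signed certificate, `https://ghostwriter.local` will still fail hostname validation. Add `-addext "subjectAltName=DNS:ghostwriter.local"` (OpenSSL 1.1.1+) to both invocations, and tell readers to change both the CN and the SAN when they deploy under a real name. The `-subj "/C=/ST=/L=/O=Ghostwriter/CN=ghostwriter.local"` form also passes empty C, ST and L components that add nothing and that newer OpenSSL releases skip with a warning; `-subj "/O=Ghostwriter/CN=ghostwriter.local"` is enough. Two documentation points: `openssl dhparam -out dhparam.pem 4096` can run for many minutes on an ordinary host and deserves a warning (2048 is the common choice and still satisfies the `EDH` suites in `nginx.conf`), and the Let's Encrypt pointer should say that it only works for a hostname the ACME servers can resolve and reach, which `ghostwriter.local` is not. Finally, "setup a SSL certificate" should read "set up an SSL certificate".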