From 6a08a5ef748cf038703c73408766c8a1e6a2e5e0 Mon Sep 17 00:00:00 2001
From: Ratha Heang
Date: Thu, 21 Jun 2018 14:44:33 +0700
Subject: [PATCH] [TASK] Add SSL Some projects will required SSL refs SS-00
---
 Configuration/Web/nginx_vhost.conf | 84 +++++++++++++++++++++++++++++
 Configuration/certs/wehost.asia.crt | 21 ++++++++
 Configuration/certs/wehost.asia.key | 27 ++++++++++
 docker-compose.yml | 2 +
 4 files changed, 134 insertions(+)
 create mode 100644 Configuration/certs/wehost.asia.crt
 create mode 100644 Configuration/certs/wehost.asia.key
diff --git a/Configuration/Web/nginx_vhost.conf b/Configuration/Web/nginx_vhost.conf
index 7c59ecf..ad5126c 100644
--- a/Configuration/Web/nginx_vhost.conf
+++ b/Configuration/Web/nginx_vhost.conf
@@ -76,3 +76,87 @@ server { } }
+server {
+ listen 8443;
+ # TODO: Maybe we can just use $hostname instead
+ server_name DOCKER_FLOW_SERVERNAME;
+
+ charset utf-8;
+
+ root /var/www/Web/;
+ index index.html index.php;
+
+ ssl on;
+
+ ssl_certificate /etc/ssl/certs/wehost.asia.crt;
+ ssl_certificate_key /etc/ssl/private/wehost.asia.key;
+
+
+ # Disable .htaccess and other hidden files
+ location ~ /\. {
+ access_log off;
+ log_not_found off;
+ deny all;
+ }
+
+ # No need to log access to robots and favicon
+ location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ~ "^/_Resources/Persistent/" {
+ access_log off;
+ try_files $uri @neos12AndBefore;
+ }
+
+ # Backward compatibility: these are rewrite rules needed for Neos 1.2 and before
+ location @neos12AndBefore {
+ rewrite "(.{40})/.+\.(.+)" /_Resources/Persistent/$1.$2 break;
+ rewrite "([a-z0-9]+/(.+/)?[a-f0-9]{40})/.+\.(.+)" /_Resources/Persistent/$1.$2 break;
+ }
+
+ # Block access to the main resources folder
+ location ~ "^/_Resources/" {
+ access_log off;
+ log_not_found off;
+ expires max;
+ break;
+ }
+
+ # Stop rewriting by existing files | is instead of -> location / { rewrite ".*" /index.php last; }
+ location / {
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ # Pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ location ~ \.php$ {
+ include /etc/nginx/fastcgi_params;
+ try_files $uri =404;
+ fastcgi_pass app:9000;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param FLOW_CONTEXT DOCKER_FLOW_CONTEXT;
+ fastcgi_param FLOW_REWRITEURLS 1;
+ fastcgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
+ fastcgi_param X-Forwarded-Port $proxy_port;
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_ADDR $server_addr;
+ 
fastcgi_param SERVER_NAME $http_host; + fastcgi_split_path_info ^(.+\.php)(.*)$; + fastcgi_read_timeout 300; + fastcgi_buffer_size 128k; + fastcgi_buffers 256 16k; + fastcgi_busy_buffers_size 256k; + fastcgi_temp_file_write_size 256k; + } +} + diff --git a/Configuration/certs/wehost.asia.crt b/Configuration/certs/wehost.asia.crt new file mode 100644 index 0000000..b7ffff8 --- /dev/null +++ b/Configuration/certs/wehost.asia.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgTCCAmmgAwIBAgIJAMQmdjXtlP1AMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV +BAYTAktIMREwDwYDVQQIDAhDYW1ib2RpYTERMA8GA1UEBwwIUGhvbVBlbmgxGDAW +BgNVBAsMD1dlYiBEZXZlbG9wbWVudDEWMBQGA1UEAwwNKi53ZWhvc3QuYXNpYTAe +Fw0xODAzMDcwNjM3MzBaFw0yODAzMDQwNjM3MzBaMGUxCzAJBgNVBAYTAktIMREw +DwYDVQQIDAhDYW1ib2RpYTERMA8GA1UEBwwIUGhvbVBlbmgxGDAWBgNVBAsMD1dl +YiBEZXZlbG9wbWVudDEWMBQGA1UEAwwNKi53ZWhvc3QuYXNpYTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAOfMBNxRuP6VwD57VnNXmYBssdGC1tufFJU4 +4vB4aOOgl5suG9wCRRBBwrJppDZKgTQkoX/U94aiuJKaNhW1awP2vpQXr7yVSky4 +RgPEdolccKsLer+kcPArmkqs9r6WEgSMVfskGSmVgbgMrCYBcRXc0vwisFSLZnoJ +wSI0bPJ0/P7P4LWOMWySmIUt++9F19JFwdJXEY/u2qRD/iNoOLwTBJ5UrWpEWAYI +9u9qFt9XB+g449HlmFznqXSB9J2NY7norA6aMny+MQV3tPJe7d37XieDoVKGzyhT +p3xgU8roeA38Zh3ceV+xdwihiZWvIxUbd/VU4paw5SDH8KqFZ18CAwEAAaM0MDIw +CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwGAYDVR0RBBEwD4INKi53ZWhvc3QuYXNp +YTANBgkqhkiG9w0BAQsFAAOCAQEACVS2JaLz2jfHfxMqbTg6Lf+uMkHSuD8vELnG +jhqOkk3d32UmMykHbFwE4L4z5qwGl0mt2tJMBuNV4pur/TWp7rkHYzU5WsDalFBh +avQ5BnN1UVlG6aC8nE/2iaxhF1Exg4n+iGPhE5qqxzFvGhNoDoRFrcKqC7UjjqgM +vZ9YAki24uERnQ2RlKkHC7yri5BGccDGbRqKb9pyNo8zp36BaAYCQu7ZJOBZraIL +D8zNyRuJ2Xnzex29UffbPl13oNzYnhPWhNcOQ/tEdD+K3Od9RpDrK3oS0Sv4jwLm +IMdSkN49cQmjQ/f0mkfyYxUHcU611tm4a6KiYKlY3RH1gqNG2Q== +-----END CERTIFICATE----- diff --git a/Configuration/certs/wehost.asia.key b/Configuration/certs/wehost.asia.key new file mode 100644 index 0000000..19d94bd --- /dev/null +++ b/Configuration/certs/wehost.asia.key 
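Review bot: `ssl on;` combined with a plain `listen 8443;` relies on a directive nginx deprecated in 1.15.0 and removed in 1.25.1, and the block sets no `ssl_protocols`, so the accepted TLS versions are whatever the web image's nginx build defaults to; replace those two lines with `listen 8443 ssl;` and add `ssl_protocols TLSv1.2 TLSv1.3;` below `ssl_certificate_key` (drop `TLSv1.3` if the build in the image predates support for it). The comment `# Pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000` contradicts the `fastcgi_pass app:9000;` that follows and should read `# Pass PHP scripts to the FastCGI server in the app container (app:9000)`. The new server block appears to repeat the existing port-80 block line for line (that block starts above the hunk), which doubles the surface to keep in sync; moving the shared location blocks into an `include`d snippet, or adding the `listen 8443 ssl;` and `ssl_*` lines to the existing server, would leave one copy of the rewrite and FastCGI rules.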
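Review bot: Configuration/certs/wehost.asia.key (the next hunk) is an unencrypted `BEGIN RSA PRIVATE KEY` block committed alongside Configuration/certs/wehost.asia.crt, so everyone with read access to the repository history holds the private key for every deployment that mounts it, and a key that has been committed should be treated as disclosed and rotated rather than merely deleted later. Keep only the certificate in the tree and have the key generated or injected at deploy time (an untracked path listed in `.gitignore`, or a Docker secret), with a short README in `Configuration/certs/` stating where the key is expected to come from. The certificate also looks self-signed with a `*.wehost.asia` subject (inferred from the file name and the decoded subject; confirm with `openssl x509 -noout -text -in Configuration/certs/wehost.asia.crt`), while the vhost's `server_name` is the `DOCKER_FLOW_SERVERNAME` placeholder, so clients will see a name mismatch unless that placeholder expands to a matching host.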
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA58wE3FG4/pXAPntWc1eZgGyx0YLW258UlTji8Hho46CXmy4b +3AJFEEHCsmmkNkqBNCShf9T3hqK4kpo2FbVrA/a+lBevvJVKTLhGA8R2iVxwqwt6 +v6Rw8CuaSqz2vpYSBIxV+yQZKZWBuAysJgFxFdzS/CKwVItmegnBIjRs8nT8/s/g +tY4xbJKYhS3770XX0kXB0lcRj+7apEP+I2g4vBMEnlStakRYBgj272oW31cH6Djj +0eWYXOepdIH0nY1jueisDpoyfL4xBXe08l7t3fteJ4OhUobPKFOnfGBTyuh4Dfxm +Hdx5X7F3CKGJla8jFRt39VTilrDlIMfwqoVnXwIDAQABAoIBACgzQ+yJ59GPWyX6 +8gVS/fY946D4VhcEwecXVJRr7ZT8tw5cssw3QI8POJsEo0wfI8VNTQ0EfGFHO0eB +ozukmQi49FhuuzWzlo0zsEDbA8vS0l93wDQYatXcWgf1c12eXUWYqRjDK/IAUdz/ +paN5wIkQIS9FPNuMyZsEshAik3qA5xce1TxVV3QFMPQKWlpQAv+gPvlPm/3qhsX2 +0W38zUspsesRIYag9LYUmN3P4OgusxaHL9Pre7SuLA+4ipnrW2Gq0nLuygDxgRvA +lAQzBgyFAgnsXyyUe7sJj/ABDKFQFo5eJ6ItaWShHvV3VHyfcMEKk4KaAhj/S99n +VCQm8wECgYEA9skxq0MZGchwSa4EFnlo5gPdI2HGVfM+FhjFiipxKjOeilsooq5j +QS6qzV54YGjMBUvizdNVadC+RB3jkhxqmD2yYsJtem8aE8ehelr7n2VqxrMTisdG +RPUF/ZQo+bHwNyjj5BKAqYD8FjT0aFhNlq7O9aXwWNbgIaGNHjX4Ox8CgYEA8HOP +EKmr6z1Stg9DKJwk/VisfZxWacXlgHfoapWtVOWLSriVwMXS3o4An83rqQmslhxa +RGmcCZsHo6PntqQjWeZK0zDZOflKg+tolzCRbb5dACrSiQfy6uGazn6mVSJeSX0R +KlTC1+MoE4N8nZ1U/pT7dSzOyY7F+lkX4EvZi8ECgYEAhssVygl4KFEGo/fcW7os +xZXOr4i0IDYf70nQe8r6zKYtLjzkURcXN38Z49p5vY8AANSWKP4JZSaTBfmdVy0W +O9lXGgJAceNFRxB+7qnLTiDC1YzyW5bElt2OTBck2l2Ka1Z2QxioFe1Rw39hD61L +k8YfXKUqRhv3h+cJgTrRPtkCgYAwrBOfmdjVC1q8w6YiiEjsh5CS9JyBWK+2K49+ +U8H8V2K0w1x84w5mQnRZ5ML5Op4W3LJg+se9IgaP11PGIr+NKRKoYVD3bUDqJzLK +t+gYQNpueDyZxGQlq3k8p2JgBU70rT5WRUYTkUXBfXIyLXDQ/7NO6r0JC7+Dh5lP +q8rjgQKBgEW67zADyZs+AKs5/wuxEqH6C+/ley1q7ZO8iABKUVA9EYXi1/mVw8Qy +0wQ5Mm74a9ENdER5drVAVMrz14htl1QYo8v3axjmpxlZ+/39BCJRVAZsnvOGVF5D +sbxStCaJVBncfR68Hm7I+4NXH+qR3LbEiXCgcQWCO35uMgKqRLDV +-----END RSA PRIVATE KEY----- diff --git a/docker-compose.yml b/docker-compose.yml index bcf50e5..27032d4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -49,6 +49,8 @@ web:
 - ./Configuration/Web/nginx.conf:/etc/nginx/nginx.conf:ro
 - ./Configuration/Web/nginx_vhost_merged.conf:/etc/nginx/conf.d/default.conf:ro
 - ./Configuration/Web/ip_address.txt:/ip_address.txt:rw
+ - ./Configuration/certs/wehost.asia.crt:/etc/ssl/certs/wehost.asia.crt:ro
+ - ./Configuration/certs/wehost.asia.key:/etc/ssl/private/wehost.asia.key:ro
 - ./Scripts/EntryPoint/web.sh:/entrypoint.sh:ro
 volumes_from:
 - data
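Review bot: The private key is bind-mounted straight from the repository checkout, so its permissions inside the container are whatever the host file carries; the `:ro` flag only prevents writes and does not limit who can read it. Check that the host file is mode `0600` (nginx reads the key as root at startup, so nothing else in the container needs it), or replace the bind mount with a Docker secret so the key never lives in the checkout. The hunk adds the two volume entries but shows no `ports` change for 8443; if the web service's ports mapping (outside this hunk) is not updated too, the TLS listener is reachable only from the compose network, which may be intended but is worth a comment next to the new mounts.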