Merge pull request #254 from Mailu/feature-traefik

Switch to traefik for proxying and querying letsencrypt
master
kaiyou 7 years ago committed by GitHub
commit 829e4a5e28

@ -40,18 +40,18 @@ PASSWORD_SCHEME=SHA512-CRYPT
# Optional features # Optional features
################################### ###################################
# Choose which frontend Web server to run if any (value: nginx, nginx-no-https, none) # Choose which frontend Web server to run if any (value: nginx, traefik, none)
FRONTEND=none FRONTEND=none
# Choose how secure connections will behave (value: letsencrypt, cert, notls)
TLS_FLAVOR=cert
# Choose which webmail to run if any (values: roundcube, rainloop, none) # Choose which webmail to run if any (values: roundcube, rainloop, none)
WEBMAIL=none WEBMAIL=none
# Expose the admin interface in publicly (values: yes, no) # Expose the admin interface in publicly (values: yes, no)
EXPOSE_ADMIN=no EXPOSE_ADMIN=no
# Use Letsencrypt to generate a TLS certificate (uncomment to enable)
# ENABLE_CERTBOT=True
# Dav server implementation (value: radicale, none) # Dav server implementation (value: radicale, none)
WEBDAV=none WEBDAV=none

@ -4,7 +4,7 @@ RUN mkdir -p /app
WORKDIR /app WORKDIR /app
COPY requirements-prod.txt requirements.txt COPY requirements-prod.txt requirements.txt
RUN apk --update add --virtual build-dep openssl-dev libffi-dev python-dev build-base \ RUN apk --update add --virtual build-dep openssl-dev libffi-dev python-dev build-base openssl \
&& pip install -r requirements.txt \ && pip install -r requirements.txt \
&& apk del build-dep && apk del build-dep

@ -31,7 +31,8 @@ default_config = {
'DMARC_RUF': None, 'DMARC_RUF': None,
'BABEL_DEFAULT_LOCALE': 'en', 'BABEL_DEFAULT_LOCALE': 'en',
'BABEL_DEFAULT_TIMEZONE': 'UTC', 'BABEL_DEFAULT_TIMEZONE': 'UTC',
'ENABLE_CERTBOT': False, 'FRONTEND': 'none',
'TLS_FLAVOR': 'cert',
'CERTS_PATH': '/certs', 'CERTS_PATH': '/certs',
'PASSWORD_SCHEME': 'SHA512-CRYPT' 'PASSWORD_SCHEME': 'SHA512-CRYPT'
} }
@ -59,20 +60,17 @@ manager.add_command('db', flask_migrate.MigrateCommand)
# Task scheduling # Task scheduling
if not app.debug or os.environ.get('WERKZEUG_RUN_MAIN') == 'true': if not app.debug or os.environ.get('WERKZEUG_RUN_MAIN') == 'true':
scheduler.start() scheduler.start()
from mailu import tlstasks
# Babel configuration # Babel configuration
@babel.localeselector @babel.localeselector
def get_locale(): def get_locale():
return flask.request.accept_languages.best_match(translations) return flask.request.accept_languages.best_match(translations)
# Certbot configuration
if app.config['ENABLE_CERTBOT']:
from mailu import certbot
# Finally setup the blueprint and redirect / # Finally setup the blueprint and redirect /
from mailu import admin from mailu import admin
app.register_blueprint(admin.app, url_prefix='/admin') app.register_blueprint(admin.app, url_prefix='/admin')
@app.route("/") @app.route("/")
def index(): def index():
return flask.redirect(flask.url_for("admin.index")) return flask.redirect("/webmail/")

@ -1,71 +0,0 @@
from mailu import app, scheduler, dockercli
import subprocess
import os
def certbot_command(subcommand, *args):
""" Run a certbot command while specifying the standard parameters.
"""
command = [
"certbot", subcommand,
"-n",
"--work-dir", "/tmp",
"--logs-dir", "/tmp",
"--config-dir", app.config["CERTS_PATH"],
*args
]
result = subprocess.run(command, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
return result
def certbot_install(domain):
""" Install certificates for the given domain. Return True if a reload
is required.
"""
must_reload = False
path = app.config["CERTS_PATH"]
cert = os.path.join(path, "cert.pem")
key = os.path.join(path, "key.pem")
live_cert = os.path.join("live", domain, "fullchain.pem")
live_key = os.path.join("live", domain, "privkey.pem")
if not os.path.islink(cert) or os.readlink(cert) != live_cert:
must_reload = True
if os.path.exists(cert):
os.unlink(cert)
os.symlink(live_cert, cert)
if not os.path.islink(key) or os.readlink(key) != live_key:
must_reload = True
if os.path.exists(key):
os.unlink(key)
os.symlink(live_key, key)
return must_reload
@scheduler.scheduled_job('date')
@scheduler.scheduled_job('cron', day='*/4', hour=0, minute=0)
def generate_cert():
print("Generating TLS certificates using Certbot")
hostname = app.config["HOSTNAME"]
email = "{}@{}".format(app.config["POSTMASTER"], app.config["DOMAIN"])
result = certbot_command(
"certonly",
"--standalone",
"--agree-tos",
"--preferred-challenges", "http",
"--email", email,
"-d", hostname,
# The port is hardcoded in the nginx image as well, we should find
# a more suitable way to go but this will do until we have a proper
# daemon handling certbot stuff
"--http-01-port", "8081"
)
if result.returncode:
print("Error while generating certificates:\n{}".format(
result.stdout.decode("utf8") + result.stderr.decode("utf8")))
else:
print("Successfully generated or renewed TLS certificates")
if certbot_install(hostname):
print("Reloading TLS-dependant services")
dockercli.reload("http", "smtp", "imap")

@ -0,0 +1,68 @@
from mailu import app, scheduler, dockercli
import urllib3
import json
import os
import base64
import subprocess
def install_certs(domain):
""" Extract certificates from the given domain and install them
to the certificate path.
"""
path = app.config["CERTS_PATH"]
acme_path = os.path.join(path, "acme.json")
key_path = os.path.join(path, "key.pem")
cert_path = os.path.join(path, "cert.pem")
if not os.path.exists(acme_path):
print("Could not find traefik acme configuration")
return
with open(acme_path, "r") as handler:
data = json.loads(handler.read())
for item in data["DomainsCertificate"]["Certs"]:
if domain == item["Domains"]["Main"]:
cert = base64.b64decode(item["Certificate"]["Certificate"])
key = base64.b64decode(item["Certificate"]["PrivateKey"])
break
else:
print("Could not find the proper certificate from traefik")
return
if os.path.exists(cert_path):
with open(cert_path, "rb") as handler:
if handler.read() == cert:
return
print("Installing the new certificate from traefik")
with open(cert_path, "wb") as handler:
handler.write(cert)
with open(key_path, "wb") as handler:
handler.write(key)
def restart_services():
print("Reloading services using TLS")
dockercli.reload("http", "smtp", "imap")
@scheduler.scheduled_job('date')
def create_dhparam():
path = app.config["CERTS_PATH"]
dhparam_path = os.path.join(path, "dhparam.pem")
if not os.path.exists(dhparam_path):
print("Creating DH params")
subprocess.call(["openssl", "dhparam", "-out", dhparam_path, "2048"])
restart_services()
@scheduler.scheduled_job('date')
@scheduler.scheduled_job('cron', day='*/4', hour=0, minute=0)
def refresh_certs():
if not app.config["TLS_FLAVOR"] == "letsencrypt":
return
if not app.config["FRONTEND"] == "traefik":
print("Letsencrypt certificates are compatible with traefik only")
return
print("Requesting traefik to make sure the certificate is fresh")
hostname = app.config["HOSTNAME"]
urllib3.PoolManager().request("GET", "https://{}".format(hostname))
install_certs(hostname)

@ -12,6 +12,7 @@ services:
- "$BIND_ADDRESS:443:443" - "$BIND_ADDRESS:443:443"
volumes: volumes:
- "$ROOT/certs:/certs" - "$ROOT/certs:/certs"
- /var/run/docker.sock:/docker.sock:ro
redis: redis:
image: redis:latest image: redis:latest
@ -87,6 +88,12 @@ services:
admin: admin:
# build: admin # build: admin
image: mailu/admin:$VERSION image: mailu/admin:$VERSION
labels:
- traefik.enable=true
- traefik.admin.frontend.rule=Host:$HOSTNAME;PathPrefix:/admin/
- traefik.admin.port=80
- traefik.home.frontend.rule=Host:$HOSTNAME;Path:/
- traefik.home.port=80
restart: always restart: always
env_file: .env env_file: .env
ports: ports:
@ -100,6 +107,10 @@ services:
webmail: webmail:
# build: "$WEBMAIL" # build: "$WEBMAIL"
image: "mailu/$WEBMAIL:$VERSION" image: "mailu/$WEBMAIL:$VERSION"
labels:
- traefik.enable=true
- traefik.frontend.rule=Host:$HOSTNAME;PathPrefix:/webmail/
- traefik.port=80
restart: always restart: always
env_file: .env env_file: .env
volumes: volumes:

@ -58,12 +58,15 @@ namespace inbox {
ssl = yes ssl = yes
ssl_cert = </certs/cert.pem ssl_cert = </certs/cert.pem
ssl_key = </certs/key.pem ssl_key = </certs/key.pem
# This will be enabled once 2.3 is released
# ssl_dh = </certs/dhparam.pem
# In the meanwhile:
ssl_dh_parameters_length = 2048
# TLS hardening is based on the following documentation: # TLS hardening is based on the following documentation:
# https://bettercrypto.org/static/applied-crypto-hardening.pdf # https://bettercrypto.org/static/applied-crypto-hardening.pdf
ssl_protocols=!SSLv3 !SSLv2 ssl_protocols=!SSLv3 !SSLv2
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
ssl_prefer_server_ciphers = yes ssl_prefer_server_ciphers = yes
ssl_dh_parameters_length = 2048
ssl_options = no_compression ssl_options = no_compression
############### ###############

@ -45,6 +45,7 @@ tls_preempt_cipherlist = yes
smtpd_tls_security_level = may smtpd_tls_security_level = may
smtpd_tls_cert_file=/certs/cert.pem smtpd_tls_cert_file=/certs/cert.pem
smtpd_tls_key_file=/certs/key.pem smtpd_tls_key_file=/certs/key.pem
smtpd_tls_dh1024_param_file=/certs/dhparam.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# Server-side TLS is hardened, it should be up to the client to update his or # Server-side TLS is hardened, it should be up to the client to update his or

@ -0,0 +1,8 @@
FROM traefik:alpine
RUN apk add --no-cache bash
COPY conf /conf
COPY start.sh /start.sh
CMD /start.sh

@ -0,0 +1,31 @@
defaultEntryPoints = ["http", "https"]
logLevel = "ERROR"
accessLogsFile = "/dev/stdout"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
MinVersion = "VersionTLS11"
CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
[[entryPoints.https.tls.certificates]]
CertFile = "/certs/cert.pem"
KeyFile = "/certs/key.pem"
[docker]
endpoint = "unix:///docker.sock"
domain = "{{ DOMAIN }}"
watch = true
exposedbydefault = false
[acme]
email = "{{ POSTMASTER }}@{{ DOMAIN }}"
storageFile = "/certs/acme.json"
onDemand = true
entryPoint = "https"

@ -0,0 +1,28 @@
defaultEntryPoints = ["http", "https"]
logLevel = "ERROR"
accessLogsFile = "/dev/stdout"
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
MinVersion = "VersionTLS11"
CipherSuites = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
[docker]
endpoint = "unix:///docker.sock"
domain = "{{ DOMAIN }}"
watch = true
exposedbydefault = false
[acme]
email = "{{ POSTMASTER }}@{{ DOMAIN }}"
storageFile = "/certs/acme.json"
onDemand = true
entryPoint = "https"

@ -0,0 +1,14 @@
defaultEntryPoints = ["http"]
logLevel = "ERROR"
accessLogsFile = "/dev/stdout"
[entryPoints]
[entryPoints.http]
address = ":80"
[docker]
endpoint = "unix:///docker.sock"
domain = "{{ DOMAIN }}"
watch = true
exposedbydefault = false

@ -0,0 +1,12 @@
#!/bin/bash
# Substitute configuration
for VARIABLE in `env | cut -f1 -d=`; do
sed -i "s={{ $VARIABLE }}=${!VARIABLE}=g" /conf/*.toml
done
# Select the proper configuration
cp /conf/$TLS_FLAVOR.toml /conf/traefik.toml
exec traefik -c /conf/traefik.toml
Loading…
Cancel
Save