Commit d533031b authored by Spencer Sutton's avatar Spencer Sutton Committed by Rucha Deshpande
Browse files

SSL AWS

commit 85825f27 
Author: Sutton <suttonsp@147dda3a90de.ant.amazon.com> 
Date: Fri Jan 29 2021 16:41:21 GMT-0600 (Central Standard Time) 

    Adding ssl env var


commit b3a46018 
Author: Sutton <suttonsp@147dda3a90de.ant.amazon.com> 
Date: Fri Jan 29 2021 16:34:54 GMT-0600 (Central Standard Time) 

    Enable SSL
parent 3dd79fe6
./ssl.sh;
node ./dist/cloud/providers/aws/server/server-start.js
...@@ -22,6 +22,8 @@ ARG docker_builder_image ...@@ -22,6 +22,8 @@ ARG docker_builder_image
# build the service (require builder image) # build the service (require builder image)
FROM ${docker_builder_image} as runtime-builder FROM ${docker_builder_image} as runtime-builder
RUN apt-get install -yqq --no-install-recommends openssl
ADD ./ /service ADD ./ /service
WORKDIR /service WORKDIR /service
RUN npm run clean && rm -rf node_modules && rm -rf artifact && mkdir artifact RUN npm run clean && rm -rf node_modules && rm -rf artifact && mkdir artifact
...@@ -32,7 +34,16 @@ RUN cp -r package.json npm-shrinkwrap.json dist artifact ...@@ -32,7 +34,16 @@ RUN cp -r package.json npm-shrinkwrap.json dist artifact
# Create the runtime image (require base image) # Create the runtime image (require base image)
FROM node:${docker_node_image_version} as release FROM node:${docker_node_image_version} as release
#Default to using self signed generated TLS cert
ENV USE_SELF_SIGNED_SSL_CERT true
ENV SSL_CERT_PATH "/src/cloud/providers/aws/certs/cert.crt"
ENV SSL_KEY_PATH "/src/cloud/providers/aws/certs/cert.key"
ENV SSL_ENABLED "true"
COPY --from=runtime-builder /service/artifact /seistore-service COPY --from=runtime-builder /service/artifact /seistore-service
WORKDIR /seistore-service WORKDIR /seistore-service
COPY src/cloud/providers/aws/build-aws/ssl.sh /seistore-service/ssl.sh
COPY src/cloud/providers/aws/build-aws/entrypoint.sh /seistore-service/entrypoint.sh
RUN npm install --production RUN npm install --production
ENTRYPOINT ["node", "./dist/server/server-start.js"] EXPOSE 5000
\ No newline at end of file ENTRYPOINT ["/bin/sh", "-c", "/seistore-service/entrypoint.sh"]
\ No newline at end of file
#!/usr/bin/env bash
#Future: Support for using Amazon Cert Manager
# if [ "$1" == "webserver" ] && [ -n $ACM_CERTIFICATE_ARN ];
# then
# if [ -z $SSL_CERT_PATH ] || [ -z $SSL_KEY_PATH ];
# then
# echo "SSL_CERT_PATH and SSL_KEY_PATH must be set as environment variables when using ACM_CERTIFICATE_ARN"
# exit 1
# fi
# aws acm export-certificate --certificate-arn $ACM_CERTIFICATE_ARN --passphrase $(echo -n 'aws123' | openssl base64 -e) | jq -r '"\(.PrivateKey)"' > ${SSL_KEY_PATH}.enc
# openssl rsa -in ${SSL_KEY_PATH}.enc -out $SSL_KEY_PATH -passin pass:aws123
# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.CertificateChain)"' > $SSL_CERT_PATH
# aws acm get-certificate --certificate-arn $ACM_CERTIFICATE_ARN | jq -r '"\(.Certificate)"' >> $SSL_CERT_PATH
# fi
if [ -n $USE_SELF_SIGNED_SSL_CERT ];
then
if [ -z $SSL_CERT_PATH ] || [ -z $SSL_KEY_PATH ];
then
echo "SSL_CERT_PATH and SSL_KEY_PATH must be set as environment variables when using USE_SELF_SIGNED_SSL_CERT"
exit 1
fi
mkdir -p $(dirname "$SSL_CERT_PATH")
mkdir -p $(dirname "$SSL_KEY_PATH")
hostname="localhost"
subject="/CN=${hostname}"
#new versions of openssl support this:
# openssl req \
# -newkey rsa:2048 -nodes -keyout ${SSL_KEY_PATH} \
# -new -x509 -sha256 -days 365 -out ${SSL_CERT_PATH} \
# -subj "${subject}" \
# -addext "subjectAltName = DNS:${hostname}" \
# -addext "extendedKeyUsage = serverAuth"
#old version of openssl use this:
confdir=$(openssl version -d | awk -F'"' '{print $2}')
openssl req \
-newkey rsa:2048 -nodes -keyout ${SSL_KEY_PATH} \
-new -x509 -sha256 -days 365 -out ${SSL_CERT_PATH} \
-subj "${subject}" \
-extensions SAN -reqexts SAN \
-config <(cat ${confdir}/openssl.cnf;printf "[SAN]\nsubjectAltName=DNS:${hostname}\nextendedKeyUsage=serverAuth")
fi
// ============================================================================
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
export { Server } from './server';
// ============================================================================
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
import { Config, TraceFactory, ConfigFactory } from '../../..';
import { Locker } from '../../../../services/dataset/locker';
import { Feature, FeatureFlags } from '../../../../shared';
async function ServerStart() {
try {
// tslint:disable-next-line
console.log('- Initializing cloud provider');
Config.setCloudProvider(process.env.CLOUDPROVIDER);
// tslint:disable-next-line
console.log('- Initializing ' + Config.CLOUDPROVIDER + ' configurations')
await ConfigFactory.build(Config.CLOUDPROVIDER).init();
// tslint:disable-next-line
console.log('- Initializing redis cache')
await Locker.init();
if(FeatureFlags.isEnabled(Feature.TRACE)) {
// tslint:disable-next-line
console.log('- Initializing cloud tracer')
TraceFactory.build(Config.CLOUDPROVIDER).start();
}
new (await import('./server')).Server().start();
} catch (error) {
// tslint:disable-next-line
console.log(error);
process.exit(1);
}
}
ServerStart();
// ============================================================================
// Copyright 2017-2019, Schlumberger
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
import bodyparser from 'body-parser';
import cors from 'cors';
import express from 'express';
import jwtProxy, { JwtProxyOptions } from 'jwtproxy';
import { Config, LoggerFactory } from '../../..';
import { ServiceRouter } from '../../../../services';
import { Feature, FeatureFlags, TraceLog } from '../../../../shared';
import fs from 'fs';
import https from 'https';
// -------------------------------------------------------------------
// Seismic Store Service
// -------------------------------------------------------------------
export class Server {
private app: express.Express;
private port: number;
private httpServer: import('http').Server;
private httpsServer: import('https').Server;
private corsOptions = {
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS',
preflightContinue: false,
optionsSuccessStatus: 204,
credentials: true,
maxAge: 3600,
exposedHeaders: [
'Origin',
'Content-Type',
'X-Requested-With',
'Authorization',
'Accept',
'Referer',
'X-Requested-With',
'Access-Control-Allow-Origin',
'x-traffic-manager'
],
allowedHeaders: [
'Origin',
'Content-Type',
'X-Requested-With',
'Authorization',
'Accept',
'Referer',
'X-Requested-With',
'Access-Control-Allow-Origin',
'x-traffic-manager'
]
}
constructor() {
this.app = express();
this.app.use(bodyparser.urlencoded({ extended: false }));
this.app.use(bodyparser.json());
this.app.disable('x-powered-by');
this.app.use(cors(this.corsOptions));
this.app.options('*', cors());
this.app.use((req: express.Request, res: express.Response, next: express.NextFunction) => {
// create and start a new trace object
res.locals.trace = new TraceLog(req.method + ':' + req.url);
// not required anymore - to verify
if (req.get('slb-on-behalf-of') !== undefined) {
req.headers.authorization = req.get('slb-on-behalf-of');
}
// init the metrics logger
if(FeatureFlags.isEnabled(Feature.LOGGING)) {
LoggerFactory.build(Config.CLOUDPROVIDER).metric('Request Size',
req.headers['content-length'] ? +req.headers['content-length'] : 0)
}
// forward the caller appkey if exist
// if exists ensure it does not collide the google-esp api-key (required for backward compatibility)
req[Config.DE_FORWARD_APPKEY] =
req.headers['appkey'] !== req.headers['x-api-key'] ? req.headers['appkey'] : undefined
next();
});
const jwtValidateOptions: JwtProxyOptions = {
disable: !Config.JWT_ENABLE_FEATURE,
excluded: Config.JWT_EXCLUDE_PATHS ? Config.JWT_EXCLUDE_PATHS.split(';') : [],
jwksUrl:Config.JWKS_URL,
algorithms: ['RS256'],
audience: Config.JWT_AUDIENCE
}
// adding middleware to intercept and valiate jwt
this.app.use(jwtProxy(jwtValidateOptions));
this.app.use(ServiceRouter);
}
public async start(port = Config.SERVICE_PORT) {
this.port = port;
// The timeout of the backend service should be greater than the timeout of the load balancer. This will
// prevent premature connection closures from the service
// Additionally, the headerstimeout needs to be greater than keepalivetimeout
// https://github.com/nodejs/node/issues/27363
// SSL
const privateKey = fs.readFileSync(process.env.SSL_KEY_PATH, 'utf8');
const certificate = fs.readFileSync(process.env.SSL_CERT_PATH, 'utf8');
const credentials = {key: privateKey, cert: certificate};
if (process.env.SSL_ENABLED === "true"){
this.httpsServer = https.createServer(credentials, this.app).listen(this.port, () => {
// tslint:disable-next-line
console.log(`- Server is listening on port ${this.port}...`);
});
this.httpsServer.keepAliveTimeout = 65 * 1000;
this.httpsServer.headersTimeout = 66 * 1000;
} else {
this.httpServer = this.app.listen(this.port, () => {
// tslint:disable-next-line
console.log(`- Server is listening on port ${this.port}...`);
});
this.httpServer.keepAliveTimeout = 65 * 1000;
this.httpServer.headersTimeout = 66 * 1000;
}
}
public stop() {
if (this.httpServer) {
this.httpServer.close();
}
if (this.httpsServer) {
this.httpsServer.close();
}
}
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment