Merge pull request #17 from riotkit-org/remove-ssl-support

Remove SSL support
riotkit-org · Oct 7, 2019 · 6494608 · 6494608
2 parents 6fc4cd5 + d13deb8
commit 6494608
Show file tree

Hide file tree

Showing 6 changed files with 1 addition and 76 deletions.
diff --git a/.env.dist b/.env.dist
@@ -10,10 +10,6 @@ TAIGA_SCHEME=http
 TAIGA_SECRET_KEY=PLEASE-CHANGE-ME
 TAIGA_DEFAULT_LOCALE=en
 
-# Taiga container has it's own SSL
-#TAIGA_ENABLE_SSL=true
-#TAIGA_REDIRECT_TO_SSL=true
-
 # Database settings
 # To use an external database, simply update these and remove the postgres
 # service from this docker-compose.yml file

diff --git a/Dockerfile b/Dockerfile
@@ -52,8 +52,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
     TAIGA_REDIRECT_TO_SSL=false \
     # Hostname of your instance (domain ex. riotkit.org or subdomain - board.riotkit.org)
     TAIGA_HOSTNAME=localhost \
-    # Enable SSL
-    TAIGA_ENABLE_SSL=false \
     # Set to `true` to enable the LDAP authentication.
     TAIGA_LDAP=false \
     # The LDAP server URL.

diff --git a/README.md b/README.md
@@ -69,28 +69,6 @@ make start
 # tadam...
 ```
 
-#### Configuring SSL directly in Taiga
-
-There are two ways of configuring SSL, the suggested way is that you set
-up a webserver and configure SSL there - you can use Letsencrypt or
-other certificate.
-
-Second way is to set up SSL directly in the Taiga container, we will
-focus on this.
-
-You need to add your certificates to the container into
-`/etc/nginx/ssl/ssl.crt` and `/etc/nginx/ssl/ssl.key` by building a
-docker image, using a volume mount or at least `docker cp`.
-
-Then make sure to configure environment variables on Taiga container:
-
-```bash
-TAIGA_SCHEME=https
-TAIGA_REDIRECT_TO_SSL=true
-TAIGA_HOSTNAME=example.riotkit.org
-TAIGA_ENABLE_SSL=true
-```
-
 #### Configuring LDAP
 
 LDAP support can optionally be enabled by setting the `TAIGA_LDAP` environment variable to `true`. See the Dockerfile for a list of the environment variables used for configuring LDAP and their descriptions.
@@ -169,9 +147,6 @@ List of all environment variables that could be used.
 # Hostname of your instance (domain ex. riotkit.org or subdomain - board.riotkit.org)
 - TAIGA_HOSTNAME # (default: localhost)
 
-# Enable SSL
-- TAIGA_ENABLE_SSL # (default: false)
-
 # Set to `true` to enable the LDAP authentication.
 - TAIGA_LDAP # (default: false)
 

diff --git a/README.md.j2 b/README.md.j2
@@ -69,28 +69,6 @@ make start
 # tadam...
 ```
 
-#### Configuring SSL directly in Taiga
-
-There are two ways of configuring SSL, the suggested way is that you set
-up a webserver and configure SSL there - you can use Letsencrypt or
-other certificate.
-
-Second way is to set up SSL directly in the Taiga container, we will
-focus on this.
-
-You need to add your certificates to the container into
-`/etc/nginx/ssl/ssl.crt` and `/etc/nginx/ssl/ssl.key` by building a
-docker image, using a volume mount or at least `docker cp`.
-
-Then make sure to configure environment variables on Taiga container:
-
-```bash
-TAIGA_SCHEME=https
-TAIGA_REDIRECT_TO_SSL=true
-TAIGA_HOSTNAME=example.riotkit.org
-TAIGA_ENABLE_SSL=true
-```
-
 #### Configuring LDAP
 
 LDAP support can optionally be enabled by setting the `TAIGA_LDAP` environment variable to `true`. See the Dockerfile for a list of the environment variables used for configuring LDAP and their descriptions.

diff --git a/conf/nginx/nginx.conf.j2 b/conf/nginx/nginx.conf.j2
@@ -31,7 +31,7 @@ http {
     {% endif %}
 
     server {
-        listen {% if TAIGA_ENABLE_SSL.lower() == 'true' %}443 ssl{% else %}80{% endif %} default_server;
+        listen 80 default_server;
         server_name _;
 
         large_client_header_buffers 4 32k;
@@ -94,21 +94,5 @@ http {
             proxy_read_timeout 7d;
         }
         {% endif %}
-
-        {% if TAIGA_ENABLE_SSL.lower() == 'true' %}
-        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
-        add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains';
-
-        ssl on;
-        ssl_certificate /etc/nginx/ssl/ssl.crt;
-        ssl_certificate_key /etc/nginx/ssl/ssl.key;
-        ssl_session_timeout 5m;
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_prefer_server_ciphers on;
-        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-        ssl_session_cache shared:SSL:10m;
-        ssl_stapling on;
-        ssl_stapling_verify on;
-        {% endif %}
     }
 }
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,17 +9,11 @@ services:
         image: quay.io/riotkit/taiga:${VERSION}
         ports:
             - 80:80
-            # SSL support
-            # - 443:443
         depends_on:
             - postgres
         volumes:
             # all data placed in volumes are kept between container updates/deletion/recreation
             - media:/usr/src/taiga-back/media
-
-            # SSL support inside of the taiga container
-            # - ./ssl.crt:/etc/nginx/ssl/ssl.crt:ro
-            # - ./ssl.key:/etc/nginx/ssl/ssl.key:ro
         env_file:
             - .env