From d13deb84099902ac3fd7592e7527ac8fc1f3cb0b Mon Sep 17 00:00:00 2001
From: Andrew Johnson
Date: Thu, 3 Oct 2019 21:55:13 +0200
Subject: [PATCH] Remove SSL support

---
 .env.dist | 4 ----
 Dockerfile | 2 --
 README.md | 25 -------------------------
 README.md.j2 | 22 ----------------------
 conf/nginx/nginx.conf.j2 | 18 +----------------
 docker-compose.yml | 6 ------
 6 files changed, 1 insertion(+), 76 deletions(-)

diff --git a/.env.dist b/.env.dist
index d98eac6..c8d8c87 100644
--- a/.env.dist
+++ b/.env.dist
@@ -10,10 +10,6 @@ TAIGA_SCHEME=http
 TAIGA_SECRET_KEY=PLEASE-CHANGE-ME
 TAIGA_DEFAULT_LOCALE=en
 
-# Taiga container has it's own SSL
-#TAIGA_ENABLE_SSL=true
-#TAIGA_REDIRECT_TO_SSL=true
-
 # Database settings
 # To use an external database, simply update these and remove the postgres
 # service from this docker-compose.yml file
diff --git a/Dockerfile b/Dockerfile
index 5d20983..f21ae7a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,8 +52,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
 TAIGA_REDIRECT_TO_SSL=false \
 # Hostname of your instance (domain ex. riotkit.org or subdomain - board.riotkit.org)
 TAIGA_HOSTNAME=localhost \
- # Enable SSL
- TAIGA_ENABLE_SSL=false \
 # Set to `true` to enable the LDAP authentication.
 TAIGA_LDAP=false \
 # The LDAP server URL.
diff --git a/README.md b/README.md
index c927870..5fe2ae0 100644
--- a/README.md
+++ b/README.md
@@ -69,28 +69,6 @@ make start
 # tadam...
 ```
 
-#### Configuring SSL directly in Taiga
-
-There are two ways of configuring SSL, the suggested way is that you set
-up a webserver and configure SSL there - you can use Letsencrypt or
-other certificate.
-
-Second way is to set up SSL directly in the Taiga container, we will
-focus on this.
-
-You need to add your certificates to the container into
-`/etc/nginx/ssl/ssl.crt` and `/etc/nginx/ssl/ssl.key` by building a
-docker image, using a volume mount or at least `docker cp`.
-
-Then make sure to configure environment variables on Taiga container:
-
-```bash
-TAIGA_SCHEME=https
-TAIGA_REDIRECT_TO_SSL=true
-TAIGA_HOSTNAME=example.riotkit.org
-TAIGA_ENABLE_SSL=true
-```
-
 #### Configuring LDAP
 
 LDAP support can optionally be enabled by setting the `TAIGA_LDAP` environment variable to `true`. See the Dockerfile for a list of the environment variables used for configuring LDAP and their descriptions.
@@ -169,9 +147,6 @@ List of all environment variables that could be used.
 # Hostname of your instance (domain ex. riotkit.org or subdomain - board.riotkit.org)
 - TAIGA_HOSTNAME # (default: localhost)
 
-# Enable SSL
-- TAIGA_ENABLE_SSL # (default: false)
-
 # Set to `true` to enable the LDAP authentication.
 - TAIGA_LDAP # (default: false)
 
diff --git a/README.md.j2 b/README.md.j2
index d5cc185..144b0e8 100644
--- a/README.md.j2
+++ b/README.md.j2
@@ -69,28 +69,6 @@ make start
 # tadam...
 ```
 
-#### Configuring SSL directly in Taiga
-
-There are two ways of configuring SSL, the suggested way is that you set
-up a webserver and configure SSL there - you can use Letsencrypt or
-other certificate.
-
-Second way is to set up SSL directly in the Taiga container, we will
-focus on this.
-
-You need to add your certificates to the container into
-`/etc/nginx/ssl/ssl.crt` and `/etc/nginx/ssl/ssl.key` by building a
-docker image, using a volume mount or at least `docker cp`.
-
-Then make sure to configure environment variables on Taiga container:
-
-```bash
-TAIGA_SCHEME=https
-TAIGA_REDIRECT_TO_SSL=true
-TAIGA_HOSTNAME=example.riotkit.org
-TAIGA_ENABLE_SSL=true
-```
-
 #### Configuring LDAP
 
 LDAP support can optionally be enabled by setting the `TAIGA_LDAP` environment variable to `true`. See the Dockerfile for a list of the environment variables used for configuring LDAP and their descriptions.
diff --git a/conf/nginx/nginx.conf.j2 b/conf/nginx/nginx.conf.j2
index efb370a..b1379d5 100644
--- a/conf/nginx/nginx.conf.j2
+++ b/conf/nginx/nginx.conf.j2
@@ -31,7 +31,7 @@ http {
 {% endif %}
 
 server {
- listen {% if TAIGA_ENABLE_SSL.lower() == 'true' %}443 ssl{% else %}80{% endif %} default_server;
+ listen 80 default_server;
 server_name _;
 
 large_client_header_buffers 4 32k;
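Review bot: With the `listen` line now fixed to plain port 80, nothing in nginx.conf.j2 records that TLS is expected to be terminated by a reverse proxy in front of the container, and the README paragraph that said so is deleted in this same commit. A comment above the new line, e.g. `# Plain HTTP only: terminate TLS at a reverse proxy in front of this container and forward the proxied scheme so Taiga builds https URLs`, would keep that deployment requirement visible; whether the proxy headers are already forwarded elsewhere in this file is outside the hunk, so confirm. The `TAIGA_REDIRECT_TO_SSL=false` default still visible in the Dockerfile context and `TAIGA_SCHEME=http` in .env.dist now describe a mode the container itself can no longer enforce, so a one-line note there (or retiring the variable) would avoid implying otherwise. The enclosing `server` block continues outside the hunk.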
@@ -94,21 +94,5 @@ http {
 proxy_read_timeout 7d;
 }
 {% endif %}
-
- {% if TAIGA_ENABLE_SSL.lower() == 'true' %}
- add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
- add_header Public-Key-Pins 'pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains';
-
- ssl on;
- ssl_certificate /etc/nginx/ssl/ssl.crt;
- ssl_certificate_key /etc/nginx/ssl/ssl.key;
- ssl_session_timeout 5m;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers on;
- ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
- ssl_session_cache shared:SSL:10m;
- ssl_stapling on;
- ssl_stapling_verify on;
- {% endif %}
 }
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index df582b9..7da95b5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,17 +9,11 @@ services:
 image: quay.io/riotkit/taiga:${VERSION}
 ports:
 - 80:80
- # SSL support
- # - 443:443
 depends_on:
 - postgres
 volumes:
 # all data placed in volumes are kept between container updates/deletion/recreation
 - media:/usr/src/taiga-back/media
-
- # SSL support inside of the taiga container
- # - ./ssl.crt:/etc/nginx/ssl/ssl.crt:ro
- # - ./ssl.key:/etc/nginx/ssl/ssl.key:ro
 env_file:
 - .env