Add custom SSL helpers

docker-compose.yml

@@ -195,6 +195,21 @@ services:
       - /etc/letsencrypt/:/etc/letsencrypt/
     networks:
       - net
+  sublime_nginx_custom_ssl:
+    image: sublime_nginx_custom_ssl:latest
+    restart: unless-stopped
+    profiles:
+      - nginx-custom-ssl
+    ports:
+      - "443:443"
+    depends_on:
+      - sublime_mantis
+      - sublime_dashboard
+    container_name: sublime_nginx_custom_ssl
+    volumes:
+      - /etc/nginx-custom-ssl/:/etc/nginx-custom-ssl/
+    networks:
+      - net
 
 networks:
   net:

nginx-custom-ssl/Dockerfile

@@ -0,0 +1,10 @@
+FROM nginx:1.23.3
+
+COPY conf/nginx.conf /etc/nginx/nginx.conf
+COPY conf/ssl-params.conf /etc/nginx/ssl-params.conf
+
+COPY certs/nginx.crt /etc/ssl/certs/nginx.crt
+COPY certs/nginx.key /etc/ssl/private/nginx.key
+COPY certs/dhparam.pem /etc/ssl/certs/dhparam.pem
+
+CMD nginx -g "daemon off;"

nginx-custom-ssl/README.md

@@ -0,0 +1,13 @@
+# nginx-custom-ssl
+
+SSL support with custom cert.
+
+To enable SSL with your custom certificate, follow the steps below:
+
+1. Copy your certificate and key to certs/nginx.crt and certs/nginx.key
+2. Copy your dhparam file to certs/dhparam.pem
+3. Edit conf/nginx.conf to update `__server_names__` to your domain or IP address
+4. Perform any other configuration edits that you might need
+5. Run `docker build -t sublime_nginx_custom_ssl .`
+6. Run `cd ..` (back to sublime-platform directory)
+7. Run `docker compose --profile nginx-custom-ssl up`

nginx-custom-ssl/conf/nginx.conf

@@ -0,0 +1,56 @@
+events {
+	worker_connections 1024;
+}
+
+http {
+	# language server websockets
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		'' close;
+	}
+
+	server {
+		listen 80 default_server;
+		listen [::]:80 default_server;
+		server_name __server_names__;
+		return 302 https://$server_name$request_uri;
+	}
+
+	server {
+		listen 443 ssl http2 default_server;
+	        listen [::]:443 ssl http2 default_server;
+
+		ssl_certificate /etc/ssl/certs/nginx.crt;
+		ssl_certificate_key /etc/ssl/private/nginx.key;
+
+	        include ssl-params.conf;
+
+		location /v1 {
+			proxy_pass http://sublime_mantis:8000;
+			proxy_set_header Host $host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Host $server_name;
+
+			# language server websockets
+			proxy_set_header Upgrade $http_upgrade;
+			proxy_set_header Connection $connection_upgrade;
+		}
+
+		location /v0 {
+			proxy_pass http://sublime_mantis:8000;
+			proxy_set_header Host $host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Host $server_name;
+		}
+
+		location / {
+			proxy_pass http://sublime_dashboard;
+			proxy_set_header Host $host;
+			proxy_set_header X-Real-IP $remote_addr;
+			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+			proxy_set_header X-Forwarded-Host $server_name;
+		}
+	}
+}

nginx-custom-ssl/conf/ssl-params.conf

@@ -0,0 +1,21 @@
+# from https://cipherli.st/
+# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;