From 44879f10e702dae854a316677edadf3b360b2472 Mon Sep 17 00:00:00 2001 From: Patrice Date: Wed, 15 May 2019 15:58:28 +0200 Subject: [PATCH] cert stuff :( --- .gitignore | 10 ++++ reader/{GST.Dockerfile => Dockerfile} | 11 ++-- reader/__pycache__/siteobj.cpython-35.pyc | Bin 3518 -> 3518 bytes reader/__pycache__/util.cpython-35.pyc | Bin 554 -> 591 bytes reader/gen_cert.sh | 49 +---------------- reader/main.py | 10 +++- reader/nginx.conf | 61 ++++++++++++++++++++++ reader/requirements.txt | 1 + 8 files changed, 87 insertions(+), 55 deletions(-) rename reader/{GST.Dockerfile => Dockerfile} (62%) create mode 100644 reader/nginx.conf diff --git a/.gitignore b/.gitignore index 3faff97..8724c5c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,12 @@ reader/ngrok\.exe + +alexa\.jopa\.dev\.csr + +alexa\.jopa\.dev\.key + +certificate\.pem + +privkey\.pem + +reader/cert/certificate\.crt diff --git a/reader/GST.Dockerfile b/reader/Dockerfile similarity index 62% rename from reader/GST.Dockerfile rename to reader/Dockerfile index 5f2a70f..5876e48 100644 --- a/reader/GST.Dockerfile +++ b/reader/Dockerfile @@ -1,14 +1,13 @@ FROM tiangolo/uwsgi-nginx-flask:python3.5 -ENV FQDN *.example.com + RUN python -m pip install pip==9.0.3 RUN apt-get update RUN apt-get install -y gcc libevent-dev python-dev + COPY ./requirements.txt / COPY ./ /app -COPY ./gen_cert.sh /gen_cert.sh + +COPY ./nginx.conf /etc/nginx/nginx.conf +#COPY /app/certificate.pem /etc/nginx/certs RUN pip install -r /requirements.txt -CMD sh /gen_cert.sh && cp /server.crt /etc/nginx/certs:/etc/nginx/certs && /start.sh - - - diff --git a/reader/__pycache__/siteobj.cpython-35.pyc b/reader/__pycache__/siteobj.cpython-35.pyc index 39ceb47525faecb43bba33c3ed0088fb4b04d33a..c013b204836f58fd10dea70db36f69e262040b1e 100644 GIT binary patch delta 15 Wcmdldy-%7=oR^oY-E|||4qgBvwgfx? delta 15 Wcmdldy-%7=oR^ntrr}1m9lQV{z63e| 
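Review bot: Nothing in the Dockerfile now places a certificate or key at the `/app/cert/certificate.pem` and `/app/cert/privkey.pem` paths that the accompanying nginx.conf reads — the old `sh /gen_cert.sh && cp ...` CMD is gone and its replacement `COPY` is commented out — so nginx will presumably fail to start unless those files happen to sit in the build context. If they do, `COPY ./ /app` bakes the private key into an image layer: .gitignore keeps `privkey.pem` out of git but not out of the docker build context, and no .dockerignore is visible in this commit. I'd add a `.dockerignore` listing `*.pem`, `*.key`, `*.csr` and `cert/`, supply the key material at runtime (a read-only bind mount of `cert/` onto `/app/cert`, or a secret) and replace the dead `#COPY /app/certificate.pem /etc/nginx/certs` line with a comment stating where the cert is expected to come from. Minor, same hunk: `pip install pip==9.0.3` pins a years-old pip, and the `apt-get install` layer never removes `/var/lib/apt/lists`.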
diff --git a/reader/__pycache__/util.cpython-35.pyc b/reader/__pycache__/util.cpython-35.pyc index 298c6f912def718a0492af538520ade39799729d..d26c0cce042eff8426a3d1941129df26551b3e71 100644 GIT binary patch delta 119 zcmZ3*a-M}toR^pDkloD~8K#L`!4p4eO)SdbVq*XTMjl2Mril-v0PWK0qkOiwL|FHS8k&dkq?FH6iRO%vgNF?OBCr~} delta 109 zcmX@lvWkUEoR^o&#q4IxX2ywJ!J>=|3=GadT+9L_QWzP6HJSWECbnm=F#-7uj1zxK zPfSys?8<1#!vRvo1{UR++{KtAE}EWN5?`EJT%4Jo7oS*CQk0ogT9V2)`9GsCGb;}p E00Al)=>Px# diff --git a/reader/gen_cert.sh b/reader/gen_cert.sh index 58ddd09..e43c2a2 100644 --- a/reader/gen_cert.sh +++ b/reader/gen_cert.sh 
@@ -1,48 +1 @@
-#!/bin/bash
-
-# set values for certificate DNs
-# note: CN is set to different values in the sections below
-ORG="000_Test_Certificates"
-
-# set values that the commands will share
-VALID_DAYS=360
-CA_KEY=ca.key
-CA_CERT=ca.crt
-CLIENT_KEY=client.key
-CLIENT_CERT=client.crt
-CLIENT_CSR=client.csr
-CLIENT_P12=client.p12
-SERVER_KEY=server.key
-SERVER_CERT=server.crt
-SERVER_CSR=server.csr
-KEY_BITS=2048
-
-echo
-echo "Create CA certificate..."
-CN="Test CA"
-openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$KEY_BITS -out $CA_KEY
-openssl req -new -x509 -days $VALID_DAYS -key $CA_KEY -subj "/CN=$CN/O=$ORG" -out $CA_CERT
-echo "Done."
-
-echo
-echo "Creating Server certificate..."
-CN="localhost"
-openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$KEY_BITS -out $SERVER_KEY
-openssl req -new -key $SERVER_KEY -subj "/CN=$CN/O=$ORG" -out $SERVER_CSR
-openssl x509 -days $VALID_DAYS -req -in $SERVER_CSR -CAcreateserial -CA $CA_CERT -CAkey $CA_KEY -out $SERVER_CERT
-echo "Done."
-
-echo
-echo "Creating Client certificate..."
-CN="Test User 1"
-USER_ID="testuser1"
-P12_PASSWORD=
-openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$KEY_BITS -out $CLIENT_KEY
-openssl req -new -key $CLIENT_KEY -subj "/CN=$CN/O=$ORG/UID=$USER_ID" -out $CLIENT_CSR
-openssl x509 -days $VALID_DAYS -req -in $CLIENT_CSR -CAcreateserial -CA $CA_CERT -CAkey $CA_KEY -out $CLIENT_CERT
-openssl pkcs12 -in $CLIENT_CERT -inkey $CLIENT_KEY -export -password pass:$P12_PASSWORD -out $CLIENT_P12
-echo "Done."
-
-echo
-echo "----- Don't forget to open your browser and install your $CA_CERT and $CLIENT_P12 certificates -----"
-echo
\ No newline at end of file
+openssl req -newkey rsa:2048 -nodes -keyout privkey.pem -x509 -days 365 -out certificate.pem -subj "/C=US/ST=NRW/L=Earth/O=CompanyName/OU=IT/CN=alexa.jopa.dev"
\ No newline at end of file
diff --git a/reader/main.py b/reader/main.py
index c3cb906..8206c8c 100644
--- a/reader/main.py
+++ b/reader/main.py
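Review bot: The new one-liner issues a self-signed certificate with only a CN and no subjectAltName, and current TLS clients ignore CN, so `alexa.jopa.dev` will not validate even once the cert is trusted; it also writes `privkey.pem` into the current directory while nginx.conf in this commit reads `/app/cert/privkey.pem`. The shebang and every bit of error handling were dropped, and `-nodes` under the default umask leaves the unencrypted key world-readable. I'd restore the shebang, write into `cert/`, create the key under `umask 077` and add a SAN covering both names nginx.conf serves (`-addext` needs OpenSSL 1.1.1+; on older builds use a config file with a `[v3_req]` section). If this endpoint is meant to be called by Alexa, confirm the service accepts a self-signed cert at all — as far as I recall it must be uploaded in the developer console and must carry the SAN.
```sh
#!/bin/bash
set -euo pipefail
umask 077
mkdir -p cert
openssl req -newkey rsa:2048 -nodes -keyout cert/privkey.pem -x509 -days 365 \
  -out cert/certificate.pem \
  -subj "/C=US/ST=NRW/L=Earth/O=CompanyName/OU=IT/CN=alexa.jopa.dev" \
  -addext "subjectAltName=DNS:alexa.jopa.dev,DNS:jopa.dev"
```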
@@ -1,4 +1,5 @@
 import logging
+from OpenSSL import SSL
 import os
 from flask import Flask
 from flask_ask import Ask, request, session, question, statement
@@ -150,4 +151,11 @@ if __name__ == '__main__':
 verify = str(os.environ.get('ASK_VERIFY_REQUESTS', '')).lower()
 if verify == 'false':
 app.config['ASK_VERIFY_REQUESTS'] = False
- app.run()
+
+
+ context = SSL.Context(SSL.TLSv1_2_METHOD)
+ cer = os.path.join(os.path.dirname(__file__), 'certificate.pem')
+ key = os.path.join(os.path.dirname(__file__), 'privkey.pem')
+ context = (cer, key)
+
+ app.run(host='127.0.0.1',port=443,ssl_context=context)
diff --git a/reader/nginx.conf b/reader/nginx.conf
new file mode 100644
index 0000000..a338ef4
--- /dev/null
+++ b/reader/nginx.conf
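Review bot: `from OpenSSL import SSL` introduces a runtime dependency on pyOpenSSL that requirements.txt, also touched by this commit, does not declare, so a fresh `pip install -r requirements.txt` leaves main.py failing at import time. As far as this diff shows the module is only used to build an `SSL.Context` that is immediately replaced by a tuple further down, so the import can simply be removed; if pyOpenSSL is genuinely wanted, add a pinned `pyOpenSSL==<version>` line to requirements.txt.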
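Review bot: The `SSL.Context(SSL.TLSv1_2_METHOD)` object is overwritten two lines later by `context = (cer, key)`, so the TLS-1.2-only intent never reaches the server — Flask hands the tuple to Werkzeug, which builds its own context with default protocol settings. Binding `host='127.0.0.1'` on port 443 also makes the dev server unreachable from outside a container and requires root to bind, and since nginx.conf in this commit terminates TLS itself, this block should probably keep serving plain HTTP behind nginx. If TLS inside the Flask process is really wanted, drop the pyOpenSSL import in favour of `import ssl` and build the context explicitly as below (written against Python 3.5, which the Dockerfile's base image pins). The enclosing `if __name__ == '__main__':` block begins outside the hunk.
```python
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1  # TLS 1.2+ only
    context.load_cert_chain(
        os.path.join(os.path.dirname(__file__), 'certificate.pem'),
        os.path.join(os.path.dirname(__file__), 'privkey.pem'),
    )
    app.run(host='127.0.0.1', port=443, ssl_context=context)
```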
@@ -0,0 +1,61 @@
+
+user nginx;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ server {
+ # enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.
+ ssl_protocols SSLv3 TLSv1;
+
+ # disables all weak ciphers
+ ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
+
+ server_name alexa.jopa.dev jopa.dev;
+
+ ## Access and error logs.
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ ## Keep alive timeout set to a greater value for SSL/TLS.
+ keepalive_timeout 75 75;
+
+ ## See the keepalive_timeout directive in nginx.conf.
+ ## Server certificate and key.
+ ssl on;
+ ssl_certificate /app/cert/certificate.pem;
+ ssl_certificate_key /app/cert/privkey.pem;
+ ssl_session_timeout 5m;
+
+ ## Strict Transport Security header for enhanced security. See
+ ## http://www.chromium.org/sts. I've set it to 2 hours; set it to
+ ## whichever age you want.
+ add_header Strict-Transport-Security "max-age=7200";
+
+ }
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/reader/requirements.txt b/reader/requirements.txt
index 9157fa2..70fb707 100644
--- a/reader/requirements.txt
+++ b/reader/requirements.txt
@@ -1,2 +1,3 @@
 requests
 flask-ask
+lxml
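Review bot: `ssl_protocols SSLv3 TLSv1;` enables exactly the two versions that should be off and none that should be on — SSLv3 is POODLE-vulnerable and TLS 1.2 is absent entirely — while the comment above it claims the opposite; likewise `ssl_ciphers ALL:...:RC4+RSA:+HIGH:+MEDIUM` explicitly readmits RC4 and MEDIUM-strength suites under a comment that says "disables all weak ciphers". The `server` block has no `listen` directive, so with the deprecated `ssl on;` nginx applies TLS to its default port 80 rather than 443, and it has no `location`/`uwsgi_pass`, so it is unclear how requests reach the app (the base image's generated config in conf.d is only included afterwards). HSTS with `max-age=7200` is too short to protect anyone; raise it to months once the chain is known to work. Replace the TLS directives as below (drop `TLSv1.3` if the image's nginx/OpenSSL predate it) and add a `location / { ... }` that proxies to uwsgi the way the image's own conf.d file does.
```nginx
    server {
        listen 443 ssl;
        server_name alexa.jopa.dev jopa.dev;

        ssl_certificate     /app/cert/certificate.pem;
        ssl_certificate_key /app/cert/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        add_header Strict-Transport-Security "max-age=15768000" always;
        # … unchanged: access_log / error_log / keepalive_timeout …
    }
```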