SSL everywhere #140

Closed
petersilva opened this issue Mar 10, 2022 · 10 comments
Labels: enhancement (New feature or request), security (Security)

Comments

@petersilva
Contributor

Need to configure every container that runs a service to use the SSL certificate (this involves ensuring the certificates are in the right places for each one). Services to configure so far:

  • nginx
  • mosquitto
  • wis2box stack itself? or inherit from nginx?
  • webdav

Since certificates have pretty short lifetimes (max 1 year) these days, need to arrange for auto-renewal, and automated replacement of certs, and restarting of the services using them.

Implementing something like Let's Encrypt, with auto-updating, would be desirable.
Some nations may have security standards that conflict with the use of external or specific SSL providers, so this part may need to be pluggable.

@tomkralidis tomkralidis added this to the sprint-003 milestone Mar 10, 2022
@tomkralidis tomkralidis added the access control Access control label Mar 10, 2022
@petersilva
Contributor Author

@tomkralidis
Collaborator

Needs setup/proxy (+X-Forward, etc.) on:

  • nginx

  • mosquitto

  • does data-consumer need SSL as well?

  • need to verify ingest workflows (SFTP, or other [s3]?)

  • certs can be the same, need to be managed across the box

@webb-ben
Member

I will add that we could use a web server that has built-in TLS/SSL like Caddy. Ideally, we would have SSL from only one container. I believe nginx and caddy can be configured to serve any TCP protocol including MQTT...

@tomkralidis
Collaborator

@webb-ben sure. We can also generate the certs and mount them across nginx and mosquitto.

@maaikelimper
Collaborator

Additional service to use SSL: grafana for the monitoring.

@tomkralidis
Collaborator

  • nginx as proxy for other services
  • nginx does SSL
  • SSL is installed once on web proxy
  • internal services are raw HTTP
  • cert options
    • self-signed
    • letsencrypt (needs public facing address, hard for development)
    • commercial (i.e. Entrust)
  • nginx configuration: http://nginx.org/en/docs/http/configuring_https_servers.html
  • we would put files where nginx wants them
  • keys need to be created BEFORE docker-compose orchestration
  • have different nginx configs
  • unsecure (CI, dev.)
    • 80
    • 1883
  • secure (docker/nginx/nginx.ssl.conf)
    • 443
    • 8883
  • change docker/docker-compose.yml to point to nginx.ssl.conf and uncomment/edit volume map to .key and .crt
  • we can have a build step to copy the nginx.dev.conf or nginx.ssl.conf to nginx.conf
  • we need an SSL page/documentation
    • how to enable SSL
    • change env vars
    • startup
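
As an added illustration of the plan above (TLS terminated once on the nginx proxy, internal services left on raw HTTP, 443 for HTTPS and 8883 for MQTTS forwarded to the broker on 1883), here is a minimal `nginx.ssl.conf` in the shape such a file could take; it is not the project's own config, and the upstream container names `wis2box-api` and `mosquitto` and the cert paths under `/etc/nginx/certs/` are assumptions/placeholders:

```nginx
# Added example, not wis2box's nginx.ssl.conf. Assumed upstream container
# names: wis2box-api (HTTP) and mosquitto (MQTT). Cert/key paths are
# placeholders to be volume-mapped from the host before orchestration.
events { worker_connections 1024; }

http {
    # Plain HTTP (port 80) only redirects, so no content is served in clear.
    server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name _;
        ssl_certificate     /etc/nginx/certs/fullchain.crt;  # placeholder
        ssl_certificate_key /etc/nginx/certs/privkey.key;    # placeholder
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        location / {
            # TLS terminates here; the internal service stays raw HTTP.
            proxy_pass http://wis2box-api:80;          # assumed name
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

# MQTT over TLS: nginx terminates TLS on 8883 with the same cert/key and
# forwards plain MQTT to the broker on 1883 inside the compose network.
stream {
    server {
        listen 8883 ssl;
        ssl_certificate     /etc/nginx/certs/fullchain.crt;  # placeholder
        ssl_certificate_key /etc/nginx/certs/privkey.key;    # placeholder
        ssl_protocols       TLSv1.2 TLSv1.3;
        proxy_pass mosquitto:1883;                        # assumed name
    }
}
```

With this layout only the nginx container needs the key and certificate mounted, and a cert renewal requires reloading (or restarting) nginx alone rather than every service.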

@tomkralidis tomkralidis modified the milestones: sprint-003, sprint-004 May 16, 2022
@tomkralidis tomkralidis removed this from the sprint-004 milestone Jul 1, 2022
@tomkralidis tomkralidis added enhancement New feature or request and removed access control Access control labels Jan 20, 2023
@tomkralidis
Collaborator

cc @maaikelimper

  • option to enable/disable SSL, when SSL is disabled user should get clear warning on wis2box-ctl.py to indicate that this is for development only and production-environment requires HTTPS/MQTTS to be enabled
  • prepare nginx/mqtt configuration files with/without SSL
  • new environment variables to define WIS2BOX_SSL_ENABLED (true/false) and WIS2BOX_NGINX_CERTS_DIR, WIS2BOX_MQTTS_CERTS_DIR on local host for nginx and mqtt (and optionally sftp)

@tomkralidis tomkralidis added this to the sprint-009 milestone Jan 20, 2023
@maaikelimper maaikelimper added the security Security label Jan 20, 2023
@golfvert
Contributor

Have you considered using traefik? As a proxy for HTTPS/MQTTS/... it also makes auto-renewal with Let's Encrypt fairly straightforward.
MF Global Broker is using this setup.

@tomkralidis
Collaborator

PR in #403; I will review today/tomorrow.

@tomkralidis
Collaborator

Implemented in #403.

5 participants