Reject SSL handshake on default server

SteveLTN · Oct 25, 2021 · e6018f5 · e6018f5
1 parent 9db6177
commit e6018f5
Show file tree

Hide file tree

Showing 6 changed files with 6 additions and 38 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-ARG  DIST=nginx:1.19.6
+ARG  DIST=nginx:1.21.3
 FROM $DIST
 
 # Set by `docker buildx build`

diff --git a/fs_overlay/etc/cont-init.d/00-welcome b/fs_overlay/etc/cont-init.d/00-welcome
@@ -2,6 +2,6 @@
 
 echo '
 ========================================
-HTTPS-PORTAL v1.19.2
+HTTPS-PORTAL v1.20.0
 ========================================
 '
diff --git a/fs_overlay/opt/certs_manager/certs_manager.rb b/fs_overlay/opt/certs_manager/certs_manager.rb
@@ -27,7 +27,6 @@ def setup_config(initial)
         domain.ensure_welcome_page
       end
 
-      ensure_dummy_certificate_for_default_server
       OpenSSL.ensure_dhparam
       OpenSSL.ensure_account_key
 

diff --git a/fs_overlay/opt/certs_manager/lib/commands.rb b/fs_overlay/opt/certs_manager/lib/commands.rb
@@ -31,20 +31,6 @@ def generate_ht_access(domains)
     end
   end
 
-  def ensure_dummy_certificate_for_default_server
-    base_dir = File.join(NAConfig.portal_base_dir, "default_server")
-    cert_path = File.join(NAConfig.portal_base_dir, "default_server/default_server.crt")
-    key_path = File.join(NAConfig.portal_base_dir, "default_server/default_server.key")
-
-    unless File.exist?(cert_path) && File.exist?(key_path)
-      OpenSSL.generate_dummy_certificate(
-        base_dir,
-        cert_path,
-        key_path
-      )
-    end
-  end
-
   def fail_and_shutdown
     Logger.debug ("Fail and Shutdown")
     Nginx.stop

diff --git a/fs_overlay/opt/certs_manager/lib/open_ssl.rb b/fs_overlay/opt/certs_manager/lib/open_ssl.rb
@@ -66,23 +66,6 @@ def self.self_sign(domain)
     (system command) && ACME.rename_ongoing_cert_and_key(domain)
   end
 
-  def self.generate_dummy_certificate(dir, out_path, keyout_path)
-    puts "Generating dummy certificate for default fallback server"
-
-    command = <<-EOC
-      mkdir -p #{dir} && \
-      openssl req -x509 -newkey \
-        rsa:#{NAConfig.key_length} -nodes \
-        -out #{out_path} \
-        -keyout #{keyout_path} \
-        -days 36500 \
-        -batch \
-        -subj "/CN=default-server.example.com"
-    EOC
-
-    system command
-  end
-
   private
 
   def self.dummy?(pem)

diff --git a/fs_overlay/var/lib/nginx-conf/nginx.conf.erb b/fs_overlay/var/lib/nginx-conf/nginx.conf.erb
@@ -118,11 +118,11 @@ http {
     # Prevent Nginx from leaking other server configurations on the same machine
     server {
         listen      80 default_server;
-        listen      443 ssl default_server;
-
-        ssl_certificate <%= NAConfig.portal_base_dir %>/default_server/default_server.crt;
-        ssl_certificate_key <%= NAConfig.portal_base_dir %>/default_server/default_server.key;
         server_name _;
         return      444;
     }
+    server {
+        listen      443 ssl default_server;
+        ssl_reject_handshake on;
+    }
 }