From 9aada993b1db43c51a59692f18f88dcaeb4308c9 Mon Sep 17 00:00:00 2001
From: wh1te909
Date: Mon, 14 Mar 2022 04:20:41 +0000
Subject: [PATCH] nginx/celery changes and bump docker deps
---
 .devcontainer/docker-compose.yml | 2 +-
 .../containers/tactical-frontend/dockerfile | 2 +-
 .../tactical-meshcentral/dockerfile | 2 +-
 docker/containers/tactical-nats/dockerfile | 2 +-
 .../containers/tactical-nginx/entrypoint.sh | 27 +++++++++++++--
 docker/containers/tactical/dockerfile | 6 ++--
 install.sh | 33 +++++++++++++++----
 7 files changed, 58 insertions(+), 16 deletions(-)
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index 4a987007..3665fb1f 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -24,7 +24,7 @@ services:
 app-dev:
 container_name: trmm-app-dev
- image: node:14-alpine
+ image: node:16-alpine
 restart: always
 command: /bin/sh -c "npm install npm@latest -g && npm install && npm run serve -- --host 0.0.0.0 --port ${APP_PORT}"
 working_dir: /workspace/web
diff --git a/docker/containers/tactical-frontend/dockerfile b/docker/containers/tactical-frontend/dockerfile
index 31dd981a..74fd2dc2 100644
--- a/docker/containers/tactical-frontend/dockerfile
+++ b/docker/containers/tactical-frontend/dockerfile
@@ -1,4 +1,4 @@
-FROM node:14-alpine AS builder
+FROM node:16-alpine AS builder
 WORKDIR /home/node/app
diff --git a/docker/containers/tactical-meshcentral/dockerfile b/docker/containers/tactical-meshcentral/dockerfile
index d0b3f5ed..2705daf5 100644
--- a/docker/containers/tactical-meshcentral/dockerfile
+++ b/docker/containers/tactical-meshcentral/dockerfile
@@ -1,4 +1,4 @@
-FROM node:14-alpine
+FROM node:16-alpine
 WORKDIR /home/node/app
diff --git a/docker/containers/tactical-nats/dockerfile b/docker/containers/tactical-nats/dockerfile
index ad1bd059..beb37fcb 100644
--- a/docker/containers/tactical-nats/dockerfile
+++ b/docker/containers/tactical-nats/dockerfile
@@ -1,4 +1,4 @@
-FROM nats:2.6.6-alpine
+FROM nats:2.7.4-alpine
 ENV TACTICAL_DIR /opt/tactical
 ENV TACTICAL_READY_FILE ${TACTICAL_DIR}/tmp/tactical.ready
diff --git a/docker/containers/tactical-nginx/entrypoint.sh b/docker/containers/tactical-nginx/entrypoint.sh
index 32f49f17..2908c8bf 100644
--- a/docker/containers/tactical-nginx/entrypoint.sh
+++ b/docker/containers/tactical-nginx/entrypoint.sh
@@ -102,7 +102,14 @@ server {
 listen 4443 ssl;
 ssl_certificate ${CERT_PUB_PATH};
 ssl_certificate_key ${CERT_PRIV_PATH};
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header X-Content-Type-Options nosniff;
 }
@@ -139,7 +146,14 @@ server {
 listen 4443 ssl;
 ssl_certificate ${CERT_PUB_PATH};
 ssl_certificate_key ${CERT_PRIV_PATH};
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header X-Content-Type-Options nosniff;
 }
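Review bot: `ssl_stapling on; ssl_stapling_verify on;` in this server block will not actually staple unless nginx can resolve the OCSP responder hostname, which requires a `resolver` directive; the hunk adds none, and if the `http` block of the generated config does not define one either (not visible here), nginx logs "no resolver defined" and serves an unstapled response — silently, not fatally. Add one beside the stapling lines, e.g. `resolver 127.0.0.11 valid=300s;` for Docker's embedded DNS on a user-defined network, or leave stapling off until it is confirmed working with `openssl s_client -status`. Note also that `ssl_stapling_verify on` needs the issuer chain in `CERT_PUB_PATH`; with a bare leaf or a self-signed cert nginx warns and skips stapling rather than failing, so this is lost hardening rather than an outage. The server block begins outside the hunk.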
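Review bot: The `EDH+AESGCM` half of the new `ssl_ciphers EECDH+AESGCM:EDH+AESGCM;` is inert without an `ssl_dhparam` file — nginx has not offered DHE suites without one since 1.11.0 — and nothing in the hunk adds that directive, so in practice only the ECDHE AES-GCM suites remain for TLS 1.2. That also drops the `ECDHE-*-CHACHA20-POLY1305` suites the removed line offered, which matters for agents on hardware without AES acceleration; `ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20;` keeps them and says what is really enabled. For TLS 1.3 the `ssl_ciphers` string has no effect at all (OpenSSL selects the 1.3 suites separately), so the effective hardening in this hunk is the `ssl_protocols` line. The server block begins outside the hunk.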
@@ -160,9 +174,16 @@ server {
 server_name ${MESH_HOST};
 ssl_certificate ${CERT_PUB_PATH};
 ssl_certificate_key ${CERT_PRIV_PATH};
+ ssl_session_cache shared:WEBSSL:10m;
- ssl_ciphers HIGH:!aNULL:!MD5;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header X-Content-Type-Options nosniff;
 location / {
 #Using variable to disable start checks
diff --git a/docker/containers/tactical/dockerfile b/docker/containers/tactical/dockerfile
index e972dfdc..811b4554 100644
--- a/docker/containers/tactical/dockerfile
+++ b/docker/containers/tactical/dockerfile
@@ -1,5 +1,5 @@
 # creates python virtual env
-FROM python:3.9.9-slim AS CREATE_VENV_STAGE
+FROM python:3.10.2-slim AS CREATE_VENV_STAGE
 ARG DEBIAN_FRONTEND=noninteractive
@@ -21,14 +21,14 @@ RUN apt-get update && \
 pip install --no-cache-dir -r ${TACTICAL_TMP_DIR}/api/requirements.txt
 # pulls community scripts from git repo
-FROM python:3.9.9-slim AS GET_SCRIPTS_STAGE
+FROM python:3.10.2-slim AS GET_SCRIPTS_STAGE
 RUN apt-get update && \
 apt-get install -y --no-install-recommends git && \
 git clone https://github.com/amidaware/community-scripts.git /community-scripts
 # runtime image
-FROM python:3.9.9-slim
+FROM python:3.10.2-slim
 # set env variables
 ENV VIRTUAL_ENV /opt/venv
diff --git a/install.sh b/install.sh
index e90c8d59..c00d9fd3 100644
--- a/install.sh
+++ b/install.sh
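Review bot: `ssl_ecdh_curve secp384r1;` pins key exchange to a single curve and removes X25519 and P-256, the groups modern TLS 1.3 clients typically send a key share for first; with only secp384r1 permitted, each such TLS 1.3 handshake costs an extra HelloRetryRequest round trip, and any client lacking P-384 fails outright. A list keeps the stronger option without that cost, e.g. `ssl_ecdh_curve X25519:prime256v1:secp384r1;` (a colon-separated list is accepted with OpenSSL 1.0.2+). The same single-curve line is repeated in the other server blocks of this file and in install.sh, so if it changes it should change everywhere. The server block begins above the hunk and its `location /` continues below it.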
@@ -521,8 +521,15 @@ server {
 error_log /rmm/api/tacticalrmm/tacticalrmm/private/log/error.log;
 ssl_certificate ${CERT_PUB_KEY};
 ssl_certificate_key ${CERT_PRIV_KEY};
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
-
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header X-Content-Type-Options nosniff;
+
 location /static/ {
 root /rmm/api/tacticalrmm;
 }
@@ -585,9 +592,16 @@ server {
 server_name ${meshdomain};
 ssl_certificate ${CERT_PUB_KEY};
 ssl_certificate_key ${CERT_PRIV_KEY};
+ ssl_session_cache shared:WEBSSL:10m;
- ssl_ciphers HIGH:!aNULL:!MD5;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header X-Content-Type-Options nosniff;
 location / {
 proxy_pass http://127.0.0.1:4430/;
@@ -642,7 +656,7 @@ CELERY_APP="tacticalrmm"
 CELERYD_MULTI="multi"
-CELERYD_OPTS="--time-limit=9999 --autoscale=100,5"
+CELERYD_OPTS="--time-limit=86400 --autoscale=50,3"
 CELERYD_PID_FILE="/rmm/api/tacticalrmm/%n.pid"
 CELERYD_LOG_FILE="/var/log/celery/%n%I.log"
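Review bot: `add_header X-Content-Type-Options nosniff;` at server level is inherited by a `location` only if that location has no `add_header` of its own — nginx replaces the whole set rather than merging — so any location in this server block that already sets a header (the `location /static/` shown sets none, but the others are outside the hunk) silently loses nosniff. A comment on the line would save the next maintainer the surprise, e.g. `# add_header is not merged: repeat this in any location that has its own add_header`. Now that the block only speaks TLS 1.2/1.3 this is also the natural place for `add_header Strict-Transport-Security "max-age=63072000" always;`, gated on the deployment using a publicly trusted certificate, which install.sh does not show here. The server block starts before the hunk and ends after it.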
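Review bot: This is the second of three identical seven-line TLS stanzas added to this file (plus three in the docker entrypoint), and the one place they already differ — `ssl_session_cache shared:WEBSSL:10m;` appears only in the MeshCentral blocks — is either a deliberate asymmetry or the first drift. Emitting the stanza once to a snippet file (for example `/etc/nginx/snippets/tactical-tls.conf`) and writing `include snippets/tactical-tls.conf;` from each heredoc makes the next cipher or curve change a one-line edit instead of a search-and-replace across two files. If the session cache is meant for every block it belongs in that shared snippet; if it is MeshCentral-specific, a one-line comment saying why would stop a later reviewer from "fixing" the difference. The server block begins above the hunk and `location /` continues below it.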
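Review bot: `--time-limit=86400` is a hard limit only: a task that hangs (an agent that never answers, a script blocked on input) now holds one of at most 50 worker processes for a full day before Celery kills and replaces it, and with no `--soft-time-limit` the task gets no chance to clean up first. Since the same line also cuts the concurrency ceiling from 100 to 50, roughly fifty stuck tasks would stall the queue for everything else. If the long limit exists for a few known long-running tasks, prefer per-task `time_limit`/`soft_time_limit` and a short worker default; failing that, at least pair it with a soft limit, e.g. `CELERYD_OPTS="--time-limit=86400 --soft-time-limit=82800 --autoscale=50,3"`. The surrounding heredoc continues outside the hunk.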
@@ -737,7 +751,14 @@ server {
 listen [::]:443 ssl;
 ssl_certificate ${CERT_PUB_KEY};
 ssl_certificate_key ${CERT_PRIV_KEY};
- ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+ ssl_ecdh_curve secp384r1;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ add_header X-Content-Type-Options nosniff;
 }
 server {
@@ -842,7 +863,7 @@ printf >&2 "${YELLOW}%0.s*${NC}" {1..80}
 printf >&2 "\n\n"
 printf >&2 "${YELLOW}Installation complete!${NC}\n\n"
 printf >&2 "${YELLOW}Access your rmm at: ${GREEN}https://${frontenddomain}${NC}\n\n"
-printf >&2 "${YELLOW}Django admin url: ${GREEN}https://${rmmdomain}/${ADMINURL}${NC}\n\n"
+printf >&2 "${YELLOW}Django admin url (disabled by default): ${GREEN}https://${rmmdomain}/${ADMINURL}${NC}\n\n"
 printf >&2 "${YELLOW}MeshCentral username: ${GREEN}${meshusername}${NC}\n"
 printf >&2 "${YELLOW}MeshCentral password: ${GREEN}${MESHPASSWD}${NC}\n\n"
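Review bot: `ssl_stapling on; ssl_stapling_verify on;` only take effect if nginx can resolve the OCSP responder hostname, which needs a `resolver` directive; this hunk adds none, and unless the host's `nginx.conf` `http` block already has one (not visible here) nginx logs "no resolver defined" and serves unstapled — silently, not fatally. Add one beside the stapling lines, e.g. `resolver 127.0.0.53 valid=300s;` on a systemd-resolved host or whatever resolver the installer already relies on, or leave stapling off until it is confirmed with `openssl s_client -status`. With a certificate file that lacks the issuer chain or is self-signed, `ssl_stapling_verify on` makes nginx warn and skip stapling rather than fail, so the cost of the missing resolver is lost hardening rather than an outage. The server block begins above the hunk; the trailing `server {` context line opens the next one.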