Anyone have issues with latest builds and SSL?

Hi!

Here is quick & dirty hack that enables SSL for Anthias control panel. In general: Nginx within screenly-anthias-nginx-X container shall have SSL configured. To do this, you need two things - server cert & key and new Nginx configuration. Both components will be delivered to the container by volumes definition in docker-compose.yml.

Here are steps to take:

1. Generate new CA crt & key
```sh
mkdir ~/screenly/SSL
cd ~/screenly/SSL   # the CA and server files are created here; step 4 copies them from this directory
openssl genrsa 4096 > ca-key.pem
openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem
```
2. Generate new server's crt & key
```sh
openssl req -newkey rsa:4096 -days 365 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
```
3. Sign server's crt with the just created CA (you can add the CA to your browser to have a trusted connection)
```sh
openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
```
4. Copy server crt and key into a dedicated directory
```sh
mkdir ~/screenly/pki
cd ~/screenly/pki
cp ../SSL/server-key.pem ./
cp ../SSL/server-cert.pem ./   # file name as written by step 3
```
5. Update Nginx config to cover SSL
```sh
mkdir ~/screenly/nginx.conf
cd ~/screenly/nginx.conf
cp ../docker/nginx/nginx.conf ./anthias.conf   # the stock config lives in the repo root (~/screenly)
vim anthias.conf
```

Update server section with ssl configuration as follows:

```nginx
[...]
server {
    server_tokens off;
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL config START
    listen 443 ssl;
    ssl_certificate /data/.pki/server-cert.pem;
    ssl_certificate_key /data/.pki/server-key.pem;
    # SSL config END
[...]
```
6. Update docker-compose.yml as follows:
```sh
cd ~/screenly
vim docker-compose.yml
```

Add the lines below to the anthias-nginx service configuration:

```yaml
[...]
  anthias-nginx:
    image: screenly/anthias-nginx:8f6d8b0-pi4
    build:
      context: .
      dockerfile: docker/Dockerfile.nginx
    ports:
      # Comment out passing port 80 and add passing port 443 from container
      #- 80:80
      - 443:443
    environment:
      - HOME=/data
    depends_on:
      - anthias-server
      - anthias-websocket
    restart: always
    volumes:
      - resin-data:/data:ro
      - /home/pi/.screenly:/data/.screenly:ro
      - /home/pi/screenly_assets:/data/screenly_assets:ro
      - /home/pi/screenly/static:/data/screenly/static:ro
      # Cert & key Volume
      - /home/pi/screenly/pki:/data/.pki:ro
      # New Nginx configuration Volume
      - /home/pi/screenly/nginx.conf:/etc/nginx/sites-enabled:ro
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
```
7. Restart docker compose services:
```sh
docker compose stop
# `up -d` recreates the anthias-nginx container so the new volume mounts take effect;
# `start` alone would reuse the existing container with its old mounts
docker compose up -d
```
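The following script is an added example and not part of the original post: it carries steps 1 to 3 through non-interactively, puts the FQDN into a subjectAltName as well as the CN (browsers check the hostname against SAN only), and then verifies that the server cert chains to the CA, is valid for the FQDN, and matches its private key. It assumes the openssl CLI is installed; the FQDN and output directory are example values supplied by the caller.

```sh
#!/bin/sh
# Added example, not part of the original post: create a local CA, a server key and
# a CA-signed server certificate carrying a subjectAltName, then verify the result.
# Assumes the openssl CLI is installed. FQDN and output directory are caller-supplied
# example values.

# make_certs FQDN OUTDIR: writes ca-key.pem, ca-cert.pem, server-key.pem,
# server-req.pem and server-cert.pem into OUTDIR.
make_certs() {
  fqdn="$1"
  outdir="$2"
  mkdir -p "$outdir"
  (
    cd "$outdir" || exit 1
    umask 077                      # new files (the keys!) are readable by the owner only

    # 1. CA key and self-signed CA certificate (non-interactive subject)
    openssl genrsa -out ca-key.pem 4096 2>/dev/null
    openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pem \
      -subj "/CN=Anthias local CA" 2>/dev/null

    # 2. Server key and CSR; the CN is the FQDN, as remark 2 of the post requires
    openssl req -newkey rsa:4096 -nodes -keyout server-key.pem -out server-req.pem \
      -subj "/CN=$fqdn" 2>/dev/null

    # 3. Sign the CSR with the CA. Browsers match the hostname against the
    #    subjectAltName extension, not the CN, so it is added at signing time.
    #    -CAcreateserial yields a random serial instead of the fixed "01".
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > server.ext
    openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem \
      -CAcreateserial -extfile server.ext -out server-cert.pem 2>/dev/null
  )
}

# verify_certs OUTDIR FQDN: returns 0 only if the server cert chains to the CA,
# is valid for FQDN, and carries the same public key as the private key next to it.
verify_certs() {
  outdir="$1"
  fqdn="$2"
  openssl verify -CAfile "$outdir/ca-cert.pem" -verify_hostname "$fqdn" \
    "$outdir/server-cert.pem" >/dev/null 2>&1 || return 1
  kpub=$(openssl pkey -in "$outdir/server-key.pem" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$outdir/server-cert.pem" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# key_is_private FILE: returns 0 if FILE is readable by its owner only (remark 1 of the post)
key_is_private() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Example use with the directory from the post (FQDN is an example value):
#   make_certs anthias.example.lan ~/screenly/SSL && verify_certs ~/screenly/SSL anthias.example.lan
```

Run `verify_certs` again with a different hostname to see the SAN check fail; that is the same check a browser performs when the Common Name or SAN does not match the address typed into it.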

Remarks

  1. As I wrote, this is a quick & dirty hack. Protect the content of the SSL directory; there are secrets among the files inside, which shall not be distributed.
  2. While creating certs, pay special attention to the Common Name field: the value should be the exact FQDN of the server.
  3. Volumes could be mounted in more elegant places.
  4. You may track execution of containers by running docker compose up.
  5. As I'm not sure whether Nginx port 80 is used for internal communication between containers (e.g. REST API calls), I left it operational, but not forwarded from the container to the host.
  6. Feel free to ansible everything :wink: