Commit 024e7d49 authored by Robert Schambach's avatar Robert Schambach

Enable TLS (mutual, CAS-issued certificates) between nginx and FastAPI

parent cae0f1d2
......@@ -2,7 +2,12 @@ events {}
http {
server {
location / {
proxy_pass http://fastapi-scone:8000;
proxy_pass https://fastapi-scone:8000;
proxy_ssl_certificate /etc/nginx/fastapi-client.crt;
proxy_ssl_certificate_key /etc/nginx/fastapi-client.key;
proxy_ssl_trusted_certificate /etc/nginx/fastapi-ca.crt;
proxy_ssl_verify on;
proxy_ssl_session_reuse on;
}
}
}
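Review bot: `proxy_ssl_verify on` validates the chain against fastapi-ca.crt, but nginx checks the upstream certificate's name against the literal host in `proxy_pass` (`fastapi-scone`) unless `proxy_ssl_name` is set, so this only works while the policy's `$FASTAPI_HOST` SAN equals that literal. Pin it explicitly and restrict protocols, e.g. `proxy_ssl_name fastapi-scone;` and `proxy_ssl_protocols TLSv1.2 TLSv1.3;` next to the verify line, so a changed FASTAPI_HOST fails loudly at config time rather than at the first request. The `server` block's `listen` directive is outside this hunk, but the deployment still exposes plain port 80, so presumably the client-to-nginx hop remains cleartext after this change; worth a one-line comment above `location /` saying only the upstream hop is protected.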
......@@ -34,7 +34,7 @@ spec:
#- name: SCONE_ALLOW_DLOPEN
#value: 2
- name: SCONE_CONFIG_ID
value: database_simpleclient_22243-27489-21957/serve
value: $SIMPLE_CLIENT_CONFIG_ID/serve
- name: SCONE_CAS_ADDR
value: 5-0-0.scone-cas.cf
- name: SCONE_LAS_ADDR
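Review bot: `value: $SIMPLE_CLIENT_CONFIG_ID/serve` is not expanded by Kubernetes — only the `$(VAR)` form is, and only for env vars defined in the same container — so this manifest presumably goes through envsubst or similar with `myenv` sourced first, which is not visible here. If that step is skipped the literal string is handed to the SCONE runtime and attestation against CAS fails at startup, which is safe but confusing to debug. A comment on the line, `# substituted from myenv (NGINX/SIMPLE_CLIENT/MEMCACHED_CONFIG_ID) before kubectl apply; Kubernetes does not expand $VAR`, would save the next person the hunt; the same applies to the memcached and nginx deployments in this commit.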
......@@ -32,7 +32,7 @@ spec:
- name: SCONE_ALLOW_DLOPEN
value: "2"
- name: SCONE_CONFIG_ID
value: memcached_policy_22243-27489-21957/memcached
value: $MEMCACHED_CONFIG_ID/memcached
- name: SCONE_CAS_ADDR
value: "5-0-0.scone-cas.cf"
- name: SCONE_LAS_ADDR
......@@ -18,10 +18,10 @@ spec:
- name: nginx-scone
image: registry.scontain.com:5050/enterjazz/secure-doc-management:nginx-proxy-server
imagePullPolicy: Always
command:
- sh
- -c
- sleep 10000
# command:
# - sh
# - -c
# - sleep 10000
ports:
- name: nginx
containerPort: 80
......@@ -31,8 +31,8 @@ spec:
value: 2G
- name: SCONE_FORK
value: "1"
# - name: SCONE_CONFIG_ID
# value: nginx_policy_3936-9073-27801/nginx
- name: SCONE_CONFIG_ID
value: $NGINX_CONFIG_ID/nginx
- name: SCONE_CAS_ADDR
value: "5-0-0.scone-cas.cf"
- name: SCONE_LAS_ADDR
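Review bot: The debugging override `sh -c 'sleep 10000'` is left commented out rather than removed (lines under `# command:`); a commented-out block that keeps the container alive without ever running nginx is exactly what gets re-enabled in a hurry and shipped, so delete it and rely on git history. Note that `containerPort: 80` stays, so the TLS this commit enables covers only the nginx-to-fastapi hop while the front door remains plaintext — state that in the commit message or README so nobody reads "enable TLS" as end-to-end. The now-active `SCONE_CONFIG_ID` makes the policy's MRENCLAVE binding depend on `SCONE_HEAP=2G` and `SCONE_FORK="1"` matching the arguments used in `pull_latest_images.sh`; a comment such as `# SCONE_HEAP/SCONE_FORK must match get_mrenclave args in pull_latest_images.sh` next to them would keep the two files from drifting.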
......@@ -29,37 +29,77 @@ services:
images:
- name: client_image
injection_files:
- path: /etc/mariadb-ca.crt
content: $$SCONE::MARIADB_CA_CERT.chain$$ # Use the database session's CA certificate as a trusted root CA cert. We can use chain here because we verify the session name in the DB
- path: /etc/mariadb-client.crt
content: $$SCONE::MARIADB_CLIENT_CERT.crt$$
- path: /etc/mariadb-client.key
content: $$SCONE::MARIADB_CLIENT_CERT.key$$
- path: /etc/memcached-ca.crt
content: $$SCONE::MEMCACHED_CA_CERT.chain$$
- path: /etc/memcached-client.crt
content: $$SCONE::MEMCACHED_CLIENT_CERT.crt$$
- path: /etc/memcached-client.key
content: $$SCONE::MEMCACHED_CLIENT_CERT.key$$
- path: /etc/fastapi-ca.crt
content: $$SCONE::FASTAPI_CA_CERT.chain$$
- path: /etc/server.crt
content: $$SCONE::fastapi.crt$$
- path: /etc/server.key
content: $$SCONE::fastapi.key$$
- path: /etc/client.crt
content: $$SCONE::FASTAPI_CLIENT_CERT.crt$$ # export client certificate
- path: /etc/client.key
content: $$SCONE::FASTAPI_CLIENT_CERT.key$$ # export client key
- path: /etc/mariadb-ca.crt
content: $$SCONE::MARIADB_CA_CERT.chain$$ # Use the database session's CA certificate as a trusted root CA cert. We can use chain here because we verify the session name in the DB
- path: /etc/mariadb-client.crt
content: $$SCONE::MARIADB_CLIENT_CERT.crt$$
- path: /etc/mariadb-client.key
content: $$SCONE::MARIADB_CLIENT_CERT.key$$
- path: /etc/memcached-ca.crt
content: $$SCONE::MEMCACHED_CA_CERT.chain$$
- path: /etc/memcached-client.crt
content: $$SCONE::MEMCACHED_CLIENT_CERT.crt$$
- path: /etc/memcached-client.key
content: $$SCONE::MEMCACHED_CLIENT_CERT.key$$
# Import client credentials from DB session.
secrets:
- name: db_user
kind: ascii
value: $DB_USER
- name: MARIADB_CLIENT_CERT
import:
session: $DB_SESSION
secret: MARIADB_CLIENT_CERT
- name: MARIADB_CA_CERT
import:
session: $DB_SESSION
secret: MARIADB_CA_CERT
- name: MEMCACHED_CLIENT_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CLIENT_CERT
- name: MEMCACHED_CA_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CA_CERT
# fastapi - mariadb tls
- name: db_user
kind: ascii
value: $DB_USER
- name: MARIADB_CLIENT_CERT
import:
session: $DB_SESSION
secret: MARIADB_CLIENT_CERT
- name: MARIADB_CA_CERT
import:
session: $DB_SESSION
secret: MARIADB_CA_CERT
# fastapi - memcached tls
- name: MEMCACHED_CLIENT_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CLIENT_CERT
- name: MEMCACHED_CA_CERT
import:
session: $MEMCACHED_SESSION
secret: MEMCACHED_CA_CERT
# specific for fastapi - nginx tls
- name: fastapi-key # automatically generate FASTAPI server certificate
kind: private-key
- name: fastapi # automatically generate FASTAPI server certificate
private_key: fastapi-key
issuer: FASTAPI_CA_CERT
kind: x509
dns:
- $FASTAPI_HOST
- name: FASTAPI_CLIENT_KEY
kind: private-key
export:
- session: $NGINX_SESSION
- name: FASTAPI_CLIENT_CERT # automatically generate client certificate
private_key: FASTAPI_CLIENT_KEY
issuer: FASTAPI_CA_CERT
common_name: FASTAPI_CLIENT_CERT
kind: x509
export:
- session: $NGINX_SESSION # export client cert/key to upload session
- name: FASTAPI_CA_KEY # export session CA certificate as FASTAPI CA certificate
kind: private-key
- name: FASTAPI_CA_CERT # export session CA certificate as FASTAPI CA certificate
kind: x509-ca
common_name: FASTAPI_CA
private_key: FASTAPI_CA_KEY
export:
- session: $NGINX_SESSION # export the session CA certificate to upload session
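Review bot: The `/etc/client.crt` and `/etc/client.key` injections place the FASTAPI client private key inside the FastAPI server image, but that credential exists for nginx (it is exported to `$NGINX_SESSION` below) and the server only needs `server.crt`, `server.key` and `fastapi-ca.crt`; unless the server uses it for something not shown, drop those two entries so the client key lives in exactly one enclave. The trailing comments "export client certificate" / "export client key" on those lines are misleading for the same reason — injection into the client_image is not an export. For `FASTAPI_CA_CERT`, exporting the whole `x509-ca` secret to the nginx session may also make its `.key` importable (I cannot tell from here how CAS treats exports of CA secrets); if so, the nginx policy could mint its own client certificates, and exporting only the certificate material would be preferable — please confirm against the CAS docs.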
name: $NGINX_SESSION
version: "0.3"
# Access control:
# - only the data owner (CREATOR) can read or update the session
# - even the data owner cannot read the session secrets (i.e., the volume key and tag) or delete the session
access_policy:
read:
- CREATOR
update:
- CREATOR
security:
attestation:
tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]
ignore_advisories: "*"
services:
- name: nginx
image_name: nginx_image
command: ["nginx", "-g", "master_process off; daemon off;"]
mrenclaves: ["$MRENCLAVE_NGINX"]
pwd: /
#fspf_path: /fspf.pb
#fspf_key: $NGINX_POLICY_FSPF_KEY
#fspf_tag: $NGINX_POLICY_FSPF_TAG
images:
- name: nginx_image
injection_files:
- path: /etc/nginx/fastapi-ca.crt
content: $$SCONE::FASTAPI_CA_CERT.chain$$
- path: /etc/nginx/fastapi-client.crt
content: $$SCONE::FASTAPI_CLIENT_CERT.crt$$
- path: /etc/nginx/fastapi-client.key
content: $$SCONE::FASTAPI_CLIENT_CERT.key$$
# Import client credentials from DB session.
secrets:
# nginx - fastapi tls
- name: FASTAPI_CLIENT_CERT
import:
session: $DB_SIMPLECLIENT
secret: FASTAPI_CLIENT_CERT
- name: FASTAPI_CA_CERT
import:
session: $DB_SIMPLECLIENT
secret: FASTAPI_CA_CERT
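Review bot: `tolerate: [debug-mode, hyperthreading, outdated-tcb, insecure-configuration]` together with `ignore_advisories: "*"` accepts debug-mode enclaves and every SGX advisory, so the `mrenclaves` entry is the only attestation guarantee left in this new nginx policy; mark it as a development setting, e.g. `# DEV ONLY: accepts debug enclaves and ignores all advisories; tighten before production`. The access-policy comment about "the volume key and tag" is copied from a template and does not apply here (this session defines no volume), and `# Import client credentials from DB session.` is wrong — the secrets come from the FastAPI session `$DB_SIMPLECLIENT`; rewrite it as `# Import the nginx client credential and FASTAPI CA from the FastAPI session.` With `fspf_*` commented out, the nginx.conf in the image is presumably not integrity-protected by the policy, so only the injected certificate files are covered — worth a note next to the commented fspf lines if that is intentional.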
......@@ -21,10 +21,11 @@ MARIADB_IMAGE=${MARIADB_BASE_IMAGE:-"sconecuratedimages/apps:mariadb-10.4-alpine
FASTAPISERVER_IMAGE=${FASTAPISERVER_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:fastapi-server"}
CLI_IMAGE=${CLI_IMAGE:-"sconecuratedimages/sconecli:alpine3.10-scone5.0.0"}
MEMCACHED_IMAGE=${MEMCACHED_BASE_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:memcached-tls"}
NGINX_IMAGE=${NGINX_IMAGE:-"registry.scontain.com:5050/enterjazz/secure-doc-management:nginx-proxy-server"}
echo "Pulling the latest images. Make sure you have access to all of them!"
for img in $MARIADB_IMAGE $CAS_IMAGE $FASTAPISERVER_IMAGE $CLI_IMAGE $MEMCACHED_IMAGE; do
for img in $MARIADB_IMAGE $CAS_IMAGE $FASTAPISERVER_IMAGE $CLI_IMAGE $MEMCACHED_IMAGE $NGINX_IMAGE; do
docker pull $img
done
......@@ -37,6 +38,7 @@ MRENCLAVE_MY_PRINT_DEFAULTS=$(get_mrenclave $MARIADB_IMAGE my_print_defaults "-e
MRENCLAVE_MYSQL=$(get_mrenclave $MARIADB_IMAGE mysql "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=1 --entrypoint=""")
MRENCLAVE_SIMPLECLIENT_FASTAPISERVER=$(get_mrenclave $FASTAPISERVER_IMAGE python3 "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=2")
MRENCLAVE_MEMCACHED=$(get_mrenclave $MEMCACHED_IMAGE memcached "-e SCONE_HEAP=2G -e SCONE_ALLOW_DLOPEN=2")
MRENCLAVE_NGINX=$(get_mrenclave $NGINX_IMAGE nginx "-e SCONE_HEAP=2G -e SCONE_FORK=1")
cat > /tmp/mrenclaves.sh << EOF
export CAS_MRENCLAVE="$CAS_MRENCLAVE"
......@@ -45,6 +47,7 @@ export MRENCLAVE_MYSQL="$MRENCLAVE_MYSQL"
export MRENCLAVE_MY_PRINT_DEFAULTS="$MRENCLAVE_MY_PRINT_DEFAULTS"
export MRENCLAVE_SIMPLECLIENT_FASTAPISERVER="$MRENCLAVE_SIMPLECLIENT_FASTAPISERVER"
export MRENCLAVE_MEMCACHED="$MRENCLAVE_MEMCACHED"
export MRENCLAVE_NGINX="$MRENCLAVE_NGINX"
EOF
sed 's/\r//g' /tmp/mrenclaves.sh > mrenclaves.sh
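Review bot: `MRENCLAVE_NGINX` is computed from whatever `nginx-proxy-server` tag is local when the script runs, while the deployment pulls that same mutable tag with `imagePullPolicy: Always`, so a re-pushed tag silently moves the policy or makes the cluster fail attestation against a stale measurement. Pin the image by digest in both places (`registry.scontain.com:5050/enterjazz/secure-doc-management@sha256:...`) so the measured image and the deployed image are provably the same artifact. The `-e SCONE_HEAP=2G -e SCONE_FORK=1` arguments must also stay in lockstep with the nginx deployment's env vars; a comment on that line, `# must match SCONE_HEAP/SCONE_FORK in the nginx deployment manifest`, documents the coupling.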
......@@ -10,11 +10,13 @@ POSTFIX=$RANDOM-$RANDOM-$RANDOM
export DB_SESSION="database_policy_$POSTFIX"
export DB_SIMPLECLIENT="database_simpleclient_$POSTFIX"
export MEMCACHED_SESSION="memcached_policy_$POSTFIX"
export NGINX_SESSION="nginx_policy_$POSTFIX"
# MRENCLAVEs.
# Run `pull_latest_images.sh` to export the correct, up-to-date
# MRENCLAVES to your environment.
source "${BASH_SOURCE%/*}/mrenclaves.sh"
source "${BASH_SOURCE%/*}/fspf_variables.sh"
# Parse CAS address.
# If provided SCONE_CAS_ADDR is an IPv4 address,
......@@ -61,7 +63,6 @@ fi
if [ ! -z "$MEMCACHED_SESSION" ]; then
source "${BASH_SOURCE%/*}/fspf_variables.sh"
echo "Uploading policy $MEMCACHED_SESSION (memcached)..."
scone session create --use-env "${BASH_SOURCE%/*}/mc_session.yml"
echo ""
......@@ -69,12 +70,19 @@ if [ ! -z "$MEMCACHED_SESSION" ]; then
fi
if [ ! -z "$NGINX_SESSION" ]; then
echo "Uploading policy $NGINX_SESSION (nginx)..."
scone session create --use-env "${BASH_SOURCE%/*}/nginx_session.yml"
echo ""
echo "export NGINX_CONFIG_ID="$NGINX_SESSION"" >> "${BASH_SOURCE%/*}/myenv"
fi
if [ ! -z "$DB_SESSION" ]; then
# Server FSPF key and tag.
# This should be generated in advance, when building
# a MariaDB image with encrypted libs.
# Please refer to the documentation at github.com/scontain/scone-templates.
source "${BASH_SOURCE%/*}/fspf_variables.sh"
echo "Uploading policy $DB_SESSION (MariaDB server)..."
scone session create --use-env "${BASH_SOURCE%/*}/db_session.yml"
......@@ -87,3 +95,5 @@ echo "export SCONE_CAS_ADDR="$SCONE_CAS_ADDR"" >> "${BASH_SOURCE%/*}/myenv"
# Uncomment to double check submitted policies.
#scone session read $DB_SESSION
#scone session read $DB_SIMPLECLIENT
#scone session read $MEMCACHED_SESSION
#scone session read $NGINX_SESSION
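Review bot: The new nginx policy imports `FASTAPI_CLIENT_CERT` and `FASTAPI_CA_CERT` from `$DB_SIMPLECLIENT`, but the `scone session create` for that FastAPI session is outside these hunks, so please confirm it runs before the nginx upload added here; if CAS resolves imports at creation time the ordering matters. The `if [ ! -z "$NGINX_SESSION" ]` guard is vacuous because `NGINX_SESSION` is unconditionally set above, which is consistent with the neighbouring blocks but worth knowing. The nested quoting in `echo "export NGINX_CONFIG_ID="$NGINX_SESSION""` works only by accidental concatenation; `echo "export NGINX_CONFIG_ID=$NGINX_SESSION"` is the intended form. `fspf_variables.sh` is now sourced at the top and again inside the `DB_SESSION` block, so the second `source` is redundant.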
......@@ -48,11 +48,12 @@ export SCONE_CAS_ADDR=${SCONE_CAS_ADDR:-5-0-0.scone-cas.cf} # for production use
export DB_HOST=${DB_HOST:-$RELEASE_NAME-mariadb-scone}
export DB_USER=${DB_USER:-scontain}
export MEMCACHED_HOST=${MEMCACHED_HOST:-memcached-scone}
export FASTAPI_HOST=${FASTAPI_HOST:-fastapi-scone}
kubectl port-forward service/cas 8081:8081 & # remove this and network= host for production
# -e SCONE_LAS_ADDR=172.17.0.1
docker run -it --rm --network=host -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=las-scone -e RELEASE_NAME=$RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER -e MEMCACHED_HOST=$MEMCACHED_HOST --device /dev/isgx -v $PWD:/policies sconecuratedimages/sconecli:alpine3.10-scone5.0.0 bash /policies/upload_policies.sh
docker run -it --rm --network=host -e SCONE_CAS_ADDR=$SCONE_CAS_ADDR -e SCONE_LAS_ADDR=las-scone -e RELEASE_NAME=$RELEASE_NAME -e DB_HOST=$DB_HOST -e DB_USER=$DB_USER -e MEMCACHED_HOST=$MEMCACHED_HOST -e FASTAPI_HOST=$FASTAPI_HOST --device /dev/isgx -v $PWD:/policies sconecuratedimages/sconecli:alpine3.10-scone5.0.0 bash /policies/upload_policies.sh
source myenv
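Review bot: `FASTAPI_HOST` becomes the SAN of the server certificate issued by the policy, and nginx verifies the upstream name against the literal `fastapi-scone` in its `proxy_pass`, so overriding `FASTAPI_HOST` here without also changing nginx.conf makes every proxied request fail TLS verification; document that coupling on the export line, `# must match the proxy_pass host in nginx.conf (cert SAN is verified)`. The `kubectl port-forward ... &` is started and never stopped, so it outlives the script; `PF_PID=$!` followed by `trap 'kill $PF_PID' EXIT` right after it would clean up. The policy upload itself runs with `--network=host` and the host's `$PWD` mounted into the CLI container, which is fine for a dev loop but worth a comment given it now also handles the nginx client key material.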
......@@ -214,7 +214,7 @@ def insert_document(document: Document, username: str):
# main
if __name__ == "__main__":
# get uvicorn TLS args for secure connection to nginx
server_ca_path = '/etc/server-ca.crt'
server_ca_path = '/etc/fastapi-ca.crt'
server_cert_path = '/etc/server.crt'
server_key_path = '/etc/server.key'
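Review bot: The CA path now matches the `/etc/fastapi-ca.crt` injection in the policy, but whether it is actually enforced depends on how uvicorn is started further down, which is outside this hunk: the file must be passed as `ssl_ca_certs=server_ca_path` together with `ssl_cert_reqs=ssl.CERT_REQUIRED`, otherwise any client that can reach port 8000 bypasses the nginx-only mTLS this commit sets up. A comment on the line, `# CA used to require and verify the nginx client certificate (ssl_cert_reqs=CERT_REQUIRED)`, would make the intent explicit. The `__main__` block continues past this hunk.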