add all the new ssl awesomeness to version 4.6

Author: blacktop

4.6/Dockerfile

@@ -25,7 +25,7 @@ ENV ELASTIC 2.4.1
 ENV LOGSTASH 2.4.0
 ENV KIBANA 4.6.2
 
-RUN apk-install libzmq bash nodejs supervisor nginx apache2-utils
+RUN apk-install libzmq bash nodejs supervisor nginx apache2-utils openssl
 RUN mkdir -p /usr/local/lib \
 	&& ln -s /usr/lib/*/libzmq.so.3 /usr/local/lib/libzmq.so
 RUN apk-install -t .build-deps wget ca-certificates \
@@ -68,6 +68,8 @@ RUN apk-install -t .build-deps wget ca-certificates \
   && apline_node='NODE="/usr/bin/node"' \
   && sed -i "s|$bundled|$apline_node|g" /usr/share/kibana/bin/kibana \
   && rm -rf /usr/share/kibana/node \
+  && echo "Make Ngins SSL directory..." \
+  && mkdir -p /etc/nginx/ssl \
   && echo "Create elstack user..." \
   && adduser -DH -s /sbin/nologin elstack \
   && chown -R elstack:elstack /usr/share/elasticsearch \
@@ -84,23 +86,28 @@ ENV PATH /usr/share/kibana/bin:$PATH
 # Add custom elasticsearch config
 COPY config/elastic /usr/share/elasticsearch/config
 COPY config/elastic/logrotate /etc/logrotate.d/elasticsearch
+
 # Add custom logstash config
 COPY config/logstash/conf.d/ /etc/logstash/conf.d/
 COPY config/logstash/patterns/ /opt/logstash/patterns/
 COPY config/logstash/logstash.yml /etc/logstash/
+
 # necessary for 5.0+ (overriden via "--path.settings", ignored by < 5.0)
 ENV LS_SETTINGS_DIR /etc/logstash
+
 # Add custom nginx config
 COPY config/nginx/nginx.conf /etc/nginx/nginx.conf
 COPY config/nginx/kibana.conf /etc/nginx/conf.d/
-COPY config/nginx/htpasswd /etc/nginx/htpasswd.users
+COPY config/nginx/ssl.kibana.conf /etc/nginx/conf.d/
+
 # Add custom supervisor config
 COPY config/supervisord/supervisord.conf /etc/supervisor/
 
 # Add entrypoints
 COPY entrypoints/elastic-entrypoint.sh /
 COPY entrypoints/logstash-entrypoint.sh /
 COPY entrypoints/kibana-entrypoint.sh /
+COPY entrypoints/nginx-entrypoint.sh /
 
 VOLUME ["/usr/share/elasticsearch/data"]
 VOLUME ["/etc/logstash/conf.d"]

4.6/Makefile

@@ -7,8 +7,10 @@ dev:
 	docker run --rm $(NAME):dev $(DEV_RUN_OPTS)
 
 build:
-	docker build -t $(NAME):$(VERSION) .; sleep 3;
-	sed -i.bu 's/docker image-.*-blue/docker image-$(shell docker images --format "{{.Size}}" $(NAME):$(VERSION))-blue/g' ../README.md
+	docker build -t blacktop/$(NAME):$(VERSION) .
+
+size:
+	sed -i.bu 's/docker image-.*-blue/docker image-$(shell docker images --format "{{.Size}}" blacktop/$(NAME):$(VERSION))-blue/g' ../README.md
 
 release:
 	rm -rf release && mkdir release

4.6/config/nginx/kibana.conf

@@ -3,9 +3,6 @@ server {
 
     server_name elstack;
 
-    auth_basic "Restricted Access";
-    auth_basic_user_file /etc/nginx/htpasswd.users;
-
     location / {
         proxy_pass http://127.0.0.1:5601;
         proxy_http_version 1.1;

4.6/config/nginx/ssl.kibana.conf

@@ -0,0 +1,31 @@
+server {
+  	listen [::]:80 default_server;
+    listen 80 default_server;
+
+  	server_name _;
+
+  	return 301 https://$host$request_uri;
+}
+
+server {
+    listen [::]:443 ssl http2;
+    listen 443 ssl http2;
+
+  	server_name _;
+
+    auth_basic "Restricted Access";
+    auth_basic_user_file /etc/nginx/htpasswd.users;
+
+    ssl on;
+    ssl_certificate /etc/nginx/ssl/kibana.crt;
+    ssl_certificate_key /etc/nginx/ssl/kibana.key;
+
+    location / {
+        proxy_pass http://127.0.0.1:5601;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+    }
+}

4.6/config/supervisord/supervisord.conf

@@ -7,15 +7,15 @@ autostart=true
 autorestart=true
 stdout_logfile=/var/log/logstash.stdout.log
 stderr_logfile=/var/log/logstash.stderr.log
-priority=2
+# priority=2
 
 [program:elasticsearch]
 command = /elastic-entrypoint.sh elasticsearch
 autostart=true
 autorestart=true
 stdout_logfile=/var/log/elasticsearch.stdout.log
 stderr_logfile=/var/log/elasticsearch.stderr.log
-priority=1
+# priority=1
 
 [program:kibana]
 command = /kibana-entrypoint.sh kibana
@@ -26,9 +26,9 @@ stdout_logfile=/var/log/kibana.stdout.log
 stderr_logfile=/var/log/kibana.stderr.log
 
 [program:nginx]
-command = nginx -g 'daemon off;'
+command = /nginx-entrypoint.sh
 autostart=true
 autorestart=true
 stdout_logfile=/var/log/nginx.stdout.log
 stderr_logfile=/var/log/nginx.stderr.log
-priority=4
+# priority=4

4.6/entrypoints/nginx-entrypoint.sh

@@ -1,16 +1,27 @@
-#!/bin/sh
+#!/bin/bash
 
-set -e
+: ${ELSK_USER:="admin"}
+: ${ELSK_PASS:="admin"}
+: ${ELSK_DOMAIN:="localhost"}
 
-# Add logstash as command if needed
-if [ "${1:0:1}" = '-' ]; then
-	set -- nginx "$@"
-fi
+if [ -z "$SSL" ]; then
+		echo ">> using non-ssl nginx conf"
+		rm /etc/nginx/conf.d/ssl.kibana.conf
+		exec nginx -g 'daemon off;'
+else
+		echo ">> generating basic auth"
+		htpasswd -b -c /etc/nginx/htpasswd.users "$ELSK_USER" "$ELSK_PASS"
 
-# Run as user "nginx" if the command is "nginx"
-if [ "$1" = 'nginx' ]; then
+		if [ ! -e "/etc/nginx/ssl/*.key" ]; then
+			  echo ">> generating self signed cert"
+			  openssl req -x509 -newkey rsa:4086 \
+			  -subj "/C=XX/ST=XXXX/L=XXXX/O=XXXX/CN=$ELSK_DOMAIN" \
+			  -keyout "/etc/nginx/ssl/kibana.key" \
+			  -out "/etc/nginx/ssl/kibana.crt" \
+			  -days 3650 -nodes -sha256
+		fi
 
-	set -- gosu elstack tini -- "$@"
+		echo ">>  using ssl nginx conf"
+		rm /etc/nginx/conf.d/kibana.conf
+		exec nginx -g 'daemon off;'
 fi
-
-exec "$@"

CHANGELOG.md

@@ -17,7 +17,7 @@ Same as v5.0
 
 ### Added
 
--	Nginx entrypoint to pass USER/PASS in as env vars
+-	Nginx entry-point to pass USER/PASS in as env vars
 -	SSL (auto-create certs if not found)
 -	tini/gosu to all the things  
 -	geoip/user-agent plugin
@@ -36,6 +36,9 @@ Same as v5.0
 
 ### Added
 
+-	Nginx entry-point to pass USER/PASS in as env vars
+-	SSL (auto-create certs if not found)
+
 ### Removed
 
 ### Changed