modify config for production saml

docker-compose.yml.example

@@ -30,7 +30,7 @@ services:
       - "8080:443"
     volumes:
       - ./src:/var/www
-      - ./nginx/conf.d/:/etc/nginx/conf.d
+      - ./nginx/conf.d/app.conf:/etc/nginx/conf.d/app.conf
       - ./nginx/dhparam/:/run/dhparam
       # Saml config
       - ./simplesamlphp-1.18.5:/var/simplesamlphp

docker-compose.yml.prod

@@ -32,17 +32,13 @@ services:
       - "80:80"
     volumes:
       - ./src:/var/www
-      - ./nginx/conf.d/:/etc/nginx/conf.d
+      - ./nginx/conf.d/prod.conf:/etc/nginx/conf.d/prod.conf
       - ./nginx/dhparam/:/run/dhparam
       # Saml config
       - ./simplesamlphp-1.18.5:/var/simplesamlphp
-      - ./simple-saml/cert:/var/simplesamlphp/cert
-      - ./simple-saml/config:/var/simplesamlphp/config
-      - ./simple-saml/metadata:/var/simplesamlphp/metadata
-      - ./simplesamlphp-1.18.5:/var/simplesamlphp-idp
-      - ./simple-saml-idp/cert:/var/simplesamlphp-idp/cert
-      - ./simple-saml-idp/config:/var/simplesamlphp-idp/config
-      - ./simple-saml-idp/metadata:/var/simplesamlphp-idp/metadata
+      - ./simple-saml-prod/cert:/var/simplesamlphp/cert
+      - ./simple-saml-prod/config:/var/simplesamlphp/config
+      - ./simple-saml-prod/metadata:/var/simplesamlphp/metadata
     networks:
       - doorcode
   postgres:
@@ -83,12 +79,8 @@ services:
       - ./php/prod.ini:/usr/local/etc/php/conf.d/local.ini
       # Map saml files to the php-fpm server so it has access to them as well
       - ./simplesamlphp-1.18.5:/var/simplesamlphp
-      - ./simple-saml/cert:/var/simplesamlphp/cert
-      - ./simple-saml/config:/var/simplesamlphp/config
-      - ./simple-saml/metadata:/var/simplesamlphp/metadata
-      - ./simplesamlphp-1.18.5:/var/simplesamlphp-idp
-      - ./simple-saml-idp/cert:/var/simplesamlphp-idp/cert
-      - ./simple-saml-idp/config:/var/simplesamlphp-idp/config
-      - ./simple-saml-idp/metadata:/var/simplesamlphp-idp/metadata
+      - ./simple-saml-prod/cert:/var/simplesamlphp/cert
+      - ./simple-saml-prod/config:/var/simplesamlphp/config
+      - ./simple-saml-prod/metadata:/var/simplesamlphp/metadata
     networks:
       - doorcode

nginx/conf.d/prod.conf

+# Only difference between this file and the dev file is the saml config. For prod there is no IDP and the url is changed
+# to just saml
+
+# Thers a stupid bug in nginx that's been around for years that makes it so we can't easily put both front and backend
+# on the same server. So we'll just do a proxy pass...
+# Checkout https://ssl-config.mozilla.org/ for ocnfiguring secure ssl
+upstream localhost.api {
+    server 127.0.0.1:443;
+}
+
+server {
+    listen 80;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    server_name localhost;
+    listen 443 ssl;
+    index  index.php index.html;
+
+    ssl_certificate /run/secrets/webserver_cert;
+    ssl_certificate_key /run/secrets/webserver_key;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+    ssl_dhparam /run/dhparam/dhparam;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    ssl_trusted_certificate /run/secrets/root_cert;
+
+    error_log /var/log/nginx/error.log;
+    access_log /var/log/nginx/access.log;
+    root /var/www/frontend/dist;
+
+    location ^~ /saml {
+        alias /var/simplesamlphp/www;
+
+        location ~ \.php(/|$) {
+            include fastcgi_params;
+            fastcgi_pass api:9000;
+            fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
+            fastcgi_param SCRIPT_FILENAME $request_filename;
+            fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
+        }
+    }
+
+    location /pgadmin4 {
+        proxy_set_header X-Script-Name /pgadmin4/;
+        proxy_set_header X-Scheme $scheme;
+        proxy_set_header Host $http_host;
+        proxy_pass http://dbadmin/;
+        proxy_redirect off;
+    }
+
+    location /api {
+        proxy_pass https://localhost.api;
+    }
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}
+
+
+server {
+    server_name localhost.api;
+    listen 443 ssl;
+    index  index.php index.html;
+
+    ssl_certificate /run/secrets/webserver_cert;
+    ssl_certificate_key /run/secrets/webserver_key;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+    ssl_dhparam /run/dhparam/dhparam;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
+
+    ssl_trusted_certificate /run/secrets/root_cert;
+
+    error_log /var/log/nginx/error.log;
+    access_log /var/log/nginx/access.log;
+    root /var/www/backend/public;
+
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass api:9000;
+        include fastcgi_params;
+        fastcgi_param  SCRIPT_FILENAME  $request_filename;
+    }
+}

simple-saml-prod/cert/.gitignore

+*
+!.gitignore
\ No newline at end of file

simple-saml-prod/config/.gitignore

+*
+!.gitignore
\ No newline at end of file

simple-saml-prod/metadata/.gitignore

+*
+!.gitignore
\ No newline at end of file