From 9dffefff0c2a083a5c999e297b6c6fcd080e661f Mon Sep 17 00:00:00 2001 From: hugo gogo Date: Wed, 31 Aug 2022 18:04:05 +0200 Subject: [PATCH] modified nginx default conf file + added openssl in nginx site conf file + reorganized readme --- README.md | 73 ++++++++++--------- srcs/requirements/nginx/Dockerfile | 41 ++++++++++- .../nginx/conf/inception_nginx.conf | 25 +++++-- srcs/requirements/nginx/conf/index.html | 2 +- srcs/requirements/nginx/conf/nginx.conf | 2 +- 5 files changed, 95 insertions(+), 48 deletions(-) diff --git a/README.md b/README.md index 75a436d..ff31bb0 100644 --- a/README.md +++ b/README.md @@ -52,17 +52,17 @@ - [download alpine linux](https://alpinelinux.org/downloads/) - [dockerhub alpine image](https://hub.docker.com/_/alpine) +- [run without sudo on linux](https://docs.docker.com/engine/install/linux-postinstall/) + +#### docker : - [docker starter guide](https://docs.docker.com/get-started/) - [docker glossaire](https://docs.docker.com/glossary/) - [Dockerfile syntaxe](https://docs.docker.com/engine/reference/builder/) - [determine the parent image](https://forums.docker.com/t/determine-the-parent-image/48611) - [docker image from scratch](https://codeburst.io/docker-from-scratch-2a84552470c8) - [build context and image context](https://stackoverflow.com/questions/55108649/what-is-app-working-directory-for-a-dockerfile/55109065#55109065) -- [nginx begginer guide](https://hub.docker.com/_/nginx/) -- [nginx all directives for conf file](https://nginx.org/en/docs/dirindex.html) - -#### docker pid 1 +**docker pid 1** - nginx by default will create some child process (a master and some workers), then it quits (doc ?) - when the first process of a docker container exit, the container exit (doc ?) - so we must tell nginx to not go background : "-g 'daemon off'" 
@@ -73,44 +73,45 @@ - "When PID 1 exits, the container will exit" (where is says in the doc ?) - ["By design, containers started in detached mode exit when the root process used to run the container exits"](https://docs.docker.com/engine/reference/run/#detached--d) -#### install and use docker and compose - +**install and use docker and compose** - [how to install docker engine](https://docs.docker.com/engine/install/ubuntu/) - [github releases](https://github.com/docker/compose/releases) - [install last version of compose manually](https://docs.docker.com/compose/install/compose-plugin/#install-the-plugin-manually) - [install manually SO discussion](https://stackoverflow.com/questions/57456212/error-version-in-docker-compose-yml-is-unsupported) - [correct release version name for download with a 'v'](https://stackoverflow.com/questions/58747879/docker-compose-usr-local-bin-docker-compose-line-1-not-command-not-found) - the version installed with apt is 1.17.1, way out of date +- **remove old versions** + - `sudo apt remove docker docker-engine docker.io containerd runc` +- **preparing directory** + - `sudo apt update` + - `sudo apt install ca-certificates curl gnupg lsb-release` + - `sudo mkdir -p /etc/apt/keyrings` + - `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg` + - `echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null` +- **installing docker engine** + - `sudo apt update` + - `sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin` +- **check if installation worked** + - `sudo docker run hello-world` +- **installing docker compose** checked version on github release, see above + - notice the 'v' below, before the version name (docker doc has it wong) + - `sudo curl -L 
"https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose` + - `sudo chmod +x /usr/local/bin/docker-compose` +**volumes vs bind mounts :** + - [docker doc: use volumes](https://docs.docker.com/storage/volumes/) + - [docker doc: use bind mounts](https://docs.docker.com/storage/bind-mounts/) + - [comparison volume vs bind mounts](https://devopscook.com/docker-volumes-vs-bind-mounts/) + - [fundamentals use of volumes and bind mounts](https://medium.com/dlt-labs-publication/bind-mounts-volumes-in-docker-81523303cbb4) + - [how volumes and bind mounts are really differents](https://serverfault.com/questions/996785/docker-volumes-vs-mount-binds-what-are-the-use-cases) + - bind mounts are normal files anywhere on the computer, that docker container can access with absolut path and modify. They can also be modified without docker, since they are juste files + - volumes are only modifiable by docker, they don't need an absolut path, and they are not dependent of host architecture -**remove old versions** -- `sudo apt remove docker docker-engine docker.io containerd runc` -**preparing directory** -- `sudo apt update` -- `sudo apt install ca-certificates curl gnupg lsb-release` -- `sudo mkdir -p /etc/apt/keyrings` -- `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg` -- `echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null` -**installing docker engine** -- `sudo apt update` -- `sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin` -**check if installation worked** -- `sudo docker run hello-world` -**installing docker compose** checked version on github release, see above -- notice the 'v' below, before the version name (docker doc has it wong) -- `sudo curl -L 
"https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose` -- `sudo chmod +x /usr/local/bin/docker-compose` +#### nginx +- [nginx begginer guide](https://hub.docker.com/_/nginx/) +- [nginx all directives for conf file](https://nginx.org/en/docs/dirindex.html) -#### volumes vs bind mounts - -* [docker doc: use volumes](https://docs.docker.com/storage/volumes/) -* [docker doc: use bind mounts](https://docs.docker.com/storage/bind-mounts/) -* [comparison volume vs bind mounts](https://devopscook.com/docker-volumes-vs-bind-mounts/) -* [fundamentals use of volumes and bind mounts](https://medium.com/dlt-labs-publication/bind-mounts-volumes-in-docker-81523303cbb4) -* [how volumes and bind mounts are really differents](https://serverfault.com/questions/996785/docker-volumes-vs-mount-binds-what-are-the-use-cases) -- bind mounts are normal files anywhere on the computer, that docker container can access with absolut path and modify. They can also be modified without docker, since they are juste files -- volumes are only modifiable by docker, they don't need an absolut path, and they are not dependent of host architecture - -#### tips - -[run without sudo on linux](https://docs.docker.com/engine/install/linux-postinstall/) +#### openssl +- [openssl faq](https://www.openssl.org/docs/faq.html) +- [openssl req man](https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html) +- [SO discussion about ssl self signed certificate and becoming a CA](https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl) diff --git a/srcs/requirements/nginx/Dockerfile b/srcs/requirements/nginx/Dockerfile index f9235ca..2072c53 100644 --- a/srcs/requirements/nginx/Dockerfile +++ b/srcs/requirements/nginx/Dockerfile 
@@ -1,7 +1,13 @@ FROM debian:buster -RUN apt update && apt install -y nginx +RUN apt update && apt install -y nginx openssl +# create ssl certificate +RUN openssl req -newkey rsa:2048 -nodes -x509 \ + -keyout /etc/nginx/cert/hulamy.42.fr.key -out /etc/nginx/cert/hulamy.42.fr.crt \ + -subj "/C=fr/ST=ile-de-france/L=paris/O=42/OU=inception/CN=hulamy.42.fr" + +# import sites conf files COPY ./conf/nginx.conf /etc/nginx/ COPY ./conf/inception_nginx.conf /etc/nginx/conf.d/ 
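Review bot: The new `RUN openssl req ... -keyout /etc/nginx/cert/hulamy.42.fr.key` writes into a directory that nothing in this hunk creates, and the Debian nginx package does not appear to ship an `/etc/nginx/cert` directory, so the build would fail at that step; prefix the command with the mkdir, e.g. `RUN mkdir -p /etc/nginx/cert && openssl req -newkey rsa:2048 -nodes -x509 -days 365 \`. Without `-days`, `openssl req -x509` issues a certificate valid for only 30 days from build time, so the image silently starts serving an expired certificate a month later. Note also that the unencrypted private key becomes part of an image layer and is readable by anyone who can pull the image; for a self-signed development certificate that is tolerable, but a comment stating it, or generating the key at container start, would make the trade-off explicit.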
@@ -12,6 +18,35 @@ COPY ./conf/salade.jpeg /data/images/ CMD [ "nginx", "-g", "daemon off;" ] +# # -g 'daemon off' : -# daemon off, to avoid the main process of nginx to quit after creating its childs, and therefore make docker exit -# https://stackoverflow.com/questions/18861300/how-to-run-nginx-within-a-docker-container-without-halting +# daemon off, to avoid the main process of nginx to quit after creating its childs, and therefore make docker exit +# https://stackoverflow.com/questions/18861300/how-to-run-nginx-within-a-docker-container-without-halting +# +# ssl certificate : +# openssl faq : https://www.openssl.org/docs/faq.html +# openssl req : create ertificate request, and optionally create self signed certificates +# openssl req man : https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html +# exemple of openssl with nginx on docker : https://www.johnmackenzie.co.uk/posts/using-self-signed-ssl-certificates-with-docker-and-nginx/ +# +# usually the steps are : +# - create a server private key : `openssl genrsa -out server.key 2048` +# - create a CSR (certificate signing request) with the key : `openssl req -new -key server.key -out www.exemple.com.csr` +# - it will ask for : +# - Country Name (2 letter code) +# - State or Province Name (full name) +# - Locality Name (eg, city) +# - Organization Name (eg, company) +# - Organizational Unit Name (eg, section) +# - Common Name (eg, fully qualified host name) +# - Email Address (put nothing) +# - now ask to a CA (certificate authority) for a certificate.crt by giving them your request.csr +# +# alternatively we can generate our self-signed certificate with the `openssl req` command : +# - `x509` option is used to output a certificate instead of a certificate request +# - a request is created from scratch, if it is not given with `-in` +# - `newkey` generate a new private key, unless `-key` is given +# - `nodes` create a private key without encryption (no passphrase needed) +# +# SO discussion about becomming a 
real CA to have a certificate that works in deployement : https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl + diff --git a/srcs/requirements/nginx/conf/inception_nginx.conf b/srcs/requirements/nginx/conf/inception_nginx.conf index 13048fc..1047b3f 100644 --- a/srcs/requirements/nginx/conf/inception_nginx.conf +++ b/srcs/requirements/nginx/conf/inception_nginx.conf @@ -1,13 +1,24 @@ server { - # http uses port 80, and https uses port 443 - listen 443 ssl; # for ipv4. - listen [::]:443 ssl; # for ipv6. + listen 80; + listen [::]:80; + server_name localhost; + location / { root /data/www; } + location /images/ { root /data; } +} + +server { + listen 443 ssl; # for ipv4, on port 443, specifying that accepted connections should works in ssl mode + listen [::]:443 ssl; # for ipv6 + server_name hulamy.42.fr; + ssl_certificate /etc/nginx/cert/hulamy.42.fr.crt # specifies the file with the ssl certificate (self signed here) generated by openssl + ssl_certificate-key /etc/nginx/cert/hulamy.42.fr.key # specifies the file with the secret key of the certificate + + root /var/www/html; # contains default nginx index.nginx-debian.html + index index.html index.htm index.nginx-debian.html index.php; # defines files that will be used as index (https://nginx.org/en/docs/http/ngx_http_index_module.html) - server_name localhost; location / { + try_files $uri $uri/ =404; # from /etc/nginx/sites-enabled/default : First attempt to serve request as file, then as directory, then fall back to displaying a 404 + # test root /data/www; } - location /images/ { - root /data; - } } diff --git a/srcs/requirements/nginx/conf/index.html b/srcs/requirements/nginx/conf/index.html index a95200f..e1a0dae 100644 --- a/srcs/requirements/nginx/conf/index.html +++ b/srcs/requirements/nginx/conf/index.html @@ -1 +1 @@ -hello world ! +you are on http connection, on port 80, on localhost 
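Review bot: The new comment block carries several typos that make it harder to grep and read: "ertificate" (certificate), "exemple" (example), "becomming" (becoming), "deployement" (deployment) and "childs" (children) in the moved `daemon off` line. The `-x509` bullet could also state the default validity the command relies on, e.g. `# - without -days, the self signed certificate is valid for 30 days only`, since the Dockerfile's `openssl req` invocation in the first hunk does not pass `-days`.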
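Review bot: The two new TLS directives in the 443 server block are not terminated with `;` and the second one uses a hyphen, so nginx will reject this file at startup: the `#` comment only runs to end of line, and the next lines are then read as further arguments of `ssl_certificate`. They should read `ssl_certificate /etc/nginx/cert/hulamy.42.fr.crt;` and `ssl_certificate_key /etc/nginx/cert/hulamy.42.fr.key;` (the directive is spelled with an underscore), which `nginx -t` would confirm. Unless it is set in nginx.conf outside this diff, the block also inherits the Debian default protocol list, which still allows TLSv1 and TLSv1.1; adding `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines pins the accepted versions. Separately, the unchanged `root /data/www;` kept inside `location /` overrides the new server-level `root /var/www/html;`, so the comment about serving the default Debian index page does not match what the block actually serves; the `# test` marker suggests this is known, but one of the two roots should go.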
diff --git a/srcs/requirements/nginx/conf/nginx.conf b/srcs/requirements/nginx/conf/nginx.conf index dfe39df..67efc4f 100644 --- a/srcs/requirements/nginx/conf/nginx.conf +++ b/srcs/requirements/nginx/conf/nginx.conf @@ -46,7 +46,7 @@ http { # section for http server directives # Gzip Settings ## - gzip on; # enable gzipping of responses. gzip is an algorithm that compress the data + gzip off; # enable gzipping of responses. gzip is an algorithm that compress the data (disabled for security reasons : https://bugs.debian.org/773332) # gzip_vary on; # gzip_proxied any;
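Review bot: The comment on the changed `gzip off;` line still says "enable gzipping of responses", which now contradicts the directive and buries the actual reason at the end of a long line. Something like `gzip off; # response compression disabled: compressing TLS responses can leak secrets through response-length side channels (see https://bugs.debian.org/773332)` states the rationale a future maintainer needs before re-enabling it. Since `off` is nginx's built-in default, the directive is kept only for documentation, which is fine as long as the comment says so; the still-commented `# gzip_vary on;` / `# gzip_proxied any;` lines below could be dropped to avoid inviting someone to switch compression back on.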