Merge pull request okfn#59 from ckan/Potential-Security-Updates

Potential security updates
ccancellieri · Jul 31, 2023 · 1928074 · 1928074
2 parents f1fc48d + 5564c85
commit 1928074
Show file tree

Hide file tree

Showing 15 changed files with 181 additions and 58 deletions.
diff --git a/.env b/.env
@@ -13,13 +13,18 @@ NGINX_PORT_HOST=81
 NGINX_SSLPORT_HOST=8443
 
 # CKAN databases
-POSTGRES_USER=ckan
-POSTGRES_PASSWORD=ckan
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=postgres
+POSTGRES_DB=postgres
+POSTGRES_HOST=db
+CKAN_DB_USER=ckandbuser
+CKAN_DB_PASSWORD=ckandbpassword
+CKAN_DB=ckandb
 DATASTORE_READONLY_USER=datastore_ro
 DATASTORE_READONLY_PASSWORD=datastore
-POSTGRES_HOST=db
-CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan
-CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore
+DATASTORE_DB=datastore
+CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb
+CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore
 CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore
 
 # Test database connections

diff --git a/.env.example b/.env.example
@@ -13,13 +13,18 @@ NGINX_PORT_HOST=81
 NGINX_SSLPORT_HOST=8443
 
 # CKAN databases
-POSTGRES_USER=ckan
-POSTGRES_PASSWORD=ckan
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=postgres
+POSTGRES_DB=postgres
+POSTGRES_HOST=db
+CKAN_DB_USER=ckandbuser
+CKAN_DB_PASSWORD=ckandbpassword
+CKAN_DB=ckandb
 DATASTORE_READONLY_USER=datastore_ro
 DATASTORE_READONLY_PASSWORD=datastore
-POSTGRES_HOST=db
-CKAN_SQLALCHEMY_URL=postgresql://ckan:ckan@db/ckan
-CKAN_DATASTORE_WRITE_URL=postgresql://ckan:ckan@db/datastore
+DATASTORE_DB=datastore
+CKAN_SQLALCHEMY_URL=postgresql://ckandbuser:ckandbpassword@db/ckandb
+CKAN_DATASTORE_WRITE_URL=postgresql://ckandbuser:ckandbpassword@db/datastore
 CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore
 
 # Test database connections
@@ -30,7 +35,7 @@ TEST_CKAN_DATASTORE_READ_URL=postgresql://datastore_ro:datastore@db/datastore_te
 # CKAN core
 CKAN_VERSION=2.10.0
 CKAN_SITE_ID=default
-CKAN_SITE_URL=http://ckan:5000
+CKAN_SITE_URL=https://localhost:8443
 CKAN_PORT=5000
 CKAN_PORT_HOST=5000
 CKAN___BEAKER__SESSION__SECRET=CHANGE_ME

diff --git a/.gitignore b/.gitignore
@@ -7,3 +7,4 @@ _service-provider/*
 _solr/schema.xml
 _src/*
 local/*
+.env
diff --git a/README.md b/README.md
@@ -206,7 +206,7 @@ running the latest version of Datapusher.
 
 ## 10. NGINX
 
-The base Docker Compose configuration uses an NGINX image as the front-end (ie: reverse proxy). It includes HTTPS running on port number 8443 and an HTTP port (81). A "self-signed" SSL certificate is generated beforehand and the server certificate and key files are included. The NGINX `server_name` directive and the `CN` field in the SSL certificate have been both set to 'localhost'. This should obviously not be used for production.
+The base Docker Compose configuration uses an NGINX image as the front-end (ie: reverse proxy). It includes HTTPS running on port number 8443. A "self-signed" SSL certificate is generated as part of the ENTRYPOINT. The NGINX `server_name` directive and the `CN` field in the SSL certificate have been both set to 'localhost'. This should obviously not be used for production.
 
 Creating the SSL cert and key files as follows:
 `openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=DE/ST=Berlin/L=Berlin/O=None/CN=localhost" -keyout ckan-local.key -out ckan-local.crt`

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -43,18 +43,15 @@ services:
     container_name: ${POSTGRESQL_CONTAINER_NAME}
     build:
       context: postgresql/
-      args:
-       - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
-       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
     environment:
-      - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-      - PGDATA=/var/lib/postgresql/data/db
+      - DATASTORE_READONLY_PASSWORD
+      - POSTGRES_PASSWORD
+      - CKAN_DB_PASSWORD
     volumes:
       - pg_data:/var/lib/postgresql/data
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "pg_isready", "-U", "ckan"]
+      test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER}", "-d", "${POSTGRES_DB}"]
 
   solr:
     container_name: ${SOLR_CONTAINER_NAME}

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,5 +1,6 @@
 version: "3"
 
+
 volumes:
   ckan_storage:
   pg_data:
@@ -12,11 +13,13 @@ services:
     build:
       context: nginx/
       dockerfile: Dockerfile
+    networks:
+      - webnet
+      - ckannet
     depends_on:
       ckan:
         condition: service_healthy
     ports:
-      - "0.0.0.0:${NGINX_PORT_HOST}:${NGINX_PORT}"
       - "0.0.0.0:${NGINX_SSLPORT_HOST}:${NGINX_SSLPORT}"
 
   ckan:
@@ -26,6 +29,11 @@ services:
       dockerfile: Dockerfile
       args:
         - TZ=${TZ}
+    networks:
+      - ckannet
+      - dbnet
+      - solrnet
+      - redisnet
     env_file:
       - .env
     depends_on:
@@ -35,8 +43,6 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
-    ports:
-      - "0.0.0.0:${CKAN_PORT_HOST}:${CKAN_PORT}" 
     volumes:
       - ckan_storage:/var/lib/ckan
     restart: unless-stopped
@@ -45,6 +51,9 @@ services:
 
   datapusher:
     container_name: ${DATAPUSHER_CONTAINER_NAME}
+    networks:
+      - ckannet
+      - dbnet
     image: ckan/ckan-base-datapusher:${DATAPUSHER_VERSION}
     restart: unless-stopped
     healthcheck:
@@ -54,21 +63,28 @@ services:
     container_name: ${POSTGRESQL_CONTAINER_NAME}
     build:
       context: postgresql/
-      args:
-       - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
-       - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+    networks:
+      - dbnet
     environment:
-      - DATASTORE_READONLY_PASSWORD=${DATASTORE_READONLY_PASSWORD}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
-      - PGDATA=/var/lib/postgresql/data/db
+      - POSTGRES_USER
+      - POSTGRES_PASSWORD
+      - POSTGRES_DB
+      - CKAN_DB_USER
+      - CKAN_DB_PASSWORD
+      - CKAN_DB
+      - DATASTORE_READONLY_USER
+      - DATASTORE_READONLY_PASSWORD
+      - DATASTORE_DB
     volumes:
       - pg_data:/var/lib/postgresql/data
     restart: unless-stopped
     healthcheck:
-      test: ["CMD", "pg_isready", "-U", "ckan"]
+      test: ["CMD", "pg_isready", "-U", "${POSTGRES_USER}", "-d", "${POSTGRES_DB}"]
 
   solr:
     container_name: ${SOLR_CONTAINER_NAME}
+    networks:
+      - solrnet
     image: ckan/ckan-solr:${SOLR_IMAGE_VERSION}
     volumes:
       - solr_data:/var/solr
@@ -79,6 +95,18 @@ services:
   redis:
     container_name: ${REDIS_CONTAINER_NAME}
     image: redis:${REDIS_VERSION}
+    networks:
+      - redisnet
     restart: unless-stopped
     healthcheck:
       test: ["CMD", "redis-cli", "-e", "QUIT"]
+
+networks:
+  webnet:
+  ckannet:
+  solrnet:
+    internal: true
+  dbnet:
+    internal: true
+  redisnet:
+    internal: true
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -2,11 +2,22 @@ FROM nginx:stable-alpine
 
 ENV NGINX_DIR=/etc/nginx
 
+RUN apk update --no-cache && \
+    apk upgrade --no-cache && \
+    apk add --no-cache openssl
+
 COPY setup/nginx.conf ${NGINX_DIR}/nginx.conf
 COPY setup/index.html /usr/share/nginx/html/index.html
 COPY setup/default.conf ${NGINX_DIR}/conf.d/
 
 RUN mkdir -p ${NGINX_DIR}/certs
-COPY setup/ckan-local.* ${NGINX_DIR}/certs/
 
-EXPOSE 81
+ENTRYPOINT \
+  openssl req \
+    -subj '/C=DE/ST=Berlin/L=Berlin/O=None/CN=localhost' \
+    -x509 -newkey rsa:4096 \
+    -nodes -keyout /etc/nginx/ssl/default_key.pem \
+    -keyout ${NGINX_DIR}/certs/ckan-local.key \
+    -out ${NGINX_DIR}/certs/ckan-local.crt \
+    -days 365 && \
+  nginx -g 'daemon off;'
diff --git a/nginx/setup/default.conf b/nginx/setup/default.conf
@@ -1,11 +1,23 @@
 server {
-    listen       80;
-    listen  [::]:80;
+    #listen       80;
+    #listen  [::]:80;
     listen       443 ssl;
     listen  [::]:443 ssl;
     server_name  localhost;
     ssl_certificate /etc/nginx/certs/ckan-local.crt;
     ssl_certificate_key /etc/nginx/certs/ckan-local.key;
+
+    # TLS 1.2 & 1.3 only
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    # Disable weak ciphers
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+    # SSL sessions
+    ssl_session_timeout 1d;
+    # ssl_session_cache dfine in stream and http
+    ssl_session_tickets off;
 
     #access_log  /var/log/nginx/host.access.log  main;
 
@@ -20,13 +32,15 @@ server {
         proxy_cache_key $host$scheme$proxy_host$request_uri;
     }
 
-    error_page  404              /404.html;
+    error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /error.html;
 
-    # redirect server error pages to the static page /50x.html
+    # redirect server error pages to the static page /error.html
     #
-    error_page   500 502 503 504  /50x.html;
-    location = /50x.html {
-        root   /usr/share/nginx/html;
+    location = /error.html {
+      ssi on;
+      internal;
+      auth_basic off;
+      root /usr/share/nginx/html;
     }
 
 }
diff --git a/nginx/setup/nginx.conf b/nginx/setup/nginx.conf
@@ -22,14 +22,70 @@ http {
     access_log  /var/log/nginx/access.log  main;
 
     sendfile        on;
-    #tcp_nopush     on;
-
+    tcp_nopush     on;
+    tcp_nodelay  on;
+    types_hash_max_size 2048;
     keepalive_timeout  65;
 
-    #gzip  on;
+    # Don't expose Nginx version
+    server_tokens off;
+
+    # Prevent clickjacking attacks
+    add_header X-Frame-Options "SAMEORIGIN";
+
+    # Mitigate Cross-Site scripting attack
+    add_header X-XSS-Protection "1; mode=block";
+
+    # Enable gzip encryption
+    gzip  on;
 
     proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=cache:30m max_size=250m;
     proxy_temp_path /tmp/nginx_proxy 1 2;
 
     include /etc/nginx/conf.d/*.conf;
-}
+
+    # Error status text
+    map $status $status_text {
+      400 'Bad Request';
+      401 'Unauthorized';
+      402 'Payment Required';
+      403 'Forbidden';
+      404 'Not Found';
+      405 'Method Not Allowed';
+      406 'Not Acceptable';
+      407 'Proxy Authentication Required';
+      408 'Request Timeout';
+      409 'Conflict';
+      410 'Gone';
+      411 'Length Required';
+      412 'Precondition Failed';
+      413 'Payload Too Large';
+      414 'URI Too Long';
+      415 'Unsupported Media Type';
+      416 'Range Not Satisfiable';
+      417 'Expectation Failed';
+      418 'I\'m a teapot';
+      421 'Misdirected Request';
+      422 'Unprocessable Entity';
+      423 'Locked';
+      424 'Failed Dependency';
+      425 'Too Early';
+      426 'Upgrade Required';
+      428 'Precondition Required';
+      429 'Too Many Requests';
+      431 'Request Header Fields Too Large';
+      451 'Unavailable For Legal Reasons';
+      500 'Internal Server Error';
+      501 'Not Implemented';
+      502 'Bad Gateway';
+      503 'Service Unavailable';
+      504 'Gateway Timeout';
+      505 'HTTP Version Not Supported';
+      506 'Variant Also Negotiates';
+      507 'Insufficient Storage';
+      508 'Loop Detected';
+      510 'Not Extended';
+      511 'Network Authentication Required';
+      default 'Something is wrong';
+    }
+}
diff --git a/postgresql/Dockerfile b/postgresql/Dockerfile
@@ -1,13 +1,4 @@
 FROM postgres:12-alpine
 
-# Allow connections; we don't map out any ports so only linked docker containers can connect
-RUN echo "host all  all    0.0.0.0/0  md5" >> /var/lib/postgresql/data/pg_hba.conf
-
-# Customize default user/pass/db
-ENV POSTGRES_DB ckan
-ENV POSTGRES_USER ckan
-ARG POSTGRES_PASSWORD
-ARG DATASTORE_READONLY_PASSWORD
-
 # Include extra setup scripts (eg datastore)
-ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
+ADD docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
diff --git a/postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sh b/postgresql/docker-entrypoint-initdb.d/10_create_ckandb.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+    CREATE ROLE "$CKAN_DB_USER" NOSUPERUSER CREATEDB CREATEROLE LOGIN PASSWORD '$CKAN_DB_PASSWORD';
+    CREATE DATABASE "$CKAN_DB" OWNER "$CKAN_DB_USER" ENCODING 'utf-8';
+EOSQL
diff --git a/postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql b/postgresql/docker-entrypoint-initdb.d/10_create_datastore.sql
diff --git a/postgresql/docker-entrypoint-initdb.d/20_create_datastore.sh b/postgresql/docker-entrypoint-initdb.d/20_create_datastore.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -e
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+    CREATE ROLE "$DATASTORE_READONLY_USER" NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN PASSWORD '$DATASTORE_READONLY_PASSWORD';
+    CREATE DATABASE "$DATASTORE_DB" OWNER "$CKAN_DB_USER" ENCODING 'utf-8';
+EOSQL
diff --git a/postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql b/postgresql/docker-entrypoint-initdb.d/20_setup_test_databases.sql