Improve security and reliability of traefik-certdumper #54

Open
opened 2021-03-25 09:46:21 +00:00 by 3wordchant · 1 comment
Owner

Several services (CoTURN and Mailu so far, although I'm sure I remember others) want access to the Traefik-generated SSL certificates so that they can encrypt & decrypt traffic themselves.

The usual way to do this in Docker-land is a container which loads Traefik's certificate store, and dumps specified certificates in PEM format.

It seems like the existing forest of `certdumper` images all have wrinkles: for Mailu, I ended up adding [a gnarly custom `entrypoint` to override behaviour](https://git.autonomic.zone/coop-cloud/mailu/src/branch/main/compose.yml#L155-L176), plus [a separate post-run script in the Mailu recipe](https://git.autonomic.zone/coop-cloud/mailu/src/branch/main/certdumper_post.sh).

As well as being a lot (too much?) to add to each recipe, the security of this is pretty lol because a) `certdumper` dumps _all_ certs on the swarm by default and b) it fails open -- I noticed the `certdumper` in `workadventure` is giving the `workadventure-front` container access to _all_ certs 🙈

Improvements welcome!
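As an added illustration (not code from any certdumper image or coop-cloud recipe), here is what a dumper that addresses both complaints would look like: it hands out only the one domain asked for, and it fails closed (no certificate found means nothing is written and the process errors out) instead of falling back to everything. It assumes Traefik v2's `acme.json` layout (resolver → `Certificates` → `domain` / `certificate` / `key`, with the PEM bodies base64-encoded) and uses a constructed sample store rather than real key material.

```python
import base64
import json
import os
from pathlib import Path


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample in the Traefik v2 acme.json layout; PEM bodies are placeholders.
SAMPLE_ACME = json.dumps({
    "letsencrypt": {
        "Certificates": [
            {"domain": {"main": "mail.example.org", "sans": ["imap.example.org"]},
             "certificate": _b64("-----BEGIN CERTIFICATE-----\nMAIL\n-----END CERTIFICATE-----\n"),
             "key": _b64("-----BEGIN PRIVATE KEY-----\nMAILKEY\n-----END PRIVATE KEY-----\n")},
            {"domain": {"main": "chat.example.org", "sans": []},
             "certificate": _b64("-----BEGIN CERTIFICATE-----\nCHAT\n-----END CERTIFICATE-----\n"),
             "key": _b64("-----BEGIN PRIVATE KEY-----\nCHATKEY\n-----END PRIVATE KEY-----\n")},
        ]
    }
})


def extract_pem(acme_json: str, domain: str):
    """Return (cert_pem, key_pem) for the single entry covering `domain` (main or SAN).

    Exact-match only; raises LookupError when nothing matches so callers cannot
    silently end up with every certificate in the store.
    """
    data = json.loads(acme_json)
    for resolver in data.values():
        for entry in (resolver.get("Certificates") or []) if isinstance(resolver, dict) else []:
            names = [entry["domain"]["main"]] + (entry["domain"].get("sans") or [])
            if domain in names:
                return (base64.b64decode(entry["certificate"]),
                        base64.b64decode(entry["key"]))
    raise LookupError(f"no certificate for {domain!r}: refusing to dump anything")


def dump_cert(acme_json: str, domain: str, out_dir: str):
    """Write only `domain`'s cert.pem/key.pem into out_dir; key.pem is 0600 from creation."""
    cert_pem, key_pem = extract_pem(acme_json, domain)  # fails closed before touching disk
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    cert_path, key_path = out / "cert.pem", out / "key.pem"
    cert_path.write_bytes(cert_pem)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key_pem)
    return str(cert_path), str(key_path)
```

Run as `dump_cert(open("/data/acme.json").read(), "mail.example.org", "/certs")` from the consuming service's sidecar, so a misconfigured domain aborts the container instead of exposing the whole swarm's certificates.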
3wordchant added the bug, enhancement, help wanted labels 2021-03-25 09:46:21 +00:00
decentral1se added this to the (deleted) project 2021-04-30 07:32:25 +00:00
decentral1se added this to the Pen Testing/security milestone 2021-09-09 14:31:03 +00:00
Owner

Another approach, unsure if "better": https://git.coopcloud.tech/coop-cloud/snikket/src/commit/4ae3b7ef2d61c3bdbc1b33dc0385c162d43a6e0a/compose.yml#L89-L98
decentral1se added the security label and removed the bug, enhancement labels 2022-10-22 12:11:28 +00:00
Reference: coop-cloud/organising#54