Open jdddog opened 8 years ago
Got the same F grade too. Does someone have a workaround to solve this?
Thanks
This is pretty important.
It seems https://github.com/ckiely91/meteor-up-1/commit/f8afc136109270ff4d921c09dc95f7084a74f915 could have a fix, but I did not try it yet.
@MattiSG That pretty much worked. Thanks. The fork was a bit different, so I had to make a few changes. You just need to change the `<% if(typeof sslConfig === "object") { %>` block in the `start.sh` file to the code below. Can confirm this works, got an A+ grade at SSL labs.
```sh
<% if(typeof sslConfig === "object") { %>
  # We don't need to fail the deployment because of a docker hub downtime
  set +e
  docker build -t meteorhacks/mup-frontend-server-secure - << EOF
FROM meteorhacks/mup-frontend-server:latest
RUN apt-get update && apt-get install --only-upgrade libssl1.0.0 openssl -y
EOF
  set -e
  docker run \
    -d \
    --restart=always \
    --volume=/opt/$APPNAME/config/bundle.crt:/bundle.crt \
    --volume=/opt/$APPNAME/config/private.key:/private.key \
    --link=$APPNAME:backend \
    --publish=<%= sslConfig.port %>:443 \
    --name=$APPNAME-frontend \
    meteorhacks/mup-frontend-server-secure /start.sh
<% } %>
```
@dkleiman The code you copied seems to be the exact code in https://github.com/ckiely91/meteor-up-1/commit/f8afc136109270ff4d921c09dc95f7084a74f915, the only difference being in the lack of `apt-get update` on line 20. Did I miss something?
Also, how exactly do you change the `start.sh` file? Do you change it directly in the global `node_modules`?
@MattiSG I changed the `start.sh` in my `node_modules` and it works. The code adds an upgrade of libssl on a cached version of meteorhacks/mup-frontend-server:latest.
Just when you copy-paste into your code editor, avoid any tabulation in the first part (Dockerfile).
Thanks Guys!
Did work for me too, applying to the file at `$(dirname $(which mupx))/$(dirname $(readlink $(which mupx)))/../templates/linux/start.sh` the changeset in ckiely91/meteor-up-1@f8afc13.
@MattiSG Sorry about that, I misunderstood. I didn't realize you were only talking about the changeset. I blindly copied the whole file, and that definitely did not work. I didn't use the `apt-get update` because that line had `installAdditional` which was undefined.
I also changed `start.sh` in that directory.
I went down a different track to fix this, and suggested the ability to configure my own nginx docker image here: https://github.com/kadirahq/meteor-up/issues/284
But regardless, this needs to be addressed and fixed, sooner rather than later... good work guys, looks like we are close.
mup.js
The current build of this docker image is vulnerable to the OpenSSL Padding Oracle vuln. CVE-2016-2107, which gives an F on SSL Labs SSL Server Test.
The latest Ubuntu security updates fix the issue by upgrading openssl. It would be great if you could update the build on Docker Hub.
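The workaround posted in the thread wraps `docker build` in `set +e` / `set -e`, so a failed rebuild is silent and the `docker run` that follows may start an older patched image or none at all. The sketch below is an added example, not code from mupx or the linked fork; the function name `select_frontend_image` and the `DOCKER` override variable are hypothetical. It makes that outcome explicit so the deploy can log or refuse it.

```sh
# Added example (not mupx code). DOCKER is an assumed override so the
# logic can be exercised with a stub instead of the real docker CLI.
DOCKER="${DOCKER:-docker}"
BASE_IMAGE="meteorhacks/mup-frontend-server:latest"
SECURE_IMAGE="meteorhacks/mup-frontend-server-secure"

# Try to rebuild the patched image, then print the image name to run.
# Return codes:
#   0  patched image was rebuilt just now
#   1  rebuild failed, an earlier build of the patched image is reused
#   2  rebuild failed and no patched image exists; only the base image
#      (the one with the unpatched OpenSSL) is available
# Under `set -e`, call it as: img=$(select_frontend_image) || rc=$?
select_frontend_image() {
  if printf 'FROM %s\nRUN %s\n' "$BASE_IMAGE" \
      "apt-get update && apt-get install --only-upgrade libssl1.0.0 openssl -y" \
      | "$DOCKER" build -t "$SECURE_IMAGE" - >/dev/null 2>&1; then
    echo "$SECURE_IMAGE"
    return 0
  fi
  if "$DOCKER" image inspect "$SECURE_IMAGE" >/dev/null 2>&1; then
    echo "WARNING: rebuild failed, reusing older $SECURE_IMAGE" >&2
    echo "$SECURE_IMAGE"
    return 1
  fi
  echo "WARNING: no patched image; $BASE_IMAGE has the unpatched OpenSSL" >&2
  echo "$BASE_IMAGE"
  return 2
}
```

A deployment that must not serve TLS from the unpatched image can treat return code 2 as fatal instead of passing the printed name to `docker run`.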