sublime-security / sublime-platform

A free and open platform for detecting and preventing email attacks like BEC, malware, and credential phishing. Gain visibility and control, hunt for advanced threats, collaborate with the community, and write detections-as-code.
https://sublime.security
MIT License

SSL support via nginx + certbot #81

Closed jkamdjou closed 1 year ago

jkamdjou commented 1 year ago

Also needs https://github.com/sublime-security/sublime-platform/pull/84

When spinning up Sublime on a remote host that isn't in a VPN, such as a DigitalOcean droplet, I found myself uncomfortable proceeding through setup and submitting sensitive creds over the wire in the clear. I don't think I'll be alone.

Users can follow these steps to get SSL (will add to the docs after this is merged):

  1. DNS
     1. Register a new domain (e.g. subliiime.com) if you don’t have one yet, or use a subdomain
     2. Set the A record to point to your VPS/host
     3. Create a CNAME record for www pointing to subliiime.com
  2. Run the install script: curl -sL https://sublimesecurity.com/install.sh | sh
  3. cd sublime-platform (+ until this is merged, copy files from the josh.letsencrypt branch into this directory)
  4. (sudo) docker compose down
  5. Sublime config
     1. Copy certbot.env.example into certbot.env and update it with your domain(s) (subliiime.com) and email address
     2. Update sublime.env with your new domain + specify HTTPS. For example:

        CORS_ALLOW_ORIGINS=https://subliiime.com
        BASE_URL=https://subliiime.com
        DASHBOARD_PUBLIC_BASE_URL=https://subliiime.com
        API_PUBLIC_BASE_URL=https://subliiime.com

     3. Host
     4. Ensure ports 80 and 443 are open to the web (necessary for certbot)
     5. (sudo) LETSENCRYPT_ENV=certbot.env docker compose --profile letsencrypt up
        1. Inspect the output, ensure LetsEncrypt succeeded
        2. Visit your Dashboard at https://subliiime.com
     6. Stop your deployment (ctrl+c) and start again as a daemon:
        (sudo) LETSENCRYPT_ENV=certbot.env docker compose --profile letsencrypt up -d

h/t to the @thinkst team - lots of inspiration from https://github.com/thinkst/canarytokens-docker

Considerations

TODO in follow-ups

cameron-dunn-sublime commented 1 year ago

> (Probably) Get rid of the ./build folder, and add this build to CI instead (cc @cameron-dunn-sublime let me know what you prefer)

Is this still relevant? I don't see a .build folder in the PR.

jkamdjou commented 1 year ago

> > (Probably) Get rid of the ./build folder, and add this build to CI instead (cc @cameron-dunn-sublime let me know what you prefer)
>
> Is this still relevant? I don't see a .build folder in the PR.

@cameron-dunn-sublime whoops - what I actually meant is that we're building from ./nginx-letsencrypt/, and what we probably want to do instead is publish the build to sublimesec/nginx-letsencrypt like we do with our other images

updated the TODO to be more clear

alexk307 commented 1 year ago

Just curious: how does this handle cert updates/refresh? Let's encrypt usually gives you very short lived certs that have to be renewed either manually or automatically by exposing something that let's encrypt can hit. I run this exact setup for my personal server and it works great other than having to refresh every few months.

jkamdjou commented 1 year ago

> Just curious: how does this handle cert updates/refresh? Let's encrypt usually gives you very short lived certs that have to be renewed either manually or automatically by exposing something that let's encrypt can hit. I run this exact setup for my personal server and it works great other than having to refresh every few months.

every time you restart the image the startup script refreshes the cert automatically using certbot:

https://github.com/sublime-security/sublime-platform/pull/81/files#diff-983b4a5265477c1a7aebd4ea31b862602fd5234e911457a2da3f83816ede9d93R38

madirey commented 1 year ago

> > Just curious: how does this handle cert updates/refresh? Let's encrypt usually gives you very short lived certs that have to be renewed either manually or automatically by exposing something that let's encrypt can hit. I run this exact setup for my personal server and it works great other than having to refresh every few months.
>
> every time you restart the image the startup script refreshes the cert automatically using certbot:
>
> https://github.com/sublime-security/sublime-platform/pull/81/files#diff-983b4a5265477c1a7aebd4ea31b862602fd5234e911457a2da3f83816ede9d93R38

@jkamdjou So this will renew the cert every time the cron update script runs? There's a limit of 5 duplicate certs per week...

hugh-sublime commented 1 year ago

I consolidated the two Docker Compose files into a single one. You can run the SSL mode by running either of the following:

The normal docker compose up -d functionality is untouched.

cc @madirey

jkamdjou commented 1 year ago

> > > Just curious: how does this handle cert updates/refresh? Let's encrypt usually gives you very short lived certs that have to be renewed either manually or automatically by exposing something that let's encrypt can hit. I run this exact setup for my personal server and it works great other than having to refresh every few months.
> >
> > every time you restart the image the startup script refreshes the cert automatically using certbot: https://github.com/sublime-security/sublime-platform/pull/81/files#diff-983b4a5265477c1a7aebd4ea31b862602fd5234e911457a2da3f83816ede9d93R38
>
> @jkamdjou So this will renew the cert every time the cron update script runs? There's a limit of 5 duplicate certs per week...

that was my worry... does the cron update have to restart the image every time it runs? maybe we want an explicit flag to renew or something if not, and users have to do it manually (which should be like every 3 months? which sounds fine for now)
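One way to address the duplicate-certificate limit madirey raises and the explicit renew flag suggested above, written as an added example and not code from the sublime-platform PR: a POSIX sh startup guard that contacts Let's Encrypt only when no certificate is on disk, when it is within a chosen number of days of expiry, or when FORCE_RENEW=1 is set. The certbot live-directory path, the standalone authenticator, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the sublime-platform PR: run at container start,
# before nginx, to contact Let's Encrypt only when the cert is missing, near
# expiry, or renewal is explicitly forced, so restarts and cron updates do not
# burn one of the 5 duplicate certificates per week mentioned in the thread.
# Assumed: certbot's live dir /etc/letsencrypt/live/<domain>/fullchain.pem and
# the standalone authenticator (port 80 reachable from the internet).

# renewal_decision CERT_FILE DAYS [FORCE]: prints one word for callers to branch
# on: obtain (no cert on disk), renew (expires within DAYS days, or FORCE=1),
# skip (still valid for more than DAYS days).
renewal_decision() {
  cert=$1; days=${2:-30}; force=${3:-0}
  if [ ! -f "$cert" ]; then echo obtain; return 0; fi
  if [ "$force" = 1 ]; then echo renew; return 0; fi
  # -checkend N exits 0 only if the cert is still valid N seconds from now.
  if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
    echo skip
  else
    echo renew
  fi
}

# ensure_cert DOMAIN EMAIL [DAYS]; set FORCE_RENEW=1 to renew regardless of expiry.
ensure_cert() {
  domain=$1; email=$2; days=${3:-30}; force=${FORCE_RENEW:-0}
  cert="/etc/letsencrypt/live/$domain/fullchain.pem"
  case "$(renewal_decision "$cert" "$days" "$force")" in
    obtain)
      certbot certonly --standalone --non-interactive --agree-tos -m "$email" -d "$domain" ;;
    renew)
      # certbot renew reuses the lineage's saved settings and itself skips certs
      # not yet due, so --force-renewal is passed only when explicitly requested.
      if [ "$force" = 1 ]; then
        certbot renew --non-interactive --force-renewal
      else
        certbot renew --non-interactive
      fi ;;
    skip)
      echo "certificate for $domain still valid for more than $days days, skipping certbot" ;;
  esac
}

if [ "$#" -ge 2 ]; then
  ensure_cert "$1" "$2" "${3:-30}"
fi
```

Invoked as the first step of the nginx container's entrypoint, the guard keeps the existing "refresh on restart" behaviour without issuing a new certificate on every restart.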

madirey commented 1 year ago

https://github.com/sublime-security/sublime-platform/pull/81/commits/5b2de4a3807ebcb0f1ce327ebf63ec2a8ccfa477 checks for existence of certbot.env and uses @hugh-sublime's new profile when it exists. I'm still not sure if we will hit the rate limit. Probably gonna have to try it tomorrow.