author | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-03-20 09:44:37 +0100 |
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-03-20 09:45:05 +0100 |
commit | bebbf5bd8bef496e08bc0d6a094cc1b915f61a90 (patch) | |
tree | 302cb1a8589fc8052f587cb9df2b17351fe33b4e | |
parent | 870511931a6b65dddaa726c5d03d068da03f5857 (diff) | |
wip rsa-ecc proxy
-rw-r--r-- | cluster/prod/app/email/integration/README.md | 23 | ||||
-rw-r--r-- | cluster/prod/app/email/integration/tls-tls-proxy.sh | 13 | ||||
-rw-r--r-- | cluster/prod/app/email/secrets.toml | 9 | ||||
-rw-r--r-- | cluster/staging/app/core/deploy/core-system.hcl | 2 |
4 files changed, 46 insertions, 1 deletions
diff --git a/cluster/prod/app/email/integration/README.md b/cluster/prod/app/email/integration/README.md
new file mode 100644
index 0000000..d396277
--- /dev/null
+++ b/cluster/prod/app/email/integration/README.md
@@ -0,0 +1,23 @@
+# Email
+
+## TLS TLS Proxy
+
+Required for Android 7.0 that does not support elliptic curves.
+
+Generate a key:
+
+```bash
+openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout rsa.key -out rsa.crt -subj "/CN=imap.deuxfleurs.fr" -addext "subjectAltName=DNS:smtp.deuxfleurs.fr"
+```
+
+Run the command:
+
+```bash
+./integration/proxy.sh imap.deuxfleurs.fr:993 1993
+```
+
+Test it:
+
+```bash
+openssl s_client localhost:1993
+```
diff --git a/cluster/prod/app/email/integration/tls-tls-proxy.sh b/cluster/prod/app/email/integration/tls-tls-proxy.sh
new file mode 100644
index 0000000..afb7317
--- /dev/null
+++ b/cluster/prod/app/email/integration/tls-tls-proxy.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+UPSTREAM=$1
+PROXY_PORT=$2
+socat -dd \
+"openssl-listen:${PROXY_PORT},\
+reuseaddr,\
+fork,\
+cert=/tmp/tls-tls-proxy/rsa.crt,\
+key=/tmp/tls-tls-proxy/rsa.key,\
+verify=0,\
+bind=0.0.0.0" \
+"openssl:${UPSTREAM},\
+verify=0"
diff --git a/cluster/prod/app/email/secrets.toml b/cluster/prod/app/email/secrets.toml
index 6263e33..54bee46 100644
--- a/cluster/prod/app/email/secrets.toml
+++ b/cluster/prod/app/email/secrets.toml
@@ -21,3 +21,12 @@ password_secret = "email/sogo/ldap_bindpw"
 type = 'user'
 description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
+# ---- TLS TLS PROXY ---
+
+[secrets."email/tls-tls-proxy/rsa.crt"]
+type="user"
+description="PEM encoded file containing the RSA certificate"
+
+[secrets."email/tls-tls-proxy/rsa.key"]
+type="user"
+description="PEM encoded file containing the RSA key"
diff --git a/cluster/staging/app/core/deploy/core-system.hcl b/cluster/staging/app/core/deploy/core-system.hcl
index 4d6e503..05fa0f2 100644
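Review bot: The upstream side `"openssl:${UPSTREAM},verify=0"` disables certificate verification toward the real IMAP server, so the proxy re-terminates the client's TLS and then forwards the IMAP login over a connection it never authenticates; the last line should enable verification, e.g. `verify=1,cafile=<system CA bundle path>,openssl-commonname=${UPSTREAM%%:*}"` (the `verify=0` on the `openssl-listen` side only means no client certificate is required, which is fine here). `UPSTREAM=$1` and `PROXY_PORT=$2` are neither checked nor quoted; `UPSTREAM=${1:?usage: $0 UPSTREAM_HOST:PORT PROXY_PORT}` and `PROXY_PORT=${2:?usage: $0 UPSTREAM_HOST:PORT PROXY_PORT}` fail fast on a missing argument. The certificate and private key are read from the hard-coded `/tmp/tls-tls-proxy/` path while the secrets.toml entries in this commit suggest they will be delivered as secrets, so the directory should become a parameter or be confirmed as the deploy target, with a comment stating which. The README added in the same commit invokes `./integration/proxy.sh`, which does not match this file's name `tls-tls-proxy.sh`.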
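Review bot: The two new tables are written `type="user"` and `description="…"` with no spacing and double quotes, while the existing entries just above in the same file use `type = 'user'` spacing and single quotes; match the surrounding style, e.g. `type = 'user'` and `description = 'PEM encoded file containing the RSA certificate'`. The banner comment `# ---- TLS TLS PROXY ---` has unbalanced dashes; `# ---- TLS TLS PROXY ----`. The description of `email/tls-tls-proxy/rsa.key` could state that it is the private key and where the proxy expects it to be mounted, since the companion script hard-codes a path under /tmp.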
--- a/cluster/staging/app/core/deploy/core-system.hcl
+++ b/cluster/staging/app/core/deploy/core-system.hcl
@@ -121,7 +121,7 @@ EOH
 data = <<EOH
 TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }}
 TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
-TRICOT_ENABLE_COMPRESSION=true
+#TRICOT_ENABLE_COMPRESSION=true
 TRICOT_CONSUL_HOST=https://localhost:8501
 TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
 TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt
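Review bot: `#TRICOT_ENABLE_COMPRESSION=true` is left as an unexplained commented-out value inside the `data = <<EOH` heredoc, so the `#` line is emitted into the rendered env file verbatim and whether it is ignored depends on how tricot parses that file — confirm, or drop the line entirely and record the reason in an HCL comment outside the heredoc, e.g. `# compression disabled: <reason placeholder>`. This edit is to the staging core deployment and is unrelated to the rsa-ecc proxy named in the commit title; splitting it into its own commit would keep the history readable. The heredoc and the enclosing template block begin and end outside the hunk.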