Mudlet · sasecio · Sep 19, 2021
diff --git a/Dockerfile b/Dockerfile
@@ -9,6 +9,7 @@ RUN set -xe && \
             openssl-dev \
             pcre-dev \
             perl \
+            php-fpm \
             zlib-dev \
             linux-headers
 
@@ -28,3 +29,13 @@ COPY . .
 EXPOSE 8080
 
 CMD lapis migrate $LAPIS_ENVIRONMENT && lapis server $LAPIS_ENVIRONMENT
+
+
+# Add support for Certbot's SSL certificates
+RUN mkdir -p /usr/local/share/ca-certificates
+ADD fullchain.pem /usr/local/share/ca-certificates
+ADD privkey.pem /usr/local/share/ca-certificates
+RUN chmod 644 /usr/local/share/ca-certificates/fullchain.pem
+RUN chmod 644 /usr/local/share/ca-certificates/privkey.pem
+RUN update-ca-certificates
+
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # Mudlet Package Repo
 This server will power the Mudlet package repository and serve as a reference implementation for any other person or organization which may want to host their own repository for Mudlet packages.
 
-Want a preview? Available at http://172.105.1.54:8080 (alpha)
+Want a preview? Available at https://gw.cloudwatch.net:8080 (alpha)
 
 It is implemented using Lapis ([API](https://leafo.net/lapis/reference.html)), which is a lua web framework that runs inside of OpenResty ([API](https://github.com/openresty/lua-nginx-module#ngxtimerat)), a custom implementation of NginX. Check out the [technical vision](https://wiki.mudlet.org/w/Mudlet:Repository_Technical_Vision) to get a sense of our development style.
 
@@ -11,9 +11,7 @@ We make use of the follow luarocks:
 * bcrypt http://github.com/mikejsavage/lua-bcrypt
 * i18n https://github.com/kikito/i18n.lua
 * lua-resty-mail https://github.com/GUI/lua-resty-mail
-* lua-mailgun https://github.com/leafo/lua-mailgun
-
-We do not actually make use of lapis-chan, but it served as an example from which examples and inspiration were drawn: https://github.com/karai17/lapis-chan
+* mailgun https://github.com/leafo/lua-mailgun
 
 # Getting started with development
 
@@ -26,9 +24,10 @@ By choosing Docker you don't have to worry about installing and configuring the
 
 * Install [Docker](https://docs.docker.com/engine/install/)
 * Install [docker-compose](https://docs.docker.com/compose/install/)
+* Open config.lua in your editor and make any necessary edits.
 * Run `docker-compose build` to build the image.
 * Run `docker-compose up` to run the website.
-* Login with `demo` and `supersecretpassword`.
+* Login with the relevant credentials.
 
 To refresh the website, rebuild and re-run it again.
 

diff --git a/config.lua b/config.lua
@@ -21,10 +21,10 @@ config({'development', 'docker', 'kubernetes'}, {
   smtp_port = 1025,
   smtp_username = nil,
   smtp_password = nil,
-  sender_address = "[email protected]",
-  admin_email = "demonnic@gmail.com",
-  admin_password = "supersecretadminpass", -- this can be removed once you've viewed the page for the first time
-  base_url = "http://localhost:8080/",
+  sender_address = "[email protected]",
+  admin_email = "mudletrepotest@gmail.com",
+  admin_password = nil, -- this can be removed once you've viewed the page for the first time
+  base_url = "https://gw.cloudwatch.net:8080/",
   website_name = "Mudlet Package Repository (experimental)"
 })
 

diff --git a/controllers/mail.lua b/controllers/mail.lua
@@ -1,4 +1,5 @@
 local app_helpers = require("lapis.application")
+local lapis_html = require("lapis.html")
 local assert_error  = app_helpers.assert_error
 local mail_handler = require("resty.mail")
 local mail = {
@@ -27,7 +28,7 @@ function mail:send_verification(user, i18n)
   local alternate_url = string.format("%sverifyemail", self.config.base_url)
   local url = string.format("%s?ver_code=%s&email=%s", alternate_url, ver_code, user.email)
   local message_body = i18n("verify_email_body", {user.name, self.config.website_name, url, alternate_url, ver_code})
-  local message_subject = escape(i18n("verify_email_subject", {self.config.website_name}))
+  local message_subject = lapis_html.escape(i18n("verify_email_subject", {self.config.website_name}))
   self:send(message_subject, message_body, user)
 end
 

diff --git a/nginx.conf b/nginx.conf
@@ -26,9 +26,40 @@ http {
     require "lpeg"
   }
   server {
-    listen ${{PORT}};
+    listen ${{PORT}} ssl;
+
+    ssl_certificate      /usr/local/share/ca-certificates/fullchain.pem;
+    ssl_certificate_key  /usr/local/share/ca-certificates/privkey.pem;
+
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    ssl_protocols TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
+
+#    ssl_dhparam /etc/ssl/ffdhe4096.pem;
+    ssl_ecdh_curve secp521r1:secp384r1;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Xss-Protection "1; mode=block" always;
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /usr/local/share/ca-certificates/fullchain.pem;
+
+    resolver 1.1.1.1 1.0.0.1 valid=300s; # Cloudflare
+    resolver_timeout 5s;
+
     lua_code_cache ${{CODE_CACHE}};
 
+    location '/.well-known/acme-challenge' {
+        default_type "text/plain";
+	root /var/www/html;
+    }
+
     location / {
       ${{CUSTOM_RESOLVER}}
       default_type text/html;

diff --git a/nginx.conf.bak b/nginx.conf.bak
@@ -0,0 +1,53 @@
+env REPO_BASE_URL;
+env SMTP_HOST;
+env SMTP_PORT;
+env SMTP_USERNAME;
+env SMTP_PASSWORD;
+env DATA_DIR;
+
+worker_processes ${{NUM_WORKERS}};
+error_log stderr notice;
+daemon off;
+${{CUSTOM_USER}}
+pid logs/nginx.pid;
+
+events {
+  worker_connections 1024;
+}
+
+http {
+  log_format perf '$remote_addr $status - $request_length $bytes_sent'
+  include mime.types;
+  client_max_body_size ${{BODY_SIZE}};
+  client_body_buffer_size ${{BODY_SIZE}};
+  init_by_lua_block {
+    require "lfs"
+    require "socket"
+    require "lpeg"
+  }
+  server {
+    listen ${{PORT}};
+    lua_code_cache ${{CODE_CACHE}};
+
+    location / {
+      ${{CUSTOM_RESOLVER}}
+      default_type text/html;
+      content_by_lua '
+        require("lapis").serve("app")
+      ';
+    }
+
+    location /static/ {
+      include mime.types;
+      alias static/;
+    }
+
+    location /data/ {
+      alias ${{DATA_DIR}}/;
+    }
+
+    location /favicon.ico {
+      alias static/favicon.ico;
+    }
+  }
+}