feat: adds tls1.2 and 1.3 support, and HSTS config (#2897)

Co-authored-by: Matthias Nannt <mail@matthiasnannt.com>
This commit is contained in:
Piyush Gupta
2024-08-07 20:22:14 +05:30
committed by GitHub
parent fffe71aa7e
commit 53fb976fb6
2 changed files with 363 additions and 82 deletions


@@ -61,54 +61,159 @@ install_formbricks() {
mkdir -p formbricks && cd formbricks
echo "📁 Created Formbricks Quickstart directory at ./formbricks."
# Ask the user for their email address
echo "💡 Please enter your email address for the SSL certificate:"
read email_address
# Ask the user for their domain name
echo "🔗 Please enter your domain name for the SSL certificate (🚨 do NOT enter the protocol (http/https/etc)):"
read domain_name
echo "🔗 Do you want us to set up an HTTPS certificate for you? [Y/n]"
read https_setup
# Set default value for HTTPS setup
if [[ -z $https_setup ]]; then
https_setup="Y"
fi
if [[ $https_setup == "Y" ]]; then
echo "🔗 Please make sure that the domain points to the server's IP address and that ports 80 & 443 are open in your server's firewall. Is everything set up? [Y/n]"
read dns_setup
# Set default value for DNS setup
if [[ -z $dns_setup ]]; then
dns_setup="Y"
fi
if [[ $dns_setup == "Y" ]]; then
echo "💡 Please enter your email address for the SSL certificate:"
read email_address
echo "🔗 Do you want to enforce HTTPS (HSTS)? [Y/n]"
read hsts_enabled
# Set default value for HSTS
if [[ -z $hsts_enabled ]]; then
hsts_enabled="Y"
fi
else
echo "❌ Ports 80 & 443 are not open. We can't help you in providing the SSL certificate."
https_setup="n"
hsts_enabled="n"
fi
else
https_setup="n"
hsts_enabled="n"
fi
# Ask for HSTS configuration for HTTPS redirection if custom certificate is used
if [[ $https_setup == "n" ]]; then
echo "You have chosen not to set up HTTPS certificate for your domain. Please make sure to set up HTTPS on your own. You can refer to the Formbricks documentation(https://formbricks.com/docs/self-hosting/custom-ssl) for more information."
echo "🔗 Do you want to enforce HTTPS (HSTS)? [Y/n]"
read hsts_enabled
# Set default value for HSTS
if [[ -z $hsts_enabled ]]; then
hsts_enabled="Y"
fi
fi
# Installing Traefik
echo "🚗 Configuring Traefik..."
cat <<EOT >traefik.yaml
entryPoints:
web:
address: ":80"
http:
if [[ $hsts_enabled == "Y" ]]; then
hsts_middlewares="middlewares:
- hstsHeader"
http_redirection="http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: ":443"
http:
tls:
certResolver: default
providers:
docker:
watch: true
exposedByDefault: false
certificatesResolvers:
permanent: true"
else
hsts_middlewares=""
http_redirection=""
fi
if [[ $https_setup == "Y" ]]; then
certResolver="certResolver: default"
certificates_resolvers="certificatesResolvers:
default:
acme:
email: $email_address
storage: acme.json
caServer: "https://acme-v01.api.letsencrypt.org/directory"
tlsChallenge: {}
tlsChallenge: {}"
else
certResolver=""
certificates_resolvers=""
fi
cat <<EOT >traefik.yaml
entryPoints:
web:
address: ":80"
$http_redirection
websecure:
address: ":443"
http:
tls:
$certResolver
options: default
$hsts_middlewares
providers:
docker:
watch: true
exposedByDefault: false
file:
directory: /
$certificates_resolvers
EOT
echo "💡 Created traefik.yaml file with your provided email address."
cat <<EOT >traefik-dynamic.yaml
# configuring min TLS version
tls:
options:
default:
minVersion: VersionTLS12
cipherSuites:
# TLS 1.2 Ciphers
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
touch acme.json
chmod 600 acme.json
echo "💡 Created acme.json file with correct permissions."
# TLS 1.3 Ciphers (These are automatically used for TLS 1.3 connections)
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
# Ask the user for their domain name
echo "🔗 Please enter your domain name for the SSL certificate (🚨 do NOT enter the protocol (http/https/etc)):"
read domain_name
# Fallback
- TLS_FALLBACK_SCSV
EOT
echo "💡 Created traefik.yaml and traefik-dynamic.yaml file."
if [[ $https_setup == "Y" ]]; then
touch acme.json
chmod 600 acme.json
echo "💡 Created acme.json file with correct permissions."
fi
# Prompt for email service setup
read -p "Do you want to set up the email service? (yes/no) You will need SMTP credentials for the same! " email_service
if [[ $email_service == "yes" ]]; then
read -p "📧 Do you want to set up the email service? You will need SMTP credentials for the same! [y/N]" email_service
# Set default value for email service setup
if [[ -z $email_service ]]; then
email_service="N"
fi
if [[ $email_service == "y" ]]; then
echo "Please provide the following email service details: "
echo -n "Enter your SMTP configured Email ID: "
@@ -163,7 +268,7 @@ EOT
sed -i "s|# SMTP_PASSWORD:|SMTP_PASSWORD: \"$smtp_password\"|" docker-compose.yml
fi
awk -v domain_name="$domain_name" '
awk -v domain_name="$domain_name" -v hsts_enabled="$hsts_enabled" '
/formbricks:/,/^ *$/ {
if ($0 ~ /depends_on:/) {
inserting_labels=1
@@ -173,7 +278,18 @@ EOT
print " - \"traefik.enable=true\" # Enable Traefik for this service"
print " - \"traefik.http.routers.formbricks.rule=Host(\`" domain_name "\`)\" # Use your actual domain or IP"
print " - \"traefik.http.routers.formbricks.entrypoints=websecure\" # Use the websecure entrypoint (port 443 with TLS)"
print " - \"traefik.http.routers.formbricks.tls=true\" # Enable TLS"
print " - \"traefik.http.routers.formbricks.tls.certresolver=default\" # Specify the certResolver"
print " - \"traefik.http.services.formbricks.loadbalancer.server.port=3000\" # Forward traffic to Formbricks on port 3000"
if (hsts_enabled == "Y") {
print " - \"traefik.http.middlewares.hstsHeader.headers.stsSeconds=31536000\" # Set HSTS (HTTP Strict Transport Security) max-age to 1 year (31536000 seconds)"
print " - \"traefik.http.middlewares.hstsHeader.headers.forceSTSHeader=true\" # Ensure the HSTS header is always included in responses"
print " - \"traefik.http.middlewares.hstsHeader.headers.stsPreload=true\" # Allow the domain to be preloaded in browser HSTS preload list"
print " - \"traefik.http.middlewares.hstsHeader.headers.stsIncludeSubdomains=true\" # Apply HSTS policy to all subdomains as well"
} else {
print " - \"traefik.http.routers.formbricks_http.entrypoints=web\" # Use the web entrypoint (port 80)"
print " - \"traefik.http.routers.formbricks_http.rule=Host(\`" domain_name "\`)\" # Use your actual domain or IP"
}
inserting_labels=0
}
print
@@ -192,6 +308,7 @@ EOT
print " - \"8080:8080\""
print " volumes:"
print " - ./traefik.yaml:/traefik.yaml"
print " - ./traefik-dynamic.yaml:/traefik-dynamic.yaml"
print " - ./acme.json:/acme.json"
print " - /var/run/docker.sock:/var/run/docker.sock:ro"
print ""
@@ -280,4 +397,4 @@ uninstall)
echo "🚀 Executing default step of installing Formbricks"
install_formbricks
;;
esac
esac
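Review bot: The new `certificates_resolvers` string in the first hunk keeps `caServer: "https://acme-v01.api.letsencrypt.org/directory"`; Let's Encrypt retired the ACMEv1 API in 2021, so the `tlsChallenge` resolver this commit wires up would fail to issue certificates — change it to `caServer: "https://acme-v02.api.letsencrypt.org/directory"` (or drop the key, since Traefik's default is the v2 directory). In the generated `traefik-dynamic.yaml` the TLS 1.2 list mixes AEAD suites with three CBC suites (`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`, `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`), which undercuts the `minVersion: VersionTLS12` hardening being introduced; dropping them leaves only GCM/ChaCha20 suites, and `TLS_FALLBACK_SCSV` under `# Fallback` is a signalling value rather than a cipher suite, so it is worth confirming Traefik accepts it in `cipherSuites` before relying on this file. `providers.file.directory: /` makes Traefik treat every YAML/TOML under the container root, including the mounted `/traefik.yaml` static config, as dynamic configuration; `filename: /traefik-dynamic.yaml` scopes it to the intended file. The HSTS labels emit `stsPreload=true` and `stsIncludeSubdomains=true` with `hsts_enabled` defaulting to `Y` even on the custom-certificate path, which is a hard-to-reverse commitment covering every subdomain of the entered domain, so a comment such as `# HSTS with preload+includeSubdomains applies to all subdomains and cannot be quickly undone` above the prompt and a `N` default for the custom-certificate branch would be safer. The enclosing `install_formbricks` function starts before the first hunk and continues past the last one shown.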