author | Devaev Maxim <[email protected]> | 2018-08-09 04:06:44 +0300 |
---|---|---|
committer | Devaev Maxim <[email protected]> | 2018-08-09 04:06:44 +0300 |
commit | e3f5d1e4d60a7e56c4113b00101aae95881db464 (patch) | |
tree | 49a3a27ab897f6864d04f329546a3dbe77e2a4e3 | |
parent | f71788bb35b810ff79d321e5914edcf554e00c60 (diff) |
using https with self-signed cert
-rw-r--r-- | kvmd/configs/nginx/nginx.conf.example (renamed from kvmd/configs/nginx/nginx.conf) | 31 | ||||
-rw-r--r-- | kvmd/testenv/nginx.conf | 18 | ||||
-rw-r--r-- | kvmd/web/js/session.js | 2 | ||||
-rw-r--r-- | os/platforms/v1/Dockerfile.part | 9 |
4 files changed, 38 insertions, 22 deletions
diff --git a/kvmd/configs/nginx/nginx.conf b/kvmd/configs/nginx/nginx.conf.example index 51c52c46..cd30f572 100644 --- a/kvmd/configs/nginx/nginx.conf +++ b/kvmd/configs/nginx/nginx.conf.example @@ -10,13 +10,26 @@ events { } http { + access_log off; + include mime.types; default_type application/octet-stream; charset utf-8; sendfile on; keepalive_timeout 10; - # gzip on; + + client_body_temp_path /tmp/nginx.client_body_temp; + fastcgi_temp_path /tmp/nginx.fastcgi_temp; + proxy_temp_path /tmp/nginx.proxy_temp; + scgi_temp_path /tmp/nginx.scgi_temp; + uwsgi_temp_path /tmp/nginx.uwsgi_temp; + + server { + listen 80; + server_name localhost; + return 301 https://$host$request_uri; + } upstream kvmd { server localhost:8081 fail_timeout=0s max_fails=0; @@ -27,17 +40,15 @@ http { } server { - # access_log /tmp/nginx.access.log; - access_log off; - - listen 80; + listen 443 ssl http2; server_name localhost; - client_body_temp_path /tmp/nginx.client_body_temp; - fastcgi_temp_path /tmp/nginx.fastcgi_temp; - proxy_temp_path /tmp/nginx.proxy_temp; - scgi_temp_path /tmp/nginx.scgi_temp; - uwsgi_temp_path /tmp/nginx.uwsgi_temp; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; + ssl_certificate ssl/server.crt; + ssl_certificate_key ssl/server.key; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location / { root /usr/share/kvmd/web; diff --git a/kvmd/testenv/nginx.conf b/kvmd/testenv/nginx.conf index c9322517..ed6698cf 100644 --- a/kvmd/testenv/nginx.conf +++ b/kvmd/testenv/nginx.conf 
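Review bot: In kvmd/configs/nginx/nginx.conf.example, the new `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line in the 443 server block still accepts TLS 1.0 and 1.1, which are deprecated and not needed by any browser able to run this WebSocket-based console. I would narrow it to `ssl_protocols TLSv1.2;` (adding `TLSv1.3` where the installed nginx and OpenSSL support it) and add `ssl_prefer_server_ciphers on;` so the server's cipher order is the one enforced. The cipher string also admits CBC suites through `AES256+EECDH:AES256+EDH`; keeping only the `+AESGCM` entries would match the tighter protocol list. The `Strict-Transport-Security` header deserves a short comment: browsers ignore it while the self-signed certificate is untrusted, and once an operator trusts the certificate, `includeSubDomains` is pinned for a year.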
@@ -10,13 +10,20 @@ events { } http { + access_log off; + include /etc/nginx/mime.types; default_type application/octet-stream; charset utf-8; sendfile on; keepalive_timeout 10; - # gzip on; + + client_body_temp_path /tmp/nginx.client_body_temp; + fastcgi_temp_path /tmp/nginx.fastcgi_temp; + proxy_temp_path /tmp/nginx.proxy_temp; + scgi_temp_path /tmp/nginx.scgi_temp; + uwsgi_temp_path /tmp/nginx.uwsgi_temp; upstream kvmd { server localhost:8081 fail_timeout=0s max_fails=0; @@ -27,18 +34,9 @@ http { } server { - # access_log /tmp/nginx.access.log; - access_log off; - listen 8080; server_name localhost; - client_body_temp_path /tmp/nginx.client_body_temp; - fastcgi_temp_path /tmp/nginx.fastcgi_temp; - proxy_temp_path /tmp/nginx.proxy_temp; - scgi_temp_path /tmp/nginx.scgi_temp; - uwsgi_temp_path /tmp/nginx.uwsgi_temp; - location / { root /web; index index.html; diff --git a/kvmd/web/js/session.js b/kvmd/web/js/session.js index 238ff877..d3bbf91c 100644 --- a/kvmd/web/js/session.js +++ b/kvmd/web/js/session.js @@ -20,7 +20,7 @@ var session = new function() { }; this.startPoller = function() { - __ws = new WebSocket("ws://" + location.host + "/kvmd/ws"); + __ws = new WebSocket((location.protocol == "https:" ? "wss" : "ws") + "://" + location.host + "/kvmd/ws"); __ws.onopen = __wsOpenHandler; __ws.onmessage = __wsMessageHandler; __ws.onerror = __wsErrorHandler; diff --git a/os/platforms/v1/Dockerfile.part b/os/platforms/v1/Dockerfile.part index 4b355acb..b66d52bf 100644 --- a/os/platforms/v1/Dockerfile.part +++ b/os/platforms/v1/Dockerfile.part 
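Review bot: In kvmd/web/js/session.js, the scheme selection in `startPoller` compares with loose equality; `location.protocol === "https:"` states the intent exactly. Choosing `wss` under HTTPS is what stops the browser from blocking the socket as mixed content, so a one-line comment such as `// wss under https, otherwise the browser blocks the socket as mixed content` would help the next reader. The enclosing `session` constructor starts and ends outside this hunk.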
@@ -19,5 +19,12 @@ RUN sed -i -e "s/console=ttyAMA0\,115200//g" /boot/cmdline.txt \ && sed -i -e "s/kgdboc=ttyAMA0\,115200//g" /boot/cmdline.txt RUN systemctl mask [email protected] -RUN cp /usr/share/kvmd/configs/nginx/nginx.conf /etc/nginx/ +RUN cp /usr/share/kvmd/configs/nginx/nginx.conf.example /etc/nginx/ RUN cp /usr/share/kvmd/configs/kvmd/v1.yaml /etc/kvmd.yaml + +RUN mkdir /etc/nginx/ssl \ + && cd /etc/nginx/ssl \ + && openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 3650 \ + -subj "/C=RU/ST=Moscow/L=Moscow/O=Pi-KVM/OU=Pi-KVM/CN=localhost" \ + && chmod 400 server.key \ + && chmod 444 server.crt |
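Review bot: The `openssl req ... -nodes` step runs at image build time, so `server.key` is stored unencrypted in an image layer. If the resulting image is flashed to more than one device or published, every device shares the same private key, and anyone holding the image can impersonate the KVM's HTTPS endpoint. Generating the key pair on first boot (for example from a oneshot systemd unit that runs only when `/etc/nginx/ssl/server.key` is absent) keeps the key unique per device and out of the image. Separately, `cp /usr/share/kvmd/configs/nginx/nginx.conf.example /etc/nginx/` keeps the `.example` name at the destination, so unless nginx is pointed at that file elsewhere it will keep loading the stock `/etc/nginx/nginx.conf`; `RUN cp /usr/share/kvmd/configs/nginx/nginx.conf.example /etc/nginx/nginx.conf` would install the TLS configuration. The certificate also carries `CN=localhost` with no subjectAltName, so clients reaching the device by address will see a name mismatch on top of the untrusted-issuer warning.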