feat: 인증서 문제 드디어 해결~!~!~!~!~!~!

LWJ0513 · Feb 21, 2024 · c75ac1e · c75ac1e
1 parent 097ee45
commit c75ac1e
Show file tree

Hide file tree

Showing 10 changed files with 49 additions and 68 deletions.
diff --git a/backend/login/views.py b/backend/login/views.py
@@ -25,7 +25,7 @@
 
 logger = logging.getLogger(__name__)
 
-BASE_URL = 'http://localhost:8000/'
+BASE_URL = 'https://localhost:443/'
 GOOGLE_CALLBACK_URI = BASE_URL + 'api/login/google/callback/'
 INTRA42_CALLBACK_URI = BASE_URL + 'api/login/intra42/callback'
 config = AutoConfig()

diff --git a/backend/requirements.txt b/backend/requirements.txt
@@ -1,30 +1,43 @@
 asgiref==3.7.2
+attrs==23.2.0
+autobahn==23.6.2
+Automat==22.10.0
 certifi==2023.11.17
 cffi==1.16.0
 channels==4.0.0
 charset-normalizer==3.3.2
-cryptography==42.0.0
+click==8.1.7
+constantly==23.10.4
+cryptography==41.0.7
 daphne==4.0.0
 defusedxml==0.8.0rc2
 dj-rest-auth==5.0.2
-Django==4.2.10
+Django==4.2.8
 django-allauth==0.60.1
 django-cors-headers==4.3.1
 django-debug-toolbar==4.2.0
 django-environ==0.11.2
+django-otp==1.3.0
 djangorestframework==3.14.0
 djangorestframework-simplejwt==5.3.1
 drf-yasg==1.21.7
+gunicorn==21.2.0
+h11==0.14.0
 hvac==2.1.0
+hyperlink==21.0.0
 idna==3.6
+incremental==22.10.0
 inflection==0.5.1
 oauthlib==3.2.2
 packaging==23.2
 pillow==10.2.0
 psycopg==3.1.16
 psycopg2-binary==2.9.9
+pyasn1==0.5.1
+pyasn1-modules==0.3.0
 pycparser==2.21
 PyJWT==2.8.0
+pyOpenSSL==24.0.0
 pypng==0.20220715.0
 python-decouple==3.8
 python-environ==0.4.54
@@ -36,9 +49,17 @@ PyYAML==6.0.1
 qrcode==7.4.2
 requests==2.31.0
 requests-oauthlib==1.3.1
+service-identity==24.1.0
+setuptools==69.0.3
+six==1.16.0
 social-auth-app-django==5.4.0
 social-auth-core==4.5.1
 sqlparse==0.4.4
+supervisor==4.2.5
+Twisted==23.10.0
+txaio==23.1.1
 typing_extensions==4.9.0
 uritemplate==4.1.1
 urllib3==2.1.0
+uvicorn==0.27.0.post1
+zope.interface==6.1
diff --git a/backend/src/settings.py b/backend/src/settings.py
@@ -12,7 +12,6 @@
 DEBUG = False
 env.read_env(env_file=ENV_PATH)
 
-
 def wait_for_vault_client(client, retries=5, delay=5):
     for i in range(retries):
         try:
@@ -60,7 +59,7 @@ def wait_for_vault_client(client, retries=5, delay=5):
 else:
     VAULT_URL = env('VAULT_URL')
     VAULT_TOKEN = env('VAULT_TOKEN')
-    client = hvac.Client(url=VAULT_URL, token=VAULT_TOKEN)
+    client = hvac.Client(url=VAULT_URL, token=VAULT_TOKEN, verify='/backend/certs/rootCA.pem')
 
     wait_for_vault_client(client)
     secret_path = "sejokim"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -14,10 +14,10 @@ services:
       - "./volumes/vault/file:/vault/file"
       - "./volumes/vault/logs:/vault/logs"
       - "./volumes/vault/config:/vault/config"
-      - cert-volume:/vault/certs
+      - "./volumes/certs:/vault/certs"
 
     environment:
-      VAULT_ADDR: "http://hashicorp_vault:8200"
+      VAULT_ADDR: "https://hashicorp_vault:8200"
     cap_add:
       - IPC_LOCK
     networks:
@@ -27,12 +27,12 @@ services:
     build: .
     container_name: django_node_container
     ports:
-      - 8000:8000
+      - 8443:8443
     networks:
       - app_network
     volumes:
       - static-volume:/backend/static
-      - cert-volume:/backend/certs
+      - "./volumes/certs:/backend/certs"
     env_file:
       - ./.env
     environment:
@@ -45,7 +45,7 @@ services:
     # LOGSTASH
       LOG_KEY: ${LOG_KEY}
     # Hashicorp vault
-      VAULT_URL: "http://hashicorp_vault:8200"
+      VAULT_URL: "https://hashicorp_vault:8200"
       VAULT_TOKEN: ${VAULT_TOKEN}
     # SMTP EMAIL
       EMAIL_HOST_USER: ${EMAIL_HOST_USER}
@@ -72,7 +72,7 @@ services:
     volumes:
       - "./frontend:/usr/share/nginx/html"
       - static-volume:/usr/share/nginx/html/static
-      - cert-volume:/etc/nginx/certs
+      - "./volumes/certs:/etc/nginx/certs"
       # - "/Users/sejokim/desktop/volumes/nginx/logs:/var/log/nginx"
     logging:
       options:

diff --git a/init.sh b/init.sh
@@ -2,8 +2,4 @@
 
 python manage.py collectstatic --noinput
 
-#exec gunicorn --bind 0.0.0.0:8000 src.wsgi:application
-
-exec daphne -b 0.0.0.0 -p 8000 src.asgi:application
-
-# exec python3 manage.py runserver 0.0.0.0:8000
+daphne -b 0.0.0.0 -e ssl:8443:privateKey=/backend/certs/server.key:certKey=/backend/certs/server.crt src.asgi:application
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -38,7 +38,7 @@ RUN chmod +x /usr/local/bin/mkcert
 
 RUN mkcert -install
 RUN mkdir -p /etc/nginx/certs
-RUN mkcert -key-file /etc/nginx/certs/server.key -cert-file /etc/nginx/certs/server.crt localhost 127.0.0.1 ::1
+RUN mkcert -key-file /etc/nginx/certs/server.key -cert-file /etc/nginx/certs/server.crt "hashicorp_vault" localhost 127.0.0.1 ::1
 
 # Nginx 설정 파일 복사 및 모듈 로드
 COPY ./config/nginx.conf /etc/nginx/nginx.conf

diff --git a/nginx/config/nginx.conf b/nginx/config/nginx.conf
@@ -39,38 +39,6 @@ http {
         return 301 https://$host$request_uri;
     }
 
-    # server {
-    #     listen 8000;
-
-
-    #     location /static/ {
-    #         alias /usr/share/nginx/html/static/;
-    #     }
-
-    #     location / {
-    #         proxy_pass http://django_node_app:8000;
-    #         proxy_http_version 1.1;
-    #         proxy_set_header Host $host;
-    #         proxy_set_header X-Real-IP $remote_addr;
-    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #         proxy_set_header X-Forwarded-Host $server_name;
-    #     }
-    # }
-
-    # server {
-    #     listen 8200;
-
-    #     # location / {
-    #         proxy_pass http://hashicorp_vault:8200;
-    #         proxy_http_version 1.1;
-    #         proxy_set_header Host $host;
-    #         proxy_set_header X-Real-IP $remote_addr;
-    #         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    #         proxy_set_header X-Forwarded-Host $server_name;
-    #         proxy_set_header X-Forwarded-Proto https;
-    #    }
-    # }
-
     # HTTPS 서버 설정
     server {
         listen 443 ssl;
@@ -95,7 +63,7 @@ http {
 
             # Django 관리자 및 Swagger 문서를 위한 위치 설정
         location ~ ^/(admin|redoc|swagger) {
-            proxy_pass http://django_node_app:8000;
+            proxy_pass https://django_node_app:8443;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection 'upgrade';
@@ -107,7 +75,7 @@ http {
         }
 
         location /api {
-            proxy_pass http://django_node_app:8000;
+            proxy_pass https://django_node_app:8443;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection 'upgrade';
@@ -116,7 +84,7 @@ http {
         }
 
         location /ws/ {
-            proxy_pass http://django_node_app:8000;
+            proxy_pass https://django_node_app:8443;
             proxy_http_version 1.1;
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header Connection "upgrade";
@@ -125,15 +93,5 @@ http {
             add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
             add_header 'Access-Control-Allow-Headers' 'Origin, X-Requested-With, Content-Type, Accept, Authorization' always;
         }
-
-        location /vault {
-            proxy_pass http://hashicorp_vault:8200;
-            proxy_http_version 1.1;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Host $server_name;
-            proxy_set_header X-Forwarded-Proto https;
-        }
     }
 }
diff --git a/vault/Dockerfile b/vault/Dockerfile
@@ -1,10 +1,11 @@
 FROM hashicorp/vault:latest
 
+RUN apk add --no-cache bash jq curl
+
 COPY entrypoints.sh /entrypoints.sh
 
-COPY ./config/vault.hcl /vault/config/vault.hcl
+COPY ./config/vault.hcl /vault
 
-RUN chmod +x /entrypoints.sh && \
-	apk add --no-cache jq
+RUN chmod +x /entrypoints.sh
 
 ENTRYPOINT ["/entrypoints.sh"]
diff --git a/vault/config/vault.hcl b/vault/config/vault.hcl
@@ -1,13 +1,16 @@
 listener "tcp" {
   address     = "0.0.0.0:8200"
-  tls_disable = 1
+  tls_cert_file = "/vault/certs/server.crt"
+  tls_key_file = "/vault/certs/server.key"
+  tls_client_ca_file = "/vault/certs/rootCA.pem"
+  tls_disable_client_certs = "true"
 }
 
 storage "file" {
   path = "/vault/file"
 }
 
-api_addr = "http://localhost:8200"
+api_addr = "https://hashicorp_vault:8200"
 
 disable_mlock = true
 

diff --git a/vault/entrypoints.sh b/vault/entrypoints.sh
@@ -1,10 +1,13 @@
 #!/bin/sh
 
-vault server -config=/vault/config/vault.hcl &
+vault server -config=/vault/vault.hcl &
 sleep 5
 
 echo "Waiting for Vault server to start..."
 
+export VAULT_CACERT=/vault/certs/rootCA.pem
+
+# Check if Vault is already initialized by checking for the existence of the unseal key and root token files
 if [ ! -f /vault/config/unseal.key ] || [ ! -f /vault/config/root.token ]; then
   echo "Initializing Vault..."
   VAULT_INIT_RESPONSE=$(vault operator init -key-shares=1 -key-threshold=1 -format=json)