Merge pull request #5 from b310-digital/4-better-defaults-for-more-se…

…curity

Better defaults for more security in production

.env.default

@@ -16,10 +16,13 @@ DOCKER_COMPOSE_APP_ENV_POSTGRES_TEST_USER=mindmapper-user
 # Environment Variables PRODUCTION
 APP_PROD_PORT=3011
 
-POSTGRES_PROD_DB=mindmapper-backend-prod
-POSTGRES_PROD_PASSWORD=mindmapper-password
-POSTGRES_PROD_PORT=5433
-POSTGRES_SSL_REJECT_UNAUTHORIZED=true
-POSTGRES_PROD_USER=mindmapper-user
+POSTGRES_PROD_DB=
+POSTGRES_PROD_PASSWORD=
+POSTGRES_PROD_PORT=5432
+# Enable ssl connection to database
+POSTGRES_PROD_SSL=true
+# Disabling self-signed ssl certificates by default; please use POSTGRES_PROD_SSL_REJECT_UNAUTHORIZED=true to enable self-singed (unauthorized) ssl certificate.
+POSTGRES_PROD_SSL_REJECT_UNAUTHORIZED=false
+POSTGRES_PROD_USER=
 # PROD Requires SSL Connection Support. Use DEV if not available.
 PROD_MODE=PROD

.gitignore

@@ -43,7 +43,10 @@ testem.log
 .DS_Store
 Thumbs.db
 docker-compose.override.yml
+
+# Environment vars
 .env
+.env.prod
 
 ca/*.crt
 ca/*.pem

README.md

@@ -78,7 +78,7 @@ Mindmapper is based on mindmapp (https://github.com/cedoor/mindmapp , discontinu
     cp .env.default .env.prod
     ```
 
--   Adjust all configs in `.env.prod`, e.g. database settings, ports
+-   Adjust all configs in `.env.prod`, e.g. database settings, ports, disable ssl env vars if necessary
 
 -   Start everything at once:
 

docker-compose-prod.yml

@@ -9,11 +9,12 @@ services:
     environment:
       MODE: ${PROD_MODE:-DEV}
       BINDING: "0.0.0.0"
-      POSTGRES_DATABASE: ${POSTGRES_PROD_DB:-mindmapper-backend-prod}
+      POSTGRES_DATABASE: ${POSTGRES_PROD_DB}
       POSTGRES_HOST: ${POSTGRES_PROD_HOST:-postgres_prod}
-      POSTGRES_PASSWORD: ${POSTGRES_PROD_PASSWORD:-mindmapper-password}
+      POSTGRES_PASSWORD: ${POSTGRES_PROD_PASSWORD}
       POSTGRES_PORT: ${POSTGRES_PROD_PROD_PORT:-5432}
-      POSTGRES_SSL_REJECT_UNAUTHORIZED: ${POSTGRES_SSL_REJECT_UNAUTHORIZED:-true}
+      POSTGRES_SSL: ${POSTGRES_PROD_SSL:-true}
+      POSTGRES_SSL_REJECT_UNAUTHORIZED: ${POSTGRES_PROD_SSL_REJECT_UNAUTHORIZED:-false}
       POSTGRES_USER: ${POSTGRES_PROD_USER:-mindmapper-user}
     ports:
       - "${APP_PROD_PORT:-80}:3000"
@@ -27,13 +28,10 @@ services:
     command: -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key
     environment:
       PGDATA: /var/lib/postgresql/data/pgdata
-      POSTGRES_DB: ${POSTGRES_PROD_DB:-mindmapper-backend-prod}
-      POSTGRES_PASSWORD: ${POSTGRES_PROD_PASSWORD:-mindmapper-password}
-      POSTGRES_USER: ${POSTGRES_PROD_USER:-mindmapper-user}
-    # Exposing the port is not needed unless you want to access this database instance from the host.
-    # Be careful when other postgres docker container are running on the same port
-    ports:
-      - "${POSTGRES_PROD_PORT:-5432}:5432"
+      POSTGRES_DB: ${POSTGRES_PROD_DB}
+      POSTGRES_PASSWORD: ${POSTGRES_PROD_PASSWORD}
+      POSTGRES_PORT: ${POSTGRES_PROD_PORT:-5432}
+      POSTGRES_USER: ${POSTGRES_PROD_USER}
     volumes:
       # To setup an ssl-enabled postgres server locally, you need to generate a self-signed ssl certificate.
       # See README.md for more information.

mindmapper-backend/src/config.service.ts

@@ -65,7 +65,7 @@ class ConfigService {
       //
       // See https://www.andronio.me/2020/08/20/connecting-typeorm-to-a-postgres-database-on-heroku/
       // See https://github.com/typeorm/typeorm/issues/278
-      ssl: this.isProduction() && { rejectUnauthorized: this.getValue('POSTGRES_SSL_REJECT_UNAUTHORIZED', true) !== 'false' },
+      ssl: this.getValue('POSTGRES_SSL') !== 'false'  && { rejectUnauthorized: this.getValue('POSTGRES_SSL_REJECT_UNAUTHORIZED') !== 'false' },
     };
   }
 }