feat: Add the TLS and proxy option

Author: ZPascal

README.md

@@ -9,6 +9,10 @@ You can execute `docker-compose up -d --build --force-recreate` to start and bui
 
 It is possible to adapt the `pretixuser` crontab entries by modifying the [crontab](docker/pretix/crontab.bak) file.
 
+## TLS setup
+
+You can specify the used TLS certificates by adapting the mounted [certificate](docker/pretix/files/config/ssl/domain.crt) and [key](docker/pretix/files/config/ssl/domain.key) e.g. from LetsEncrypt or generating new self-signed certificates by following the [manual](scripts/EXAMPLE-CERT-CREATION.md) and moving the generated files.
+
 ## Contribution
 If you would like to contribute something, have an improvement request, or want to make a change inside the code, please open a pull request.
 

docker-compose.yml

@@ -12,9 +12,11 @@ services:
     volumes:
       - pretix_data:/data
       - ./docker/pretix/pretix.cfg:/etc/pretix/pretix.cfg
+      - ./docker/pretix/nginx/nginx.conf:/etc/nginx/nginx.conf
       - ./docker/pretix/crontab:/tmp/crontab
     ports:
-      - "8000:80"
+      - "80:80"
+      - "443:443"
     networks:
       - backend
 

docker/pretix/Dockerfile

@@ -2,15 +2,18 @@ FROM pretix/standalone:stable
 
 USER root
 
-ENV IMAGE_CRON_DIR="/image/cron"
+ENV IMAGE_CRON_DIR="/image/cron" \
+    IMAGE_CONFIG_DIR="/image/config"
 
 ADD files /image
 COPY crontab /tmp/crontab
 
 RUN mv /image/supervisord/crond.conf /etc/supervisord/crond.conf && \
-    pip install crontab && chmod +x $IMAGE_CRON_DIR/cron.py
+    pip install crontab && chmod 644 $IMAGE_CONFIG_DIR/ssl/*.crt && chmod +x $IMAGE_CRON_DIR/cron.py
 
 USER pretixuser
 
+EXPOSE 443
+
 ENTRYPOINT ["pretix"]
 CMD ["all"]

docker/pretix/files/config/ssl/.placeholder

@@ -0,0 +1,89 @@
+user www-data www-data;
+worker_processes auto;
+pid /var/run/nginx.pid;
+daemon off;
+worker_rlimit_nofile 262144;
+
+events {
+    worker_connections 16384;
+    multi_accept on;
+    use epoll;
+}
+
+http {
+        server_tokens off;
+        sendfile on;
+        charset utf-8;
+        tcp_nopush on;
+        tcp_nodelay on;
+
+        log_format private '[$time_local] $host "$request" $status $body_bytes_sent';
+
+        types_hash_max_size 2048;
+        server_names_hash_bucket_size 64;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+        add_header X-Content-Type-Options nosniff;
+
+        access_log /var/log/nginx/access.log private;
+        error_log /var/log/nginx/error.log;
+        add_header Referrer-Policy same-origin;
+
+        gzip on;
+        gzip_disable "msie6";
+        gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml;
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_comp_level 6;
+        gzip_buffers 16 8k;
+
+        include /etc/nginx/conf.d/*.conf;
+
+    server {
+        listen 80 backlog=4096 default_server;
+        listen [::]:80 ipv6only=on default_server;
+        listen 443 backlog=4096 default_server ssl;
+        listen [::]:443 ipv6only=on default_server ssl;
+        server_name _;
+        ssl_certificate     /image/config/ssl/domain.crt;
+        ssl_certificate_key /image/config/ssl/domain.key;
+
+        index index.php index.html;
+        root /var/www;
+
+        location /media/ {
+            alias /data/media/;
+            expires 7d;
+            access_log off;
+        }
+        location ^~ /media/cachedfiles {
+            deny all;
+            return 404;
+        }
+        location ^~ /media/invoices {
+            deny all;
+            return 404;
+        }
+        location /static/ {
+            alias /pretix/src/pretix/static.dist/;
+            access_log off;
+            expires 365d;
+            add_header Cache-Control "public";
+            add_header Access-Control-Allow-Origin "*";
+            gzip on;
+        }
+        location / {
+            # Very important:
+            #   proxy_pass http://unix:/tmp/pretix.sock:;
+            # is not the same as
+            #   proxy_pass http://unix:/tmp/pretix.sock:/;
+            # In the latter case, nginx will apply its URL parsing, in the former it doesn't.
+            # There are situations in which pretix' API will deal with "file names" containing %2F%2F, which
+            # nginx will normalize to %2F, which can break ticket validation.
+            proxy_pass http://unix:/tmp/pretix.sock:;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header Host $http_host;
+        }
+    }
+}

docker/pretix/files/config/ssl/domain.crt

@@ -0,0 +1,21 @@
+# Example of the cert creation for the Nginx setup
+
+## Creation
+
+Please execute the following script `bash create-tls-certs.sh` to create all necessary certificates for the complete setup of all related components.
+
+## Adaptation
+
+Please adjust the configuration files inside the [config](./config) folder and adapt the corresponding values for the req_distinguished_names and subjectAltNames based on your organisation and configuration. You can find [here](https://support.dnsimple.com/articles/what-is-common-name/) and [here](https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates) more information about the corresponding values and CA certificates in general.
+
+## Ca Certificates
+
+### Nginx
+
+Describes the Certificate Authority (certificate & key) for the Nginx server.
+
+## Server Certificates
+
+### Nginx
+
+Describes the server certificate and key for the Nginx server, and it's signed by the Nginx CA.

docker/pretix/files/config/ssl/domain.key

@@ -0,0 +1,20 @@
+[req]
+distinguished_name = req_distinguished_name
+default_bits = 4096
+prompt = no
+default_md = sha256
+
+[req_distinguished_name]
+C = DE
+ST = Baden-Wuerttemberg
+L = Mannheim
+O = TheIOTStudio
+CN = Pretix Nginx CA
+emailAddress = [email protected]
+
+[ext]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical, CA:TRUE, pathlen:3
+keyUsage = critical, cRLSign, keyCertSign
+nsCertType = sslCA, emailCA