Comments: Setting Up a Static Site with Hugo and Push to Deploy #15

jtreminio opened this issue Dec 17, 2018 · 6 comments (Open)

Comments

@jtreminio (Owner)

https://jtreminio.com/blog/setting-up-a-static-site-with-hugo-and-push-to-deploy/

@Celerrime

Thanks for the detailed how-to on your blog. I'm considering an automated build approach vs a simple script that updates my server with new posts.

Some of my concerns with your approach as detailed in the post:

  • your process relies on several non-official repositories from docker hub. Though it looks clean now, there's a possibility of upstream poisoning that would affect your server downstream during the automated build process. Are there precautions to guard against this?
  • similarly, if it's not malware, I'm concerned these non-official repos might make breaking changes at any moment. I'd be more comfortable cloning their repos and updating when necessary.

Any thoughts?

Thanks again.

@jtreminio (Owner, Author) commented Apr 3, 2019

For business-critical needs, sure, using more official images makes sense. For learning purposes I would say it's ok, but you're right in that it can be better.

A bad actor could def. inject some malware into the generated HTML code, for example. Since this wouldn't require root access, simply changing user to non-root wouldn't help prevent the issue, as it would in other "what if bad code tries to take over my whole server?" situations.

Since Hugo is a static go binary, it makes sense to keep your own image around for safety purposes.
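One concrete way to act on the "keep your own image" advice, as an added example that is not code from the blog post or its repository: before copying a Hugo binary into an image you control, verify the release archive against the checksum list Hugo publishes with each release, and refuse to build on a mismatch. The archive and the checksum list below are constructed locally (the names only mimic the hugo_<version>_<os>.tar.gz release naming) so the script runs offline; in a real build you would download both from the GitHub release and call `verify_release` on them.

```shell
#!/bin/sh
# Added example (not code from the blog post or its repository): verify a
# Hugo release archive against a "<sha256>  <filename>" checksum list before
# baking the binary into your own image. Fixtures below are constructed
# stand-ins so the script runs offline.
set -eu

# sha256_of FILE: print the SHA-256 hex digest, using whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_release FILE CHECKSUMS: look FILE up by basename in the checksum
# list and compare digests. Returns 0 on match, 1 if the entry is missing
# or the digest differs (both cases must abort the build).
verify_release() {
  file=$1
  sums=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "$name: no checksum entry, refusing to use it" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "$name: checksum mismatch" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  echo "$name: checksum OK"
}

# --- constructed fixtures standing in for a real download ---
workdir=$(mktemp -d)
good_archive="$workdir/hugo_0.55.0_Linux-64bit.tar.gz"
printf 'stand-in for the real Hugo archive\n' > "$good_archive"
printf '%s  %s\n' "$(sha256_of "$good_archive")" "$(basename "$good_archive")" \
  > "$workdir/hugo_0.55.0_checksums.txt"

# A tampered copy with the same name: what an upstream poisoning looks like
# to the build step.
mkdir -p "$workdir/poisoned"
bad_archive="$workdir/poisoned/hugo_0.55.0_Linux-64bit.tar.gz"
printf 'stand-in for a poisoned archive\n' > "$bad_archive"

verify_release "$good_archive" "$workdir/hugo_0.55.0_checksums.txt"
verify_release "$bad_archive" "$workdir/hugo_0.55.0_checksums.txt" \
  || echo "build aborted: do not COPY this binary into the image"
```

The same idea applies to the base images themselves: reference them by digest (`image: name@sha256:<digest>`) rather than by a floating tag, so an upstream push cannot silently change what your automated build pulls.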

@McFateM commented Apr 18, 2019

I absolutely love this project and approach. However, I have run into one security concern that I've been unable to resolve... My ITS folks show a vulnerability in one deployment due to "weak" ciphers in the Traefik service as it is currently deployed. In other servers of mine that use a traefik.toml file the remedy appears to be this syntax:

```toml
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    ##mod## Adding this section to remove default/weak cipher suites per https://docs.traefik.io/configuration/entrypoints/
    minVersion = "VersionTLS12"
    ## Suggested cipher list per https://stackoverflow.com/questions/52128979/recommended-tls-ciphers-for-traefik
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    ]
    ##end##
```

So, in the case of the deployment technique used in this project I tried this in files/docker-compose.yml:

```yaml
      #--entrypoints="Name:https Address::443 TLS" \   Line below added to remove weak ciphers in Traefik.  17-Apr-2019
      --entryPoints="Name:https Address::443 TLS:MinVersion:VersionTLS12 TLS:CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" \
```

But the correct syntax for this kind of entryPoint definition escapes me. Anybody know what it might be? Thanks and take care.
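A check worth running on any cipher list before handing it back to the scanner, as an added example that is not part of the blog post or the docker-bootstrap project: audit the `cipherSuites` entries of a traefik.toml against an explicit policy (ECDHE key exchange for forward secrecy, AEAD bulk cipher: AES-GCM or CHACHA20-POLY1305). The policy itself is an assumption made here; the fixture is the list from the comment above, and the audit flags its two `*_CBC_*` suites, which scanners commonly still report as weak even though the key exchange is fine.

```shell
#!/bin/sh
# Added example, not part of the blog post or the docker-bootstrap project.
# Audits a Traefik 1.x cipherSuites list (Go/IANA-style names) against an
# assumed policy: ECDHE key exchange and an AEAD bulk cipher. CBC-mode
# suites are rejected because scanners commonly flag them as weak.
set -eu

# classify_suite NAME: print "ok" or the reason for rejection.
# Exit status 0 = acceptable, 1 = rejected.
classify_suite() {
  case "$1" in
    *_RC4_*|*_3DES_*|*_DES_*|*_NULL_*|*EXPORT*)       echo "legacy cipher";         return 1 ;;
    TLS_RSA_*|TLS_DH_*|TLS_DHE_*|TLS_ECDH_*)          echo "no ECDHE key exchange"; return 1 ;;
    *_CBC_*)                                          echo "CBC mode (not AEAD)";   return 1 ;;
    TLS_ECDHE_*_GCM_*|TLS_ECDHE_*_CHACHA20_POLY1305*) echo "ok";                    return 0 ;;
    *)                                                echo "unrecognised suite";    return 1 ;;
  esac
}

# suites_from_toml FILE: print the quoted names inside `cipherSuites = [ ... ]`,
# one per line.
suites_from_toml() {
  sed -n '/cipherSuites *= *\[/,/\]/p' "$1" | grep -o '"TLS_[A-Z0-9_]*"' | tr -d '"'
}

# rejected_suites FILE: print only the names that fail the policy.
rejected_suites() {
  suites_from_toml "$1" | while read -r suite; do
    if ! classify_suite "$suite" >/dev/null; then
      echo "$suite"
    fi
  done
}

# audit_toml FILE: print a verdict per suite; exit 1 if any is rejected.
audit_toml() {
  status=0
  for suite in $(suites_from_toml "$1"); do
    verdict=$(classify_suite "$suite") || status=1
    printf '%-45s %s\n' "$suite" "$verdict"
  done
  return $status
}

# --- constructed fixture: the cipher list posted in the comment above ---
toml=$(mktemp)
cat > "$toml" <<'EOF'
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
EOF

audit_toml "$toml" || echo "policy violations found; drop the suites marked above"
```

Once the list is deployed, confirm the result from outside rather than trusting the config: `openssl s_client -connect host:443 -tls1_1` should fail to negotiate when `minVersion` is `VersionTLS12`. Note that OpenSSL uses its own cipher names (`ECDHE-RSA-AES128-GCM-SHA256`, not `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`) when you probe individual suites with `-cipher`.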

@McFateM commented May 20, 2019

The powers that be here at GC finally opened my blog to the world today, so I'm pleased to share the solution I found for my comment above. See https://static.grinnell.edu/blogs/McFateM/post/removing-traefik-weak-ciphers/ for details.

Note that my blog still needs some work in terms of navigation and page addressing, so feel free to browse, but some things aren't working properly in production yet. Curiously, I have things working flawlessly in my Docksal dev environment, but my push to production isn't quite there yet.

@McFateM commented May 20, 2019

Unfortunately, I have run into another problem/issue that I'm unable to resolve...with Traefik. I'm using a fork of docker-bootstrap and have successfully introduced Portainer into the mix there and make it available (authentication protected) at this address. So now I'm trying to also expose the Traefik dashboard in a similar fashion, but am unsure of the correct syntax.

What I have in my proxy service definition of my docker-bootstrap/docker-compose.yml thus far is:

```yaml
  proxy:
    container_name: traefik_proxy
    image: traefik
    command: >-
      --docker --logLevel=INFO \
      --acme \
      --acme.acmelogging \
      --acme.dnschallenge=false \
      --acme.entrypoint="https" \
      --acme.httpchallenge \
      --acme.httpChallenge.entryPoint="http" \
      --acme.onhostrule=true \
      --acme.storage="/root/acme.json" \
      --acme.email="${LE_EMAIL}" \
      --entrypoints="Name:http Address::80 Redirect.EntryPoint:https" \
      --entryPoints="Name:https Address::443 TLS TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" \
      --defaultentrypoints="http,https" \
      --api \
      --api.dashboard=true

    labels:
      traefik.enable: true
      traefik.frontend.auth.basic: "admin:$$2y$$05$$pJEzHJBzfoYYS7/hGAedcOP8XdsqNXE7j.LHFBVjueASOqOvvjGOy"
      traefik.frontend.redirect.regex: "^(.*)/traefik$$"
      traefik.frontend.redirect.replacement: "$$1/traefik/"
      traefik.frontend.rule: "PathPrefix:/traefik;ReplacePathRegex: ^/traefik/(.*) /$$1"
      traefik.port: 8080

    networks:
      - webgateway
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /dev/null:/traefik.toml
      - /root/acme.json:/root/acme.json
```

Can anyone see the problem here? Thanks in advance.
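Two things a reviewer would flag in a dashboard exposure like the one above, and an added example that is not the project's or the commenter's compose file. First, publishing `8080:8080` on the host makes Traefik's API and dashboard reachable on port 8080 directly, without passing through the basic-auth frontend the labels define; since the container also holds the Docker socket, that is an unauthenticated path to a root-equivalent surface. The fix is to publish only 80 and 443 and let Traefik route to its own port 8080 via the `traefik.port` label. Second, in a YAML folded scalar (`>-`) the lines are joined with spaces, so trailing `\` characters end up as literal arguments rather than line continuations. The fragment below keeps the thread's flags, uses a `Host` rule to avoid the path-rewrite labels entirely, and uses placeholders for the hostname and the htpasswd line (`htpasswd -nB admin`, with every `$` doubled for compose). `--docker.exposedbydefault=false` is an extra hardening flag added here so that only containers carrying `traefik.enable=true` are routed.

```yaml
# Added example, not the project's or the commenter's docker-compose.yml.
# Traefik 1.x proxy with its dashboard reachable only through the https
# entrypoint behind basic auth; hostname and htpasswd line are placeholders.
  proxy:
    container_name: traefik_proxy
    image: traefik:1.7          # pin a release line (or an @sha256 digest), not a floating tag
    command: >-
      --docker
      --docker.exposedbydefault=false
      --logLevel=INFO
      --acme
      --acme.acmelogging
      --acme.entrypoint="https"
      --acme.httpchallenge
      --acme.httpChallenge.entryPoint="http"
      --acme.onhostrule=true
      --acme.storage="/root/acme.json"
      --acme.email="${LE_EMAIL}"
      --entrypoints="Name:http Address::80 Redirect.EntryPoint:https"
      --entryPoints="Name:https Address::443 TLS TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      --defaultentrypoints="http,https"
      --api
      --api.dashboard=true

    labels:
      traefik.enable: "true"
      traefik.port: "8080"                               # Traefik's own API listener inside the container
      traefik.frontend.rule: "Host:traefik.example.com"  # placeholder hostname
      traefik.frontend.entryPoints: "https"
      # output of `htpasswd -nB admin`, with each $ doubled for compose
      traefik.frontend.auth.basic: "admin:$$2y$$05$$REPLACE_WITH_BCRYPT_HASH"

    networks:
      - webgateway
    ports:
      - "80:80"
      - "443:443"
      # no "8080:8080": publishing it would bypass the basic-auth frontend above
    restart: always
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /dev/null:/traefik.toml
      - /root/acme.json:/root/acme.json
```

After deploying, confirm from another host that `curl -sk https://<server-ip>:8080/api` is refused at the network level and that `https://traefik.example.com/dashboard/` prompts for credentials before showing anything.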
