RomkeVdMeulen · September 4, 2019 19:28 · Jul 16, 2016 · Feb 13, 2015 · Jan 29, 2015 · Jan 29, 2015
diff --git a/_secure_docker_connection.md b/_secure_docker_connection.md
@@ -1,9 +0,0 @@
-Based on [this Docker article](https://docs.docker.com/articles/https/).
-
-Run this script to generate signed server and client keys to create a secure connection to the Docker daemon running on your server.
-
-Usage: `secure_expose_docker.sh [host] [password]`
-
-The password isn't really important as you'll have direct access to the key files, but if you want you can keep track of it in case you want to use the generated keyfiles for something else in the future.
-
-For host, use the domain of your server. You'll be connecting to this domain once the Docker daemon is set up.

diff --git a/_README.md → _secure_docker_connection.md b/_README.md → _secure_docker_connection.md
diff --git a/secure_expose_docker.sh b/secure_expose_docker.sh
@@ -56,7 +56,4 @@ echo "Let's test the connection by running:"
 echo "docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=$1:4243 version"
 echo
 
-docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=$1:4243 version
-
-
-
+docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=$1:4243 version
diff --git a/_README.md b/_README.md
@@ -1,4 +1,4 @@
-Based on [this Docker article](https://docs.docker.com/articles/https/)
+Based on [this Docker article](https://docs.docker.com/articles/https/).
 
 Run this script to generate signed server and client keys to create a secure connection to the Docker daemon running on your server.
 

diff --git a/_README.md b/_README.md
@@ -1,5 +1,3 @@
-# Secure Docker daemon connection #
-
 Based on [this Docker article](https://docs.docker.com/articles/https/)
 
 Run this script to generate signed server and client keys to create a secure connection to the Docker daemon running on your server.

diff --git a/_README.md b/_README.md
@@ -0,0 +1,11 @@
+# Secure Docker daemon connection #
+
+Based on [this Docker article](https://docs.docker.com/articles/https/)
+
+Run this script to generate signed server and client keys to create a secure connection to the Docker daemon running on your server.
+
+Usage: `secure_expose_docker.sh [host] [password]`
+
+The password isn't really important as you'll have direct access to the key files, but if you want you can keep track of it in case you want to use the generated keyfiles for something else in the future.
+
+For host, use the domain of your server. You'll be connecting to this domain once the Docker daemon is set up.
diff --git a/secure_expose_docker.sh b/secure_expose_docker.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+if [ $# -lt 2 ]; then
+        echo "Usage: $0 [domain to connect] [password]"
+        exit 1
+fi
+
+set -e
+
+red='\033[0;31m'
+green='\033[0;32m'
+orange='\033[0;33m'
+blue='\033[0;34m'
+nocolor='\033[0m'
+
+if [ -d /etc/docker ] && [ -f /etc/docker/ca-key.pem ]; then
+        echo -ne "${orange}Docker security config already exists: overwrite? [Y/n] ${nocolor}"
+        read answer
+        if [ "x${answer}" == "xn" ]; then exit; fi
+fi
+
+echo -e "${blue}Creating secure public connection for Docker daemon${nocolor}"
+
+[ -d /etc/docker ] || sudo mkdir /etc/docker
+cd /etc/docker
+sudo rm -v *
+
+echo -e "${blue}Generating Certificate Authority${nocolor}"
+sudo openssl genrsa -aes256 -passout pass:$2 -out ca-key.pem 2048
+sudo openssl req -new -x509 -days 365 -key ca-key.pem -passin pass:$2 -sha256 -out ca.pem \
+                 -subj '/C=NL/ST=./L=./O=./CN=$1'
+
+echo -e "${blue}Generating and signing server key${nocolor}"
+sudo openssl genrsa -out server-key.pem 2048
+sudo openssl req -subj "/CN=$1" -new -key server-key.pem -out server.csr
+sudo openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -passin pass:$2 \
+             -CAcreateserial -out server-cert.pem
+
+echo -e "${blue}Generating and signing client key${nocolor}"
+sudo openssl genrsa -out key.pem 2048
+sudo openssl req -subj '/CN=client' -new -key key.pem -out client.csr
+sudo sh -c 'echo "extendedKeyUsage = clientAuth" > extfile.cnf'
+sudo openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -passin pass:$2 \
+                  -CAcreateserial -out cert.pem -extfile extfile.cnf
+
+sudo rm client.csr server.csr
+sudo chmod 0400 ca-key.pem key.pem server-key.pem
+sudo chmod 0444 ca.pem server-cert.pem cert.pem
+
+echo -e "${blue}Configuring Docker${nocolor}"
+echo 'DOCKER_OPTS="--tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"' >> /etc/default/docker
+sudo service docker restart
+
+echo -e "${green}Secure Docker daemon connection now available on port 4243${nocolor}"
+echo "Let's test the connection by running:"
+echo "docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=$1:4243 version"
+echo
+
+docker --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/cert.pem --tlskey=/etc/docker/key.pem -H=$1:4243 version
+
+
+