Add QUIC Workflow (#295)
Signed-off-by: PI <[email protected]>
pi-314159 authored Aug 23, 2024
1 parent 3725dba commit 69a5e36
Showing 4 changed files with 115 additions and 10 deletions.
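--- a/.github/workflows/quic.yml
+++ b/.github/workflows/quic.yml
@@ -0,0 +1,56 @@
+name: QUIC
+
+on:
+push:
+branches: ['main']
+paths: ['.github/workflows/quic.yml', 'curl/**', 'nginx/**']
+pull_request:
+paths: ['.github/workflows/quic.yml', 'curl/**', 'nginx/**']
+schedule:
+- cron: '2 7 18,28 * *'
+workflow_dispatch:
+
+env:
+TARGET_NAME: openquantumsafe
+
+jobs:
+test-push:
+name: Test and push QUIC images
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Login to Docker Hub
+uses: docker/login-action@v3
+with:
+username: ${{ secrets.DOCKERHUB_USERNAME }}
+password: ${{ secrets.DOCKERHUB_TOKEN }}
+- name: Create a shared volume
+run: docker volume create shared-1
+shell: bash
+- name: Generate a quantum-safe certificate chain
+run: |
+docker run -v shared-1:/certs $TARGET_NAME/openssl3 /bin/sh -c "\
+openssl req -x509 -new -newkey p256_falcon512 -keyout /certs/CA.key -out /certs/CA.crt -nodes -subj '/C=US/O=Open Quantum Safe/CN=OQS Demos' -days 1461 && \
+openssl req -new -newkey mldsa87 -keyout /certs/server.key -out /certs/server.csr -nodes -subj /CN=host.docker.internal && \
+openssl x509 -req -in /certs/server.csr -out /certs/server.crt -CA /certs/CA.crt -CAkey /certs/CA.key -CAcreateserial -days 365"
+shell: bash
+- name: Build NGINX with QUIC support and start the server
+working-directory: ./nginx
+run: |
+docker build -t $TARGET_NAME/nginx-quic:latest -f Dockerfile-QUIC . && \
+docker run -d -p 443:443/udp -v shared-1:/certs --name nginx-quic-daemon $TARGET_NAME/nginx-quic:latest && \
+docker cp ./nginx-conf/nginx-quic.conf nginx-quic-daemon:/etc/nginx/nginx-quic.conf && \
+docker exec nginx-quic-daemon bash -c "cd /etc/nginx && rm nginx.conf && mv nginx-quic.conf nginx.conf && nginx -s reload"
+shell: bash
+- name: Build cURL with QUIC support and test it with the server that's started earlier
+working-directory: ./curl
+run: |
+docker build -t $TARGET_NAME/curl-quic:latest -f Dockerfile-QUIC . && \
+docker run -v shared-1:/certs --add-host=host.docker.internal:host-gateway $TARGET_NAME/curl-quic:latest \
+curl --cacert /certs/CA.crt --http3-only https://host.docker.internal --curves hqc192 -vvvv
+shell: bash
+- name: Push Docker images to Docker Hub
+run: |
+docker push $TARGET_NAME/curl-quic:latest
+docker push $TARGET_NAME/nginx-quic:latest
+shell: bash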
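Review bot: The `Push Docker images to Docker Hub` step, and the `Login to Docker Hub` step before it, run on every trigger the workflow declares, including `pull_request`, so a pull request opened from a branch of this repository (where the Docker Hub secrets are available) would overwrite the `curl-quic:latest` and `nginx-quic:latest` tags with unreviewed code, while a pull request from a fork would fail the whole job at the login step because the secrets are absent there. Gate both steps on the event, e.g. `if: github.event_name != 'pull_request'` on each, or restrict them to `github.ref == 'refs/heads/main'`. A top-level `permissions: contents: read` block would also keep the job's `GITHUB_TOKEN` at the minimum it needs, and the third-party actions (`actions/checkout@v4`, `docker/login-action@v3`) are pinned to mutable tags rather than full commit SHAs, which is the usual supply-chain hardening for a workflow that holds registry credentials.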
5 changes: 3 additions & 2 deletions README.md
@@ -1,4 +1,5 @@
[![GitHub actions](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/linux.yml/badge.svg)](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/linux.yml)
[![QUIC](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/quic.yml/badge.svg)](https://github.com/open-quantum-safe/oqs-demos/actions/workflows/quic.yml)
[![open-quantum-safe](https://circleci.com/gh/open-quantum-safe/oqs-demos.svg?style=svg)](https://app.circleci.com/pipelines/github/open-quantum-safe/oqs-demos)

oqs-demos
Expand All @@ -18,9 +19,9 @@ Currently available integrations at their respective support level:

| | **Build instructions** | **Pre-built Docker image or binary files** | Support? |
| ---------------- | -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------- | -------- |
| **curl** | [Github: oqs-demos/curl](curl) | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl) | @baentsch, @pi-314159
| **curl** | [Github: oqs-demos/curl](curl) | [Dockerhub: openquantumsafe/curl](https://hub.docker.com/repository/docker/openquantumsafe/curl), [Dockerhub: openquantumsafe/curl-quic](https://hub.docker.com/repository/docker/openquantumsafe/curl-quic) | @baentsch, @pi-314159
| **Apache httpd** | [Github: oqs-demos/httpd](httpd) | [Dockerhub: openquantumsafe/httpd](https://hub.docker.com/repository/docker/openquantumsafe/httpd) | @baentsch
| **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx) | @baentsch, @bhess, @pi-314159
| **nginx** | [Github: oqs-demos/nginx](nginx) | [Dockerhub: openquantumsafe/nginx](https://hub.docker.com/repository/docker/openquantumsafe/nginx), [Dockerhub: openquantumsafe/nginx-quic](https://hub.docker.com/repository/docker/openquantumsafe/nginx-quic) | @baentsch, @bhess, @pi-314159
| **Chromium** | [Github: oqs-demos/chromium](chromium) (limited support) | - | @pi-314159 |
| **OpenSSH** | [Github: oqs-demos/openssh](openssh) | [Dockerhub: openquantumsafe/openssh](https://hub.docker.com/repository/docker/openquantumsafe/openssh) | unsupported
| **Wireshark** | [Github: oqs-demos/wireshark](wireshark) | [Dockerhub: openquantumsafe/wireshark](https://hub.docker.com/repository/docker/openquantumsafe/wireshark) | unsupported
15 changes: 7 additions & 8 deletions nginx/Dockerfile-QUIC
@@ -1,11 +1,11 @@
FROM ubuntu:latest AS build

ARG NGINX_VERSION=1.26.1
ARG NGINX_VERSION=1.26.2

RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \
apt install -y g++ make git libssl-dev libpcre3 libpcre3-dev build-essential zlib1g-dev wget && \
apt install -y g++ make git libpcre3 libpcre3-dev build-essential zlib1g-dev wget && \
# liboqs deps
liboqs_pkgs="cmake gcc ninja-build libunwind-dev pkg-config python3 python3-psutil golang-go" && apt install -y $liboqs_pkgs && \
liboqs_pkgs="cmake gcc ninja-build libunwind-dev pkg-config python3" && apt install -y $liboqs_pkgs && \
# Download liboqs
git clone --branch main --single-branch --depth 1 https://github.com/open-quantum-safe/liboqs.git && \
# Download open-quantum-safe/boringssl
Expand All @@ -18,9 +18,9 @@ RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \
# prepare dir
cp -p ssl/libssl.so /usr/local/lib && cp -p crypto/libcrypto.so /usr/local/lib && cd ../.. && \
# Download nginx
wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O nginx.tgz && tar xvf nginx.tgz && \
wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O nginx.tgz && tar xvf nginx.tgz && mv nginx-${NGINX_VERSION} nginx && \
# build nginx
cd nginx-${NGINX_VERSION} && \
cd nginx && \
./configure \
--prefix=/etc/nginx \
--sbin-path=/usr/sbin/nginx \
Expand Down Expand Up @@ -62,9 +62,8 @@ RUN apt update && apt upgrade -y && mkdir /home/build && cd /home/build && \
make

FROM ubuntu:latest
ARG NGINX_VERSION=1.26.1
COPY --from=build /home/build/nginx-${NGINX_VERSION}/objs/nginx /usr/sbin/nginx
COPY --from=build /home/build/nginx-${NGINX_VERSION}/conf /etc/nginx
COPY --from=build /home/build/nginx/objs/nginx /usr/sbin/nginx
COPY --from=build /home/build/nginx/conf /etc/nginx
COPY --from=build /usr/local/lib /usr/local/lib
RUN set -x \
&& apt update && apt upgrade -y && apt install --no-install-recommends --no-install-suggests -y adduser libpcre3 && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
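Review bot: The rewritten download line `wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -O nginx.tgz && tar xvf nginx.tgz && mv nginx-${NGINX_VERSION} nginx && \` in the second hunk still extracts the tarball without checking its integrity; the `RUN` that contains it starts and ends outside the hunk. Now that `ARG NGINX_VERSION=1.26.2` pins the release, a fixed digest can be checked before extraction, e.g. `echo "<EXPECTED_SHA256_OF_NGINX_TARBALL>  nginx.tgz" | sha256sum -c - && \` inserted between the `wget` and the `tar` (placeholder to be taken from the release's published signature or checksum). Dropping `ARG NGINX_VERSION` from the runtime stage is consistent with the new `/home/build/nginx` copy paths, so nothing else depends on it there. The `FROM ubuntu:latest` base and the `git clone --branch main` of liboqs also float, but those lines are context rather than part of this change.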
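--- a/nginx/nginx-conf/nginx-quic.conf
+++ b/nginx/nginx-conf/nginx-quic.conf
@@ -0,0 +1,49 @@
+
+#user nobody;
+worker_processes 1;
+
+events {
+worker_connections 1024;
+}
+
+http {
+include mime.types;
+default_type application/octet-stream;
+sendfile on;
+keepalive_timeout 65;
+gzip on;
+
+server {
+listen 443 ssl;
+listen 443 quic reuseport;
+listen [::]:443 ssl;
+listen [::]:443 quic reuseport;
+
+http2 on;
+http3 on;
+ssl_early_data on;
+quic_retry on;
+add_header Alt-Svc 'h3=":443"; ma=86400';
+
+server_name host.docker.internal;
+ssl_certificate /certs/server.crt;
+ssl_certificate_key /certs/server.key;
+
+ssl_ecdh_curve 'mlkem1024:bikel3:hqc192:x25519_frodo640shake';
+
+location / {
+add_header Content-Type text/plain;
+return 200 'OK';
+}
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;
+ssl_session_tickets off;
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+add_header Strict-Transport-Security "max-age=63072000" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+}
+}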
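Review bot: `add_header Content-Type text/plain;` inside the `location /` block cancels every `add_header` inherited from the `server` block, because nginx inherits add_header directives from the enclosing level only when the current level defines none; responses for `/` therefore carry neither the `Alt-Svc: h3=":443"` advertisement that the QUIC demo relies on nor the HSTS, X-Frame-Options and X-Content-Type-Options headers declared further down. Replace that line with `default_type text/plain;`, which sets the Content-Type of the `return 200 'OK';` response without opening a new add_header scope and without emitting a second Content-Type header alongside the http-level `default_type application/octet-stream`. `ssl_early_data on;` accepts replayable 0-RTT data, which is harmless for a static `return` but deserves a comment such as `# 0-RTT is replayable; do not reuse this block in front of a non-idempotent backend` if the file is copied as a template. `X-XSS-Protection` is ignored or disabled by current browsers and can be dropped.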
