stefan 65a0084f91 docs: Added migration plan for project restructuring
- Detailed plan for migrating from the old to the new module structure
- Covers moving shared-kernel to the core modules
- Defines the migration of business domains to bounded contexts:
  * master-data → masterdata module
  * member-management → members module
  * horse-registry → horses module
  * event-management → events module
- Describes relocating api-gateway to infrastructure/gateway
- Structured according to Domain-driven Design principles
- Takes Clean Architecture layering into account (domain, application, infrastructure, api)
2025-07-25 13:05:42 +02:00
README-de.md docs: Added migration plan for project restructuring 2025-07-25 13:05:42 +02:00
README.md refactor: Migrate from monolithic to modular architecture 2025-07-24 14:20:48 +02:00

SSL/TLS Certificate Setup for Production

This directory holds the TLS certificates and private keys that secure the Meldestelle services in production. Only the directory layout and this README belong in version control; the private keys themselves must never be committed.

Directory Structure

config/ssl/
├── postgres/          # PostgreSQL SSL certificates
├── redis/             # Redis TLS certificates
├── keycloak/          # Keycloak HTTPS certificates
├── prometheus/        # Prometheus HTTPS certificates
├── grafana/           # Grafana HTTPS certificates
├── nginx/             # Nginx SSL certificates
└── README.md          # This file

Certificate Requirements

1. PostgreSQL SSL Certificates

Place the following files in config/ssl/postgres/:

  • server.crt - Server certificate
  • server.key - Server private key
  • ca.crt - Certificate Authority certificate

PostgreSQL refuses to start if the key is readable by group or others: inside the container server.key must be mode 0600 and owned by the user running postgres, or mode 0640 and owned by root.

2. Redis TLS Certificates

Place the following files in config/ssl/redis/:

  • redis.crt - Redis server certificate (tls-cert-file)
  • redis.key - Redis server private key (tls-key-file)
  • ca.crt - Certificate Authority certificate (tls-ca-cert-file)
  • redis.dh - Diffie-Hellman parameters (tls-dh-params-file)

3. Keycloak HTTPS Certificates

Place the following files in config/ssl/keycloak/:

  • server.crt.pem - Server certificate in PEM format
  • server.key.pem - Server private key in PEM format

These names match the paths Keycloak reads by default for https-certificate-file and https-certificate-key-file when the files are placed in /opt/keycloak/conf.

4. Prometheus HTTPS Certificates

Place the following files in config/ssl/prometheus/:

  • prometheus.crt - Prometheus server certificate
  • prometheus.key - Prometheus server private key
  • web.yml - Prometheus web configuration file (passed with --web.config.file; its tls_server_config section points cert_file and key_file at the two files above)

5. Grafana HTTPS Certificates

Place the following files in config/ssl/grafana/:

  • server.crt - Grafana server certificate
  • server.key - Grafana server private key

6. Nginx SSL Certificates

Place the following files in config/ssl/nginx/:

  • server.crt - Main SSL certificate (the full chain: leaf certificate followed by intermediates)
  • server.key - Main SSL private key
  • dhparam.pem - Diffie-Hellman parameters (only used by DHE cipher suites; ECDHE suites do not need them)

Generating Self-Signed Certificates (Development/Testing)

⚠️ Warning: Only use self-signed certificates for development and testing. Use proper CA-signed certificates in production.

Generate CA Certificate

Keep ca.key outside the service directories (they are mounted into containers) and out of version control; only ca.crt is distributed.

# Create CA private key
openssl genrsa -out ca.key 4096
chmod 600 ca.key

# Create CA certificate
openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=Meldestelle/OU=IT/CN=Meldestelle-CA"

Generate Server Certificates

Browsers and most TLS libraries match the hostname against the subjectAltName extension and ignore the CN, so each certificate must carry a SAN for every name clients use. openssl x509 -req adds no extensions unless an extension file is supplied.

# For each service, generate private key and certificate signing request
openssl genrsa -out server.key 2048
chmod 600 server.key
openssl req -new -key server.key -out server.csr \
  -subj "/C=AT/ST=Vienna/L=Vienna/O=Meldestelle/OU=IT/CN=your-domain.com"

# Leaf extensions: SAN with every name clients connect to, server-auth only, not a CA
printf 'subjectAltName=DNS:your-domain.com,DNS:localhost\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' > server.ext

# Sign the certificate with CA
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -extfile server.ext -out server.crt

# Clean up
rm server.csr server.ext

Rename the output to the file names each service expects (redis.crt/redis.key, server.crt.pem/server.key.pem for Keycloak, prometheus.crt/prometheus.key) and copy ca.crt into config/ssl/postgres/ and config/ssl/redis/.

Generate Diffie-Hellman Parameters

openssl dhparam -out dhparam.pem 2048
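
The steps above as one script, added here as an example (it is not part of the project): it creates the CA, then one SAN-bearing certificate per service under the file names listed in the directory layout, copies ca.crt to where PostgreSQL and Redis expect it, and generates the DH parameters last because that step is slow. The hostnames in gen_all (docker-compose service names, your-domain.com for Nginx) and the config/ssl/ca/ directory for the CA key are assumptions.

```shell
#!/bin/sh
# Added example (not part of the project): generate a development CA and one
# SAN-bearing server certificate per service, using the file names this README
# expects under config/ssl/. Hostnames are an assumption (docker-compose service
# names plus localhost); adjust them to what clients actually connect to.
set -eu

SSL_ROOT="${SSL_ROOT:-config/ssl}"
CA_DIR="${CA_DIR:-$SSL_ROOT/ca}"   # assumption: CA key lives outside the service dirs
SUBJ_PREFIX="/C=AT/ST=Vienna/L=Vienna/O=Meldestelle/OU=IT"

# Create the CA key and self-signed CA certificate (the only key that signs leafs).
gen_ca() {
  mkdir -p "$CA_DIR"
  openssl genrsa -out "$CA_DIR/ca.key" 4096 2>/dev/null
  chmod 600 "$CA_DIR/ca.key"
  openssl req -new -x509 -days 365 -key "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
    -subj "$SUBJ_PREFIX/CN=Meldestelle-CA"
}

# gen_server_cert DIR BASENAME SUFFIX HOST
#   writes DIR/BASENAME.key$SUFFIX and DIR/BASENAME.crt$SUFFIX signed by the CA,
#   with subjectAltName = DNS:HOST, DNS:localhost, IP:127.0.0.1.
gen_server_cert() {
  dir="$1"; base="$2"; suffix="$3"; host="$4"
  key="$dir/$base.key$suffix"; crt="$dir/$base.crt$suffix"; csr="$dir/$base.csr"
  ext="$(mktemp)"
  mkdir -p "$dir"
  # Clients ignore the CN and require a SAN, so the extension file is mandatory.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:localhost,IP:127.0.0.1\n' "$host" > "$ext"
  openssl genrsa -out "$key" 2048 2>/dev/null
  chmod 600 "$key"
  openssl req -new -key "$key" -out "$csr" -subj "$SUBJ_PREFIX/CN=$host"
  openssl x509 -req -days 365 -in "$csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -CAcreateserial -extfile "$ext" -out "$crt" 2>/dev/null
  chmod 644 "$crt"
  rm -f "$csr" "$ext"
}

# DH parameters for Nginx (dhparam.pem) and Redis (redis.dh); generated once, then copied.
gen_dh() {
  mkdir -p "$SSL_ROOT/nginx" "$SSL_ROOT/redis"
  openssl dhparam -out "$SSL_ROOT/nginx/dhparam.pem" 2048 2>/dev/null
  cp "$SSL_ROOT/nginx/dhparam.pem" "$SSL_ROOT/redis/redis.dh"
}

gen_all() {
  gen_ca
  gen_server_cert "$SSL_ROOT/postgres"   server     ""   postgres
  gen_server_cert "$SSL_ROOT/redis"      redis      ""   redis
  gen_server_cert "$SSL_ROOT/keycloak"   server     .pem keycloak
  gen_server_cert "$SSL_ROOT/prometheus" prometheus ""   prometheus
  gen_server_cert "$SSL_ROOT/grafana"    server     ""   grafana
  gen_server_cert "$SSL_ROOT/nginx"      server     ""   your-domain.com
  # PostgreSQL and Redis expect the CA certificate beside their own files.
  cp "$CA_DIR/ca.crt" "$SSL_ROOT/postgres/ca.crt"
  cp "$CA_DIR/ca.crt" "$SSL_ROOT/redis/ca.crt"
  gen_dh
}

# Run everything only when invoked as: sh gen-dev-certs.sh --all
if [ "${1:-}" = "--all" ]; then gen_all; fi
```

Run it from the repository root as sh gen-dev-certs.sh --all (the file name is arbitrary). config/ssl/ca/ca.key is the signing key and must not be mounted into any container; clients that should trust these certificates get config/ssl/ca/ca.crt.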

Production Certificate Setup

Option 1: Let's Encrypt (Certbot)

Use Certbot to obtain free, publicly trusted certificates for the public hostname served by Nginx. Let's Encrypt only issues for names that resolve on the public Internet, so the internal services (PostgreSQL, Redis, Keycloak, Prometheus, Grafana) are normally covered by Option 3 instead.

# Install certbot
sudo apt-get install certbot

# Obtain certificates (--standalone binds port 80 itself, so stop nginx first,
# or use --webroot with a path nginx already serves)
sudo certbot certonly --standalone -d your-domain.com -d www.your-domain.com

# Copy certificates to appropriate directories (fullchain.pem includes the
# intermediate certificate that clients need to build the chain)
sudo cp /etc/letsencrypt/live/your-domain.com/fullchain.pem config/ssl/nginx/server.crt
sudo cp /etc/letsencrypt/live/your-domain.com/privkey.pem config/ssl/nginx/server.key
sudo chmod 600 config/ssl/nginx/server.key

Option 2: Commercial CA

  1. Generate a Certificate Signing Request (CSR) per service, with every hostname clients use in the subjectAltName
  2. Submit CSRs to your Certificate Authority
  3. Download the signed certificates together with the CA's intermediate certificates
  4. Place the leaf certificate followed by the intermediates in the service's certificate file (server.crt etc.), with the private key beside it

Option 3: Internal CA

If using an internal Certificate Authority, which is the usual choice for the services that are only reachable inside the Docker network:

  1. Generate CSRs for each service, with subjectAltName entries for the names clients connect to (for example the docker-compose service names)
  2. Sign certificates with your internal CA
  3. Distribute the CA certificate to all clients: ca.crt in config/ssl/postgres/ and config/ssl/redis/, and the trust store of every container that verifies these connections (for example sslrootcert for a libpq client)

File Permissions

Ensure proper file permissions for security. The commands below cover every key name used in this layout and are meant to be run from the repository root:

# Set restrictive permissions on private keys
chmod 600 config/ssl/*/server.key
chmod 600 config/ssl/*/server.key.pem
chmod 600 config/ssl/*/redis.key
chmod 600 config/ssl/*/prometheus.key

# Set readable permissions on certificates and DH parameters (public data)
chmod 644 config/ssl/*/*.crt config/ssl/*/*.crt.pem
chmod 644 config/ssl/*/dhparam.pem config/ssl/*/redis.dh

# Set directory permissions
chmod 755 config/ssl/*/

PostgreSQL additionally checks ownership at startup: inside the container server.key must be mode 0600 and owned by the user running postgres, or mode 0640 and owned by root. The host-side owner of config/ssl/postgres/server.key therefore has to be root or the uid of the postgres user in the image.

Docker Volume Mounts

The certificates are mounted as read-only volumes in the Docker containers. Mount the Keycloak files individually: bind-mounting a host directory over /opt/keycloak/conf hides keycloak.conf and the other files the image ships in that directory.

volumes:
  - ./config/ssl/nginx:/etc/ssl/nginx:ro
  - ./config/ssl/keycloak/server.crt.pem:/opt/keycloak/conf/server.crt.pem:ro
  - ./config/ssl/keycloak/server.key.pem:/opt/keycloak/conf/server.key.pem:ro
  # ... other mounts

Certificate Renewal

Automated Renewal (Let's Encrypt)

Let's Encrypt certificates are valid for 90 days, so renewal must be automated. A plain "restart nginx" post-hook misses two things: certbot renews into /etc/letsencrypt, not into config/ssl/nginx, so the files have to be copied again before the restart; and a lineage obtained with --standalone needs port 80 free while nginx is holding it, so nginx must be stopped in a pre-hook (or the lineage switched to --webroot). Set up a cron job; replace /path/to/meldestelle with the absolute repository path, because cron does not run from it:

# Add to crontab (one line)
0 12 * * * /usr/bin/certbot renew --quiet --pre-hook "docker-compose -f /path/to/meldestelle/docker-compose.prod.yml stop nginx" --deploy-hook "cp /etc/letsencrypt/live/your-domain.com/fullchain.pem /path/to/meldestelle/config/ssl/nginx/server.crt && cp /etc/letsencrypt/live/your-domain.com/privkey.pem /path/to/meldestelle/config/ssl/nginx/server.key && chmod 600 /path/to/meldestelle/config/ssl/nginx/server.key" --post-hook "docker-compose -f /path/to/meldestelle/docker-compose.prod.yml start nginx"
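
An added example of a certbot deploy hook (not the project's own script) for use with --deploy-hook instead of an inline command: it checks that the renewed key actually matches the renewed certificate and that the certificate is not about to expire, swaps the files into config/ssl/nginx with the permissions required above, and restarts nginx. The target directory and restart command are assumptions; certbot itself sets RENEWED_LINEAGE when it calls the hook.

```shell
#!/bin/sh
# Added example (not part of the project): a certbot deploy hook that installs the
# renewed lineage into config/ssl/nginx and restarts nginx. certbot exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/your-domain.com) to deploy hooks.
# The target directory and restart command are assumptions; override via env.
set -eu

SSL_NGINX_DIR="${SSL_NGINX_DIR:-/path/to/meldestelle/config/ssl/nginx}"
RESTART_CMD="${RESTART_CMD:-docker-compose -f /path/to/meldestelle/docker-compose.prod.yml restart nginx}"

# True when the public key inside CERT equals the public key derived from KEY;
# a mismatched pair is the classic cause of a "key values mismatch" startup error.
cert_matches_key() {
  c="$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)"
  k="$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)"
  [ "$c" = "$k" ]
}

# install_nginx_cert LINEAGE_DIR TARGET_DIR
#   validates fullchain.pem/privkey.pem, then swaps them in as server.crt/server.key;
#   install(1) sets the mode before the file is visible, rename makes the swap atomic.
install_nginx_cert() {
  lineage="$1"; target="$2"
  cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem" \
    || { echo "refusing: privkey.pem does not match fullchain.pem in $lineage" >&2; return 1; }
  # -checkend 86400: refuse a "renewed" certificate that expires within a day
  openssl x509 -in "$lineage/fullchain.pem" -noout -checkend 86400 >/dev/null \
    || { echo "refusing: certificate in $lineage is expired or about to expire" >&2; return 1; }
  mkdir -p "$target"
  install -m 644 "$lineage/fullchain.pem" "$target/server.crt.new"
  install -m 600 "$lineage/privkey.pem" "$target/server.key.new"
  mv "$target/server.crt.new" "$target/server.crt"
  mv "$target/server.key.new" "$target/server.key"
}

# Only act when called by certbot (the variable is unset in an interactive shell).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  install_nginx_cert "$RENEWED_LINEAGE" "$SSL_NGINX_DIR"
  sh -c "$RESTART_CMD"
fi
```

Install it somewhere root can execute it and pass that path to certbot renew --deploy-hook; the cert_matches_key function on its own is also the quickest way to confirm that a server.crt/server.key pair belongs together.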

Manual Renewal

  1. Generate new certificates
  2. Replace old certificates in the SSL directories, keeping the file names and permissions described above
  3. Restart the affected services (every service reads its certificate only at startup, so include postgres and redis when their files changed):
    docker-compose -f docker-compose.prod.yml restart nginx keycloak grafana prometheus
    

Security Best Practices

  1. Use Strong Encryption: Use at least 2048-bit RSA keys or 256-bit ECDSA (P-256) keys, and TLS 1.2 or newer
  2. Regular Rotation: Rotate certificates regularly (Let's Encrypt certificates expire after 90 days; CA-signed ones should be rotated at least annually)
  3. Secure Storage: Store private keys securely, keep them out of version control and limit access to the accounts that need them
  4. Monitor Expiration: Set up monitoring for certificate expiration that alerts well before the notAfter date
  5. Use HSTS: Enable HTTP Strict Transport Security in Nginx once every path is served over HTTPS
  6. Perfect Forward Secrecy: Prefer TLS 1.3 and ECDHE cipher suites; the DH parameters are only needed for the older DHE suites
  7. Certificate Transparency: Monitor CT logs for certificates issued for your domains that you did not request

Troubleshooting

Common Issues

  1. Permission Denied

    # Fix file permissions: directories and certificates world-readable, keys owner-only.
    # Do not chmod -R 755 the whole tree; that leaves every private key world-readable.
    sudo chown -R $USER:$USER config/ssl/
    chmod 755 config/ssl/*/
    chmod 644 config/ssl/*/*.crt
    chmod 600 config/ssl/*/server.key config/ssl/*/server.key.pem config/ssl/*/redis.key config/ssl/*/prometheus.key
    
    Exception: config/ssl/postgres/server.key must stay owned by the container's postgres user (mode 0600) or by root (mode 0640), otherwise PostgreSQL refuses to start.

  2. Certificate Verification Failed

    # Inspect the certificate: check Issuer, Not Before/Not After and Subject Alternative Name
    openssl x509 -in config/ssl/nginx/server.crt -text -noout
    
    # Check the certificate chain against the CA that issued it (in this layout ca.crt is
    # kept in config/ssl/postgres/ and config/ssl/redis/; for a publicly trusted
    # certificate omit -CAfile so the system trust store is used)
    openssl verify -CAfile config/ssl/postgres/ca.crt config/ssl/postgres/server.crt
    
  3. TLS Handshake Errors

    • Check certificate validity dates
    • Verify that the subjectAltName contains the exact hostname clients connect to (a matching CN alone is not enough)
    • Verify that the private key belongs to the certificate (a mismatch shows up as a "key values mismatch" error at service start)
    • Ensure proper cipher suite configuration

Testing SSL Configuration

# Test SSL certificate (pass the issuing CA, or omit -CAfile for a public CA;
# the output must contain "Verify return code: 0 (ok)")
openssl s_client -connect your-domain.com:443 -servername your-domain.com -CAfile ca.crt </dev/null

# Test with specific protocol
openssl s_client -connect your-domain.com:443 -servername your-domain.com -tls1_2 </dev/null

# Check certificate expiration
openssl x509 -in config/ssl/nginx/server.crt -noout -dates
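
An added audit script (not part of the project) that applies the checks from this section and from "Monitor Expiration" above to every file in the layout without a running service: chain verification, SAN match for the expected hostname, expiry with a warning window, and key permissions. probe_tls performs the live handshake against a running service, including PostgreSQL, which upgrades to TLS inside its own protocol. The hostnames in audit_all and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example (not part of the project): offline audit of the certificates under
# config/ssl/ (chain, hostname present in the SAN, expiry window, key permissions),
# plus a live handshake probe. The hostnames in audit_all are assumptions
# (docker-compose service names); adjust them to what clients actually connect to.
set -eu

SSL_ROOT="${SSL_ROOT:-config/ssl}"
WARN_DAYS="${WARN_DAYS:-30}"

# True when CERT expires within DAYS days (-checkend avoids parsing date strings).
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
    return 1
  fi
  return 0
}

# True when CERT is valid for HOST, i.e. the same SAN/CN check a client performs.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True when KEY is readable by its owner only (0600 or stricter).
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_cert CERT KEY CA HOST
#   CA="-" verifies against the system trust store and treats any extra certificates
#   in CERT (a Let's Encrypt fullchain.pem) as intermediates.
audit_cert() {
  cert="$1"; key="$2"; ca="$3"; host="$4"; rc=0
  [ -f "$cert" ] && [ -f "$key" ] || { echo "FAIL $cert: certificate or key missing"; return 1; }
  if [ "$ca" = "-" ]; then
    openssl verify -untrusted "$cert" "$cert" >/dev/null 2>&1 \
      || { echo "FAIL $cert: chain does not verify against the system trust store"; rc=1; }
  else
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
      || { echo "FAIL $cert: chain does not verify against $ca"; rc=1; }
  fi
  cert_matches_host "$cert" "$host" || { echo "FAIL $cert: does not match hostname $host"; rc=1; }
  if cert_expires_within "$cert" 0; then
    echo "FAIL $cert: expired"; rc=1
  elif cert_expires_within "$cert" "$WARN_DAYS"; then
    echo "WARN $cert: expires within $WARN_DAYS days"
  fi
  key_is_private "$key" || { echo "FAIL $key: private key readable by group or others"; rc=1; }
  if [ "$rc" -eq 0 ]; then echo "OK   $cert ($host)"; fi
  return "$rc"
}

# Walk the layout from this README. The CA column is the CA file beside the
# certificate, or "-" for a publicly trusted certificate.
audit_all() {
  failed=0
  while read -r dir crt key ca host; do
    case "$ca" in -) capath=- ;; *) capath="$SSL_ROOT/$dir/$ca" ;; esac
    audit_cert "$SSL_ROOT/$dir/$crt" "$SSL_ROOT/$dir/$key" "$capath" "$host" || failed=1
  done <<EOF
postgres   server.crt     server.key     ca.crt postgres
redis      redis.crt      redis.key      ca.crt redis
keycloak   server.crt.pem server.key.pem -      keycloak
prometheus prometheus.crt prometheus.key -      prometheus
grafana    server.crt     server.key     -      grafana
nginx      server.crt     server.key     -      your-domain.com
EOF
  return "$failed"
}

# probe_tls HOST PORT CA [STARTTLS]: handshake with a running service and verify the
# chain; PostgreSQL negotiates TLS in-protocol, so use "postgres" as STARTTLS for 5432.
probe_tls() {
  host="$1"; port="$2"; ca="$3"; starttls="${4:-}"
  set -- -connect "$host:$port" -servername "$host" -CAfile "$ca"
  [ -z "$starttls" ] || set -- "$@" -starttls "$starttls"
  openssl s_client "$@" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Usage: sh audit-certs.sh --all   (exit status 1 if any certificate fails)
if [ "${1:-}" = "--all" ]; then audit_all; fi
```

Run it from the repository root as sh audit-certs.sh --all, or from cron with WARN_DAYS set to the lead time the renewal process needs; a non-zero exit status is the signal to alert on. For the self-signed setup, set the CA column of the internal services to ca.crt and place a copy of the CA certificate beside each of them.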

Support

For certificate-related issues:

  1. Check service logs: docker-compose -f docker-compose.prod.yml logs [service-name]
  2. Verify certificate files exist and have correct permissions
  3. Test SSL configuration with OpenSSL tools
  4. Consult service-specific SSL documentation