Simple to use, simple to deploy, one time self destruct messaging service, with hashicorp vault as a backend
sup3rS3cretMes5age!
A simple, secure self-destructing message service, using HashiCorp Vault product as a backend.
Read more about the reasoning behind this project in the relevant blog post.
Now using Let's Encrypt for simple and free SSL certs!
Deployment Testing it locally
You can just run docker-compose up --build
: it will build the Docker image and then run it alongside a standalone Vault server.
By default, the docker-compose.yml
is configured to run the webapp on port 8082 in cleartext HTTP (so you can access it on http://localhost:8082).
Optionally, you can modify the docker-compose.yml
and tweak the options (enable HTTPS, disable HTTP or enable redirection to HTTPS, etc.). See Configuration options.
Production Deployment
We recommend deploying the project via Docker and a container orchestration tool:
Dockerfile
You can read the configuration examples below.
Security notice!
Whatever deployment method you choose, you should always run this behind SSL/TLS, otherwise secrets will be sent unencrypted!
Depending on your infrastructure/deployment, you can have TLS termination either inside the container (see Configuration examples - TLS), or before e.g. at a load balancer/reverse proxy in front of the service. It is interesting to have TLS termination before the container so you don't have to manage the certificate/key there, but make sure the network between your TLS termination point and your container is secure.
Configuration options
VAULT_ADDR
: address of the Vault server used for storing the temporary secrets.VAULT_TOKEN
: Vault token used to authenticate to the Vault server.SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS
: HTTP binding address (e.g. :80
).SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS
: HTTPS binding address (e.g. :443
).SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED
: whether to enable HTTPS redirection or not (e.g. true
).SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN
: domain to use for "Auto" TLS, i.e. automatic generation of certificate with Let's Encrypt. See Configuration examples - TLS - Auto TLS.SUPERSECRETMESSAGE_TLS_CERT_FILEPATH
: certificate filepath to use for "manual" TLS.SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH
: certificate key filepath to use for "manual" TLS.SUPERSECRETMESSAGE_VAULT_PREFIX
: vault prefix for secrets (default cubbyhole/
)Configuration example
Here is an example of a functionnal docker-compose.yml file
version: '3.2'Configuration types Plain HTTPservices: vault: image: vault:latest container_name: vault environment: VAULT_DEV_ROOT_TOKEN_ID: root cap_add: - IPC_LOCK expose: - 8200
supersecret: build: ./ image: algolia/supersecretmessage:latest container_name: supersecret environment: VAULT_ADDR: http://vault:8200 VAULT_TOKEN: root SUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS: ":80" SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS: ":443" SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED: "true" SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN: secrets.example.com ports: - "80:80" - "443:443" depends_on: - vault
VAULT_ADDR=http://vault:8200 VAULT_TOKEN=rootTLS Auto TLSSUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS=:80
VAULT_ADDR=http://vault:8200 VAULT_TOKEN=rootAuto TLS with HTTP > HTTPS redirectionSUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS=:443 SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN=secrets.example.com
VAULT_ADDR=http://vault:8200 VAULT_TOKEN=rootManual TLSSUPERSECRETMESSAGE_HTTP_BINDING_ADDRESS=:80 SUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS=:443 SUPERSECRETMESSAGE_HTTPS_REDIRECT_ENABLED=true SUPERSECRETMESSAGE_TLS_AUTO_DOMAIN=secrets.example.com
VAULT_ADDR=http://vault:8200 VAULT_TOKEN=rootScreenshotSUPERSECRETMESSAGE_HTTPS_BINDING_ADDRESS=:443 SUPERSECRETMESSAGE_TLS_CERT_FILEPATH=/mnt/ssl/cert_secrets.example.com.pem SUPERSECRETMESSAGE_TLS_CERT_KEY_FILEPATH=/mnt/ssl/key_secrets.example.com.pem
Contributing
Pull requests are very welcome! They will be reviewed by our team at Algolia.
Thanks!
This project is heavaily depandent on Echo Go Web Frameworkand on Hashicorp Vault.
Twice a month we will interview people behind open source businesses. We will talk about how they are building a business on top of open source projects.
We'll never share your email with anyone else.