diff --git a/application.Dockerfile b/application.Dockerfile
index 89583f3..58eadb3 100644
--- a/application.Dockerfile
+++ b/application.Dockerfile
@@ -42,9 +42,9 @@ STOPSIGNAL SIGWINCH
COPY docker/apache-foreground /usr/local/bin/
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
-COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/
-COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/
-COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt
+COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
COPY docker/cacert.conf /etc/apache2/conf-available/
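Review bot: The chain file at L14 lands in `/etc/ssl/apache2/certs/combined.crt` while the certificates and keys two lines above go under `/etc/apache2/ssl/`; apache-virtualhost.conf L229 reads the same `/etc/ssl/apache2/...` path, so the pair is internally consistent, but cats.Dockerfile (L45) and apache-mgr-virtualhost.conf (L194) use `/etc/apache2/ssl/certs/combined.crt`, so this looks like a transposed path rather than a deliberate second layout. Changing L14 to `COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt` and L229 to `SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt` puts all three images on one layout. The mgr vhost now also references `/etc/apache2/ssl/certs/clientca.crt` (L195), but no COPY of that file appears in this hunk; if the mgr image is built from this Dockerfile it needs the same `COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt` that cats.Dockerfile has at L46. `COPY` preserves the source files' modes, so the key material at L13 is only as protected as the checked-in .pem files are — worth confirming even for a test CA.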
diff --git a/cats.Dockerfile b/cats.Dockerfile
new file mode 100644
index 0000000..870ce48
--- /dev/null
+++ b/cats.Dockerfile
@@ -0,0 +1,42 @@
+FROM debian:jessie
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ gettext \
+ libapache2-mod-php5 \
+ locales-all \
+ nullmailer \
+ php5-mysql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+STOPSIGNAL SIGWINCH
+
+COPY docker/apache-cats-foreground /usr/local/bin/
+COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
+COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
+COPY testca/certs/cats.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/cats.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt
+COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
+
+COPY docker/apache-cats-virtualhost.conf /etc/apache2/sites-available/cats.cacert.localhost.conf
+
+VOLUME /var/www/cats
+
+RUN a2ensite cats.cacert.localhost ; \
+ a2dissite 000-default ; \
+ a2enmod headers ; \
+ a2enmod rewrite ; \
+ a2enmod ssl ; \
+ cd /usr/local/share/ca-certificates ; \
+ curl -O http://www.cacert.org/certs/root_X0F.crt ; \
+ curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+ update-ca-certificates
+
+EXPOSE 443
+
+CMD ["/usr/local/bin/apache-cats-foreground"]
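Review bot: The trust-store step at L57-L60 fetches two CA certificates over plain HTTP with no integrity check and feeds them straight into `update-ca-certificates`, and because the commands are joined with `;` a failed or truncated download (or a failed `a2enmod`) still produces a successful build. Anything placed in that directory becomes a system trust anchor for the image, so the files should be pinned by digest (or vendored into the repo and `COPY`'d like the testca files at L41-L42) and the chain should be `&&`-joined so any failure aborts the build; switching the URLs to https is not a substitute on its own, since cacert.org's own chain is not in a stock Debian trust store and the fetch would then fail verification. `debian:jessie` at L23 is end-of-life and not pinned by digest, so the image drifts between builds and receives no fixes for the PHP 5 stack installed at L31/L34; pinning the tag by digest is the minimum. The `cd` at L57 is also unnecessary once the download targets are spelled out in full.

```dockerfile
# … unchanged: FROM, apt-get install, STOPSIGNAL, COPY and VOLUME lines above …

RUN a2ensite cats.cacert.localhost \
 && a2dissite 000-default \
 && a2enmod headers rewrite ssl

# Pin the downloaded roots by digest: anything placed in this directory becomes a
# system trust anchor after update-ca-certificates. Replace the placeholders with
# the sha256 of the known-good files (or COPY the files from the repo instead).
RUN curl -fsS -o /usr/local/share/ca-certificates/root_X0F.crt http://www.cacert.org/certs/root_X0F.crt \
 && curl -fsS -o /usr/local/share/ca-certificates/class3_X0E.crt http://www.cacert.org/certs/class3_X0E.crt \
 && echo "<SHA256_ROOT_X0F_PLACEHOLDER>  /usr/local/share/ca-certificates/root_X0F.crt" | sha256sum -c - \
 && echo "<SHA256_CLASS3_X0E_PLACEHOLDER>  /usr/local/share/ca-certificates/class3_X0E.crt" | sha256sum -c - \
 && update-ca-certificates

# … unchanged: EXPOSE 443 and CMD below …
```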
diff --git a/docker-compose.yml b/docker-compose.yml
index 5487f09..97c5c3e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
dockerfile: mariadb.Dockerfile
env_file:
- ./.env
+ environment:
+ MYSQL_CATS_DATABASE: cats
volumes:
- db:/var/lib/mysql
ports:
@@ -66,7 +68,23 @@ services:
- db
- mail
volumes:
- - ./cacert-mgr:/var/www
+ - ./cacert-mgr:/var/www/mgr
+ cats:
+ build:
+ context: .
+ dockerfile: cats.Dockerfile
+ env_file:
+ - ./.env
+ environment:
+ CATS_NORMAL_HOSTNAME: "cats.cacert.localhost:7443"
+ CATS_SECURE_HOSTNAME: "cats.cacert.localhost:7443"
+ MYSQL_CATS_DATABASE: cats
+ ports:
+ - "7443:443"
+ depends_on:
+ - db
+ volumes:
+ - ./cacert-cats:/var/www/cats
volumes:
db: { }
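Review bot: `MYSQL_CATS_DATABASE: cats` is now hard-coded twice, under the db service (L74) and under cats (L93), and initdb.sh and apache-cats-foreground must both see the same value; since both services already load `./.env` (L71-L72, L88-L89), defining it once there removes the chance of the two drifting apart. The cats foreground script also reads MYSQL_CATS_USER and MYSQL_CATS_PASSWORD, which nothing in this compose change sets, so they presumably come from `.env` — if the repo keeps an example env file, an entry for them would document that. CATS_NORMAL_HOSTNAME and CATS_SECURE_HOSTNAME are both `cats.cacert.localhost:7443` (L91-L92), so the application's "secure" hostname resolves to the same vhost as the normal one; fine for a test harness if intentional, but a comment such as `# both hostnames map to the single cats vhost in this setup` would stop the next reader from treating it as a copy-paste slip.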
diff --git a/docker/apache-cats-foreground b/docker/apache-cats-foreground
new file mode 100755
index 0000000..b75131f
--- /dev/null
+++ b/docker/apache-cats-foreground
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -eux
+
+# Apache gets grumpy about PID files pre-existing
+rm -f /run/apache2/apache2.pid
+
+sed "s/@CATS_NORMAL_HOSTNAME@/${CATS_NORMAL_HOSTNAME}/g;
+ s/@CATS_SECURE_HOSTNAME@/${CATS_SECURE_HOSTNAME}/g;
+ s/@CATS_DB_HOSTNAME@/db/g;
+ s/@CATS_DB_USER@/${MYSQL_CATS_USER}/g;
+ s/@CATS_DB_PASSWORD@/${MYSQL_CATS_PASSWORD}/g;
+ s/@CATS_DATABASE@/${MYSQL_CATS_DATABASE}/g" \
+ /var/www/cats/includes/db_connect.inc.template > /var/www/cats/includes/db_connect.inc
+
+apache2ctl start "$@"
+
+exec tail -F --follow=name --retry /var/log/apache2/error.log
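Review bot: `set -eux` at L109 traces every command with its variables expanded, so the sed invocation at L114-L120 writes the expanded MYSQL_CATS_PASSWORD to stderr, which is the container's log stream; `set -eu` keeps the fail-fast behaviour without putting the password in `docker logs`. The same sed splices the raw values into a `/`-delimited script, so a password containing `/`, `&` or a newline either breaks the script or corrupts the generated file; escaping each value before substitution (for example through `sed 's/[\/&]/\\&/g'`) removes the constraint, or at least document it with `# MYSQL_CATS_* values must not contain / or & — they are spliced into a sed script unescaped`. The rendered db_connect.inc is written into /var/www/cats, which docker-compose bind-mounts from ./cacert-cats (L99), so the credentials also persist in the host checkout. apache-mgr-foreground carries the same `set -eux`/sed pattern at L162 (pre-existing).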
diff --git a/docker/apache-cats-virtualhost.conf b/docker/apache-cats-virtualhost.conf
new file mode 100644
index 0000000..2ff69e9
--- /dev/null
+++ b/docker/apache-cats-virtualhost.conf
@@ -0,0 +1,25 @@
+
+ ServerName cats.cacert.localhost
+ ServerAlias www.cats.cacert.localhost
+ DocumentRoot /var/www/cats
+
+ SSLEngine on
+ SSLStrictSNIVHostCheck on
+ SSLProtocol all -SSLv2 -SSLv3 -TLSv1
+ SSLHonorCipherOrder on
+ SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
+ SSLCertificateFile /etc/apache2/ssl/certs/cats.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/cats.cacert.localhost.key.pem
+
+ SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
+ SSLVerifyClient optional
+ SSLVerifyDepth 2
+ SSLOptions +StdEnvVars
+
+
+ Options Indexes FollowSymlinks MultiViews
+ AllowOverride Options FileInfo
+
+
+ Header always set Strict-Transport-Security "max-age=31536000"
+
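Review bot: apache-cats-foreground renders `includes/db_connect.inc` (containing the DB credentials) under the DocumentRoot set at L134, and this vhost enables `Options Indexes` at L150 with no rule for `.inc`; unless the application ships an .htaccess or a handler mapping for that extension, a request for `/includes/db_connect.inc` returns the file verbatim. Adding `<FilesMatch "\.inc$">` / `Require all denied` / `</FilesMatch>` inside the Directory block, and dropping `Indexes`, closes that regardless of what the application does. cats.Dockerfile copies `clientca.crt` to /etc/apache2/ssl/certs (L46) but this vhost never references it, whereas the mgr vhost pairs it with `SSLCADNRequestFile` (L195); either add `SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt` here so the optional client-cert prompt only advertises the test class3 CA, or drop the unused COPY. The `<VirtualHost>`/`<Directory>` tags appear to have been lost in rendering at L131, L149 and L153 and are presumably intact in the repository.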
diff --git a/docker/apache-mgr-foreground b/docker/apache-mgr-foreground
index 90f9c64..439e586 100755
--- a/docker/apache-mgr-foreground
+++ b/docker/apache-mgr-foreground
@@ -5,11 +5,14 @@ set -eux
rm -f /run/apache2/apache2.pid
sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_PASSWORD}/g" \
- /usr/local/etc/mgr-application.ini > /var/www/manager/application/configs/application.ini
+ /usr/local/etc/mgr-application.ini > /var/www/mgr/manager/application/configs/application.ini
mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
-VALUES (1, 2,'${CLIENT_CERT_EMAIL}','CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU');
+VALUES (
+ 1, 2,'${CLIENT_CERT_EMAIL}',
+ 'emailAddress=${CLIENT_CERT_EMAIL},CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU'
+);
UPDATE system_config SET config_value='1' WHERE config_key='log.file.enabled';
UPDATE system_config SET config_value='mail' WHERE config_key='imap.mailhost';
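Review bot: The new VALUES lines at L168-L171 splice CLIENT_CERT_EMAIL into single-quoted SQL literals twice (the login and the DN) with no escaping, so an apostrophe in the value breaks the REPLACE and the script aborts under `set -e` with only a MySQL syntax error to go on; the values come from the operator's `.env`, so for a dev harness a comment is enough, `# CLIENT_CERT_EMAIL/CLIENT_CERT_USERNAME are interpolated unquoted into SQL; keep them free of quotes`. The DN string now starts with `emailAddress=`, which has to match exactly how the application derives user_client_crt_s_dn_i_dn from the presented client certificate; a mismatch does not fail, it just yields a row that never matches a login, so this is worth confirming against the mgr code. The heredoc opened at L165 is terminated outside the hunk.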
diff --git a/docker/apache-mgr-virtualhost.conf b/docker/apache-mgr-virtualhost.conf
index 30417b7..8294671 100644
--- a/docker/apache-mgr-virtualhost.conf
+++ b/docker/apache-mgr-virtualhost.conf
@@ -1,23 +1,23 @@
ServerName mgr.cacert.localhost
ServerAlias www.mgr.cacert.localhost
- DocumentRoot /var/www/manager/public
+ DocumentRoot /var/www/mgr/manager/public
SSLEngine on
SSLStrictSNIVHostCheck on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
- SSLCertificateFile /etc/ssl/certs/mgr.cacert.localhost.crt.pem
- SSLCertificateKeyFile /etc/ssl/private/mgr.cacert.localhost.key.pem
- SSLCertificateChainFile /etc/ssl/certs/combined.crt
+ SSLCertificateFile /etc/apache2/ssl/certs/mgr.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/mgr.cacert.localhost.key.pem
- SSLCACertificateFile /etc/ssl/certs/combined.crt
+ SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
+ SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt
SSLVerifyClient optional
SSLVerifyDepth 2
SSLOptions +StdEnvVars
-
+
Options Indexes FollowSymlinks MultiViews
AllowOverride Options FileInfo
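Review bot: Dropping `SSLCertificateChainFile` (L190) means the class3 intermediate is now sent only if `/etc/apache2/ssl/certs/mgr.cacert.localhost.crt.pem` itself contains it; if that file is the leaf certificate alone, clients receive an incomplete chain and verification against the test root fails. Either append the intermediate to the server certificate file or keep the directive, which Apache 2.4.8+ deprecates but still honours: `SSLCertificateChainFile /etc/apache2/ssl/certs/combined.crt`. The new `SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt` at L195 is only copied into an image by cats.Dockerfile (L46) in this diff; whichever Dockerfile builds the mgr image needs the same COPY, otherwise mod_ssl presumably refuses to start on the missing file. `SSLVerifyDepth 2` with `SSLCACertificateFile` pointing at the full chain is unchanged and consistent with the cats vhost.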
diff --git a/docker/apache-virtualhost.conf b/docker/apache-virtualhost.conf
index 8d61b51..dbcf0f5 100644
--- a/docker/apache-virtualhost.conf
+++ b/docker/apache-virtualhost.conf
@@ -24,9 +24,8 @@
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
- SSLCertificateFile /etc/ssl/certs/test.cacert.localhost.crt.pem
- SSLCertificateKeyFile /etc/ssl/private/test.cacert.localhost.key.pem
- SSLCACertificateFile /etc/ssl/certs/combined.crt
+ SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem
Header always set Strict-Transport-Security "max-age=31536000"
@@ -50,11 +49,12 @@
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
- SSLCertificateFile /etc/ssl/certs/secure.test.cacert.localhost.crt.pem
- SSLCertificateKeyFile /etc/ssl/private/secure.test.cacert.localhost.key.pem
+ SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem
+
SSLVerifyClient require
SSLVerifyDepth 2
- SSLCACertificateFile /etc/ssl/certs/combined.crt
+ SSLCACertificateFile /etc/ssl/apache2/certs/combined.crt
#SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl
#SSLOCSPEnable on
#SSLOCSPDefaultResponder http://ocsp.cacert.localhost/
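Review bot: Both vhosts in this file still allow TLSv1 (`SSLProtocol all -SSLv2 -SSLv3` at L208 and L218) while the new cats vhost and the mgr vhost disable it with `-TLSv1`; since the second vhost here requires client certificates (L226), aligning both to `SSLProtocol all -SSLv2 -SSLv3 -TLSv1` keeps the test images on one policy. The removal of `SSLCACertificateFile` from the first vhost (L213) is harmless only if that vhost has no `SSLVerifyClient`; its block continues outside the hunk, so that could not be confirmed here. The blank line added at L225 separates the key material from the client-auth directives, which reads well.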
diff --git a/docker/initdb.sh b/docker/initdb.sh
index 9273d82..bca293f 100755
--- a/docker/initdb.sh
+++ b/docker/initdb.sh
@@ -4,6 +4,7 @@ set -eux
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci;
+CREATE database $MYSQL_CATS_DATABASE CHARSET latin1 COLLATE latin1_swedish_ci;
CREATE database mgr CHARSET utf8 COLLATE utf8_unicode_ci;
EOF
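Review bot: `$MYSQL_CATS_DATABASE` is spliced into the SQL as a bare identifier at L240, so any value that is not a plain word (a hyphen, a space, a reserved word) breaks the statement with nothing more helpful than a MySQL syntax error, and quoting it with backticks inside this unquoted heredoc would be parsed as command substitution by the shell. The db service sets it to `cats` (docker-compose L73-L74), which is fine, but the constraint deserves a line, `# MYSQL_CATS_DATABASE must be a plain identifier (letters, digits, _): it is interpolated unquoted into SQL`. The grant for MYSQL_CATS_USER that apache-cats-foreground relies on (it connects as that user to this database) is not in this hunk; the following hunk is cut off, so it may well be there.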
@@ -13,6 +14,11 @@ done
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" mgr