From 0c56512174157d9f567e5c155f06f3951de7265d Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Tue, 22 Dec 2020 15:51:13 +0100
Subject: [PATCH] Add cats to the docker-compose setup
---
 application.Dockerfile | 6 ++---
 cats.Dockerfile | 42 +++++++++++++++++++++++++++++
 docker-compose.yml | 20 +++++++++++++-
 docker/apache-cats-foreground | 17 ++++++++++++
 docker/apache-cats-virtualhost.conf | 25 +++++++++++++++++
 docker/apache-mgr-foreground | 7 +++--
 docker/apache-mgr-virtualhost.conf | 12 ++++-----
 docker/apache-virtualhost.conf | 12 ++++-----
 docker/initdb.sh | 10 ++++++-
 mariadb.Dockerfile | 3 ++-
 mgr.Dockerfile | 8 +++---
 setup_test_ca.sh | 4 +--
 12 files changed, 140 insertions(+), 26 deletions(-)
 create mode 100644 cats.Dockerfile
 create mode 100755 docker/apache-cats-foreground
 create mode 100644 docker/apache-cats-virtualhost.conf
diff --git a/application.Dockerfile b/application.Dockerfile
index 89583f3..58eadb3 100644
--- a/application.Dockerfile
+++ b/application.Dockerfile
@@ -42,9 +42,9 @@ STOPSIGNAL SIGWINCH
 COPY docker/apache-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
 COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
-COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/
-COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/
-COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt
+COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
 COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
 COPY docker/cacert.conf /etc/apache2/conf-available/
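Review bot: The destination on the third `+COPY` line, `/etc/ssl/apache2/certs/combined.crt`, transposes the directory order used by the two `+COPY` lines directly above it (`/etc/apache2/ssl/...`) and by cats.Dockerfile and docker/apache-mgr-virtualhost.conf in this same commit. It only works because the secure-vhost hunk of docker/apache-virtualhost.conf uses the same transposed path in `SSLCACertificateFile /etc/ssl/apache2/certs/combined.crt`; the two lines are silently coupled, and an operator looking for Apache's TLS material under `/etc/apache2/ssl` will not find the CA bundle. Suggested: `COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt` here and `SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt` in that hunk, so every image in the compose setup keeps the bundle at one path.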
diff --git a/cats.Dockerfile b/cats.Dockerfile
new file mode 100644
index 0000000..870ce48
--- /dev/null
+++ b/cats.Dockerfile
@@ -0,0 +1,42 @@
+FROM debian:jessie
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ curl \
+ gettext \
+ libapache2-mod-php5 \
+ locales-all \
+ nullmailer \
+ php5-mysql \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
+STOPSIGNAL SIGWINCH
+
+COPY docker/apache-cats-foreground /usr/local/bin/
+COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
+COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
+COPY testca/certs/cats.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/cats.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt
+COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
+
+COPY docker/apache-cats-virtualhost.conf /etc/apache2/sites-available/cats.cacert.localhost.conf
+
+VOLUME /var/www/cats
+
+RUN a2ensite cats.cacert.localhost ; \
+ a2dissite 000-default ; \
+ a2enmod headers ; \
+ a2enmod rewrite ; \
+ a2enmod ssl ; \
+ cd /usr/local/share/ca-certificates ; \
+ curl -O http://www.cacert.org/certs/root_X0F.crt ; \
+ curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
+ update-ca-certificates
+
+EXPOSE 443
+
+CMD ["/usr/local/bin/apache-cats-foreground"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 5487f09..97c5c3e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -7,6 +7,8 @@ services:
 dockerfile: mariadb.Dockerfile
 env_file:
 - ./.env
+environment:
+MYSQL_CATS_DATABASE: cats
 volumes:
 - db:/var/lib/mysql
 ports:
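Review bot: The second `RUN` in cats.Dockerfile chains its steps with `;` instead of `&&`, so a failing `a2ensite`, `a2enmod` or `curl` does not fail the build and `update-ca-certificates` runs regardless, and the two `curl -O http://www.cacert.org/certs/...` fetches install trust anchors into `/usr/local/share/ca-certificates` over plain HTTP with no integrity check, which means a truncated or substituted download silently becomes a trusted root for every TLS client in the image. Chain with `&&`, pass `-f` so HTTP errors are fatal, write to absolute paths instead of `cd`, and verify each file against a pinned SHA-256 before `update-ca-certificates`; the placeholders below must be replaced with the real digests of the published files, and https can be used for the fetch if the cacert.org site validates with the image's trust store. The `FROM debian:jessie` base reached the end of its LTS support before this commit was made; that is shared with the other Dockerfiles in this repository and is out of scope here, but it is worth tracking.
```dockerfile
# … unchanged: FROM, apt-get install, STOPSIGNAL, COPY lines, VOLUME …
RUN a2ensite cats.cacert.localhost \
 && a2dissite 000-default \
 && a2enmod headers \
 && a2enmod rewrite \
 && a2enmod ssl \
 && curl -fsSo /usr/local/share/ca-certificates/root_X0F.crt http://www.cacert.org/certs/root_X0F.crt \
 && curl -fsSo /usr/local/share/ca-certificates/class3_X0E.crt http://www.cacert.org/certs/class3_X0E.crt \
 && echo "<SHA256_OF_ROOT_X0F_PLACEHOLDER>  /usr/local/share/ca-certificates/root_X0F.crt" | sha256sum -c - \
 && echo "<SHA256_OF_CLASS3_X0E_PLACEHOLDER>  /usr/local/share/ca-certificates/class3_X0E.crt" | sha256sum -c - \
 && update-ca-certificates
# … unchanged: EXPOSE, CMD …
```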
@@ -66,7 +68,23 @@ services:
 - db
 - mail
 volumes:
- - ./cacert-mgr:/var/www
+ - ./cacert-mgr:/var/www/mgr
+ cats:
+ build:
+ context: .
+ dockerfile: cats.Dockerfile
+ env_file:
+ - ./.env
+ environment:
+ CATS_NORMAL_HOSTNAME: "cats.cacert.localhost:7443"
+ CATS_SECURE_HOSTNAME: "cats.cacert.localhost:7443"
+ MYSQL_CATS_DATABASE: cats
+ ports:
+ - "7443:443"
+ depends_on:
+ - db
+ volumes:
+ - ./cacert-cats:/var/www/cats
 volumes:
 db: { }
diff --git a/docker/apache-cats-foreground b/docker/apache-cats-foreground
new file mode 100755
index 0000000..b75131f
--- /dev/null
+++ b/docker/apache-cats-foreground
@@ -0,0 +1,17 @@
+#!/bin/sh
+set -eux
+
+# Apache gets grumpy about PID files pre-existing
+rm -f /run/apache2/apache2.pid
+
+sed "s/@CATS_NORMAL_HOSTNAME@/${CATS_NORMAL_HOSTNAME}/g;
+ s/@CATS_SECURE_HOSTNAME@/${CATS_SECURE_HOSTNAME}/g;
+ s/@CATS_DB_HOSTNAME@/db/g;
+ s/@CATS_DB_USER@/${MYSQL_CATS_USER}/g;
+ s/@CATS_DB_PASSWORD@/${MYSQL_CATS_PASSWORD}/g;
+ s/@CATS_DATABASE@/${MYSQL_CATS_DATABASE}/g" \
+ /var/www/cats/includes/db_connect.inc.template > /var/www/cats/includes/db_connect.inc
+
+apache2ctl start "$@"
+
+exec tail -F --follow=name --retry /var/log/apache2/error.log
diff --git a/docker/apache-cats-virtualhost.conf b/docker/apache-cats-virtualhost.conf
new file mode 100644
index 0000000..2ff69e9
--- /dev/null
+++ b/docker/apache-cats-virtualhost.conf
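Review bot: `MYSQL_CATS_DATABASE: cats` is now declared twice in docker-compose.yml — on the db service in the earlier hunk and on the new cats service here — while the matching `MYSQL_CATS_USER` and `MYSQL_CATS_PASSWORD` that docker/apache-cats-foreground reads are presumably supplied by `./.env`, which both services already load through `env_file`. Keeping the database name in the same place as its credentials avoids initdb.sh creating one database and the cats container connecting to another after a future edit; put `MYSQL_CATS_DATABASE=cats` in `.env` next to the other `MYSQL_CATS_*` values and drop both `environment:` entries, or at least add `# must match the db service` on each. `CATS_NORMAL_HOSTNAME` and `CATS_SECURE_HOSTNAME` carry the same value; if cats deliberately has no separate client-certificate host in this setup, a short comment saying so would save the next reader from wondering whether one was forgotten.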
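Review bot: The `sed` program in docker/apache-cats-foreground interpolates `${MYSQL_CATS_PASSWORD}` and the other values straight into `s/…/…/g` expressions, so a value containing `/`, `&` or `\` either breaks the script (a sed parse error at container start) or is rewritten into something other than the configured password. Escape each value before substitution, e.g. a helper `esc() { printf '%s' "$1" | sed 's|[/&\\]|\\&|g'; }` used as `s/@CATS_DB_PASSWORD@/$(esc "${MYSQL_CATS_PASSWORD}")/g`, and likewise for the user, database and hostname values. Note also that the rendered `db_connect.inc`, which carries the database password, is written into `/var/www/cats`, which docker-compose.yml bind-mounts from `./cacert-cats` on the host — that generated file needs to be ignored by version control in that checkout.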
@@ -0,0 +1,25 @@
+
+ ServerName cats.cacert.localhost
+ ServerAlias www.cats.cacert.localhost
+ DocumentRoot /var/www/cats
+
+ SSLEngine on
+ SSLStrictSNIVHostCheck on
+ SSLProtocol all -SSLv2 -SSLv3 -TLSv1
+ SSLHonorCipherOrder on
+ SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
+ SSLCertificateFile /etc/apache2/ssl/certs/cats.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/cats.cacert.localhost.key.pem
+
+ SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
+ SSLVerifyClient optional
+ SSLVerifyDepth 2
+ SSLOptions +StdEnvVars
+
+
+ Options Indexes FollowSymlinks MultiViews
+ AllowOverride Options FileInfo
+
+
+ Header always set Strict-Transport-Security "max-age=31536000"
+
diff --git a/docker/apache-mgr-foreground b/docker/apache-mgr-foreground
index 90f9c64..439e586 100755
--- a/docker/apache-mgr-foreground
+++ b/docker/apache-mgr-foreground
@@ -5,11 +5,14 @@ set -eux
 rm -f /run/apache2/apache2.pid
 sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_PASSWORD}/g" \
- /usr/local/etc/mgr-application.ini > /var/www/manager/application/configs/application.ini
+ /usr/local/etc/mgr-application.ini > /var/www/mgr/manager/application/configs/application.ini
 mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
 REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
-VALUES (1, 2,'${CLIENT_CERT_EMAIL}','CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU');
+VALUES (
+ 1, 2,'${CLIENT_CERT_EMAIL}',
+ 'emailAddress=${CLIENT_CERT_EMAIL},CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU'
+);
 UPDATE system_config SET config_value='1' WHERE config_key='log.file.enabled';
 UPDATE system_config SET config_value='mail' WHERE config_key='imap.mailhost';
diff --git a/docker/apache-mgr-virtualhost.conf b/docker/apache-mgr-virtualhost.conf
index 30417b7..8294671 100644
--- a/docker/apache-mgr-virtualhost.conf
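Review bot: The new cats vhost pairs `SSLVerifyClient optional` with `SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt` but, unlike the mgr vhost changed in this same commit, has no `SSLCADNRequestFile`, even though cats.Dockerfile copies `testca/class3/ca.crt.pem` to `/etc/apache2/ssl/certs/clientca.crt` apparently for exactly that purpose — as written, that copied file is unused. If the intent matches mgr, add `SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt` after the `SSLCACertificateFile` line so clients are asked only for certificates issued by the class 3 test CA. `Options Indexes` on the document root also turns on directory listings; dropping `Indexes` keeps this test host closer to how a production vhost would be configured. The `<VirtualHost>` and `<Directory>` tags appear to have been lost in rendering, so the enclosing blocks are inferred from the empty `+` lines.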
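Review bot: The rewritten `VALUES (` block interpolates `${CLIENT_CERT_EMAIL}` and `${CLIENT_CERT_USERNAME}` into single-quoted SQL literals without any escaping, so a value containing `'` or a backslash breaks or alters the statement; the removed line had the same shape, but this change widens the exposure by using the email address twice. A cheap guard before the heredoc keeps the script honest without restructuring it: `case "${CLIENT_CERT_EMAIL}${CLIENT_CERT_USERNAME}" in *[\'\\]*) echo "quote or backslash in CLIENT_CERT_* is not supported" >&2; exit 1;; esac`. The `emailAddress=…,CN=…//CN=Class 3 Test CA,O=CAcert Inc.,C=AU` literal also hard-codes an assumed attribute order for the stored subject/issuer string; a one-line comment naming what it must match (the DN string the manager records from the client certificate) would help whoever regenerates the test CA next. The `mysql … <<-EOF` heredoc this sits in continues past the end of the hunk.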
+++ b/docker/apache-mgr-virtualhost.conf
@@ -1,23 +1,23 @@
 ServerName mgr.cacert.localhost
 ServerAlias www.mgr.cacert.localhost
- DocumentRoot /var/www/manager/public
+ DocumentRoot /var/www/mgr/manager/public
 SSLEngine on
 SSLStrictSNIVHostCheck on
 SSLProtocol all -SSLv2 -SSLv3 -TLSv1
 SSLHonorCipherOrder on
 SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
- SSLCertificateFile /etc/ssl/certs/mgr.cacert.localhost.crt.pem
- SSLCertificateKeyFile /etc/ssl/private/mgr.cacert.localhost.key.pem
- SSLCertificateChainFile /etc/ssl/certs/combined.crt
+ SSLCertificateFile /etc/apache2/ssl/certs/mgr.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/mgr.cacert.localhost.key.pem
- SSLCACertificateFile /etc/ssl/certs/combined.crt
+ SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
+ SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt
 SSLVerifyClient optional
 SSLVerifyDepth 2
 SSLOptions +StdEnvVars
-
+
 Options Indexes FollowSymlinks MultiViews
 AllowOverride Options FileInfo
diff --git a/docker/apache-virtualhost.conf b/docker/apache-virtualhost.conf
index 8d61b51..dbcf0f5 100644
--- a/docker/apache-virtualhost.conf
+++ b/docker/apache-virtualhost.conf
@@ -24,9 +24,8 @@ SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
- SSLCertificateFile /etc/ssl/certs/test.cacert.localhost.crt.pem
- SSLCertificateKeyFile /etc/ssl/private/test.cacert.localhost.key.pem
- SSLCACertificateFile /etc/ssl/certs/combined.crt
+ SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem
 Header always set Strict-Transport-Security "max-age=31536000"
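Review bot: The mgr vhost drops `SSLCertificateChainFile /etc/ssl/certs/combined.crt` without a replacement; Apache only sends the intermediate (class 3) certificate to clients if it is named by that directive or appended to the file given in `SSLCertificateFile` (supported from Apache 2.4.8), and whether `mgr.cacert.localhost.crt.pem` produced by the test CA is chain-bundled is not visible in this diff (setup_test_ca.sh is in the diffstat but not shown). If it is a bare leaf certificate, browsers that have only the test root installed will now fail to build a path to it; either keep `SSLCertificateChainFile /etc/apache2/ssl/certs/combined.crt` or confirm in setup_test_ca.sh that the leaf file includes the intermediate and say so in a comment here. The bare `-`/`+` pair near the end looks like a `<Directory>` path change whose tag was lost in rendering, so that part is inferred; the enclosing `<VirtualHost>` block ends outside the hunk.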
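Review bot: This hunk removes `SSLCACertificateFile /etc/ssl/certs/combined.crt` from the first (test.cacert.localhost) vhost without adding a replacement, whereas the secure vhost in the next hunk gains `SSLVerifyClient require` and keeps a CA file. If the first vhost still carries an `SSLVerifyClient` directive outside the hunk, client-certificate verification there now has no CA to check against; if client authentication was intentionally confined to the secure vhost, a comment at this point, `# client certificates are verified only on secure.test.cacert.localhost`, would record that decision. The enclosing `<VirtualHost>` block starts and ends outside the hunk.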
@@ -50,11 +49,12 @@ SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
- SSLCertificateFile /etc/ssl/certs/secure.test.cacert.localhost.crt.pem
- SSLCertificateKeyFile /etc/ssl/private/secure.test.cacert.localhost.key.pem
+ SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem
+ SSLVerifyClient require
 SSLVerifyDepth 2
- SSLCACertificateFile /etc/ssl/certs/combined.crt
+ SSLCACertificateFile /etc/ssl/apache2/certs/combined.crt
 #SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl
 #SSLOCSPEnable on
 #SSLOCSPDefaultResponder http://ocsp.cacert.localhost/
diff --git a/docker/initdb.sh b/docker/initdb.sh
index 9273d82..bca293f 100755
--- a/docker/initdb.sh
+++ b/docker/initdb.sh
@@ -4,6 +4,7 @@ set -eux
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
 CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci;
+CREATE database $MYSQL_CATS_DATABASE CHARSET latin1 COLLATE latin1_swedish_ci;
 CREATE database mgr CHARSET utf8 COLLATE utf8_unicode_ci;
 EOF
@@ -13,6 +14,11 @@ done
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" mgr
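Review bot: The added `CREATE database $MYSQL_CATS_DATABASE …` line substitutes an environment variable directly into SQL executed as root, with no quoting or validation, while the neighbouring `cacert` and `mgr` databases are literals — this is the first point where the schema depends on the container environment. With `set -u` an unset variable aborts the script, which is fine, but a value containing spaces or punctuation yields a broken statement or, at worst, additional statements. A one-line check before the heredoc keeps it a plain identifier: `case "$MYSQL_CATS_DATABASE" in ""|*[!A-Za-z0-9_]*) echo "MYSQL_CATS_DATABASE must be a plain identifier" >&2; exit 1;; esac`. The second hunk of this file starts in view but continues past it, so it is not reviewed here.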