jan/cacert-devsetup
1
0
Fork 1
Code Issues Pull requests Releases Wiki Activity

Add cats to the docker-compose setup

Browse source
This commit is contained in:
Jan Dittberner 2020-12-22 15:51:13 +01:00
parent af156f24c6
commit 0c56512174
12 changed files with 140 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
application.Dockerfile
View file

@ -42,9 +42,9 @@ STOPSIGNAL SIGWINCH
COPY docker/apache-foreground /usr/local/bin/ COPY docker/apache-foreground /usr/local/bin/
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/ssl/certs/ COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/ssl/private/ COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/
COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/ COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
COPY docker/cacert.conf /etc/apache2/conf-available/ COPY docker/cacert.conf /etc/apache2/conf-available/

42
cats.Dockerfile Normal file
View file

@ -0,0 +1,42 @@
FROM debian:jessie
RUN apt-get update \
&& DEBIAN_FRONTEND=noninteractive \
apt-get install -y --no-install-recommends \
ca-certificates \
curl \
gettext \
libapache2-mod-php5 \
locales-all \
nullmailer \
php5-mysql \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
STOPSIGNAL SIGWINCH
COPY docker/apache-cats-foreground /usr/local/bin/
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
COPY testca/certs/cats.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
COPY testca/certs/cats.cacert.localhost.key.pem /etc/apache2/ssl/private/
COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt
COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
COPY docker/apache-cats-virtualhost.conf /etc/apache2/sites-available/cats.cacert.localhost.conf
VOLUME /var/www/cats
RUN a2ensite cats.cacert.localhost ; \
a2dissite 000-default ; \
a2enmod headers ; \
a2enmod rewrite ; \
a2enmod ssl ; \
cd /usr/local/share/ca-certificates ; \
curl -O http://www.cacert.org/certs/root_X0F.crt ; \
curl -O http://www.cacert.org/certs/class3_X0E.crt ; \
update-ca-certificates
EXPOSE 443
CMD ["/usr/local/bin/apache-cats-foreground"]

20
docker-compose.yml
View file

@ -7,6 +7,8 @@ services:
dockerfile: mariadb.Dockerfile dockerfile: mariadb.Dockerfile
env_file: env_file:
- ./.env - ./.env
environment:
MYSQL_CATS_DATABASE: cats
volumes: volumes:
- db:/var/lib/mysql - db:/var/lib/mysql
ports: ports:
@ -66,7 +68,23 @@ services:
- db - db
- mail - mail
volumes: volumes:
- ./cacert-mgr:/var/www - ./cacert-mgr:/var/www/mgr
cats:
build:
context: .
dockerfile: cats.Dockerfile
env_file:
- ./.env
environment:
CATS_NORMAL_HOSTNAME: "cats.cacert.localhost:7443"
CATS_SECURE_HOSTNAME: "cats.cacert.localhost:7443"
MYSQL_CATS_DATABASE: cats
ports:
- "7443:443"
depends_on:
- db
volumes:
- ./cacert-cats:/var/www/cats
volumes: volumes:
db: { } db: { }

17
docker/apache-cats-foreground Executable file
View file

@ -0,0 +1,17 @@
#!/bin/sh
set -eux
# Apache gets grumpy about PID files pre-existing
rm -f /run/apache2/apache2.pid
sed "s/@CATS_NORMAL_HOSTNAME@/${CATS_NORMAL_HOSTNAME}/g;
s/@CATS_SECURE_HOSTNAME@/${CATS_SECURE_HOSTNAME}/g;
s/@CATS_DB_HOSTNAME@/db/g;
s/@CATS_DB_USER@/${MYSQL_CATS_USER}/g;
s/@CATS_DB_PASSWORD@/${MYSQL_CATS_PASSWORD}/g;
s/@CATS_DATABASE@/${MYSQL_CATS_DATABASE}/g" \
/var/www/cats/includes/db_connect.inc.template > /var/www/cats/includes/db_connect.inc
apache2ctl start "$@"
exec tail -F --follow=name --retry /var/log/apache2/error.log

25
docker/apache-cats-virtualhost.conf Normal file
View file

@ -0,0 +1,25 @@
<VirtualHost *:443>
ServerName cats.cacert.localhost
ServerAlias www.cats.cacert.localhost
DocumentRoot /var/www/cats
SSLEngine on
SSLStrictSNIVHostCheck on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile /etc/apache2/ssl/certs/cats.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/cats.cacert.localhost.key.pem
SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
SSLVerifyClient optional
SSLVerifyDepth 2
SSLOptions +StdEnvVars
<Directory /var/www/cats>
Options Indexes FollowSymlinks MultiViews
AllowOverride Options FileInfo
</Directory>
Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

7
docker/apache-mgr-foreground
View file

@ -5,11 +5,14 @@ set -eux
rm -f /run/apache2/apache2.pid rm -f /run/apache2/apache2.pid
sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_PASSWORD}/g" \ sed "s/@MYSQL_MGR_USER@/${MYSQL_MGR_USER}/g; s/@MYSQL_MGR_PASSWORD@/${MYSQL_MGR_PASSWORD}/g" \
/usr/local/etc/mgr-application.ini > /var/www/manager/application/configs/application.ini /usr/local/etc/mgr-application.ini > /var/www/mgr/manager/application/configs/application.ini
mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF mysql -u "${MYSQL_MGR_USER}" -h db "-p${MYSQL_MGR_PASSWORD}" mgr <<-EOF
REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn) REPLACE INTO system_user (id, system_role_id, login, user_client_crt_s_dn_i_dn)
VALUES (1, 2,'${CLIENT_CERT_EMAIL}','CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU'); VALUES (
1, 2,'${CLIENT_CERT_EMAIL}',
'emailAddress=${CLIENT_CERT_EMAIL},CN=${CLIENT_CERT_USERNAME}//CN=Class 3 Test CA,O=CAcert Inc.,C=AU'
);
UPDATE system_config SET config_value='1' WHERE config_key='log.file.enabled'; UPDATE system_config SET config_value='1' WHERE config_key='log.file.enabled';
UPDATE system_config SET config_value='mail' WHERE config_key='imap.mailhost'; UPDATE system_config SET config_value='mail' WHERE config_key='imap.mailhost';

12
docker/apache-mgr-virtualhost.conf
View file

@ -1,23 +1,23 @@
<VirtualHost *:443> <VirtualHost *:443>
ServerName mgr.cacert.localhost ServerName mgr.cacert.localhost
ServerAlias www.mgr.cacert.localhost ServerAlias www.mgr.cacert.localhost
DocumentRoot /var/www/manager/public DocumentRoot /var/www/mgr/manager/public
SSLEngine on SSLEngine on
SSLStrictSNIVHostCheck on SSLStrictSNIVHostCheck on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile /etc/ssl/certs/mgr.cacert.localhost.crt.pem SSLCertificateFile /etc/apache2/ssl/certs/mgr.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/ssl/private/mgr.cacert.localhost.key.pem SSLCertificateKeyFile /etc/apache2/ssl/private/mgr.cacert.localhost.key.pem
SSLCertificateChainFile /etc/ssl/certs/combined.crt
SSLCACertificateFile /etc/ssl/certs/combined.crt SSLCACertificateFile /etc/apache2/ssl/certs/combined.crt
SSLCADNRequestFile /etc/apache2/ssl/certs/clientca.crt
SSLVerifyClient optional SSLVerifyClient optional
SSLVerifyDepth 2 SSLVerifyDepth 2
SSLOptions +StdEnvVars SSLOptions +StdEnvVars
<Directory /var/www/manager/public> <Directory /var/www/mgr/manager/public>
Options Indexes FollowSymlinks MultiViews Options Indexes FollowSymlinks MultiViews
AllowOverride Options FileInfo AllowOverride Options FileInfo
</Directory> </Directory>

12
docker/apache-virtualhost.conf
View file

@ -24,9 +24,8 @@
SSLProtocol all -SSLv2 -SSLv3 SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile /etc/ssl/certs/test.cacert.localhost.crt.pem SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/ssl/private/test.cacert.localhost.key.pem SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem
SSLCACertificateFile /etc/ssl/certs/combined.crt
Header always set Strict-Transport-Security "max-age=31536000" Header always set Strict-Transport-Security "max-age=31536000"
@ -50,11 +49,12 @@
SSLProtocol all -SSLv2 -SSLv3 SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile /etc/ssl/certs/secure.test.cacert.localhost.crt.pem SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/ssl/private/secure.test.cacert.localhost.key.pem SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem
SSLVerifyClient require SSLVerifyClient require
SSLVerifyDepth 2 SSLVerifyDepth 2
SSLCACertificateFile /etc/ssl/certs/combined.crt SSLCACertificateFile /etc/ssl/apache2/certs/combined.crt
#SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl #SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl
#SSLOCSPEnable on #SSLOCSPEnable on
#SSLOCSPDefaultResponder http://ocsp.cacert.localhost/ #SSLOCSPDefaultResponder http://ocsp.cacert.localhost/

10
docker/initdb.sh
View file

@ -4,6 +4,7 @@ set -eux
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci; CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci;
CREATE database $MYSQL_CATS_DATABASE CHARSET latin1 COLLATE latin1_swedish_ci;
CREATE database mgr CHARSET utf8 COLLATE utf8_unicode_ci; CREATE database mgr CHARSET utf8 COLLATE utf8_unicode_ci;
EOF EOF
@ -13,6 +14,11 @@ done
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" mgr </mgr_dbadm/ca_mgr.mysql mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" mgr </mgr_dbadm/ca_mgr.mysql
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/create_db.sql
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/update1.sql
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/update2.sql
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" "${MYSQL_CATS_DATABASE}" </cats_db/sample_test.sql
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" cacert <<-'EOF' mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" cacert <<-'EOF'
INSERT INTO languages (locale, en_co, en_lang, country, lang) INSERT INTO languages (locale, en_co, en_lang, country, lang)
VALUES ('sq_AL', 'Albania', 'Albanian', 'Shqip&euml;ria', 'shqipe'), VALUES ('sq_AL', 'Albania', 'Albanian', 'Shqip&euml;ria', 'shqipe'),
@ -122,7 +128,9 @@ GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%'; GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD'; CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
GRANT CREATE TEMPORARY TABLES ON mgr.* TO $MYSQL_MGR_USER@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%'; GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_MGR_USER@'%'; GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_MGR_USER@'%';
CREATE USER $MYSQL_CATS_USER@'%' IDENTIFIED BY '$MYSQL_CATS_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON $MYSQL_CATS_DATABASE.* TO $MYSQL_CATS_USER@'%';
EOF EOF

1
mariadb.Dockerfile
View file

@ -3,3 +3,4 @@ FROM mariadb:focal
COPY docker/initdb.sh /docker-entrypoint-initdb.d/initdb.sh COPY docker/initdb.sh /docker-entrypoint-initdb.d/initdb.sh
COPY cacert-software/scripts/db_migrations/*.sh /db_migrations/ COPY cacert-software/scripts/db_migrations/*.sh /db_migrations/
COPY cacert-mgr/dbadm/ca_mgr.mysql /mgr_dbadm/ COPY cacert-mgr/dbadm/ca_mgr.mysql /mgr_dbadm/
COPY cacert-cats/database/*.sql /cats_db/

8
mgr.Dockerfile
View file

@ -21,10 +21,10 @@ STOPSIGNAL SIGWINCH
COPY docker/apache-mgr-foreground /usr/local/bin/ COPY docker/apache-mgr-foreground /usr/local/bin/
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
COPY testca/certs/mgr.cacert.localhost.crt.pem /etc/ssl/certs/ COPY testca/certs/mgr.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
COPY testca/certs/mgr.cacert.localhost.key.pem /etc/ssl/private/ COPY testca/certs/mgr.cacert.localhost.key.pem /etc/apache2/ssl/private/
COPY testca/certs/cachain.crt.pem /etc/ssl/certs/combined.crt COPY testca/certs/cachain.crt.pem /etc/apache2/ssl/certs/combined.crt
COPY testca/class3/ca.crt.pem /etc/ssl/certs/clientca.crt COPY testca/class3/ca.crt.pem /etc/apache2/ssl/certs/clientca.crt
COPY docker/apache-mgr-virtualhost.conf /etc/apache2/sites-available/mgr.cacert.localhost.conf COPY docker/apache-mgr-virtualhost.conf /etc/apache2/sites-available/mgr.cacert.localhost.conf
COPY docker/mgr-application.ini /usr/local/etc/ COPY docker/mgr-application.ini /usr/local/etc/

4
setup_test_ca.sh
View file

@ -58,7 +58,7 @@ RANDFILE = \$dir/private/.rand
policy = policy_any policy = policy_any
unique_subject = no unique_subject = no
email_in_dn = no email_in_dn = yes
copy_extensions = copy copy_extensions = copy
default_md = sha256 default_md = sha256
@ -219,7 +219,7 @@ fi
if [ ! -f certs/testclient.p12 ]; then if [ ! -f certs/testclient.p12 ]; then
openssl req -new -keyout certs/testclient.key.pem -nodes \ openssl req -new -keyout certs/testclient.key.pem -nodes \
-out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}" \ -out certs/testclient.csr.pem -subj "/CN=${CLIENT_CERT_USERNAME}/emailAddress=${CLIENT_CERT_EMAIL}" \
-addext "subjectAltName=email:${CLIENT_CERT_EMAIL}" -addext "subjectAltName=email:${CLIENT_CERT_EMAIL}"
openssl ca -config ca.cnf \ openssl ca -config ca.cnf \
-name class3_ca \ -name class3_ca \