Implement docker-compose setup for CAcert software

docker/apache-foreground

@@ -0,0 +1,27 @@
+#!/bin/sh
+set -eux
+
+# Apache gets grumpy about PID files pre-existing
+rm -f /run/apache2/apache2.pid
+
+cp /usr/local/etc/testca/certs/test.cacert.org.crt.pem /etc/ssl/certs/test.cacert.org.crt
+cp /usr/local/etc/testca/certs/test.cacert.org.key.pem /etc/ssl/private/test.cacert.org.pem
+(
+  openssl x509 -in /usr/local/etc/testca/class3/ca.crt.pem
+  openssl x509 -in /usr/local/etc/testca/root/ca.crt.pem
+) >/etc/ssl/certs/combined.crt
+
+cp /usr/local/etc/testca/certs/secure.test.cacert.org.crt.pem /etc/ssl/certs/secure.crt
+cp /usr/local/etc/testca/certs/secure.test.cacert.org.key.pem /etc/ssl/private/secure_test_cacert_org.pem
+
+sed -i "s/@MYSQL_USERNAME@/$MYSQL_APP_USER/g; s/@MYSQL_PASSWORD@/$MYSQL_APP_PASSWORD/g" \
+  /usr/local/etc/application/mysql.php
+if [ ! -f /www/includes/mysql.php ]; then
+  rm -f /www/includes/mysql.php
+  cp /usr/local/etc/application/mysql.php /www/includes/mysql.php
+fi
+cp /usr/local/etc/application/feed.rss /www/pages/index/feed.rss
+
+apache2ctl start "$@"
+
+exec tail -F --follow=name --retry /var/log/apache2/error.log /var/log/apache2/phperror.log

docker/apache-virtualhost.conf

@@ -0,0 +1,74 @@
+<VirtualHost *:80>
+  ServerName test.cacert.org
+  ServerAlias www.test.cacert.org
+  DocumentRoot /www/www
+
+  ScriptAlias /cgi-bin/ /www/cgi-bin/
+  Redirect permanent /revoke.crl        http://crl.cacert.org/revoke.crl
+  Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
+  RewriteEngine On
+  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+  RewriteRule .* - [F]
+  <Directory /www/www/policy>
+    AddDefaultCharset utf-8
+  </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName test.cacert.org
+  ServerAlias www.test.cacert.org
+  DocumentRoot /www/www
+
+  SSLEngine on
+  SSLStrictSNIVHostCheck on
+  SSLProtocol all -SSLv2 -SSLv3
+  SSLHonorCipherOrder on
+  SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
+  SSLCertificateFile /etc/ssl/certs/test.cacert.org.crt
+  SSLCertificateKeyFile /etc/ssl/private/test.cacert.org.pem
+  SSLCACertificateFile /etc/ssl/certs/combined.crt
+
+  Header always set Strict-Transport-Security "max-age=31536000"
+
+  ScriptAlias /cgi-bin/ /www/cgi-bin/
+  Redirect permanent /revoke.crl        http://crl.cacert.org/revoke.crl
+  Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
+  RewriteEngine On
+  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+  RewriteRule .* - [F]
+  <Directory /www/www/policy>
+    AddDefaultCharset utf-8
+  </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+  ServerName secure.test.cacert.org
+  ServerAlias secure.test.cacert.org
+  DocumentRoot /www/www
+
+  SSLEngine on
+  SSLStrictSNIVHostCheck on
+  SSLProtocol all -SSLv2 -SSLv3
+  SSLHonorCipherOrder on
+  SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
+  SSLCertificateFile /etc/ssl/certs/secure.crt
+  SSLCertificateKeyFile /etc/ssl/private/secure_test_cacert_org.pem
+  SSLVerifyClient require
+  SSLVerifyDepth 2
+  SSLCACertificateFile /etc/ssl/certs/combined.crt
+  #SSLCARevocationFile /etc/ssl/crls/cacert-combined.crl
+  #SSLOCSPEnable on
+  #SSLOCSPDefaultResponder http://ocsp.cacert.org/
+  SSLOptions +StdEnvVars
+
+  Header always set Strict-Transport-Security "max-age=31536000"
+
+  Redirect permanent /revoke.crl        http://crl.cacert.org/revoke.crl
+  Redirect permanent /class3-revoke.crl http://crl.cacert.org/class3-revoke.crl
+  RewriteEngine On
+  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+  RewriteRule .* - [F]
+  <Directory /www/www/policy>
+    AddDefaultCharset utf-8
+  </Directory>
+</VirtualHost>

docker/cacert.conf

@@ -0,0 +1,55 @@
+# customized settings for CAcert webserver
+
+MaxRequestsPerChild	100
+
+ServerAdmin	support@cacert.org
+ServerName	cacert.org
+
+Header always set X-Frame-Options "DENY"
+Header always set X-XSS-Protection "1; mode=block"
+Header always set X-Content-Type-Options "nosniff"
+
+DocumentRoot /www/www
+
+<Directory />
+    Options -Indexes +Includes +FollowSymLinks
+    AllowOverride None
+</Directory>
+
+<Directory /www/www>
+    Options -Indexes +Includes +FollowSymLinks
+    AllowOverride All
+    Require all granted
+</Directory>
+
+<Directory /www/www/docs>
+    Options +Indexes +Includes +FollowSymLinks +MultiViews
+    AllowOverride None
+</Directory>
+
+<Directory /www/stamp>
+    Options -Indexes +Includes +FollowSymLinks
+    AllowOverride All
+    Require all granted
+</Directory>
+
+UseCanonicalName	off
+HostnameLookups		on
+
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" mod_gzip: %{mod_gzip_compression_ratio}npct. %T %v" full
+
+CustomLog /var/log/apache2/access.log full
+
+ServerSignature	off
+
+AddDefaultCharset on
+
+<IfModule mod_ssl.c>
+	# OCSP Stapling, only in httpd 2.3.3 and later
+	SSLUseStapling                          on
+	SSLStaplingResponderTimeout             5
+	SSLStaplingReturnResponderErrors        off
+	SSLStaplingCache                        shmcb:${APACHE_RUN_DIR}/ocsp(1280000)
+	SSLStaplingFakeTryLater                 off
+	SSLStaplingStandardCacheTimeout         86400
+</IfModule>

docker/feed.rss

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.5.1" -->
+<rss version="0.92">
+        <channel>
+                <title>CAcert NEWS Blog</title>
+                <link>http://blog.cacert.org</link>
+                <description>CAcert NEWS and up coming events.</description>
+                <lastBuildDate>Fri, 20 Aug 2010 11:54:30 +0000</lastBuildDate>
+                <docs>http://backend.userland.com/rss092</docs>
+                <language>en</language>
+
+                <item>
+                        <title>Looking for confirmation email on creating account?</title>
+                        <description>Please go to https://ca-mgr1.it-sls.de/login login with your just created account and password. Under MAIL you'll find your individual confirmation email.
+                        </description>
+                        <link>https://ca-mgr1.it-sls.de/testsystemdoc.html</link>
+                </item>
+        </channel>
+</rss>

docker/initdb.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+
+set -eux
+
+mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
+CREATE database cacert CHARSET latin1 COLLATE latin1_swedish_ci;
+CREATE USER $MYSQL_APP_USER@'%' IDENTIFIED BY '$MYSQL_APP_PASSWORD';
+GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
+GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
+EOF
+
+for script in /db_migrations/*.sh; do
+  sh "$script" -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" cacert
+done

docker/mysql.php

@@ -0,0 +1,114 @@
+<? /*
+    LibreSSL - CAcert web application
+    Copyright (C) 2004-2008  CAcert Inc.
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; version 2 of the License.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+$_SESSION['mconn'] = mysql_connect("db", "@MYSQL_USERNAME@", "@MYSQL_PASSWORD@");
+if ($_SESSION['mconn'] != FALSE)
+{
+    mysql_select_db("cacert");
+    $_SESSION['mconn'] = TRUE;
+}
+$_SESSION['_config']['normalhostname'] = "test.cacert.org:8443";
+$_SESSION['_config']['securehostname'] = "secure.test.cacert.org:8443";
+$_SESSION['_config']['tverify'] = "tverify.cacert.org";
+
+function sendmail($to, $subject, $message, $from, $replyto = "", $toname = "", $fromname = "", $errorsto = "returns@cacert.org", $use_utf8 = true)
+{
+    $lines = explode("\n", $message);
+    $message = "";
+    foreach($lines as $line)
+    {
+        $line = trim($line);
+        if($line == ".")
+            $message .= " .\n";
+        else
+            $message .= $line."\n";
+    }
+
+    if($fromname == "")
+        $fromname = $from;
+
+    $bits = explode(",", $from);
+    $from = addslashes($bits['0']);
+    $fromname = addslashes($fromname);
+
+    $smtp = fsockopen("smtp", 25);
+    if(!$smtp)
+    {
+        echo("Could not connect to mailserver at localhost:25\n");
+        return;
+    }
+    $InputBuffer = fgets($smtp, 1024);
+    fputs($smtp, "EHLO test.cacert.org\r\n");
+    $InputBuffer = fgets($smtp, 1024);
+    fputs($smtp, "MAIL FROM:<returns@cacert.org>\r\n");
+    $InputBuffer = fgets($smtp, 1024);
+    $bits = explode(",", $to);
+    foreach($bits as $user)
+        fputs($smtp, "RCPT TO:<".trim($user).">\r\n");
+    $InputBuffer = fgets($smtp, 1024);
+    fputs($smtp, "DATA\r\n");
+    $InputBuffer = fgets($smtp, 1024);
+    fputs($smtp, "X-Mailer: CAcert.org Website\r\n");
+    if (array_key_exists("REMOTE_ADDR", $_SERVER))
+        fputs($smtp, "X-OriginatingIP: ".$_SERVER["REMOTE_ADDR"]."\r\n");
+    fputs($smtp, "Sender: $errorsto\r\n");
+    fputs($smtp, "Errors-To: $errorsto\r\n");
+    if($replyto != "")
+        fputs($smtp, "Reply-To: $replyto\r\n");
+    else
+        fputs($smtp, "Reply-To: $from\r\n");
+    fputs($smtp, "From: $from\r\n");
+    fputs($smtp, "To: $to\r\n");
+    if(preg_match("/[^a-zA-Z0-9 .-\[\]!_@]/",$subject))
+    {
+        fputs($smtp, "Subject: =?utf-8?B?".base64_encode(recode("html..utf-8", $subject))."?=\r\n");
+    }
+    else
+    {
+        fputs($smtp, "Subject: $subject\r\n");
+    }
+    fputs($smtp, "Mime-Version: 1.0\r\n");
+    if($use_utf8)
+    {
+        fputs($smtp, "Content-Type: text/plain; charset=\"utf-8\"\r\n");
+    }
+    else
+    {
+        fputs($smtp, "Content-Type: text/plain; charset=\"iso-8859-1\"\r\n");
+    }
+    fputs($smtp, "Content-Transfer-Encoding: quoted-printable\r\n");
+    fputs($smtp, "Content-Disposition: inline\r\n");
+
+//		fputs($smtp, "Content-Transfer-Encoding: BASE64\r\n");
+    fputs($smtp, "\r\n");
+//		fputs($smtp, chunk_split(base64_encode(recode("html..utf-8", $message)))."\r\n.\r\n");
+    $encoded_lines = explode( "\n", str_replace("\r", "", $message) );
+    array_walk( $encoded_lines,
+        function (&$a) {
+            $a = quoted_printable_encode(recode("html..utf-8", $a));
+        });
+    $encoded_message = implode("\n", $encoded_lines);
+
+    $encoded_message = str_replace("\r.", "\r=2E", $encoded_message);
+    $encoded_message = str_replace("\n.", "\n=2E", $encoded_message);
+    fputs($smtp, $encoded_message);
+    fputs($smtp, "\r\n.\r\n");
+    fputs($smtp, "QUIT\n");
+    $InputBuffer = fgets($smtp, 1024);
+    fclose($smtp);
+}

docker/php5-cacert.ini

@@ -0,0 +1,20 @@
+;
+; Additional settings for CAcert webdb application
+;
+safe_mode_allowed_env_vars = LC_ALL,LANG,LANGUAGE,PHP_
+disable_functions = passthru
+expose_php = Off
+memory_limit = 18M
+display_errors = Off
+log_errors = On
+error_log = /var/log/apache2/phperrors.log
+sendmail_path = "/usr/sbin/sendmail -t -i -freturns@cacert.org"
+session.use_only_cookies = On
+session.cookie_secure = On
+error_reporting = E_ALL
+short_open_tag = On
+
+; Starting with PHP 5.6, PHP's default character set is set to UTF-8.
+; This is not what the current CAcert application code expects, so we
+; overrrule it with the earlier default.
+default_charset = "iso-8859-1"

docker/run-postfix

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -eu
+
+mkdir -p /home/catchall/Maildir/tmp /home/catchall/Maildir/new /home/catchall/Maildir/cur
+chown -Rc catchall.catchall /home/catchall/Maildir
+
+postfix start-fg