Rename application to webdb

This commit renames the application container to webdb and drops the
test suffix in favour of using www.cacert.localhost directly. The server
certificate for www.cacert.localhost got an additional subjectAltName
entry, secure.cacert.localhost, and is now used for both hostnames.

Environment variables containing _APP have been renamed to _WEBDB to
keep consistency.
This commit is contained in:
Jan Dittberner 2020-12-23 07:17:06 +01:00
parent 714533350b
commit f9b0eb5195
7 changed files with 34 additions and 48 deletions


@ -45,13 +45,13 @@ Variable | Usage
`CLIENT_CERT_PASSWORD` | password used to encrypt `testca/certs/testclient.p12`
`CLIENT_CERT_USERNAME` | full name for a user that is included in the CN field of the subject distinguished name in the test client certificate
`CLIENT_CERT_USERNAME` | user name for client certificate generated by `setup_test_ca.sh`
`MYSQL_APP_PASSWORD` | Database password for webdb
`MYSQL_APP_USER` | Database user for webdb
`MYSQL_CATS_PASSWORD` | Database password for cats
`MYSQL_CATS_USER` | Database user for cats
`MYSQL_MGR_PASSWORD` | Database password for the test manager
`MYSQL_MGR_USER` | Database user for the test manager
`MYSQL_ROOT_PASSWORD` | Database root password
`MYSQL_WEBDB_PASSWORD` | Database password for webdb
`MYSQL_WEBDB_USER` | Database user for webdb
```shell
@ -59,8 +59,8 @@ echo "CATCHALL_MAILBOX_PASSWORD=$(openssl rand -base64 18)
CLIENT_CERT_EMAIL=user@example.org
CLIENT_CERT_PASSWORD=$(openssl rand -base64 18)
CLIENT_CERT_USERNAME="John Doe"
MYSQL_APP_PASSWORD=$(openssl rand -base64 18)
MYSQL_APP_USER=cacert_dev
MYSQL_WEBDB_PASSWORD=$(openssl rand -base64 18)
MYSQL_WEBDB_USER=cacert_dev
MYSQL_CATS_PASSWORD=$(openssl rand -base64 18)
MYSQL_CATS_USER=cats
MYSQL_MGR_PASSWORD=$(openssl rand -base64 18)
@ -71,7 +71,7 @@ docker-compose up
```
After these steps you should be able to reach the CAcert application at
https://test.cacert.localhost:8443/. The test manager application is reachable
https://www.cacert.localhost:8443/. The test manager application is reachable
at https://mgr.cacert.localhost:9443/. CATS is reachable at
https://cats.cacert.localhost:7443/. The magic hostname resolution works on
systems using systemd's nss module for host resolution. If you do not have that


@ -29,19 +29,19 @@ services:
- maildir:/home/catchall/Maildir
env_file:
- ./.env
application:
webdb:
build:
context: .
dockerfile: application.Dockerfile
dockerfile: webdb.Dockerfile
environment:
DEPLOYMENT_NAME: "CAcert.org Website (local development)"
MYSQL_APP_HOSTNAME: db
MYSQL_APP_DATABASE: cacert
MYSQL_WEBDB_HOSTNAME: db
MYSQL_WEBDB_DATABASE: cacert
CSR_DIRECTORY: /csr
CRT_DIRECTORY: /crt
DEFAULT_HOSTNAME: test.cacert.localhost
SECURE_HOSTNAME: secure.test.cacert.localhost
TVERIFY_HOSTNAME: tverify.test.cacert.localhost
DEFAULT_HOSTNAME: www.cacert.localhost
SECURE_HOSTNAME: secure.cacert.localhost
TVERIFY_HOSTNAME: tverify.cacert.localhost
INSECURE_PORT: 8080
SECURE_PORT: 8443
RETURN_ADDRESS: "returns@cacert.localhost"
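Review bot: TVERIFY_HOSTNAME is moved to tverify.cacert.localhost next to DEFAULT_HOSTNAME and SECURE_HOSTNAME, but as far as this commit shows nothing issues a certificate or an Apache vhost for that name — the test CA script only adds DNS:www and DNS:secure to the SAN, and the vhost file only defines www and secure. If the application renders https links to TVERIFY_HOSTNAME they will hit a hostname/certificate mismatch in the dev setup; if the name is intentionally unserved, a one-line comment would save the next reader the search, e.g. `TVERIFY_HOSTNAME: tverify.cacert.localhost  # no vhost/cert in the dev stack; only used to build URLs`. The webdb service definition continues past the end of this hunk.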


@ -1,6 +1,5 @@
<VirtualHost *:80>
ServerName test.cacert.localhost
ServerAlias www.test.cacert.localhost
ServerName www.cacert.localhost
DocumentRoot /www/www
ScriptAlias /cgi-bin/ /www/cgi-bin/
@ -15,8 +14,7 @@
</VirtualHost>
<VirtualHost *:443>
ServerName test.cacert.localhost
ServerAlias www.test.cacert.localhost
ServerName www.cacert.localhost
DocumentRoot /www/www
SSLEngine on
@ -24,8 +22,8 @@
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem
SSLCertificateFile /etc/apache2/ssl/certs/www.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/www.cacert.localhost.key.pem
Header always set Strict-Transport-Security "max-age=31536000"
@ -41,7 +39,7 @@
</VirtualHost>
<VirtualHost *:443>
ServerName secure.test.cacert.localhost
ServerName secure.cacert.localhost
DocumentRoot /www/www
SSLEngine on
@ -49,8 +47,8 @@
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem
SSLCertificateFile /etc/apache2/ssl/certs/www.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/www.cacert.localhost.key.pem
SSLVerifyClient require
SSLVerifyDepth 2
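Review bot: The secure.cacert.localhost vhost now serves the same key pair as www.cacert.localhost (the two SSLCertificate* lines at the end of the hunk), so the only thing that separates the client-cert-required vhost from the plain one is vhost selection by SNI. mod_ssl rejects a request whose Host header names a vhost with a different SSLVerifyClient setting than the SNI-selected vhost, but that behaviour depends on the httpd version in the image, which is not visible here, so it is worth pinning with a comment and a quick test against the built container: a request with SNI www.cacert.localhost and `Host: secure.cacert.localhost` must not reach the secure DocumentRoot without a client certificate. Suggested comment above the secure vhost: `# shares the www key pair (SAN cert); client-cert enforcement relies on SNI/Host vhost matching, see mod_ssl 400 on mismatch`. The secure VirtualHost block continues past the end of this hunk.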


@ -123,9 +123,9 @@ VALUES ('sq_AL', 'Albania', 'Albanian', 'Shqip&euml;ria', 'shqipe'),
EOF
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
CREATE USER $MYSQL_APP_USER@'%' IDENTIFIED BY '$MYSQL_APP_PASSWORD';
GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
CREATE USER $MYSQL_WEBDB_USER@'%' IDENTIFIED BY '$MYSQL_WEBDB_PASSWORD';
GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_WEBDB_USER@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_WEBDB_USER@'%';
CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';


@ -192,26 +192,14 @@ if [ ! -f certs/mgr.cacert.localhost.crt.pem ]; then
-extensions server_ext \
-batch
fi
if [ ! -f certs/secure.test.cacert.localhost.crt.pem ]; then
openssl req -new -keyout certs/secure.test.cacert.localhost.key.pem -nodes \
-out certs/secure.test.cacert.localhost.csr.pem -subj "/CN=secure.test.cacert.localhost" \
-addext "subjectAltName=DNS:secure.test.cacert.localhost"
if [ ! -f certs/www.cacert.localhost.crt.pem ]; then
openssl req -new -keyout certs/www.cacert.localhost.key.pem -nodes \
-out certs/www.cacert.localhost.csr.pem -subj "/CN=www.cacert.localhost" \
-addext "subjectAltName=DNS:www.cacert.localhost,DNS:secure.cacert.localhost"
openssl ca -config ca.cnf \
-name class3_ca \
-in certs/secure.test.cacert.localhost.csr.pem \
-out certs/secure.test.cacert.localhost.crt.pem \
-rand_serial \
-extensions server_ext \
-batch
fi
if [ ! -f certs/test.cacert.localhost.crt.pem ]; then
openssl req -new -keyout certs/test.cacert.localhost.key.pem -nodes \
-out certs/test.cacert.localhost.csr.pem -subj "/CN=test.cacert.localhost" \
-addext "subjectAltName=DNS:test.cacert.localhost,DNS:www.test.cacert.localhost"
openssl ca -config ca.cnf \
-name class3_ca \
-in certs/test.cacert.localhost.csr.pem \
-out certs/test.cacert.localhost.crt.pem \
-in certs/www.cacert.localhost.csr.pem \
-out certs/www.cacert.localhost.crt.pem \
-rand_serial \
-extensions server_ext \
-batch
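Review bot: secure.cacert.localhost now exists only as a CSR extension (the `-addext "subjectAltName=…"` line), and whether `openssl ca` carries CSR extensions into the issued certificate depends on `copy_extensions` in ca.cnf, which this hunk does not show; if it is not set to copy, the script succeeds but the secure vhost serves a certificate with no matching name. Since the script guards on the .crt existing, a wrong certificate is also never regenerated. A check after the signing step makes this fail loudly: `openssl x509 -in certs/www.cacert.localhost.crt.pem -noout -ext subjectAltName | grep -q 'DNS:secure.cacert.localhost' || { echo 'SAN for secure.cacert.localhost missing - check copy_extensions in ca.cnf' >&2; exit 1; }` (`-ext` needs OpenSSL 1.1.1+, the same requirement `-addext` already imposes). The old test.cacert.localhost and secure.test.cacert.localhost key/cert files are not removed, so checkouts that already ran the script keep stale private keys in testca/certs; an `rm -f` of those names, or a note in the README, would be tidy. The `if` block ends past the last line of this hunk.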


@ -39,21 +39,21 @@ RUN apt-get update \
STOPSIGNAL SIGWINCH
COPY docker/apache-foreground /usr/local/bin/
COPY docker/apache-webdb-foreground /usr/local/bin/
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/
COPY testca/certs/www.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
COPY testca/certs/www.cacert.localhost.key.pem /etc/apache2/ssl/private/
COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
COPY docker/apache-webdb-virtualhost.conf /etc/apache2/sites-available/www.cacert.localhost.conf
COPY docker/cacert.conf /etc/apache2/conf-available/
COPY docker/php5-cacert.ini /etc/php5/mods-available/cacert.ini
COPY docker/feed.rss /usr/local/etc/application/feed.rss
VOLUME /www
RUN a2ensite apache-virtualhost ; \
RUN a2ensite www.cacert.localhost ; \
a2dissite 000-default ; \
a2enconf cacert ; \
a2enmod headers ; \
@ -68,4 +68,4 @@ RUN a2ensite apache-virtualhost ; \
EXPOSE 80
EXPOSE 443
CMD ["/usr/local/bin/apache-foreground"]
CMD ["/usr/local/bin/apache-webdb-foreground"]