From f9b0eb51952c6cc7de5dfe0f3da6882efcb1eea5 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Wed, 23 Dec 2020 07:17:06 +0100
Subject: [PATCH] Rename application to webdb
This commit renames the application container to webdb and drops the test suffix in favour of using www.cacert.localhost directly. The server certificate for www.cacert.localhost got an additional subjectAlternativeName secure.cacert.localhost and is used for both hostnames now. Environment variables containing _APP have been renamed to _WEBDB to keep consistency.
---
 README.md | 10 ++++----
 docker-compose.yml | 14 +++++------
 ...che-foreground => apache-webdb-foreground} | 0
 ...ost.conf => apache-webdb-virtualhost.conf} | 16 ++++++-------
 docker/initdb.sh | 6 ++---
 setup_test_ca.sh | 24 +++++-------------
 application.Dockerfile => webdb.Dockerfile | 12 +++++-----
 7 files changed, 34 insertions(+), 48 deletions(-)
 rename docker/{apache-foreground => apache-webdb-foreground} (100%)
 rename docker/{apache-virtualhost.conf => apache-webdb-virtualhost.conf} (79%)
 rename application.Dockerfile => webdb.Dockerfile (78%)
diff --git a/README.md b/README.md
index 43588fe..586ac73 100644
--- a/README.md
+++ b/README.md
@@ -45,13 +45,13 @@ Variable | Usage `CLIENT_CERT_PASSWORD` | password used to encrypt `testca/certs/testclient.p12` `CLIENT_CERT_USERNAME` | full name for a user that is included in the CN field of the subject distinguished name in the test client certificate `CLIENT_CERT_USERNAME` | user name for client certificate generated by `setup_test_ca.sh` -`MYSQL_APP_PASSWORD` | Database password for webdb -`MYSQL_APP_USER` | Database user for webdb `MYSQL_CATS_PASSWORD` | Database password for cats `MYSQL_CATS_USER` | Database user for cats `MYSQL_MGR_PASSWORD` | Database password for the test manager `MYSQL_MGR_USER` | Database user for the test manager `MYSQL_ROOT_PASSWORD` | Database root password +`MYSQL_WEBDB_PASSWORD` | Database password for webdb +`MYSQL_WEBDB_USER` | Database user for webdb ```shell @@ -59,8 +59,8 @@ echo "CATCHALL_MAILBOX_PASSWORD=$(openssl rand -base64 18) CLIENT_CERT_EMAIL=user@example.org CLIENT_CERT_PASSWORD=$(openssl rand -base64 18) CLIENT_CERT_USERNAME="John Doe" -MYSQL_APP_PASSWORD=$(openssl rand -base64 18) -MYSQL_APP_USER=cacert_dev +MYSQL_WEBDB_PASSWORD=$(openssl rand -base64 18) +MYSQL_WEBDB_USER=cacert_dev MYSQL_CATS_PASSWORD=$(openssl rand -base64 18) MYSQL_CATS_USER=cats MYSQL_MGR_PASSWORD=$(openssl rand -base64 18) @@ -71,7 +71,7 @@ docker-compose up ``` After these steps you should be able to reach the CAcert application at -https://test.cacert.localhost:8443/. The test manager application is reachable +https://www.cacert.localhost:8443/. The test manager application is reachable at https://mgr.cacert.localhost:9443/. CATS is reachable at https://cats.cacert.localhost:7443/. The magic hostname resolution works on systems using systemd's nss module for host resolution. If you do not have that diff --git a/docker-compose.yml b/docker-compose.yml index 97c5c3e..ff62842 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -29,19 +29,19 @@ services:
 - maildir:/home/catchall/Maildir
 env_file:
 - ./.env
- application:
+ webdb:
 build:
 context: .
- dockerfile: application.Dockerfile
+ dockerfile: webdb.Dockerfile
 environment:
 DEPLOYMENT_NAME: "CAcert.org Website (local development)"
- MYSQL_APP_HOSTNAME: db
- MYSQL_APP_DATABASE: cacert
+ MYSQL_WEBDB_HOSTNAME: db
+ MYSQL_WEBDB_DATABASE: cacert
 CSR_DIRECTORY: /csr
 CRT_DIRECTORY: /crt
- DEFAULT_HOSTNAME: test.cacert.localhost
- SECURE_HOSTNAME: secure.test.cacert.localhost
- TVERIFY_HOSTNAME: tverify.test.cacert.localhost
+ DEFAULT_HOSTNAME: www.cacert.localhost
+ SECURE_HOSTNAME: secure.cacert.localhost
+ TVERIFY_HOSTNAME: tverify.cacert.localhost
 INSECURE_PORT: 8080
 SECURE_PORT: 8443
 RETURN_ADDRESS: "returns@cacert.localhost"
diff --git a/docker/apache-foreground b/docker/apache-webdb-foreground
similarity index 100%
rename from docker/apache-foreground
rename to docker/apache-webdb-foreground
diff --git a/docker/apache-virtualhost.conf b/docker/apache-webdb-virtualhost.conf
similarity index 79%
rename from docker/apache-virtualhost.conf
rename to docker/apache-webdb-virtualhost.conf
index dbcf0f5..c001561 100644
--- a/docker/apache-virtualhost.conf
+++ b/docker/apache-webdb-virtualhost.conf
@@ -1,6 +1,5 @@
- ServerName test.cacert.localhost
- ServerAlias www.test.cacert.localhost
+ ServerName www.cacert.localhost
 DocumentRoot /www/www
 ScriptAlias /cgi-bin/ /www/cgi-bin/
@@ -15,8 +14,7 @@
- ServerName test.cacert.localhost
- ServerAlias www.test.cacert.localhost
+ ServerName www.cacert.localhost
 DocumentRoot /www/www
 SSLEngine on
@@ -24,8 +22,8 @@
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
- SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem
- SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem
+ SSLCertificateFile /etc/apache2/ssl/certs/www.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/www.cacert.localhost.key.pem
 Header always set Strict-Transport-Security "max-age=31536000"
@@ -41,7 +39,7 @@
- ServerName secure.test.cacert.localhost
+ ServerName secure.cacert.localhost
 DocumentRoot /www/www
 SSLEngine on
@@ -49,8 +47,8 @@
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
- SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem
- SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem
+ SSLCertificateFile /etc/apache2/ssl/certs/www.cacert.localhost.crt.pem
+ SSLCertificateKeyFile /etc/apache2/ssl/private/www.cacert.localhost.key.pem
 SSLVerifyClient require
 SSLVerifyDepth 2
diff --git a/docker/initdb.sh b/docker/initdb.sh
index bca293f..fdec50b 100755
--- a/docker/initdb.sh
+++ b/docker/initdb.sh
@@ -123,9 +123,9 @@ VALUES ('sq_AL', 'Albania', 'Albanian', 'Shqipëria', 'shqipe'),
 EOF
 mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
-CREATE USER $MYSQL_APP_USER@'%' IDENTIFIED BY '$MYSQL_APP_PASSWORD';
-GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
-GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
+CREATE USER $MYSQL_WEBDB_USER@'%' IDENTIFIED BY '$MYSQL_WEBDB_PASSWORD';
+GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_WEBDB_USER@'%';
+GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_WEBDB_USER@'%';
 CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
 GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
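Review bot: The renamed `CREATE USER $MYSQL_WEBDB_USER@'%' IDENTIFIED BY '$MYSQL_WEBDB_PASSWORD';` still splices both values from the environment straight into SQL inside an unquoted heredoc, so a user name containing `-` or `.` or a password containing `'`, `\` or `$` either breaks the statement or changes its meaning. The README hunk shows the password coming from `openssl rand -base64 18`, which yields only safe characters, but `.env` is hand-edited and nothing here enforces that. Quote the account on all three statements as `'$MYSQL_WEBDB_USER'@'%'` and reject unsafe input before the heredoc, e.g. `case "$MYSQL_WEBDB_USER$MYSQL_WEBDB_PASSWORD" in *[\'\\\$]*) echo "MYSQL_WEBDB_* must not contain quotes, backslashes or \$" >&2; exit 1 ;; esac`. The `MYSQL_MGR_*` lines that follow have the same shape and deserve the same treatment; the `'%'` host part grants login from any address, which is tolerable on the compose-internal network but worth a one-line comment saying so.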
diff --git a/setup_test_ca.sh b/setup_test_ca.sh
index 5968215..6b9a5fc 100755
--- a/setup_test_ca.sh
+++ b/setup_test_ca.sh
@@ -192,26 +192,14 @@ if [ ! -f certs/mgr.cacert.localhost.crt.pem ]; then
 -extensions server_ext \
 -batch
 fi
-if [ ! -f certs/secure.test.cacert.localhost.crt.pem ]; then
- openssl req -new -keyout certs/secure.test.cacert.localhost.key.pem -nodes \
- -out certs/secure.test.cacert.localhost.csr.pem -subj "/CN=secure.test.cacert.localhost" \
- -addext "subjectAltName=DNS:secure.test.cacert.localhost"
+if [ ! -f certs/www.cacert.localhost.crt.pem ]; then
+ openssl req -new -keyout certs/www.cacert.localhost.key.pem -nodes \
+ -out certs/www.cacert.localhost.csr.pem -subj "/CN=www.cacert.localhost" \
+ -addext "subjectAltName=DNS:www.cacert.localhost,DNS:secure.cacert.localhost"
 openssl ca -config ca.cnf \
 -name class3_ca \
- -in certs/secure.test.cacert.localhost.csr.pem \
- -out certs/secure.test.cacert.localhost.crt.pem \
- -rand_serial \
- -extensions server_ext \
- -batch
-fi
-if [ ! -f certs/test.cacert.localhost.crt.pem ]; then
- openssl req -new -keyout certs/test.cacert.localhost.key.pem -nodes \
- -out certs/test.cacert.localhost.csr.pem -subj "/CN=test.cacert.localhost" \
- -addext "subjectAltName=DNS:test.cacert.localhost,DNS:www.test.cacert.localhost"
- openssl ca -config ca.cnf \
- -name class3_ca \
- -in certs/test.cacert.localhost.csr.pem \
- -out certs/test.cacert.localhost.crt.pem \
+ -in certs/www.cacert.localhost.csr.pem \
+ -out certs/www.cacert.localhost.crt.pem \
 -rand_serial \
 -extensions server_ext \
 -batch
diff --git a/application.Dockerfile b/webdb.Dockerfile
similarity index 78%
rename from application.Dockerfile
rename to webdb.Dockerfile
index 58eadb3..0df244a 100644
--- a/application.Dockerfile
+++ b/webdb.Dockerfile
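Review bot: The new SAN list `DNS:www.cacert.localhost,DNS:secure.cacert.localhost` omits `tverify.cacert.localhost`, which the docker-compose hunk in this same commit sets as `TVERIFY_HOSTNAME`, so any link the webdb emits to that name will land on a vhost whose certificate does not match it (presumably the www default). If tverify is meant to be reachable in the dev setup, extend the line to `-addext "subjectAltName=DNS:www.cacert.localhost,DNS:secure.cacert.localhost,DNS:tverify.cacert.localhost"` and give it a vhost or `ServerAlias`; if it is deliberately unsupported, a comment above the `if` saying so saves the next person a TLS debugging session. Because the block is guarded by `[ ! -f certs/www.cacert.localhost.crt.pem ]`, existing checkouts also keep the now-unused `test.cacert.localhost.*` and `secure.test.cacert.localhost.*` private keys in `testca/certs`; a `rm -f certs/test.cacert.localhost.* certs/secure.test.cacert.localhost.*` before the test stops stale key material from lingering. The script continues past the end of this hunk.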
@@ -39,21 +39,21 @@ RUN apt-get update \
 STOPSIGNAL SIGWINCH
-COPY docker/apache-foreground /usr/local/bin/
+COPY docker/apache-webdb-foreground /usr/local/bin/
 COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
 COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
-COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
-COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/
+COPY testca/certs/www.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
+COPY testca/certs/www.cacert.localhost.key.pem /etc/apache2/ssl/private/
 COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
-COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
+COPY docker/apache-webdb-virtualhost.conf /etc/apache2/sites-available/www.cacert.localhost.conf
 COPY docker/cacert.conf /etc/apache2/conf-available/
 COPY docker/php5-cacert.ini /etc/php5/mods-available/cacert.ini
 COPY docker/feed.rss /usr/local/etc/application/feed.rss
 VOLUME /www
-RUN a2ensite apache-virtualhost ; \
+RUN a2ensite www.cacert.localhost ; \
 a2dissite 000-default ; \
 a2enconf cacert ; \
 a2enmod headers ; \
@@ -68,4 +68,4 @@ RUN a2ensite apache-virtualhost ; \
 EXPOSE 80
 EXPOSE 443
-CMD ["/usr/local/bin/apache-foreground"]
+CMD ["/usr/local/bin/apache-webdb-foreground"]
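Review bot: `COPY testca/certs/www.cacert.localhost.key.pem /etc/apache2/ssl/private/` bakes the server private key into an image layer, where anyone who can pull or `docker save` the image can read it, and `COPY` preserves the source file mode, so the key is only as protected inside the container as `setup_test_ca.sh` happened to leave it (the hunk does not show a chmod on either side). This is throw-away test-CA material, so the impact is bounded, but that single key now also fronts the client-certificate-protected `secure.cacert.localhost` vhost, so it is worth tightening: at minimum add `RUN chmod 0600 /etc/apache2/ssl/private/www.cacert.localhost.key.pem` directly after the COPY, or better, drop the two certificate COPYs and mount `testca/certs` at runtime (a compose volume or `secrets:` entry) so the key never enters the image. A comment above the COPY lines, `# local test-CA material only; do not publish images built from this file`, would make the intent explicit for whoever names and pushes the new webdb image.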