Rename application to webdb
This commit renames the application container to webdb and drops the test suffix in favour of using www.cacert.localhost directly. The server certificate for www.cacert.localhost got an additional subjectAlternativeName secure.cacert.localhost and is used for both hostnames now. Environment variables containing _APP have been renamed to _WEBDB to keep consistency.
parent
714533350b
commit
f9b0eb5195
7 changed files with 34 additions and 48 deletions
10
README.md
10
README.md
|
@ -45,13 +45,13 @@ Variable | Usage
|
||||||
`CLIENT_CERT_PASSWORD` | password used to encrypt `testca/certs/testclient.p12`
|
`CLIENT_CERT_PASSWORD` | password used to encrypt `testca/certs/testclient.p12`
|
||||||
`CLIENT_CERT_USERNAME` | full name for a user that is included in the CN field of the subject distinguished name in the test client certificate
|
`CLIENT_CERT_USERNAME` | full name for a user that is included in the CN field of the subject distinguished name in the test client certificate
|
||||||
`CLIENT_CERT_USERNAME` | user name for client certificate generated by `setup_test_ca.sh`
|
`CLIENT_CERT_USERNAME` | user name for client certificate generated by `setup_test_ca.sh`
|
||||||
`MYSQL_APP_PASSWORD` | Database password for webdb
|
|
||||||
`MYSQL_APP_USER` | Database user for webdb
|
|
||||||
`MYSQL_CATS_PASSWORD` | Database password for cats
|
`MYSQL_CATS_PASSWORD` | Database password for cats
|
||||||
`MYSQL_CATS_USER` | Database user for cats
|
`MYSQL_CATS_USER` | Database user for cats
|
||||||
`MYSQL_MGR_PASSWORD` | Database password for the test manager
|
`MYSQL_MGR_PASSWORD` | Database password for the test manager
|
||||||
`MYSQL_MGR_USER` | Database user for the test manager
|
`MYSQL_MGR_USER` | Database user for the test manager
|
||||||
`MYSQL_ROOT_PASSWORD` | Database root password
|
`MYSQL_ROOT_PASSWORD` | Database root password
|
||||||
|
`MYSQL_WEBDB_PASSWORD` | Database password for webdb
|
||||||
|
`MYSQL_WEBDB_USER` | Database user for webdb
|
||||||
|
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
@ -59,8 +59,8 @@ echo "CATCHALL_MAILBOX_PASSWORD=$(openssl rand -base64 18)
|
||||||
CLIENT_CERT_EMAIL=user@example.org
|
CLIENT_CERT_EMAIL=user@example.org
|
||||||
CLIENT_CERT_PASSWORD=$(openssl rand -base64 18)
|
CLIENT_CERT_PASSWORD=$(openssl rand -base64 18)
|
||||||
CLIENT_CERT_USERNAME="John Doe"
|
CLIENT_CERT_USERNAME="John Doe"
|
||||||
MYSQL_APP_PASSWORD=$(openssl rand -base64 18)
|
MYSQL_WEBDB_PASSWORD=$(openssl rand -base64 18)
|
||||||
MYSQL_APP_USER=cacert_dev
|
MYSQL_WEBDB_USER=cacert_dev
|
||||||
MYSQL_CATS_PASSWORD=$(openssl rand -base64 18)
|
MYSQL_CATS_PASSWORD=$(openssl rand -base64 18)
|
||||||
MYSQL_CATS_USER=cats
|
MYSQL_CATS_USER=cats
|
||||||
MYSQL_MGR_PASSWORD=$(openssl rand -base64 18)
|
MYSQL_MGR_PASSWORD=$(openssl rand -base64 18)
|
||||||
|
@ -71,7 +71,7 @@ docker-compose up
|
||||||
```
|
```
|
||||||
|
|
||||||
After these steps you should be able to reach the CAcert application at
|
After these steps you should be able to reach the CAcert application at
|
||||||
https://test.cacert.localhost:8443/. The test manager application is reachable
|
https://www.cacert.localhost:8443/. The test manager application is reachable
|
||||||
at https://mgr.cacert.localhost:9443/. CATS is reachable at
|
at https://mgr.cacert.localhost:9443/. CATS is reachable at
|
||||||
https://cats.cacert.localhost:7443/. The magic hostname resolution works on
|
https://cats.cacert.localhost:7443/. The magic hostname resolution works on
|
||||||
systems using systemd's nss module for host resolution. If you do not have that
|
systems using systemd's nss module for host resolution. If you do not have that
|
||||||
|
|
|
@ -29,19 +29,19 @@ services:
|
||||||
- maildir:/home/catchall/Maildir
|
- maildir:/home/catchall/Maildir
|
||||||
env_file:
|
env_file:
|
||||||
- ./.env
|
- ./.env
|
||||||
application:
|
webdb:
|
||||||
build:
|
build:
|
||||||
context: .
|
context: .
|
||||||
dockerfile: application.Dockerfile
|
dockerfile: webdb.Dockerfile
|
||||||
environment:
|
environment:
|
||||||
DEPLOYMENT_NAME: "CAcert.org Website (local development)"
|
DEPLOYMENT_NAME: "CAcert.org Website (local development)"
|
||||||
MYSQL_APP_HOSTNAME: db
|
MYSQL_WEBDB_HOSTNAME: db
|
||||||
MYSQL_APP_DATABASE: cacert
|
MYSQL_WEBDB_DATABASE: cacert
|
||||||
CSR_DIRECTORY: /csr
|
CSR_DIRECTORY: /csr
|
||||||
CRT_DIRECTORY: /crt
|
CRT_DIRECTORY: /crt
|
||||||
DEFAULT_HOSTNAME: test.cacert.localhost
|
DEFAULT_HOSTNAME: www.cacert.localhost
|
||||||
SECURE_HOSTNAME: secure.test.cacert.localhost
|
SECURE_HOSTNAME: secure.cacert.localhost
|
||||||
TVERIFY_HOSTNAME: tverify.test.cacert.localhost
|
TVERIFY_HOSTNAME: tverify.cacert.localhost
|
||||||
INSECURE_PORT: 8080
|
INSECURE_PORT: 8080
|
||||||
SECURE_PORT: 8443
|
SECURE_PORT: 8443
|
||||||
RETURN_ADDRESS: "returns@cacert.localhost"
|
RETURN_ADDRESS: "returns@cacert.localhost"
|
||||||
|
|
|
@ -1,6 +1,5 @@
|
||||||
<VirtualHost *:80>
|
<VirtualHost *:80>
|
||||||
ServerName test.cacert.localhost
|
ServerName www.cacert.localhost
|
||||||
ServerAlias www.test.cacert.localhost
|
|
||||||
DocumentRoot /www/www
|
DocumentRoot /www/www
|
||||||
|
|
||||||
ScriptAlias /cgi-bin/ /www/cgi-bin/
|
ScriptAlias /cgi-bin/ /www/cgi-bin/
|
||||||
|
@ -15,8 +14,7 @@
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
<VirtualHost *:443>
|
<VirtualHost *:443>
|
||||||
ServerName test.cacert.localhost
|
ServerName www.cacert.localhost
|
||||||
ServerAlias www.test.cacert.localhost
|
|
||||||
DocumentRoot /www/www
|
DocumentRoot /www/www
|
||||||
|
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
@ -24,8 +22,8 @@
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
SSLProtocol all -SSLv2 -SSLv3
|
||||||
SSLHonorCipherOrder on
|
SSLHonorCipherOrder on
|
||||||
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
|
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
|
||||||
SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem
|
SSLCertificateFile /etc/apache2/ssl/certs/www.cacert.localhost.crt.pem
|
||||||
SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem
|
SSLCertificateKeyFile /etc/apache2/ssl/private/www.cacert.localhost.key.pem
|
||||||
|
|
||||||
Header always set Strict-Transport-Security "max-age=31536000"
|
Header always set Strict-Transport-Security "max-age=31536000"
|
||||||
|
|
||||||
|
@ -41,7 +39,7 @@
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
<VirtualHost *:443>
|
<VirtualHost *:443>
|
||||||
ServerName secure.test.cacert.localhost
|
ServerName secure.cacert.localhost
|
||||||
DocumentRoot /www/www
|
DocumentRoot /www/www
|
||||||
|
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
@ -49,8 +47,8 @@
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
SSLProtocol all -SSLv2 -SSLv3
|
||||||
SSLHonorCipherOrder on
|
SSLHonorCipherOrder on
|
||||||
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
|
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
|
||||||
SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem
|
SSLCertificateFile /etc/apache2/ssl/certs/www.cacert.localhost.crt.pem
|
||||||
SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem
|
SSLCertificateKeyFile /etc/apache2/ssl/private/www.cacert.localhost.key.pem
|
||||||
|
|
||||||
SSLVerifyClient require
|
SSLVerifyClient require
|
||||||
SSLVerifyDepth 2
|
SSLVerifyDepth 2
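Review bot: The `SSLCipherSuite` value kept in both port-443 virtual hosts (hunks at -24,8 and -49,8) has no separator between `!3DES` and `!RC4`, and it still includes `ALL` while `SSLProtocol all -SSLv2 -SSLv3` leaves TLS 1.0 and 1.1 enabled. OpenSSL's rule parser may accept the missing colon, but that is worth confirming rather than relying on; writing `!3DES:!RC4` removes the doubt. Because this commit points both hosts, including the one with `SSLVerifyClient require`, at the same www.cacert.localhost key pair, a comment above the second `SSLCertificateFile` such as `# shared with www.cacert.localhost; the certificate lists secure.cacert.localhost as a SAN` would explain why the file name no longer matches the ServerName. Both VirtualHost blocks extend beyond the lines shown.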
|
|
@ -123,9 +123,9 @@ VALUES ('sq_AL', 'Albania', 'Albanian', 'Shqipëria', 'shqipe'),
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
|
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
|
||||||
CREATE USER $MYSQL_APP_USER@'%' IDENTIFIED BY '$MYSQL_APP_PASSWORD';
|
CREATE USER $MYSQL_WEBDB_USER@'%' IDENTIFIED BY '$MYSQL_WEBDB_PASSWORD';
|
||||||
GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%';
|
GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_WEBDB_USER@'%';
|
||||||
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%';
|
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_WEBDB_USER@'%';
|
||||||
|
|
||||||
CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
|
CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
|
||||||
GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
|
GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
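Review bot: The `CREATE USER` and `GRANT` statements now expand `$MYSQL_WEBDB_USER` and `$MYSQL_WEBDB_PASSWORD` inside an unquoted here-document with no check that they are set, so an `.env` written before this rename (still holding `MYSQL_APP_*`) would presumably expand them to empty strings. Depending on how the server treats an empty account name and password, that is either a failed initialisation or an account nobody intended; a guard before the `mysql` call such as `: "${MYSQL_WEBDB_USER:?not set}" "${MYSQL_WEBDB_PASSWORD:?not set}"` stops the script first. The password is also placed between single quotes unescaped, which is fine for the base64 values the README generates but would break on a hand-chosen password containing `'`. The rest of the script lies outside this hunk.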
|
||||||
|
|
|
@ -192,26 +192,14 @@ if [ ! -f certs/mgr.cacert.localhost.crt.pem ]; then
|
||||||
-extensions server_ext \
|
-extensions server_ext \
|
||||||
-batch
|
-batch
|
||||||
fi
|
fi
|
||||||
if [ ! -f certs/secure.test.cacert.localhost.crt.pem ]; then
|
if [ ! -f certs/www.cacert.localhost.crt.pem ]; then
|
||||||
openssl req -new -keyout certs/secure.test.cacert.localhost.key.pem -nodes \
|
openssl req -new -keyout certs/www.cacert.localhost.key.pem -nodes \
|
||||||
-out certs/secure.test.cacert.localhost.csr.pem -subj "/CN=secure.test.cacert.localhost" \
|
-out certs/www.cacert.localhost.csr.pem -subj "/CN=www.cacert.localhost" \
|
||||||
-addext "subjectAltName=DNS:secure.test.cacert.localhost"
|
-addext "subjectAltName=DNS:www.cacert.localhost,DNS:secure.cacert.localhost"
|
||||||
openssl ca -config ca.cnf \
|
openssl ca -config ca.cnf \
|
||||||
-name class3_ca \
|
-name class3_ca \
|
||||||
-in certs/secure.test.cacert.localhost.csr.pem \
|
-in certs/www.cacert.localhost.csr.pem \
|
||||||
-out certs/secure.test.cacert.localhost.crt.pem \
|
-out certs/www.cacert.localhost.crt.pem \
|
||||||
-rand_serial \
|
|
||||||
-extensions server_ext \
|
|
||||||
-batch
|
|
||||||
fi
|
|
||||||
if [ ! -f certs/test.cacert.localhost.crt.pem ]; then
|
|
||||||
openssl req -new -keyout certs/test.cacert.localhost.key.pem -nodes \
|
|
||||||
-out certs/test.cacert.localhost.csr.pem -subj "/CN=test.cacert.localhost" \
|
|
||||||
-addext "subjectAltName=DNS:test.cacert.localhost,DNS:www.test.cacert.localhost"
|
|
||||||
openssl ca -config ca.cnf \
|
|
||||||
-name class3_ca \
|
|
||||||
-in certs/test.cacert.localhost.csr.pem \
|
|
||||||
-out certs/test.cacert.localhost.crt.pem \
|
|
||||||
-rand_serial \
|
-rand_serial \
|
||||||
-extensions server_ext \
|
-extensions server_ext \
|
||||||
-batch
|
-batch
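Review bot: The script stops generating the `test.cacert.localhost` and `secure.test.cacert.localhost` key pairs, but nothing removes the ones an earlier run left in `certs/`; in an existing checkout those unencrypted (`-nodes`) keys and their certificates presumably stay on disk and remain valid under the class3 test CA. I would either delete them here with `rm -f certs/test.cacert.localhost.* certs/secure.test.cacert.localhost.*` or state in the README that the test CA should be regenerated after this change. A comment above the new `openssl req` call, for example `# one key pair for www and secure; both Apache virtual hosts use it`, would also explain the two-name subjectAltName. The `if` block the hunk ends in is closed outside the lines shown.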
|
||||||
|
|
|
@ -39,21 +39,21 @@ RUN apt-get update \
|
||||||
|
|
||||||
STOPSIGNAL SIGWINCH
|
STOPSIGNAL SIGWINCH
|
||||||
|
|
||||||
COPY docker/apache-foreground /usr/local/bin/
|
COPY docker/apache-webdb-foreground /usr/local/bin/
|
||||||
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
|
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
|
||||||
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
|
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
|
||||||
COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
|
COPY testca/certs/www.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
|
||||||
COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/
|
COPY testca/certs/www.cacert.localhost.key.pem /etc/apache2/ssl/private/
|
||||||
COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
|
COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
|
||||||
|
|
||||||
COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/
|
COPY docker/apache-webdb-virtualhost.conf /etc/apache2/sites-available/www.cacert.localhost.conf
|
||||||
COPY docker/cacert.conf /etc/apache2/conf-available/
|
COPY docker/cacert.conf /etc/apache2/conf-available/
|
||||||
COPY docker/php5-cacert.ini /etc/php5/mods-available/cacert.ini
|
COPY docker/php5-cacert.ini /etc/php5/mods-available/cacert.ini
|
||||||
COPY docker/feed.rss /usr/local/etc/application/feed.rss
|
COPY docker/feed.rss /usr/local/etc/application/feed.rss
|
||||||
|
|
||||||
VOLUME /www
|
VOLUME /www
|
||||||
|
|
||||||
RUN a2ensite apache-virtualhost ; \
|
RUN a2ensite www.cacert.localhost ; \
|
||||||
a2dissite 000-default ; \
|
a2dissite 000-default ; \
|
||||||
a2enconf cacert ; \
|
a2enconf cacert ; \
|
||||||
a2enmod headers ; \
|
a2enmod headers ; \
|
||||||
|
@ -68,4 +68,4 @@ RUN a2ensite apache-virtualhost ; \
|
||||||
EXPOSE 80
|
EXPOSE 80
|
||||||
EXPOSE 443
|
EXPOSE 443
|
||||||
|
|
||||||
CMD ["/usr/local/bin/apache-foreground"]
|
CMD ["/usr/local/bin/apache-webdb-foreground"]
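Review bot: The `RUN a2ensite www.cacert.localhost ; \` chain separates its commands with `;`, so a failing `a2ensite` — for instance if the site name and the target file name in the `COPY` of `apache-webdb-virtualhost.conf` ever drift apart — does not fail the build, and `a2dissite 000-default` still runs. Joining the steps with `&&` (`RUN a2ensite www.cacert.localhost && \`) or starting the chain with `set -e ;` turns a misnamed site into a build error instead of an image that starts without the intended virtual hosts. The RUN instruction continues beyond the hunk, so the remaining separators need the same change.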
|