Rename application to webdb

This commit renames the application container to webdb and drops the
test suffix in favour of using www.cacert.localhost directly. The server
certificate for www.cacert.localhost got an additional
subjectAlternativeName secure.cacert.localhost and is used for both
hostnames now.

Environment variables containing _APP have been renamed to _WEBDB to
keep consistency.
Jan Dittberner 2020-12-23 07:17:06 +01:00
parent 714533350b
commit f9b0eb5195
7 changed files with 34 additions and 48 deletions

View file

@ -45,13 +45,13 @@ Variable | Usage
`CLIENT_CERT_PASSWORD` | password used to encrypt `testca/certs/testclient.p12` `CLIENT_CERT_PASSWORD` | password used to encrypt `testca/certs/testclient.p12`
`CLIENT_CERT_USERNAME` | full name for a user that is included in the CN field of the subject distinguished name in the test client certificate `CLIENT_CERT_USERNAME` | full name for a user that is included in the CN field of the subject distinguished name in the test client certificate
`CLIENT_CERT_USERNAME` | user name for client certificate generated by `setup_test_ca.sh` `CLIENT_CERT_USERNAME` | user name for client certificate generated by `setup_test_ca.sh`
`MYSQL_APP_PASSWORD` | Database password for webdb
`MYSQL_APP_USER` | Database user for webdb
`MYSQL_CATS_PASSWORD` | Database password for cats `MYSQL_CATS_PASSWORD` | Database password for cats
`MYSQL_CATS_USER` | Database user for cats `MYSQL_CATS_USER` | Database user for cats
`MYSQL_MGR_PASSWORD` | Database password for the test manager `MYSQL_MGR_PASSWORD` | Database password for the test manager
`MYSQL_MGR_USER` | Database user for the test manager `MYSQL_MGR_USER` | Database user for the test manager
`MYSQL_ROOT_PASSWORD` | Database root password `MYSQL_ROOT_PASSWORD` | Database root password
`MYSQL_WEBDB_PASSWORD` | Database password for webdb
`MYSQL_WEBDB_USER` | Database user for webdb
```shell ```shell
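Review bot: the variable table still documents `CLIENT_CERT_USERNAME` twice with conflicting descriptions ("full name for a user that is included in the CN field ..." and "user name for client certificate generated by `setup_test_ca.sh`"); since this hunk already reworks the table rows, drop the duplicate or rename the second row to whichever variable it actually describes so each variable appears once.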
@ -59,8 +59,8 @@ echo "CATCHALL_MAILBOX_PASSWORD=$(openssl rand -base64 18)
CLIENT_CERT_EMAIL=user@example.org CLIENT_CERT_EMAIL=user@example.org
CLIENT_CERT_PASSWORD=$(openssl rand -base64 18) CLIENT_CERT_PASSWORD=$(openssl rand -base64 18)
CLIENT_CERT_USERNAME="John Doe" CLIENT_CERT_USERNAME="John Doe"
MYSQL_APP_PASSWORD=$(openssl rand -base64 18) MYSQL_WEBDB_PASSWORD=$(openssl rand -base64 18)
MYSQL_APP_USER=cacert_dev MYSQL_WEBDB_USER=cacert_dev
MYSQL_CATS_PASSWORD=$(openssl rand -base64 18) MYSQL_CATS_PASSWORD=$(openssl rand -base64 18)
MYSQL_CATS_USER=cats MYSQL_CATS_USER=cats
MYSQL_MGR_PASSWORD=$(openssl rand -base64 18) MYSQL_MGR_PASSWORD=$(openssl rand -base64 18)
@ -71,7 +71,7 @@ docker-compose up
``` ```
After these steps you should be able to reach the CAcert application at After these steps you should be able to reach the CAcert application at
https://test.cacert.localhost:8443/. The test manager application is reachable https://www.cacert.localhost:8443/. The test manager application is reachable
at https://mgr.cacert.localhost:9443/. CATS is reachable at at https://mgr.cacert.localhost:9443/. CATS is reachable at
https://cats.cacert.localhost:7443/. The magic hostname resolution works on https://cats.cacert.localhost:7443/. The magic hostname resolution works on
systems using systemd's nss module for host resolution. If you do not have that systems using systemd's nss module for host resolution. If you do not have that
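Review bot: the list of hostnames that must resolve only names `www.cacert.localhost`, `mgr.cacert.localhost` and `cats.cacert.localhost`, but the compose change in this same commit sets `SECURE_HOSTNAME: secure.cacert.localhost` and `TVERIFY_HOSTNAME: tverify.cacert.localhost`, and the secure vhost is the one that enforces `SSLVerifyClient require`. Add those two names here, since a reader without systemd's nss module has to put every name into `/etc/hosts` by hand and would otherwise only discover the missing entries when the client-certificate login fails.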

View file

@ -29,19 +29,19 @@ services:
- maildir:/home/catchall/Maildir - maildir:/home/catchall/Maildir
env_file: env_file:
- ./.env - ./.env
application: webdb:
build: build:
context: . context: .
dockerfile: application.Dockerfile dockerfile: webdb.Dockerfile
environment: environment:
DEPLOYMENT_NAME: "CAcert.org Website (local development)" DEPLOYMENT_NAME: "CAcert.org Website (local development)"
MYSQL_APP_HOSTNAME: db MYSQL_WEBDB_HOSTNAME: db
MYSQL_APP_DATABASE: cacert MYSQL_WEBDB_DATABASE: cacert
CSR_DIRECTORY: /csr CSR_DIRECTORY: /csr
CRT_DIRECTORY: /crt CRT_DIRECTORY: /crt
DEFAULT_HOSTNAME: test.cacert.localhost DEFAULT_HOSTNAME: www.cacert.localhost
SECURE_HOSTNAME: secure.test.cacert.localhost SECURE_HOSTNAME: secure.cacert.localhost
TVERIFY_HOSTNAME: tverify.test.cacert.localhost TVERIFY_HOSTNAME: tverify.cacert.localhost
INSECURE_PORT: 8080 INSECURE_PORT: 8080
SECURE_PORT: 8443 SECURE_PORT: 8443
RETURN_ADDRESS: "returns@cacert.localhost" RETURN_ADDRESS: "returns@cacert.localhost"
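Review bot: renaming the service from `application` to `webdb` also changes the DNS name under which other containers on the compose network reach it, and nothing in this diff updates such a reference; please confirm that no other service, config or test (the test manager, for instance) still addresses `application`, or add a network alias for the old name during the transition.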

View file

@ -1,6 +1,5 @@
<VirtualHost *:80> <VirtualHost *:80>
ServerName test.cacert.localhost ServerName www.cacert.localhost
ServerAlias www.test.cacert.localhost
DocumentRoot /www/www DocumentRoot /www/www
ScriptAlias /cgi-bin/ /www/cgi-bin/ ScriptAlias /cgi-bin/ /www/cgi-bin/
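Review bot: the plaintext `*:80` vhost still serves the complete `DocumentRoot /www/www` and `/cgi-bin/` instead of redirecting to the TLS vhost that the README advertises on port 8443. If plain HTTP is only needed for the paths the application deliberately keeps insecure (`INSECURE_PORT: 8080` in the compose file suggests that), say so in a comment; otherwise a `Redirect permanent` to the https host would keep credentials off the plaintext listener.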
@ -15,8 +14,7 @@
</VirtualHost> </VirtualHost>
<VirtualHost *:443> <VirtualHost *:443>
ServerName test.cacert.localhost ServerName www.cacert.localhost
ServerAlias www.test.cacert.localhost
DocumentRoot /www/www DocumentRoot /www/www
SSLEngine on SSLEngine on
@ -24,8 +22,8 @@
SSLProtocol all -SSLv2 -SSLv3 SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile /etc/apache2/ssl/certs/test.cacert.localhost.crt.pem SSLCertificateFile /etc/apache2/ssl/certs/www.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/test.cacert.localhost.key.pem SSLCertificateKeyFile /etc/apache2/ssl/private/www.cacert.localhost.key.pem
Header always set Strict-Transport-Security "max-age=31536000" Header always set Strict-Transport-Security "max-age=31536000"
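Review bot: `SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:...` is missing the colon between `!3DES` and `!RC4`; it only works if the parser accepts a bare `!` as the start of the next rule, so write the standard form `!3DES:!RC4` to make the intent unambiguous. While touching this vhost, `SSLProtocol all -SSLv2 -SSLv3` still allows TLS 1.0 and 1.1; `-TLSv1 -TLSv1.1` is the usual setting unless the test setup needs the old versions. The identical lines recur in the `secure.cacert.localhost` vhost below and should be fixed there too.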
@ -41,7 +39,7 @@
</VirtualHost> </VirtualHost>
<VirtualHost *:443> <VirtualHost *:443>
ServerName secure.test.cacert.localhost ServerName secure.cacert.localhost
DocumentRoot /www/www DocumentRoot /www/www
SSLEngine on SSLEngine on
@ -49,8 +47,8 @@
SSLProtocol all -SSLv2 -SSLv3 SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on SSLHonorCipherOrder on
SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL SSLCipherSuite kEECDH:kEDH:AESGCM:ALL:!3DES!RC4:!LOW:!EXP:!MD5:!aNULL:!eNULL
SSLCertificateFile /etc/apache2/ssl/certs/secure.test.cacert.localhost.crt.pem SSLCertificateFile /etc/apache2/ssl/certs/www.cacert.localhost.crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/private/secure.test.cacert.localhost.key.pem SSLCertificateKeyFile /etc/apache2/ssl/private/www.cacert.localhost.key.pem
SSLVerifyClient require SSLVerifyClient require
SSLVerifyDepth 2 SSLVerifyDepth 2
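Review bot: `SSLVerifyDepth 2` is exactly the depth a client certificate issued by the class3 intermediate under the test root needs (root, class3, client), so any additional intermediate in a future test CA layout will silently fail verification; a comment stating that assumption next to `SSLVerifyClient require` would save debugging time. The hunk does not show which `SSLCACertificateFile` the client verification uses, so I cannot confirm it points at the chain that the Dockerfile installs as `combined.crt`; please double-check that after the certificate rename.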

View file

@ -123,9 +123,9 @@ VALUES ('sq_AL', 'Albania', 'Albanian', 'Shqip&euml;ria', 'shqipe'),
EOF EOF
mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF mysql -h localhost -u root "-p$MYSQL_ROOT_PASSWORD" <<-EOF
CREATE USER $MYSQL_APP_USER@'%' IDENTIFIED BY '$MYSQL_APP_PASSWORD'; CREATE USER $MYSQL_WEBDB_USER@'%' IDENTIFIED BY '$MYSQL_WEBDB_PASSWORD';
GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_APP_USER@'%'; GRANT CREATE TEMPORARY TABLES ON cacert.* TO $MYSQL_WEBDB_USER@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_APP_USER@'%'; GRANT SELECT, INSERT, UPDATE, DELETE ON cacert.* TO $MYSQL_WEBDB_USER@'%';
CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD'; CREATE USER $MYSQL_MGR_USER@'%' IDENTIFIED BY '$MYSQL_MGR_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%'; GRANT SELECT, INSERT, UPDATE, DELETE ON mgr.* TO $MYSQL_MGR_USER@'%';
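Review bot: in `CREATE USER $MYSQL_WEBDB_USER@'%' IDENTIFIED BY '$MYSQL_WEBDB_PASSWORD';` the user name is interpolated unquoted while the password is quoted; quote both (`'$MYSQL_WEBDB_USER'@'%'`) so a user name containing `-` or `.` does not break the statement. The same applies to the `GRANT` lines and to `$MYSQL_MGR_USER`. Passing the root password as `"-p$MYSQL_ROOT_PASSWORD"` on the command line exposes it in the process list of the container; reading it via `MYSQL_PWD` or a `--defaults-extra-file` avoids that even in a development setup.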

View file

@ -192,26 +192,14 @@ if [ ! -f certs/mgr.cacert.localhost.crt.pem ]; then
-extensions server_ext \ -extensions server_ext \
-batch -batch
fi fi
if [ ! -f certs/secure.test.cacert.localhost.crt.pem ]; then if [ ! -f certs/www.cacert.localhost.crt.pem ]; then
openssl req -new -keyout certs/secure.test.cacert.localhost.key.pem -nodes \ openssl req -new -keyout certs/www.cacert.localhost.key.pem -nodes \
-out certs/secure.test.cacert.localhost.csr.pem -subj "/CN=secure.test.cacert.localhost" \ -out certs/www.cacert.localhost.csr.pem -subj "/CN=www.cacert.localhost" \
-addext "subjectAltName=DNS:secure.test.cacert.localhost" -addext "subjectAltName=DNS:www.cacert.localhost,DNS:secure.cacert.localhost"
openssl ca -config ca.cnf \ openssl ca -config ca.cnf \
-name class3_ca \ -name class3_ca \
-in certs/secure.test.cacert.localhost.csr.pem \ -in certs/www.cacert.localhost.csr.pem \
-out certs/secure.test.cacert.localhost.crt.pem \ -out certs/www.cacert.localhost.crt.pem \
-rand_serial \
-extensions server_ext \
-batch
fi
if [ ! -f certs/test.cacert.localhost.crt.pem ]; then
openssl req -new -keyout certs/test.cacert.localhost.key.pem -nodes \
-out certs/test.cacert.localhost.csr.pem -subj "/CN=test.cacert.localhost" \
-addext "subjectAltName=DNS:test.cacert.localhost,DNS:www.test.cacert.localhost"
openssl ca -config ca.cnf \
-name class3_ca \
-in certs/test.cacert.localhost.csr.pem \
-out certs/test.cacert.localhost.crt.pem \
-rand_serial \ -rand_serial \
-extensions server_ext \ -extensions server_ext \
-batch -batch
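Review bot: the `if [ ! -f certs/www.cacert.localhost.crt.pem ]` guard only checks that a certificate file exists, not that it carries the SAN list this commit adds (`DNS:www.cacert.localhost,DNS:secure.cacert.localhost`); a later change to the SAN set would be silently ignored on machines with an existing `certs/` directory, so either compare the SANs (`openssl x509 -noout -ext subjectAltName`) before skipping, or document that `certs/` has to be wiped after such changes. The script also leaves the old `test.cacert.localhost` and `secure.test.cacert.localhost` key and certificate files in place on existing checkouts; a cleanup line for those would avoid confusion about which key is live.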

View file

@ -39,21 +39,21 @@ RUN apt-get update \
STOPSIGNAL SIGWINCH STOPSIGNAL SIGWINCH
COPY docker/apache-foreground /usr/local/bin/ COPY docker/apache-webdb-foreground /usr/local/bin/
COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt COPY testca/root/ca.crt.pem /usr/local/share/ca-certificates/testca_root.crt
COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt COPY testca/class3/ca.crt.pem /usr/local/share/ca-certificates/testca_class3.crt
COPY testca/certs/test.cacert.localhost.crt.pem testca/certs/secure.test.cacert.localhost.crt.pem /etc/apache2/ssl/certs/ COPY testca/certs/www.cacert.localhost.crt.pem /etc/apache2/ssl/certs/
COPY testca/certs/test.cacert.localhost.key.pem testca/certs/secure.test.cacert.localhost.key.pem /etc/apache2/ssl/private/ COPY testca/certs/www.cacert.localhost.key.pem /etc/apache2/ssl/private/
COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt COPY testca/certs/cachain.crt.pem /etc/ssl/apache2/certs/combined.crt
COPY docker/apache-virtualhost.conf /etc/apache2/sites-available/ COPY docker/apache-webdb-virtualhost.conf /etc/apache2/sites-available/www.cacert.localhost.conf
COPY docker/cacert.conf /etc/apache2/conf-available/ COPY docker/cacert.conf /etc/apache2/conf-available/
COPY docker/php5-cacert.ini /etc/php5/mods-available/cacert.ini COPY docker/php5-cacert.ini /etc/php5/mods-available/cacert.ini
COPY docker/feed.rss /usr/local/etc/application/feed.rss COPY docker/feed.rss /usr/local/etc/application/feed.rss
VOLUME /www VOLUME /www
RUN a2ensite apache-virtualhost ; \ RUN a2ensite www.cacert.localhost ; \
a2dissite 000-default ; \ a2dissite 000-default ; \
a2enconf cacert ; \ a2enconf cacert ; \
a2enmod headers ; \ a2enmod headers ; \
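Review bot: `COPY docker/feed.rss /usr/local/etc/application/feed.rss` still uses the old `application` name that this commit sets out to retire; if `cacert.conf` or `php5-cacert.ini` reference that path, rename it in the same commit, otherwise leave a comment explaining why the path stays. Note also that `COPY testca/certs/www.cacert.localhost.key.pem /etc/apache2/ssl/private/` bakes the private key into an image layer; that is acceptable for a throwaway test CA, but worth a comment so nobody reuses the pattern for real keys.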
@ -68,4 +68,4 @@ RUN a2ensite apache-virtualhost ; \
EXPOSE 80 EXPOSE 80
EXPOSE 443 EXPOSE 443
CMD ["/usr/local/bin/apache-foreground"] CMD ["/usr/local/bin/apache-webdb-foreground"]