Commit 260c24b2 authored by Sebastian Kehr's avatar Sebastian Kehr 🚣🏼

Initial commit

parent 73c7263c
Pipeline #374 failed with stage
in 11 seconds
......@@ -17,13 +17,13 @@ stages:
--build-arg http_proxy=${HTTP_PROXY} \
--build-arg https_proxy=${HTTPS_PROXY} \
--build-arg no_proxy=${NO_PROXY} \
-t ubleipzig/httpd:2.4 \
-t ubleipzig/symfony-httpd:2.4 \
-f 2.4/Dockerfile \
2.4
docker push ubleipzig/httpd:2.4
docker push ubleipzig/symfony-httpd:2.4
for tag in "latest" "2" "2.4-${suffix}"; do
docker tag ubleipzig/httpd:2.4 ubleipzig/httpd:${tag}
docker push ubleipzig/httpd:${tag}
docker tag ubleipzig/symfony-httpd:2.4 ubleipzig/symfony-httpd:${tag}
docker push ubleipzig/symfony-httpd:${tag}
done
tags:
- docker
......@@ -44,7 +44,7 @@ github_mirror:
cd /tmp
git clone --mirror ${CI_REPOSITORY_URL} project
cd project
git remote add github https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/ubleipzig/httpd.git
git remote add github https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/ubleipzig/symfony-httpd.git
git push --mirror github
tags:
- docker
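Review bot: The new `git remote add github https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/ubleipzig/symfony-httpd.git` line embeds the token in the remote URL, so it is written to the clone's `config` file under `/tmp/project` and may appear in job output if git prints the remote on a failed push. Assuming `GITHUB_TOKEN` is a CI/CD variable, it should be masked and protected, and the clone should be deleted once the push finishes, for example `git push --mirror github; rm -rf /tmp/project`. The expansions are also unquoted; `git clone --mirror "${CI_REPOSITORY_URL}" project` avoids word splitting. The job definition starts above this hunk, so a cleanup step that already exists would not be visible here.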
FROM debian:stretch-slim
#ENTRYPOINT [ "/docker-entrypoint" ]
CMD ["apache2", "-D", "FOREGROUND"]
ENV SHIB_HANDLER_URL=/Shibboleth.sso \
APACHE_RUN_DIR=/var/run/apache2 \
APACHE_RUN_USER=www-data \
APACHE_RUN_GROUP=www-data \
APACHE_DOC_ROOT=/var/www/html
#ADD assets/docker-entrypoint /docker-entrypoint
ADD assets/*.conf /etc/apache2/conf-available/
#RUN chmod a+x /docker-entrypoint \
RUN apt-get update \
&& apt-get install -y --no-install-recommends libapache2-mod-shib2 openssl apache2 \
&& openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048 \
&& openssl req -nodes -new -x509 -newkey rsa:4096 -subj "/CN=localhost" -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -days 3650 \
&& apt-get purge -y openssl \
&& apt-get autoremove -y --purge \
&& sed -e 's!^\(ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/apache2.conf \
&& sed -e 's!^\(PidFile.*\)$!#\1!' -i /etc/apache2/apache2.conf \
&& sed -e 's!/var/www/html!${APACHE_DOC_ROOT}!g' -i /etc/apache2/sites-available/000-default.conf \
&& sed -e 's!^\(\s*ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/sites-available/000-default.conf \
&& sed -e 's!^\(\s*CustomLog\).*$!\1 /proc/self/fd/1 combined!' -i /etc/apache2/sites-available/000-default.conf \
&& sed -e 's!/var/www/html!${APACHE_DOC_ROOT}!g' -i /etc/apache2/sites-available/default-ssl.conf \
&& sed -e 's!^\(\s*ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/sites-available/default-ssl.conf \
&& sed -e 's!^\(\s*CustomLog\).*$!\1 /proc/self/fd/1 combined!' -i /etc/apache2/sites-available/default-ssl.conf \
&& a2disconf serve-cgi-bin other-vhosts-access-log \
&& a2dismod shib2 \
&& a2enmod rewrite proxy_fcgi \
&& a2ensite default-ssl \
&& a2enconf debug ssl shibboleth \
&& rm -r /var/lib/apt/lists/*
\ No newline at end of file
FROM ubleipzig/httpd:2.4-1
COPY assets/symfony.conf /etc/apache2/conf-available/symfony.conf
RUN a2enconf symfony
\ No newline at end of file
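Review bot: `FROM ubleipzig/httpd:2.4-1` names the base image by a mutable tag, so a later rebuild can pick up different base content without any change in this repository. Pinning the digest as well, `FROM ubleipzig/httpd:2.4-1@sha256:<digest-of-reviewed-base>`, keeps the build reproducible and auditable. A comment above the `FROM` would also help: per the README the base image ships a self-signed key and certificate, which are presumably identical in every container started from it and should be replaced before `-D ssl` is used outside testing.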
<IfDefine debug>
ProxyTimeout 3600
</IfDefine>
#!/bin/bash
set -e
exec "$@"
\ No newline at end of file
<IfDefine shibboleth>
LoadModule mod_shib /usr/lib/apache2/modules/mod_shib2.so
<Location ${SHIB_HANDLER_URL}>
RewriteEngine On
RewriteRule .* - [L]
</Location>
<Location /shibboleth-secure>
ShibRequestSetting requireSession 1
require shib-session
</Location>
</IfDefine>
\ No newline at end of file
<IfDefine ssl>
LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
IncludeOptional mods-available/ssl.conf
Listen 443
</IfDefine>
<FilesMatch \.php$>
SetHandler "proxy:fcgi://php:9000"
</FilesMatch>
<Directory ${APACHE_DOC_ROOT}>
# AllowOverride All
Require all granted
# Use the front controller as index file. It serves as a fallback solution when
# every other rewrite/redirect fails (e.g. in an aliased environment without
# mod_rewrite). Additionally, this reduces the matching process for the
# start page (path "/") because otherwise Apache will apply the rewriting rules
# to each configured DirectoryIndex file (e.g. index.php, index.html, index.pl).
DirectoryIndex index.php
# By default, Apache does not evaluate symbolic links if you did not enable this
# feature in your server configuration. Uncomment the following line if you
# install assets as symlinks or if you experience problems related to symlinks
# when compiling LESS/Sass/CoffeScript assets.
# Options FollowSymlinks
# Disabling MultiViews prevents unwanted negotiation, e.g. "/index" should not resolve
# to the front controller "/index.php" but be rewritten to "/index.php/index".
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
# Determine the RewriteBase automatically and set it as environment variable.
# If you are using Apache aliases to do mass virtual hosting or installed the
# project in a subdirectory, the base path will be prepended to allow proper
# resolution of the index.php file and to redirect to the correct URI. It will
# work in environments without path prefix as well, providing a safe, one-size
# fits all solution. But as you do not need it in this case, you can comment
# the following 2 lines to eliminate the overhead.
RewriteCond %{REQUEST_URI}::$1 ^(/.+)/(.*)::\2$
RewriteRule ^(.*) - [E=BASE:%1]
# Sets the HTTP_AUTHORIZATION header removed by Apache
RewriteCond %{HTTP:Authorization} .
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect to URI without front controller to prevent duplicate content
# (with and without `/index.php`). Only do this redirect on the initial
# rewrite by Apache and not on subsequent cycles. Otherwise we would get an
# endless redirect loop (request -> rewrite to front controller ->
# redirect -> request -> ...).
# So in case you get a "too many redirects" error or you always get redirected
# to the start page because your Apache does not expose the REDIRECT_STATUS
# environment variable, you have 2 choices:
# - disable this feature by commenting the following 2 lines or
# - use Apache >= 2.3.9 and replace all L flags by END flags and remove the
# following RewriteCond (best solution)
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
# If the requested filename exists, simply serve it.
# We only want to let Apache serve files and not directories.
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [L]
# Rewrite all other queries to the front controller.
RewriteRule ^ %{ENV:BASE}/index.php [L]
</IfModule>
<IfModule !mod_rewrite.c>
<IfModule mod_alias.c>
# When mod_rewrite is not available, we instruct a temporary redirect of
# the start page to the front controller explicitly so that the website
# and the generated links can still be used.
RedirectMatch 307 ^/$ /index.php/
# RedirectTemp cannot be used instead
</IfModule>
</IfModule>
</Directory>
\ No newline at end of file
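Review bot: `<FilesMatch \.php$>` hands every `.php` file under `${APACHE_DOC_ROOT}` to `proxy:fcgi://php:9000`, and the `RewriteCond %{REQUEST_FILENAME} -f` rule serves any existing file as-is, so anything executable or sensitive that ends up in the document root becomes reachable. If the image is meant only for Symfony's front-controller layout, the handler can be narrowed to `<FilesMatch ^index\.php$>`. Otherwise a comment at the top of the file should state that `APACHE_DOC_ROOT` must point at the application's public directory and nothing else. The file also lacks a header comment naming symfony/apache-pack as its origin, which the README states.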
# Changelog
## 2.4-1 - 2018-07-02
### Added
* *DocumentRoot* configurable via `APACHE_DOC_ROOT` environment variable
## 2.4-0 - 2018-07-02
* initial release
## 2.4-1 - 2018-07-10
* Initial release
\ No newline at end of file
# httpd
# syfmony-http
*httpd* is a webserver container, which delivers file-requests and passes requests through to the php-service. the image is based on [debian:stretch-slim].
*symfony-httpd* is a webserver container based on [ubleipzig:httpd] with additional configuration based on [symfony/apache-pack].
The image is extended by shibboleth-support which depends on a running container based on [ubleipzig/shibboleth] though. Furthermore a self-signed certificate was added to the image to provide ssl-reguests.
## supported tags
## Supported tags
* 2.4-*, 2.4, 2, latest ([2.4/Dockerfile])
## Usage of the image
The image can be used in connection with an application server which can be accessed via proxy-fcgi. The user is responsible for a specific configuration for that, i.e. by creating a new inheriting image, such as [ubleipzig/vufind-httpd], which uses the application server ([ubleipzig/vufind-php]) of [VuFind]
out-of-the-box the server is only delivering static content. To start the webserver do as follows:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
ubleipzig/httpd
```
Be aware that the httpd-daemon needs read-access to the files it has to serve.
## advanced startup
By providing additional start options several features can be used
### SSL
To start containers with ssl-support enabled use the following startup command:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
-p 443:443 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D ssl
```
The files for key and certificate are located under `/etc/ssl/private/ssl-cert-snakeoil.key` and `/etc/ssl/certs/ssl-cert-snakeoil.pem`. If you want to provide a real certificate, you have to overwrite these files or create a custom configuration.
### Debug
To prevent timeouts in debug-sessions the httpd-daemon can be started as follows:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D debug
```
By this the directive `ProxyTimeout 3600` is set, which increases the timeout for (FCGI-)Proxy-Requests to one hour.
### Shibboleth
In order to use shibboleth we depend on a configured up and running shibboleth-authenticator - accessable at `/var/run/shibd.sock`. You can get one for example by creating a container based on the image [ubleipzig/shibboleth] and link it into the httpd-container at startup:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
--volumes-from shibboleth \
ubleipzig/httpd \
apache2 -D FOREGROUND -D shibboleth
```
## Advanced configuration
* `SHIB_HANDLER_URL=/Shibboleth.sso`: where apache's sibboleth-handler listens. only with `-D shibboleth`.
* `APACHE_RUN_DIR=/var/run/apache2`: the working directory of the httpd-daemon. almost always unnecessary to change. know, what you do.
* `APACHE_RUN_USER=www-data`: the user the httpd-daemon runs with. almost always unnecessary to change. know, what you do.
* `APACHE_RUN_GROUP=www-data`: the group the httpd-daemon runs with. almost always unnecessary to change. know, what you do.
* `APACHE_DOC_ROOT=/var/www/html`: the document root of the content to deliver.
See [ubleipzig:httpd].
[VuFind]: https://github.com/vufind-org/vufind
[ubleipzig/shibboleth]: https://hub.docker.com/r/ubleipzig/shibboleth/
[ubleipzig/vufind-php]: https://hub.docker.com/r/ubleipzig/vufind-php/
[ubleipzig/vufind-httpd]: https://hub.docker.com/r/ubleipzig/vufind-httpd/
[debian:stretch-slim]: https://hub.docker.com/_/debian/
[2.4/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/httpd/blob/master/2.4/Dockerfile
[ubleipzig:httpd]: https://hub.docker.com/r/ubleipzig/httpd
[symfony/apache-pack]: https://github.com/symfony/recipes-contrib/blob/master/symfony/apache-pack/1.0/public/.htaccess
[2.4/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/symfony-httpd/blob/master/.gitlab-ci.yml
# httpd
# symfony-httpd
*httpd* ist der Standard-Webserver, welcher Datei-Requests ausliefert und Anfragen an den PHP-Service weiterleitet. Das Basis-Image ist [debian:stretch-slim].
Das Image wurde um Shibboleth-Support ergänzt, benötigt dazu jedoch das [ubleipzig/shibboleth]-Image. Weiterhin wurde ein selbstsigniertes Zertifikat hinzugefügt, um Zugriffe per SSL zu ermöglichen.
*symfony-httpd* ist ein Webserver-Container basierend auf [ubleipzig:httpd] mit zusätzlicher Konfiguration basierend auf [symfony/apache-pack].
## Unterstützte tags
......@@ -10,75 +8,8 @@ Das Image wurde um Shibboleth-Support ergänzt, benötigt dazu jedoch das [ublei
## Nutzung des Images
Das Image kann im Zusammenhang mit einem Applikationsserver, welcher per proxy-fcgi angesprochen werden kann, genutzt werden. Die Konfiguration hierzu obliegt dem Nutzer, beispielsweise durch die Erstellung eines ableitenden Images, siehe [ubleipzig/vufind-httpd], welches den Applikationsserver ([ubleipzig/vufind-php]) von [VuFind] nutzt.
Out-of-the-Box ist der Server lediglich zum Ausliefern statischer Inhalte nutzbar. Man kann den Webserver wie folgt starten:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
ubleipzig/httpd
```
Dabei muss darauf geachtet werden, dass der httpd-daemon entsprechende Zugriffsrechte auf die Dateien hat.
## erweiterte Startoptionen
Mithilfe erweiterter Startoptionen lassen sich zusätzliche Fähigkeiten nutzen
### SSL
Um den Zugriff via SSL zu ermöglichen, muss der httpd-Daemon mit wiefolgt gestartet werden:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
-p 443:443 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D ssl
```
Die SSL-Dateien liegen unter `/etc/ssl/private/ssl-cert-snakeoil.key` und `/etc/ssl/certs/ssl-cert-snakeoil.pem`. Möchte man ein echtes Zertifikat verwenden, so muss man entweder diese Dateien überschreiben oder eine eigene Konfiguration einfügen.
### Debug
Um Timeouts beim Debuggen zu vermeiden, kann der httpd-Daemon wiefolgt gestartet werden:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D debug
```
Dadurch wird die Direktive `ProxyTimeout 3600` gesetzt, welche das Timeout für FCGI-Proxy-Requests auf eine Stunde setzt.
### Shibboleth
Um Shibboleth-Support nutzen zu können, wird ein konfigurierter Shibboleth-Authenticator - erreichbar an `/var/run/shibd.sock` - erwartet. Diesen erhält man beispielsweise, in dem man einen Container basierend auf dem [ubleipzig/shibboleth]-Image startet und beim Start des httpd-Container in den Container verlinkt:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
--volumes-from shibboleth \
ubleipzig/httpd \
apache2 -D FOREGROUND -D shibboleth
```
## Advanced configuration
* `SHIB_HANDLER_URL=/Shibboleth.sso`: Wo Apache's Shibboleth-Handler Anfragen erwartet. Nur sinnvoll in Verbindung mit `-D shibboleth`.
* `APACHE_RUN_DIR=/var/run/apache2`: Das Arbeitsverzeichnis des httpd-Daemons. So gut wie nie notwendig, anzupassen. Wisse, was du tust.
* `APACHE_RUN_USER=www-data`: Der Benutzer mit dem der httpd-Daemon startet. So gut wie nie notwendig, anzupassen. Wisse, was du tust.
* `APACHE_RUN_GROUP=www-data`: Die Gruppe mit dem der httpd-Daemon startet. So gut wie nie notwendig, anzupassen. Wisse, was du tust.
* `APACHE_DOC_ROOT=/var/www/html`: Das Document-Root aus dem der Inhalt ausgeliefert wird.
Siehe [ubleipzig:httpd].
[VuFind]: https://github.com/vufind-org/vufind
[ubleipzig/shibboleth]: https://hub.docker.com/r/ubleipzig/shibboleth/
[ubleipzig/vufind-php]: https://hub.docker.com/r/ubleipzig/vufind-php/
[ubleipzig/vufind-httpd]: https://hub.docker.com/r/ubleipzig/vufind-httpd/
[debian:stretch-slim]: https://hub.docker.com/_/debian/
[2.4/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/httpd/blob/master/2.4/Dockerfile
[ubleipzig:httpd]: https://hub.docker.com/r/ubleipzig/httpd
[symfony/apache-pack]: https://github.com/symfony/recipes-contrib/blob/master/symfony/apache-pack/1.0/public/.htaccess
[2.4/Dockerfile]: https://github.com/ubleipzig/symfony-httpd/blob/master/2.4/Dockerfile
\ No newline at end of file
HTTP_PROXY = http://proxy.uni-leipzig.de:3128
HTTPS_PROXY = http://proxy.uni-leipzig.de:3128
IMAGE_NAME = ubleipzig/httpd
IMAGE_NAME = ubleipzig/symfony-httpd
.PHONY: 2.4
......
# httpd
# symfony-httpd
This repository holds the Dockerfiles and configuration for the Apache2-webserver, adjusted to serve vufind and other php-related applications developed by UBL.
This repository holds the Dockerfiles for a webserver container based on [ubleipzig:httpd] with additional configuration based on [symfony/apache-pack].
Basically we added shibboleth-support and expect all application-requests to be made by proxy-fcgi. every application using this service has to bring its own proxy-fcgi configuration. Furthermore we added ssl to support ssl-request out-of-the-box and add the debug-feature to increase ProxyTimeout, which is useful in debug-sessions.
See [ubleipzig:httpd] for further information.
## Image-Tags
......@@ -33,6 +33,8 @@ In case you want to contribute please fork and make a pull-request at [Gitlab-ho
* Tests
[.gitlab-ci.yml]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/httpd/blob/master/.gitlab-ci.yml
[Gitlab-hosting of Leipzig University]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/httpd
[Docker-Hub]: https://hub.docker.com/r/ubleipzig/httpd/
\ No newline at end of file
[ubleipzig:httpd]: https://hub.docker.com/r/ubleipzig/httpd
[symfony/apache-pack]: https://github.com/symfony/recipes-contrib/blob/master/symfony/apache-pack/1.0/public/.htaccess
[.gitlab-ci.yml]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/symfony-httpd/blob/master/.gitlab-ci.yml
[Gitlab-hosting of Leipzig University]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/symfony-httpd
[Docker-Hub]: https://hub.docker.com/r/ubleipzig/symfony-httpd/
\ No newline at end of file