Commit 4a97ac11 authored by Ulf Seltmann's avatar Ulf Seltmann
initial commit

stages:
- image
- mirror
'2.4':
stage: image
image: docker:latest
services:
- docker:dind
script: |
mkdir -p ~/.docker && echo "$DOCKER_AUTH_CONFIG" >~/.docker/config.json
export suffix=`expr $CI_COMMIT_TAG ':' '2.4-\(.*\)'`
docker build --pull \
--build-arg HTTP_PROXY=${HTTP_PROXY} \
--build-arg HTTPS_PROXY=${HTTPS_PROXY} \
--build-arg NO_PROXY=${NO_PROXY} \
--build-arg http_proxy=${HTTP_PROXY} \
--build-arg https_proxy=${HTTPS_PROXY} \
--build-arg no_proxy=${NO_PROXY} \
-t ubleipzig/httpd:2.4 \
-f 2.4/Dockerfile \
2.4
docker push ubleipzig/httpd:2.4
for tag in "latest" "2" "2.4-${suffix}"; do
docker tag ubleipzig/httpd:2.4 ubleipzig/httpd:${tag}
docker push ubleipzig/httpd:${tag}
done
tags:
- docker
only:
- /^2.4/
except:
- branches
github_mirror:
stage: mirror
image:
name: alpine/git
entrypoint: [ "/bin/sh", "-c" ]
variables:
GIT_STRATEGY: clone
GIT_CHECKOUT: "false"
script: |
cd /tmp
git clone --mirror ${CI_REPOSITORY_URL} project
cd project
git remote add github https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/ubleipzig/httpd.git
git push --mirror github
tags:
- docker
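Review bot: the `git remote add github https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/ubleipzig/httpd.git` line in `github_mirror` embeds the token in the remote URL, so it is written to the clone's `.git/config` in the job workspace and is echoed whenever `git push --mirror github` fails and prints the remote; keep `GITHUB_TOKEN` a masked and protected CI variable and pass it through a credential helper or the environment rather than the URL. Second, `expr $CI_COMMIT_TAG ':' '2.4-\(.*\)'` yields an empty suffix for a tag that is exactly `2.4`, so the loop then pushes an image tagged `2.4-`; either skip the loop entry when `suffix` is empty or tighten `only:` to `/^2\.4-/` (the current `/^2.4/` also leaves the dot unescaped, so it matches tags such as `2x4`).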
FROM debian:stretch-slim
#ENTRYPOINT [ "/docker-entrypoint" ]
CMD ["apache2", "-D", "FOREGROUND"]
ENV BASE_PATH="" \
SHIB_HANDLER_URL=/Shibboleth.sso \
APACHE_RUN_DIR=/var/run/apache2 \
APACHE_RUN_USER=www-data \
APACHE_RUN_GROUP=www-data
#ADD assets/docker-entrypoint /docker-entrypoint
ADD assets/*.conf /etc/apache2/conf-available/
#RUN chmod a+x /docker-entrypoint \
RUN apt-get update \
&& apt-get install -y --no-install-recommends libapache2-mod-shib2 openssl apache2 \
&& openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048 \
&& openssl req -nodes -new -x509 -newkey rsa:4096 -subj "/CN=localhost" -keyout /etc/ssl/private/ssl-cert-snakeoil.key -out /etc/ssl/certs/ssl-cert-snakeoil.pem -days 3650 \
&& apt-get purge -y openssl \
&& apt-get autoremove -y --purge \
&& sed -e 's!^\(ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/apache2.conf \
&& sed -e 's!^\(PidFile.*\)$!#\1!' -i /etc/apache2/apache2.conf \
&& sed -e 's!^\(\s*ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/sites-available/000-default.conf \
&& sed -e 's!^\(\s*CustomLog\).*$!\1 /proc/self/fd/1 combined!' -i /etc/apache2/sites-available/000-default.conf \
&& sed -e 's!^\(\s*ErrorLog\).*$!\1 /proc/self/fd/2!' -i /etc/apache2/sites-available/default-ssl.conf \
&& sed -e 's!^\(\s*CustomLog\).*$!\1 /proc/self/fd/1 combined!' -i /etc/apache2/sites-available/default-ssl.conf \
&& a2disconf serve-cgi-bin other-vhosts-access-log \
&& a2dismod shib2 \
&& a2enmod rewrite proxy_fcgi \
&& a2ensite default-ssl \
&& a2enconf debug ssl shibboleth \
&& rm -r /var/lib/apt/lists/*
\ No newline at end of file
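Review bot: the `openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048` step is dead code, because the following `openssl req ... -newkey rsa:4096 -keyout /etc/ssl/private/ssl-cert-snakeoil.key` generates a fresh key into the same path; drop one of the two and settle on 2048 or 4096 bits. Since the key pair is generated at build time it is identical in every container started from a published image, so the README should state plainly that it is a placeholder and that real keys must be mounted in. Smaller points: `COPY` is preferred over `ADD` for local files, and `debian:stretch-slim` plus the `docker:latest` CI image are unpinned, so rebuilds of the same tag are not reproducible.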
<IfDefine debug>
ProxyTimeout 3600
</IfDefine>
#!/bin/bash
set -e
exec "$@"
\ No newline at end of file
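Review bot: `assets/docker-entrypoint` is added here but never reaches the image: the `ADD assets/docker-entrypoint`, `chmod a+x` and `ENTRYPOINT` lines in the Dockerfile are all commented out, and `ADD assets/*.conf` does not match the file. Either wire it up or remove it together with the commented lines; a bare `exec "$@"` wrapper adds nothing over the plain `CMD` until it performs real setup (for example rendering `BASE_PATH` into a config).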
<IfDefine shibboleth>
LoadModule mod_shib /usr/lib/apache2/modules/mod_shib2.so
<Location ${SHIB_HANDLER_URL}>
RewriteEngine On
RewriteRule .* - [L]
</Location>
<Location /shibboleth-secure>
ShibRequestSetting requireSession 1
require shib-session
</Location>
</IfDefine>
\ No newline at end of file
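Review bot: the `<Location /shibboleth-secure>` block sets `ShibRequestSetting requireSession 1` and `require shib-session` but no `AuthType shibboleth`; the Shibboleth SP Apache configuration pairs these with `AuthType shibboleth` so that the module initiates a session (redirect to the IdP) for an unauthenticated visitor instead of only refusing the request, so add it here. Also, `<Location ${SHIB_HANDLER_URL}>` depends on `SHIB_HANDLER_URL` being present in the environment Apache starts with; the Dockerfile `ENV` provides it, but if a derived image unsets it Apache logs a config-variable warning and keeps the literal text, which is worth a comment in this file.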
<IfDefine ssl>
LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
IncludeOptional mods-available/ssl.conf
Listen 443
</IfDefine>
# Changelog
## 2.4-0 - 2018-07-02
* initial release
# httpd
*httpd* is a webserver container, which delivers file-requests and passes requests through to the php-service. the image is based on [debian:stretch-slim].
The image is extended by shibboleth-support which depends on a running container based on [ubleipzig/shibboleth] though. Furthermore a self-signed certificate was added to the image to provide ssl-reguests.
## supported tags
* 2.4-*, 2.4, 2, latest ([2.4/Dockerfile])
## Usage of the image
The image can be used in connection with an application server which can be accessed via proxy-fcgi. The user is responsible for a specific configuration for that, i.e. by creating a new inheriting image, such as [ubleipzig/vufind-httpd], which uses the application server ([ubleipzig/vufind-php]) of [VuFind]
out-of-the-box the server is only delivering static content. To start the webserver do as follows:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
ubleipzig/httpd
```
Be aware that the httpd-daemon needs read-access to the files it has to serve.
## advanced startup
By providing additional start options several features can be used
### SSL
To start containers with ssl-support enabled use the following startup command:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
-p 443:443 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D ssl
```
The files for key and certificate are located under `/etc/ssl/private/ssl-cert-snakeoil.key` and `/etc/ssl/certs/ssl-cert-snakeoil.pem`. If you want to provide a real certificate, you have to overwrite these files or create a custom configuration.
### Debug
To prevent timeouts in debug-sessions the httpd-daemon can be started as follows:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D debug
```
By this the directive `ProxyTimeout 3600` is set, which increases the timeout for (FCGI-)Proxy-Requests to one hour.
### Shibboleth
In order to use shibboleth we depend on a configured up and running shibboleth-authenticator - accessable at `/var/run/shibd.sock`. You can get one for example by creating a container based on the image [ubleipzig/shibboleth] and link it into the httpd-container at startup:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
--volumes-from shibboleth \
ubleipzig/httpd \
apache2 -D FOREGROUND -D shibboleth
```
[VuFind]: https://github.com/vufind-org/vufind
[ubleipzig/shibboleth]: https://hub.docker.com/r/ubleipzig/vufind-shibboleth/
[ubleipzig/vufind-php]: https://hub.docker.com/r/ubleipzig/vufind-php/
[ubleipzig/vufind-httpd]: https://hub.docker.com/r/ubleipzig/vufind-httpd/
[debian:stretch-slim]: https://hub.docker.com/_/debian/
[2.4/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/httpd/blob/master/2.4/Dockerfile
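Review bot: every example maps `-p 8:80`, which publishes the container's port 80 on host port 8 and is almost certainly meant to be `-p 80:80` (same in the SSL, Debug and Shibboleth snippets). In the SSL section, "you have to overwrite these files" invites users to bake private keys into a derived image; recommend mounting the real key and certificate read-only (`-v /path/to/key:/etc/ssl/private/ssl-cert-snakeoil.key:ro`, likewise for the certificate) and state that the built-in snakeoil pair is shared by every user of the image. Typos: "ssl-reguests", "accessable"; the `$#` prefix in the fences gets copied along by users, so drop it or use a plain `$` prompt.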
# httpd
*httpd* ist der Standard-Webserver, welcher Datei-Requests ausliefert und Anfragen an den PHP-Service weiterleitet. Das Basis-Image ist [debian:stretch-slim].
Das Image wurde um Shibboleth-Support ergänzt, benötigt dazu jedoch das [ubleipzig/shibboleth]-Image. Weiterhin wurde ein selbstsigniertes Zertifikat hinzugefügt, um Zugriffe per SSL zu ermöglichen.
## Unterstützte tags
* 2.4-*, 2.4, 2, latest ([2.4/Dockerfile])
## Nutzung des Images
Das Image kann im Zusammenhang mit einem Applikationsserver, welcher per proxy-fcgi angesprochen werden kann, genutzt werden. Die Konfiguration hierzu obliegt dem Nutzer, beispielsweise durch die Erstellung eines ableitenden Images, siehe [ubleipzig/vufind-httpd], welches den Applikationsserver ([ubleipzig/vufind-php]) von [VuFind] nutzt.
Out-of-the-Box ist der Server lediglich zum Ausliefern statischer Inhalte nutzbar. Man kann den Webserver wie folgt starten:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
ubleipzig/httpd
```
Dabei muss darauf geachtet werden, dass der httpd-daemon entsprechende Zugriffsrechte auf die Dateien hat.
## erweiterte Startoptionen
Mithilfe erweiterter Startoptionen lassen sich zusätzliche Fähigkeiten nutzen
### SSL
Um den Zugriff via SSL zu ermöglichen, muss der httpd-Daemon mit wiefolgt gestartet werden:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
-p 443:443 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D ssl
```
Die SSL-Dateien liegen unter `/etc/ssl/private/ssl-cert-snakeoil.key` und `/etc/ssl/certs/ssl-cert-snakeoil.pem`. Möchte man ein echtes Zertifikat verwenden, so muss man entweder diese Dateien überschreiben oder eine eigene Konfiguration einfügen.
### Debug
Um Timeouts beim Debuggen zu vermeiden, kann der httpd-Daemon wiefolgt gestartet werden:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
ubleipzig/httpd \
apache2 -D FOREGROUND -D debug
```
Dadurch wird die Direktive `ProxyTimeout 3600` gesetzt, welche das Timeout für FCGI-Proxy-Requests auf eine Stunde setzt.
### Shibboleth
Um Shibboleth-Support nutzen zu können, wird ein konfigurierter Shibboleth-Authenticator - erreichbar an `/var/run/shibd.sock` - erwartet. Diesen erhält man beispielsweise, in dem man einen Container basierend auf dem [ubleipzig/shibboleth]-Image startet und beim Start des httpd-Container in den Container verlinkt:
```bash
$# docker run --name httpd \
-v /path/to/static/files:/var/www/html \
-p 8:80 \
--volumes-from shibboleth \
ubleipzig/httpd \
apache2 -D FOREGROUND -D shibboleth
```
[VuFind]: https://github.com/vufind-org/vufind
[ubleipzig/shibboleth]: https://hub.docker.com/r/ubleipzig/vufind-shibboleth/
[ubleipzig/vufind-php]: https://hub.docker.com/r/ubleipzig/vufind-php/
[ubleipzig/vufind-httpd]: https://hub.docker.com/r/ubleipzig/vufind-httpd/
[debian:stretch-slim]: https://hub.docker.com/_/debian/
[2.4/Dockerfile]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/httpd/blob/master/2.4/Dockerfile
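Review bot: this German README carries the same `-p 8:80` mapping and `$#` prompt as the English one, and its Shibboleth section says the shibboleth container is "verlinkt" while the command uses `--volumes-from shibboleth` (sharing the volume that holds `/var/run/shibd.sock`), not `--link`; align the wording with the command. Two hand-maintained translations will drift; consider keeping one canonical README and marking the other as a translation with a date.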
HTTP_PROXY = http://proxy.uni-leipzig.de:3128
HTTPS_PROXY = http://proxy.uni-leipzig.de:3128
IMAGE_NAME = ubleipzig/httpd
.PHONY: 2.4
2.4:
docker build --pull \
--build-arg HTTP_PROXY=$(HTTP_PROXY) \
--build-arg HTTPS_PROXY=$(HTTPS_PROXY) \
--build-arg NO_PROXY=$(NO_PROXY) \
--build-arg http_proxy=$(HTTP_PROXY) \
--build-arg https_proxy=$(HTTPS_PROXY) \
--build-arg no_proxy=$(NO_PROXY) \
-t $(IMAGE_NAME):2.4 \
2.4
\ No newline at end of file
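Review bot: `NO_PROXY` is never assigned in this Makefile, so `--build-arg NO_PROXY=$(NO_PROXY)` passes an empty value unless it happens to be in the caller's environment, while `HTTP_PROXY` and `HTTPS_PROXY` are hard-coded to the institutional proxy and override whatever the caller has set; use `?=` for all three so the environment wins and the Makefile works outside the university network. The build command also duplicates the one in `.gitlab-ci.yml`, so the two will drift; a shared script or a CI job that calls `make 2.4` would keep them in step.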
# httpd
This repository holds the Dockerfiles and configuration for the Apache2-webserver, adjusted to serve vufind and other php-related applications developed by UBL.
Basically we added shibboleth-support and expect all application-requests to be made by proxy-fcgi. every application using this service has to bring its own proxy-fcgi configuration. Furthermore we added ssl to support ssl-request out-of-the-box and add the debug-feature to increase ProxyTimeout, which is useful in debug-sessions.
## Image-Tags
The images are created via a gitlab-pipeline, see [.gitlab-ci.yml]. There are several tags which can be used:
* `2.4-*`: points to a specific build. Each build is specified by a number. The higher, the latter.
* `2.4`: points to the latest build from the `2.4`-line. It is the same as the last `2.4-*`.
* `2`: points to the latest build from the `2`-line. If there will be a `2.6`-line it will point to that latest build.
* `latest`: always points to the latest build.
## create Images
Pushing the Code to the Repository does nothing. Images are created via GIT-Tags.
```
git tag -a 2.4-2 -m 'minor optimization'
git push origin 2.4-2
```
_this will create a new image with a tag named `2.4-2`. Also the Tags `2.4`, `2`, and `latest` will point to this image._
Only Repository-Masters will be able to create a new Tag.
## Contribution
In case you want to contribute please fork and make a pull-request at [Gitlab-hosting of Leipzig University]. This is due to internal policies and the higher flexibility when it comes to build images and push to [Docker-Hub]
## Todo
* Tests
[.gitlab-ci.yml]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/httpd/blob/master/.gitlab-ci.yml
[Gitlab-hosting of Leipzig University]: https://git.sc.uni-leipzig.de/ubl/bdd_dev/docker/httpd
[Docker-Hub]: https://hub.docker.com/r/ubleipzig/httpd/
\ No newline at end of file
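Review bot: "Only Repository-Masters will be able to create a new Tag" only holds if tags matching `2.4-*` are configured as protected tags in GitLab; since a pushed tag is what triggers `docker push` with `DOCKER_AUTH_CONFIG` (and every push runs the GitHub mirror job with `GITHUB_TOKEN`), the tag pattern should be protected and those variables marked protected so they are injected only into pipelines for protected refs. Wording: "The higher, the latter" should read "the higher, the later"; the fence after "Images are created via GIT-Tags." has no language tag (the other READMEs use ```bash).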