From d43f732c55df37795eee45fe30c7867bde748a9c Mon Sep 17 00:00:00 2001
From: Ulf Seltmann <seltmann@ub.uni-leipzig.de>
Date: Mon, 18 Jun 2018 16:28:06 +0200
Subject: [PATCH] added ssl-support, #2 modified build-process

---
 .gitlab-ci.yml                             |  5 ++---
 2.4/Dockerfile                             |  7 ++++++-
 2.4/assets/httpd.conf                      | 19 +++++++++--------
 {vufind1 => 2.4/vufind1}/Dockerfile        |  0
 {vufind1 => 2.4/vufind1}/assets/httpd.conf |  0
 Docker.md                                  | 21 +++++++++++++++++++
 Liesmich.md                                | 24 +++++++++++++++++++++-
 7 files changed, 62 insertions(+), 14 deletions(-)
 rename {vufind1 => 2.4/vufind1}/Dockerfile (100%)
 rename {vufind1 => 2.4/vufind1}/assets/httpd.conf (100%)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 243622e..f071ebb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -11,7 +11,7 @@ stages:
     mkdir -p ~/.docker && echo "$DOCKER_AUTH_CONFIG" >~/.docker/config.json
     export suffix=`expr $CI_COMMIT_TAG ':' '2.4-\(.*\)'`
     cd 2.4
-    docker build --pull -t ubleipzig/vufind-httpd:2.4 .
+    docker build --pull -t ubleipzig/vufind-httpd:2.4 -f 2.4/Dockerfile 2.4
     docker push ubleipzig/vufind-httpd:2.4
     for tag in "latest" "2" "2.4-${suffix}"; do
       docker tag ubleipzig/vufind-httpd:2.4 ubleipzig/vufind-httpd:${tag}
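Review bot: The `cd 2.4` on the line just above the new build command is still in place, so `-f 2.4/Dockerfile 2.4` is resolved from inside the 2.4 directory and points at `2.4/2.4/Dockerfile`, which does not exist; the job should fail before `docker push` runs. The second job in this file drops its `cd vufind1` as part of the same switch to explicit paths, and this job needs the matching change: delete `cd 2.4` so the build runs from the repository root like the vufind1 job. If the `cd` was kept on purpose for the `expr`/tagging lines that follow, those do not depend on the working directory either, so nothing else in the job is affected.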
@@ -32,8 +32,7 @@ vufind1:
   script: |
     mkdir -p ~/.docker && echo "$DOCKER_AUTH_CONFIG" >~/.docker/config.json
     export suffix=`expr ${CI_COMMIT_TAG} ':' 'vufind1-2.4-\(.*\)'`
-    cd vufind1
-    docker build --pull -t ubleipzig/vufind-httpd:vufind1 .
+    docker build --pull -t ubleipzig/vufind-httpd:vufind1 -f 2.4/vufind1/Dockerfile 2.4/vufind1
     docker push ubleipzig/vufind-httpd:vufind1
     for tag in "2" "2.4" "2.4-${suffix}"; do
       docker tag ubleipzig/vufind-httpd:vufind1 ubleipzig/vufind-httpd:vufind1-${tag}
diff --git a/2.4/Dockerfile b/2.4/Dockerfile
index 475d7a9..7f8f64a 100644
--- a/2.4/Dockerfile
+++ b/2.4/Dockerfile
@@ -5,6 +5,11 @@ CMD ["httpd-foreground"]
 ENV BASE_PATH=""
 
 ADD assets/docker-entrypoint /docker-entrypoint
-RUN chmod a+x /docker-entrypoint
 
 ADD assets/httpd.conf /usr/local/apache2/conf/httpd.conf
+
+RUN chmod a+x /docker-entrypoint \
+	&& apk add --no-cache openssl \
+	&& openssl genrsa -out /usr/local/apache2/conf/server.key 2048 \
+	&& openssl req -nodes -new -x509 -newkey rsa:4096 -subj "/CN=localhost" -keyout /usr/local/apache2/conf/server.key -out /usr/local/apache2/conf/server.crt -days 3650 \
+	&& apk del --no-cache openssl
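Review bot: The private key written by the new RUN step is baked into an image layer, and the CI job in this same patch pushes that image to a public registry, so every container started from it shares one key that anyone can pull and extract; a deployment that forgets the volume override described in Docker.md is then trivially impersonable. Generating the pair at first start in `/docker-entrypoint` when `server.key` is absent would avoid publishing a private key at all, and is the change I would ask for. Within the step as written, `openssl genrsa -out /usr/local/apache2/conf/server.key 2048` is dead work because the following `req -nodes -new -x509 -newkey rsa:4096 -keyout /usr/local/apache2/conf/server.key` overwrites that file with a fresh 4096-bit key, so the first line should be dropped. I cannot tell from here what file mode openssl leaves on the key, so add `&& chmod 600 /usr/local/apache2/conf/server.key` regardless. Also note that `apk del --no-cache openssl` removes the package even if the base image already shipped it, which is worth confirming with `apk info` before relying on this cleanup.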
diff --git a/2.4/assets/httpd.conf b/2.4/assets/httpd.conf
index ec598a3..4781ffb 100644
--- a/2.4/assets/httpd.conf
+++ b/2.4/assets/httpd.conf
@@ -88,10 +88,7 @@ LoadModule auth_basic_module modules/mod_auth_basic.so
 #LoadModule allowmethods_module modules/mod_allowmethods.so
 #LoadModule isapi_module modules/mod_isapi.so
 #LoadModule file_cache_module modules/mod_file_cache.so
-#LoadModule cache_module modules/mod_cache.so
 #LoadModule cache_disk_module modules/mod_cache_disk.so
-#LoadModule cache_socache_module modules/mod_cache_socache.so
-#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 #LoadModule socache_dbm_module modules/mod_socache_dbm.so
 #LoadModule socache_memcache_module modules/mod_socache_memcache.so
 #LoadModule watchdog_module modules/mod_watchdog.so
@@ -155,7 +152,12 @@ LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 #LoadModule session_dbd_module modules/mod_session_dbd.so
 #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
 #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
-#LoadModule ssl_module modules/mod_ssl.so
+<IfDefine ssl>
+  LoadModule ssl_module modules/mod_ssl.so
+  LoadModule cache_module modules/mod_cache.so
+  LoadModule cache_socache_module modules/mod_cache_socache.so
+  LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+</IfDefine>
 #LoadModule optional_hook_export_module modules/mod_optional_hook_export.so
 #LoadModule optional_hook_import_module modules/mod_optional_hook_import.so
 #LoadModule optional_fn_import_module modules/mod_optional_fn_import.so
@@ -258,8 +260,8 @@ ServerAdmin you@example.com
 # documents. By default, all requests are taken from this directory, but
 # symbolic links and aliases may be used to point to other locations.
 #
-DocumentRoot "/usr/local/vufind/public"
-<Directory "/usr/local/vufind/public">
+DocumentRoot "/usr/local/apache2/htdocs"
+<Directory "/usr/local/apache2/htdocs">
     #
     # Possible values for the Options directive are "None", "All",
     # or any combination of:
@@ -533,14 +535,13 @@ LogLevel warn
 Include conf/extra/proxy-html.conf
 </IfModule>
 
-# Secure (SSL/TLS) connections
-#Include conf/extra/httpd-ssl.conf
-#
 # Note: The following must must be present to support
 #       starting without SSL on platforms with no /dev/random equivalent
 #       but a statically compiled-in mod_ssl.
 #
+# Secure (SSL/TLS) connections
 <IfModule ssl_module>
+Include conf/extra/httpd-ssl.conf
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>
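Review bot: `Include conf/extra/httpd-ssl.conf` pulls in the distribution's stock SSL file unchanged, and its defaults (presumably `ServerName www.example.com:443`, a `<VirtualHost _default_:443>` with its own DocumentRoot, and an `SSLCipherSuite` that still admits MEDIUM-strength suites, judging by the stock httpd 2.4 file) are not overridden anywhere in this hunk. Since the image is meant to front VuFind with a real certificate, pin the policy in this repository, for example by adding `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and `SSLHonorCipherOrder on` with an explicit cipher list after the Include, or by shipping a trimmed copy of httpd-ssl.conf under assets/ instead. The certificate paths the stock file expects (`conf/server.crt`, `conf/server.key`) do match what the Dockerfile in this patch writes, so that part should line up. Whether the `:443` virtual host inherits the proxy_fcgi and BASE_PATH setup from the main server depends on where those directives live, which is outside this hunk, so it is worth checking that the HTTPS side serves the application and not just htdocs. Related, in the `<IfDefine ssl>` block earlier in this file, `mod_cache` and `mod_cache_socache` are HTTP response caches rather than TLS requirements (only `mod_socache_shmcb` is needed for the stock `SSLSessionCache shmcb:` line), so loading them under an SSL switch adds surface without purpose.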
diff --git a/vufind1/Dockerfile b/2.4/vufind1/Dockerfile
similarity index 100%
rename from vufind1/Dockerfile
rename to 2.4/vufind1/Dockerfile
diff --git a/vufind1/assets/httpd.conf b/2.4/vufind1/assets/httpd.conf
similarity index 100%
rename from vufind1/assets/httpd.conf
rename to 2.4/vufind1/assets/httpd.conf
diff --git a/Docker.md b/Docker.md
index 45de0c3..94ad074 100644
--- a/Docker.md
+++ b/Docker.md
@@ -24,6 +24,27 @@ You can start the webserver as follows:n:
   --environment BASE_PATH=/vufind
   ubleipzig/vufind-httpd
 ```
+## advanced configuration
+
+### SSL
+
+To start containers with ssl-support enabled one has to modify the containers startup command:
+
+    httpd -D FOREGROUND -D ssl
+
+By this apache will load all necessary modules and configuration to enable SSL on port 443. The provided key and certificate are self-signed and not meant for production usage. to provide a valid key and certificate the files `/usr/local/apache2/conf/server.key` and `/usr/local/apache2/conf/server.crt` have to be overridden e.g.
+
+```bash
+$# docker run --name httpd \
+  --link php:php \
+  --volume /path/to/vufind:/usr/local/vufind:ro \
+  --volume /path/to/cache:/var/cache/vufind:ro \
+  --volume /path/to/ssl_key.pem:/usr/local/apache2/conf/server.key:ro \
+  --volume /path/to/ssl_cert.pem:/usr/local/apache2/conf/server.crt \
+  --environment BASE_PATH=/vufind \
+  ubleipzig/vufind-httpd \
+  httpd -D FOREGROUND -D ssl
+```
 
 ## Notes
 
diff --git a/Liesmich.md b/Liesmich.md
index 2c75d92..b9e2622 100644
--- a/Liesmich.md
+++ b/Liesmich.md
@@ -21,10 +21,32 @@ $# docker run --name httpd \
   --link php:php \
   --volume /path/to/vufind:/usr/local/vufind:ro \
   --volume /path/to/cache:/var/cache/vufind:ro \
-  --environment BASE_PATH=/vufind
+  --environment BASE_PATH=/vufind \
   ubleipzig/vufind-httpd
 ```
 
+## erweiterte Konfiguration
+
+### SSL
+
+Um den Container mit SSL-Unterstützung zu starten, muss der Startbefehl angepasst werden:
+
+    httpd -D FOREGROUND -D ssl
+
+Dadurch werden in Apache2 erforderiche Module und Konfigurationen geladen, um SSL an Port 443 zur Verfügung zu stellen. Als Schlüssel und Zertifikate werden im Image eingebaute selbstignierte Objekte benutzt. Möchte man eigens erstellte Objekte nutzen, so müssen die Dateien `/usr/local/apache2/conf/server.key` und `/usr/local/apache2/conf/server.crt` entsprechend überschrieben werden. z.B.
+
+```bash
+$# docker run --name httpd \
+  --link php:php \
+  --volume /path/to/vufind:/usr/local/vufind:ro \
+  --volume /path/to/cache:/var/cache/vufind:ro \
+  --volume /path/to/ssl_key.pem:/usr/local/apache2/conf/server.key:ro \
+  --volume /path/to/ssl_cert.pem:/usr/local/apache2/conf/server.crt \
+  --environment BASE_PATH=/vufind \
+  ubleipzig/vufind-httpd \
+  httpd -D FOREGROUND -D ssl
+```
+
 ## Anmerkungen
 
 * Das *vufind1*-Image existiert, um Entwicklern das Umschalten zu VuFind1-Instanzen so einfach wie möglich zu machen. Hier wird keine weitere Arbeit investiert, z.B. funktioniert die Pfad-Konfiguration über die `BASE_PATH`-Variable nicht.
-- 
GitLab