From e063e38355117ecd13c1a3f6e8af2843fa96f32e Mon Sep 17 00:00:00 2001 From: Guillaume Vincent Date: Sat, 18 Apr 2020 21:59:01 +0200 Subject: [PATCH] wip refactor containers --- .github/workflows/test.yml | 9 - containers/.env | 25 +- containers/.gitignore | 4 +- containers/docker-compose.override.yml | 14 + containers/docker-compose.yml | 42 +- containers/ssl/README.md | 4 + containers/ssl/domains.ext | 9 + containers/webserver/Dockerfile | 15 +- containers/webserver/entrypoint.sh | 29 +- containers/webserver/generate_apache_conf.py | 16 - containers/webserver/httpd-ssl.conf | 168 ++++++++ containers/webserver/httpd.conf | 567 +++++++++++++++++++++++++++ containers/webserver/lesspass.conf.j2 | 61 --- 13 files changed, 829 insertions(+), 134 deletions(-) create mode 100644 containers/docker-compose.override.yml create mode 100644 containers/ssl/README.md create mode 100644 containers/ssl/domains.ext delete mode 100644 containers/webserver/generate_apache_conf.py create mode 100644 containers/webserver/httpd-ssl.conf create mode 100644 containers/webserver/httpd.conf delete mode 100644 containers/webserver/lesspass.conf.j2 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ef1d934..bcf06d7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -55,12 +55,3 @@ jobs: python -m pip install --upgrade pip python -m pip install -r requirements.txt python manage.py test - - test-containers: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: test containers - run: | - cd containers - ./test diff --git a/containers/.env b/containers/.env index db1fd3a..c063a59 100644 --- a/containers/.env +++ b/containers/.env 
@@ -1,10 +1,25 @@ -SECRET_KEY=azertyuiopqsdfghjklmwxcvbn123456 +POSTGRES_DB=postgres +POSTGRES_USER=postgres +POSTGRES_PASSWORD=postgres +SECRET_KEY=azertyuiop DATABASE_ENGINE=django.db.backends.postgresql DATABASE_NAME=postgres DATABASE_USER=postgres -DATABASE_PASSWORD= +DATABASE_PASSWORD=postgres DATABASE_HOST=db DATABASE_PORT=5432 -FQDN=localhost -DEBUG=1 -EMAIL=admin@example.org \ No newline at end of file +FRONTEND_HOST=www.lesspass.local +FQDN=lesspass.local +REACT_APP_BACKEND_HOST=https://api.lesspass.local +EMAIL=admin@lesspass.local +CRT_PATH=ssl/lesspass.crt +KEY_PATH=ssl/lesspass.key +DEBUG=0 +COMPOSE_PROJECT_NAME=lesspass +EMAIL_BACKEND=django.core.mail.backends.console.EmailBackend +EMAIL_HOST=localhost +EMAIL_PORT=25 +EMAIL_HOST_USER= +EMAIL_HOST_PASSWORD= +EMAIL_USE_TLS=0 +EMAIL_USE_SSL=0 \ No newline at end of file diff --git a/containers/.gitignore b/containers/.gitignore index 3758a7d..c569b6d 100644 --- a/containers/.gitignore +++ b/containers/.gitignore @@ -1 +1,3 @@ -ssl \ No newline at end of file +ssl/* +!ssl/domains.ext +!ssl/README.md \ No newline at end of file diff --git a/containers/docker-compose.override.yml b/containers/docker-compose.override.yml new file mode 100644 index 0000000..2ad2f0b --- /dev/null +++ b/containers/docker-compose.override.yml @@ -0,0 +1,14 @@ +version: "3" +services: + backend: + restart: "no" + build: ./backend + frontend: + restart: "no" + build: + context: ./frontend + args: + - REACT_APP_BACKEND_HOST=${REACT_APP_BACKEND_HOST} + webserver: + restart: "no" + build: ./webserver diff --git a/containers/docker-compose.yml b/containers/docker-compose.yml index 2703c74..c9338d7 100644 --- a/containers/docker-compose.yml +++ b/containers/docker-compose.yml 
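Review bot: `SECRET_KEY=azertyuiop` (shorter than the 32-character value it replaces), `POSTGRES_PASSWORD=postgres` and `DATABASE_PASSWORD=postgres` are committed defaults that docker-compose loads automatically, and with `DEBUG=0` and the `restart: always` / `quay.io` images in the base compose file this file now reads as a production profile rather than a dev fixture. Django signs sessions, CSRF tokens and password-reset links with SECRET_KEY, so any deployment that keeps this value can have those forged by anyone who has read this repository. Commit this content as `.env.example` with placeholder values and a generation hint such as `# SECRET_KEY=$(python3 -c 'import secrets; print(secrets.token_urlsafe(50))')`, and leave the real `.env` untracked.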
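Review bot: Because `docker-compose.override.yml` is merged automatically, a plain `docker-compose up` anywhere builds the three images from source with `restart: "no"` and never uses the `quay.io/...:latest` images the base file declares, which is the reverse of the usual convention of keeping the base file for development and selecting production explicitly. State that at the top of the file, e.g. `# Auto-loaded by docker-compose: local builds for development. For the published images run: docker-compose -f docker-compose.yml up -d`, or move the build stanzas into a file that must be selected with `-f`. `REACT_APP_BACKEND_HOST` is passed as a build arg, so it is baked into the frontend image and a later change in `.env` needs a rebuild, not a restart; a comment on the `args:` line would save the next person that surprise.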
@@ -1,35 +1,59 @@ version: "3" - services: db: + restart: always image: postgres:9.5 volumes: - postgresql:/var/lib/postgresql/data + environment: + - POSTGRES_DB + - POSTGRES_USER + - POSTGRES_PASSWORD backend: - build: ./backend + restart: always + image: quay.io/lesspass/lesspass-backend:latest links: - db environment: - DATABASE_ENGINE - DATABASE_HOST - DATABASE_NAME + - DATABASE_USER - DATABASE_PASSWORD - DATABASE_PORT - - DATABASE_USER - DEBUG - SECRET_KEY + - FRONTEND_HOST + - EMAIL_BACKEND + - DEFAULT_FROM_EMAIL + - EMAIL_HOST + - EMAIL_HOST_USER + - EMAIL_HOST_PASSWORD + - EMAIL_PORT + - EMAIL_USE_TLS + volumes: + - www:/app/www frontend: - build: ./frontend + restart: always + image: quay.io/lesspass/lesspass-frontend:latest webserver: - build: ./webserver + restart: always + image: quay.io/lesspass/lesspass-webserver:latest ports: - 80:80 - 443:443 - volumes: - - ./ssl:/app/ssl + links: + - backend + - frontend environment: - FQDN - EMAIL - + - CRT_PATH + - KEY_PATH + volumes: + - ${PWD}/${CRT_PATH}:/usr/local/apache2/conf/${CRT_PATH}:Z + - ${PWD}/${KEY_PATH}:/usr/local/apache2/conf/${KEY_PATH}:Z + - www:/var/www/html/ volumes: - postgresql: \ No newline at end of file + postgresql: + www: \ No newline at end of file diff --git a/containers/ssl/README.md b/containers/ssl/README.md new file mode 100644 index 0000000..3fc75db --- /dev/null +++ b/containers/ssl/README.md @@ -0,0 +1,4 @@ +openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Root-CA" +openssl x509 -outform pem -in RootCA.pem -out RootCA.crt +openssl req -new -nodes -newkey rsa:2048 -keyout lesspass.key -out lesspass.csr -subj "/C=FR/ST=Gironde/L=Bordeaux/O=LessPass/CN=lesspass.local" +openssl x509 -req -sha256 -days 1024 -in lesspass.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out lesspass.crt \ No newline at end of file 
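Review bot: The backend `environment` list forwards `DEFAULT_FROM_EMAIL`, which `.env` never defines, and omits `EMAIL_USE_SSL`, which `.env` does define, so one setting reaches Django empty and the other never reaches it at all; align the two lists (add `- EMAIL_USE_SSL` here and a `DEFAULT_FROM_EMAIL=` entry to `.env`, or drop the unused one). All three application services now run `quay.io/lesspass/*:latest`, so every `docker-compose pull`/`up` may silently move to a different build; for anything meant to run with `restart: always`, pin a version tag or an `@sha256:` digest. The certificate and private key are bind-mounted read-write; `:ro,Z` stops the container from modifying them, e.g. `- ${PWD}/${KEY_PATH}:/usr/local/apache2/conf/${KEY_PATH}:ro,Z`.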
diff --git a/containers/ssl/domains.ext b/containers/ssl/domains.ext new file mode 100644 index 0000000..e2fa373 --- /dev/null +++ b/containers/ssl/domains.ext @@ -0,0 +1,9 @@ +authorityKeyIdentifier=keyid,issuer +basicConstraints=CA:FALSE +keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment +subjectAltName = @alt_names +[alt_names] +DNS.1 = lesspass.local +DNS.2 = www.lesspass.local +DNS.3 = api.lesspass.local +DNS.4 = admin.lesspass.local \ No newline at end of file diff --git a/containers/webserver/Dockerfile b/containers/webserver/Dockerfile index 6fa4a7c..8fb6c19 100644 --- a/containers/webserver/Dockerfile +++ b/containers/webserver/Dockerfile @@ -1,16 +1,13 @@ -FROM centos:7 +FROM httpd:2.4 MAINTAINER "LessPass " LABEL name="LessPass Web Server" -RUN yum -y --setopt=tsflags=nodocs update && \ - yum -y --setopt=tsflags=nodocs install httpd mod_ssl openssl python python-jinja2 && \ - yum clean all +COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf +COPY ./httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf +COPY entrypoint.sh /entrypoint.sh -EXPOSE 80 443 +ENTRYPOINT ["/entrypoint.sh"] -ADD . /app -RUN chmod +x /app/entrypoint.sh - -CMD ["/app/entrypoint.sh"] \ No newline at end of file +CMD ["httpd-foreground"] \ No newline at end of file diff --git a/containers/webserver/entrypoint.sh b/containers/webserver/entrypoint.sh index 83ef3e1..e8fb97b 100755 --- a/containers/webserver/entrypoint.sh +++ b/containers/webserver/entrypoint.sh 
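Review bot: The leaf-certificate extensions set `keyUsage` but no `extendedKeyUsage`, and some TLS stacks (notably Apple's, for certificates issued after mid-2019) reject server certificates that lack `serverAuth`; add `extendedKeyUsage = serverAuth` next to the keyUsage line. `nonRepudiation` and `dataEncipherment` are not needed for a TLS server certificate and can be dropped, leaving `keyUsage = digitalSignature, keyEncipherment`.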
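Review bot: `FROM httpd:2.4` is a floating tag and the old `EXPOSE 80 443` line was dropped, so the image is no longer reproducible and no longer declares its ports; pin the base to a patch release such as `httpd:2.4.43` (or an `@sha256:` digest) and keep `EXPOSE 80 443` as documentation for `docker run -P` and compose users. `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`. Since the entrypoint rewrites `conf/httpd.conf` and `conf/extra/httpd-ssl.conf` in place on every start, the image relies on starting httpd as root with a writable `conf/` tree (the stock httpd image does so and drops workers to `daemon` per the `User daemon` line in httpd.conf); that is worth a one-line comment above the `COPY` lines.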
@@ -1,27 +1,8 @@ #!/usr/bin/env bash -create_wildcard_certificate () { - openssl req -x509 -newkey rsa:4096 -nodes -keyout ${1}.key -out ${1}.crt -days 365 -subj "/C=FR/ST=Gironde/L=Bordeaux/O=LessPass/OU=LessPass/CN=*.${1}" -} +sed -i "s~FQDN~${FQDN}~" conf/httpd.conf conf/extra/httpd-ssl.conf +sed -i "s~EMAIL~${EMAIL}~" conf/httpd.conf conf/extra/httpd-ssl.conf +sed -i "s~CRT_PATH~${CRT_PATH}~" conf/extra/httpd-ssl.conf +sed -i "s~KEY_PATH~${KEY_PATH}~" conf/extra/httpd-ssl.conf -if [[ ! -f /app/ssl/${FQDN}.crt || ! -f /app/ssl/${FQDN}.key ]]; then - echo "${FQDN}.crt or ${FQDN}.key not found! Generate wildcard certificate" - cd /app/ssl - create_wildcard_certificate ${FQDN} -fi - -mkdir -p /etc/httpd/ssl -chmod 755 /etc/httpd/ssl -cp /app/ssl/${FQDN}.crt /etc/httpd/ssl/ -chmod 644 /etc/httpd/ssl/${FQDN}.crt - -mkdir -p /etc/httpd/ssl/private -chmod 710 /etc/httpd/ssl/private -cp /app/ssl/${FQDN}.key /etc/httpd/ssl/private/ -chmod 640 /etc/httpd/ssl/private/${FQDN}.key - -python /app/generate_apache_conf.py - -cat /etc/httpd/conf.d/lesspass.conf - -exec /usr/sbin/httpd -D FOREGROUND \ No newline at end of file +exec "$@" \ No newline at end of file diff --git a/containers/webserver/generate_apache_conf.py b/containers/webserver/generate_apache_conf.py deleted file mode 100644 index d781b08..0000000 --- a/containers/webserver/generate_apache_conf.py +++ /dev/null @@ -1,16 +0,0 @@ -import os - -from jinja2 import Template - - -if __name__ == "__main__": - fqdn = os.environ.get("FQDN", "localhost") - context = { - "FQDN": fqdn, - "SSL_CERTIFICATE_FILE": "/etc/httpd/ssl/%s.crt" % fqdn, - "SSL_CERTIFICATE_KEY_FILE": "/etc/httpd/ssl/private/%s.key" % fqdn, - "DEBUG": os.environ.get("DEBUG", "0") == "1", - } - jinja_template = Template(open("/app/lesspass.conf.j2").read()) - with open("/etc/httpd/conf.d/lesspass.conf", "w") as f: - f.write(jinja_template.render(context)) 
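Review bot: Nothing in the new entrypoint checks that `FQDN`, `EMAIL`, `CRT_PATH` and `KEY_PATH` are set, so with any of them missing `sed` silently replaces the placeholder with nothing and httpd starts with `ServerName www.` or `SSLCertificateFile "/usr/local/apache2/conf/"`, failing later with a much less obvious error; the old script at least generated a certificate when the files were absent. The relative `conf/...` paths also depend on the image's working directory being `/usr/local/apache2`, which holds for the httpd image but is not stated. Values containing `~` or `&` would break or be mangled by the sed expressions, unlikely for a hostname or address but worth a comment. I would fail fast before the substitutions:
```shell
#!/usr/bin/env bash
set -euo pipefail
# Fail fast: an unset variable would otherwise be substituted as an empty string
# and httpd would start with an empty ServerName / certificate path.
: "${FQDN:?FQDN is required}" "${EMAIL:?EMAIL is required}"
: "${CRT_PATH:?CRT_PATH is required}" "${KEY_PATH:?KEY_PATH is required}"
cd /usr/local/apache2   # the sed targets below are relative to ServerRoot
# … unchanged: sed substitutions …
exec "$@"
```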
diff --git a/containers/webserver/httpd-ssl.conf b/containers/webserver/httpd-ssl.conf
new file mode 100644
index 0000000..dff75c3
--- /dev/null
+++ b/containers/webserver/httpd-ssl.conf
@@ -0,0 +1,168 @@ +# +# This is the Apache server configuration file providing SSL support. +# It contains the configuration directives to instruct the server how to +# serve pages over an https connection. For detailed information about these +# directives see +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Required modules: mod_log_config, mod_setenvif, mod_ssl, +# socache_shmcb_module (for default value of SSLSessionCache) + +# +# Pseudo Random Number Generator (PRNG): +# Configure one or more sources to seed the PRNG of the SSL library. +# The seed data should be of good random quality. +# WARNING! On some platforms /dev/random blocks if not enough entropy +# is available. This means you then cannot use the /dev/random device +# because it would lead to very long connection times (as long as +# it requires to make more entropy available). But usually those +# platforms additionally provide a /dev/urandom device which doesn't +# block. So, if available, use this one instead. Read the mod_ssl User +# Manual for more details. +# +#SSLRandomSeed startup file:/dev/random 512 +#SSLRandomSeed startup file:/dev/urandom 512 +#SSLRandomSeed connect file:/dev/random 512 +#SSLRandomSeed connect file:/dev/urandom 512 + + +# +# When we also provide SSL we have to listen to the +# standard HTTP port (see above) and to the HTTPS port +# +Listen 443 + +## +## SSL Global Context +## +## All SSL configuration in this context applies both to +## the main server and all SSL-enabled virtual hosts. +## + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate, +# and that httpd will negotiate as the client of a proxied server. +# See the OpenSSL documentation for a complete list of ciphers, and +# ensure these follow appropriate best practices for this deployment. 
+# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, +# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. +SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES +SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES + +# By the end of 2016, only TLSv1.2 ciphers should remain in use. +# Older ciphers should be disallowed as soon as possible, while the +# kRSA ciphers do not offer forward secrecy. These changes inhibit +# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy +# non-browser tooling) from successfully connecting. +# +# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable +# those protocols which do not support forward secrecy, replace +# the SSLCipherSuite and SSLProxyCipherSuite directives above with +# the following two directives, as soon as practical. +# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA +# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA + +# User agents such as web browsers are not configured for the user's +# own preference of either security or performance, therefore this +# must be the prerogative of the web server administrator who manages +# cpu load versus confidentiality, so enforce the server's cipher order. +SSLHonorCipherOrder on + +# SSL Protocol support: +# List the protocol versions which clients are allowed to connect with. +# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be +# disabled as quickly as practical. By the end of 2016, only the TLSv1.2 +# protocol or later should remain in use. +SSLProtocol all -SSLv3 +SSLProxyProtocol all -SSLv3 + +# Pass Phrase Dialog: +# Configure the pass phrase gathering process. +# The filtering dialog program (`builtin' is an internal +# terminal dialog) has to provide the pass phrase on stdout. +SSLPassPhraseDialog builtin + +# Inter-Process Session Cache: +# Configure the SSL Session Cache: First the mechanism +# to use and second the expiring timeout (in seconds). 
+#SSLSessionCache "dbm:/usr/local/apache2/logs/ssl_scache" +SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)" +SSLSessionCacheTimeout 300 + +# OCSP Stapling (requires OpenSSL 0.9.8h or later) +# +# This feature is disabled by default and requires at least +# the two directives SSLUseStapling and SSLStaplingCache. +# Refer to the documentation on OCSP Stapling in the SSL/TLS +# How-To for more information. +# +# Enable stapling for all SSL-enabled servers: +#SSLUseStapling On + +# Define a relatively small cache for OCSP Stapling using +# the same mechanism that is used for the SSL session cache +# above. If stapling is used with more than a few certificates, +# the size may need to be increased. (AH01929 will be logged.) +#SSLStaplingCache "shmcb:/usr/local/apache2/logs/ssl_stapling(32768)" + +# Seconds before valid OCSP responses are expired from the cache +#SSLStaplingStandardCacheTimeout 3600 + +# Seconds before invalid OCSP responses are expired from the cache +#SSLStaplingErrorCacheTimeout 600 + +## +## SSL Virtual Host Context +## + + + +ErrorLog /proc/self/fd/2 +TransferLog /proc/self/fd/1 +ServerAdmin EMAIL + + + ServerName admin.FQDN + Alias /static/ /var/www/html/static/ + + Require all granted + + ProxyPass /static/ ! + ProxyPass / http://backend:8000/ + ProxyPassReverse / http://backend:8000/ + SSLEngine on + SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH" + SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH" + + + + ServerName api.FQDN + Alias /static/ /var/www/html/static/ + + Require all granted + + ProxyPass /static/ ! 
+ ProxyPass / http://backend:8000/api/ + ProxyPassReverse / http://backend:8000/api/ + SSLEngine on + SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH" + SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH" + + + + ServerName FQDN + + Redirect / https://www.FQDN/ + + + + ServerName www.FQDN + ProxyPass / http://frontend/ + ProxyPassReverse / http://frontend/ + SSLEngine on + SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH" + SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH" + diff --git a/containers/webserver/httpd.conf b/containers/webserver/httpd.conf new file mode 100644 index 0000000..cefe1f1 --- /dev/null +++ b/containers/webserver/httpd.conf 
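Review bot: The TLS policy in this file is the stock httpd 2.4 example: `SSLProtocol all -SSLv3` still offers TLS 1.0 and 1.1, and `SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES` still offers static-RSA (kRSA) suites without forward secrecy, which is a regression from the `lesspass.conf.j2` this commit deletes, where TLS 1.0/1.1 were disabled, only ECDHE AEAD/SHA-2 suites were allowed, and `SSLCompression off`, `SSLSessionTickets off` and OCSP stapling were set. The `<VirtualHost>`/`<Directory>` tags do not survive this render, so I read the three `*:443` hosts as proxying to `backend:8000` and `frontend`; none of them sets `Strict-Transport-Security` although mod_headers is loaded, and none passes `X-Forwarded-Proto`, which Django needs (through `SECURE_PROXY_SSL_HEADER`) to treat the request as HTTPS — I cannot see the Django settings, so confirm that last point against them. I would restore the previous policy in the global section and add the two headers to each proxied vhost:
```apache
# Protocol/cipher policy carried over from the former lesspass.conf.j2: TLS 1.2+, forward secrecy only.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# … unchanged: pass phrase dialog, session cache, stapling comments …
# inside each *:443 vhost that proxies to backend or frontend:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
RequestHeader set X-Forwarded-Proto "https"
```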
@@ -0,0 +1,567 @@ +# +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "logs/access_log" +# with ServerRoot set to "/usr/local/apache2" will be interpreted by the +# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" +# will be interpreted as '/logs/access_log'. + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to specify a local disk on the +# Mutex directive, if file-based mutexes are used. If you wish to share the +# same ServerRoot for multiple httpd daemons, you will need to change at +# least PidFile. +# +ServerRoot "/usr/local/apache2" + +# +# Mutex: Allows you to set the mutex mechanism and mutex file directory +# for individual mutexes, or change the global defaults +# +# Uncomment and change the directory if mutexes are file-based and the default +# mutex file directory is not on a local disk or is not appropriate for some +# other reason. +# +# Mutex default:logs + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. 
+# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +Listen 80 + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +LoadModule mpm_event_module modules/mod_mpm_event.so +#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so +#LoadModule mpm_worker_module modules/mod_mpm_worker.so +LoadModule authn_file_module modules/mod_authn_file.so +#LoadModule authn_dbm_module modules/mod_authn_dbm.so +#LoadModule authn_anon_module modules/mod_authn_anon.so +#LoadModule authn_dbd_module modules/mod_authn_dbd.so +#LoadModule authn_socache_module modules/mod_authn_socache.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_user_module modules/mod_authz_user.so +#LoadModule authz_dbm_module modules/mod_authz_dbm.so +#LoadModule authz_owner_module modules/mod_authz_owner.so +#LoadModule authz_dbd_module modules/mod_authz_dbd.so +LoadModule authz_core_module modules/mod_authz_core.so +#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so +#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule auth_basic_module modules/mod_auth_basic.so +#LoadModule auth_form_module modules/mod_auth_form.so +#LoadModule auth_digest_module modules/mod_auth_digest.so +#LoadModule allowmethods_module modules/mod_allowmethods.so +#LoadModule isapi_module modules/mod_isapi.so +#LoadModule 
file_cache_module modules/mod_file_cache.so +#LoadModule cache_module modules/mod_cache.so +#LoadModule cache_disk_module modules/mod_cache_disk.so +#LoadModule cache_socache_module modules/mod_cache_socache.so +LoadModule socache_shmcb_module modules/mod_socache_shmcb.so +#LoadModule socache_dbm_module modules/mod_socache_dbm.so +#LoadModule socache_memcache_module modules/mod_socache_memcache.so +#LoadModule socache_redis_module modules/mod_socache_redis.so +#LoadModule watchdog_module modules/mod_watchdog.so +#LoadModule macro_module modules/mod_macro.so +#LoadModule dbd_module modules/mod_dbd.so +#LoadModule bucketeer_module modules/mod_bucketeer.so +#LoadModule dumpio_module modules/mod_dumpio.so +#LoadModule echo_module modules/mod_echo.so +#LoadModule example_hooks_module modules/mod_example_hooks.so +#LoadModule case_filter_module modules/mod_case_filter.so +#LoadModule case_filter_in_module modules/mod_case_filter_in.so +#LoadModule example_ipc_module modules/mod_example_ipc.so +#LoadModule buffer_module modules/mod_buffer.so +#LoadModule data_module modules/mod_data.so +#LoadModule ratelimit_module modules/mod_ratelimit.so +LoadModule reqtimeout_module modules/mod_reqtimeout.so +#LoadModule ext_filter_module modules/mod_ext_filter.so +#LoadModule request_module modules/mod_request.so +#LoadModule include_module modules/mod_include.so +LoadModule filter_module modules/mod_filter.so +#LoadModule reflector_module modules/mod_reflector.so +#LoadModule substitute_module modules/mod_substitute.so +#LoadModule sed_module modules/mod_sed.so +#LoadModule charset_lite_module modules/mod_charset_lite.so +#LoadModule deflate_module modules/mod_deflate.so +#LoadModule xml2enc_module modules/mod_xml2enc.so +#LoadModule proxy_html_module modules/mod_proxy_html.so +#LoadModule brotli_module modules/mod_brotli.so +LoadModule mime_module modules/mod_mime.so +#LoadModule ldap_module modules/mod_ldap.so +LoadModule log_config_module modules/mod_log_config.so +#LoadModule 
log_debug_module modules/mod_log_debug.so +#LoadModule log_forensic_module modules/mod_log_forensic.so +#LoadModule logio_module modules/mod_logio.so +#LoadModule lua_module modules/mod_lua.so +LoadModule env_module modules/mod_env.so +#LoadModule mime_magic_module modules/mod_mime_magic.so +#LoadModule cern_meta_module modules/mod_cern_meta.so +#LoadModule expires_module modules/mod_expires.so +LoadModule headers_module modules/mod_headers.so +#LoadModule ident_module modules/mod_ident.so +#LoadModule usertrack_module modules/mod_usertrack.so +#LoadModule unique_id_module modules/mod_unique_id.so +LoadModule setenvif_module modules/mod_setenvif.so +LoadModule version_module modules/mod_version.so +#LoadModule remoteip_module modules/mod_remoteip.so +LoadModule proxy_module modules/mod_proxy.so +#LoadModule proxy_connect_module modules/mod_proxy_connect.so +#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so +LoadModule proxy_http_module modules/mod_proxy_http.so +#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so +#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so +#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so +#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so +#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so +#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so +#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so +#LoadModule proxy_express_module modules/mod_proxy_express.so +#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so +#LoadModule session_module modules/mod_session.so +#LoadModule session_cookie_module modules/mod_session_cookie.so +#LoadModule session_crypto_module modules/mod_session_crypto.so +#LoadModule session_dbd_module modules/mod_session_dbd.so +#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so +#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so +LoadModule ssl_module modules/mod_ssl.so +#LoadModule optional_hook_export_module 
modules/mod_optional_hook_export.so +#LoadModule optional_hook_import_module modules/mod_optional_hook_import.so +#LoadModule optional_fn_import_module modules/mod_optional_fn_import.so +#LoadModule optional_fn_export_module modules/mod_optional_fn_export.so +#LoadModule dialup_module modules/mod_dialup.so +#LoadModule http2_module modules/mod_http2.so +#LoadModule proxy_http2_module modules/mod_proxy_http2.so +#LoadModule md_module modules/mod_md.so +#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so +#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so +#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so +#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so +LoadModule unixd_module modules/mod_unixd.so +#LoadModule heartbeat_module modules/mod_heartbeat.so +#LoadModule heartmonitor_module modules/mod_heartmonitor.so +#LoadModule dav_module modules/mod_dav.so +LoadModule status_module modules/mod_status.so +LoadModule autoindex_module modules/mod_autoindex.so +#LoadModule asis_module modules/mod_asis.so +#LoadModule info_module modules/mod_info.so +#LoadModule suexec_module modules/mod_suexec.so + + #LoadModule cgid_module modules/mod_cgid.so + + + #LoadModule cgi_module modules/mod_cgi.so + +#LoadModule dav_fs_module modules/mod_dav_fs.so +#LoadModule dav_lock_module modules/mod_dav_lock.so +#LoadModule vhost_alias_module modules/mod_vhost_alias.so +#LoadModule negotiation_module modules/mod_negotiation.so +LoadModule dir_module modules/mod_dir.so +#LoadModule imagemap_module modules/mod_imagemap.so +#LoadModule actions_module modules/mod_actions.so +#LoadModule speling_module modules/mod_speling.so +#LoadModule userdir_module modules/mod_userdir.so +LoadModule alias_module modules/mod_alias.so +LoadModule rewrite_module modules/mod_rewrite.so + + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. 
+# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User daemon +Group daemon + + + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + + + ServerName www.FQDN + ServerAlias FQDN + Redirect / https://www.FQDN/ + + + + ServerName api.FQDN + Redirect / https://api.FQDN/ + + + + ServerName admin.FQDN + Redirect / https://admin.FQDN/ + + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin EMAIL + +# +# ServerName gives the name and port that the server uses to identify itself. +# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +ServerName www.FQDN:80 + +# +# Deny access to the entirety of your server's filesystem. You must +# explicitly permit access to web content directories in other +# blocks below. +# + + AllowOverride none + Require all denied + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# DocumentRoot: The directory out of which you will serve your +# documents. 
By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +DocumentRoot "/usr/local/apache2/htdocs" + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # + Options Indexes FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # AllowOverride FileInfo AuthConfig Limit + # + AllowOverride None + + # + # Controls who can get stuff from this server. + # + Require all granted + + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# + + DirectoryIndex index.html + + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. +# + + Require all denied + + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog /proc/self/fd/2 + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). 
+ # + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + #CustomLog /proc/self/fd/1 common + CustomLog /proc/self/fd/1 combined + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + #CustomLog "logs/access_log" combined + + + + # + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. + # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. 
+ # + ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/" + + + + + # + # ScriptSock: On threaded servers, designate the path to the UNIX + # socket used to communicate with the CGI daemon of mod_cgid. + # + #Scriptsock cgisock + + +# +# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# + + AllowOverride None + Options None + Require all granted + + + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig conf/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. 
+ # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + #AddType text/html .shtml + #AddOutputFilter INCLUDES .shtml + + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +# +#MIMEMagicFile conf/magic + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# MaxRanges: Maximum number of Ranges in a request before +# returning the entire resource, or one of the special +# values 'default', 'none' or 'unlimited'. +# Default setting is to accept 200 Ranges. +#MaxRanges unlimited + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. +# Defaults: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +#EnableSendfile on + +# Supplemental configuration +# +# The configuration files in the conf/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as +# necessary. 
+ +# Server-pool management (MPM specific) +#Include conf/extra/httpd-mpm.conf + +# Multi-language error messages +#Include conf/extra/httpd-multilang-errordoc.conf + +# Fancy directory listings +#Include conf/extra/httpd-autoindex.conf + +# Language settings +#Include conf/extra/httpd-languages.conf + +# User home directories +#Include conf/extra/httpd-userdir.conf + +# Real-time info on requests and configuration +#Include conf/extra/httpd-info.conf + +# Virtual hosts +#Include conf/extra/httpd-vhosts.conf + +# Local access to the Apache HTTP Server Manual +#Include conf/extra/httpd-manual.conf + +# Distributed authoring and versioning (WebDAV) +#Include conf/extra/httpd-dav.conf + +# Various default settings +#Include conf/extra/httpd-default.conf + +# Configure mod_proxy_html to understand HTML4/XHTML1 + +Include conf/extra/proxy-html.conf + + +# Secure (SSL/TLS) connections +Include conf/extra/httpd-ssl.conf +# +# Note: The following must must be present to support +# starting without SSL on platforms with no /dev/random equivalent +# but a statically compiled-in mod_ssl. +# + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + + diff --git a/containers/webserver/lesspass.conf.j2 b/containers/webserver/lesspass.conf.j2 deleted file mode 100644 index 83844ac..0000000 --- a/containers/webserver/lesspass.conf.j2 +++ /dev/null 
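Review bot: Neither `ServerTokens`, `ServerSignature` nor `TraceEnable` appears anywhere in the 567 lines added here, so the server keeps httpd's defaults of `ServerTokens Full` (the exact httpd version in every response) and TRACE enabled; add `ServerTokens Prod`, `ServerSignature Off` and `TraceEnable Off` next to `ServerName www.FQDN:80`. The `htdocs` directory is served with `Options Indexes FollowSymLinks`; `Options -Indexes +FollowSymLinks` is the safer choice for a tree that only holds the default page, even though every `*:80` host redirects to HTTPS. Most of the file is the unmodified upstream template, so a short header comment listing which lines differ from the stock `httpd:2.4` `httpd.conf` (the three redirect vhosts, the `/proc/self/fd` logs, the `Include conf/extra/httpd-ssl.conf`) would make future base-image upgrades reviewable.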
@@ -1,61 +0,0 @@ -ServerName {{ FQDN }} - -TransferLog /dev/stdout -ErrorLog /dev/stderr - - - ServerName www.{{ FQDN }} - ServerAlias {{ FQDN }} - # Redirect permanent / https://www.{{ FQDN }}/ - Redirect / https://www.{{ FQDN }}/ - - - - ServerName {{ FQDN }} - ProxyPass /api/ http://backend:8000/api/ - ProxyPassReverse /api/ http://backend:8000/api/ - SSLEngine on - SSLCertificateFile {{ SSL_CERTIFICATE_FILE }} - SSLCertificateKeyFile {{ SSL_CERTIFICATE_KEY_FILE }} - - - - ServerName api.{{ FQDN }} - ProxyPass / http://backend:8000/api/ - ProxyPassReverse / http://backend:8000/api/ - SSLEngine on - SSLCertificateFile {{ SSL_CERTIFICATE_FILE }} - SSLCertificateKeyFile {{ SSL_CERTIFICATE_KEY_FILE }} - - - - ServerName www.{{ FQDN }} - ServerAlias {{ FQDN }} - - ProxyPass / http://frontend:8080/ - ProxyPassReverse / http://frontend:8080/ - SSLEngine on - SSLCertificateFile {{ SSL_CERTIFICATE_FILE }} - SSLCertificateKeyFile {{ SSL_CERTIFICATE_KEY_FILE }} - - - - ServerName profiles.{{ FQDN }} - ProxyPass / http://profiles:8108/ - ProxyPassReverse / http://profiles:8108/ - SSLEngine on - SSLCertificateFile {{ SSL_CERTIFICATE_FILE }} - SSLCertificateKeyFile {{ SSL_CERTIFICATE_KEY_FILE }} - - -SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 -SSLHonorCipherOrder on -SSLCompression off -SSLSessionTickets off -{% if not DEBUG %} -SSLUseStapling on -SSLStaplingResponderTimeout 5 -SSLStaplingReturnResponderErrors off -SSLStaplingCache shmcb:/var/run/ocsp(128000) -{% endif %}