Feature/apache ssl2ssl (#7)

* Add apache SSL to SSL config

.gitignore

@@ -1 +1,3 @@
-tests/**/proxy-https-to-http/server.*
+*.crt
+*.key
+*.csr

.travis.yml

@@ -24,6 +24,12 @@ env:
     config: ../../../apache/proxy-https-to-http.conf
     url: https://localhost
 
+  - path: apache/proxy-https-to-https    
+    ssl: true
+    ssl_backend: true
+    config: ../../../apache/proxy-https-to-https.conf
+    url: https://localhost
+
   - path: traefik/minimal
     url: http://localhost
 

apache/proxy-https-to-https.conf

@@ -0,0 +1,51 @@
+# Use this example for proxy HTTPS traffic to the document server running at 'backendserver-address'.
+# Replace /etc/ssl/certs/server.crt with the path to the ssl certificate file
+# Replace /etc/ssl/private/server.key with the path to the ssl private key file
+
+Listen 80
+Listen 443
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule ssl_module modules/mod_ssl.so
+
+<IfModule unixd_module>
+  User daemon
+  Group daemon
+</IfModule>
+
+SSLEngine on
+SSLCertificateFile "/etc/ssl/certs/server.crt"
+SSLCertificateKeyFile "/etc/ssl/private/server.key"
+
+## Strong SSL Security
+## https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
+
+SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
+SSLProtocol All -SSLv2 -SSLv3
+SSLCompression off
+SSLHonorCipherOrder on
+
+## [Optional] Generate a stronger DHE parameter:
+##   cd /etc/ssl/certs
+##   sudo openssl dhparam -out dhparam.pem 4096
+##
+# SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
+
+SSLProxyEngine On
+SSLProxyCheckPeerCN on
+SSLProxyCheckPeerExpire on
+
+SetEnvIf Host "^(.*)$" THE_HOST=$1
+RequestHeader setifempty X-Forwarded-Proto https
+RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
+ProxyAddHeaders Off
+
+ProxyPassMatch (.*)(\/websocket)$ "wss://backendserver-address/$1$2"
+ProxyPass / "https://backendserver-address/"
+ProxyPassReverse / "https://backendserver-address/"

tests/apache/proxy-https-to-https/Readme.md

@@ -0,0 +1,8 @@
+#### Generation of Self Signed Certificates
+```
+./gen-onlyoffice-cert.sh
+```
+#### To run test
+```
+sudo docker-compose up -d
+```

tests/apache/proxy-https-to-https/docker-compose.yaml

@@ -0,0 +1,40 @@
+version: '2'
+services:
+  onlyoffice-documentserver:
+    container_name: onlyoffice-documentserver
+    image: onlyoffice/4testing-documentserver-ie:latest
+    stdin_open: true
+    volumes:
+      - ./backend.crt:/var/www/onlyoffice/Data/certs/onlyoffice.crt
+      - ./backend.key:/var/www/onlyoffice/Data/certs/onlyoffice.key
+    restart: always
+    networks:
+      onlyoffice:
+        aliases:
+          - backendserver-address
+    expose:
+      - '80'
+      - '443'
+
+  onlyoffice-httpd:
+    container_name: onlyoffice-httpd
+    image: httpd:2.4.23
+    depends_on:
+      - onlyoffice-documentserver
+    stdin_open: true
+    volumes:
+      - ../../../apache/proxy-https-to-https.conf:/usr/local/apache2/conf/httpd.conf
+      - ./server.crt:/etc/ssl/certs/server.crt
+      - ./server.key:/etc/ssl/private/server.key
+      - ./backend.crt:/usr/share/ca-certificates/backend.crt
+    restart: always
+    networks:
+     - onlyoffice
+    ports:
+      - '80:80'
+      - '443:443'
+
+networks:
+  onlyoffice:
+    driver: 'bridge'
+

tests/apache/proxy-https-to-https/gen-onlyoffice-cert.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+private_key=backend.key
+certificate_request=backend.csr
+certificate=backend.crt
+
+# Generate certificate
+openssl genrsa -out ${private_key} 2048
+openssl req \
+  -new \
+  -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=backendserver-address" \
+  -key ${private_key} \
+  -out ${certificate_request}
+openssl x509 -req -days 365 -in ${certificate_request} -signkey ${private_key} -out ${certificate}

tests/test.sh

@@ -13,6 +13,12 @@ certificate=server.crt
 
 ssl_path=/etc/ssl
 
+# SSL backend specific options
+ssl_backend=${ssl_backend:-false}
+backend_private_key=backend.key
+backend_certificate_request=backend.csr
+backend_certificate=backend.crt
+
 # Check if the test folder exists
 if [ ! -d ${path} ]; then
   echo "File ${path} doesn't exist!"
@@ -51,14 +57,38 @@ if [ "${ssl}" == "true" ]; then
   sed 's,{{SSL_KEY_PATH}},'"${ssl_path}/private/${private_key}"',' -i ${config}
 fi
 
+# Check if the ssl back enabled
+if [ "${ssl_backend}" == "true" ]; then
+
+  # Generate backend certificate
+  openssl genrsa -out ${backend_private_key} 2048
+  openssl req \
+    -new \
+    -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=backendserver-address" \
+    -key ${backend_private_key} \
+    -out ${backend_certificate_request}
+  openssl x509 -req -days 365 -in ${backend_certificate_request} -signkey ${backend_private_key} -out ${backend_certificate}
+
+fi
+
 # Run test environment
 docker-compose up -d
 
-# Wait for documentserver start up
-sleep 15s
-
-# Get documentserver healthcheck status
-healthcheck_res=$(wget --no-check-certificate -qO - ${url}/healthcheck)
+wakeup_attempts=30
+wakeup_timeout=5
+
+for ((i=0; i<${wakeup_attempts}; i++))
+do
+  # Get documentserver healthcheck status
+  healthcheck_res=$(wget --no-check-certificate -qO - ${url}/healthcheck)
+
+  if [ "${healthcheck_res}" == "true" ]; then
+    break
+  else
+    echo "Wait for service wake up #${i}"
+    sleep ${wakeup_timeout}
+  fi
+done
 
 # Fail if it isn't true
 if [ "${healthcheck_res}" == "true" ]; then