More improvements to shibboleth docker setup

dlareau · Feb 24, 2020 · 311f1f5 · 311f1f5
1 parent 1fc4b5d
commit 311f1f5
Show file tree

Hide file tree

Showing 14 changed files with 118 additions and 175 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1 @@
+docker/
diff --git a/.gitignore b/.gitignore
@@ -14,4 +14,5 @@ setup.cfg
 /cover/
 .coverage
 debug.log
-/docker/configs/certs/
+/docker/configs/certs/
+*.env
diff --git a/Dockerfile b/Dockerfile
@@ -1,14 +1,16 @@
 FROM python:3.7
 
 ENV PYTHONUNBUFFERED 1
+ENV DJANGO_ENABLE_DEBUG False
+ENV DJANGO_USE_SHIBBOLETH False
+ENV DJANGO_SETTINGS_MODULE puzzlehunt_server.settings.env_settings
 
 RUN mkdir /code
 WORKDIR /code
 
-COPY requirements.txt /code/
-
+COPY requirements.txt ./
 RUN pip install -r requirements.txt
+COPY . .
 
-COPY . /code/
-
-EXPOSE 8000
+EXPOSE 8000
+CMD ["gunicorn", "--workers=2", "--bind=0.0.0.0:8000", "puzzlehunt_server.wsgi:application"]
diff --git a/config/puzzlehunt_cmu.conf b/config/puzzlehunt_cmu.conf
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
     image: postgres
     restart: always
     environment:
-      POSTGRES_DB: puzzlehunt_db
+      POSTGRES_DB: ${DB_NAME}
       POSTGRES_USER: ${DB_USER}
       POSTGRES_PASSWORD: ${DB_PASSWORD}
 
@@ -17,22 +17,18 @@ services:
         https_proxy:
         no_proxy:
     restart: always
-    command: gunicorn --workers=2 --bind=0.0.0.0:8000 puzzlehunt_server.wsgi:application
     volumes:
-      - .:/code
+#      - .:/code  # Enables live modification of django files
       - static:/static
       - media:/media
-
-    ports:
-      - "8000:8000"
     environment:
       - DJANGO_SECRET_KEY
       - DJANGO_ENABLE_DEBUG
       - DJANGO_EMAIL_USER
       - DJANGO_EMAIL_PASSWORD
       - DJANGO_USE_SHIBBOLETH
       - DJANGO_SETTINGS_MODULE=puzzlehunt_server.settings.env_settings
-      - DATABASE_URL=postgres://${DB_USER}:${DB_PASSWORD}@db/puzzlehunt_db
+      - DATABASE_URL=postgres://${DB_USER}:${DB_PASSWORD}@db/${DB_NAME}
     depends_on:
       - db
 
@@ -41,8 +37,11 @@ services:
     container_name: web_server
     build:
       context: ./docker/
-      # dockerfile: nginxDockerfile
       dockerfile: apacheDockerfile
+      args:
+        http_proxy:
+        https_proxy:
+        no_proxy:
     depends_on:
       - app
     volumes:

diff --git a/docker/apacheDockerfile b/docker/apacheDockerfile
@@ -1,17 +1,15 @@
 FROM debian:10
 
-RUN apt-get update
-RUN apt-get install -y apache2 libapache2-mod-xsendfile
-RUN a2enmod proxy proxy_http proxy_html xsendfile 
+RUN apt-get update && \
+    apt-get install -y apache2 libapache2-mod-xsendfile
 
-RUN rm /etc/apache2/sites-enabled/*
 
 COPY configs/puzzlehunt_apache.conf /etc/apache2/sites-available/puzzlehunt.conf
-
-RUN a2ensite puzzlehunt
-
-RUN mkdir -p /static
-RUN mkdir -p /media
+RUN rm /etc/apache2/sites-enabled/* && \
+    a2enmod proxy proxy_http proxy_html xsendfile && \
+    a2ensite puzzlehunt && \
+    mkdir -p /static && \
+    mkdir -p /media
 
 ENTRYPOINT ["/usr/sbin/apache2ctl"]
 CMD ["-D", "FOREGROUND"]
diff --git a/docker/apacheShibDockerfile b/docker/apacheShibDockerfile
@@ -1,28 +1,27 @@
 FROM debian:10
 
-RUN apt-get update
-RUN apt-get install -y apache2 gnupg curl ntp
-RUN cd /tmp
-RUN curl --fail --remote-name https://pkg.switch.ch/switchaai/debian/dists/buster/main/binary-all/misc/switchaai-apt-source_1.0.0_all.deb
-RUN apt-get install -y ./switchaai-apt-source_1.0.0_all.deb
-RUN rm ./switchaai-apt-source_1.0.0_all.deb
-RUN apt-get update
-RUN apt-get install -y --install-recommends shibboleth
-RUN apt-get install -y libapache2-mod-xsendfile libapache2-mod-shib
-RUN a2enmod proxy proxy_http proxy_html xsendfile shib
+# System setup
+RUN apt-get update && \
+    apt-get install -y apache2 gnupg curl ntp && \
+    apt-get install -y certbot python-certbot-apache && \
+    curl --fail --remote-name https://pkg.switch.ch/switchaai/debian/dists/buster/main/binary-all/misc/switchaai-apt-source_1.0.0_all.deb && \
+    apt-get install -y ./switchaai-apt-source_1.0.0_all.deb && \
+    rm ./switchaai-apt-source_1.0.0_all.deb && \
+    apt-get update && \
+    apt-get install -y --install-recommends shibboleth
 
-RUN rm /etc/apache2/sites-enabled/*
-
-COPY configs/puzzlehunt_apache.conf /etc/apache2/sites-available/puzzlehunt.conf
-COPY --chown=_shibd:_shibd configs/certs/sp-cert.pem /etc/shibboleth/sp-cert.pem
-COPY --chown=_shibd:_shibd configs/certs/sp-key.pem /etc/shibboleth/sp-key.pem
-RUN chmod 644 /etc/shibboleth/sp-*
+# Shibboleth setup
+RUN mkdir /etc/shibboleth/certs
 COPY configs/shibboleth2.xml /etc/shibboleth/shibboleth2.xml
 
-RUN a2ensite puzzlehunt
-
-RUN mkdir -p /static
-RUN mkdir -p /media
+# Server setup
+COPY configs/puzzlehunt_apache_shib.conf /etc/apache2/sites-available/puzzlehunt.conf
+RUN rm /etc/apache2/sites-enabled/* && \
+    apt-get install -y libapache2-mod-xsendfile libapache2-mod-shib && \
+    a2enmod proxy proxy_http proxy_html xsendfile shib && \
+    a2ensite puzzlehunt && \
+    mkdir -p /static && \
+    mkdir -p /media
 
 COPY apacheShibForeground /usr/local/bin/
 RUN chmod +x /usr/local/bin/apacheShibForeground

diff --git a/docker/apacheShibForeground b/docker/apacheShibForeground
@@ -1,6 +1,10 @@
 #!/bin/bash
 
 rm -f /etc/apache2/run/httpd.pid /var/lock/subsys/shibd
+cp /etc/shibboleth/certs/sp-* /etc/shibboleth/
+chmod 644 /etc/shibboleth/sp-cert.pem
+chmod 600 /etc/shibboleth/sp-key.pem
+chown _shibd:_shibd /etc/shibboleth/sp-*
 
 service shibd start
 

diff --git a/docker/configs/puzzlehunt_apache_shib.conf b/docker/configs/puzzlehunt_apache_shib.conf
@@ -0,0 +1,58 @@
+<VirtualHost *:80>
+        ServerName puzzlehunt.club.cc.cmu.edu
+
+        ServerAdmin webmaster@localhost
+        DocumentRoot /var/www/html
+        Redirect / https://puzzlehunt.club.cc.cmu.edu/
+</VirtualHost>
+
+<IfModule mod_ssl.c>
+<VirtualHost *:443>
+	ServerName puzzlehunt.club.cc.cmu.edu
+
+	ServerAdmin webmaster@localhost
+	DocumentRoot /var/www/html
+
+	Alias /static /static
+	<Directory /static>
+	    Require all granted
+	</Directory>
+
+	Alias /media /media
+	Alias /media/puzzles /media/puzzles
+	XSendFile	On
+	XSendFilePath	/media
+	<Directory /media>
+	    Require all granted
+	</Directory>
+	<Directory /media/puzzles>
+		Require all denied
+	</Directory>
+
+	<Location /shib/>
+		  AuthType Shibboleth
+		  ShibUseHeaders On
+		  ShibRequireSession On
+		  ShibApplicationId default
+		  ShibExportAssertion On
+		  require valid-user
+	</Location>
+
+    <Location /Shibboleth.sso>
+          Options +Indexes
+          SetHandler shib
+    </Location>
+
+	ProxyPass	 /static/ !
+	ProxyPass	 /media/ !
+	ProxyPass	 /Shibboleth.sso/ !
+
+	ProxyPass / http://app:8000/
+	ProxyPassReverse / http://app:8000/
+	ProxyPreserveHost On
+
+	SSLCertificateFile /etc/letsencrypt/live/puzzlehunt.club.cc.cmu.edu/fullchain.pem
+	SSLCertificateKeyFile /etc/letsencrypt/live/puzzlehunt.club.cc.cmu.edu/privkey.pem
+	Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+</IfModule>
diff --git a/docker/configs/puzzlehunt_nginx.conf b/docker/configs/puzzlehunt_nginx.conf
diff --git a/docker/mysql_override.yml b/docker/mysql_override.yml
@@ -4,11 +4,11 @@ services:
   db:
     image: mariadb
     environment:
-      MYSQL_DATABASE: puzzlehunt_db
+      MYSQL_DATABASE: ${DB_USER}
       MYSQL_USER: ${DB_USER}
       MYSQL_PASSWORD: ${DB_PASSWORD}
       MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
 
   app:
     environment:
-      - DATABASE_URL=mysql://${DB_USER}:${DB_PASSWORD}@db/puzzlehunt_db
+      - DATABASE_URL=mysql://${DB_USER}:${DB_PASSWORD}@db/${DB_USER}
diff --git a/docker/nginxDockerfile b/docker/nginxDockerfile
diff --git a/docker/shib_override.yml b/docker/shib_override.yml
@@ -3,4 +3,9 @@ version: '3'
 services:
   web:
     build:
-      dockerfile: apacheShibDockerfile
+      dockerfile: apacheShibDockerfile
+    volumes:
+      - ./docker/configs/certs/:/etc/shibboleth/certs/
+  app:
+    environment:
+      - DJANGO_USE_SHIBBOLETH=True