Install voms-client into the dev container: xrdgsiproxy generates wrong proxy certificates, which don't work with standard SSL. Rework the webdav container: - move compilation of mod-want-digest into a deb package. This way, the correct configuration for usage with a2enmod is created by existing helper scripts. - add a self-written module which enables support of gsi proxy certificates in mod_ssl. - rework and simplify the dockerfile.
Showing
21 changed files
with
243 additions
and
154 deletions.
@@ -1,84 +1,55 @@ | ||
FROM httpd:latest | ||
|
||
# These variables are inherited from the httpd:alpine image: | ||
# ENV HTTPD_PREFIX /usr/local/apache2 | ||
# WORKDIR "$HTTPD_PREFIX" | ||
FROM ubuntu:noble as deb_builder | ||
RUN set -ex; \ | ||
apt-get update; \ | ||
apt-get install -y \ | ||
apache2-dev \ | ||
apache2-ssl-dev \ | ||
build-essential \ | ||
curl \ | ||
libaprutil1-dev \ | ||
libapr1-dev \ | ||
libtool \ | ||
zlib1g-dev | ||
|
||
COPY libapache2-mod-want-digest/ mod-want-digest/ | ||
RUN cd mod-want-digest/; dpkg-buildpackage | ||
|
||
COPY libapache2-mod-gsiproxy mod-gsiproxy | ||
RUN cd mod-gsiproxy; dpkg-buildpackage | ||
|
||
# Copy in our configuration files. | ||
COPY conf/ conf/ | ||
|
||
FROM ubuntu:noble | ||
|
||
RUN set -ex; \ | ||
# Download current `mod_want_digest.c` file (and store into root dir) | ||
cd /;\ | ||
apt-get update; \ | ||
apt-get install -y curl; \ | ||
curl -LJ https://github.com/wetzel-desy/mod_want_digest/tarball/main -o wetzel-desy-tarball; \ | ||
tar -xf wetzel-desy-tarball; \ | ||
FILENAME=$(find . -name mod_want_digest.c); \ | ||
mv $FILENAME .; \ | ||
rm -rf wetzel-desy-*; \ | ||
cd $HTTPD_PREFIX;\ | ||
\ | ||
# Create empty default DocumentRoot. | ||
mkdir -p "/var/www/html"; \ | ||
# Create directories for Dav data and lock database. | ||
mkdir -p "/var/lib/dav/data"; \ | ||
touch "/var/lib/dav/DavLock"; \ | ||
chown -R www-data:www-data "/var/lib/dav"; \ | ||
\ | ||
# Enable DAV modules. | ||
for i in dav dav_fs; do \ | ||
sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \ | ||
done; \ | ||
\ | ||
# Make sure authentication modules are enabled. | ||
for i in authn_core authn_file authz_core authz_user auth_basic auth_digest; do \ | ||
sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \ | ||
done; \ | ||
\ | ||
# Make sure other modules are enabled. | ||
for i in alias headers mime setenvif; do \ | ||
sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \ | ||
done; \ | ||
\ | ||
# Run httpd as "www-data" (instead of "daemon"). | ||
for i in User Group; do \ | ||
sed -i -e "s|^$i .*|$i www-data|" "conf/httpd.conf"; \ | ||
done; \ | ||
\ | ||
# Include enabled configs and sites. | ||
printf '%s\n' "Include conf/conf-enabled/*.conf" \ | ||
>> "conf/httpd.conf"; \ | ||
printf '%s\n' "Include conf/sites-enabled/*.conf" \ | ||
>> "conf/httpd.conf"; \ | ||
\ | ||
# Write output to file and to std(err|out)??? | ||
sed -i -e 's/\/proc\/self\/fd\/2/"|\$tee -a \/proc\/self\/fd\/2 \/usr\/local\/apache2\/logs\/apacheerrors.log"/g' conf/httpd.conf; \ | ||
sed -i -e 's/LogLevel warn/LogLevel debug/g' conf/httpd.conf; \ | ||
touch logs/apacheerrors.log; \ | ||
\ | ||
# Enable dav and default site. | ||
mkdir -p "conf/conf-enabled"; \ | ||
mkdir -p "conf/sites-enabled"; \ | ||
ln -s ../conf-available/dav.conf "conf/conf-enabled"; \ | ||
ln -s ../sites-available/default.conf "conf/sites-enabled"; \ | ||
# Install openssl if we need to generate a self-signed certificate. | ||
# apk add --no-cache openssl | ||
apt-get install openssl; \ | ||
\ | ||
# install mod_want_digest | ||
mv /mod_want_digest.c mod_want_digest.c; \ | ||
apt-get install -y libtool libaprutil1-dev libapr1-dev zlib1g-dev build-essential; \ | ||
ln -s /usr/lib/x86_64-linux-gnu/libz.so /usr/lib/x86_64-linux-gnu/libzlib.so; \ | ||
apxs -c -lzlib mod_want_digest.c; \ | ||
apxs -ia mod_want_digest.la; \ | ||
\ | ||
# enable SSL | ||
ln -s "../sites-available/default-ssl.conf" "conf/sites-enabled"; \ | ||
sed -i -e "/^#LoadModule ssl_module.*/s/^#//" "conf/httpd.conf" | ||
apt-get install -y \ | ||
apache2 \ | ||
apache2-dev \ | ||
libapache2-mod-auth-openidc \ | ||
libapache2-mod-oauth2 \ | ||
gridsite \ | ||
; \ | ||
apt-get clean | ||
|
||
|
||
# Configure apache | ||
COPY conf/ conf/ | ||
RUN set -ex; \ | ||
cp -R conf/* /etc/apache2/; \ | ||
# Create directory for webdav | ||
mkdir -p /var/www/webdav/digests /var/www/webdav/data; \ | ||
chown -R www-data:www-data /var/www/webdav; \ | ||
\ | ||
a2enmod dav dav_fs auth_basic auth_digest auth_openidc alias headers mime setenvif; \ | ||
a2dismod zgridsite; \ | ||
a2dissite 000-default | ||
|
||
# Install compiled modules | ||
COPY --from=deb_builder /*.deb /tmp/ | ||
RUN dpkg -i /tmp/*.deb | ||
|
||
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh | ||
EXPOSE 80/tcp 443/tcp | ||
ENTRYPOINT [ "docker-entrypoint.sh" ] | ||
CMD [ "httpd-foreground" ] | ||
CMD ["apache2","-D","FOREGROUND"] |
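Review bot: `RUN dpkg -i /tmp/*.deb` installs the locally built packages without resolving their `${shlibs:Depends}` and keeps the .deb files in the image layer; `RUN apt-get install -y /tmp/*.deb && rm -f /tmp/*.deb` does both in one step. The final stage runs `apt-get clean` but never removes `/var/lib/apt/lists/*`, and neither `ubuntu:noble` nor any package version is pinned, so the image is not reproducible from the Dockerfile alone — a digest-pinned base is the usual fix where that matters. `COPY conf/ conf/` in the final stage lands in the image root, since no WORKDIR is visible in the hunk, and that stray `/conf` tree remains after `cp -R conf/* /etc/apache2/`.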
This file was deleted.
@@ -1,18 +1,29 @@ | ||
Listen 443 | ||
<VirtualHost *:443> | ||
Protocols h2 http/1.1 | ||
ServerName localhost | ||
DocumentRoot "/var/www/html/" | ||
<Directory "/var/www/html/"> | ||
Require all denied | ||
</Directory> | ||
DocumentRoot /var/www/webdav/data/ | ||
|
||
CustomLog /proc/self/fd/1 combined | ||
ErrorLog /proc/self/fd/2 | ||
|
||
SSLEngine on | ||
SSLCertificateFile /web1cert.pem | ||
SSLCertificateKeyFile /web1key.pem | ||
SSLProtocol all -SSLv3 | ||
SSLCertificateFile /etc/grid-security/hostcert.pem | ||
SSLCertificateKeyFile /etc/grid-security/hostkey.pem | ||
SSLCACertificatePath /etc/grid-security/certificates/ | ||
SSLVerifyClient require | ||
SSLVerifyDepth 10 | ||
SSLOptions +StdEnvVars | ||
SSLProtocol TLSv1.2 | ||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS | ||
SSLHonorCipherOrder on | ||
SSLSessionTickets off | ||
|
||
AllowEncodedSlashes on | ||
|
||
<Location /> | ||
Dav On | ||
Options Indexes FollowSymLinks | ||
DigestRootDir /var/www/webdav/digests/ | ||
|
||
<RequireAny> | ||
Require all granted | ||
</RequireAny> | ||
</Location> | ||
</VirtualHost> |
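Review bot: The `SSLCipherSuite` list still admits 3DES (`DES-CBC3-SHA`, `ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) and static-RSA suites such as `AES128-SHA` and `AES256-GCM-SHA384`, which offer no forward secrecy; with `SSLProtocol TLSv1.2` already fixed, either keep only the ECDHE/DHE AEAD entries or append `:!3DES:!kRSA`. `SSLVerifyClient require` together with `Require all granted` in `<Location />` means any certificate chaining to `/etc/grid-security/certificates/` gets read and write on the whole DAV root, including `Options Indexes` listings; if that is the intended dev-container policy, a one-line comment above `Require all granted` saying so would stop the next reader from tightening or loosening it by accident.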
@@ -1,11 +1,19 @@ | ||
<VirtualHost *:80> | ||
ServerName localhost | ||
DocumentRoot "/var/www/html/" | ||
<Directory "/var/www/html/"> | ||
Require all denied | ||
</Directory> | ||
DocumentRoot /var/www/webdav/data/ | ||
|
||
CustomLog /proc/self/fd/1 combined | ||
ErrorLog /proc/self/fd/2 | ||
# This lets certain DAV methods work behind an SSL reverse proxy. | ||
RequestHeader edit Destination ^https http early | ||
|
||
AllowEncodedSlashes on | ||
|
||
<Location /> | ||
Dav On | ||
Options Indexes FollowSymLinks | ||
DigestRootDir /var/www/webdav/digests/ | ||
|
||
<RequireAny> | ||
Require all granted | ||
</RequireAny> | ||
</Location> | ||
</VirtualHost> |
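Review bot: Port 80 serves `Dav On` with `Require all granted`, so any client that can reach this vhost gets unauthenticated read and write on `/var/www/webdav/data/` over cleartext, with `Options Indexes` listing the tree. The `RequestHeader edit Destination` comment implies the vhost is meant to sit behind a TLS reverse proxy; record that assumption next to the grant, e.g. `# Unauthenticated DAV: this vhost must only be reachable through the TLS reverse proxy or on the dev network.` above `<Location />`. Where that is not guaranteed, `Require ip <proxy address>` in place of `Require all granted` is the minimal guard.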
@@ -1,61 +1,14 @@ | ||
#!/bin/sh | ||
set -e | ||
|
||
. /etc/apache2/envvars | ||
|
||
# Just in case this environment variable has gone missing. | ||
HTTPD_PREFIX="${HTTPD_PREFIX:-/usr/local/apache2}" | ||
|
||
# Configure vhosts. | ||
if [ "x$SERVER_NAMES" != "x" ]; then | ||
# Use first domain as Apache ServerName. | ||
SERVER_NAME="${SERVER_NAMES%%,*}" | ||
sed -e "s|ServerName .*|ServerName $SERVER_NAME|" \ | ||
-i "$HTTPD_PREFIX"/conf/sites-available/default*.conf | ||
|
||
# Replace commas with spaces and set as Apache ServerAlias. | ||
SERVER_ALIAS="`printf '%s\n' "$SERVER_NAMES" | tr ',' ' '`" | ||
sed -e "/ServerName/a\ \ ServerAlias $SERVER_ALIAS" \ | ||
-i "$HTTPD_PREFIX"/conf/sites-available/default*.conf | ||
fi | ||
|
||
# Configure dav.conf | ||
if [ "x$LOCATION" != "x" ]; then | ||
sed -e "s|Alias .*|Alias $LOCATION /var/lib/dav/data/|" \ | ||
-i "$HTTPD_PREFIX/conf/conf-available/dav.conf" | ||
fi | ||
if [ "x$REALM" != "x" ]; then | ||
sed -e "s|AuthName .*|AuthName \"$REALM\"|" \ | ||
-i "$HTTPD_PREFIX/conf/conf-available/dav.conf" | ||
# Certificates have been mounted by the user. | ||
a2dismod zgridsite | ||
if [ -e /etc/grid-security/hostcert.pem ] && [ -e /etc/grid-security/hostkey.pem ]; then | ||
a2ensite default-ssl | ||
else | ||
REALM="WebDAV" | ||
a2dissite default | ||
fi | ||
if [ "x$AUTH_TYPE" != "x" ]; then | ||
# Only support "Basic" and "Digest". | ||
if [ "$AUTH_TYPE" != "Basic" ] && [ "$AUTH_TYPE" != "Digest" ]; then | ||
printf '%s\n' "$AUTH_TYPE: Unknown AuthType" 1>&2 | ||
exit 1 | ||
fi | ||
sed -e "s|AuthType .*|AuthType $AUTH_TYPE|" \ | ||
-i "$HTTPD_PREFIX/conf/conf-available/dav.conf" | ||
fi | ||
|
||
# This will either be the self-signed certificate generated above or one that | ||
# has been bind mounted in by the user. | ||
if [ -e /privkey.pem ] && [ -e /cert.pem ]; then | ||
# Enable SSL Apache modules. | ||
for i in http2 ssl; do | ||
sed -e "/^#LoadModule ${i}_module.*/s/^#//" \ | ||
-i "$HTTPD_PREFIX/conf/httpd.conf" | ||
done | ||
# Enable SSL vhost. | ||
ln -sf ../sites-available/default-ssl.conf \ | ||
"$HTTPD_PREFIX/conf/sites-enabled" | ||
fi | ||
|
||
# Create directories for Dav data and lock database. | ||
[ ! -d "/var/lib/dav/data" ] && mkdir -p "/var/lib/dav/data" | ||
[ ! -d "/var/lib/dav/data/rucio" ] && mkdir -p "/var/lib/dav/data/rucio" | ||
[ ! -e "/var/lib/dav/DavLock" ] && touch "/var/lib/dav/DavLock" | ||
chown -R www-data:www-data "/var/lib/dav" | ||
|
||
exec "$@" |
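Review bot: When no host certificate is mounted the `else` branch runs `a2dissite default`, so — as far as this file shows — neither site stays enabled in that case, which reads as the inverse of "plain HTTP when TLS is unavailable"; if refusing to start is really the intent, print the reason and `exit 1` instead of leaving sites-enabled empty, and if not, the branch should go. Whether `default` is enabled at all before this runs depends on what the Dockerfile's `cp -R conf/* /etc/apache2/` brought in, which is not visible here. `a2dismod zgridsite` is already executed in the Dockerfile's configure step, so the call here is redundant unless something re-enables the module between image build and container start.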
@@ -0,0 +1,2 @@ | ||
mod .libs/mod_gsiproxy.so | ||
mod debian/conf/zgsiproxy.load |
@@ -0,0 +1,5 @@ | ||
libapache2-mod-gsiproxy (1.0.0) stable; urgency=medium | ||
|
||
* Initial commit | ||
|
||
-- Radu Carpa <radu.carpa@cern.ch> Fri, 22 Dec 2023 11:39:22 +0100 |
@@ -0,0 +1 @@ | ||
12 |
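--- /dev/null
+++ b/debian/conf/zgsiproxy.load
@@ -0,0 +1,2 @@
+# Depends: ssl
+LoadModule gsi_proxy_certs_module /usr/lib/apache2/modules/mod_gsiproxy.so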
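Review bot: Nothing records why the file is named `zgsiproxy.load` rather than `gsiproxy.load`; presumably the leading `z` makes it sort after `ssl.load` in mods-enabled so that `mod_gsiproxy.so`, which references the `ssl_module` symbol, is loaded after mod_ssl — `# Depends: ssl` only makes a2enmod enable ssl, it does not order the `LoadModule` lines. A comment such as `# Leading z: must sort after ssl.load, the module resolves ssl_module at load time.` would protect the name from a well-meant rename.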
@@ -0,0 +1,15 @@ | ||
Source: libapache2-mod-gsiproxy | ||
Maintainer: Rucio | ||
Section: web | ||
Priority: optional | ||
Standards-Version: 1.0.0 | ||
Build-Depends: | ||
apache2-dev, | ||
apache2-ssl-dev | ||
|
||
Package: libapache2-mod-gsiproxy | ||
Architecture: any | ||
Depends: | ||
${shlibs:Depends}, | ||
${misc:Depends} | ||
Description: Apache2 module which activates support for GSI X509 proxy certificates in mod_ssl |
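Review bot: `Standards-Version: 1.0.0` is not a Debian Policy version — the field names the policy release the package claims to follow (currently the 4.x series) and lintian flags unknown values; either set it to the policy version actually checked against or drop the field. With `debian/compat` at 12 and `dh $@ --with apache2` in rules, `Build-Depends` should presumably also list `debhelper (>= 12)` next to `apache2-dev`, unless apache2-dev pulls it in on noble. `Maintainer: Rucio` carries no e-mail address, which the packaging tools warn about.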
@@ -0,0 +1,11 @@ | ||
#!/usr/bin/make -f | ||
|
||
override_dh_auto_build: | ||
apxs -Wc,-ffile-prefix-map=$(CURDIR)=. -lz -c mod_gsiproxy.c | ||
|
||
override_dh_clean: | ||
rm -rf .libs | ||
dh_clean | ||
|
||
%: | ||
dh $@ --with apache2 |
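Review bot: `-lz` links zlib into mod_gsiproxy.so although the module uses no zlib symbol (mod_gsiproxy.c includes only httpd and OpenSSL headers), so it looks carried over from the want-digest build and can be dropped. The bare `apxs` call also ignores the `CFLAGS`/`CPPFLAGS`/`LDFLAGS` that dpkg-buildpackage exports, hardening flags included; `apxs -Wc,"$(CFLAGS) $(CPPFLAGS) -ffile-prefix-map=$(CURDIR)=." -Wl,"$(LDFLAGS)" -c mod_gsiproxy.c` passes them through.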
@@ -0,0 +1 @@ | ||
3.0 (native) |
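--- /dev/null
+++ b/mod_gsiproxy.c
@@ -0,0 +1,66 @@
+#include "http_core.h"
+#include "openssl/ssl.h"
+#include "openssl/x509.h"
+#include "mod_ssl.h"
+
+extern module AP_MODULE_DECLARE_DATA ssl_module;
+
+#ifndef BOOL
+#define BOOL unsigned int
+#endif
+
+typedef struct {
+void *sc;
+SSL_CTX *ssl_ctx;
+} modssl_ctx_t;
+
+typedef enum {
+SSL_ENABLED_UNSET = -1,
+SSL_ENABLED_FALSE = 0,
+SSL_ENABLED_TRUE = 1,
+SSL_ENABLED_OPTIONAL = 3
+} ssl_enabled_t;
+
+typedef struct {
+void *mc;
+ssl_enabled_t enabled;
+BOOL proxy_enabled;
+const char *vhost_id;
+int vhost_id_len;
+int session_cache_timeout;
+BOOL cipher_server_pref;
+BOOL insecure_reneg;
+modssl_ctx_t *server;
+modssl_ctx_t *proxy;
+} SSLSrvConfigRec;
+
+int hook_post_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *base_server)
+{
+SSLSrvConfigRec *sc;
+server_rec *s;
+for (s = base_server; s; s = s->next) {
+sc = (SSLSrvConfigRec *)ap_get_module_config(s->module_config, &ssl_module);
+if (sc && sc->enabled && sc->server && sc->server->ssl_ctx){
+X509_VERIFY_PARAM *param = SSL_CTX_get0_param(sc->server->ssl_ctx);
+X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS);
+}
+}
+return OK;
+}
+
+static void register_hooks(apr_pool_t *pool)
+{
+static const char * const dep[] = { "mod_ssl.c", NULL };
+ap_hook_post_config(hook_post_config, dep, NULL, APR_HOOK_MIDDLE);
+}
+
+module AP_MODULE_DECLARE_DATA gsi_proxy_certs_module =
+{
+STANDARD20_MODULE_STUFF,
+NULL,
+NULL,
+NULL,
+NULL,
+NULL,
+register_hooks
+};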
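Review bot: `hook_post_config` reaches `sc->server->ssl_ctx` through hand-copied versions of mod_ssl's private `SSLSrvConfigRec` and `modssl_ctx_t` (the typedef block between the `#ifndef BOOL` guard and the function), so the module is only correct while those layouts match the exact httpd build on the host; fields in that struct have moved between 2.4 releases, and a mismatch does not fail loudly — it dereferences whatever pointer sits at that offset. mod_ssl exports an `init_server` hook in `mod_ssl_openssl.h` that is invoked with each `SSL_CTX` as it is initialised, which removes the copied structs, the `extern ssl_module` and the version coupling; the rewrite below uses it (include `mod_ssl_openssl.h`, drop the three typedefs and the `extern`). Independently, `hook_post_config` is file-local and should be `static` rather than an exported symbol of the .so. The verify flag is still set on every server-side SSL context, the same scope as the original loop over `sc->server`.
```c
/* … unchanged: includes (mod_ssl.h replaced by mod_ssl_openssl.h) … */

/* Invoked by mod_ssl for every SSL_CTX it initialises (mod_ssl_openssl.h
 * init_server hook), so no private mod_ssl struct layout is needed here.
 * Only server contexts are touched; proxy contexts are skipped, matching
 * the original loop over sc->server. Returns OK so later hooks still run. */
static int gsiproxy_init_server(server_rec *s, apr_pool_t *p, int is_proxy, SSL_CTX *ctx)
{
    if (is_proxy || ctx == NULL) {
        return OK;
    }
    X509_VERIFY_PARAM *param = SSL_CTX_get0_param(ctx);
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS);
    return OK;
}

static void register_hooks(apr_pool_t *pool)
{
    /* External hook owned by mod_ssl: mod_ssl must already be loaded for the
     * symbol to resolve, which is also why the .load file sorts after ssl.load. */
    ssl_hook_init_server(gsiproxy_init_server, NULL, NULL, APR_HOOK_MIDDLE);
}

/* … unchanged: gsi_proxy_certs_module definition … */
```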
@@ -0,0 +1,2 @@ | ||
mod .libs/mod_want_digest.so | ||
mod debian/conf/want_digest.load |