From b5e5a75d36726024ea656d978238f199930e9d97 Mon Sep 17 00:00:00 2001
From: Arno
Date: Sat, 26 Oct 2024 10:16:37 +0000
Subject: [PATCH] svg
---
 .gitignore | 3 +-
 env/.env | 1 +
 misc/images/apache/nine.conf | 22 ----------
 .../containers/nineapache/Dockerfile | 13 +++++-
 .../containers/nineapache/addcertif.sh | 15 +++++++
 .../containers/nineapache/site.conf | 20 +++++++--
 .../containers/nineapache/sslletsencrypt.conf | 43 +++++++++++++++++++
 .../nineapache/{ssl.conf => sslself.conf} | 0
 nine.sh | 10 +++++
 services/10-nineapache/apache/apache.conf | 18 +++++++-
 .../dockercompose/dockercompose.yml | 2 +-
 .../10-nineapache/volume/ssl/selfsigned.crt | 21 ---------
 .../10-nineapache/volume/ssl/selfsigned.key | 28 ------------
 .../50-nextcloud/volume/prestart/prestart.sh | 1 +
 14 files changed, 118 insertions(+), 79 deletions(-)
 delete mode 100644 misc/images/apache/nine.conf
 create mode 100644 misc/images/nineapache81/containers/nineapache/addcertif.sh
 create mode 100644 misc/images/nineapache81/containers/nineapache/sslletsencrypt.conf
 rename misc/images/nineapache81/containers/nineapache/{ssl.conf => sslself.conf} (100%)
 delete mode 100644 services/10-nineapache/volume/ssl/selfsigned.crt
 delete mode 100644 services/10-nineapache/volume/ssl/selfsigned.key
diff --git a/.gitignore b/.gitignore
index 6a97812..caaee30 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,7 @@ docker-compose.yml
-/services/10-nineapache/volume/apache
+/services/10-nineapache/volume
 /services/15-mariadb/volume/mysql
@@ -19,6 +19,7 @@ docker-compose.yml
 /services/50-nextcloud/volume/html
 /services/50-nextcloud/volume/app
+/services/50-nineboard/volume/data
 /services/50-nineboard/volume/data
 /services/50-ninefolio/volume/data
 /services/50-ninefolio/volume/apache
diff --git a/env/.env b/env/.env
index b02444c..0a6eb00 100644
--- a/env/.env
+++ b/env/.env
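Review bot: The added `/services/50-nineboard/volume/data` in the second .gitignore hunk duplicates the identical entry on the line directly below it, so one of the two should go. The first hunk's widening from `volume/apache` to `/services/10-nineapache/volume` is what now keeps the new `volume/letsencrypt` bind mount — which will hold the ACME account key and `privkey.pem` — out of version control; that intent is worth a comment beside it, e.g. `# whole nineapache volume: letsencrypt/ holds private keys, never commit`.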
@@ -33,6 +33,7 @@ MODE_AUTH=CAS
 NINEAPACHE_SERVICE_NAME=nineapache
 NINEAPACHE_ACTIVATE=1
 NINEAPACHE_LOCAL=1
+NINEAPACHE_LETSENCRYPT=0
 # FAKESMTP
 # fake-smtp server
diff --git a/misc/images/apache/nine.conf b/misc/images/apache/nine.conf
deleted file mode 100644
index 06a7361..0000000
--- a/misc/images/apache/nine.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-ProxyPass /auth http://nine.local:8080/auth retry=0 keepalive=On
-ProxyPassReverse /auth http://nine.local:8080/auth retry=0
-
-ProxyPass /ninegate http://nine.local:9000/ninegate retry=0 keepalive=On
-ProxyPassReverse /ninegate http://nine.local:9000/ninegate retry=0
-ProxyPass /wssninegate ws://nine.local:9000/wssninegate retry=0 keepalive=On
-ProxyPassReverse /wssninegate ws://nine.local:9000/wssninegate retry=0
-
-ProxyPass /nextcloud http://nine.local:9001 retry=0 keepalive=On
-ProxyPassReverse /nextcloud http://nine.local:9001 retry=0
-
-ProxyPass /adminer http://nine.local:9100 retry=0 keepalive=On
-ProxyPassReverse /adminer http://nine.local:9100 retry=0
-
-ProxyPass /phpldapadmin http://nine.local:9101/phpldapadmin retry=0 keepalive=On
-ProxyPassReverse /phpldapadmin http://nine.local:9101/phpldapadmin retry=0
-
-ProxyPass /nineapache http://nine.local:9102 retry=0 keepalive=On
-ProxyPassReverse /nineapache http://nine.local:9102 retry=0
-
-
-
diff --git a/misc/images/nineapache81/containers/nineapache/Dockerfile b/misc/images/nineapache81/containers/nineapache/Dockerfile
index 6eca3f8..1a031a7 100755
--- a/misc/images/nineapache81/containers/nineapache/Dockerfile
+++ b/misc/images/nineapache81/containers/nineapache/Dockerfile
@@ -13,7 +13,9 @@ RUN apk add --no-cache \
 unzip \
 zip \
 openssl \
-mariadb-client
+mariadb-client \
+certbot \
+gettext
 RUN apk add --no-cache \
 apache2 \
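Review bot: `NINEAPACHE_LETSENCRYPT=0` is added with no hint of what switching it on requires, while `addcertif.sh` in this same patch reads `WEB_URL` and `ADMIN_EMAIL` from the environment and needs port 80 reachable from the internet for the HTTP-01 challenge. A comment above the line would spare the next operator a failed run, e.g. `# 1 = obtain/renew a Let's Encrypt certificate for WEB_URL via 'nine.sh letsencrypt' (needs ADMIN_EMAIL and public port 80); 0 = keep the self-signed cert`. Whether `WEB_URL` and `ADMIN_EMAIL` are actually exported into the nineapache container is not visible here.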
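Review bot: The `apk add` list gains `certbot` and `gettext`, but the `addcertif.sh` added in this patch starts with `#!/bin/bash` and uses `[[ ]]`, and no `bash` package appears in the visible part of the list; Alpine does not ship bash by default, so unless it is installed elsewhere in the Dockerfile the script will fail with `not found` both from cron and from `nine.sh letsencrypt`. Either add `bash \` next to `certbot \`, or make the script POSIX (`#!/bin/sh` and `[ "$NINEAPACHE_LETSENCRYPT" = 1 ]`). The `RUN apk add` instruction this hunk edits starts before the hunk.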
@@ -64,7 +66,14 @@ RUN chmod +x /etc/apache2/apache2.sh
 COPY php.local.ini /etc/php81/conf.d/
 COPY httpd.conf /etc/apache2/httpd.conf
 COPY site.conf /etc/apache2/conf.d/nine/site.conf
-COPY ssl.conf /etc/apache2/conf.d/ssl.conf
+COPY sslself.conf /etc/apache2/conf.d/ssl.conf
 COPY index.php /app/public/index.php
+RUN mkdir /nine
+COPY sslletsencrypt.conf /nine/ssl.conf
+RUN mkdir -p /usr/local/apache2/htdocs/.well-known/acme-challenge
+COPY addcertif.sh /nine/addcertif.sh
+RUN chmod +x /nine/addcertif.sh
+RUN echo "0 1 * * * /etc/apache2/addcertif.sh >> /var/log/addcertif.log 2>&1" >> /var/spool/cron/crontabs/root
+
 CMD /etc/apache2/apache2.sh
\ No newline at end of file
diff --git a/misc/images/nineapache81/containers/nineapache/addcertif.sh b/misc/images/nineapache81/containers/nineapache/addcertif.sh
new file mode 100644
index 0000000..6715448
--- /dev/null
+++ b/misc/images/nineapache81/containers/nineapache/addcertif.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [[ $NINEAPACHE_LETSENCRYPT == 1 ]]
+then
+ # On génère ou renouvel le certificat
+ echo "CERTIFICAT LETSENCRYPT"
+ certbot certonly --webroot -w /usr/local/apache2/htdocs -d ${WEB_URL} --non-interactive --agree-tos --email ${ADMIN_EMAIL}
+
+ # On supprime la conf ssl pour placer celle de letsencrypt en y placant la web_url
+ rm -f /etc/apache2/conf.d/ssl.conf
+ envsubst < "/nine/ssl.conf" > "/etc/apache2/conf.d/ssl.conf"
+
+ # On redemarre apache
+ httpd -k graceful
+fi
\ No newline at end of file
diff --git a/misc/images/nineapache81/containers/nineapache/site.conf b/misc/images/nineapache81/containers/nineapache/site.conf
index f774c5b..bab7452 100755
--- a/misc/images/nineapache81/containers/nineapache/site.conf
+++ b/misc/images/nineapache81/containers/nineapache/site.conf
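Review bot: The cron entry written in this hunk runs `/etc/apache2/addcertif.sh`, but two lines earlier the script is copied to `/nine/addcertif.sh`, so the nightly job will fail with `not found` and certificates will never auto-renew once the first one hits its 90-day expiry; the line should read `RUN echo "0 1 * * * /nine/addcertif.sh >> /var/log/addcertif.log 2>&1" >> /var/spool/cron/crontabs/root`. The entry also presupposes that something in the image starts `crond` — `apache2.sh` is not shown, so that is worth confirming — and busybox crond may not hand the container's `NINEAPACHE_LETSENCRYPT`/`WEB_URL`/`ADMIN_EMAIL` to the job, in which case the script's guard silently skips. For an unattended renewal path a failure should be loud, not just appended to a log nobody tails.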
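Review bot: The script deletes the live `ssl.conf`, renders the Let's Encrypt one and reloads Apache regardless of whether `certbot certonly` succeeded, so a failed or rate-limited issuance (DNS not yet pointing here, port 80 blocked) leaves a config referencing `/etc/letsencrypt/live/${WEB_URL}/fullchain.pem` that does not exist; `httpd -k graceful` then refuses the reload and the next container restart does not come up at all. Check certbot's exit status before touching the config, run `httpd -t` before the graceful reload and put the previous config back if it fails. `${WEB_URL}` and `${ADMIN_EMAIL}` are also unquoted and unchecked — an empty `WEB_URL` turns the command into `-d --non-interactive` — and `envsubst` with no variable list expands every `${…}` in the template, so name the one variable it should touch. Whether the container environment reaches this script when cron runs it is not visible here.
```bash
#!/bin/bash
# Issues or renews the Let's Encrypt certificate for WEB_URL and swaps in the TLS vhost config.
set -euo pipefail

if [[ "${NINEAPACHE_LETSENCRYPT:-0}" == 1 ]]; then
  : "${WEB_URL:?WEB_URL must be set}" "${ADMIN_EMAIL:?ADMIN_EMAIL must be set}"
  echo "CERTIFICAT LETSENCRYPT"
  # Never touch the live config unless certbot actually produced/renewed a certificate.
  certbot certonly --webroot -w /usr/local/apache2/htdocs -d "${WEB_URL}" \
    --non-interactive --agree-tos --email "${ADMIN_EMAIL}" \
    || { echo "certbot failed, keeping current ssl.conf" >&2; exit 1; }

  conf=/etc/apache2/conf.d/ssl.conf
  cp -a "${conf}" "${conf}.bak"
  # Expand only WEB_URL; any other ${...} in the template is left as-is.
  envsubst '${WEB_URL}' < /nine/ssl.conf > "${conf}"

  # A config that fails httpd -t must not stay in place, or the next restart never comes up.
  if httpd -t; then
    httpd -k graceful
  else
    echo "generated ssl.conf is invalid, restoring previous config" >&2
    mv "${conf}.bak" "${conf}"
    exit 1
  fi
fi
```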
@@ -1,13 +1,28 @@
-
 LoadModule rewrite_module modules/mod_rewrite.so
 ServerName nineapache.local
 DocumentRoot "/app/public"
+
+# Alias pour le répertoire de validation de Certbot
+Alias /.well-known/acme-challenge /usr/local/apache2/htdocs/.well-known/acme-challenge
+
+# Exclure les requêtes pour .well-known/acme-challenge de la redirection vers index.php
+
+ Options None
+ AllowOverride None
+ Require all granted
+
+
 Options Indexes FollowSymLinks
 AllowOverride All
 Require all granted
 RewriteEngine On
+
+ # Exclure les requêtes vers .well-known/acme-challenge de la redirection
+ RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
+
+ # Règles de réécriture existantes
 RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
 RewriteRule .* - [E=BASE:%1]
 RewriteCond %{HTTP:Authorization} .+
@@ -15,6 +30,5 @@ DocumentRoot "/app/public"
 RewriteCond %{ENV:REDIRECT_STATUS} =""
 RewriteRule ^index\.php(?:/(.*)|$) %{ENV:BASE}/$1 [R=301,L]
 RewriteCond %{REQUEST_FILENAME} !-f
- RewriteRule ^ %{ENV:BASE}/index.php [L]
+ RewriteRule ^ %{ENV:BASE}/index.php [L]
-
diff --git a/misc/images/nineapache81/containers/nineapache/sslletsencrypt.conf b/misc/images/nineapache81/containers/nineapache/sslletsencrypt.conf
new file mode 100644
index 0000000..975d824
--- /dev/null
+++ b/misc/images/nineapache81/containers/nineapache/sslletsencrypt.conf
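Review bot: The new `RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge` only conditions the RewriteRule that immediately follows it — `RewriteRule .* - [E=BASE:%1]`, which merely sets an env var — so it does not exclude the challenge path from the `RewriteRule ^ %{ENV:BASE}/index.php [L]` at the end of the block, which is the rule the comment says it is meant to bypass. Move the condition directly above that final rule and anchor it properly, `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/` (the unescaped `.` currently matches any character). In practice the `Alias` maps the challenge directory to `/usr/local/apache2/htdocs`, outside `/app/public`, so these per-directory rules probably never see those requests at all — in which case the condition is dead code and should say so or go. The enclosing `<Directory>` containers appear to have been lost in rendering, and the block continues into the next hunk.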
@@ -0,0 +1,43 @@
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+
+SSLRandomSeed startup file:/dev/urandom 512
+SSLRandomSeed connect builtin
+
+Listen 443
+
+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!ADH
+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!ADH
+SSLHonorCipherOrder on
+SSLProtocol all -SSLv3
+SSLProxyProtocol all -SSLv3
+SSLPassPhraseDialog builtin
+SSLSessionCache "shmcb:/var/cache/mod_ssl/scache(512000)"
+SSLSessionCacheTimeout 300
+
+
+ DocumentRoot "/app/public"
+ ServerName www.example.com:443
+ ServerAdmin you@example.com
+ ErrorLog logs/ssl_error.log
+ TransferLog logs/ssl_access.log
+
+ SSLEngine on
+
+ SSLCertificateFile /etc/letsencrypt/live/${WEB_URL}/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/${WEB_URL}/privkey.pem
+
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+ CustomLog logs/ssl_request.log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
\ No newline at end of file
diff --git a/misc/images/nineapache81/containers/nineapache/ssl.conf b/misc/images/nineapache81/containers/nineapache/sslself.conf
similarity index 100%
rename from misc/images/nineapache81/containers/nineapache/ssl.conf
rename to misc/images/nineapache81/containers/nineapache/sslself.conf
diff --git a/nine.sh b/nine.sh
index fc7b8bc..d342883 100755
--- a/nine.sh
+++ b/nine.sh
@@ -342,6 +342,15 @@ then
 up$2
 fi
 docker-compose logs -f $2
+elif [[ $1 == "letsencrypt" ]]
+then
+ Title ${NINEAPACHE_SERVICE_NAME^^} LETSENCRYPT
+ if [[ $NINEAPACHE_ACTIVATE == 1 && $NINEAPACHE_LOCAL == 1 ]]
+ then
+ docker-compose exec ${NINEAPACHE_SERVICE_NAME} /nine/addcertif.sh
+ else
+ EchoRouge "Service ${NINEAPACHE_SERVICE_NAME} non actif"
+ fi
 else
 EchoRouge "Action possible ="
 EchoRouge "nine.sh > UP de l'ensemble des services actifs"
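Review bot: `ServerName www.example.com:443` and `ServerAdmin you@example.com` are stock-template placeholders in a file this patch renders with `envsubst`, so the TLS vhost answers for the wrong name while the certificate two lines below it is issued for `${WEB_URL}`; use `ServerName ${WEB_URL}:443` and a real `ServerAdmin`. The TLS policy is also weaker than a fresh Let's Encrypt deployment warrants: `SSLProtocol all -SSLv3` still permits TLS 1.0/1.1 and `HIGH:MEDIUM:…` admits MEDIUM-strength suites — `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES` (mirrored in the `SSLProxy*` directives) are the minimum I would ship, with `Header always set Strict-Transport-Security "max-age=31536000"` once the cert is known to work and mod_headers is loaded. The renamed `sslself.conf` is not shown; if this file was cloned from it, it presumably carries the same gaps. The `<VirtualHost>`, `<FilesMatch>` and `<Directory>` containers appear to have been stripped in rendering.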
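Review bot: The new `letsencrypt` branch checks `NINEAPACHE_ACTIVATE` and `NINEAPACHE_LOCAL` but not `NINEAPACHE_LETSENCRYPT`, and `addcertif.sh` (added in this patch) is a silent no-op when that variable is not `1`, so with the shipped default `NINEAPACHE_LETSENCRYPT=0` the command prints the title and does nothing without saying why. Add the flag to the guard, `if [[ $NINEAPACHE_ACTIVATE == 1 && $NINEAPACHE_LOCAL == 1 && $NINEAPACHE_LETSENCRYPT == 1 ]]`, and have the `else` message name the variable that is off. `docker-compose exec` hands the service's environment to the script, but whether `WEB_URL` and `ADMIN_EMAIL` are part of it is not visible here. The enclosing `if`/`elif` chain starts before this hunk.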
@@ -362,6 +371,7 @@ else
 EchoRouge "nine.sh iswait monservice > monservice est-il en cours de construction"
 EchoRouge "nine.sh regen > lance destroyall puis up sur l'ensemble des service"
 EchoRouge "nine.sh regen monservice > lance destroy monservice puis up monservice"
+ EchoRouge "nine.sh letsencrypt > genere ou renouvelle le certificat letsencrypt"
 fi
 echo
 echo
diff --git a/services/10-nineapache/apache/apache.conf b/services/10-nineapache/apache/apache.conf
index dce74e7..20fac88 100644
--- a/services/10-nineapache/apache/apache.conf
+++ b/services/10-nineapache/apache/apache.conf
@@ -2,6 +2,10 @@ LoadModule rewrite_module modules/mod_rewrite.so
 ServerName nineapache.local
+RewriteEngine On
+RewriteCond %{HTTPS} !=on
+RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+
 # Options Proxy
 ProxyRequests Off
 ProxyPreserveHost On
@@ -16,14 +20,26 @@ RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
 RequestHeader set Host "%{HTTP_HOST}s"
 RequestHeader set X-Forwarded-Proto "http"
+# Alias pour le répertoire de validation de Certbot
+Alias /.well-known/acme-challenge /usr/local/apache2/htdocs/.well-known/acme-challenge
+
+# Exclure les requêtes pour .well-known/acme-challenge de la redirection vers index.php
+
+ Options None
+ Require all granted
+
+
 # Page interne au proxy
 DocumentRoot "/app/public"
 Options Indexes FollowSymLinks
 AllowOverride All
 Require all granted
- RewriteEngine On
+
+ # Exclure les requêtes vers .well-known/acme-challenge de la redirection
+ RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
+
 RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
 RewriteRule .* - [E=BASE:%1]
 RewriteCond %{HTTP:Authorization} .+
diff --git a/services/10-nineapache/dockercompose/dockercompose.yml b/services/10-nineapache/dockercompose/dockercompose.yml
index 569422e..a1d2064 100644
--- a/services/10-nineapache/dockercompose/dockercompose.yml
+++ b/services/10-nineapache/dockercompose/dockercompose.yml
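Review bot: The new server-level `RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]` carries no exception for `/.well-known/acme-challenge/`, so the HTTP-01 probe on port 80 is bounced to the 443 vhost; Let's Encrypt does follow that redirect, but it makes every issuance and renewal depend on the HTTPS side being up and valid — precisely the side `addcertif.sh` is about to rewrite. Insert `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/` between the `%{HTTPS}` condition and the rule. The target also reflects the client-supplied `Host` header verbatim into an unconditional 301, the classic host-header-injection shape; if `ServerName` is set to the public name, `https://%{SERVER_NAME}%{REQUEST_URI}` with `UseCanonicalName On` closes it.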
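Review bot: With every plain-HTTP request now 301'd to HTTPS, the context line `RequestHeader set X-Forwarded-Proto "http"` at the top of this hunk tells every proxied backend that the client arrived over http; apps that build absolute URLs, redirects or cookie flags from that header will emit `http://` and can loop against the new redirect — the `overwriteprotocol` line added to Nextcloud's `prestart.sh` in this same patch looks like a symptom of exactly that. Derive it from the real scheme instead: `RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}`. The `RewriteCond … !^/.well-known/acme-challenge` added further down has the same flaw as in `site.conf`: it only conditions the next `RewriteRule .* - [E=BASE:%1]`, not the final rewrite to `index.php`, which lies after this hunk.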
@@ -14,4 +14,4 @@ services: - "443:443" volumes: - ./services/10-nineapache/volume/apache:/etc/apache2/conf.d/nine - - ./services/10-nineapache/volume/ssl:/etc/apache2/ssl + - ./services/10-nineapache/volume/letsencrypt:/etc/letsencrypt diff --git a/services/10-nineapache/volume/ssl/selfsigned.crt b/services/10-nineapache/volume/ssl/selfsigned.crt deleted file mode 100644 index 49d040f..0000000 --- a/services/10-nineapache/volume/ssl/selfsigned.crt +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDYTCCAkmgAwIBAgIUQ+F6GtJo7VWyn1uemlBWSqYDGyYwDQYJKoZIhvcNAQEL -BQAwQDELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkZyYW5jZTEOMAwGA1UEBwwFRGlq -b24xEDAOBgNVBAoMB0NhZG9sZXMwHhcNMjQwNzI4MTU1NjM0WhcNMjUwNzI4MTU1 -NjM0WjBAMQswCQYDVQQGEwJGUjEPMA0GA1UECAwGRnJhbmNlMQ4wDAYDVQQHDAVE -aWpvbjEQMA4GA1UECgwHQ2Fkb2xlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -AQoCggEBAKLfE1bjieaMAKV7e9blEPGSQtp2gFfrsYwjLaFnT+JyUtNbAKtAUxsB -SOLMC+cBMluQyv1E69xeL+8v9QgkmpvUw/nJy32/hU1AVSxzfU67wZHWusjx4089 -tHLmJymDQkjvKnshLoPSXQTD3bA1HScMyuymqdXlUTIHm3xoOmi+9T+58UgCsTaj -7j8TavNdbU5PXSWyk8WHoYZJMEefLypvARa8g0xDYq3S7MomTIIulS/p/pD2RVA6 -th8SrjBiIvI7OrNP2TyYbZbVGit64+03+YIiCr8UUqA+a4FZlOzvWo9pHsErb/9a -uQeQ2ICS6ZnrLNHcNY/mppUW4TfEn6kCAwEAAaNTMFEwHQYDVR0OBBYEFGZEJEsY -Y4TL3Q2UMm1CfJNywqJuMB8GA1UdIwQYMBaAFGZEJEsYY4TL3Q2UMm1CfJNywqJu -MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAITdEJjIwNhzPomS -ybcf1MES4zHSzQNmE6eRgKrB3V7qKANyjaav8vuDaH5drs5cEs+r/uheuVEQFrSV -Jk4zLllo3XTdOE2Hydjzxy7Ztqel11hA8dD5tgdJBDxLj4lMbgAbMBWTfH2VjGYC -xPtr8dV9kH2/91sJixRgKBVZ5ywzbqPIZU3iraXe8VOd9Uj+hDrNomAXJFrI/QV4 -81bEvHwTmBHWU+plTu0YyhlBkW5byScFZNek5eOxI721phnog/t9UDbsi20mrH0e -iLfJ169LZ3yAWGy4NRq3oQnJUalu3HwlZr0fp0Eih0t7CD5O8Lt4ymN7EywrrI7J -VnR5yZU= ------END CERTIFICATE----- diff --git a/services/10-nineapache/volume/ssl/selfsigned.key b/services/10-nineapache/volume/ssl/selfsigned.key deleted file mode 100644 index fb22b8a..0000000 --- a/services/10-nineapache/volume/ssl/selfsigned.key +++ /dev/null 
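Review bot: The `/etc/apache2/ssl` mount and the committed `selfsigned.crt`/`selfsigned.key` are removed, yet the Dockerfile in this patch still installs the renamed `sslself.conf` as the default `/etc/apache2/conf.d/ssl.conf` (its content is not shown); if it still points at `/etc/apache2/ssl/selfsigned.*`, nothing in this patch provides those files any more and with the default `NINEAPACHE_LETSENCRYPT=0` Apache will fail to start. Either generate a throw-away pair at container start when the files are missing (`openssl` is already in the image) or keep a mount for them. Separately, the deleted private key stays in git history — any deployment that ever served it should regenerate its self-signed pair rather than assume the deletion retired it.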
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCi3xNW44nmjACl -e3vW5RDxkkLadoBX67GMIy2hZ0/iclLTWwCrQFMbAUjizAvnATJbkMr9ROvcXi/v -L/UIJJqb1MP5yct9v4VNQFUsc31Ou8GR1rrI8eNPPbRy5icpg0JI7yp7IS6D0l0E -w92wNR0nDMrspqnV5VEyB5t8aDpovvU/ufFIArE2o+4/E2rzXW1OT10lspPFh6GG -STBHny8qbwEWvINMQ2Kt0uzKJkyCLpUv6f6Q9kVQOrYfEq4wYiLyOzqzT9k8mG2W -1RoreuPtN/mCIgq/FFKgPmuBWZTs71qPaR7BK2//WrkHkNiAkumZ6yzR3DWP5qaV -FuE3xJ+pAgMBAAECggEAONndCktKa2sbHqhHxe8XRvti0pbinc3rn5r35osFW2nE -d3ogdaZyW87K/j9zOCM2zLdx444XNki6OqdmxHziatqNvbcujKo5gYmfMXDuoHjx -TFLDyDiGu7YyMpkbumXS0VqKXYhrkB/x0CP+Ue94SZUxkAFs7vioqun04CwRl1Xh -8Z0fU8IFSP1gEOmJMk1nLfCcYPdgsVDWNauhe1NAPCoZQGGYGfuGI6aBERy7vkAD -S5kt7SAnhznXbo2K1hNHuj2exOLUpjWUeA7k/pyiIuK+PBoizB0nOgGClvOY9TCu -il8jljLyH2lHeNhO1q6e+mu2oggjfozbMD5NcwduMQKBgQDGgj7+5fzhYtziFJOC -DtCDgOEx8F7WxluxwuniG+WasnrpvF3mERQfj+Lx1X4gSSiZBu/ygq+e+NVuw6oL -XNYyArvzsH+Ti9xzXhdJA0ujPXwoQ9km7GrM16x/OJGmA8Ruj7Xi5FSaP1mQeZze -6JttYTVLw2vOe+4OQpxRSSe/FwKBgQDSCp4TRh7HJ3/cx/VMt1r8YvD8O/RrS+Df -zKmTp57zaua8aVVXw34LN5RXnpom/zE1dg2uV0Lh4hneNEZgcm6OcJQrofkfrMUr -LJKyym635VmYOmLdZYfHU3YpyJmPSb9+VwObPN9WGqgMMhoG8b7AeTqLihait5OA -I0gj2+/PPwKBgGGeAySOLMEZQM3cmH1Ik7lXU2afccPkX4sW8rTCSzK7uj3e574P -f/nVZCDQf+mYkGJQSwbSxVJDw5FonuJfkOWe+pZnoRUJnisNhh3dhQCNZ9TVKKA/ -enWpSaZ2RwmAqMRF34foCMKhjIXDiCUF9gjf2LmdLBKqVvKkRwKiGu2ZAoGBAMbo -VSBthBIXnueG2Q8IiHqAfDRx1pqRpehqmaCB2W4tK0r7+Vz+fevDe5CqWtNZUdGN -9ZDHhEgDZXnfSVJmq7nqdPcJEbHkXGfxcw8r00QFRx55FE0TrEygBkO1e26NaXIM -lxa4w8t3vPKns6wl3P3LEB067Qq1DFMJlnSXAHfjAoGAAPbkr4ETFLswU/qdWAag -mp5l2q7lAr9WUW+grJsY7PAc+RWvYiqs8zSyqIP39FyiwCdvJbQ7yhmUUI4Xsap+ -sseQwQ77KvZbAmbaht/8CCEpEvIunlmDPPvdmC2aBjjiXPCdfuI9oZW1vHg+DMR0 -EJyRdCAFQ4+712mehLzSSFQ= ------END PRIVATE KEY----- diff --git a/services/50-nextcloud/volume/prestart/prestart.sh b/services/50-nextcloud/volume/prestart/prestart.sh index dc3d7c8..2a575ac 100755 --- a/services/50-nextcloud/volume/prestart/prestart.sh 
+++ b/services/50-nextcloud/volume/prestart/prestart.sh
@@ -16,6 +16,7 @@ run_as 'php occ config:system:set trusted_domains 1 --value '${WEB_URL}
 run_as 'php occ config:system:set overwrite.cli.url --value '${NEXTCLOUD_URL}
 run_as 'php occ config:system:set overwritewebroot --value '${NEXTCLOUD_ALIAS}
 run_as 'php occ config:system:set htaccess.RewriteBase --value '${NEXTCLOUD_ALIAS}
+run_as 'php occ config:system:set overwriteprotocol --value '${PROTOCOLE}
 echo
 echo "== CALENDAR"
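Review bot: The new line appends `${PROTOCOLE}` unquoted outside the single-quoted command, and nothing in this patch — `env/.env` included — defines `PROTOCOLE`; if it is unset the container runs `php occ config:system:set overwriteprotocol --value` with no value, and Nextcloud's URL generation is left unchanged or broken. Fail fast instead, `run_as 'php occ config:system:set overwriteprotocol --value '"${PROTOCOLE:?PROTOCOLE must be http or https}"`, or default it to `https` now that the proxy forces TLS. If `PROTOCOLE` is defined elsewhere in the repository, a comment here saying where would still help the next reader.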