This commit is contained in:
Arno 2024-10-26 10:16:37 +00:00
parent 6410bf5e34
commit b5e5a75d36
14 changed files with 118 additions and 79 deletions

3
.gitignore vendored
View File

@ -3,7 +3,7 @@
docker-compose.yml docker-compose.yml
/services/10-nineapache/volume/apache /services/10-nineapache/volume
/services/15-mariadb/volume/mysql /services/15-mariadb/volume/mysql
@ -19,6 +19,7 @@ docker-compose.yml
/services/50-nextcloud/volume/html /services/50-nextcloud/volume/html
/services/50-nextcloud/volume/app /services/50-nextcloud/volume/app
/services/50-nineboard/volume/data
/services/50-nineboard/volume/data /services/50-nineboard/volume/data
/services/50-ninefolio/volume/data /services/50-ninefolio/volume/data
/services/50-ninefolio/volume/apache /services/50-ninefolio/volume/apache

1
env/.env vendored
View File

@ -33,6 +33,7 @@ MODE_AUTH=CAS
NINEAPACHE_SERVICE_NAME=nineapache NINEAPACHE_SERVICE_NAME=nineapache
NINEAPACHE_ACTIVATE=1 NINEAPACHE_ACTIVATE=1
NINEAPACHE_LOCAL=1 NINEAPACHE_LOCAL=1
NINEAPACHE_LETSENCRYPT=0
# FAKESMTP # FAKESMTP
# fake-smtp server # fake-smtp server

View File

@ -1,22 +0,0 @@
ProxyPass /auth http://nine.local:8080/auth retry=0 keepalive=On
ProxyPassReverse /auth http://nine.local:8080/auth retry=0
ProxyPass /ninegate http://nine.local:9000/ninegate retry=0 keepalive=On
ProxyPassReverse /ninegate http://nine.local:9000/ninegate retry=0
ProxyPass /wssninegate ws://nine.local:9000/wssninegate retry=0 keepalive=On
ProxyPassReverse /wssninegate ws://nine.local:9000/wssninegate retry=0
ProxyPass /nextcloud http://nine.local:9001 retry=0 keepalive=On
ProxyPassReverse /nextcloud http://nine.local:9001 retry=0
ProxyPass /adminer http://nine.local:9100 retry=0 keepalive=On
ProxyPassReverse /adminer http://nine.local:9100 retry=0
ProxyPass /phpldapadmin http://nine.local:9101/phpldapadmin retry=0 keepalive=On
ProxyPassReverse /phpldapadmin http://nine.local:9101/phpldapadmin retry=0
ProxyPass /nineapache http://nine.local:9102 retry=0 keepalive=On
ProxyPassReverse /nineapache http://nine.local:9102 retry=0

View File

@ -13,7 +13,9 @@ RUN apk add --no-cache \
unzip \ unzip \
zip \ zip \
openssl \ openssl \
mariadb-client mariadb-client \
certbot \
gettext
RUN apk add --no-cache \ RUN apk add --no-cache \
apache2 \ apache2 \
@ -64,7 +66,14 @@ RUN chmod +x /etc/apache2/apache2.sh
COPY php.local.ini /etc/php81/conf.d/ COPY php.local.ini /etc/php81/conf.d/
COPY httpd.conf /etc/apache2/httpd.conf COPY httpd.conf /etc/apache2/httpd.conf
COPY site.conf /etc/apache2/conf.d/nine/site.conf COPY site.conf /etc/apache2/conf.d/nine/site.conf
COPY ssl.conf /etc/apache2/conf.d/ssl.conf COPY sslself.conf /etc/apache2/conf.d/ssl.conf
COPY index.php /app/public/index.php COPY index.php /app/public/index.php
RUN mkdir /nine
COPY sslletsencrypt.conf /nine/ssl.conf
RUN mkdir -p /usr/local/apache2/htdocs/.well-known/acme-challenge
COPY addcertif.sh /nine/addcertif.sh
RUN chmod +x /nine/addcertif.sh
RUN echo "0 1 * * * /etc/apache2/addcertif.sh >> /var/log/addcertif.log 2>&1" >> /var/spool/cron/crontabs/root
CMD /etc/apache2/apache2.sh CMD /etc/apache2/apache2.sh

View File

@ -0,0 +1,15 @@
#!/bin/bash
if [[ $NINEAPACHE_LETSENCRYPT == 1 ]]
then
# On génère ou renouvel le certificat
echo "CERTIFICAT LETSENCRYPT"
certbot certonly --webroot -w /usr/local/apache2/htdocs -d ${WEB_URL} --non-interactive --agree-tos --email ${ADMIN_EMAIL}
# On supprime la conf ssl pour placer celle de letsencrypt en y placant la web_url
rm -f /etc/apache2/conf.d/ssl.conf
envsubst < "/nine/ssl.conf" > "/etc/apache2/conf.d/ssl.conf"
# On redemarre apache
httpd -k graceful
fi

View File

@ -1,13 +1,28 @@
LoadModule rewrite_module modules/mod_rewrite.so LoadModule rewrite_module modules/mod_rewrite.so
ServerName nineapache.local ServerName nineapache.local
DocumentRoot "/app/public" DocumentRoot "/app/public"
# Alias pour le répertoire de validation de Certbot
Alias /.well-known/acme-challenge /usr/local/apache2/htdocs/.well-known/acme-challenge
# Exclure les requêtes pour .well-known/acme-challenge de la redirection vers index.php
<Location "/.well-known/acme-challenge">
Options None
AllowOverride None
Require all granted
</Location>
<Directory "/app/public"> <Directory "/app/public">
Options Indexes FollowSymLinks Options Indexes FollowSymLinks
AllowOverride All AllowOverride All
Require all granted Require all granted
RewriteEngine On RewriteEngine On
# Exclure les requêtes vers .well-known/acme-challenge de la redirection
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
# Règles de réécriture existantes
RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$ RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
RewriteRule .* - [E=BASE:%1] RewriteRule .* - [E=BASE:%1]
RewriteCond %{HTTP:Authorization} .+ RewriteCond %{HTTP:Authorization} .+
@ -17,4 +32,3 @@ DocumentRoot "/app/public"
RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ %{ENV:BASE}/index.php [L] RewriteRule ^ %{ENV:BASE}/index.php [L]
</Directory> </Directory>

View File

@ -0,0 +1,43 @@
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!ADH
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!ADH
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/cache/mod_ssl/scache(512000)"
SSLSessionCacheTimeout 300
<VirtualHost _default_:443>
DocumentRoot "/app/public"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog logs/ssl_error.log
TransferLog logs/ssl_access.log
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/${WEB_URL}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${WEB_URL}/privkey.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/app/public/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request.log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

10
nine.sh
View File

@ -342,6 +342,15 @@ then
up$2 up$2
fi fi
docker-compose logs -f $2 docker-compose logs -f $2
elif [[ $1 == "letsencrypt" ]]
then
Title ${NINEAPACHE_SERVICE_NAME^^} LETSENCRYPT
if [[ $NINEAPACHE_ACTIVATE == 1 && $NINEAPACHE_LOCAL == 1 ]]
then
docker-compose exec ${NINEAPACHE_SERVICE_NAME} /nine/addcertif.sh
else
EchoRouge "Service ${NINEAPACHE_SERVICE_NAME} non actif"
fi
else else
EchoRouge "Action possible =" EchoRouge "Action possible ="
EchoRouge "nine.sh > UP de l'ensemble des services actifs" EchoRouge "nine.sh > UP de l'ensemble des services actifs"
@ -362,6 +371,7 @@ else
EchoRouge "nine.sh iswait monservice > monservice est-il en cours de construction" EchoRouge "nine.sh iswait monservice > monservice est-il en cours de construction"
EchoRouge "nine.sh regen > lance destroyall puis up sur l'ensemble des service" EchoRouge "nine.sh regen > lance destroyall puis up sur l'ensemble des service"
EchoRouge "nine.sh regen monservice > lance destroy monservice puis up monservice" EchoRouge "nine.sh regen monservice > lance destroy monservice puis up monservice"
EchoRouge "nine.sh letsencrypt > genere ou renouvelle le certificat letsencrypt"
fi fi
echo echo
echo echo

View File

@ -2,6 +2,10 @@ LoadModule rewrite_module modules/mod_rewrite.so
ServerName nineapache.local ServerName nineapache.local
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Options Proxy # Options Proxy
ProxyRequests Off ProxyRequests Off
ProxyPreserveHost On ProxyPreserveHost On
@ -16,14 +20,26 @@ RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
RequestHeader set Host "%{HTTP_HOST}s" RequestHeader set Host "%{HTTP_HOST}s"
RequestHeader set X-Forwarded-Proto "http" RequestHeader set X-Forwarded-Proto "http"
# Alias pour le répertoire de validation de Certbot
Alias /.well-known/acme-challenge /usr/local/apache2/htdocs/.well-known/acme-challenge
# Exclure les requêtes pour .well-known/acme-challenge de la redirection vers index.php
<Location "/.well-known/acme-challenge">
Options None
Require all granted
</Location>
# Page interne au proxy # Page interne au proxy
DocumentRoot "/app/public" DocumentRoot "/app/public"
<Directory "/app/public"> <Directory "/app/public">
Options Indexes FollowSymLinks Options Indexes FollowSymLinks
AllowOverride All AllowOverride All
Require all granted Require all granted
RewriteEngine On RewriteEngine On
# Exclure les requêtes vers .well-known/acme-challenge de la redirection
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$ RewriteCond %{REQUEST_URI}::$0 ^(/.+)/(.*)::\2$
RewriteRule .* - [E=BASE:%1] RewriteRule .* - [E=BASE:%1]
RewriteCond %{HTTP:Authorization} .+ RewriteCond %{HTTP:Authorization} .+

View File

@ -14,4 +14,4 @@ services:
- "443:443" - "443:443"
volumes: volumes:
- ./services/10-nineapache/volume/apache:/etc/apache2/conf.d/nine - ./services/10-nineapache/volume/apache:/etc/apache2/conf.d/nine
- ./services/10-nineapache/volume/ssl:/etc/apache2/ssl - ./services/10-nineapache/volume/letsencrypt:/etc/letsencrypt

View File

@ -1,21 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDYTCCAkmgAwIBAgIUQ+F6GtJo7VWyn1uemlBWSqYDGyYwDQYJKoZIhvcNAQEL
BQAwQDELMAkGA1UEBhMCRlIxDzANBgNVBAgMBkZyYW5jZTEOMAwGA1UEBwwFRGlq
b24xEDAOBgNVBAoMB0NhZG9sZXMwHhcNMjQwNzI4MTU1NjM0WhcNMjUwNzI4MTU1
NjM0WjBAMQswCQYDVQQGEwJGUjEPMA0GA1UECAwGRnJhbmNlMQ4wDAYDVQQHDAVE
aWpvbjEQMA4GA1UECgwHQ2Fkb2xlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKLfE1bjieaMAKV7e9blEPGSQtp2gFfrsYwjLaFnT+JyUtNbAKtAUxsB
SOLMC+cBMluQyv1E69xeL+8v9QgkmpvUw/nJy32/hU1AVSxzfU67wZHWusjx4089
tHLmJymDQkjvKnshLoPSXQTD3bA1HScMyuymqdXlUTIHm3xoOmi+9T+58UgCsTaj
7j8TavNdbU5PXSWyk8WHoYZJMEefLypvARa8g0xDYq3S7MomTIIulS/p/pD2RVA6
th8SrjBiIvI7OrNP2TyYbZbVGit64+03+YIiCr8UUqA+a4FZlOzvWo9pHsErb/9a
uQeQ2ICS6ZnrLNHcNY/mppUW4TfEn6kCAwEAAaNTMFEwHQYDVR0OBBYEFGZEJEsY
Y4TL3Q2UMm1CfJNywqJuMB8GA1UdIwQYMBaAFGZEJEsYY4TL3Q2UMm1CfJNywqJu
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAITdEJjIwNhzPomS
ybcf1MES4zHSzQNmE6eRgKrB3V7qKANyjaav8vuDaH5drs5cEs+r/uheuVEQFrSV
Jk4zLllo3XTdOE2Hydjzxy7Ztqel11hA8dD5tgdJBDxLj4lMbgAbMBWTfH2VjGYC
xPtr8dV9kH2/91sJixRgKBVZ5ywzbqPIZU3iraXe8VOd9Uj+hDrNomAXJFrI/QV4
81bEvHwTmBHWU+plTu0YyhlBkW5byScFZNek5eOxI721phnog/t9UDbsi20mrH0e
iLfJ169LZ3yAWGy4NRq3oQnJUalu3HwlZr0fp0Eih0t7CD5O8Lt4ymN7EywrrI7J
VnR5yZU=
-----END CERTIFICATE-----

View File

@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCi3xNW44nmjACl
e3vW5RDxkkLadoBX67GMIy2hZ0/iclLTWwCrQFMbAUjizAvnATJbkMr9ROvcXi/v
L/UIJJqb1MP5yct9v4VNQFUsc31Ou8GR1rrI8eNPPbRy5icpg0JI7yp7IS6D0l0E
w92wNR0nDMrspqnV5VEyB5t8aDpovvU/ufFIArE2o+4/E2rzXW1OT10lspPFh6GG
STBHny8qbwEWvINMQ2Kt0uzKJkyCLpUv6f6Q9kVQOrYfEq4wYiLyOzqzT9k8mG2W
1RoreuPtN/mCIgq/FFKgPmuBWZTs71qPaR7BK2//WrkHkNiAkumZ6yzR3DWP5qaV
FuE3xJ+pAgMBAAECggEAONndCktKa2sbHqhHxe8XRvti0pbinc3rn5r35osFW2nE
d3ogdaZyW87K/j9zOCM2zLdx444XNki6OqdmxHziatqNvbcujKo5gYmfMXDuoHjx
TFLDyDiGu7YyMpkbumXS0VqKXYhrkB/x0CP+Ue94SZUxkAFs7vioqun04CwRl1Xh
8Z0fU8IFSP1gEOmJMk1nLfCcYPdgsVDWNauhe1NAPCoZQGGYGfuGI6aBERy7vkAD
S5kt7SAnhznXbo2K1hNHuj2exOLUpjWUeA7k/pyiIuK+PBoizB0nOgGClvOY9TCu
il8jljLyH2lHeNhO1q6e+mu2oggjfozbMD5NcwduMQKBgQDGgj7+5fzhYtziFJOC
DtCDgOEx8F7WxluxwuniG+WasnrpvF3mERQfj+Lx1X4gSSiZBu/ygq+e+NVuw6oL
XNYyArvzsH+Ti9xzXhdJA0ujPXwoQ9km7GrM16x/OJGmA8Ruj7Xi5FSaP1mQeZze
6JttYTVLw2vOe+4OQpxRSSe/FwKBgQDSCp4TRh7HJ3/cx/VMt1r8YvD8O/RrS+Df
zKmTp57zaua8aVVXw34LN5RXnpom/zE1dg2uV0Lh4hneNEZgcm6OcJQrofkfrMUr
LJKyym635VmYOmLdZYfHU3YpyJmPSb9+VwObPN9WGqgMMhoG8b7AeTqLihait5OA
I0gj2+/PPwKBgGGeAySOLMEZQM3cmH1Ik7lXU2afccPkX4sW8rTCSzK7uj3e574P
f/nVZCDQf+mYkGJQSwbSxVJDw5FonuJfkOWe+pZnoRUJnisNhh3dhQCNZ9TVKKA/
enWpSaZ2RwmAqMRF34foCMKhjIXDiCUF9gjf2LmdLBKqVvKkRwKiGu2ZAoGBAMbo
VSBthBIXnueG2Q8IiHqAfDRx1pqRpehqmaCB2W4tK0r7+Vz+fevDe5CqWtNZUdGN
9ZDHhEgDZXnfSVJmq7nqdPcJEbHkXGfxcw8r00QFRx55FE0TrEygBkO1e26NaXIM
lxa4w8t3vPKns6wl3P3LEB067Qq1DFMJlnSXAHfjAoGAAPbkr4ETFLswU/qdWAag
mp5l2q7lAr9WUW+grJsY7PAc+RWvYiqs8zSyqIP39FyiwCdvJbQ7yhmUUI4Xsap+
sseQwQ77KvZbAmbaht/8CCEpEvIunlmDPPvdmC2aBjjiXPCdfuI9oZW1vHg+DMR0
EJyRdCAFQ4+712mehLzSSFQ=
-----END PRIVATE KEY-----

View File

@ -16,6 +16,7 @@ run_as 'php occ config:system:set trusted_domains 1 --value '${WEB_URL}
run_as 'php occ config:system:set overwrite.cli.url --value '${NEXTCLOUD_URL} run_as 'php occ config:system:set overwrite.cli.url --value '${NEXTCLOUD_URL}
run_as 'php occ config:system:set overwritewebroot --value '${NEXTCLOUD_ALIAS} run_as 'php occ config:system:set overwritewebroot --value '${NEXTCLOUD_ALIAS}
run_as 'php occ config:system:set htaccess.RewriteBase --value '${NEXTCLOUD_ALIAS} run_as 'php occ config:system:set htaccess.RewriteBase --value '${NEXTCLOUD_ALIAS}
run_as 'php occ config:system:set overwriteprotocol --value '${PROTOCOLE}
echo echo
echo "== CALENDAR" echo "== CALENDAR"