mirror of
https://github.com/chevereto/docker.git
synced 2026-06-21 22:40:02 +02:00
wip https
1
.gitignore
vendored
1
.gitignore
vendored
@@ -1,2 +1,3 @@
|
||||
.DS_Store
|
||||
/chevereto
|
||||
/letsencrypt
|
||||
|
||||
23
Dockerfile
23
Dockerfile
@@ -15,11 +15,8 @@ RUN apt-get update && apt-get install -y \
|
||||
rsync \
|
||||
inotify-tools \
|
||||
imagemagick libmagickwand-dev --no-install-recommends \
|
||||
&& a2enmod rewrite \
|
||||
&& docker-php-ext-configure gd \
|
||||
--with-freetype=/usr/include/ \
|
||||
--with-jpeg=/usr/include/ \
|
||||
--with-webp=/usr/include/ \
|
||||
&& a2enmod rewrite && a2enmod ssl && a2enmod socache_shmcb \
|
||||
&& docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ --with-webp=/usr/include/ \
|
||||
&& docker-php-ext-configure opcache --enable-opcache \
|
||||
&& docker-php-ext-install -j$(nproc) exif gd pdo_mysql zip opcache bcmath \
|
||||
&& pecl install imagick \
|
||||
@@ -27,8 +24,20 @@ RUN apt-get update && apt-get install -y \
|
||||
&& php -m
|
||||
|
||||
RUN echo "sendmail_path=/usr/sbin/sendmail -t -i" >> /usr/local/etc/php/conf.d/sendmail.ini \
|
||||
&& sed -i '/#!\/bin\/sh/aservice sendmail restart' /usr/local/bin/docker-php-entrypoint \
|
||||
&& sed -i '/#!\/bin\/sh/aecho "$(hostname -i)\t$(hostname) $(hostname).localhost" >> /etc/hosts' /usr/local/bin/docker-php-entrypoint
|
||||
&& sed -i \
|
||||
-e '/#!\/bin\/sh/a\echo "$(hostname -i)\t$(hostname) $(hostname).localhost" >> /etc/hosts' \
|
||||
-e '/#!\/bin\/sh/a\service sendmail restart' \
|
||||
/usr/local/bin/docker-php-entrypoint
|
||||
|
||||
RUN sed -i \
|
||||
-e '/SSLCertificateFile.*snakeoil\.pem/c\SSLCertificateFile /etc/ssl/certs/cert.pem' \
|
||||
-e '/SSLCertificateKeyFile.*snakeoil\.key/c\SSLCertificateKeyFile /etc/ssl/private/key.pem' \
|
||||
/etc/apache2/sites-available/default-ssl.conf \
|
||||
&& sed -i \
|
||||
-e 's~^ServerSignature On$~ServerSignature Off~g' \
|
||||
-e 's~^ServerTokens OS$~ServerTokens Prod~g' \
|
||||
/etc/apache2/conf-available/security.conf \
|
||||
&& a2ensite default-ssl
|
||||
|
||||
RUN rm -rf /var/lib/apt/lists/*
|
||||
|
||||
|
||||
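Review bot: Both `sed` edits in the new `RUN sed -i …` step exit successfully even when nothing matches. If the base image's `default-ssl.conf` or `security.conf` lacks the exact `snakeoil` lines or `ServerTokens OS` / `ServerSignature On`, the build passes with the certificate paths and the banner hardening silently not applied. I would make the step fail closed by adding `&& grep -q '^ServerTokens Prod$' /etc/apache2/conf-available/security.conf` and `&& grep -q 'SSLCertificateKeyFile /etc/ssl/private/key.pem' /etc/apache2/sites-available/default-ssl.conf` before `a2ensite default-ssl`. A short comment above the step should also say that `/etc/ssl/certs/cert.pem` and `/etc/ssl/private/key.pem` are not part of the image and must be mounted at run time, since Apache will presumably refuse to start with `default-ssl` enabled and the files missing.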
76
Makefile
76
Makefile
@@ -9,7 +9,10 @@ PROTOCOL ?= http
|
||||
NAMESPACE ?= chevereto
|
||||
SERVICE ?= php
|
||||
|
||||
PORT ?= 8420
|
||||
PORT_HTTP ?= 8420
|
||||
PORT_HTTPS ?= 8430
|
||||
PORT = $(shell [[ \${PROTOCOL} == "http" ]] && echo \${PORT_HTTP} || echo \${PORT_HTTPS})
|
||||
HTTPS = $(shell [[ \${PROTOCOL} == "http" ]] && echo 0 || echo 1)
|
||||
|
||||
URL = ${PROTOCOL}://${HOSTNAME}:${PORT}/
|
||||
PROJECT = $(shell [[ \${TARGET} == "prod" ]] && echo \${NAMESPACE}_chevereto || echo \${NAMESPACE}_chevereto-${TARGET})
|
||||
@@ -26,7 +29,16 @@ FEEDBACK_SHORT = $(shell echo 👉 \${TARGET} V\${VERSION} [PHP \${PHP}] \(\${DO
|
||||
|
||||
LICENSE ?= $(shell stty -echo; read -p "Chevereto V4 License key: 🔑" license; stty echo; echo $$license)
|
||||
|
||||
DOCKER_COMPOSE = $(shell echo docker compose -p \${PROJECT} -f \${COMPOSE_FILE})
|
||||
DOCKER_COMPOSE = $(shell echo @CONTAINER_BASENAME=\${CONTAINER_BASENAME} \
|
||||
PORT_HTTP=\${PORT_HTTP} \
|
||||
PORT_HTTPS=\${PORT_HTTPS} \
|
||||
HTTPS=\${HTTPS} \
|
||||
TAG_BASENAME=\${TAG_BASENAME} \
|
||||
VERSION=\${VERSION} \
|
||||
HOSTNAME=\${HOSTNAME} \
|
||||
HOSTNAME_PATH=\${HOSTNAME_PATH} \
|
||||
URL=\${URL} \
|
||||
docker compose -p \${PROJECT} -f \${COMPOSE_FILE})
|
||||
|
||||
feedback:
|
||||
@./scripts/logo.sh
|
||||
@@ -65,16 +77,19 @@ image-custom: feedback--short
|
||||
-t ${TAG_BASENAME}_php
|
||||
|
||||
volume-cp:
|
||||
docker run --rm -it -v ${VOLUME_FROM}:/from -v ${VOLUME_TO}:/to alpine ash -c "cd /from ; cp -av . /to"
|
||||
@docker run --rm -it -v ${VOLUME_FROM}:/from -v ${VOLUME_TO}:/to alpine ash -c "cd /from ; cp -av . /to"
|
||||
|
||||
volume-rm:
|
||||
docker volume rm ${VOLUME}
|
||||
@docker volume rm ${VOLUME}
|
||||
|
||||
bash: feedback
|
||||
@docker exec -it --user ${DOCKER_USER} \
|
||||
${CONTAINER_BASENAME}_${SERVICE} \
|
||||
bash
|
||||
|
||||
log: feedback
|
||||
@docker logs -f ${CONTAINER_BASENAME}_${SERVICE}
|
||||
|
||||
log-access: feedback
|
||||
@docker logs ${CONTAINER_BASENAME}_${SERVICE} -f 2>/dev/null
|
||||
|
||||
@@ -84,51 +99,46 @@ log-error: feedback
|
||||
# docker compose
|
||||
|
||||
up: feedback feedback--compose feedback--url
|
||||
@CONTAINER_BASENAME=${CONTAINER_BASENAME} \
|
||||
PORT=${PORT} \
|
||||
TAG_BASENAME=${TAG_BASENAME} \
|
||||
VERSION=${VERSION} \
|
||||
HOSTNAME=${HOSTNAME} \
|
||||
HOSTNAME_PATH=${HOSTNAME_PATH} \
|
||||
URL=${URL} \
|
||||
${DOCKER_COMPOSE} up
|
||||
|
||||
up-d: feedback feedback--compose feedback--url
|
||||
@CONTAINER_BASENAME=${CONTAINER_BASENAME} \
|
||||
PORT=${PORT} \
|
||||
TAG_BASENAME=${TAG_BASENAME} \
|
||||
VERSION=${VERSION} \
|
||||
HOSTNAME=${HOSTNAME} \
|
||||
HOSTNAME_PATH=${HOSTNAME_PATH} \
|
||||
URL=${URL} \
|
||||
${DOCKER_COMPOSE} up -d
|
||||
|
||||
stop: feedback feedback--compose
|
||||
@CONTAINER_BASENAME=${CONTAINER_BASENAME} \
|
||||
PORT=${PORT} \
|
||||
VERSION=${VERSION} \
|
||||
${DOCKER_COMPOSE} stop
|
||||
|
||||
start: feedback feedback--compose
|
||||
@CONTAINER_BASENAME=${CONTAINER_BASENAME} \
|
||||
PORT=${PORT} \
|
||||
VERSION=${VERSION} \
|
||||
${DOCKER_COMPOSE} start
|
||||
|
||||
restart: feedback feedback--compose
|
||||
@CONTAINER_BASENAME=${CONTAINER_BASENAME} \
|
||||
PORT=${PORT} \
|
||||
VERSION=${VERSION} \
|
||||
${DOCKER_COMPOSE} restart
|
||||
|
||||
down: feedback feedback--compose
|
||||
@CONTAINER_BASENAME=${CONTAINER_BASENAME} \
|
||||
PORT=${PORT} \
|
||||
VERSION=${VERSION} \
|
||||
${DOCKER_COMPOSE} down
|
||||
|
||||
down--volumes: feedback feedback--compose
|
||||
@CONTAINER_BASENAME=${CONTAINER_BASENAME} \
|
||||
PORT=${PORT} \
|
||||
VERSION=${VERSION} \
|
||||
${DOCKER_COMPOSE} down --volumes
|
||||
|
||||
# tools
|
||||
|
||||
certbot:
|
||||
@echo "🔐 Generating certificate"
|
||||
@HOSTNAME=${HOSTNAME} \
|
||||
docker container run \
|
||||
-it \
|
||||
--rm \
|
||||
-v ${PWD}/letsencrypt/certs:/etc/letsencrypt \
|
||||
-v ${PWD}/letsencrypt/data:/data/letsencrypt \
|
||||
certbot/certbot certonly \
|
||||
--webroot \
|
||||
--webroot-path=/data/letsencrypt \
|
||||
-d ${HOSTNAME} \
|
||||
--dry-run \
|
||||
&& cp ${PWD}/letsencrypt/certs/live/${HOSTNAME}/fullchain.pem ${PWD}/https/cert.pem \
|
||||
&& cp ${PWD}/letsencrypt/certs/live/${HOSTNAME}/privkey.pem ${PWD}/https/key.pem
|
||||
|
||||
cert-self:
|
||||
@echo "🔐 Generating self-signed certificate"
|
||||
@cd ${PWD}/https \
|
||||
&& openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem
|
||||
|
||||
|
||||
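Review bot: The `certbot` recipe runs `certonly` with `--dry-run`, which as far as I know only tests issuance and saves no certificate, so the chained `cp` lines either fail or copy whatever older files sit under `letsencrypt/certs/live/${HOSTNAME}/`. Once the flag is dropped, the private key is copied to `https/key.pem` with default permissions, into a directory this commit tracks in git (`.gitignore` only gains `/letsencrypt`). I would follow the copy with `&& chmod 600 ${PWD}/https/key.pem` and ignore `/https/*.pem`. Separately, the new `PORT` and `HTTPS` assignments use `[[ … ]]` inside `$(shell …)`; unless `SHELL` is set to bash outside this hunk, a POSIX `/bin/sh` fails the test and both values fall through to the `||` branch regardless of `PROTOCOL`.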
11
default.yml
11
default.yml
@@ -40,8 +40,15 @@ services:
|
||||
volumes:
|
||||
- storage:/var/www/html/images/
|
||||
- assets:/var/www/html/_assets/
|
||||
- type: bind
|
||||
source: ${PWD}/https/cert.pem
|
||||
target: /etc/ssl/certs/cert.pem
|
||||
- type: bind
|
||||
source: ${PWD}/https/key.pem
|
||||
target: /etc/ssl/private/key.pem
|
||||
ports:
|
||||
- ${PORT}:80
|
||||
- ${PORT_HTTP}:80
|
||||
- ${PORT_HTTPS}:443
|
||||
restart: always
|
||||
environment:
|
||||
CHEVERETO_DB_HOST: database
|
||||
@@ -51,7 +58,7 @@ services:
|
||||
CHEVERETO_DB_NAME: chevereto
|
||||
CHEVERETO_HOSTNAME: ${HOSTNAME}
|
||||
CHEVERETO_HOSTNAME_PATH: ${HOSTNAME_PATH}
|
||||
CHEVERETO_HTTPS: 0
|
||||
CHEVERETO_HTTPS: ${HTTPS}
|
||||
CHEVERETO_ASSET_STORAGE_TYPE: local
|
||||
CHEVERETO_ASSET_STORAGE_URL: ${URL}_assets/
|
||||
CHEVERETO_ASSET_STORAGE_BUCKET: /var/www/html/_assets/
|
||||
|
||||
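Review bot: The two new bind mounts give the container write access to the host's `https/cert.pem` and `https/key.pem`; Apache only needs to read them, so each entry should carry `read_only: true`. Both are `type: bind` entries, so I would expect `up` to fail when the files are absent, which deserves a one-line comment above the mounts pointing at `make cert-self` / `make certbot`. Port 80 also stays published through `${PORT_HTTP}:80` when `HTTPS` is 1, and nothing visible in this commit redirects it to 443, so the plain-HTTP listener needs either a redirect or a note that it is intentional.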
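--- a/docs/HTTPS.md
+++ b/docs/HTTPS.md
@@ -0,0 +1,26 @@
+# HTTPS
+
+Place the certificate and private key at `https/`.
+
+| Type | File |
+| ----------- | ---------- |
+| Certificate | `cert.pem` |
+| Private key | `key.pem` |
+
+## Create certificate
+
+To create a certificate using certbot:
+
+```sh
+make certbot HOSTNAME=chevereto.com
+```
+
+The above command uses `certbot/certbot` for providing the files required, it will place the generated files at `https/`.
+
+## Use HTTPS
+
+Alter the commands to use `PROTOCOL=https`:
+
+```sh
+make up-d PROTOCOL=https HOSTNAME=chevereto.com
+```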
22
https/cert.pem
Normal file
22
https/cert.pem
Normal file
@@ -0,0 +1,22 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDtjCCAp4CCQC9rx8BAlN2IDANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMC
|
||||
Q0wxGjAYBgNVBAgMEVJlZ2lvbiBkZWwgQmlvYmlvMRMwEQYDVQQHDApDb25jZXBj
|
||||
aW9uMRswGQYDVQQKDBJDaGV2ZXJldG8gU29mdHdhcmUxCzAJBgNVBAsMAklUMRIw
|
||||
EAYDVQQDDAlsb2NhbGhvc3QxHjAcBgkqhkiG9w0BCQEWD2FkbWluQGxvY2FsaG9z
|
||||
dDAeFw0yMjEwMTcxMjI5MjZaFw0zMjEwMTQxMjI5MjZaMIGcMQswCQYDVQQGEwJD
|
||||
TDEaMBgGA1UECAwRUmVnaW9uIGRlbCBCaW9iaW8xEzARBgNVBAcMCkNvbmNlcGNp
|
||||
b24xGzAZBgNVBAoMEkNoZXZlcmV0byBTb2Z0d2FyZTELMAkGA1UECwwCSVQxEjAQ
|
||||
BgNVBAMMCWxvY2FsaG9zdDEeMBwGCSqGSIb3DQEJARYPYWRtaW5AbG9jYWxob3N0
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz0t/WPCE0i4AgOXBo2tK
|
||||
EvGdqfU5cGjQ6qYZeOrAG4tU1LqUhZWucAG97K9yOwc/ySNcEvg7ZSFc/jxQ3AjE
|
||||
mIvNf1rIZ1DhOYaqu/EseEsh2uz2QCMRkZeBWAh/32k2qm5khFX6NRbV4MAHt8Tc
|
||||
6FACjZz+p8tQHwrPgQc1PwN+J++d5k7DU34cYoGaeH+3Mlo2pNodrIVgT/NidEzT
|
||||
qrpqxMkm+YcuGvZeNk6iWRGc18Q6d+Z6HftmoSDqH5bxpt9OPA0MnS8mHqyB8McK
|
||||
7b8VBZuHzMmKyf/Q7lNQU6egDuql2zaeXrUX3tgt7PQql4tmWU1VLRz1zZrph0AC
|
||||
nwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB/x+IfDS4Nl0EyRnvBlkMLNOTL+8qO
|
||||
syr2p+M44eUX0fT2s+RN7Wbf3Rl5iGvG4kn3udaJ07vuH5EH8BZITw0945YaWb5F
|
||||
aV8h7ZKd0kDeNcU2rUy+a2xrSh2KJJHbYL8cUWNcVE/RGon/o7gfQBzb4htRiJcW
|
||||
EYtImBdkxdhKoXSYDTz8xP7z8NxiFDpuhKv5bzQB62DtGjnDl8BHxmlUCP8OSprQ
|
||||
tAtoZD20pFqoLj+LZvVHQUsJmd8bRg6aatmDNjSUkvKrnhZnlSXM3MR9xN484JgQ
|
||||
AhqsPV4rGOBaTIAKSz8VTWPlqpvhJdPq2C4Vmbt00C+1px6d5Rt1B4pn
|
||||
-----END CERTIFICATE-----
|
||||
28
https/key.pem
Normal file
28
https/key.pem
Normal file
@@ -0,0 +1,28 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPS39Y8ITSLgCA
|
||||
5cGja0oS8Z2p9TlwaNDqphl46sAbi1TUupSFla5wAb3sr3I7Bz/JI1wS+DtlIVz+
|
||||
PFDcCMSYi81/WshnUOE5hqq78Sx4SyHa7PZAIxGRl4FYCH/faTaqbmSEVfo1FtXg
|
||||
wAe3xNzoUAKNnP6ny1AfCs+BBzU/A34n753mTsNTfhxigZp4f7cyWjak2h2shWBP
|
||||
82J0TNOqumrEySb5hy4a9l42TqJZEZzXxDp35nod+2ahIOoflvGm3048DQydLyYe
|
||||
rIHwxwrtvxUFm4fMyYrJ/9DuU1BTp6AO6qXbNp5etRfe2C3s9CqXi2ZZTVUtHPXN
|
||||
mumHQAKfAgMBAAECggEADw8kBDkM3Rv8a2DFjXKo4fFti8BF2PW0X6eLaC5doGKh
|
||||
2gZn7cBu+LIXsw8X1FP1fU41TSd9YR5oXAvTr/hvF8noNt1Ie8Dza7NtydN+cIq8
|
||||
vePDC+vARfxkqBmN+JPzJbR5VufMEnlDNl2c8eu6RKIzXUhPc68gdfDaHDyC0L31
|
||||
vn+VfGLWXvMYhEIwEx11Vl51AyUb1oBu4YeJS0PTcA0cwob8f57Hdl3ThjyZFbRP
|
||||
bXq+uRzXrAKT5CsIRlysRvTUmPEZU3M0n482hqmwARryATZEkvkN8S4TwgscbuHT
|
||||
lrePAjRh6NdIAVVwrNq2gNLXRQEXLRgHZ5PMhTgbIQKBgQDoRpwGHbpattqHUMmV
|
||||
YxPYM0dqc+JXMy+3H66MOf6fA65vU1tzhHgexc/KOVtLxjQyDhe58/4Ui7EygkZ9
|
||||
y8jhU/7RP4VG7KEpdgKmueqmMvqKKLPUfaoDA/seTtBrXZzE1vy81W4s/XBBq8hx
|
||||
XT5qEFTw+HQ24HFledmRO5ZfcQKBgQDkd7RFyRmcS+ehXREZZH0bY74JBtv6HUPz
|
||||
LapdTylxXZ7yRItF8s/7pRdrtfefXMA2ew1wVoyRnf+Taj5AKSr/g3q5psh/RmI2
|
||||
zA2YcDjlaa9Z3qoy5JIQxHU9/S+h6PZYNHrpFs6ezcRVjEvMI46kUuA0wT0fCtgq
|
||||
j7K20pebDwKBgGxijmmYM54i1wPvYbEwo1DuVLPK0WIpQ2mrAfLzGOoweJQADJtx
|
||||
w+9wFI7jhsNsAG0fAFlIDlad/Jh6C9SlY94pKK2Re2pl/qnvJDuSY3kcLqaLaaaM
|
||||
4Ok5UVOKKV0AOKftPdALs7aQqHIsa4LipL4vUsOC3A/DWYalfi1z5a4xAoGBAId4
|
||||
I0Ct+a2fpH0d/iGcYEJ5ZhlcI9uutrffAAHMCrrZ1IG6+wpC6+g/ACAyCd5I1QB4
|
||||
/oL6DufZU85JVRgeUQypHYAv0PsG9P2hCP62rEX74KndSfZbafDfTNWw5ymORWQP
|
||||
2kGT8HhhcmV3hwpImy/8pE0jt+ZMO9kg08tsG9EpAoGANOn2zocpyVuUOAWkJdAh
|
||||
GUD4URTwkImkk9WkcxltevKb562hBwZpQ2Kecz51cBF/zWJz3sBZPudyuFnQbzOX
|
||||
z/prZ27Hhv/+77xhscxuP2yGab2IYRa8gNft/L4Mk+Z3wLpaztu19NpLAXBFwgsV
|
||||
rB7sPZrzeAvRcuvuFl2zwmA=
|
||||
-----END PRIVATE KEY-----
|
||||
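Review bot: This file adds an unencrypted private key (`-----BEGIN PRIVATE KEY-----`) to the repository, and `default.yml` in the same commit bind-mounts `https/key.pem` as the Apache TLS key, so any deployment that does not replace the file serves HTTPS with a key readable by everyone who can read the repository. The matching `https/cert.pem` looks like a self-signed `localhost` certificate, which suggests a development default, but nothing on the page marks it as one. I would drop both files from the commit, add `/https/*.pem` to `.gitignore` next to `/letsencrypt`, and have users create them with `make cert-self` or `make certbot`. Since the key is now in history, it should be treated as public and never reused outside local testing.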