From 175489dd68ad3b3ecf96e90e29baf5349d4e9a5e Mon Sep 17 00:00:00 2001
From: Rodolfo Berrios <20590102+rodber@users.noreply.github.com>
Date: Mon, 17 Oct 2022 10:22:01 -0300
Subject: [PATCH] wip https

---
 .gitignore | 1 +
 Dockerfile | 23 ++++++++++-----
 Makefile | 76 ++++++++++++++++++++++++++++----------------------
 default.yml | 11 ++++++--
 docs/HTTPS.md | 26 +++++++++++++++++
 https/cert.pem | 22 +++++++++++++++
 https/key.pem | 28 +++++++++++++++++++
 7 files changed, 145 insertions(+), 42 deletions(-)
 create mode 100644 docs/HTTPS.md
 create mode 100644 https/cert.pem
 create mode 100644 https/key.pem

diff --git a/.gitignore b/.gitignore
index b897fc2..4df9441 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .DS_Store
 /chevereto
+/letsencrypt
diff --git a/Dockerfile b/Dockerfile
index 6042144..c7744e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,11 +15,8 @@ RUN apt-get update && apt-get install -y \
 rsync \
 inotify-tools \
 imagemagick libmagickwand-dev --no-install-recommends \
- && a2enmod rewrite \
- && docker-php-ext-configure gd \
- --with-freetype=/usr/include/ \
- --with-jpeg=/usr/include/ \
- --with-webp=/usr/include/ \
+ && a2enmod rewrite && a2enmod ssl && a2enmod socache_shmcb \
+ && docker-php-ext-configure gd --with-freetype=/usr/include/ --with-jpeg=/usr/include/ --with-webp=/usr/include/ \
 && docker-php-ext-configure opcache --enable-opcache \
 && docker-php-ext-install -j$(nproc) exif gd pdo_mysql zip opcache bcmath \
 && pecl install imagick \
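Review bot: Only `/letsencrypt` is ignored here, while the `certbot` target added in this same commit copies `privkey.pem` to `https/key.pem`, a path the commit also adds as a tracked file, so after a real certbot run the Let's Encrypt private key shows up as an ordinary modification to a tracked file and a `git add -A` commits it. Consider ignoring the generated pair as well, `/https/*.pem`, and letting `make cert-self` produce the localhost pair on first use instead of shipping it in the repository. If the bundled self-signed files must stay tracked, a comment in `.gitignore` stating that `https/key.pem` is overwritten by `make certbot` would at least make the risk visible.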
@@ -27,8 +24,20 @@ RUN apt-get update && apt-get install -y \ && php -m RUN echo "sendmail_path=/usr/sbin/sendmail -t -i" >> /usr/local/etc/php/conf.d/sendmail.ini \ - && sed -i '/#!\/bin\/sh/aservice sendmail restart' /usr/local/bin/docker-php-entrypoint \ - && sed -i '/#!\/bin\/sh/aecho "$(hostname -i)\t$(hostname) $(hostname).localhost" >> /etc/hosts' /usr/local/bin/docker-php-entrypoint + && sed -i \ + -e '/#!\/bin\/sh/a\echo "$(hostname -i)\t$(hostname) $(hostname).localhost" >> /etc/hosts' \ + -e '/#!\/bin\/sh/a\service sendmail restart' \ + /usr/local/bin/docker-php-entrypoint + +RUN sed -i \ + -e '/SSLCertificateFile.*snakeoil\.pem/c\SSLCertificateFile /etc/ssl/certs/cert.pem' \ + -e '/SSLCertificateKeyFile.*snakeoil\.key/c\SSLCertificateKeyFile /etc/ssl/private/key.pem' \ + /etc/apache2/sites-available/default-ssl.conf \ + && sed -i \ + -e 's~^ServerSignature On$~ServerSignature Off~g' \ + -e 's~^ServerTokens OS$~ServerTokens Prod~g' \ + /etc/apache2/conf-available/security.conf \ + && a2ensite default-ssl RUN rm -rf /var/lib/apt/lists/* diff --git a/Makefile b/Makefile index 9f2df94..c9f901a 100644 --- a/Makefile +++ b/Makefile @@ -9,7 +9,10 @@ PROTOCOL ?= http NAMESPACE ?= chevereto SERVICE ?= php -PORT ?= 8420 +PORT_HTTP ?= 8420 +PORT_HTTPS ?= 8430 +PORT = $(shell [[ \${PROTOCOL} == "http" ]] && echo \${PORT_HTTP} || echo \${PORT_HTTPS}) +HTTPS = $(shell [[ \${PROTOCOL} == "http" ]] && echo 0 || echo 1) URL = ${PROTOCOL}://${HOSTNAME}:${PORT}/ PROJECT = $(shell [[ \${TARGET} == "prod" ]] && echo \${NAMESPACE}_chevereto || echo \${NAMESPACE}_chevereto-${TARGET}) 
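Review bot: The two `c\` replacements point Apache at `/etc/ssl/certs/cert.pem` and `/etc/ssl/private/key.pem`, which nothing in the image creates; they only exist when the `default.yml` bind mounts from this commit supply them, yet `a2ensite default-ssl` enables the vhost unconditionally, so a container started from the image without those mounts would presumably fail at Apache startup. A comment above the new `RUN sed -i` line documenting that contract, `# cert.pem/key.pem are bind-mounted by compose (see default.yml); Apache will not start without them`, makes the dependency visible to whoever runs the image by hand. The `ServerSignature Off`/`ServerTokens Prod` edits are sensible hardening but deserve a one-line why-comment (reduce version disclosure in responses and error pages). Whether the Dockerfile continues past `RUN rm -rf /var/lib/apt/lists/*` cannot be seen in this hunk.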
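Review bot: `PORT` and `HTTPS` are assigned with `=` around `$(shell …)`, so every reference re-runs a shell; `PROTOCOL` is already set on line 9 (shown in the hunk header), so `PORT := …` and `HTTPS := …` evaluate once with the same result. Both tests compare only against `"http"`, so any other value of `PROTOCOL`, including a typo, silently selects the HTTPS port and `HTTPS=1`; a guard such as `ifeq ($(filter http https,$(PROTOCOL)),)` followed by `$(error PROTOCOL must be http or https)` fails early instead. The `[[` test is bash-only, as in the existing `PROJECT` line, so it relies on `SHELL` being bash, which is not visible in this hunk.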
@@ -26,7 +29,16 @@ FEEDBACK_SHORT = $(shell echo 👉 \${TARGET} V\${VERSION} [PHP \${PHP}] \(\${DO LICENSE ?= $(shell stty -echo; read -p "Chevereto V4 License key: 🔑" license; stty echo; echo $$license) -DOCKER_COMPOSE = $(shell echo docker compose -p \${PROJECT} -f \${COMPOSE_FILE}) +DOCKER_COMPOSE = $(shell echo @CONTAINER_BASENAME=\${CONTAINER_BASENAME} \ + PORT_HTTP=\${PORT_HTTP} \ + PORT_HTTPS=\${PORT_HTTPS} \ + HTTPS=\${HTTPS} \ + TAG_BASENAME=\${TAG_BASENAME} \ + VERSION=\${VERSION} \ + HOSTNAME=\${HOSTNAME} \ + HOSTNAME_PATH=\${HOSTNAME_PATH} \ + URL=\${URL} \ + docker compose -p \${PROJECT} -f \${COMPOSE_FILE}) feedback: @./scripts/logo.sh @@ -65,16 +77,19 @@ image-custom: feedback--short -t ${TAG_BASENAME}_php volume-cp: - docker run --rm -it -v ${VOLUME_FROM}:/from -v ${VOLUME_TO}:/to alpine ash -c "cd /from ; cp -av . /to" + @docker run --rm -it -v ${VOLUME_FROM}:/from -v ${VOLUME_TO}:/to alpine ash -c "cd /from ; cp -av . /to" volume-rm: - docker volume rm ${VOLUME} + @docker volume rm ${VOLUME} bash: feedback @docker exec -it --user ${DOCKER_USER} \ ${CONTAINER_BASENAME}_${SERVICE} \ bash +log: feedback + @docker logs -f ${CONTAINER_BASENAME}_${SERVICE} + log-access: feedback @docker logs ${CONTAINER_BASENAME}_${SERVICE} -f 2>/dev/null 
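Review bot: `DOCKER_COMPOSE` now carries a leading `@` and a block of `VAR=value` assignments through `$(shell echo …)`, so recipe silencing depends on GNU make honouring an `@` that only appears after expansion, and the values of `URL`, `HOSTNAME_PATH` and the others are handed to `echo` unquoted at parse time and re-split by the shell when the recipe runs, so a space or shell metacharacter in any of them breaks the command. A plain `DOCKER_COMPOSE = docker compose -p $(PROJECT) -f $(COMPOSE_FILE)` with the variables `export`ed (`export PORT_HTTP PORT_HTTPS HTTPS HOSTNAME HOSTNAME_PATH URL VERSION TAG_BASENAME CONTAINER_BASENAME`) reaches compose the same way without the parse-time shell, and the `@` can go back on each recipe line. If the current form is kept, a comment above the assignment saying the `@` is intentional would save the next reader a puzzle.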
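Review bot: The new `log` target differs from `log-access` right below it only in that `log-access` discards stderr with `2>/dev/null`, so without a comment the two read as duplicates. A `##` line on each, `log: feedback ## Follow container stdout and stderr` and `log-access: feedback ## Follow container stdout only (presumably the access log)`, documents the intent. Whether `log` is listed in a `.PHONY` declaration cannot be seen in this hunk.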
@@ -84,51 +99,46 @@ log-error: feedback # docker compose up: feedback feedback--compose feedback--url - @CONTAINER_BASENAME=${CONTAINER_BASENAME} \ - PORT=${PORT} \ - TAG_BASENAME=${TAG_BASENAME} \ - VERSION=${VERSION} \ - HOSTNAME=${HOSTNAME} \ - HOSTNAME_PATH=${HOSTNAME_PATH} \ - URL=${URL} \ ${DOCKER_COMPOSE} up up-d: feedback feedback--compose feedback--url - @CONTAINER_BASENAME=${CONTAINER_BASENAME} \ - PORT=${PORT} \ - TAG_BASENAME=${TAG_BASENAME} \ - VERSION=${VERSION} \ - HOSTNAME=${HOSTNAME} \ - HOSTNAME_PATH=${HOSTNAME_PATH} \ - URL=${URL} \ ${DOCKER_COMPOSE} up -d stop: feedback feedback--compose - @CONTAINER_BASENAME=${CONTAINER_BASENAME} \ - PORT=${PORT} \ - VERSION=${VERSION} \ ${DOCKER_COMPOSE} stop start: feedback feedback--compose - @CONTAINER_BASENAME=${CONTAINER_BASENAME} \ - PORT=${PORT} \ - VERSION=${VERSION} \ ${DOCKER_COMPOSE} start restart: feedback feedback--compose - @CONTAINER_BASENAME=${CONTAINER_BASENAME} \ - PORT=${PORT} \ - VERSION=${VERSION} \ ${DOCKER_COMPOSE} restart down: feedback feedback--compose - @CONTAINER_BASENAME=${CONTAINER_BASENAME} \ - PORT=${PORT} \ - VERSION=${VERSION} \ ${DOCKER_COMPOSE} down down--volumes: feedback feedback--compose - @CONTAINER_BASENAME=${CONTAINER_BASENAME} \ - PORT=${PORT} \ - VERSION=${VERSION} \ ${DOCKER_COMPOSE} down --volumes + +# tools + +certbot: + @echo "🔐 Generating certificate" + @HOSTNAME=${HOSTNAME} \ + docker container run \ + -it \ + --rm \ + -v ${PWD}/letsencrypt/certs:/etc/letsencrypt \ + -v ${PWD}/letsencrypt/data:/data/letsencrypt \ + certbot/certbot certonly \ + --webroot \ + --webroot-path=/data/letsencrypt \ + -d ${HOSTNAME} \ + --dry-run \ + && cp ${PWD}/letsencrypt/certs/live/${HOSTNAME}/fullchain.pem ${PWD}/https/cert.pem \ + && cp ${PWD}/letsencrypt/certs/live/${HOSTNAME}/privkey.pem ${PWD}/https/key.pem + +cert-self: + @echo "🔐 Generating self-signed certificate" + @cd ${PWD}/https \ + && openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out 
cert.pem + diff --git a/default.yml b/default.yml index 74673ab..62406ec 100644 --- a/default.yml +++ b/default.yml @@ -40,8 +40,15 @@ services: volumes: - storage:/var/www/html/images/ - assets:/var/www/html/_assets/ + - type: bind + source: ${PWD}/https/cert.pem + target: /etc/ssl/certs/cert.pem + - type: bind + source: ${PWD}/https/key.pem + target: /etc/ssl/private/key.pem ports: - - ${PORT}:80 + - ${PORT_HTTP}:80 + - ${PORT_HTTPS}:443 restart: always environment: CHEVERETO_DB_HOST: database @@ -51,7 +58,7 @@ services: CHEVERETO_DB_NAME: chevereto CHEVERETO_HOSTNAME: ${HOSTNAME} CHEVERETO_HOSTNAME_PATH: ${HOSTNAME_PATH} - CHEVERETO_HTTPS: 0 + CHEVERETO_HTTPS: ${HTTPS} CHEVERETO_ASSET_STORAGE_TYPE: local CHEVERETO_ASSET_STORAGE_URL: ${URL}_assets/ CHEVERETO_ASSET_STORAGE_BUCKET: /var/www/html/_assets/ diff --git a/docs/HTTPS.md b/docs/HTTPS.md new file mode 100644 index 0000000..f7909e1 --- /dev/null +++ b/docs/HTTPS.md @@ -0,0 +1,26 @@ +# HTTPS + +Place the certificate and private key at `https/`. + +| Type | File | +| ----------- | ---------- | +| Certificate | `cert.pem` | +| Private key | `key.pem` | + +## Create certificate + +To create a certificate using certbot: + +```sh +make certbot HOSTNAME=chevereto.com +``` + +The above command uses `certbot/certbot` for providing the files required, it will place the generated files at `https/`. + +## Use HTTPS + +Alter the commands to use `PROTOCOL=https`: + +```sh +make up-d PROTOCOL=https HOSTNAME=chevereto.com +``` diff --git a/https/cert.pem b/https/cert.pem new file mode 100644 index 0000000..96177a3 --- /dev/null +++ b/https/cert.pem 
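Review bot: The `certbot` target passes `--dry-run`, which per certbot's documentation obtains a test certificate without saving it, so the `live/${HOSTNAME}/fullchain.pem` and `privkey.pem` paths copied on the last two lines will not exist after the run and the `cp` steps fail (or copy stale files from an earlier real run); if the flag is deliberate while this is work in progress, a `# TODO: drop --dry-run before release` comment should say so. Once the flag is dropped, `cp` writes the private key into the working tree with the user's default umask; `install -m 600 ${PWD}/letsencrypt/certs/live/${HOSTNAME}/privkey.pem ${PWD}/https/key.pem` keeps it owner-readable only. `${PWD}` is inherited from the environment where `$(CURDIR)` is the make-native equivalent, and the `cert-self` recipe prompts interactively for the subject unless `-subj '/CN=localhost'` is added. Both new targets belong in the `.PHONY` list, which is not visible here.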
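Review bot: The two new bind mounts expose `https/key.pem` (and `cert.pem`) to the container read-write, while Apache only needs to read them; adding `read_only: true` to each bind entry keeps a compromised container from rewriting the host's key file. When the source file is missing, compose's default (`create_host_path` true) creates it as a directory, which mounts an empty directory over `/etc/ssl/private/key.pem` and breaks Apache in a confusing way, so a comment on the volume entries, `# cert.pem/key.pem: see docs/HTTPS.md; generate with make cert-self`, would save a round of debugging. Both `80` and `443` are now published regardless of `PROTOCOL`, which is presumably intended.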
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtjCCAp4CCQC9rx8BAlN2IDANBgkqhkiG9w0BAQsFADCBnDELMAkGA1UEBhMC +Q0wxGjAYBgNVBAgMEVJlZ2lvbiBkZWwgQmlvYmlvMRMwEQYDVQQHDApDb25jZXBj +aW9uMRswGQYDVQQKDBJDaGV2ZXJldG8gU29mdHdhcmUxCzAJBgNVBAsMAklUMRIw +EAYDVQQDDAlsb2NhbGhvc3QxHjAcBgkqhkiG9w0BCQEWD2FkbWluQGxvY2FsaG9z +dDAeFw0yMjEwMTcxMjI5MjZaFw0zMjEwMTQxMjI5MjZaMIGcMQswCQYDVQQGEwJD +TDEaMBgGA1UECAwRUmVnaW9uIGRlbCBCaW9iaW8xEzARBgNVBAcMCkNvbmNlcGNp +b24xGzAZBgNVBAoMEkNoZXZlcmV0byBTb2Z0d2FyZTELMAkGA1UECwwCSVQxEjAQ +BgNVBAMMCWxvY2FsaG9zdDEeMBwGCSqGSIb3DQEJARYPYWRtaW5AbG9jYWxob3N0 +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz0t/WPCE0i4AgOXBo2tK +EvGdqfU5cGjQ6qYZeOrAG4tU1LqUhZWucAG97K9yOwc/ySNcEvg7ZSFc/jxQ3AjE +mIvNf1rIZ1DhOYaqu/EseEsh2uz2QCMRkZeBWAh/32k2qm5khFX6NRbV4MAHt8Tc +6FACjZz+p8tQHwrPgQc1PwN+J++d5k7DU34cYoGaeH+3Mlo2pNodrIVgT/NidEzT +qrpqxMkm+YcuGvZeNk6iWRGc18Q6d+Z6HftmoSDqH5bxpt9OPA0MnS8mHqyB8McK +7b8VBZuHzMmKyf/Q7lNQU6egDuql2zaeXrUX3tgt7PQql4tmWU1VLRz1zZrph0AC +nwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB/x+IfDS4Nl0EyRnvBlkMLNOTL+8qO +syr2p+M44eUX0fT2s+RN7Wbf3Rl5iGvG4kn3udaJ07vuH5EH8BZITw0945YaWb5F +aV8h7ZKd0kDeNcU2rUy+a2xrSh2KJJHbYL8cUWNcVE/RGon/o7gfQBzb4htRiJcW +EYtImBdkxdhKoXSYDTz8xP7z8NxiFDpuhKv5bzQB62DtGjnDl8BHxmlUCP8OSprQ +tAtoZD20pFqoLj+LZvVHQUsJmd8bRg6aatmDNjSUkvKrnhZnlSXM3MR9xN484JgQ +AhqsPV4rGOBaTIAKSz8VTWPlqpvhJdPq2C4Vmbt00C+1px6d5Rt1B4pn +-----END CERTIFICATE----- diff --git a/https/key.pem b/https/key.pem new file mode 100644 index 0000000..2954b7d --- /dev/null +++ b/https/key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDPS39Y8ITSLgCA +5cGja0oS8Z2p9TlwaNDqphl46sAbi1TUupSFla5wAb3sr3I7Bz/JI1wS+DtlIVz+ +PFDcCMSYi81/WshnUOE5hqq78Sx4SyHa7PZAIxGRl4FYCH/faTaqbmSEVfo1FtXg +wAe3xNzoUAKNnP6ny1AfCs+BBzU/A34n753mTsNTfhxigZp4f7cyWjak2h2shWBP +82J0TNOqumrEySb5hy4a9l42TqJZEZzXxDp35nod+2ahIOoflvGm3048DQydLyYe +rIHwxwrtvxUFm4fMyYrJ/9DuU1BTp6AO6qXbNp5etRfe2C3s9CqXi2ZZTVUtHPXN +mumHQAKfAgMBAAECggEADw8kBDkM3Rv8a2DFjXKo4fFti8BF2PW0X6eLaC5doGKh +2gZn7cBu+LIXsw8X1FP1fU41TSd9YR5oXAvTr/hvF8noNt1Ie8Dza7NtydN+cIq8 +vePDC+vARfxkqBmN+JPzJbR5VufMEnlDNl2c8eu6RKIzXUhPc68gdfDaHDyC0L31 +vn+VfGLWXvMYhEIwEx11Vl51AyUb1oBu4YeJS0PTcA0cwob8f57Hdl3ThjyZFbRP +bXq+uRzXrAKT5CsIRlysRvTUmPEZU3M0n482hqmwARryATZEkvkN8S4TwgscbuHT +lrePAjRh6NdIAVVwrNq2gNLXRQEXLRgHZ5PMhTgbIQKBgQDoRpwGHbpattqHUMmV +YxPYM0dqc+JXMy+3H66MOf6fA65vU1tzhHgexc/KOVtLxjQyDhe58/4Ui7EygkZ9 +y8jhU/7RP4VG7KEpdgKmueqmMvqKKLPUfaoDA/seTtBrXZzE1vy81W4s/XBBq8hx +XT5qEFTw+HQ24HFledmRO5ZfcQKBgQDkd7RFyRmcS+ehXREZZH0bY74JBtv6HUPz +LapdTylxXZ7yRItF8s/7pRdrtfefXMA2ew1wVoyRnf+Taj5AKSr/g3q5psh/RmI2 +zA2YcDjlaa9Z3qoy5JIQxHU9/S+h6PZYNHrpFs6ezcRVjEvMI46kUuA0wT0fCtgq +j7K20pebDwKBgGxijmmYM54i1wPvYbEwo1DuVLPK0WIpQ2mrAfLzGOoweJQADJtx +w+9wFI7jhsNsAG0fAFlIDlad/Jh6C9SlY94pKK2Re2pl/qnvJDuSY3kcLqaLaaaM +4Ok5UVOKKV0AOKftPdALs7aQqHIsa4LipL4vUsOC3A/DWYalfi1z5a4xAoGBAId4 +I0Ct+a2fpH0d/iGcYEJ5ZhlcI9uutrffAAHMCrrZ1IG6+wpC6+g/ACAyCd5I1QB4 +/oL6DufZU85JVRgeUQypHYAv0PsG9P2hCP62rEX74KndSfZbafDfTNWw5ymORWQP +2kGT8HhhcmV3hwpImy/8pE0jt+ZMO9kg08tsG9EpAoGANOn2zocpyVuUOAWkJdAh +GUD4URTwkImkk9WkcxltevKb562hBwZpQ2Kecz51cBF/zWJz3sBZPudyuFnQbzOX +z/prZ27Hhv/+77xhscxuP2yGab2IYRa8gNft/L4Mk+Z3wLpaztu19NpLAXBFwgsV +rB7sPZrzeAvRcuvuFl2zwmA= +-----END PRIVATE KEY-----
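Review bot: This commits a private key to the repository; the Base64 subject in the accompanying `cert.pem` decodes to `CN=localhost` and `admin@localhost`, so it is a self-signed development key rather than a production secret, but it is the same path that `make certbot` overwrites with a real Let's Encrypt key, and `https/` is not in `.gitignore`. A key that ships in a repository should be treated as public: generate the localhost pair at setup time with `make cert-self` instead of tracking it, and ignore `https/*.pem`. If bundling a dev key is intentional, say so in `docs/HTTPS.md` and still add `https/key.pem` to `.gitignore` so an operator's real key cannot be committed by accident.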