From a70286d29f4d14482d8f59f0d87bf31d6ea8ca07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Mon, 3 Jan 2022 16:24:12 +0100
Subject: [PATCH 1/8] Log Shibboleth and FPM output
---
 Dockerfile | 2 +-
 content/etc/shibboleth.dist/shibd.logger | 108 +++++++++++++++++++++
 content/etc/supervisor/conf.d/php-fpm.conf | 2 +-
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 content/etc/shibboleth.dist/shibd.logger
diff --git a/Dockerfile b/Dockerfile
index 69973d8..d33a0e4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -67,7 +67,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \
 && a2enmod setenvif \
 && usermod -aG tty www-data \
 && chmod o+w /dev/std* \
- && mv /etc/dokuwiki /etc/dokuwiki.dist \
+ && mv -n /etc/dokuwiki /etc/dokuwiki.dist \
 && mv /etc/shibboleth /etc/shibboleth.dist \
 && mv /var/lib/dokuwiki /var/lib/dokuwiki.dist \
 && mkdir -p /run/shibboleth && chown _shibd /run/shibboleth \
diff --git a/content/etc/shibboleth.dist/shibd.logger b/content/etc/shibboleth.dist/shibd.logger
new file mode 100644
index 0000000..6401dd6
--- /dev/null
+++ b/content/etc/shibboleth.dist/shibd.logger
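Review bot: `mv -n` exits 0 even when it moves nothing, so if `/etc/dokuwiki.dist` already exists in the base layer the `&&` chain continues with `/etc/dokuwiki` still in place and the build gives no signal that the default config was not set aside. If a pre-existing `.dist` copy is meant to be a no-op, make that intent explicit and keep the error path for everything else: `&& { [ -e /etc/dokuwiki.dist ] || mv /etc/dokuwiki /etc/dokuwiki.dist; } \`. The `/etc/shibboleth` and `/var/lib/dokuwiki` moves two lines below are left without `-n`, so the three steps now behave differently on a rebuilt layer; whichever behaviour is chosen should apply to all three. The `RUN` instruction this hunk sits in starts before the hunk and continues past it.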
@@ -0,0 +1,108 @@ +# set overall behavior +log4j.rootCategory=INFO, console + +# fairly verbose for DEBUG, so generally leave at INFO +log4j.category.XMLTooling.XMLObject=INFO +log4j.category.XMLTooling.XMLObjectBuilder=INFO +log4j.category.XMLTooling.KeyInfoResolver=INFO +log4j.category.Shibboleth.IPRange=INFO +log4j.category.Shibboleth.PropertySet=INFO + +# raise for low-level tracing of SOAP client HTTP/SSL behavior +log4j.category.XMLTooling.libcurl=INFO + +# useful categories to tune independently: +# +# tracing of SAML messages and security policies +#log4j.category.OpenSAML.MessageDecoder=DEBUG +#log4j.category.OpenSAML.MessageEncoder=DEBUG +#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG +#log4j.category.XMLTooling.SOAPClient=DEBUG +# interprocess message remoting +#log4j.category.Shibboleth.Listener=DEBUG +# mapping of requests to applicationId +#log4j.category.Shibboleth.RequestMapper=DEBUG +# high level session cache operations +#log4j.category.Shibboleth.SessionCache=DEBUG +# persistent storage and caching +#log4j.category.XMLTooling.StorageService=DEBUG + +# logs XML being signed or verified if set to DEBUG +log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log +log4j.additivity.XMLTooling.Signature.Debugger=false +log4j.ownAppenders.XMLTooling.Signature.Debugger=true + +# the tran log blocks the "default" appender(s) at runtime +# Level should be left at INFO for this category +log4j.category.Shibboleth-TRANSACTION=INFO, tran_log +log4j.additivity.Shibboleth-TRANSACTION=false +log4j.ownAppenders.Shibboleth-TRANSACTION=true + +# uncomment to suppress particular event types +#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN +#log4j.category.Shibboleth-TRANSACTION.Login=WARN +#log4j.category.Shibboleth-TRANSACTION.Logout=WARN + +# define the appenders + +#log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender +#log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log +#log4j.appender.shibd_log.maxFileSize=1000000 
+#log4j.appender.shibd_log.maxBackupIndex=10 +#log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout +#log4j.appender.shibd_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n +# +#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender +#log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log +#log4j.appender.warn_log.maxFileSize=1000000 +#log4j.appender.warn_log.maxBackupIndex=10 +#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout +#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n +#log4j.appender.warn_log.threshold=WARN +# +#log4j.appender.tran_log=org.apache.log4j.RollingFileAppender +#log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log +#log4j.appender.tran_log.maxFileSize=1000000 +#log4j.appender.tran_log.maxBackupIndex=20 +#log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout +#log4j.appender.tran_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S}|%c|%m%n +# +#log4j.appender.sig_log=org.apache.log4j.FileAppender +#log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log +#log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout +#log4j.appender.sig_log.layout.ConversionPattern=%m + + +log4j.rootCategory=WARN, console + +# fairly verbose for DEBUG, so generally leave at INFO +log4j.category.XMLTooling.XMLObject=INFO +log4j.category.XMLTooling.XMLObjectBuilder=INFO +log4j.category.XMLTooling.KeyInfoResolver=INFO +log4j.category.Shibboleth.IPRange=INFO +log4j.category.Shibboleth.PropertySet=INFO + +# raise for low-level tracing of SOAP client HTTP/SSL behavior +log4j.category.XMLTooling.libcurl=INFO + +# useful categories to tune independently: +# +# tracing of SAML messages and security policies +#log4j.category.OpenSAML.MessageDecoder=DEBUG +#log4j.category.OpenSAML.MessageEncoder=DEBUG +#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG +# interprocess message remoting +#log4j.category.Shibboleth.Listener=DEBUG +# mapping of requests 
to applicationId +#log4j.category.Shibboleth.RequestMapper=DEBUG +# high level session cache operations +#log4j.category.Shibboleth.SessionCache=DEBUG +# persistent storage and caching +#log4j.category.XMLTooling.StorageService=DEBUG + +# define the appender + +log4j.appender.console=org.apache.log4j.ConsoleAppender +#log4j.appender.console.layout=org.apache.log4j.BasicLayout +log4j.appender.console.layout=org.apache.log4j.PatternLayout +log4j.appender.console.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n diff --git a/content/etc/supervisor/conf.d/php-fpm.conf b/content/etc/supervisor/conf.d/php-fpm.conf index 612eeea..b2d473d 100644 --- a/content/etc/supervisor/conf.d/php-fpm.conf +++ b/content/etc/supervisor/conf.d/php-fpm.conf @@ -1,5 +1,5 @@ [program:php-fpm] -command = /usr/sbin/php-fpm7.4 -F +command = /usr/sbin/php-fpm7.4 -F -O user = www-data autorestart = true startretries = 3 -- GitLab From 294babb42a6cb239687a9bdf5f6a9e2a24825aa5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz> Date: Mon, 3 Jan 2022 16:30:50 +0100 Subject: [PATCH 2/8] Docker-compose remove gateway --- docker-compose.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index b18aad5..7069933 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -16,7 +16,6 @@ networks: driver: default config: - subnet: fd00:dead:beef::/48 - gateway: fd00:dead:beef::1 services: dokuwiki: -- GitLab From c067a298b5ef162bf134ca98dee53f1e63283f21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz> Date: Mon, 3 Jan 2022 16:36:38 +0100 Subject: [PATCH 3/8] Enable headers Apache module --- content/opt/dokuwiki-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/opt/dokuwiki-entrypoint.sh b/content/opt/dokuwiki-entrypoint.sh index b04d0bf..257975a 100755 --- a/content/opt/dokuwiki-entrypoint.sh +++ b/content/opt/dokuwiki-entrypoint.sh 
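Review bot: `log4j.category.Shibboleth-TRANSACTION=INFO, tran_log` combined with `log4j.additivity.Shibboleth-TRANSACTION=false` sends the transaction log only to the `tran_log` appender, yet every `log4j.appender.tran_log.*` line in this file is commented out and the only appender actually defined is `console`. The transaction log is the SP's login/logout/AuthnRequest audit trail, so unless log4shib substitutes a default appender for an undefined name (I would not rely on it) this configuration drops it entirely instead of forwarding it to the container log as the commit title suggests; the same applies to `sig_log` for `XMLTooling.Signature.Debugger`. Route both to the appender that exists, `log4j.category.Shibboleth-TRANSACTION=INFO, console` and `log4j.category.XMLTooling.Signature.Debugger=INFO, console`, or define `tran_log`/`sig_log` as `org.apache.log4j.ConsoleAppender` with their own layouts so the `|`-separated transaction format is preserved for log parsing. The file also sets `log4j.rootCategory` twice (INFO near the top, WARN near the bottom) and repeats the whole category block; the first copy is dead configuration and should be removed so the effective level is obvious to the next reader.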
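Review bot: `-O` (`--force-stderr`) only changes where the FPM master writes its own log when stderr is not a TTY; output from the PHP workers (DokuWiki warnings and notices) is still discarded unless the pool sets `catch_workers_output = yes`, which this commit does not touch and which I cannot see here. If capturing worker output is part of "Log … FPM output", add that pool option in the same change, and leave a comment above the command so the flag is not dropped later: `; -O: keep FPM's error log on stderr even though stderr is a supervisord pipe, not a TTY`.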
@@ -53,7 +53,7 @@ if [ -f /etc/apache2/ssl/dokuwiki.crt ] && [ -f /etc/apache2/ssl/dokuwiki.key ];
 if [ ! -f /etc/apache2/ssl/dokuwiki.chain ]; then
 echo > /etc/apache2/ssl/dokuwiki.chain
 fi
- a2enmod -q ssl >/dev/null 2>&1
+ a2enmod -q ssl headers >/dev/null 2>&1
 a2ensite -q dokuwiki-ssl >/dev/null 2>&1
 chown www-data:www-data /etc/apache2/ssl/dokuwiki.{crt,key} || true
-- 
GitLab
From 02d509ab8a3d8ad42d9b00fe5409751037051d2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Mon, 3 Jan 2022 16:39:50 +0100
Subject: [PATCH 4/8] Add CSP and FQDN options for plain HTTP
---
 content/etc/apache2/sites-available/000-default.conf | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 content/etc/apache2/sites-available/000-default.conf
diff --git a/content/etc/apache2/sites-available/000-default.conf b/content/etc/apache2/sites-available/000-default.conf
new file mode 100644
index 0000000..ad7f1b4
--- /dev/null
+++ b/content/etc/apache2/sites-available/000-default.conf
@@ -0,0 +1,9 @@
+<VirtualHost *:80>
+ DocumentRoot /var/www/html
+
+ ErrorLog /dev/stderr
+ CustomLog /dev/stdout combined
+
+ IncludeOptional /etc/apache2/conf-available/fqdn.conf
+ IncludeOptional /etc/apache2/conf-available/dokuwiki_csp.conf
+</VirtualHost>
-- 
GitLab
From b8f44c946949c2794d07cd75dbcad7278b396c37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Mon, 3 Jan 2022 16:45:23 +0100
Subject: [PATCH 5/8] New version
---
 .gitlab-ci.yml | 2 +-
 Dockerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9534533..e896ccc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
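Review bot: `headers` is enabled only inside the branch that runs when `/etc/apache2/ssl/dokuwiki.crt` and `.key` exist, while the plain-HTTP `000-default.conf` added in PATCH 4/8 includes `dokuwiki_csp.conf` unconditionally; in a container started without a certificate pair, a `Header` directive in that file (presumably how the CSP is set) either fails the Apache config check or, if it is wrapped in `<IfModule mod_headers.c>`, is silently skipped and the wiki runs without the CSP the operator believes is in place. Enable the module ahead of the TLS check rather than inside it: put `a2enmod -q headers >/dev/null 2>&1` on its own line before the `if`, and keep this line as `a2enmod -q ssl >/dev/null 2>&1`. The `>/dev/null 2>&1` also hides a failed `a2enmod`, so consider dropping at least the `2>&1` so an error is visible in the container log. The `if` block this hunk sits in starts before the hunk.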
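Review bot: `IncludeOptional /etc/apache2/conf-available/dokuwiki_csp.conf` makes the CSP best-effort: if that file is absent (it is not part of this series, so presumably the entrypoint generates it) Apache starts without complaint and the site serves no Content-Security-Policy, with nothing in the log to say so. If the file is always generated, use `Include` so a missing policy is a hard start-up failure; if it is genuinely optional, say so next to the line, e.g. `# CSP is applied only when dokuwiki_csp.conf has been generated by the entrypoint`. It is also worth confirming how this vhost coexists with `dokuwiki-ssl-redirect.conf`, which listens on the same `*:80`: Debian loads `sites-enabled` alphabetically, so if both are enabled `000-default` becomes the default vhost for port 80 and requests whose Host header matches no ServerName are answered over plain HTTP instead of being redirected. I cannot see `fqdn.conf` or the entrypoint's `a2ensite`/`a2dissite` logic, so this may already be handled.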
@@ -10,7 +10,7 @@ before_script:
 build-stable:
 stage: build
 script:
- - /kaniko/executor --cache=true --cache-copy-layers --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --build-arg NAME=$CI_PROJECT_NAME --build-arg BUILD_DATE=`date -u +"%d-%m-%Y-T%H:%M:%S%Z"` --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA --build-arg VCS_URL=$CI_PROJECT_URL --destination $CI_REGISTRY_IMAGE:stable --destination $CI_REGISTRY_IMAGE:20180422 --destination $CI_REGISTRY_IMAGE:20180422-1
+ - /kaniko/executor --cache=true --cache-copy-layers --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --build-arg NAME=$CI_PROJECT_NAME --build-arg BUILD_DATE=`date -u +"%d-%m-%Y-T%H:%M:%S%Z"` --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA --build-arg VCS_URL=$CI_PROJECT_URL --destination $CI_REGISTRY_IMAGE:stable --destination $CI_REGISTRY_IMAGE:20180422 --destination $CI_REGISTRY_IMAGE:20180422-2
 only:
 - stable
diff --git a/Dockerfile b/Dockerfile
index d33a0e4..9beb9db 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ RUN printf "Running on ${BUILDPLATFORM:-linux/amd64}, building for ${TARGETPLATF
 # Basic info
 ARG NAME
 ARG BUILD_DATE
-ARG VERSION=20180422.a-2.1
+ARG VERSION=20180422.a-2.1-2
 ARG VCS_REF
 ARG VCS_URL
-- 
GitLab
From 62c1b5f657263a407d56758bafb6089612c97e7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Sun, 17 Apr 2022 00:16:19 +0200
Subject: [PATCH 6/8] Resolve "Avoid HTTPS redirect for server-status endpoint"
---
 content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf b/content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf
index 4e3dc20..cb8d2f4 100644
--- a/content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf
+++ b/content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf
@@ -2,6 +2,6 @@
 DocumentRoot /var/www
 RewriteEngine On
- RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
+ RewriteCond %{REQUEST_URI} !(\.well-known/acme-challenge|server-status)
 RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [L]
 </VirtualHost>
-- 
GitLab
From ff3c9cafe67a4abfb64f4a48a3ffb007633d41ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Sun, 17 Apr 2022 00:17:54 +0200
Subject: [PATCH 7/8] New version (Closes: #6)
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e896ccc..4494d7c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ before_script:
 build-stable:
 stage: build
 script:
- - /kaniko/executor --cache=true --cache-copy-layers --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --build-arg NAME=$CI_PROJECT_NAME --build-arg BUILD_DATE=`date -u +"%d-%m-%Y-T%H:%M:%S%Z"` --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA --build-arg VCS_URL=$CI_PROJECT_URL --destination $CI_REGISTRY_IMAGE:stable --destination $CI_REGISTRY_IMAGE:20180422 --destination $CI_REGISTRY_IMAGE:20180422-2
+ - /kaniko/executor --cache=true --cache-copy-layers --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --build-arg NAME=$CI_PROJECT_NAME --build-arg BUILD_DATE=`date -u +"%d-%m-%Y-T%H:%M:%S%Z"` --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA --build-arg VCS_URL=$CI_PROJECT_URL --destination $CI_REGISTRY_IMAGE:stable --destination $CI_REGISTRY_IMAGE:20180422 --destination $CI_REGISTRY_IMAGE:20180422-3
 only:
 - stable
-- 
GitLab
From 5e055566dbd9d88ef7779cbc8b2316decce7e0a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Sun, 17 Apr 2022 00:24:17 +0200
Subject: [PATCH 8/8] Dockerfile bump version
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 9beb9db..912b4b6 100644
--- a/Dockerfile
+++ b/Dockerfile
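Review bot: the new condition `!(\.well-known/acme-challenge|server-status)` is unanchored, so any request path containing the substring `server-status` anywhere — `/wiki/server-status-notes`, or `/doku.php/server-status` where the wiki accepts path-style page IDs — is exempted from the HTTPS redirect and served over plain HTTP, which lets an attacker craft links that keep a user (and the session cookie, if it is not marked `Secure`) on cleartext. Anchor both alternatives to the start of the path and terminate the status one: `RewriteCond %{REQUEST_URI} !^/(\.well-known/acme-challenge/|server-status$)`. The exemption is also only defensible if mod_status itself is limited to the monitoring source (`Require local` or `Require ip …` on `<Location /server-status>`), since it otherwise becomes an unauthenticated cleartext endpoint that lists in-flight request URIs and client addresses; that configuration is not part of this series, so please confirm it. The `<VirtualHost>` block this hunk sits in starts before the hunk.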
@@ -6,7 +6,7 @@ RUN printf "Running on ${BUILDPLATFORM:-linux/amd64}, building for ${TARGETPLATF
 # Basic info
 ARG NAME
 ARG BUILD_DATE
-ARG VERSION=20180422.a-2.1-2
+ARG VERSION=20180422.a-2.1-3
 ARG VCS_REF
 ARG VCS_URL
-- 
GitLab