From a70286d29f4d14482d8f59f0d87bf31d6ea8ca07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Mon, 3 Jan 2022 16:24:12 +0100
Subject: [PATCH 1/8] Log Shibboleth and FPM output

---
 Dockerfile                                 |   2 +-
 content/etc/shibboleth.dist/shibd.logger   | 108 +++++++++++++++++++++
 content/etc/supervisor/conf.d/php-fpm.conf |   2 +-
 3 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 content/etc/shibboleth.dist/shibd.logger

diff --git a/Dockerfile b/Dockerfile
index 69973d8..d33a0e4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -67,7 +67,7 @@ RUN export DEBIAN_FRONTEND=noninteractive \
 	&& a2enmod setenvif \
 	&& usermod -aG tty www-data \
 	&& chmod o+w /dev/std* \
-	&& mv /etc/dokuwiki /etc/dokuwiki.dist \
+	&& mv -n /etc/dokuwiki /etc/dokuwiki.dist \
 	&& mv /etc/shibboleth /etc/shibboleth.dist \
 	&& mv /var/lib/dokuwiki /var/lib/dokuwiki.dist \
 	&& mkdir -p /run/shibboleth && chown _shibd /run/shibboleth \
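Review bot: The `-n` lands on the `/etc/dokuwiki` move, but the directory this commit pre-creates in the build context is `content/etc/shibboleth.dist`, so the move most likely to meet an existing target is `mv /etc/shibboleth /etc/shibboleth.dist` on the next line. If `content/` is copied into the image before this RUN step (not visible in the hunk), that move would nest the package defaults under `/etc/shibboleth.dist/shibboleth` instead of placing them beside the new `shibd.logger`. Note that `-n` only refuses to overwrite a file; it does not stop the same nesting for dokuwiki. Making the intent explicit would help, for example `mv -T` so a non-empty existing target is an error, or `cp -an /etc/shibboleth/. /etc/shibboleth.dist/` to merge without clobbering the shipped file. The RUN instruction starts and continues outside the hunk.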
diff --git a/content/etc/shibboleth.dist/shibd.logger b/content/etc/shibboleth.dist/shibd.logger
new file mode 100644
index 0000000..6401dd6
--- /dev/null
+++ b/content/etc/shibboleth.dist/shibd.logger
@@ -0,0 +1,108 @@
+# set overall behavior
+log4j.rootCategory=INFO, console
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.XMLObjectBuilder=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+log4j.ownAppenders.XMLTooling.Signature.Debugger=true
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+log4j.ownAppenders.Shibboleth-TRANSACTION=true
+
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+#log4j.appender.shibd_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.shibd_log.fileName=/var/log/shibboleth/shibd.log
+#log4j.appender.shibd_log.maxFileSize=1000000
+#log4j.appender.shibd_log.maxBackupIndex=10
+#log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.shibd_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+#
+#log4j.appender.warn_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.warn_log.fileName=/var/log/shibboleth/shibd_warn.log
+#log4j.appender.warn_log.maxFileSize=1000000
+#log4j.appender.warn_log.maxBackupIndex=10
+#log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.warn_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+#log4j.appender.warn_log.threshold=WARN
+#
+#log4j.appender.tran_log=org.apache.log4j.RollingFileAppender
+#log4j.appender.tran_log.fileName=/var/log/shibboleth/transaction.log
+#log4j.appender.tran_log.maxFileSize=1000000
+#log4j.appender.tran_log.maxBackupIndex=20
+#log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.tran_log.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S}|%c|%m%n
+#
+#log4j.appender.sig_log=org.apache.log4j.FileAppender
+#log4j.appender.sig_log.fileName=/var/log/shibboleth/signature.log
+#log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+#log4j.appender.sig_log.layout.ConversionPattern=%m
+
+
+log4j.rootCategory=WARN, console
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.XMLObjectBuilder=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# define the appender
+
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+#log4j.appender.console.layout=org.apache.log4j.BasicLayout
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
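Review bot: `log4j.category.Shibboleth-TRANSACTION=INFO, tran_log` and `log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log` reference appenders whose definitions are all commented out further down, and both categories set additivity to false, so nothing falls through to `console`. Depending on how the logging library treats an unknown appender name, this either rejects the configuration or drops the transaction log, which is the per-login audit trail an incident responder would look for. Routing both to the one appender that is defined keeps them in the container output: `log4j.category.Shibboleth-TRANSACTION=INFO, console` and `log4j.category.XMLTooling.Signature.Debugger=INFO, console`. The file also sets `log4j.rootCategory` twice (INFO, then WARN) and repeats the category block; keeping a single definition would make the effective level unambiguous.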
diff --git a/content/etc/supervisor/conf.d/php-fpm.conf b/content/etc/supervisor/conf.d/php-fpm.conf
index 612eeea..b2d473d 100644
--- a/content/etc/supervisor/conf.d/php-fpm.conf
+++ b/content/etc/supervisor/conf.d/php-fpm.conf
@@ -1,5 +1,5 @@
 [program:php-fpm]
-command      = /usr/sbin/php-fpm7.4 -F
+command      = /usr/sbin/php-fpm7.4 -F -O
 user         = www-data
 autorestart  = true
 startretries = 3
-- 
GitLab


From 294babb42a6cb239687a9bdf5f6a9e2a24825aa5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Mon, 3 Jan 2022 16:30:50 +0100
Subject: [PATCH 2/8] Docker-compose remove gateway

---
 docker-compose.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index b18aad5..7069933 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,7 +16,6 @@ networks:
       driver: default
       config:
       - subnet: fd00:dead:beef::/48
-        gateway: fd00:dead:beef::1
 
 services:
   dokuwiki:
-- 
GitLab


From c067a298b5ef162bf134ca98dee53f1e63283f21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Mon, 3 Jan 2022 16:36:38 +0100
Subject: [PATCH 3/8] Enable headers Apache module

---
 content/opt/dokuwiki-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/opt/dokuwiki-entrypoint.sh b/content/opt/dokuwiki-entrypoint.sh
index b04d0bf..257975a 100755
--- a/content/opt/dokuwiki-entrypoint.sh
+++ b/content/opt/dokuwiki-entrypoint.sh
@@ -53,7 +53,7 @@ if [ -f /etc/apache2/ssl/dokuwiki.crt ] && [ -f /etc/apache2/ssl/dokuwiki.key ];
 		if [ ! -f /etc/apache2/ssl/dokuwiki.chain ]; then
 		echo > /etc/apache2/ssl/dokuwiki.chain
 	fi
-	a2enmod -q ssl >/dev/null 2>&1
+	a2enmod -q ssl headers >/dev/null 2>&1
 	a2ensite -q dokuwiki-ssl >/dev/null 2>&1
 	chown www-data:www-data /etc/apache2/ssl/dokuwiki.{crt,key} || true
 
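Review bot: `headers` is enabled only inside the certificate branch, so a container started without `dokuwiki.crt` and `dokuwiki.key` never loads mod_headers. If `dokuwiki_csp.conf` sets the policy with `Header` directives (its contents are not shown), the plain-HTTP vhost that includes it later in this series would either fail to parse or serve pages without the CSP. Consider enabling the module unconditionally before this `if`, e.g. `a2enmod -q headers`, and dropping `>/dev/null 2>&1` so a failed enable shows up in the container log. The `if` block opens and closes outside the hunk.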
-- 
GitLab


From 02d509ab8a3d8ad42d9b00fe5409751037051d2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Mon, 3 Jan 2022 16:39:50 +0100
Subject: [PATCH 4/8] Add CSP and FQDN options for plain HTTP

---
 content/etc/apache2/sites-available/000-default.conf | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 content/etc/apache2/sites-available/000-default.conf

diff --git a/content/etc/apache2/sites-available/000-default.conf b/content/etc/apache2/sites-available/000-default.conf
new file mode 100644
index 0000000..ad7f1b4
--- /dev/null
+++ b/content/etc/apache2/sites-available/000-default.conf
@@ -0,0 +1,9 @@
+<VirtualHost *:80>
+	DocumentRoot /var/www/html
+
+	ErrorLog /dev/stderr
+	CustomLog /dev/stdout combined
+
+	IncludeOptional /etc/apache2/conf-available/fqdn.conf
+	IncludeOptional /etc/apache2/conf-available/dokuwiki_csp.conf
+</VirtualHost>
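Review bot: Both includes use `IncludeOptional`, so on current 2.4 releases the vhost fails open when `dokuwiki_csp.conf` is absent or was never generated: Apache starts and serves pages without the policy, and nothing is logged. If the CSP is meant to be always on for this site, `Include /etc/apache2/conf-available/dokuwiki_csp.conf` turns a missing file into a startup error. Otherwise add a comment above the two lines stating that the files are optional and which step creates them, so an operator can tell a deliberate omission from a broken deployment.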
-- 
GitLab


From b8f44c946949c2794d07cd75dbcad7278b396c37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Mon, 3 Jan 2022 16:45:23 +0100
Subject: [PATCH 5/8] New version

---
 .gitlab-ci.yml | 2 +-
 Dockerfile     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9534533..e896ccc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ before_script:
 build-stable:
   stage: build
   script:
-    - /kaniko/executor --cache=true --cache-copy-layers --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --build-arg NAME=$CI_PROJECT_NAME --build-arg BUILD_DATE=`date -u +"%d-%m-%Y-T%H:%M:%S%Z"` --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA --build-arg VCS_URL=$CI_PROJECT_URL --destination $CI_REGISTRY_IMAGE:stable --destination $CI_REGISTRY_IMAGE:20180422 --destination $CI_REGISTRY_IMAGE:20180422-1
+    - /kaniko/executor --cache=true --cache-copy-layers --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --build-arg NAME=$CI_PROJECT_NAME --build-arg BUILD_DATE=`date -u +"%d-%m-%Y-T%H:%M:%S%Z"` --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA --build-arg VCS_URL=$CI_PROJECT_URL --destination $CI_REGISTRY_IMAGE:stable --destination $CI_REGISTRY_IMAGE:20180422 --destination $CI_REGISTRY_IMAGE:20180422-2
   only:
     - stable
 
diff --git a/Dockerfile b/Dockerfile
index d33a0e4..9beb9db 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ RUN printf "Running on ${BUILDPLATFORM:-linux/amd64}, building for ${TARGETPLATF
 # Basic info
 ARG NAME
 ARG BUILD_DATE
-ARG VERSION=20180422.a-2.1
+ARG VERSION=20180422.a-2.1-2
 ARG VCS_REF
 ARG VCS_URL
 
-- 
GitLab


From 62c1b5f657263a407d56758bafb6089612c97e7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Sun, 17 Apr 2022 00:16:19 +0200
Subject: [PATCH 6/8] Resolve "Avoid HTTPS redirect for server-status endpoint"

---
 content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf b/content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf
index 4e3dc20..cb8d2f4 100644
--- a/content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf
+++ b/content/etc/apache2/sites-available/dokuwiki-ssl-redirect.conf
@@ -2,6 +2,6 @@
 	DocumentRoot /var/www
 
 	RewriteEngine On
-	RewriteCond %{REQUEST_URI} !\.well-known/acme-challenge
+	RewriteCond %{REQUEST_URI} !(\.well-known/acme-challenge|server-status)
 	RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [L]
 </VirtualHost>
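Review bot: The new alternation is unanchored, so any request whose path merely contains `server-status` (or `.well-known/acme-challenge`) skips the redirect and is answered over plain HTTP, not just the status endpoint. Anchoring both alternatives narrows the exemption to the intended paths: `RewriteCond %{REQUEST_URI} !^/(\.well-known/acme-challenge/|server-status$)`. Since `/server-status` now stays on the non-TLS listener, it is worth confirming that the handler is restricted (for example with `Require local`) in a part of the configuration this hunk does not show. The `<VirtualHost>` block opens above the hunk.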
-- 
GitLab


From ff3c9cafe67a4abfb64f4a48a3ffb007633d41ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Sun, 17 Apr 2022 00:17:54 +0200
Subject: [PATCH 7/8] New version (Closes: #6)

---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e896ccc..4494d7c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ before_script:
 build-stable:
   stage: build
   script:
-    - /kaniko/executor --cache=true --cache-copy-layers --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --build-arg NAME=$CI_PROJECT_NAME --build-arg BUILD_DATE=`date -u +"%d-%m-%Y-T%H:%M:%S%Z"` --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA --build-arg VCS_URL=$CI_PROJECT_URL --destination $CI_REGISTRY_IMAGE:stable --destination $CI_REGISTRY_IMAGE:20180422 --destination $CI_REGISTRY_IMAGE:20180422-2
+    - /kaniko/executor --cache=true --cache-copy-layers --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --build-arg NAME=$CI_PROJECT_NAME --build-arg BUILD_DATE=`date -u +"%d-%m-%Y-T%H:%M:%S%Z"` --build-arg VCS_REF=$CI_COMMIT_SHORT_SHA --build-arg VCS_URL=$CI_PROJECT_URL --destination $CI_REGISTRY_IMAGE:stable --destination $CI_REGISTRY_IMAGE:20180422 --destination $CI_REGISTRY_IMAGE:20180422-3
   only:
     - stable
 
-- 
GitLab


From 5e055566dbd9d88ef7779cbc8b2316decce7e0a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jaro=C5=A1?= <jaros@ics.muni.cz>
Date: Sun, 17 Apr 2022 00:24:17 +0200
Subject: [PATCH 8/8] Dockerfile bump version

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 9beb9db..912b4b6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ RUN printf "Running on ${BUILDPLATFORM:-linux/amd64}, building for ${TARGETPLATF
 # Basic info
 ARG NAME
 ARG BUILD_DATE
-ARG VERSION=20180422.a-2.1-2
+ARG VERSION=20180422.a-2.1-3
 ARG VCS_REF
 ARG VCS_URL
 
-- 
GitLab