From 4afa513dced3b9ef024bc366b4fc884802730d50 Mon Sep 17 00:00:00 2001
From: Toby Jaffey
Date: Mon, 12 Dec 2022 10:26:38 +0000
Subject: [PATCH] Add docker-compose support, so a working development server with HTTPS can be started with: docker-compose build && docker-compose up
---
Dockerfile | 12 +++
README.md | 13 +++
docker-compose.yaml | 27 ++++++
examples/docker-entrypoint.sh | 6 ++
examples/nginx-alpine-ssl/Dockerfile | 13 +++
examples/nginx-alpine-ssl/default.conf | 89 +++++++++++++++++++
examples/nginx-alpine-ssl/entrypoint.sh | 15 ++++
.../nginx-alpine-ssl/nginx-selfsigned.crt | 21 +++++
.../nginx-alpine-ssl/nginx-selfsigned.key | 28 ++++++
9 files changed, 224 insertions(+)
create mode 100644 Dockerfile
create mode 100644 docker-compose.yaml
create mode 100755 examples/docker-entrypoint.sh
create mode 100644 examples/nginx-alpine-ssl/Dockerfile
create mode 100644 examples/nginx-alpine-ssl/default.conf
create mode 100755 examples/nginx-alpine-ssl/entrypoint.sh
create mode 100644 examples/nginx-alpine-ssl/nginx-selfsigned.crt
create mode 100644 examples/nginx-alpine-ssl/nginx-selfsigned.key
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..05ae1fe
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,12 @@
+FROM alpine
+ENV LANG C.UTF-8
+ENV LC_ALL C.UTF-8
+RUN apk add --no-cache curl-dev build-base
+COPY . /build
+WORKDIR /build
+RUN make
+COPY examples/docker-entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/bin/sh", "/usr/local/bin/entrypoint.sh"]
+EXPOSE 8001
+CMD /build/snac
diff --git a/README.md b/README.md
index 1b7dc50..7b63d7b 100644
--- a/README.md
+++ b/README.md
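Review bot: The image never drops root: there is no `USER` instruction, so `snac httpd` runs as uid 0 and everything it writes under the bind-mounted `/data` is root-owned on the host. Add a dedicated account after `RUN make`, e.g. `RUN adduser -S -D snac` followed by `USER snac` before `ENTRYPOINT`, and make `/data` writable for that uid. `FROM alpine` is untagged, so the build floats with whatever `latest` resolves to at build time; pin it (`FROM alpine:<pinned tag>`). `CMD /build/snac` is shell form and is dead anyway — `examples/docker-entrypoint.sh` runs its own hard-coded command and never references `"$@"` — so either remove it or end the entrypoint with `exec "$@"`. The compiler toolchain (`build-base`, `curl-dev`) and the whole source tree also stay in the runtime image; a second stage that copies only the built binary out of `/build` would shrink the attack surface considerably.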
@@ -43,6 +43,19 @@ Run `make` and then `make install` as root. See the administrator manual on how to proceed from here.
+# Testing via Docker
+
+A `docker-compose` file is provided for development and testing. To start snac with an nginx HTTPS frontend, run:
+
+ docker-compose build && docker-compose up
+
+This will:
+
+- Start snac, storing data in `data/`
+- Configure snac to listen on port 8001 with a server name of `localhost` (see `examples/docker-entrypoint.sh`)
+- Create a new user `testuser` and print the user's generated password on the console (see `examples/docker-entrypoint.sh`)
+- Start nginx to handle HTTPS, using the certificate pair from `nginx-alpine-ssl/nginx-selfsigned.*` (see `examples/nginx-alpine-ssl/entrypoint.sh`)
+
 # License
 See the LICENSE file for details.
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..bc4abf7
--- /dev/null
+++ b/docker-compose.yaml
@@ -0,0 +1,27 @@
+---
+version: '3'
+
+services:
+ snac:
+ build: .
+ image: snac
+ container_name: snac
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ volumes:
+ - ./data:/data
+ ports:
+ - "8001:8001"
+
+ nginx-alpine-ssl:
+ build: examples/nginx-alpine-ssl
+ image: examples/nginx-alpine-ssl
+ container_name: nginx-alpine-ssl
+ restart: unless-stopped
+ security_opt:
+ - no-new-privileges:true
+ ports:
+ - "443:443"
+ - "80:80"
+
diff --git a/examples/docker-entrypoint.sh b/examples/docker-entrypoint.sh
new file mode 100755
index 0000000..b64e039
--- /dev/null
+++ b/examples/docker-entrypoint.sh
@@ -0,0 +1,6 @@
+if [ ! -e /data/data/server.json ]
+then
+ echo -ne "0.0.0.0\r\n8001\r\nlocalhost\r\n\r\n" | /build/snac init /data/data
+ /build/snac adduser /data/data testuser
+fi
+SSLKEYLOGFILE=/data/key /build/snac httpd /data/data
diff --git a/examples/nginx-alpine-ssl/Dockerfile b/examples/nginx-alpine-ssl/Dockerfile
new file mode 100644
index 0000000..845405d
--- /dev/null
+++ b/examples/nginx-alpine-ssl/Dockerfile
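Review bot: The `snac` service publishes `"8001:8001"`, which binds snac's plaintext HTTP listener on every host interface even though nginx already reaches it over the compose network as `snac:8001`; for a `localhost` development stack that mapping is only useful for debugging, so drop the `ports:` entry on `snac` or bind it to loopback, `- "127.0.0.1:8001:8001"`. The `nginx-alpine-ssl` service also declares no `depends_on:` on `snac`; nginx resolves the `proxy_pass http://snac:8001` hostname when it loads its config, so if it is started first it exits with a host-not-found error and only `restart: unless-stopped` papers over the race. Adding `depends_on:` / `- snac` under `nginx-alpine-ssl` makes the startup order explicit instead of relying on restarts.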
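Review bot: The last line sets `SSLKEYLOGFILE=/data/key`, which asks the TLS backend under libcurl (where the build honours that variable) to append the session secrets of every outbound HTTPS connection snac makes to `/data/key` — i.e. into the host-mounted `./data` directory, in a file nothing rotates or protects; that is a packet-capture debugging aid and should not be in the default entrypoint. Drop the prefix, `/build/snac httpd /data/data`, or gate it behind an explicit opt-in variable. The script also has no shebang and no `set -e`, so a failed `snac init` still falls through to `adduser` and `httpd` against a half-initialised data directory; start it with `#!/bin/sh` and `set -e`. It never references `"$@"`, which makes the `CMD /build/snac` in the root `Dockerfile` unreachable; ending with `exec "$@"` (or dropping that CMD) would make the two agree.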
@@ -0,0 +1,13 @@
+FROM alpine
+RUN apk add nginx
+RUN mkdir -p /run/nginx
+ADD default.conf /etc/nginx/http.d/default.conf
+ADD *.key /etc/ssl/private/
+ADD *.crt /etc/ssl/certs/
+WORKDIR /var/www/localhost/htdocs
+COPY entrypoint.sh /usr/local/bin
+RUN chmod +x /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/bin/sh", "/usr/local/bin/entrypoint.sh"]
+#EXPOSE 80
+EXPOSE 443
+CMD ["/bin/sh", "-c", "nginx -g 'daemon off;'; nginx -s reload;"]
diff --git a/examples/nginx-alpine-ssl/default.conf b/examples/nginx-alpine-ssl/default.conf
new file mode 100644
index 0000000..22db0df
--- /dev/null
+++ b/examples/nginx-alpine-ssl/default.conf
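Review bot: `ADD *.key /etc/ssl/private/` bakes whatever private keys sit in the build context into an image layer, and `ADD *.crt /etc/ssl/certs/` does the same for certificates; for the committed self-signed pair that only costs reproducibility, but the glob means a real key dropped into this directory ends up in every pushed copy of the image. Prefer mounting the pair at runtime (a compose `volumes:` entry onto `/etc/ssl/private` and `/etc/ssl/certs`), and use `COPY` rather than `ADD` for the local files that remain. The PEM added by this patch also decodes to a subject and SAN of `mydomain.com` with a one-year validity window starting 2022-12-12, so clients connecting to `localhost` get a hostname mismatch and, after that year, an expired certificate — a one-line note here on regenerating it for `localhost` would save the next user a confusing failure. `FROM alpine` should be pinned (`FROM alpine:<pinned tag>`) and `apk add nginx` should be `apk add --no-cache nginx` so the package index is not left in the layer.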
@@ -0,0 +1,89 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+ ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+
+ location /.well-known/webfinger {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_redirect off;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+ proxy_buffering on;
+ tcp_nodelay on;
+ proxy_pass http://snac:8001;
+ proxy_set_header Host $http_host;
+ }
+
+ location /.well-known/nodeinfo {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_redirect off;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+ proxy_buffering on;
+ tcp_nodelay on;
+ proxy_pass http://snac:8001;
+ proxy_set_header Host $http_host;
+ }
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_redirect off;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+ proxy_buffering on;
+ tcp_nodelay on;
+ proxy_pass http://snac:8001;
+ proxy_set_header Host $http_host;
+ }
+
+ location /fedi/ {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_redirect off;
+ proxy_connect_timeout 90;
+ proxy_send_timeout 90;
+ proxy_read_timeout 90;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+ proxy_buffering on;
+ tcp_nodelay on;
+ proxy_pass http://snac:8001;
+ proxy_set_header Host $http_host;
+ }
+}
+
diff --git a/examples/nginx-alpine-ssl/entrypoint.sh b/examples/nginx-alpine-ssl/entrypoint.sh
new file mode 100755
index 0000000..5432d46
--- /dev/null
+++ b/examples/nginx-alpine-ssl/entrypoint.sh
@@ -0,0 +1,15 @@
+cd /etc/nginx/http.d;
+export CRT="${CRT:=nginx-selfsigned.crt}";
+if [ -f "/etc/ssl/certs/$CRT" ]
+then
+ # set crt file in the default.conf file
+ sed -i "/ssl_certificate \//c\\\tssl_certificate \/etc\/ssl\/certs\/$CRT;" default.conf;
+fi
+export KEY="${KEY:=nginx-selfsigned.key}";
+if [ -f "/etc/ssl/private/$KEY" ]
+then
+ # set key file in the default.conf file
+ sed -i "/ssl_certificate_key \//c\\\tssl_certificate_key \/etc\/ssl\/private\/$KEY;" default.conf;
+fi
+nginx -g 'daemon off;'; nginx -s reload;
+
diff --git a/examples/nginx-alpine-ssl/nginx-selfsigned.crt b/examples/nginx-alpine-ssl/nginx-selfsigned.crt
new file mode 100644
index 0000000..ac607a1
--- /dev/null
+++ b/examples/nginx-alpine-ssl/nginx-selfsigned.crt
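Review bot: Every `location` block sets `proxy_set_header Host` twice, first `$host` and then `$http_host`; as far as I can tell nginx emits each directive as written rather than deduplicating them, so snac receives two `Host` headers and may pick a different one from the `localhost` server name it was initialised with. Keep only `proxy_set_header Host $http_host;` and delete the `$host` line in each block. The `listen 80` / `listen [::]:80` lines also serve the whole proxied site in plaintext with no redirect, so a client that types the bare hostname never reaches TLS; the usual shape is a separate `server { listen 80 default_server; return 301 https://$host$request_uri; }` and only the `443 ssl` listeners in this one. The four `location` blocks are byte-for-byte identical and `location /` already covers `/.well-known/*` and `/fedi/`, so the file collapses to a single block.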
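Review bot: The final line, `nginx -g 'daemon off;'; nginx -s reload;`, runs nginx as a child of the `/bin/sh` that is PID 1, so `docker stop` delivers SIGTERM to the shell and nginx only dies when the runtime escalates to SIGKILL after the grace period; the trailing `nginx -s reload` cannot run while nginx is alive and is pointless once it has exited. Replace that line with `exec nginx -g 'daemon off;'`. The same missing `exec "$@"` makes the `CMD` in `examples/nginx-alpine-ssl/Dockerfile` unreachable. The script also has no shebang and no `set -e`, so a failed `cd /etc/nginx/http.d` still lets both `sed -i … default.conf` calls and the nginx start run anyway; open it with `#!/bin/sh` and `set -e`.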
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDjDCCAnSgAwIBAgIUCCSqvSfnCK67C4JNfoiXUXyTIK4wDQYJKoZIhvcNAQEL +BQAwSTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAlFDMRYwFAYDVQQKDA1Db21wYW55 +LCBJbmMuMRUwEwYDVQQDDAxteWRvbWFpbi5jb20wHhcNMjIxMjEyMTAwNzU1WhcN +MjMxMjEyMTAwNzU1WjBJMQswCQYDVQQGEwJDQTELMAkGA1UECAwCUUMxFjAUBgNV +BAoMDUNvbXBhbnksIEluYy4xFTATBgNVBAMMDG15ZG9tYWluLmNvbTCCASIwDQYJ +KoZIhvcNAQEBBQADggEPADCCAQoCggEBANss2w/GUwKcoUxHsWDfnldEuJzwx3Jr +oRvTZY7ZcEM8vsVW8Xi61jpo2H/Uqv+3jl6+R6UFL1IKQUY0jn9KatYkfrHdHcYx +RwH8yLKWfCY9/qrPE8NzYQMkeNUqu5oGWDMFoCcGAuHOzB+v6JR2/0zaEavi96dZ +ZwjijdZtZAB9BuqD5R5dmVBV1fYSWM/X0/KN2RPpoBRak+HmpoZfimut9rMAPjay +WjVxQCR/kCL6OlfLL5CFp6e6u9pczRNTLr0QODmyQGIBd4Rjh1JQD2K1c1QN4ztw +ExGW+gqe7CGuwVfPSjlUsE1kiC11KreAWadLiovOp4Th6lygeaYg4R8CAwEAAaNs +MGowHQYDVR0OBBYEFE/ykxo/J5z2IT9Zuk3uwk+NAb4eMB8GA1UdIwQYMBaAFE/y +kxo/J5z2IT9Zuk3uwk+NAb4eMA8GA1UdEwEB/wQFMAMBAf8wFwYDVR0RBBAwDoIM +bXlkb21haW4uY29tMA0GCSqGSIb3DQEBCwUAA4IBAQA/8ptI9ncISkYBDz8hUmWE +WkBsSFs2BTBvUQ4bsdXmV3AkC1BFw0meW3kNL/4ptkSsOvVj4imBjG906UfyXw5l +TyegRn2pA13IqBgl0Fs0+qlg5a/a+UgMZHmJeCsOZ3gJCG/mqJ0MyE8vUCUcD1oZ +XGsUgOUkiK/eMN6r4kW6SsBs7iapDpascvmGz4VuzYpBy+qOGayfCOt4h/hS9VEC +ErZo1L6jJFBApM1Jxmd7yYWJeQAkN1/LjdYJltSZ4dNlw6ewzK/Px0hGeEzr60M7 ++JgGuAuxIdp3pTYZwB5TqZ5v/bvapzPgK4A7COBOj1N3uqJiTmYErKwx201AP3BQ +-----END CERTIFICATE----- diff --git a/examples/nginx-alpine-ssl/nginx-selfsigned.key b/examples/nginx-alpine-ssl/nginx-selfsigned.key new file mode 100644 index 0000000..f26cf84 --- /dev/null +++ b/examples/nginx-alpine-ssl/nginx-selfsigned.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDbLNsPxlMCnKFM +R7Fg355XRLic8Mdya6Eb02WO2XBDPL7FVvF4utY6aNh/1Kr/t45evkelBS9SCkFG +NI5/SmrWJH6x3R3GMUcB/MiylnwmPf6qzxPDc2EDJHjVKruaBlgzBaAnBgLhzswf +r+iUdv9M2hGr4venWWcI4o3WbWQAfQbqg+UeXZlQVdX2EljP19PyjdkT6aAUWpPh +5qaGX4prrfazAD42slo1cUAkf5Ai+jpXyy+QhaenurvaXM0TUy69EDg5skBiAXeE +Y4dSUA9itXNUDeM7cBMRlvoKnuwhrsFXz0o5VLBNZIgtdSq3gFmnS4qLzqeE4epc +oHmmIOEfAgMBAAECggEBAJDckN1YQ71SMPnt2LsikdE0RqDUM77YjF+L1XAZHy4R +lDVyRZ96PeXVLmMu+OaTN7I/KbNUPfaHeKUiT5yqXvqynFqKvwcjwr75iN0gwWW1 +TAExZOql89TT4lliKSSgVONEMJoaSwVcXWYEKkEWdZ8h8tQc63rciFFDDGRRYOtA +fmMb3tOmnJqGu4PDq4vnVv7YiCXvNZiVOz99AsW0Y1ptSMyQrxyLjdr+wxClh0UV +uGFcFIJJwsvBGDNb6G3Wy3vJHkkqMEhPwfP/AkHZMdQKdZ15V/WAOP8xKXW205jY +Lu0mCbv2Udaait+fjZhM/JoemPLApwLNVRpwV5QfGwECgYEA9X/fjVPhJZ42LrP0 +Z4j2tj47DLtHLktrd84OA4BV4I+JjTvddJfXCtEk1m59vpzutJEYpy/bII84JWuE +H1cMv8epS4Yfi/2RoB8ADO7E0L/BPAND7zjCHIqryiZY7ubp/71/jaOF0ZCugqbi +YK7sl9H7qj1u+cC4+pab9ue/IyECgYEA5Iy90M7f7bI+6tS2/k4eroLxGWAJqRSj +D2DjYTd/gPgm8jCDhnmbicquP2YBTIIdaNiREh19pvQs/JRo+tbsGKgSQbjLdM8Z +8WzmhrNJH/fF/Vmi8DYSg4VScZgyjJX5T1FsRup8r53hxVpyRtTEJLOzSfJDEE1L +eb09EeHrvD8CgYAOKdt25uD1b6RGm4E9O+yn5P05JdDcfeNsXQn3776EnyNbb5m+ +MUhpylkqueMtTRaEel6Gvr8QqNKfbg2IVVhZ9CXzQoCtbeqp5z/0fw4B0R5P3Qxd +T9P7G5D/r6iv18imRYOHY2jEB2naBdDHrS/fLnEriDHP3OuPIYNMAmDHoQKBgQCQ +Py/yIQ9+Axjot7aDTKTaubQXsuCGAYtkwl7gVdm4eWaDRxFMB2aekfhl9ShutFSB +fuYYy9opTEU0aSrU3l8GtNVI+6wVnjyefoAElhVaAtTIMRHAkDAhKD0/irKkvmcq +o5Y2L/rgEEKVf59Oiyz8iRpoWmnvWQmA3Wo05iUVmwKBgHTh1q1PTUzgvL0uNNZ3 +Kttp/U81I0C0TEyLFt/WfAD6ZrsG3GMq5IqN2CkOvPSDCrdxAxiDuxK7l3/gWU6s +9EtoG2gZb5SyU6hZ0isuokaeAyuueDEco38AFXSvmt/jxvdzilYW/n5+HNoV2XL1 +CBv1Y6Ouy7rA3Q9C7WPb43m4 +-----END PRIVATE KEY-----