author | Johan Lundberg <lundberg@nordu.net> | 2015-04-09 18:53:06 +0200 |
committer | Johan Lundberg <lundberg@nordu.net> | 2015-04-09 18:53:06 +0200 |
commit | eadb0ebe5eb0d1e5fcff88e8322f5e3a44d6c93f (patch) | |
tree | a917ff3b3bf2aaa89e1c388f61a8de3c6a4dce17 | |
parent | a865ae975c75b1ce321c4e56c9fbd0625623c4a7 (diff) |
Added Jetty configuration and start command.
-rw-r--r-- | Dockerfile | 12 | ||||
-rw-r--r-- | README | 5 | ||||
-rw-r--r-- | jetty_conf/idp.xml | 10 | ||||
-rw-r--r-- | jetty_conf/jetty-https.xml | 66 | ||||
-rw-r--r-- | jetty_conf/jetty-ssl.xml | 64 | ||||
-rw-r--r-- | jetty_conf/ssl.mod | 34 | ||||
-rw-r--r-- | jetty_conf/start.ini | 28 | ||||
-rw-r--r-- | start.sh | 8 |
8 files changed, 223 insertions, 4 deletions
@@ -7,8 +7,8 @@ RUN apt-get update && \ apt-get install -y wget # Download and install jetty -ENV JETTY_VERSION 9.2.7 -ENV RELEASE_DATE v20150116 +ENV JETTY_VERSION 9.2.10 +ENV RELEASE_DATE v20150310 RUN wget http://download.eclipse.org/jetty/stable-9/dist/jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \ tar -xzvf jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \ rm -rf jetty-distribution-${JETTY_VERSION}.${RELEASE_DATE}.tar.gz && \ @@ -19,6 +19,14 @@ RUN useradd jetty && \ chown -R jetty:jetty /opt/jetty && \ rm -rf /opt/jetty/webapps.demo +# Add configuration files +ADD jetty_conf /jetty_conf +RUN mv /jetty_conf/start.ini /opt/jetty/start.ini && \ + mv /jetty_conf/jetty-ssl.xml /opt/jetty/etc/jetty-ssl.xml && \ + mv /jetty_conf/jetty-https.xml /opt/jetty/etc/jetty-https.xml && \ + mv /jetty_conf/ssl.mod /opt/jetty/modules/ssl.mod && \ + mv /jetty_conf/idp.xml /opt/jetty/webapps/idp.xml + # Download shibboleth-idp ENV IDP_VERSION 3.0.0 RUN wget https://shibboleth.net/downloads/identity-provider/${IDP_VERSION}/shibboleth-identity-provider-${IDP_VERSION}.tar.gz && \ @@ -0,0 +1,5 @@ +How to run: + +docker run -it -e ENTITY_ID=entityid -e HOSTNAME=hostname -e SCOPE=scope -e COOKIE_PASSWORD=cookiepass -e TLS_PASSWORD=tlspass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ shibidp install + +docker run -d -e PKCS12_PASSWORD=pkcs12pass -v docker-shibboleth-idp/conf/:/opt/shibboleth-idp/conf/ -v docker-shibboleth-idp/credentials/:/opt/shibboleth-idp/credentials/ -v docker-shibboleth-idp/edit-webapp/:/opt/shibboleth-idp/edit-webapp/ -v docker-shibboleth-idp/logs/:/opt/jetty/logs/ -p 443:8443 shibidp diff --git a/jetty_conf/idp.xml b/jetty_conf/idp.xml new file mode 100644 index 0000000..cdeed1e --- /dev/null +++ b/jetty_conf/idp.xml 
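Review bot: The new `ADD jetty_conf /jetty_conf` and `RUN mv ...` lines run after the context line `chown -R jetty:jetty /opt/jetty`, so start.ini, etc/jetty-ssl.xml, etc/jetty-https.xml, modules/ssl.mod and webapps/idp.xml end up root-owned inside /opt/jetty (ADD writes as root and mv keeps ownership); this matters because start.sh later rewrites modules/ssl.mod in place at container start, which fails if Jetty is started as the jetty user (the USER line is not visible in this diff, so confirm). Move the `chown -R jetty:jetty /opt/jetty` below the mv lines, or add a chown for the moved files. The moves also leave an empty /jetty_conf behind; `COPY` straight into the target paths avoids that, and `COPY` is the better choice for local files since `ADD` also fetches URLs and auto-extracts archives. The bumped JETTY_VERSION/RELEASE_DATE still feed the plain-http `wget` of the Jetty tarball with no checksum comparison; recording the expected SHA-256 and checking it before `tar -xzvf` lets the build detect a tampered or corrupted download.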
@@ -0,0 +1,10 @@
+<Configure class="org.eclipse.jetty.webapp.WebAppContext">
+ <Set name="war">
+ <SystemProperty name="idp.home" />
+ /war/idp.war
+ </Set>
+ <Set name="contextPath">/idp</Set>
+ <Set name="extractWAR">false</Set>
+ <Set name="copyWebDir">false</Set>
+ <Set name="copyWebInf">true</Set>
+</Configure>
diff --git a/jetty_conf/jetty-https.xml b/jetty_conf/jetty-https.xml
new file mode 100644
index 0000000..8078f9b
--- /dev/null
+++ b/jetty_conf/jetty-https.xml
@@ -0,0 +1,66 @@
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<!-- ============================================================= -->
+<!-- Configure HTTPS connectors. -->
+<!-- This configuration must be used in conjunction with jetty.xml -->
+<!-- and jetty-ssl.xml. -->
+<!-- ============================================================= -->
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+ <!-- ============================================================= -->
+ <!-- Anonymous (no client TLS) HTTPS connector -->
+ <!-- ============================================================= -->
+ <Call id="httpsConnector" name="addConnector">
+ <Arg>
+ <New class="org.eclipse.jetty.server.ServerConnector">
+ <Arg name="server">
+ <Ref refid="Server" />
+ </Arg>
+ <Arg name="acceptors" type="int">
+ <Property name="ssl.acceptors" default="-1" />
+ </Arg>
+ <Arg name="selectors" type="int">
+ <Property name="ssl.selectors" default="-1" />
+ </Arg>
+ <Arg name="factories">
+ <Array type="org.eclipse.jetty.server.ConnectionFactory">
+ <Item>
+ <New class="org.eclipse.jetty.server.SslConnectionFactory">
+ <Arg name="next">http/1.1</Arg>
+ <Arg name="sslContextFactory">
+ <Ref refid="sslContextFactory" />
+ </Arg>
+ </New>
+ </Item>
+ <Item>
+ <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+ <Arg name="config">
+ <Ref refid="sslHttpConfig" />
+ </Arg>
+ </New>
+ </Item>
+ </Array>
+ </Arg>
+ <Set name="host">
+ <Property name="jetty.host" />
+ </Set>
+ <Set name="port">
+ <Property name="https.port" />
+ </Set>
+ <Set name="idleTimeout">
+ <Property name="https.timeout" default="30000" />
+ </Set>
+ <Set name="soLingerTime">
+ <Property name="https.soLingerTime" default="-1" />
+ </Set>
+ <Set name="acceptorPriorityDelta">
+ <Property name="ssl.acceptorPriorityDelta" default="0" />
+ </Set>
+ <Set name="selectorPriorityDelta">
+ <Property name="ssl.selectorPriorityDelta" default="0" />
+ </Set>
+ <Set name="acceptQueueSize">
+ <Property name="https.acceptQueueSize" default="0" />
+ </Set>
+ </New>
+ </Arg>
+ </Call>
+</Configure>
diff --git a/jetty_conf/jetty-ssl.xml b/jetty_conf/jetty-ssl.xml
new file mode 100644
index 0000000..b822ae5
--- /dev/null
+++ b/jetty_conf/jetty-ssl.xml
@@ -0,0 +1,64 @@
+<?xml version="1.0"?>
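Review bot: `<Property name="https.port" />` inside `<Set name="port">` has no `default`, and nothing added in this commit defines `https.port` — start.ini sets no properties at all and ssl.mod sets `jetty.secure.port=8443`, which is a different property — so the connector's port depends on what an unresolved property yields rather than on the 8443 the README's `-p 443:8443` mapping expects. Every other numeric property in this file carries a default; give this one `<Property name="https.port" default="8443" />`, or add `https.port=8443` to start.ini. `jetty.host` is likewise unset, which binds every interface; that is reasonable inside a container, but a one-line comment next to the `host` setter saying so would spare the next reader a search.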
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd" >
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+ <!-- ============================================================= -->
+ <!-- TLS context factory without client auth -->
+ <!-- ============================================================= -->
+ <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+ <Set name="KeyStorePath">
+ <Property name="jetty.keystore" />
+ </Set>
+ <Set name="KeyStoreType">
+ <Property name="jetty.keystore.type" />
+ </Set>
+ <Set name="KeyStorePassword">
+ <Property name="jetty.keystore.password" />
+ </Set>
+ <Set name="EndpointIdentificationAlgorithm" />
+ <Set name="NeedClientAuth">false</Set>
+ <Set name="WantClientAuth">false</Set>
+ <Set name="excludeProtocols">
+ <Array type="String">
+ <Item>SSLv3</Item>
+ </Array>
+ </Set>
+ <Set name="IncludeCipherSuites">
+ <Array type="String">
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
+ <Item>TLS_RSA_WITH_AES_128_GCM_SHA256</Item>
+ <Item>TLS_RSA_WITH_AES_256_GCM_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</Item>
+ <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
+ <Item>TLS_RSA_WITH_AES_256_CBC_SHA384</Item>
+ <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
+ <Item>TLS_RSA_WITH_AES_256_CBC_SHA</Item>
+ </Array>
+ </Set>
+ </New>
+ <!-- =========================================================== -->
+ <!-- Create a TLS specific HttpConfiguration based on the -->
+ <!-- common HttpConfiguration defined in jetty.xml -->
+ <!-- Add a SecureRequestCustomizer to extract certificate and -->
+ <!-- session information -->
+ <!-- =========================================================== -->
+ <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+ <Arg>
+ <Ref refid="httpConfig" />
+ </Arg>
+ <Call name="addCustomizer">
+ <Arg>
+ <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
+ </Arg>
+ </Call>
+ </New>
+</Configure>
diff --git a/jetty_conf/ssl.mod b/jetty_conf/ssl.mod
new file mode 100644
index 0000000..77ceb76
--- /dev/null
+++ b/jetty_conf/ssl.mod
@@ -0,0 +1,34 @@
+#
+# SSL Keystore module
+#
+
+[depend]
+server
+
+[xml]
+etc/jetty-ssl.xml
+
+[ini-template]
+### SSL Keystore Configuration
+# define the port to use for secure redirection
+jetty.secure.port=8443
+
+## Setup a demonstration keystore and truststore
+jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12
+
+## Set the demonstration passwords.
+## Note that OBF passwords are not secure, just protected from casual observation
+## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
+jetty.keystore.password=
+
+### Set the client auth behavior
+## Set to true if client certificate authentication is required
+# jetty.ssl.needClientAuth=true
+## Set to true if client certificate authentication is desired
+# jetty.ssl.wantClientAuth=true
+
+## Parameters to control the number and priority of acceptors and selectors
+# ssl.selectors=1
+# ssl.acceptors=1
+# ssl.selectorPriorityDelta=0
+# ssl.acceptorPriorityDelta=0
diff --git a/jetty_conf/start.ini b/jetty_conf/start.ini
new file mode 100644
index 0000000..460dd32
--- /dev/null
+++ b/jetty_conf/start.ini
@@ -0,0 +1,28 @@
+# Required Jetty modules
+--module=server
+--module=deploy
+--module=annotations
+--module=resources
+--module=logging
+--module=requestlog
+--module=https
+--module=ssl
+--module=servlets
+--module=jsp
+--module=jstl
+--module=ext
+--module=plus
+
+# Allows setting Java system properties (-Dname=value)
+# and JVM flags (-X, -XX) in this file
+# NOTE: spawns child Java process
+--exec
+
+# IDP home
+-Didp.home=/opt/shibboleth-idp
+
+# Maximum amount of memory that Jetty may use, at least 512M is recommended
+-Xmx512m
+# Maximum amount of memory allowed for the JVM permanent generation
+-XX:MaxPermSize=128m
+
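Review bot: `<Set name="KeyStoreType"><Property name="jetty.keystore.type" /></Set>` reads a property that no file in this commit defines, while ssl.mod points `jetty.keystore` at a `.p12` file; an unset type will not select PKCS12, so the keystore load is likely to fail or fall back to the wrong format at startup (the exact failure depends on how an undefined property is passed to the setter — verify). Pin it here with `<Property name="jetty.keystore.type" default="PKCS12" />`, or define `jetty.keystore.type=PKCS12` in start.ini. On the TLS policy: `excludeProtocols` lists only SSLv3, and `IncludeCipherSuites` keeps the static-RSA and CBC suites (`TLS_RSA_*`, `*_CBC_*`), which offer no forward secrecy; a comment above the array stating that this ordering is a deliberate browser-compatibility choice, and noting TLSv1/TLSv1.1 and the `TLS_RSA_*` entries as the candidates to drop later, would keep that decision visible to the next maintainer. The `sslHttpConfig` block depends on `httpConfig` being defined by the stock jetty.xml that the `server` module loads, as the header comment says; worth keeping that comment in sync if jetty.xml is ever replaced too.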
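Review bot: The keystore settings sit under `[ini-template]`, which in Jetty's module format is the text copied into start.ini when a module is added with `--add-to-start`; whether start.jar also applies it at runtime for a module that is merely listed as `--module=ssl` in a hand-written start.ini needs verifying, because if it does not, `jetty.keystore` and `jetty.keystore.password` stay undefined and the `sed` in start.sh rewrites a file Jetty never consults for properties. Putting `jetty.keystore=/opt/shibboleth-idp/credentials/idp-browser.p12`, `jetty.keystore.type=PKCS12` and the password property into start.ini removes the doubt. The commented hints `# jetty.ssl.needClientAuth=true` and `# jetty.ssl.wantClientAuth=true` are misleading: the jetty-ssl.xml added in this commit hard-codes `<Set name="NeedClientAuth">false</Set>` and `<Set name="WantClientAuth">false</Set>` and never reads those properties, so either drop the hints or wire the XML back to `<Property name="jetty.ssl.needClientAuth" default="false" />`. The file's own comment notes that an OBF password is only obscured, and the value start.sh writes here is plaintext; a comment saying the file is regenerated at container start from `PKCS12_PASSWORD` would make that lifecycle explicit.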
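Review bot: `-XX:MaxPermSize=128m` only applies to JVMs that still have a permanent generation; on Java 8 HotSpot the option is ignored with a startup warning (the JDK in the base image is not visible in this diff, so confirm which one is installed). If it is Java 8, drop the flag or replace it with `-XX:MaxMetaspaceSize=128m` and update the comment line above it accordingly. A short comment noting that the `https` and `ssl` modules expect `https.port`, `jetty.keystore`, `jetty.keystore.type` and `jetty.keystore.password` to be defined — none of them is set in this file — would also help, since start.ini is the natural place for them.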
@@ -7,13 +7,17 @@ case "$*" in start) # Upgrade/Recreate war ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp + # Set Jetty tls cert password + sed -i "/jetty.keystore.password=/c\jetty.keystore.password=$PKCS12_PASSWORD" /opt/jetty/modules/ssl.mod + # Start Jetty + cd /opt/jetty/ && /usr/bin/java -jar start.jar ;; install) -# Fresh install + # Fresh install cat>/tmp/entity_id<<EOF idp.entityID= ${ENTITY_ID} EOF - ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp -Didp.host.name ${HOSTNAME} -Didp.scope ${SCOPE} -Didp.sealer.password ${COOKIE_PASSWORD} -Didp.keystore.password ${TLS_PASSWORD} -Didp.merge.properties /tmp/entity_id -Didp.noprompt + ./bin/install.sh -Didp.src.dir /opt/shibboleth-identity-provider-${IDP_VERSION}/ -Didp.target.dir /opt/shibboleth-idp -Didp.host.name ${HOSTNAME} -Didp.scope ${SCOPE} -Didp.sealer.password ${COOKIE_PASSWORD} -Didp.keystore.password ${TLS_PASSWORD} -Didp.merge.properties /tmp/entity_id -Didp.noprompt ;; debug) /bin/bash |
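Review bot: `$PKCS12_PASSWORD` is spliced unescaped into the sed program on the new `sed -i "/jetty.keystore.password=/c\jetty.keystore.password=$PKCS12_PASSWORD"` line, so a password containing `/`, `&` or `\` alters the sed command instead of landing in the file, and an unset variable silently writes an empty password. Escape at least those characters first, e.g. `esc=$(printf '%s' "$PKCS12_PASSWORD" | sed 's/[\/&\\]/\\&/g')` and use `$esc` in the expression, and guard with `: "${PKCS12_PASSWORD:?PKCS12_PASSWORD not set}"` before the sed. The new `cd /opt/jetty/ && /usr/bin/java -jar start.jar` should `exec` Java so it becomes the container's main process and receives the SIGTERM from `docker stop` directly: `cd /opt/jetty/ && exec /usr/bin/java -jar start.jar`. The enclosing `case "$*" in` statement begins before this hunk.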