From ea97e4e0542f13506277ebb3cfcc5c1d5e5fd912 Mon Sep 17 00:00:00 2001 From: Jesper Brix Rosenkilde Date: Fri, 7 Jul 2017 14:15:04 +0200 Subject: remove mac file --- jetty_base/start.d/.DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 jetty_base/start.d/.DS_Store diff --git a/jetty_base/start.d/.DS_Store b/jetty_base/start.d/.DS_Store deleted file mode 100644 index 5008ddf..0000000 Binary files a/jetty_base/start.d/.DS_Store and /dev/null differ -- cgit v1.1 From 57b57805b3e3f60557e8659d7608e32da9c1a419 Mon Sep 17 00:00:00 2001 From: Jesper Brix Rosenkilde Date: Fri, 7 Jul 2017 14:57:41 +0200 Subject: Use env var --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c8ec340..5f36e54 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,6 +21,6 @@ RUN chown -R jetty:jetty /opt/shibboleth-idp #RUN mkdir -p persistent-id && sqlite3 persistent-id/shibboleth.db < /tmp/shibboleth.db.ddl && rm -f /tmp/shibboleth.db.ddl -COPY jetty_base /var/lib/jetty +COPY jetty_base $JETTY_BASE WORKDIR $JETTY_BASE -- cgit v1.1 From 6f4cfe32c9513dda74829217f272d98a936b62fe Mon Sep 17 00:00:00 2001 From: Jesper Brix Rosenkilde Date: Fri, 7 Jul 2017 14:58:12 +0200 Subject: Add sp --- apache-sp/Dockerfile | 16 ++++++++++++ apache-sp/apache-conf/sp.conf | 57 +++++++++++++++++++++++++++++++++++++++++ apache-sp/entrypoint.sh | 40 +++++++++++++++++++++++++++++ apache-sp/secure/index.haml | 10 ++++++++ apache-sp/secure/index.shtml | 12 +++++++++ apache-sp/shibd/shibboleth2.xml | 38 +++++++++++++++++++++++++++ 6 files changed, 173 insertions(+) create mode 100644 apache-sp/Dockerfile create mode 100644 apache-sp/apache-conf/sp.conf create mode 100644 apache-sp/entrypoint.sh create mode 100644 apache-sp/secure/index.haml create mode 100644 apache-sp/secure/index.shtml create mode 100644 apache-sp/shibd/shibboleth2.xml 
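Review bot: `COPY jetty_base $JETTY_BASE` lands the copied tree owned by root, after the `chown -R jetty:jetty /opt/shibboleth-idp` two lines above, so anything Jetty writes under its base (work/, logs/, or files under start.d) fails unless the process still runs as root; consider `COPY --chown=jetty:jetty jetty_base $JETTY_BASE` (Docker >= 17.09) or a following `RUN chown -R jetty:jetty $JETTY_BASE`. The expansion itself is fine only if `ENV JETTY_BASE` is set earlier in this Dockerfile, which is outside the hunk (the context `WORKDIR $JETTY_BASE` suggests it is). The `FROM` and any `USER` line are also outside the hunk, so whether Jetty actually drops privileges cannot be confirmed here.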
diff --git a/apache-sp/Dockerfile b/apache-sp/Dockerfile
new file mode 100644
index 0000000..51cc408
--- /dev/null
+++ b/apache-sp/Dockerfile
@@ -0,0 +1,16 @@
+FROM debian:jessie
+MAINTAINER Markus Krogh
+
+RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
+RUN apt-get update && apt-get -y install apache2 libapache2-mod-shib2 ssl-cert curl
+RUN a2enmod shib2 headers ssl
+
+RUN rm -f /etc/apache2/sites-available/* /etc/apache2/sites-enabled/*
+ADD apache-conf/*.conf /etc/apache2/sites-available/
+ADD shibd/shibboleth2.xml /etc/shibboleth/
+ADD secure /var/www/secure
+ADD entrypoint.sh /entrypoint.sh
+RUN chmod a+rx /entrypoint.sh
+EXPOSE 443
+EXPOSE 80
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/apache-sp/apache-conf/sp.conf b/apache-sp/apache-conf/sp.conf
new file mode 100644
index 0000000..3de6bf4
--- /dev/null
+++ b/apache-sp/apache-conf/sp.conf
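Review bot: The four `ADD` lines copy plain local files, where `COPY` is the explicit instruction (`ADD` additionally auto-extracts archives and fetches URLs), so `ADD apache-conf/*.conf /etc/apache2/sites-available/` and the three that follow should be `COPY`. The package layer installs recommends and leaves the apt lists in the image; `RUN apt-get update && apt-get install -y --no-install-recommends apache2 libapache2-mod-shib2 ssl-cert curl && rm -rf /var/lib/apt/lists/*` keeps the SP image smaller and reduces what has to be patched. `FROM debian:jessie` floats with every rebuild, so pin a digest if reproducible SP builds matter, and `MAINTAINER` is deprecated in favour of `LABEL`. Apache has to start as root to bind 443/80 and drops to www-data itself, so the missing `USER` is acceptable here, but worth a comment.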
@@ -0,0 +1,57 @@ +ServerName __SP_HOSTNAME__ +SSLProtocol all -SSLv2 -SSLv3 +SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS +SSLHonorCipherOrder on + + + ServerName __SP_HOSTNAME__ + DocumentRoot /var/www/ + + + ServerName idp.nordu.dev + SSLEngine On + SSLCertificateFile __KEYDIR__/certs/__SP_HOSTNAME__.crt + SSLCertificateKeyFile __KEYDIR__/private/__SP_HOSTNAME__.key + ProxyPass / http://shibboleth-docker:8080/ + + + ServerName __SP_HOSTNAME__ + SSLEngine On + SSLCertificateFile __KEYDIR__/certs/__SP_HOSTNAME__.crt + SSLCertificateKeyFile __KEYDIR__/private/__SP_HOSTNAME__.key + DocumentRoot /var/www/ + + Alias /shibboleth-sp/ /usr/share/shibboleth/ + AddDefaultCharset utf-8 + + HostnameLookups Off + ErrorLog /proc/self/fd/2 + LogLevel warn + LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined + LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %O" common + LogFormat "%{Referer}i -> %U" referer + LogFormat "%{User-agent}i" agent + CustomLog /proc/self/fd/1 combined + ServerSignature off + + + + AuthType shibboleth + ShibRequireSession On + require valid-user + Options +Includes + Header set X_REMOTE_USER %{eppn}e + Header set EPPN %{eppn}e + Header set GIVENNAME %{givenName}e + Header set DISPLAYNAME %{displayName}e + Header set 
SN %{sn}e + Header set MAIL %{mail}e + Header set AFFILIATION %{affiliation}e + Header set UNSCOPED_AFFILIATION %{unscoped_affiliation}e + Header set UID %{uid}e + + AddType text/html .shtml + AddOutputFilter INCLUDES .shtml + + diff --git a/apache-sp/entrypoint.sh b/apache-sp/entrypoint.sh new file mode 100644 index 0000000..30714c4 --- /dev/null +++ b/apache-sp/entrypoint.sh @@ -0,0 +1,40 @@ +#!/bin/sh +# Setup ssl keys +KEYDIR=/etc/ssl +export KEYDIR +if [ ! -f "$KEYDIR/private/shibsp.key" -o ! -f "$KEYDIR/certs/shibsp.crt" ]; then + shib-keygen -o /tmp -h $SP_HOSTNAME #2>/dev/null + mv /tmp/sp-key.pem "$KEYDIR/private/shibsp.key" + mv /tmp/sp-cert.pem "$KEYDIR/certs/shibsp.crt" +fi + +if [ ! -f "$KEYDIR/private/${SP_HOSTNAME}.key" -o ! -f "$KEYDIR/certs/${SP_HOSTNAME}.crt" ]; then + make-ssl-cert generate-default-snakeoil --force-overwrite + cp /etc/ssl/private/ssl-cert-snakeoil.key "$KEYDIR/private/${SP_HOSTNAME}.key" + cp /etc/ssl/certs/ssl-cert-snakeoil.pem "$KEYDIR/certs/${SP_HOSTNAME}.crt" +fi + + +# Setup shibd +sed -i -e "s/__SP_HOSTNAME__/$SP_HOSTNAME/g" -e "s%__KEYDIR__%$KEYDIR%g" /etc/shibboleth/shibboleth2.xml + +adduser -- _shibd ssl-cert +mkdir -p /var/log/shibboleth +mkdir -p /var/log/apache2 /var/lock/apache2 + + +# Setup apache + +sed -i -e "s/__SP_HOSTNAME__/$SP_HOSTNAME/g" -e "s%__KEYDIR__%$KEYDIR%g" /etc/apache2/sites-available/*.conf + +a2enmod proxy +a2enmod proxy_http +a2ensite sp + +service shibd start +rm -f /var/run/apache2/apache2.pid + +curl http://idp.nordu.dev/idp/shibboleth -o /var/www/metadata.xml +chown www-data:www-data /var/www/metadata.xml && chmod a+r /var/www/metadata.xml + +env APACHE_LOCK_DIR=/var/lock/apache2 APACHE_RUN_DIR=/var/run/apache2 APACHE_PID_FILE=/var/run/apache2/apache2.pid APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data APACHE_LOG_DIR=/var/log/apache2 apache2 -DFOREGROUND diff --git a/apache-sp/secure/index.haml b/apache-sp/secure/index.haml new file mode 100644 index 0000000..856d379 --- /dev/null 
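Review bot: `Options +Includes` on the `/secure` location enables full server-side includes, including `<!--#exec cmd=...-->`, so anyone who can drop or edit a `.shtml` under `/var/www/secure` gets command execution as www-data; `Options +IncludesNOEXEC` keeps `printenv`/`echo` working and removes `exec`. The `Header set X_REMOTE_USER %{eppn}e` through `Header set UID %{uid}e` lines set response headers, so every authenticated reply echoes the user's eppn, mail, uid and affiliations back through any proxy or cache in the path; if they are meant for a backend use `RequestHeader set`, and if only the SSI page needs them drop them, since the attributes are already in the request environment. The cipher list still offers 3DES (`DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, the `ECDHE-*-DES-CBC3-SHA` pair) and `SSLProtocol all -SSLv2 -SSLv3` leaves TLS 1.0/1.1 enabled, which current guidance drops unless legacy clients require them. The `idp.nordu.dev` vhost presents `__SP_HOSTNAME__`'s certificate and proxies to plain `http://shibboleth-docker:8080/`, fine on a dev compose network but it will fail hostname validation for real clients. The enclosing VirtualHost/Location tags are not visible in this rendering, so whether the `/secure` block also applies to the port-80 vhost (sending the Shibboleth session cookie in clear) cannot be confirmed from the hunk.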
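Review bot: `curl http://idp.nordu.dev/idp/shibboleth -o /var/www/metadata.xml` pulls the IdP metadata, i.e. the signing certificate the SP will trust for every assertion, over cleartext HTTP with no `-f`, no signature check and no pinned copy, so a failed fetch leaves an HTML error page in metadata.xml and an on-path attacker can substitute their own IdP key; fetch over https against a known CA or ship the metadata (or at least its signing certificate) in the image, and use `curl -fsS`. The script has no `set -eu`, so an unset `SP_HOSTNAME` silently produces `/etc/ssl/private/.key` and runs the `sed` over the Apache and shibd configs with an empty hostname; add `set -eu` after the shebang and quote `"$SP_HOSTNAME"` in the `shib-keygen` call. `mv` keeps whatever mode `shib-keygen` gave the key in `/tmp`, and the script adds `_shibd` to `ssl-cert` but never sets the moved key's owner or mode, so it is worth a `chown root:ssl-cert` / `chmod 640` on `$KEYDIR/private/shibsp.key` after the move.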
+++ b/apache-sp/secure/index.haml @@ -0,0 +1,10 @@ +!!! +%html + %head + %title Secure site!!!!1 + %body + .wrapper + %h1 Enviornment + %pre + + diff --git a/apache-sp/secure/index.shtml b/apache-sp/secure/index.shtml new file mode 100644 index 0000000..4ead79a --- /dev/null +++ b/apache-sp/secure/index.shtml @@ -0,0 +1,12 @@ + + + + Secure site!!!!1 + + +
+

Enviornment

+
+
+ + diff --git a/apache-sp/shibd/shibboleth2.xml b/apache-sp/shibd/shibboleth2.xml new file mode 100644 index 0000000..2bc8b7a --- /dev/null +++ b/apache-sp/shibd/shibboleth2.xml @@ -0,0 +1,38 @@ + + + + SAML2 Local + + + + + + + + + + + + + + + + + + + + + + + -- cgit v1.1 From cef764eca8d826b246f026861d44653aabdd3da9 Mon Sep 17 00:00:00 2001 From: Jesper Brix Rosenkilde Date: Fri, 7 Jul 2017 15:24:21 +0200 Subject: Make metadata available before shibd is started --- apache-sp/entrypoint.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apache-sp/entrypoint.sh b/apache-sp/entrypoint.sh index 30714c4..dc16803 100644 --- a/apache-sp/entrypoint.sh +++ b/apache-sp/entrypoint.sh @@ -14,6 +14,10 @@ if [ ! -f "$KEYDIR/private/${SP_HOSTNAME}.key" -o ! -f "$KEYDIR/certs/${SP_HOSTN cp /etc/ssl/certs/ssl-cert-snakeoil.pem "$KEYDIR/certs/${SP_HOSTNAME}.crt" fi +# Fetch metadata +curl http://shibboleth-docker:8080/idp/shibboleth -o /var/www/metadata.xml +chown -R www-data:www-data /var/www/ +chmod -R a+r /var/www/ # Setup shibd sed -i -e "s/__SP_HOSTNAME__/$SP_HOSTNAME/g" -e "s%__KEYDIR__%$KEYDIR%g" /etc/shibboleth/shibboleth2.xml @@ -34,7 +38,4 @@ a2ensite sp service shibd start rm -f /var/run/apache2/apache2.pid -curl http://idp.nordu.dev/idp/shibboleth -o /var/www/metadata.xml -chown www-data:www-data /var/www/metadata.xml && chmod a+r /var/www/metadata.xml - env APACHE_LOCK_DIR=/var/lock/apache2 APACHE_RUN_DIR=/var/run/apache2 APACHE_PID_FILE=/var/run/apache2/apache2.pid APACHE_RUN_USER=www-data APACHE_RUN_GROUP=www-data APACHE_LOG_DIR=/var/log/apache2 apache2 -DFOREGROUND -- cgit v1.1 From 07d7b2e0f88f38b1916a95b3d450ae34a652f338 Mon Sep 17 00:00:00 2001 From: Jesper Brix Rosenkilde Date: Fri, 7 Jul 2017 15:25:04 +0200 Subject: Simple build script --- build.sh | 4 ++++ 1 file changed, 4 insertions(+) create mode 100755 build.sh diff --git a/build.sh b/build.sh new file mode 100755 index 0000000..a377070 --- /dev/null +++ b/build.sh 
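Review bot: `chown -R www-data:www-data /var/www/` hands the whole document root, including `/var/www/secure` and its `.shtml` files, to the Apache runtime user, so any bug that yields a file write as www-data can rewrite the served pages (and, with server-side includes enabled in sp.conf, run commands); keep /var/www root-owned and chown only the file this script writes, `chown www-data:www-data /var/www/metadata.xml`. The metadata fetch still runs without `-f` and over plain http, so a 404 or proxy error page silently becomes metadata.xml; `curl -fsS http://shibboleth-docker:8080/idp/shibboleth -o /var/www/metadata.xml` at least fails loudly, and since the script (outside this hunk) has no `set -e`, the exit status should be checked explicitly before shibd is started. `chmod -R a+r /var/www/` is redundant once ownership is correct and also makes metadata.xml readable by every local user, which is harmless for public metadata but worth stating in a comment.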
@@ -0,0 +1,4 @@
+#!/bin/sh
+docker build -t shibboleth-docker .
+docker build -t apache-sp ./apache-sp/
+
-- cgit v1.1
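Review bot: The script has no `set -e`, so if the `shibboleth-docker` build fails the `apache-sp` build still runs and the script exits 0, hiding the failure from any CI caller; add `set -e` after the shebang or chain the two builds with `&&`. Both images are tagged only by name, i.e. `:latest`, so there is no way to tell which commit an image was built from; a `-t shibboleth-docker:$(git rev-parse --short HEAD)` alongside the name tag is cheap if these are pushed anywhere.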