クライアント証明ありのユーザ、クライアント証明書なしのユーザを混在したい、、そんな要件どう対応するんだろうか。
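# syntax=docker/dockerfile:1
# Demo: serve one httpd where some users authenticate with a client certificate
# and others with id/password, and a "common" zone accepts either.
# (Original question: クライアント証明ありのユーザ、クライアント証明書なしのユーザを混在したい、、そんな要件どう対応するんだろうか。)
#
# Everything generated below -- the CA private key, server key, client key, the
# .pfx export password and the htpasswd password -- ends up in image layers and
# in `docker history`. This is a throwaway local demo; do not reuse the image.
FROM httpd:2.4.58-bookworm

# vim is only for poking around inside the running container.
# apt lists are removed in the same layer so they do not bloat the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends vim \
    && rm -rf /var/lib/apt/lists/*

# Generate the demo Certificate Authority in ./demoCA, which is the default
# `dir` of the stock openssl.cnf; paths are relative to the httpd image's
# WORKDIR (/usr/local/apache2). Heredoc RUN lines are NOT &&-chained, so
# `set -e` is needed for a failing openssl step to fail the build.
RUN <<EOR1
set -eu
mkdir -p demoCA/private demoCA/newcerts demoCA/certs demoCA/crl
touch demoCA/index.txt
echo 00 > demoCA/serial
openssl genrsa -out demoCA/private/cakey.pem 2048
# -subj replaces the interactive C/ST/L/O/OU/CN/emailAddress prompts with the
# same DN, so the build no longer depends on prompt order in openssl.cnf.
openssl req -new -key demoCA/private/cakey.pem -out demoCA/ca.csr \
    -subj "/C=JP/ST=Kanagawa/L=Fujisawa/O=demoCA Ltd/OU=demoCA OU/CN=demoCA/emailAddress=ca@example.com"
# -batch answers the "sign?" / "commit?" prompts that used to be fed "y".
openssl ca -batch -selfsign -days 365 -extensions v3_ca \
    -in demoCA/ca.csr -out demoCA/cacert.pem
EOR1

# Generate the server certificate (CN=www.example.com). Validity comes from
# openssl.cnf's default_days for `openssl ca`; `-days` on `req -new` has no
# effect without -x509, so it is not passed here.
RUN <<EOR2
set -eu
openssl genrsa -out conf/server.key 2048
openssl req -new -key conf/server.key -out conf/server.csr \
    -subj "/C=JP/ST=Kanagawa/L=Fujisawa/O=demoServer Ltd./OU=demoServer OU/CN=www.example.com/emailAddress=server_manager@example.com"
openssl ca -batch -extensions usr_cert -policy policy_anything \
    -in conf/server.csr -out conf/server.crt
EOR2

# Generate the client certificate and export it as a PKCS#12 bundle that is
# served from the docroot so a browser can import it. The bundle contains the
# client's private key; that is the point of the demo, and must never be done
# for a real identity.
RUN <<EOR3
set -eu
openssl genrsa -out conf/client.key 2048
openssl req -new -key conf/client.key -out conf/client.csr \
    -subj "/C=JP/ST=Kanagawa/L=Fujisawa/O=demoUser Ltd./OU=demoUser OU/CN=demoUser/emailAddress=server_manager@example.com"
openssl ca -batch -extensions usr_cert -policy policy_anything \
    -in conf/client.csr -out conf/client.crt
openssl pkcs12 -export -inkey conf/client.key -in conf/client.crt -out htdocs/client.pfx -password pass:P@ssw0rd
# world-readable so the unprivileged httpd worker (daemon) can serve the download
chmod 644 htdocs/client.pfx
EOR3

# Enable TLS (mod_ssl + shmcb session cache), a ServerName, and mod_cgid for
# the CGI probes; append our Location rules after the stock configuration.
RUN sed -i \
    -e 's/^#\(Include .*httpd-ssl.conf\)/\1/' \
    -e 's/^#\(LoadModule .*mod_ssl.so\)/\1/' \
    -e 's/^#\(LoadModule .*mod_socache_shmcb.so\)/\1/' \
    -e 's/^#\(ServerName .*\)/\1/' \
    -e 's/#\(LoadModule cgid_module .*\)/\1/' \
    -e '$a Include location.conf' \
    conf/httpd.conf

# Per-Location SSLVerifyClient relies on TLS renegotiation after the request
# is known. TLS 1.3 removed renegotiation and mainstream browsers do not do
# post-handshake auth, so TLS 1.3 is excluded here (presumably the author's
# reason; verify against your client population).
RUN sed -i \
    -e 's/^SSLProtocol.*/& -TLSv1.3/' \
    conf/extra/httpd-ssl.conf

# Location rules, a demo htpasswd user, and three CGI probes that print who
# the server thinks you are.
#
# <Location /x> prefix-matches /x, /x/ and /x/anything (but not /xother).
# The previous `/x/*` wildcard did not cover /x and /x/ themselves, so a
# request for the bare directory bypassed the per-zone auth rules.
#
# /common accepts EITHER a valid Basic-auth user OR a verified client cert.
# `Require ssl-verify-client` can only succeed if the server actually asks
# for a certificate, which needs `SSLVerifyClient optional` in that scope.
RUN <<EOR4
set -eu
cat > location.conf <<EOF
SSLCACertificateFile demoCA/cacert.pem
<Location /cert>
SSLVerifyClient require
AddHandler cgi-script .cgi
Options ExecCGI
</Location>
<Location /member>
AuthType Basic
AuthName "Members Only"
AuthUserFile .htpasswd
Require valid-user
AddHandler cgi-script .cgi
Options ExecCGI
</Location>
<Location /common>
SSLVerifyClient optional
AuthType Basic
AuthName "Members Only"
AuthUserFile .htpasswd
<RequireAny>
Require valid-user
Require ssl-verify-client
</RequireAny>
AddHandler cgi-script .cgi
Options ExecCGI
</Location>
EOF
# -b puts the password on the command line (and in image history): demo only.
htpasswd -b -c .htpasswd theUser P@ssw0rd
mkdir -p htdocs/cert
cat <<EOF >htdocs/cert/printenv.cgi && chmod 755 htdocs/cert/printenv.cgi
#!/bin/bash
echo Content-type: text/plain
echo
echo your identifier: [\$SSL_CLIENT_S_DN_CN] from SSL_CLIENT_S_DN_CN
echo ----
env | sort | grep SSL_
EOF
mkdir -p htdocs/member
cat <<EOF >htdocs/member/printenv.cgi && chmod 755 htdocs/member/printenv.cgi
#!/bin/bash
echo Content-type: text/plain
echo
echo your identifier: [\$REMOTE_USER] from REMOTE_USER
echo ----
env | sort
EOF
mkdir -p htdocs/common
cat <<EOF >htdocs/common/printenv.cgi && chmod 755 htdocs/common/printenv.cgi
#!/bin/bash
echo Content-type: text/plain
echo
echo your identifier: [\$SSL_CLIENT_S_DN_CN] from SSL_CLIENT_S_DN_CN
echo your identifier: [\$REMOTE_USER] from REMOTE_USER
echo ----
env | sort
EOF
cat > htdocs/index.html <<EOF
<html><body>
<h1>It works!</h1>
<ul>
<li><a href="cert/printenv.cgi">login with client certificate</a> (<a href="client.pfx">download</a> and import with <tt>P@ssw0rd</tt>)</li>
<li><a href="member/printenv.cgi">login with id/pw as theUser:P@ssw0rd</a></li>
<li><a href="common/printenv.cgi">common zone</a></li>
</ul></body></html>
EOF
EOR4

# Documentation only: the HTTPS port httpd-ssl.conf listens on.
EXPOSE 443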