@matobaa
Created November 10, 2023 18:04
クライアント証明ありのユーザ、クライアント証明書なしのユーザを混在したい、、そんな要件どう対応するんだろうか。
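# syntax=docker/dockerfile:1
# Demo: one httpd that serves users who authenticate with a client certificate
# and users who do not (basic auth), plus a "common" zone that accepts either.
# Everything in here is disposable demo material: the CA private key, the
# server key, the client key, the .htpasswd and every password are baked into
# the image, and the client .pfx is deliberately served from the web root so it
# can be downloaded. Keep this image to the local experiment it was written for.
FROM httpd:2.4.58-bookworm

# vim is only here for poking at the generated config and certificates inside
# the container. Recommends are skipped and the apt lists are removed in the
# same layer so they do not end up in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends vim \
    && rm -rf /var/lib/apt/lists/*

# All relative paths below (demoCA/, conf/, htdocs/, .htpasswd, location.conf)
# resolve against the httpd image's working directory, which is its ServerRoot
# (/usr/local/apache2 in the official image) — httpd also resolves relative
# paths in its config against ServerRoot, so the two views agree.

# Generate a throw-away Certificate Authority under demoCA/, the directory
# layout the stock openssl.cnf expects for `openssl ca`.
# `set -e` matters in every heredoc RUN: heredoc lines are not &&-chained, so
# without it a failing openssl step would be ignored and the build would
# continue with missing or empty files.
RUN <<EOR1
set -e
mkdir -p demoCA/private demoCA/newcerts demoCA/certs demoCA/crl
openssl genrsa -out demoCA/private/cakey.pem 2048
# The inner heredoc answers the interactive `req` prompts in order: country,
# state, locality, organization, organizational unit, common name, email,
# challenge password, optional company name. (`-days` is only honoured by
# `req` together with -x509; the certificate lifetime is set by `openssl ca`.)
openssl req -new -key demoCA/private/cakey.pem -out demoCA/ca.csr <<EOF
JP
Kanagawa
Fujisawa
demoCA Ltd
demoCA OU
demoCA
ca@example.com
password
company
EOF
touch demoCA/index.txt
echo 00 > demoCA/serial
# -batch answers the "sign the certificate? / commit?" confirmations that the
# interactive run would otherwise ask for.
openssl ca -batch -in demoCA/ca.csr -out demoCA/cacert.pem -selfsign -days 365 -extensions v3_ca
EOR1

# Server certificate signed by the demo CA. The paths match what the stock
# httpd-ssl.conf references (conf/server.crt and conf/server.key). Lifetime is
# openssl.cnf's default_days, since no -days is passed to `openssl ca` here.
# NOTE(review): the certificate has only CN=www.example.com and no SAN, so
# browsers will warn on it; fine for a curl-driven demo.
RUN <<EOR2
set -e
openssl genrsa -out conf/server.key 2048
openssl req -new -key conf/server.key -out conf/server.csr <<EOF
JP
Kanagawa
Fujisawa
demoServer Ltd.
demoServer OU
www.example.com
server_manager@example.com
password
company
EOF
# policy_anything: the CSR's subject fields do not have to match the CA's.
openssl ca -batch -in conf/server.csr -out conf/server.crt -extensions usr_cert -policy policy_anything
EOR2

# Client certificate (CN=demoUser) signed by the demo CA, then bundled with
# its private key into a PKCS#12 file that is published under htdocs/ so the
# demo user can download and import it. The import password (P@ssw0rd) is
# shown on the index page; this is intentional for the demo and is the reason
# this image must never be exposed beyond the local experiment.
RUN <<EOR3
set -e
openssl genrsa -out conf/client.key 2048
openssl req -new -key conf/client.key -out conf/client.csr <<EOF
JP
Kanagawa
Fujisawa
demoUser Ltd.
demoUser OU
demoUser
server_manager@example.com
password
company
EOF
openssl ca -batch -in conf/client.csr -out conf/client.crt -extensions usr_cert -policy policy_anything
openssl pkcs12 -export -inkey conf/client.key -in conf/client.crt -out htdocs/client.pfx -password pass:P@ssw0rd
# world-readable so the httpd worker (which does not run as root) can serve it
chmod 644 htdocs/client.pfx
EOR3

# Enable TLS in the stock httpd.conf: include httpd-ssl.conf, load mod_ssl and
# its shared-memory session cache, uncomment ServerName (silences the startup
# warning), load mod_cgid for the .cgi scripts below, and pull in our own
# location.conf at the end of the file.
RUN sed -i \
    -e 's/^#\(Include .*httpd-ssl.conf\)/\1/' \
    -e 's/^#\(LoadModule .*mod_ssl.so\)/\1/' \
    -e 's/^#\(LoadModule .*mod_socache_shmcb.so\)/\1/' \
    -e 's/^#\(ServerName .*\)/\1/' \
    -e 's/#\(LoadModule cgid_module .*\)/\1/' \
    -e '$a Include location.conf' \
    conf/httpd.conf

# Turn TLS 1.3 off for the SSL vhost. Presumably needed because per-<Location>
# SSLVerifyClient makes mod_ssl renegotiate to ask for the client certificate,
# and TLS 1.3 has no renegotiation (its post-handshake auth is not something
# browsers do) — confirm against the mod_ssl docs for the httpd version in use.
# The trade-off is that every client on this vhost is limited to TLS 1.2.
RUN sed -i \
    -e 's/^SSLProtocol.*/& -TLSv1.3/' \
    conf/extra/httpd-ssl.conf

# Three zones:
#   /cert/    client certificate mandatory
#   /member/  basic auth (theUser) mandatory
#   /common/  either one is enough (RequireAny)
# Each zone gets a printenv.cgi that shows which identity httpd derived, and an
# index page linking them. Every CGI dumps its environment — diagnostics for
# the demo, not something to keep on a real server.
RUN <<EOR4
set -e
# SSLCACertificateFile sits at server-config level so the SSL vhost defined in
# httpd-ssl.conf inherits it (that file leaves the directive commented out).
# /common/ needs `SSLVerifyClient optional`: with the vhost default of `none`
# the certificate is never requested for that location, so the
# `Require ssl-verify-client` branch could never succeed and the zone would
# silently degrade to basic-auth only.
cat > location.conf <<EOF
SSLCACertificateFile demoCA/cacert.pem
<Location /cert/*>
SSLVerifyClient require
AddHandler cgi-script .cgi
Options ExecCGI
</Location>
<Location /member/*>
AuthType Basic
AuthName "Members Only"
AuthUserFile .htpasswd
Require valid-user
AddHandler cgi-script .cgi
Options ExecCGI
</Location>
<Location /common/*>
SSLVerifyClient optional
AuthType Basic
AuthName "Members Only"
AuthUserFile .htpasswd
<RequireAny>
Require valid-user
Require ssl-verify-client
</RequireAny>
AddHandler cgi-script .cgi
Options ExecCGI
</Location>
EOF
# Demo credential for the basic-auth zones (also printed on the index page).
htpasswd -b -c .htpasswd theUser P@ssw0rd
# The `\$` below keeps the variables for request time: they are expanded by
# the CGI when it runs under httpd, not while the image is being built.
mkdir -p htdocs/cert
cat <<EOF >htdocs/cert/printenv.cgi && chmod 755 htdocs/cert/printenv.cgi
#!/bin/bash
echo Content-type: text/plain
echo
echo your identifier: [\$SSL_CLIENT_S_DN_CN] from SSL_CLIENT_S_DN_CN
echo ----
env | sort | grep SSL_
EOF
mkdir -p htdocs/member
cat <<EOF >htdocs/member/printenv.cgi && chmod 755 htdocs/member/printenv.cgi
#!/bin/bash
echo Content-type: text/plain
echo
echo your identifier: [\$REMOTE_USER] from REMOTE_USER
echo ----
env | sort
EOF
mkdir -p htdocs/common
cat <<EOF >htdocs/common/printenv.cgi && chmod 755 htdocs/common/printenv.cgi
#!/bin/bash
echo Content-type: text/plain
echo
echo your identifier: [\$SSL_CLIENT_S_DN_CN] from SSL_CLIENT_S_DN_CN
echo your identifier: [\$REMOTE_USER] from REMOTE_USER
echo ----
env | sort
EOF
cat > htdocs/index.html <<EOF
<html><body>
<h1>It works!</h1>
<ul>
<li><a href="cert/printenv.cgi">login with client certificate</a> (<a href="client.pfx">download</a> and import with <tt>P@ssw0rd</tt>)</li>
<li><a href="member/printenv.cgi">login with id/pw as theUser:P@ssw0rd</a></li>
<li><a href="common/printenv.cgi">common zone</a></li>
</ul></body></html>
EOF
EOR4

# Documentation only: publish with `docker run -p 8443:443 …` (or similar).
EXPOSE 443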