Add DEFAULT_WEBSITE and PROTECTION env var

guimard · Apr 8, 2024 · 92dce58 · 92dce58
1 parent 7d7a761
commit 92dce58
Show file tree

Hide file tree

Showing 16 changed files with 86 additions and 6 deletions.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -4,7 +4,7 @@ env:
   VERSION: 2.18.2
   PGVERSION: 15
   DEBIANRELEASE: bookworm
-  DOCKERREVISION: 7
+  DOCKERREVISION: 8
 
 on:
   push:

diff --git a/Changes.md b/Changes.md
@@ -1,5 +1,6 @@
 # Changes
 
+* 2024-04-08: add `DEFAULT_WEBSITE` and `PROTECTION` env var
 * 2024-04-04: add docker revision in version string
 * 2024-04-03: fix cache patch
 * 2024-03-27: add missing Jitsi/logout method
@@ -9,7 +10,7 @@
 * 2024-03-03: Add Jitsi support
 * 2024-02-19: OIDC Auth PKCE
 * 2024-02-12: 2.18.2
-* 2024-01-31: Add SERVERNAME
+* 2024-01-31: Add `SERVERNAME`
 * 2024-01-11: Add patch to provide applications scope
 * 2024-01-11: Add patch to fix OIDC logout when any relyong party failed
 * 2024-01-08: Add fix-dropcsp.patch

diff --git a/base-no-s6/install/etc/cont-init.d/update-llng-conf b/base-no-s6/install/etc/cont-init.d/update-llng-conf
@@ -15,6 +15,11 @@ if test "$USERLOGGER" = "stderr"; then
     perl -i -ne 'print unless /^userLogger\s*=/;print "userLogger = Lemonldap::NG::Common::Logger::Std\n" if/^\[\s*all\s*\]/;' /etc/lemonldap-ng/lemonldap-ng.ini;
 fi
 
+if test "$DEFAULT_WEBSITE" = "yes"; then
+    echo "Drop Nginx default website"
+    rm -f /etc/nginx/sites-enabled/default
+fi
+
 # OPTIONAL DATABASE FOR CONFIGURATION
 #
 # 1 - Check for PostgreSQL server
@@ -83,8 +88,10 @@ elif [ "$LDAP_URL" != "" ]; then
    fi
 fi
 
+PORTALURL=`portalUrl "$PORTAL"`
+
 /usr/share/docker-llng/updateConf "setDomain" "$SSODOMAIN"
-/usr/share/docker-llng/updateConf "set" portal "$PORTAL"
+/usr/share/docker-llng/updateConf "set" portal "$PORTALURL"
 
 if test "$CROWDSEC_SERVER" != ""; then
     echo "Configure LLNG to use $CROWDSEC_SERVER as Crowdsec server"

diff --git a/base-no-s6/install/usr/bin/portalHost b/base-no-s6/install/usr/bin/portalHost
@@ -0,0 +1 @@
+portalUrl
diff --git a/base-no-s6/install/usr/bin/portalUrl b/base-no-s6/install/usr/bin/portalUrl
@@ -0,0 +1,14 @@
+#!/usr/bin/perl
+
+use strict;
+
+my $arg = $ARGV[0] or die 'Missing arg';
+my $wantUrl = ($0 =~ /url/i);
+my $prefix = 'https://';
+
+$prefix = $1 if $arg =~ s#^(https?://)##;
+
+$arg =~ s#/.*$##;
+warn 'Maybe bas PORTAL value' unless $arg =~ /^\w[\w\.-]*\w$/;
+
+print $wantUrl ? "$prefix$arg/" : $arg;
diff --git a/base/Dockerfile b/base/Dockerfile
@@ -65,6 +65,7 @@ ENV SSODOMAIN=example.com \
     PORTAL_CRON=yes \
     FORCE_KEY_REGENERATION=no \
     DEBIAN_FRONTEND=noninteractive \
+    DEFAULT_WEBSITE=no \
     PGSSLCERT=/tmp/postgres.crt
 
 COPY *.patch /

diff --git a/base/install/etc/cont-init.d/update-llng-conf b/base/install/etc/cont-init.d/update-llng-conf
@@ -15,6 +15,11 @@ if test "$USERLOGGER" = "stderr"; then
     perl -i -ne 'print unless /^userLogger\s*=/;print "userLogger = Lemonldap::NG::Common::Logger::Std\n" if/^\[\s*all\s*\]/;' /etc/lemonldap-ng/lemonldap-ng.ini;
 fi
 
+if test "$DEFAULT_WEBSITE" = "yes"; then
+    echo "Drop Nginx default website"
+    rm -f /etc/nginx/sites-enabled/default
+fi
+
 # OPTIONAL DATABASE FOR CONFIGURATION
 #
 # 1 - Check for PostgreSQL server
@@ -83,8 +88,10 @@ elif [ "$LDAP_URL" != "" ]; then
    fi
 fi
 
+PORTALURL=`portalUrl "$PORTAL"`
+
 /usr/share/docker-llng/updateConf "setDomain" "$SSODOMAIN"
-/usr/share/docker-llng/updateConf "set" portal "$PORTAL"
+/usr/share/docker-llng/updateConf "set" portal "$PORTALURL"
 
 if test "$CROWDSEC_SERVER" != ""; then
     echo "Configure LLNG to use $CROWDSEC_SERVER as Crowdsec server"

diff --git a/base/install/usr/bin/portalHost b/base/install/usr/bin/portalHost
@@ -0,0 +1 @@
+portalUrl
diff --git a/base/install/usr/bin/portalUrl b/base/install/usr/bin/portalUrl
@@ -0,0 +1,14 @@
+#!/usr/bin/perl
+
+use strict;
+
+my $arg = $ARGV[0] or die 'Missing arg';
+my $wantUrl = ($0 =~ /url/i);
+my $prefix = 'https://';
+
+$prefix = $1 if $arg =~ s#^(https?://)##;
+
+$arg =~ s#/.*$##;
+warn 'Maybe bas PORTAL value' unless $arg =~ /^\w[\w\.-]*\w$/;
+
+print $wantUrl ? "$prefix$arg/" : $arg;
diff --git a/full/Dockerfile b/full/Dockerfile
@@ -4,6 +4,8 @@ LABEL maintainer="Yadd [email protected]>" \
       name="yadd/lemonldap-ng-full" \
       version="v1.0"
 
+ENV PROTECTION=manager
+
 RUN echo "# Install nginx and portal and manager libs" && \
     apt -y update && \
     apt -y dist-upgrade && \

diff --git a/full/README.md b/full/README.md
@@ -28,6 +28,12 @@ docker-compose example to see how to do this using redis and
 
 See [yadd/lemonldap-ng-base](https://github.com/guimard/llng-docker/blob/master/base/README.md#readme)
 
+* Other:
+  * `DEFAULT_WEBSITE` = `no`, if set to `yes` the default Nginx website is
+    deleted
+  * `PROTECTION` = `manager`, set it to `none` if you don't want to protect
+    the manager by LemonLDAP-NG itself
+
 ## Docker-compose example
 
 Example with Crowdsec enabled, Postgres database and Redis to share sessions.

diff --git a/full/install/etc/cont-init.d/update-nginx-conf b/full/install/etc/cont-init.d/update-nginx-conf
@@ -1,7 +1,15 @@
 #!/command/with-contenv sh
 
+PORTAL=${PORTAL:-auth.example.com}
+PORTALHOST=`portalHost "$PORTAL"`
+SSODOMAIN=${SSODOMAIN:-example.com}
+SERVERNAME=${SERVERNAME:-${PORTALHOST}}
+SERVERNAME=${SERVERNAME%/*}
+export SERVERNAME
+
 perl -i -pe 's#__FASTCGISOCKDIR__#/run/llng-fastcgi-server#g;
 s#__PORT__#80#g;
+s#__SERVERNAME__#$ENV{SERVERNAME}#g;
 s#__DNSDOMAIN__#$ENV{SSODOMAIN}#g;
 s#__PORTALSITEDIR__#/usr/share/lemonldap-ng/portal/htdocs/#g;
 s#__PORTALSTATICDIR__#/usr/share/lemonldap-ng/portal/htdocs/static/#g;
@@ -12,5 +20,10 @@ s#__PORT__#80#g;
 s#__DNSDOMAIN__#$ENV{SSODOMAIN}#g;
 s#__MANAGERSITEDIR__#/usr/share/lemonldap-ng/manager/htdocs/#g;
 s#__MANAGERSTATICDIR__#/usr/share/lemonldap-ng/manager/htdocs/static/#g;
-s#__DEFDOCDIR__#/usr/share/doc/lemonldap-ng-doc/#g;
+s#__DEFDOCDIR__#/usr/share/doc/lemonldap-ng/#g;
 ' /etc/lemonldap-ng/manager-nginx.conf
+
+if test "$PROTECTION" != ""; then
+  echo "Set manager protection to $PROTECTION"
+  perl -i -pe 's/^protection\s*=.*$/protection='$PROTECTION'/' /etc/lemonldap-ng/lemonldap-ng.ini
+fi
diff --git a/manager/Dockerfile b/manager/Dockerfile
@@ -4,6 +4,7 @@ LABEL maintainer="Yadd [email protected]>" \
       name="yadd/lemonldap-ng-manager" \
       version="v1.0"
 
+ENV PROTECTION=manager
 
 RUN echo "# Install nginx and manager libs" && \
     apt -y update && \

diff --git a/manager/README.md b/manager/README.md
@@ -28,6 +28,12 @@ docker-compose example to see how to do this using redis and
 
 See [yadd/lemonldap-ng-base](https://github.com/guimard/llng-docker/blob/master/base/README.md#readme)
 
+* Other:
+  * `DEFAULT_WEBSITE` = `no`, if set to `yes` the default Nginx website is
+    deleted
+  * `PROTECTION` = `manager`, set it to `none` if you don't want to protect
+    the manager by LemonLDAP-NG itself
+
 ## Docker-compose example
 
 Example with Crowdsec enabled, Postgres database and Redis to share sessions.

diff --git a/manager/install/etc/cont-init.d/update-nginx-manager-conf b/manager/install/etc/cont-init.d/update-nginx-manager-conf
@@ -7,3 +7,8 @@ s#__MANAGERSITEDIR__#/usr/share/lemonldap-ng/manager/htdocs/#g;
 s#__MANAGERSTATICDIR__#/usr/share/lemonldap-ng/manager/htdocs/static/#g;
 s#__DEFDOCDIR__#/usr/share/doc/lemonldap-ng/#g;
 ' /etc/lemonldap-ng/manager-nginx.conf
+
+if test "$PROTECTION" != ""; then
+  echo "Set manager protection to $PROTECTION"
+  perl -i -pe 's/^protection\s*=.*$/protection='$PROTECTION'/' /etc/lemonldap-ng/lemonldap-ng.ini
+fi
diff --git a/portal/install/etc/cont-init.d/update-nginx-portal-conf b/portal/install/etc/cont-init.d/update-nginx-portal-conf
@@ -1,8 +1,9 @@
 #!/command/with-contenv sh
 
 PORTAL=${PORTAL:-auth.example.com}
+PORTALHOST=`portalHost "$PORTAL"`
 SSODOMAIN=${SSODOMAIN:-example.com}
-SERVERNAME=${SERVERNAME:-${PORTAL#*://}}
+SERVERNAME=${SERVERNAME:-${PORTALHOST}}
 SERVERNAME=${SERVERNAME%/*}
 export SERVERNAME