From b1cffb6047163708ba83f92abb852db73d2fe93a Mon Sep 17 00:00:00 2001 From: Adam W Zheng Date: Wed, 10 Jul 2019 16:00:44 -0500 Subject: [PATCH] Documentation and example files for systemd --- 1.17.2/README.md | 22 +- examples/README.md | 210 +++++++++++++++++++- examples/docker-compose/docker-compose.yml | 77 +++---- examples/haproxy/haproxy.cfg | 5 +- examples/systemd/some-haproxy.service | 24 +++ examples/systemd/some-letsencrypt.service | 28 +++ examples/systemd/some-memcacheda01.service | 18 ++ examples/systemd/some-memcacheda02.service | 18 ++ examples/systemd/some-memcachedb01.service | 18 ++ examples/systemd/some-memcachedb02.service | 18 ++ examples/systemd/some-simplesamlphp.service | 46 +++++ 11 files changed, 411 insertions(+), 73 deletions(-) create mode 100644 examples/systemd/some-haproxy.service create mode 100644 examples/systemd/some-letsencrypt.service create mode 100644 examples/systemd/some-memcacheda01.service create mode 100644 examples/systemd/some-memcacheda02.service create mode 100644 examples/systemd/some-memcachedb01.service create mode 100644 examples/systemd/some-memcachedb02.service create mode 100644 examples/systemd/some-simplesamlphp.service diff --git a/1.17.2/README.md b/1.17.2/README.md index f900766..a94ab2c 100644 --- a/1.17.2/README.md +++ b/1.17.2/README.md 
@@ -92,19 +92,18 @@ It is recommended to set them properly and not use default values. | Variable | Default Value | Description | | ------ | ------ | ------ | | CONFIG_BASEURLPATH | simplesaml/ | If using SSL behind a proxy enter the base URL here, otherwise IdP metadata will use http://. Format is [(https)://(hostname)[:port]]/[path/to/simplesaml/]. | -| DOCKER_REDIRECTLOGS | false | Redirect logs written to the log file by SimpleSAMLphp to `/dev/console`. Please run with -t as a TTY will need allocated for this to work. | | CONFIG_AUTHADMINPASSWORD | SSHA256 hash of '123' | Plain text works as well. Use PWGen to generate a hash for this variable. Refer to [SimpleSAMLphp docs](https://simplesamlphp.org/docs/stable/simplesamlphp-install), installation guide section 7. | | CONFIG_SECRETSALT | defaultsecretsalt | Refer to [SimpleSAMLphp docs](https://simplesamlphp.org/docs/stable/simplesamlphp-install), installation guide section 7 if help is needed for generating one. | | CONFIG_TECHNICALCONTACT_NAME | Administrator | Name of the Admin of Rainy Clouds, 42nd of Their Name, Breaker of Sanity, and ~~Destroyer~~ Protector of the Federation | -| CONFIG_TECHNICALCONTACT_EMAIL | na@example.org | Address of hate mail and applicaton exception logs to send to. Mail support is not yet supported in this container, it is coming soon. Best to turn off mail error reporting option and direct users to the proper email until its implemented. | +| CONFIG_TECHNICALCONTACT_EMAIL | na@example.org | Address of hate mail and applicaton exception logs to send to. | | CONFIG_LANGUAGEDEFAULT | en | -- | | CONFIG_TIMEZONE | America/Chicago | Visit the [php.net man pages](http://php.net/manual/en/timezones.america.php) for the options, the one linked is for 'Murica. | | CONFIG_TEMPDIR | /tmp/simplesaml | -- | | CONFIG_SHOWERRORS | true | Shows detailed errors to the user if one occurs. | -| CONFIG_ERRORREPORTING | true | Allow users to send reports from SimpleSAMLphp to the technicalcontact. 
Not yet working. | -| CONFIG_ADMINPROTECTINDEXPAGE | false | Require admin password to access frontpage_federation index | -| CONFIG_ADMINPROTECTMETADATA | false | Require admin password to access public IdP metadata | -| CONFIG_DEBUG | false | Enable debugging to logs, requires CONFIG_LOGGINGLEVEL be set to DEBUG | +| CONFIG_ERRORREPORTING | true | Allow users to send reports from SimpleSAMLphp to the technicalcontact. | +| CONFIG_ADMINPROTECTINDEXPAGE | false | Require admin password to access frontpage_federation index. | +| CONFIG_ADMINPROTECTMETADATA | false | Require admin password to access public IdP metadata. | +| CONFIG_DEBUG | false | Enable debugging to logs, requires CONFIG_LOGGINGLEVEL be set to DEBUG. | | CONFIG_LOGGINGLEVEL | NOTICE | Options are ERR, WARNING, NOTICE, INFO, DEBUG | | CONFIG_LOGGINGHANDLER | file | Default different from official default of syslog due to systemd not running in containers. | | CONFIG_LOGFILE | simplesamlphp.log | -- | 
@@ -129,11 +128,12 @@ It is recommended to set them properly and not use default values. | WWW_INDEX | core/frontpage_welcome.php | Page to direct to if a user accesses the IdP/SP directly. Can be set to an authentication test for example. | | OPENLDAP_TLS_REQCERT | demand | As per ldap man pages, Options are `never` `allow` `try` `demand`. If using Active Directory or OpenLDAP with TLS, logins will be rejected if the directory certificate is self-signed with the default `demand` value. This can be set to `never` for testing purposes. Refer to ldap.conf man page section 5 for more details. | | MTA_NULLCLIENT | false | Set to true to configure null client for sending e-mails. Visit the [Postfix Standard Configuration Examples](http://www.postfix.org/STANDARD_CONFIGURATION_README.html) for explaination of a null client. If this is set to false, postfix will be purged from the container. | -| POSTFIX_MYHOSTNAME| host.domain.tld | Set to the FQDN of your host. ie `auth.example.com` | -| POSTFIX_MYORIGIN | $myhostname | Set to `$mydomain` as per postfix docs for null client | -| POSTFIX_RELAYHOST | $mydomain | Set to `$mydomain` again as per postfix docs for null client | -| POSTFIX_INETINTERFACES | localhost | Set to loopback-only as per postfix docs for null client | -| POSTFIX_MYDESTINATION | | Leave as empty string as per postfix docs for null client | +| POSTFIX_MYHOSTNAME| host.domain.tld | Set to the FQDN of your host. ie `auth.example.com`. | +| POSTFIX_MYORIGIN | $myhostname | Set to `$mydomain` as per postfix docs for null client. | +| POSTFIX_RELAYHOST | $mydomain | Set to `$mydomain` again as per postfix docs for null client. | +| POSTFIX_INETINTERFACES | localhost | Set to loopback-only as per postfix docs for null client. | +| POSTFIX_MYDESTINATION | | Leave as empty string as per postfix docs for null client. | +| DOCKER_REDIRECTLOGS | false | Redirect logs written to the log file by SimpleSAMLphp to `/dev/console`. 
Please run with -t as a TTY will need allocated for this to work. | Default CONFIG_MEMCACHESTORESERVERS format, 2 pair of 2 example. Use this template and replace the hostnames. Check compose file for usage example: ```console diff --git a/examples/README.md b/examples/README.md index b9fee96..f41b938 100644 --- a/examples/README.md +++ b/examples/README.md 
@@ -1,13 +1,13 @@ -[![](https://images.microbadger.com/badges/version/venatorfox/simplesamlphp:1.17.1.svg)](https://github.com/Venator-Fox/docker-simplesamlphp/network "View Network") [![](https://images.microbadger.com/badges/image/venatorfox/simplesamlphp:1.17.1.svg)](https://microbadger.com/images/venatorfox/simplesamlphp:1.17.1 "View layer metadata on MicroBadger") [![Pulls on Docker Hub](https://img.shields.io/docker/pulls/venatorfox/simplesamlphp.svg)](https://hub.docker.com/r/venatorfox/simplesamlphp) [![Stars on Docker Hub](https://img.shields.io/docker/stars/venatorfox/simplesamlphp.svg)](https://hub.docker.com/r/venatorfox/simplesamlphp) [![GitHub Open Issues](https://img.shields.io/github/issues/Venator-Fox/docker-simplesamlphp.svg)](https://github.com/Venator-Fox/docker-simplesamlphp/issues) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) +[![](https://images.microbadger.com/badges/version/venatorfox/simplesamlphp:1.17.2.svg)](https://github.com/Venator-Fox/docker-simplesamlphp/network "View Network") [![](https://images.microbadger.com/badges/image/venatorfox/simplesamlphp:1.17.1.svg)](https://microbadger.com/images/venatorfox/simplesamlphp:1.17.1 "View layer metadata on MicroBadger") [![Pulls on Docker Hub](https://img.shields.io/docker/pulls/venatorfox/simplesamlphp.svg)](https://hub.docker.com/r/venatorfox/simplesamlphp) [![Stars on Docker Hub](https://img.shields.io/docker/stars/venatorfox/simplesamlphp.svg)](https://hub.docker.com/r/venatorfox/simplesamlphp) [![GitHub Open Issues](https://img.shields.io/github/issues/Venator-Fox/docker-simplesamlphp.svg)](https://github.com/Venator-Fox/docker-simplesamlphp/issues) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) ### Examples This directory contains some example files in order to run the [venatorfox/simplesamlphp](https://hub.docker.com/r/venatorfox/simplesamlphp/) in a more 
complex manner. (ie. with SSL termination, HAProxy, etc...) These examples assume this is installed in a non-orchestrated manner on a host. The following examples are provided here: -- Super basic with all the default options -- HAProxy SSL Termination, Let's Encrypt CA, and common configurations via docker-compose -- HAProxy SSL Termination, Let's Encrypt CA, and common configurations via systemd +- Super basic with all the default options (basically just to look at the application) +- HAProxy SSL Termination, Let's Encrypt CA, and common configurations via docker-compose (for development) +- HAProxy SSL Termination, Let's Encrypt CA, and common configurations via systemd (for production) #### Super basic with all the default options > 1 liner, just to see how SimpleSAMLphp looks. @@ -40,13 +40,17 @@ Check SimpleSAMLphp's upgrade notes to see if updates occured in a specified dir Note that running this compose file will create files in `/srv/docker/volumes/` on your host. You can remove this after toying with the example. -Run the following two commands to generate a self-signed SSL certificate: +Run the following to generate a quick self-signed SSL certificate: ```console -mkdir -p /srv/docker/volumes/some-haproxy/ssl -docker run --rm -v /srv/docker/volumes/some-haproxy/ssl:/ssl -e HOST=localhost -e TYPE=pem project42/selfsignedcert +mkdir -p /srv/docker/volumes/some-haproxy/config/ssl +docker run --rm -v /srv/docker/volumes/some-haproxy/config/ssl:/ssl -e HOST=localhost -e TYPE=pem project42/selfsignedcert ``` -Save the `haproxy.cfg` to `/srv/docker/volumes/some-haproxy/haproxy.cfg` +Copy the `haproxy.cfg` to `/srv/docker/volumes/some-haproxy/config` + +~~~ +Be sure to modify haproxy.cfg to use the `localhost.pem` instead of `priv-fullchain-bundle.pem` +~~~ Compose version in this example is v3.5 Run `docker-compose -f docker-compose.yml up` to bring the stack up with your variables. 
@@ -54,7 +58,193 @@ After install, visit https://localhost. Use `docker-compose -f docker-compose.yml down` to destroy all containers. #### HAProxy SSL Termination, Let's Encrypt CA, and common configurations via systemd -> This is recommended for production for non-orchestrated installs. These unit files will start containers utilizing, memcached, haproxy, and simplesaml +> This is recommended for production for non-orchestrated installs. These unit files will start containers utilizing, memcached, haproxy, simplesaml, and letsencrypt. -//TODO +This example will accomplish all items as done in the compose example, but also setup a container for a LetsEncrypt SSL certificate. The haproxy container will cat over the keys. +Note that running these will create files in `/srv/docker/volumes/` on your host. Use these example files to your preference. Some examples are below tested with CentOS/RHEL + +> Method 1 (Copy to local config dir `/etc/systemd/system/`) +> +```console +cp -rfv /some/location/docker-simplesamlphp/examples/systemd/*.service /etc/systemd/system/ +``` + +or + +> Method 2 (Symlink to vendor/pkg dir `/usr/lib/systemd/system/`) (use full paths) +> +```console +ln -s /some/location/docker-simplesamlphp/examples/systemd/some-haproxy.service /usr/lib/systemd/system/ +ln -s /some/location/docker-simplesamlphp/examples/systemd/some-letsencrypt.service /usr/lib/systemd/system/ +ln -s /some/location/docker-simplesamlphp/examples/systemd/some-memcacheda01.service /usr/lib/systemd/system/ +ln -s /some/location/docker-simplesamlphp/examples/systemd/some-memcacheda02.service /usr/lib/systemd/system/ +ln -s /some/location/docker-simplesamlphp/examples/systemd/some-memcachedb01.service /usr/lib/systemd/system/ +ln -s /some/location/docker-simplesamlphp/examples/systemd/some-memcachedb02.service /usr/lib/systemd/system/ +ln -s /some/location/docker-simplesamlphp/examples/systemd/some-simplesamlphp.service /usr/lib/systemd/system/ +``` + +or + +> Method 3 (Use the 
unit files directly) +> +```console +systemctl start /some/location/docker-simplesamlphp/examples/systemd/some-letsencrypt.service +``` + +Regardless of the method used above, start the letsencrypt container to obtain a certificate. The example provided uses http validation. Port 80 will need to be open to your server for DNS validation. Be sure to modify the unit file to your parameters (esp EMAIL and URL) and `systemctl daemon-reload`. The image used in this example is from [linuxserver/letsencrypt](https://hub.docker.com/r/linuxserver/letsencrypt/) + +~~~ +systemctl start some-letsencrypt +~~~ + +After it has completed key generation and obtained a certificate, stop the container + +~~~ +systemctl status some-letsencrypt + +~~~ + +~~~ +systemctl stop some-letsencrypt +~~~ + +Create persistant directory `ssl` for `some-haproxy` + +~~~ +mkdir -p /srv/docker/volumes/some-haproxy/haproxy/ssl +~~~ + +Copy the `haproxy.cfg` to `/srv/docker/volumes/some-haproxy/haproxy` + +~~~ +cp -v /some/location/docker-simplesamlphp/examples/haproxy/haproxy.cfg /srv/docker/volumes/some-haproxy/haproxy/ +~~~ + +Enable and start `some-haproxy`, this will bring up the rest of the containers + +~~~ +systemctl enable --now some-haproxy +~~~ + +Verify: + +~~~ +systemctl status some-haproxy + +● some-haproxy.service - SimpleSAMLphp HAProxy Container (some-haproxy) + Loaded: loaded (/etc/systemd/system/some-haproxy.service; enabled; vendor preset: disabled) + Active: active (running) since Wed 2019-07-10 15:50:25 CDT; 21s ago + Process: 17047 ExecStartPre=/usr/bin/docker pull million12/haproxy:latest (code=exited, status=0/SUCCESS) + Process: 17043 ExecStartPre=/bin/bash -c /bin/cat /srv/docker/volumes/some-letsencrypt/config/keys/letsencrypt/priv-fullchain-bundle.pem > /srv/docker/volumes/%N/haproxy/ssl/priv-fullchain-bundle.pem (code=exited, status=0/SUCCESS) + Process: 17035 ExecStartPre=/usr/bin/docker rm %N (code=exited, status=1/FAILURE) + Process: 17023 ExecStartPre=/usr/bin/docker 
stop %N (code=exited, status=1/FAILURE) + Main PID: 17429 (docker-current) + Tasks: 7 + Memory: 5.1M + CGroup: /system.slice/some-haproxy.service + └─17429 /usr/bin/docker-current run --rm --name some-haproxy --network simplesamlphp-network --cap-add NET_ADMIN --publish 80:80 --publish 443:443 --volume /srv/docker/volumes/some-haproxy/haproxy/:/etc/haproxy/:Z million12/haproxy:latest + +Jul 10 15:50:26 e10-devidp docker[17429]: frontend https-in +Jul 10 15:50:26 e10-devidp docker[17429]: bind *:443 ssl crt /etc/haproxy/ssl/priv-fullchain-bundle.pem +Jul 10 15:50:26 e10-devidp docker[17429]: reqadd X-Forwarded-Proto:\ https +Jul 10 15:50:26 e10-devidp docker[17429]: default_backend nodes-http +Jul 10 15:50:26 e10-devidp docker[17429]: backend nodes-http +Jul 10 15:50:26 e10-devidp docker[17429]: redirect scheme https if !{ ssl_fc } +Jul 10 15:50:26 e10-devidp docker[17429]: server node1 some-simplesamlphp:80 check +Jul 10 15:50:26 e10-devidp docker[17429]: ==================================================================================================== +Jul 10 15:50:26 e10-devidp docker[17429]: Configuration file is valid +Jul 10 15:50:26 e10-devidp docker[17429]: [2019-07-10 20:50:26] HAProxy started with /etc/haproxy/haproxy.cfg config, pid 13. +~~~ + +~~~ +docker ps -a + +7a1e3550d2ad million12/haproxy:latest "/bootstrap.sh" About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp some-haproxy +94054daae650 memcached:latest "docker-entrypoint..." About a minute ago Up About a minute 11211/tcp some-memcacheda01 +1bc3a7c8fba6 memcached:latest "docker-entrypoint..." About a minute ago Up About a minute 11211/tcp some-memcachedb02 +f1a5ad49bfd4 memcached:latest "docker-entrypoint..." About a minute ago Up About a minute 11211/tcp some-memcacheda02 +5ef6b9c104f2 memcached:latest "docker-entrypoint..." 
About a minute ago Up About a minute 11211/tcp some-memcachedb01 +bf58f84a21e6 venatorfox/simplesamlphp:development "/init" About a minute ago Up About a minute some-simplesamlphp +~~~ + +##### Other Notes + +When translating docker run into systemd unit files, be sure to use `systemd-escape` when needed. (ie spaces or special characters): + +~~~ +systemd-escape "CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ]," + +CONFIG_MEMCACHESTORESERVERS\x3d\x20\x20\x20\x20\x27memcache_store.servers\x27\x20\x3d\x3e\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c +~~~ + +For Example: + +~~~ +docker run -t --name some-simplesamlphp --network simplesamlphp-network \ +-e CONFIG_BASEURLPATH=https://auth.example.com/simplesaml/ \ +-e CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw== \ +-e CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy \ +-e CONFIG_TECHNICALCONTACT_NAME="Adam W Zheng" \ +-e CONFIG_TECHNICALCONTACT_EMAIL=adam.w.zheng@icloud.com \ +-e CONFIG_SHOWERRORS=true \ +-e CONFIG_ERRORREPORTING=true \ +-e CONFIG_ADMINPROTECTINDEXPAGE=true \ +-e CONFIG_LOGGINGLEVEL=INFO \ +-e CONFIG_ENABLESAML20IDP=true \ +-e 
CONFIG_STORETYPE=memcache \ +-e CONFIG_MEMCACHESTOREPREFIX=simplesamlphp \ +-e CONFIG_MEMCACHESTORESERVERS=" 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ]," \ +-e OPENLDAP_TLS_REQCERT=allow \ +-e MTA_NULLCLIENT=true \ +-e POSTFIX_MYHOSTNAME=auth.example.com \ +-e POSTFIX_MYORIGIN=$mydomain \ +-e POSTFIX_INETINTERFACES=loopback-only \ +-e DOCKER_REDIRECTLOGS=true \ +-v /srv/docker/volumes/some-simplesamlphp/cache/:/var/simplesamlphp/cache/:Z \ +-v /srv/docker/volumes/some-simplesamlphp/config/:/var/simplesamlphp/config/:Z \ +-v /srv/docker/volumes/some-simplesamlphp/cert/:/var/simplesamlphp/cert/:Z \ +-v /srv/docker/volumes/some-simplesamlphp/locales/:/var/simplesamlphp/locales/:Z \ +-v /srv/docker/volumes/some-simplesamlphp/log/:/var/simplesamlphp/log/:Z \ +-v /srv/docker/volumes/some-simplesamlphp/metadata/:/var/simplesamlphp/metadata/:Z \ +-v /srv/docker/volumes/some-simplesamlphp/modules/:/var/simplesamlphp/modules/:Z \ +-v /srv/docker/volumes/some-simplesamlphp/templates/:/var/simplesamlphp/templates/:Z \ +-v /srv/docker/volumes/some-simplesamlphp/www/:/var/simplesamlphp/www/:Z \ +venatorfox/simplesamlphp:development +~~~ + +Would look like this in a unit file + +~~~ +ExecStart=/usr/bin/docker run -t --name some-simplesamlphp \ + --network simplesamlphp-network \ + -e CONFIG_BASEURLPATH=https://auth.example.com/simplesaml/ \ + -e CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw== \ + -e CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy \ + -e CONFIG_TECHNICALCONTACT_NAME=Adam\x20W\x20Zheng \ + -e CONFIG_TECHNICALCONTACT_EMAIL=adam.w.zheng@icloud.com \ + -e CONFIG_SHOWERRORS=true \ + -e CONFIG_ERRORREPORTING=true \ + -e CONFIG_ADMINPROTECTINDEXPAGE=true \ + -e CONFIG_LOGGINGLEVEL=INFO \ + -e CONFIG_ENABLESAML20IDP=true \ + -e CONFIG_STORETYPE=memcache \ + -e 
CONFIG_MEMCACHESTOREPREFIX=simplesamlphp \ + -e CONFIG_MEMCACHESTORESERVERS=\x20\x20\x20\x20\x27memcache_store.servers\x27\x20\x3d\x3e\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c + -e OPENLDAP_TLS_REQCERT=allow \ + -e MTA_NULLCLIENT=true \ + -e POSTFIX_MYHOSTNAME=auth.example.com \ + -e POSTFIX_MYORIGIN=$mydomain \ + -e POSTFIX_INETINTERFACES=loopback-only \ + -e DOCKER_REDIRECTLOGS=true \ + -v /srv/docker/volumes/some-simplesamlphp/cache/:/var/simplesamlphp/cache/:Z \ + -v /srv/docker/volumes/some-simplesamlphp/config/:/var/simplesamlphp/config/:Z \ + -v /srv/docker/volumes/some-simplesamlphp/cert/:/var/simplesamlphp/cert/:Z \ + -v /srv/docker/volumes/some-simplesamlphp/locales/:/var/simplesamlphp/locales/:Z \ + -v /srv/docker/volumes/some-simplesamlphp/log/:/var/simplesamlphp/log/:Z \ + -v /srv/docker/volumes/some-simplesamlphp/metadata/:/var/simplesamlphp/metadata/:Z \ + -v /srv/docker/volumes/some-simplesamlphp/modules/:/var/simplesamlphp/modules/:Z \ + -v /srv/docker/volumes/some-simplesamlphp/templates/:/var/simplesamlphp/templates/:Z \ + -v /srv/docker/volumes/some-simplesamlphp/www/:/var/simplesamlphp/www/:Z \ + venatorfox/simplesamlphp:development +~~~ diff --git a/examples/docker-compose/docker-compose.yml b/examples/docker-compose/docker-compose.yml index 5787bab..c45df27 100644 
--- a/examples/docker-compose/docker-compose.yml +++ b/examples/docker-compose/docker-compose.yml 
@@ -1,109 +1,88 @@
 version: '3.5'
-services:
+networks:
+ simplesamlphp-network:
+ name: simplesamlphp-network
+ driver: bridge
- some-simplesamlphp01:
- container_name: some-simplesamlphp01
- image: venatorfox/simplesamlphp:1.17.1
+services:
+ some-simplesamlphp:
+ container_name: some-simplesamlphp
+ image: venatorfox/simplesamlphp:1.17.2
 environment:
- - CONFIG_BASEURLPATH=https://localhost/simplesaml/
-# To login to this example setup, use 123 for the password.
+ - CONFIG_BASEURLPATH=https://auth.example.com/simplesaml/
 - CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
 - CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
 - CONFIG_TECHNICALCONTACT_NAME=Adam W Zheng
 - CONFIG_TECHNICALCONTACT_EMAIL=adam.w.zheng@icloud.com
- - CONFIG_LANGUAGEDEFAULT=en
- - CONFIG_TIMEZONE=America/Chicago
 - CONFIG_SHOWERRORS=true
 - CONFIG_ERRORREPORTING=true
 - CONFIG_ADMINPROTECTINDEXPAGE=true
- - CONFIG_ADMINPROTECTMETADATA=false
- - CONFIG_DEBUG=FALSE
 - CONFIG_LOGGINGLEVEL=INFO
- - CONFIG_LOGGINGHANDLER=file
- - CONFIG_LOGFILE=simplesamlphp.log
 - CONFIG_ENABLESAML20IDP=true
- - CONFIG_SESSIONCOOKIESECURE=false
- - CONFIG_ENABLEHTTPPOST=false
 - CONFIG_STORETYPE=memcache
 - CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
 - CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ],
-# - WWW_INDEX=core/authenticate.php?as=admin
- - OPENLDAP_TLS_REQCERT=always
+ - OPENLDAP_TLS_REQCERT=allow
 - MTA_NULLCLIENT=true
 - POSTFIX_MYHOSTNAME=auth.example.com
 - POSTFIX_MYORIGIN=$$mydomain
- - POSTFIX_RELAYHOST=$$mydomain
 - POSTFIX_INETINTERFACES=loopback-only
- - POSTFIX_MYDESTINATION=
+ - DOCKER_REDIRECTLOGS=true
 volumes:
-# - /srv/docker/volumes/some-simplesamlphp01/cache/:/var/simplesamlphp/cache/:Z
-# - /srv/docker/volumes/some-simplesamlphp01/config/authsources.php:/var/simplesamlphp/config/authsources.php:Z
- - /srv/docker/volumes/some-simplesamlphp01/cert/:/var/simplesamlphp/cert/:Z
- - /srv/docker/volumes/some-simplesamlphp01/locales/:/var/simplesamlphp/locales/:Z
- - /srv/docker/volumes/some-simplesamlphp01/log/:/var/simplesamlphp/log/:Z
- - /srv/docker/volumes/some-simplesamlphp01/metadata/:/var/simplesamlphp/metadata/:Z
- - /srv/docker/volumes/some-simplesamlphp01/modules/:/var/simplesamlphp/modules/:Z
- - /srv/docker/volumes/some-simplesamlphp01/templates/:/var/simplesamlphp/templates/:Z
- - /srv/docker/volumes/some-simplesamlphp01/www/:/var/simplesamlphp/www/:Z
+ - /srv/docker/volumes/some-simplesamlphp/cache/:/var/simplesamlphp/cache/:Z
+ - /srv/docker/volumes/some-simplesamlphp/config/:/var/simplesamlphp/config/:Z
+ - /srv/docker/volumes/some-simplesamlphp/cert/:/var/simplesamlphp/cert/:Z
+ - /srv/docker/volumes/some-simplesamlphp/locales/:/var/simplesamlphp/locales/:Z
+ - /srv/docker/volumes/some-simplesamlphp/log/:/var/simplesamlphp/log/:Z
+ - /srv/docker/volumes/some-simplesamlphp/metadata/:/var/simplesamlphp/metadata/:Z
+ - /srv/docker/volumes/some-simplesamlphp/modules/:/var/simplesamlphp/modules/:Z
+ - /srv/docker/volumes/some-simplesamlphp/templates/:/var/simplesamlphp/templates/:Z
+ - /srv/docker/volumes/some-simplesamlphp/www/:/var/simplesamlphp/www/:Z
 restart: always
 networks:
- backend:
- ipv4_address: 172.20.31.10
+ - simplesamlphp-network
 some-memcacheda01:
 container_name: some-memcacheda01
 image: memcached:latest
 restart: always
 networks:
- backend:
- ipv4_address: 172.20.31.20
+ - simplesamlphp-network
 some-memcacheda02:
 container_name: some-memcacheda02
 image: memcached:latest
 restart: always
 networks:
- backend:
- ipv4_address: 172.20.31.21
+ - simplesamlphp-network
 some-memcachedb01:
 container_name: some-memcachedb01
 image: memcached:latest
 restart: always
 networks:
- backend:
- ipv4_address: 172.20.31.30
+ - simplesamlphp-network
 some-memcachedb02:
 container_name: some-memcachedb02
 image: memcached:latest
 restart: always
 networks:
- backend:
- ipv4_address: 172.20.31.31
+ - simplesamlphp-network
 some-haproxy:
 container_name: some-haproxy
 image: million12/haproxy:latest
 depends_on:
- - some-simplesamlphp01
+ - some-simplesamlphp
 ports:
 - 80:80
 - 443:443
 volumes:
- - /srv/docker/volumes/some-haproxy:/etc/haproxy/:Z
+ - /srv/docker/volumes/some-haproxy/haproxy/:/etc/haproxy/:Z
 restart: always
 cap_add:
 - NET_ADMIN
 networks:
- backend:
- ipv4_address: 172.20.31.40
-
-networks:
- backend:
- name: backend
- driver: bridge
- ipam:
- config:
- - subnet: 172.20.31.0/26
+ - simplesamlphp-network
diff --git a/examples/haproxy/haproxy.cfg b/examples/haproxy/haproxy.cfg
index 59e10a5..da4db3a 100644
--- a/examples/haproxy/haproxy.cfg
+++ b/examples/haproxy/haproxy.cfg
@@ -39,11 +39,10 @@ frontend http-in
 default_backend nodes-http
 frontend https-in
- bind *:443 ssl crt /etc/haproxy/ssl/localhost.pem
+ bind *:443 ssl crt /etc/haproxy/ssl/priv-fullchain-bundle.pem
 reqadd X-Forwarded-Proto:\ https
 default_backend nodes-http
 backend nodes-http
 redirect scheme https if !{ ssl_fc }
- server node1 some-simplesamlphp01:80 check
- # server node2 some-simplesamlphp02:80 check
+ server node1 some-simplesamlphp:80 check
diff --git a/examples/systemd/some-haproxy.service b/examples/systemd/some-haproxy.service
new file mode 100644
index 0000000..ced28f0
--- /dev/null
+++ b/examples/systemd/some-haproxy.service
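Review bot: The new volume line `- /srv/docker/volumes/some-haproxy/haproxy/:/etc/haproxy/:Z` does not match the compose walkthrough added in this same commit, which creates `/srv/docker/volumes/some-haproxy/config/ssl` and copies `haproxy.cfg` into `.../some-haproxy/config`, so a reader following the README ends up with an empty `/etc/haproxy` in the container; one of the two paths has to change. The comment `# To login to this example setup, use 123 for the password.` is removed while `CONFIG_AUTHADMINPASSWORD` keeps that same default hash, `CONFIG_SECRETSALT` stays the `exampleabcdefghijklmnopqrstuvwxy` placeholder and `CONFIG_BASEURLPATH` now points at `auth.example.com`, so nothing marks these as throwaway credentials any more. Keep a comment above the hash such as `# example values: admin password is '123' and the salt is public - never reuse outside a local test`, or drop both values and read them from an uncommitted `env_file`. Replacing `OPENLDAP_TLS_REQCERT=always` (not one of the values the README lists) with `allow` makes it valid, but per the README table `allow` still accepts an unverifiable directory certificate, so a `# dev only, use demand in production` comment on that line would stop it being copied into the systemd unit unchanged.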
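Review bot: The new `bind *:443 ssl crt /etc/haproxy/ssl/priv-fullchain-bundle.pem` line sets no TLS floor or cipher policy, so unless the `global` section outside this hunk carries `ssl-default-bind-options`/`ssl-default-bind-ciphers`, the listener accepts whatever the HAProxy build inside `million12/haproxy:latest` defaults to, which cannot be known here because the tag floats. Since this is the public face of an IdP, pin the minimum on the bind itself, e.g. `bind *:443 ssl crt /etc/haproxy/ssl/priv-fullchain-bundle.pem ssl-min-ver TLSv1.2` (HAProxy 1.8+; older builds need `no-sslv3 no-tlsv10 no-tlsv11` instead). The file now hard-codes the Let's Encrypt bundle name while the compose walkthrough in this commit tells users to edit it back to `localhost.pem`; a comment on the bind line such as `# written by some-haproxy.service from the some-letsencrypt volume; use localhost.pem for the compose example` would make that dependency visible.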
@@ -0,0 +1,24 @@
+[Unit]
+Description=SimpleSAMLphp HAProxy Container (some-haproxy)
+Requires=docker.service some-simplesamlphp.service
+After=docker.service some-simplesamlphp.service
+Conflicts=some-letsencrypt.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker stop %N
+ExecStartPre=-/usr/bin/docker rm %N
+ExecStartPre=/bin/bash -c '/bin/cat /srv/docker/volumes/some-letsencrypt/config/keys/letsencrypt/priv-fullchain-bundle.pem > /srv/docker/volumes/%N/haproxy/ssl/priv-fullchain-bundle.pem'
+ExecStartPre=/usr/bin/docker pull million12/haproxy:latest
+ExecStart=/usr/bin/docker run --rm --name %N \
+ --network simplesamlphp-network \
+ --cap-add NET_ADMIN \
+ --publish 80:80 \
+ --publish 443:443 \
+ --volume /srv/docker/volumes/%N/haproxy/:/etc/haproxy/:Z \
+ million12/haproxy:latest
+ExecStop=/usr/bin/docker stop %N
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/systemd/some-letsencrypt.service b/examples/systemd/some-letsencrypt.service
new file mode 100644
index 0000000..83a67a4
--- /dev/null
+++ b/examples/systemd/some-letsencrypt.service
@@ -0,0 +1,28 @@
+[Unit]
+Description=Some LetsEncrypt Container (some-letsencrypt)
+Requires=docker.service
+After=docker.service
+Conflicts=some-haproxy.service
+
+[Service]
+Restart=never
+ExecStartPre=-/usr/bin/docker stop %N
+ExecStartPre=-/usr/bin/docker rm %N
+ExecStartPre=/usr/bin/docker pull linuxserver/letsencrypt:latest
+ExecStart=/usr/bin/docker run --rm --name %N \
+ --cap-add=NET_ADMIN \
+ --publish 80:80 \
+ --publish 443:443 \
+ --env PGID=1000 \
+ --env PUID=1000 \
+ --env EMAIL=adam.w.zheng@icloud.com \
+ --env URL=auth.example.com \
+ --env SUBDOMAINS= \
+ --env VALIDATION=http \
+ --env TZ=America/Chicago \
+ --volume /srv/docker/volumes/%N/config/:/config/:Z \
+ linuxserver/letsencrypt:latest
+ExecStop=/usr/bin/docker stop %N
+
+[Install]
+WantedBy=multi-user.target
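Review bot: The `ExecStartPre=/bin/bash -c '/bin/cat … > …/haproxy/ssl/priv-fullchain-bundle.pem'` line copies the private key bundle through a shell redirection, so the file is created with root's umask (normally 0644) inside a directory that is bind-mounted whole into the container, and the `ssl/` parent must already exist by hand or the unit fails to start. Replace it with `ExecStartPre=/usr/bin/install -D -m 0600 /srv/docker/volumes/some-letsencrypt/config/keys/letsencrypt/priv-fullchain-bundle.pem /srv/docker/volumes/%N/haproxy/ssl/priv-fullchain-bundle.pem`, which creates the directory and restricts the mode in one step (if the image runs haproxy unprivileged, fix the owner rather than widening the mode). `ExecStartPre=/usr/bin/docker pull million12/haproxy:latest` combined with `Restart=always` means every restart puts whatever `latest` is at that moment on the public 80/443 listener; pin a tag or `@sha256:` digest here and in `ExecStart`. As far as the unit shows, `Conflicts=some-letsencrypt.service` is the entire renewal story, i.e. the proxy must be stopped by hand for every certificate renewal, which deserves a comment in `[Unit]` so it is not discovered at expiry.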
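Review bot: `Restart=never` is not a value systemd accepts for `Restart=` (the documented choices are `no`, `on-success`, `on-failure`, `on-abnormal`, `on-watchdog`, `on-abort` and `always`), so the line is logged as unparsable and ignored; the default `no` is what was intended, so write `Restart=no`. The unit also hard-codes what looks like a real personal address in `--env EMAIL=adam.w.zheng@icloud.com`; since this is an example meant to be copied, use a placeholder like `--env EMAIL=admin@example.com`, matching the `URL=auth.example.com` line. `--publish 443:443` is not needed for `VALIDATION=http` as far as the HTTP-01 challenge is concerned (it only uses port 80), and `WantedBy=multi-user.target` on a unit that `Conflicts=some-haproxy.service` means `systemctl enable` on it would fight the proxy at boot — the README only ever starts it by hand, so dropping the `[Install]` section would make that explicit.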
diff --git a/examples/systemd/some-memcacheda01.service b/examples/systemd/some-memcacheda01.service
new file mode 100644
index 0000000..af2221c
--- /dev/null
+++ b/examples/systemd/some-memcacheda01.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Memcached Container A01 (some-memcacheda01)
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=on-failure
+RestartSec=5
+ExecStartPre=-/usr/bin/docker stop %N
+ExecStartPre=-/usr/bin/docker rm %N
+ExecStartPre=/usr/bin/docker pull memcached:latest
+ExecStart=/usr/bin/docker run --rm --name %N \
+ --network simplesamlphp-network \
+ memcached:latest
+ExecStop=/usr/bin/docker stop %N
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/systemd/some-memcacheda02.service b/examples/systemd/some-memcacheda02.service
new file mode 100644
index 0000000..580ce3c
--- /dev/null
+++ b/examples/systemd/some-memcacheda02.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Memcached Container A02 (some-memcacheda02)
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=on-failure
+RestartSec=5
+ExecStartPre=-/usr/bin/docker stop %N
+ExecStartPre=-/usr/bin/docker rm %N
+ExecStartPre=/usr/bin/docker pull memcached:latest
+ExecStart=/usr/bin/docker run --rm --name %N \
+ --network simplesamlphp-network \
+ memcached:latest
+ExecStop=/usr/bin/docker stop %N
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/systemd/some-memcachedb01.service b/examples/systemd/some-memcachedb01.service
new file mode 100644
index 0000000..492b984
--- /dev/null
+++ b/examples/systemd/some-memcachedb01.service
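Review bot: `ExecStart=/usr/bin/docker run --rm --name %N --network simplesamlphp-network memcached:latest` assumes the `simplesamlphp-network` bridge already exists, but nothing in these units or in the README's systemd walkthrough creates it (only the compose example declares it, so it is present only if that was run first on the same host), and on a fresh install `docker run` refuses to start with a network-not-found error. Add `ExecStartPre=-/usr/bin/docker network create simplesamlphp-network` ahead of the pull (the leading `-` tolerates the network already existing), or create it from a small dedicated unit that these and the simplesamlphp unit `Requires=`; the same applies to the identical a02, b01 and b02 units. `ExecStartPre=/usr/bin/docker pull memcached:latest` on every start also pulls an unpinned image into the session store; a pinned tag or digest keeps restarts reproducible.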
@@ -0,0 +1,18 @@
+[Unit]
+Description=Memcached Container B01 (some-memcachedb01)
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=on-failure
+RestartSec=5
+ExecStartPre=-/usr/bin/docker stop %N
+ExecStartPre=-/usr/bin/docker rm %N
+ExecStartPre=/usr/bin/docker pull memcached:latest
+ExecStart=/usr/bin/docker run --rm --name %N \
+ --network simplesamlphp-network \
+ memcached:latest
+ExecStop=/usr/bin/docker stop %N
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/systemd/some-memcachedb02.service b/examples/systemd/some-memcachedb02.service
new file mode 100644
index 0000000..ae36e57
--- /dev/null
+++ b/examples/systemd/some-memcachedb02.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Memcached Container B02 (some-memcachedb02)
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=on-failure
+RestartSec=5
+ExecStartPre=-/usr/bin/docker stop %N
+ExecStartPre=-/usr/bin/docker rm %N
+ExecStartPre=/usr/bin/docker pull memcached:latest
+ExecStart=/usr/bin/docker run --rm --name %N \
+ --network simplesamlphp-network \
+ memcached:latest
+ExecStop=/usr/bin/docker stop %N
+
+[Install]
+WantedBy=multi-user.target
diff --git a/examples/systemd/some-simplesamlphp.service b/examples/systemd/some-simplesamlphp.service
new file mode 100644
index 0000000..161b54c
--- /dev/null
+++ b/examples/systemd/some-simplesamlphp.service
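Review bot: These memcached units run the image with its defaults and no `-m`/`-c` limits, and memcached ships without authentication, so anything that can reach the containers on `simplesamlphp-network` can read or replace live SimpleSAMLphp sessions — the units correctly publish no ports, so the exposure is limited to other containers on that bridge, but nothing in the files says so. A `[Unit]` comment such as `# unauthenticated session store: must stay unpublished and only on simplesamlphp-network` records the assumption, and a `--memory` cap on the `docker run` (for example `--memory 256m \`) bounds what a flood of sessions can do to the host. The same note applies to some-memcacheda01 and some-memcacheda02, which are byte-for-byte the same apart from the name.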
@@ -0,0 +1,46 @@
+[Unit]
+Description=Some SimpleSAMLphp Container (some-simplesamlphp.service)
+Requires=docker.service some-memcacheda01.service some-memcacheda02.service some-memcachedb01.service some-memcachedb02.service
+After=docker.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker stop %N
+ExecStartPre=-/usr/bin/docker rm %N
+ExecStartPre=/usr/bin/docker pull venatorfox/simplesamlphp:1.17.2
+ExecStart=/usr/bin/docker run -t --rm --name %N \
+ --network simplesamlphp-network \
+ --env CONFIG_BASEURLPATH=https://auth.example.com/simplesaml/ \
+ --env CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw== \
+ --env CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy \
+ --env CONFIG_TECHNICALCONTACT_NAME=Adam\x20W\x20Zheng \
+ --env CONFIG_TECHNICALCONTACT_EMAIL=adam.w.zheng@icloud.com \
+ --env CONFIG_SHOWERRORS=true \
+ --env CONFIG_ERRORREPORTING=true \
+ --env CONFIG_ADMINPROTECTINDEXPAGE=true \
+ --env CONFIG_LOGGINGLEVEL=INFO \
+ --env CONFIG_ENABLESAML20IDP=true \
+ --env CONFIG_STORETYPE=memcache \
+ --env CONFIG_MEMCACHESTOREPREFIX=simplesamlphp \
+ --env CONFIG_MEMCACHESTORESERVERS=\x20\x20\x20\x20\x27memcache_store.servers\x27\x20\x3d\x3e\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c \
+ --env OPENLDAP_TLS_REQCERT=allow \
+ --env MTA_NULLCLIENT=true \
+ --env POSTFIX_MYHOSTNAME=auth.example.com \
+ --env POSTFIX_MYORIGIN=$mydomain \
+ --env POSTFIX_INETINTERFACES=loopback-only \
+ --env DOCKER_REDIRECTLOGS=true \
+ --volume /srv/docker/volumes/%N/cache/:/var/simplesamlphp/cache/:Z \
+ --volume /srv/docker/volumes/%N/config/:/var/simplesamlphp/config/:Z \
+ --volume /srv/docker/volumes/%N/cert/:/var/simplesamlphp/cert/:Z \
+ --volume /srv/docker/volumes/%N/locales/:/var/simplesamlphp/locales/:Z \
+ --volume /srv/docker/volumes/%N/log/:/var/simplesamlphp/log/:Z \
+ --volume /srv/docker/volumes/%N/metadata/:/var/simplesamlphp/metadata/:Z \
+ --volume /srv/docker/volumes/%N/modules/:/var/simplesamlphp/modules/:Z \
+ --volume /srv/docker/volumes/%N/templates/:/var/simplesamlphp/templates/:Z \
+ --volume /srv/docker/volumes/%N/www/:/var/simplesamlphp/www/:Z \
+ venatorfox/simplesamlphp:1.17.2
+ExecStop=/usr/bin/docker stop %N
+
+[Install]
+WantedBy=multi-user.target
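Review bot: `--env POSTFIX_MYORIGIN=$mydomain` goes through systemd's own `$VAR` substitution in `ExecStart=`, and since no `mydomain` variable is set for the unit it is replaced by an empty string before docker ever sees it; the compose file in this same commit escapes it as `$$mydomain`, and systemd uses the same convention for a literal dollar, so the line should read `--env POSTFIX_MYORIGIN=$$mydomain`. This unit is the one the README labels as the production variant, yet it embeds `CONFIG_AUTHADMINPASSWORD` (the image's documented default hash of `123`) and `CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy` in a file that is normally world-readable under `/etc/systemd/system` and that becomes the long-lived argv of the `docker run` client, visible to every host user in `ps`. Move them to a root-only file with `EnvironmentFile=/etc/some-simplesamlphp.env` (mode 0600) and pass them as `--env CONFIG_AUTHADMINPASSWORD \` and `--env CONFIG_SECRETSALT \` without a value, which makes docker copy them from the client environment instead of the command line. `OPENLDAP_TLS_REQCERT=allow` relaxes directory certificate checking relative to the `demand` default described in the README table, which on a production IdP exposes the LDAP bind to an interposed directory, so it should be `demand` or carry a comment explaining the exception; and `Requires=` names the four memcached units without a matching `After=`, so this container can be started before its session store is reachable.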