Initial commit

Adam W Zheng 2017-09-06 15:21:34 -05:00
commit 43fcc30ace
8 changed files with 737 additions and 0 deletions

.gitignore vendored Normal file

@ -0,0 +1 @@
.DS_Store

1.14.15/Dockerfile Normal file

@ -0,0 +1,64 @@
FROM centos:7
MAINTAINER Adam Zheng adam.w.zheng@icloud.com
ENV S6_RELEASE 1.19.1.1
ENV SIMPLESAMLPHP_RELEASE 1.14.15
#Add S6 Overlay (Build via Docker 1.12)
ADD https://github.com/just-containers/s6-overlay/releases/download/v$S6_RELEASE/s6-overlay-amd64.tar.gz /tmp/
RUN tar xzf /tmp/s6-overlay-amd64.tar.gz -C / --exclude="./bin" \
&& tar xzf /tmp/s6-overlay-amd64.tar.gz -C /usr ./bin
#Add S6 Overlay (Build via Docker CE 17)
#ADD https://github.com/just-containers/s6-overlay/releases/download/v$S6_RELEASE/s6-overlay-amd64.tar.gz /tmp/
#RUN mv /tmp/bin/* /usr/bin/ \
# && mv /tmp/etc/* /etc/ \
# && mv /tmp/init / \
# && mv /tmp/libexec/ / \
# && rm -v /tmp/usr/bin/execlineb \
# && mv /tmp/usr/bin/* /usr/bin/ \
# && rm -rfv /tmp/*
#Install SimpleSAMLphp Requirements
RUN yum -y install epel-release
RUN rpm -Uvh https://centos7.iuscommunity.org/ius-release.rpm
RUN echo -e '[nginx]\nname=nginx repo\nbaseurl=http://nginx.org/packages/centos/7/$basearch/\ngpgcheck=0\nenabled=1' > /etc/yum.repos.d/nginx.repo
RUN yum -y install nginx php56u-fpm php56u-fpm-nginx php56u-dom php56u-mbstring php56u-mcrypt php56u-pdo php56u-pecl-memcache php56u-ldap sendmail
RUN sed -i 's/user = apache/user = nginx/' /etc/php-fpm.d/www.conf \
&& sed -i 's/group = apache/group = nginx/' /etc/php-fpm.d/www.conf
#Configure webserver
RUN echo -e 'server {\n listen 80 default_server;\n listen [::]:80 default_server;\n server_name _;\n root /var/simplesamlphp/www/;\n index index.php;\n\n location /simplesaml {\n alias /var/simplesamlphp/www/;\n location ~ ^(?<prefix>/simplesaml)(?<phpfile>.+?.php)(?<pathinfo>/.*)?$ {\n include fastcgi_params;\n fastcgi_pass 127.0.0.1:9000;\n fastcgi_split_path_info ^(.+?.php)(/.+)$;\n fastcgi_param SCRIPT_FILENAME $document_root$phpfile;\n fastcgi_param PATH_INFO $pathinfo if_not_empty;\n }\n }\n\n location ~ .php$ {\n fastcgi_split_path_info ^(.+.php)(/.+)$;\n fastcgi_pass 127.0.0.1:9000;\n fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n include fastcgi_params;\n add_header Cache-control no-cache;\n }\n}' > /etc/nginx/conf.d/default.conf \
&& mkdir -p /var/lib/php/session/ \
&& chown -Rv nginx:nginx /var/lib/php/session/
#Download SimpleSAMLphp, Archive must remain present for seeding post install.
RUN curl -Lo /var/simplesamlphp.tar.gz https://github.com/simplesamlphp/simplesamlphp/releases/download/v$SIMPLESAMLPHP_RELEASE/simplesamlphp-$SIMPLESAMLPHP_RELEASE.tar.gz \
&& tar xzf /var/simplesamlphp.tar.gz --directory /var \
&& mv /var/simplesamlphp-* /var/simplesamlphp \
&& touch /var/simplesamlphp/cert/breadcrumb \
&& touch /var/simplesamlphp/log/breadcrumb
#Redirect NGINX Logs
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
#Add Service NGINX to be Monitored by S6
RUN mkdir -p /etc/services.d/nginx/ \
&& touch /etc/services.d/nginx/run \
&& echo '#!/usr/bin/execlineb -P' > /etc/services.d/nginx/run \
&& echo 'nginx -g "daemon off;"' >> /etc/services.d/nginx/run
#Add Service PHP-FPM to be Monitored by S6
RUN mkdir -p /etc/services.d/php-fpm/ \
&& touch /etc/services.d/php-fpm/run \
&& echo '#!/usr/bin/execlineb -P' > /etc/services.d/php-fpm/run \
&& echo '/usr/sbin/php-fpm' >> /etc/services.d/php-fpm/run --nodaemonize
#Copy the SimpleSAMLphp CLI Install Script into the Container to be executed on startup
COPY install-simplesamlphp.sh /etc/cont-init.d/
RUN chmod u+x /etc/cont-init.d/install-simplesamlphp.sh
RUN yum -y update && yum clean all && > /var/log/yum.log
ENTRYPOINT ["/init"]
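Review bot: the nginx repo written by the `RUN echo -e '[nginx]\nname=nginx repo\nbaseurl=http://nginx.org/...` line sets `gpgcheck=0` on an `http://` baseurl, so the following `yum -y install nginx php56u-fpm ...` accepts unsigned packages fetched over plaintext; set `gpgcheck=1` with `gpgkey=` pointing at nginx's published signing key and use an `https://` baseurl, and for the same reason verify the `curl -Lo /var/simplesamlphp.tar.gz ...` release download against a known checksum so a tampered archive cannot be baked into the image unnoticed. Two smaller points: in `echo '/usr/sbin/php-fpm' >> /etc/services.d/php-fpm/run --nodaemonize` the flag sits outside the quotes and only lands in the run file because bash passes it to `echo` as a second argument, so write `echo '/usr/sbin/php-fpm --nodaemonize' >> ...`; and in the generated nginx config the catch-all `location ~ .php$` block has an unescaped dot (`\.php$`) and no `try_files $uri =404;`, so a request for a non-existent path that merely ends in `php` is still handed to PHP-FPM, which is the path-info misconfiguration the nginx/PHP-FPM docs warn about. `MAINTAINER` is also deprecated in favour of a `LABEL`.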

1.14.15/README.md Normal file

@ -0,0 +1,291 @@
### Supported tags and respective `Dockerfile` links
- [`1.14.15`, `latest` (*1.14.15/Dockerfile*)](https://github.com/Venator-Fox/docker-simplesamlphp/blob/master/1.14.15/Dockerfile)
### How to use this image
Useless Simple Example: To startup an unconfigured local install with default values, no ssl:
Start a `venatorfox/simplesamlphp` instance, expose port 80.
```console
$ docker run --name some-simplesamlphp venatorfox/simplesamlphp:latest
```
Visit the site at http://localhost, default unconfigured username is "admin" and password is "123". #superSecure
See below for available runtime environment variables for a more specific configuration.
> The config.php will be created at run and baked into the SimpleSAMLphp Core Install.
> This will allow easy future upgrades, as you can simply destroy the container and bring it up with a new version.
> The docker environment variables configured at runtime will be applied to the default config, pulled from SimpleSAMLphp.
> The purpose of this image is to store as much ephemeral data inside the container as possible for easy upgrades.
> This is controlled by how you mount docker volumes. Examples are presented below.
### Supported Volume Mount Options for Pre-Seeding
The following directories will pre-seed if they are mounted.
If attempting to mount an subdirectory, it will not pre-seed and therefore must pre-exist.
If the directory is not mounted, it will use its ephemeral counterpart in the container which is ideal, explained below.
Note that once a directory is mounted, it will need to be upgraded manually for future SimpleSAMLphp releases if applicable.
If a mounted directory disappears from the host, it will pre-seed again with defaults from the SimpleSAMLphp install on restart.
If reverting to a default directory is desired, remove the host directory and adjust the docker run command to exclude the mount.
Some directories will probably never need manually updated as SimpleSAMLphp will not update them in new versions.
`/cert` and `/metadata` are examples of directories that should always be volume mounted, as it contains data that must persist, is very organization specific, and will probably never or rarely be changed by SimpleSAMLphp releases.
Something like `/bin` should never be volume mounted unless it's for development purposes, as it will likley be upgraded by SimpleSAMLphp in new versions.
Be sure to check new SimpleSAMLphp releases to see if manual upgrades need done to a directory that was mounted.
Check [SimpleSAMLphp docs](https://simplesamlphp.org/docs/stable/simplesamlphp-install) installation section 5 for specifics.
Individual files can also be mounted, but will not pre-seed content. It must pre-exist before starting the container.
Mounting the `authsources.php` file is a good example, as `/config` will probably not be mounted.
Another example, if using composer, the `composer.json` and `composer.lock` files will need mounted.
This will vary greatly depending on use. A compose file similar to a production instance as is at the end of this README.
| Directory | Opinion |
| ------ | ------ |
| /var/simplesamlphp/attributemap | -- |
| /var/simplesamlphp/bin | Probably should not be volume mounted. |
| /var/simplesamlphp/cert | Should always be volume mounted. |
| /var/simplesamlphp/config | Should probably not be volume mounted as its mostly configured by docker. |
| /var/simplesamlphp/config-templates | -- |
| /var/simplesamlphp/dictionaries | Can be mounted for customized user messages. |
| /var/simplesamlphp/docs | -- |
| /var/simplesamlphp/extra | -- |
| /var/simplesamlphp/lib | -- |
| /var/simplesamlphp/log | If using docker log redirection (not working yet), this cannot be volume mounted. If docker logs write to a file, this should be volume mounted so logs do not grow inside the container. |
| /var/simplesamlphp/metadata | Should always be volume mounted, very specific to organization. |
| /var/simplesamlphp/metadata-templates | -- |
| /var/simplesamlphp/modules | Can be volume mounted for easier module customization |
| /var/simplesamlphp/schemas | -- |
| /var/simplesamlphp/templates | -- |
| /var/simplesamlphp/tests | -- |
| /var/simplesamlphp/tools | -- |
| /var/simplesamlphp/vendor | -- |
| /var/simplesamlphp/www | Can be volume mounted for easier www customization |
### Runtime Environment Variables
The following variables can be overridden at run or in docker-compose.
It is recommended to set them properly and not use default values.
(Unless you want an authentication service with no SSL, with your admin password being 123 (Can you not, kthx)).
| Variable | Default Value | Description |
| ------ | ------ | ------ |
| DOCKER_REDIRECTLOGS | false | Redirect logs written to the log file by SimpleSAMLphp to `/proc/1/fd/1`. This does not work yet due to permissions issues. If someone knows how to resolve this please let me know or contribute a fix to the Git repository. Thanks! |
| CONFIG_AUTHADMINPASSWORD | SSHA256 hash of '123' | Plain text works as well. Use PWGen to generate a hash for this variable. Refer to [SimpleSAMLphp docs](https://simplesamlphp.org/docs/stable/simplesamlphp-install), installation guide section 7. |
| CONFIG_SECRETSALT | defaultsecretsalt | Refer to [SimpleSAMLphp docs](https://simplesamlphp.org/docs/stable/simplesamlphp-install), installation guide section 7 if help is needed for generating one. |
| CONFIG_TECHNICALCONTACT_NAME | Administrator | Name of the Admin of Rainy Clouds, 42nd of Their Name, Breaker of Sanity, and ~~Destroyer~~ Protector of the Federation |
| CONFIG_TECHNICALCONTACT_EMAIL | na@example.org | Address of hate mail and applicaton exception logs to send to. Mail support is not yet supported in this container, it is coming soon. Best to turn off mail error reporting option and direct users to the proper email until its implemented. |
| CONFIG_LANGUAGEDEFAULT | en | -- |
| CONFIG_TIMEZONE | America/Chicago | Visit the [php.net man pages](http://php.net/manual/en/timezones.america.php) for the options, the one linked is for 'Murica. |
| CONFIG_TEMPDIR | /tmp/simplesaml | -- |
| CONFIG_SHOWERRORS | true | Shows detailed errors to the user if one occurs. |
| CONFIG_ERRORREPORTING | true | Allow users to send reports from SimpleSAMLphp to the technicalcontact. Not yet working. |
| CONFIG_ADMINPROTECTINDEXPAGE | false | Require admin password to access frontpage_federation index |
| CONFIG_ADMINPROTECTMETADATA | false | Require admin password to access public IdP metadata |
| CONFIG_DEBUG | false | Enable debugging to logs, requires CONFIG_LOGGINGLEVEL be set to DEBUG |
| CONFIG_LOGGINGLEVEL | NOTICE | Options are ERR, WARNING, NOTICE, INFO, DEBUG |
| CONFIG_LOGGINGHANDLER | file | Default different from official default of syslog due to systemd not running in containers. |
| CONFIG_LOGFILE | simplesamlphp.log | -- |
| CONFIG_ENABLESAML20IDP | false | Enable SAML20 IdP |
| CONFIG_ENABLESHIB13IDP | false | Enable Shibboleth13 IdP |
| CONFIG_SESSIONDURATION | 8 * (60 * 60) | -- |
| CONFIG_SESSIONDATASTORETIMEOUT | (4 * 60 * 60) | -- |
| CONFIG_SESSIONSTATETIMEOUT | (60 * 60) | -- |
| CONFIG_SESSIONCOOKIELIFETIME | 0 | -- |
| CONFIG_SESSIONREMEMBERMEENABLE | false | -- |
| CONFIG_SESSIONREMEMBERMECHECKED | false | -- |
| CONFIG_SESSIONREMEMBERMELIFETIME | (14 * 86400) | -- |
| CONFIG_SESSIONCOOKIESECURE | false | -- |
| CONFIG_ENABLEHTTPPOST | false | -- |
| CONFIG_THEMEUSE | default | -- |
| CONFIG_STORETYPE | phpsession | If using `memcache` option, CONFIG_MEMCACHESTORESERVERS and CONFIG_MEMCACHESTOREPREFIX will need to be set. |
| CONFIG_MEMCACHESTORESERVERS | See Format Below* | Was unable to make this an easy variable, the format of the array is given below in a 2x2 example. Keep the format but replace the hostnames. |
| CONFIG_MEMCACHESTOREPREFIX | null | `simplesamlphp` can be used in most cases. |
| WWW_INDEX | core/frontpage_welcome.php | Page to direct to if a user accesses the IdP/SP directly. Can be set to an authentication test for example. |
| OPENLDAP_TLS_REQCERT | demand | As per ldap man pages, Options are `never` `allow` `try` `demand`. If using Active Directory or OpenLDAP with TLS, logins will be rejected if the directory certificate is self-signed with the default `demand` value. This can be set to `never` for testing purposes. Refer to ldap.conf man page section 5 for more details. |
Default CONFIG_MEMCACHESTORESERVERS format, 2 pair of 2 example. Use this template and replace the hostnames. Check compose file for usage example:
```console
'memcache_store.servers' => array(\n array(\n array('hostname' => 'mc_a1'),\n array('hostname' => 'mc_a2'),\n ),\n array(\n array('hostname' => 'mc_b1'),\n array('hostname' => 'mc_b2'),\n ),
```
### Maintenance
This is being actively maintained and is running in production.
Please [create an issue](https://github.com/Venator-Fox/docker-simpleasmlphp/issues) if needed or if additional variables/features are desired.
### Todos
- Figure out logging to docker stdio
- Add support for mail to be sent during exceptions
- Add ability for stats to be sent to docker stdio or to mounted file
### More Complex/Practical Compose Example, IdP SSL Termination with HAProxy
This example will run HAProxy with snakeoil SSL termination for https://localhost.
It will also bring up 4 memcached containers, 2 pairs of 2, for php session.
This is useful for running a SimpleSAMLphp cluster via some orchestration service such as Rancher.
Since SimpleSAMLphp will not care about the webroot, an entry to the hosts file can be added to whatever for testing.
Be sure to adjust the HOST environment variable below for whatever localhost self-signed certificate desired.
Of course in production use a real CA, like LetsEncrypt.
This will be more in line with what would be seen in a production environment. (minus the demo 123 password, salt, etc)
Note the choices of volume mounts of what to keep ephemeral, and what to keep persistant.
The more volumes, the more manual upgrades might be.
Check SimpleSAMLphp's upgrade notes to see if updates occured in a specified directory.
Note that running this compose file will create files in `/opt/docker/volumes/` on your host.
You can remove this after toying with the example.
Run the following two commands:
```console
mkdir -p /opt/docker/volumes/simplesamlphp-haproxy/ssl
docker run --rm -v /opt/docker/volumes/simplesamlphp-haproxy/ssl:/ssl -e HOST=localhost -e TYPE=pem project42/selfsignedcert
```
Then, create this `haproxy.cfg` at `/opt/docker/volumes/simplesamlphp-haproxy/haproxy.cfg`
```console
global
#debug
chroot /var/lib/haproxy
user haproxy
group haproxy
pidfile /var/run/haproxy.pid
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
spread-checks 4
tune.maxrewrite 1024
tune.ssl.default-dh-param 2048
defaults
mode http
balance roundrobin
option dontlognull
option dontlog-normal
option redispatch
maxconn 5000
timeout connect 5s
timeout client 20s
timeout server 20s
timeout queue 30s
timeout http-request 5s
timeout http-keep-alive 15s
frontend http-in
bind *:80
reqadd X-Forwarded-Proto:\ http
default_backend nodes-http
frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl/localhost.pem
reqadd X-Forwarded-Proto:\ https
default_backend nodes-http
backend nodes-http
redirect scheme https if !{ ssl_fc }
server node1 simplesamlphp:80 check
```
Finally, save this v2 compose file as `docker-compose-example.yml` somewhere.
Run `docker-compose -f docker-compose-example.yml up` to bring the stack up.
After install, visit https://localhost (or whatever URL you chose)
Use `docker-compose -f docker-compose-example.yml down` to destroy containers after playing.
```console
version: '2'
services:
simplesamlphp:
container_name: simplesamlphp
image: venatorfox/simplesamlphp
environment:
# To login to this example setup, use 123 for the password.
- CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
- CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
- CONFIG_TECHNICALCONTACT_NAME=Adam Zheng
- CONFIG_TECHNICALCONTACT_EMAIL=adam.zheng@esu10.org
- CONFIG_LANGUAGEDEFAULT=en
- CONFIG_TIMEZONE=America/Chicago
- CONFIG_SHOWERRORS=true
- CONFIG_ERRORREPORTING=true
- CONFIG_ADMINPROTECTINDEXPAGE=true
- CONFIG_ADMINPROTECTMETADATA=false
- CONFIG_DEBUG=FALSE
- CONFIG_LOGGINGLEVEL=INFO
- CONFIG_LOGGINGHANDLER=file
- CONFIG_LOGFILE=simplesamlphp.log
- CONFIG_ENABLESAML20IDP=true
- CONFIG_SESSIONCOOKIESECURE=false
- CONFIG_ENABLEHTTPPOST=false
# - CONFIG_THEMEUSE=nebraskacloudAuth:nebraskaCloud
- CONFIG_STORETYPE=memcache
- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => array(\n array(\n array('hostname' => 'idp-mc-a01'),\n array('hostname' => 'idp-mc-a02'),\n ),\n array(\n array('hostname' => 'idp-mc-b01'),\n array('hostname' => 'idp-mc-b02'),\n ),
# - WWW_INDEX=core/authenticate.php?as=admin
- OPENLDAP_TLS_REQCERT=always
volumes:
# - /opt/docker/volumes/simplesamlphp/config/authsources.php:/var/simplesamlphp/config/authsources.php
- /opt/docker/volumes/simplesamlphp/cert/:/var/simplesamlphp/cert/
- /opt/docker/volumes/simplesamlphp/dictionaries/:/var/simplesamlphp/dictionaries/
- /opt/docker/volumes/simplesamlphp/log/:/var/simplesamlphp/log
- /opt/docker/volumes/simplesamlphp/metadata/:/var/simplesamlphp/metadata
- /opt/docker/volumes/simplesamlphp/modules/:/var/simplesamlphp/modules
- /opt/docker/volumes/simplesamlphp/templates/:/var/simplesamlphp/templates
- /opt/docker/volumes/simplesamlphp/www/:/var/simplesamlphp/www
restart: always
idp-mc-a01:
container_name: idp-mc-a01
image: memcached
restart: always
idp-mc-a02:
container_name: idp-mc-a02
image: memcached
restart: always
idp-mc-b01:
container_name: idp-mc-b01
image: memcached
restart: always
idp-mc-b02:
container_name: idp-mc-b02
image: memcached
restart: always
simplesamlphp-haproxy:
container_name: simplesamlphp-haproxy
image: million12/haproxy:1.7.8
depends_on:
- simplesamlphp
links:
- simplesamlphp
ports:
- 80:80
- 443:443
volumes:
- /opt/docker/volumes/simplesamlphp-haproxy:/etc/haproxy
restart: always
cap_add:
- NET_ADMIN
```
License
----
MIT
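Review bot: the compose example at the end of the README sets `OPENLDAP_TLS_REQCERT=always`, which is not one of the values the variable's own table row documents (`never`, `allow`, `try`, `demand`); use `demand` there so the "more in line with production" example does not ship an unrecognised setting (check ldap.conf(5) for the accepted levels). In the same example HAProxy terminates TLS for https://localhost yet `CONFIG_SESSIONCOOKIESECURE=false` is kept, so a browser that first hits http://localhost sends the session cookie in clear before the `redirect scheme https` fires; set it to `true` whenever the stack is fronted by TLS. Also, the issues link under `### Maintenance` points at `docker-simpleasmlphp` while the Dockerfile link at the top uses `docker-simplesamlphp`, so one of the two URLs is broken.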


@ -0,0 +1,78 @@
version: '2'
services:
simplesamlphp:
container_name: simplesamlphp
image: venatorfox/simplesamlphp
environment:
# To login to this example setup, use 123 for the password.
- CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
- CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
- CONFIG_TECHNICALCONTACT_NAME=Adam Zheng
- CONFIG_TECHNICALCONTACT_EMAIL=adam.zheng@esu10.org
- CONFIG_LANGUAGEDEFAULT=en
- CONFIG_TIMEZONE=America/Chicago
- CONFIG_SHOWERRORS=true
- CONFIG_ERRORREPORTING=true
- CONFIG_ADMINPROTECTINDEXPAGE=true
- CONFIG_ADMINPROTECTMETADATA=false
- CONFIG_DEBUG=FALSE
- CONFIG_LOGGINGLEVEL=INFO
- CONFIG_LOGGINGHANDLER=file
- CONFIG_LOGFILE=simplesamlphp.log
- CONFIG_ENABLESAML20IDP=true
- CONFIG_SESSIONCOOKIESECURE=false
- CONFIG_ENABLEHTTPPOST=false
# - CONFIG_THEMEUSE=nebraskacloudAuth:nebraskaCloud
- CONFIG_STORETYPE=memcache
- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => array(\n array(\n array('hostname' => 'idp-mc-a01'),\n array('hostname' => 'idp-mc-a02'),\n ),\n array(\n array('hostname' => 'idp-mc-b01'),\n array('hostname' => 'idp-mc-b02'),\n ),
# - WWW_INDEX=core/authenticate.php?as=admin
- OPENLDAP_TLS_REQCERT=always
volumes:
# - /opt/docker/volumes/simplesamlphp/config/authsources.php:/var/simplesamlphp/config/authsources.php
- /opt/docker/volumes/simplesamlphp/cert/:/var/simplesamlphp/cert/
- /opt/docker/volumes/simplesamlphp/dictionaries/:/var/simplesamlphp/dictionaries/
- /opt/docker/volumes/simplesamlphp/log/:/var/simplesamlphp/log
- /opt/docker/volumes/simplesamlphp/metadata/:/var/simplesamlphp/metadata
- /opt/docker/volumes/simplesamlphp/modules/:/var/simplesamlphp/modules
- /opt/docker/volumes/simplesamlphp/templates/:/var/simplesamlphp/templates
- /opt/docker/volumes/simplesamlphp/www/:/var/simplesamlphp/www
restart: always
idp-mc-a01:
container_name: idp-mc-a01
image: memcached
restart: always
idp-mc-a02:
container_name: idp-mc-a02
image: memcached
restart: always
idp-mc-b01:
container_name: idp-mc-b01
image: memcached
restart: always
idp-mc-b02:
container_name: idp-mc-b02
image: memcached
restart: always
simplesamlphp-haproxy:
container_name: simplesamlphp-haproxy
image: million12/haproxy:1.7.8
depends_on:
- simplesamlphp
links:
- simplesamlphp
ports:
- 80:80
- 443:443
volumes:
- /opt/docker/volumes/simplesamlphp-haproxy:/etc/haproxy
restart: always
cap_add:
- NET_ADMIN
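Review bot: `cap_add: NET_ADMIN` on `simplesamlphp-haproxy` grants a capability that the HAProxy configuration this stack uses (binding 80/443 and proxying to `simplesamlphp:80`) does not obviously need; either add a comment stating why the `million12/haproxy:1.7.8` image requires it or drop it so the edge proxy runs with the default capability set. This file is also a verbatim copy of the compose block embedded in `1.14.15/README.md`, including `OPENLDAP_TLS_REQCERT=always` and `CONFIG_SESSIONCOOKIESECURE=false` behind a TLS-terminating proxy, so any correction must be made in both places or the README should point at this file instead of inlining it; `links:` is legacy in the v2 format and is redundant here since services on the default network resolve each other by name.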


@ -0,0 +1,276 @@
#!/usr/bin/with-contenv /bin/bash
#Default runtime variables if none are supplied at Docker container creation
DOCKER_REDIRECTLOGS=${DOCKER_REDIRECTLOGS:=false}
#This SSHA256 hash is '123' for the default password.
CONFIG_AUTHADMINPASSWORD=${CONFIG_AUTHADMINPASSWORD:=\{SSHA256\}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==}
CONFIG_SECRETSALT=${CONFIG_SECRETSALT:=defaultsecretsalt}
CONFIG_TECHNICALCONTACT_NAME=${CONFIG_TECHNICALCONTACT_NAME:=Administrator}
CONFIG_TECHNICALCONTACT_EMAIL=${CONFIG_TECHNICALCONTACT_EMAIL:=na@example.org}
CONFIG_LANGUAGEDEFAULT=${CONFIG_LANGUAGEDEFAULT:=en}
CONFIG_TIMEZONE=${CONFIG_TIMEZONE:=America/Chicago}
CONFIG_TEMPDIR=${CONFIG_TEMPDIR:=/tmp/simplesaml}
CONFIG_SHOWERRORS=${CONFIG_SHOWERRORS:=true}
CONFIG_ERRORREPORTING=${CONFIG_ERRORREPORTING:=true}
CONFIG_ADMINPROTECTINDEXPAGE=${CONFIG_ADMINPROTECTINDEXPAGE:=false}
CONFIG_ADMINPROTECTMETADATA=${CONFIG_ADMINPROTECTMETADATA:=false}
CONFIG_DEBUG=${CONFIG_DEBUG:=false}
CONFIG_LOGGINGLEVEL=${CONFIG_LOGGINGLEVEL:=NOTICE}
CONFIG_LOGGINGHANDLER=${CONFIG_LOGGINGLHANDLER:=file}
CONFIG_LOGFILE=${CONFIG_LOGFILE:='simplesamlphp.log'}
CONFIG_ENABLESAML20IDP=${CONFIG_ENABLESAML20IDP:=false}
CONFIG_ENABLESHIB13IDP=${CONFIG_ENABLESHIB13IDP:=false}
CONFIG_ENABLEADFSIDP=${CONFIG_ENABLEADFSIDP:=false}
CONFIG_ENABLEWSFEDSP=${CONFIG_ENABLEWSFEDSP:=false}
CONFIG_ENABLEAUTHMEMCOOKIE=${CONFIG_ENABLEAUTHMEMCOOKIE:=false}
CONFIG_SESSIONDURATION=${CONFIG_SESSIONDURATION:=8 * (60 * 60)}
CONFIG_SESSIONDATASTORETIMEOUT=${CONFIG_SESSIONDATASTORETIMEOUT:=(4 * 60 * 60)}
CONFIG_SESSIONSTATETIMEOUT=${CONFIG_SESSIONSTATETIMEOUT:=(60 * 60)}
CONFIG_SESSIONCOOKIELIFETIME=${CONFIG_SESSIONCOOKIELIFETIME:=0}
CONFIG_SESSIONREMEMBERMEENABLE=${CONFIG_SESSIONREMEMBERMEENABLE:=false}
CONFIG_SESSIONREMEMBERMECHECKED=${CONFIG_SESSIONREMEMBERMECHECKED:=false}
CONFIG_SESSIONREMEMBERMELIFETIME=${CONFIG_SESSIONREMEMBERMELIFETIME:=(14 * 86400)}
CONFIG_SESSIONCOOKIESECURE=${CONFIG_SESSIONCOOKIESECURE:=false}
CONFIG_ENABLEHTTPPOST=${CONFIG_ENABLEHTTPPOST:=false}
CONFIG_THEMEUSE=${CONFIG_THEMEUSE:=default}
CONFIG_STORETYPE=${CONFIG_STORETYPE:=phpsession}
WWW_INDEX=${WWW_INDEX:=core/frontpage_welcome.php}
OPENLDAP_TLS_REQCERT=${OPENLDAP_TLS_REQCERT:=demand}
if [ "$DOCKER_REDIRECTLOGS" = "true" ]; then
echo "[$0] DOCKER_REDIRECTLOGS was set to 'true', so setting CONFIG_LOGGINGHANDLER to 'file'"
CONFIG_LOGGINGHANDLER=file
if [ "$CONFIG_LOGFILE" != "simplesamlphp.log" ]; then
echo "[$0] [WARN] DOCKER_REDIRECTLOGS was set to true, but CONFIG_LOGFILE was set away from the default. It makes no sense to do this as logs are redirected to a pipe."
echo "[$0] If a simplesamlphp logfile is desired instead of docker logs, set DOCKER_REDIRECTLOGS to 'false' and volume mount the logs directory to the host."
echo "[$0] Pausing 5 seconds due to above warning."
sleep 5
fi
if [ -z "$(ls -A /var/simplesamlphp/log/)" ]; then
if [ "$DOCKER_REDIRECTLOGS" = "true" ]; then
echo "[$0] [WARN] DOCKER_REDIRECTLOGS is set to true but the log directory is volume mounted. It makes no sense to do this as logs are redirected to a pipe."
echo "[$0] If a simplesamlphp logfile is desired instead of docker logs, set DOCKER_REDIRECTLOGS to 'false'."
echo "[$0] Pausing 5 seconds due to above warning."
sleep 5
fi
else
if [ "$CONFIG_LOGGINGHANDLER" = "file" ]; then
echo "[$0] [WARN] CONFIG_LOGGINGHANDLER is set to 'file' but the log directory is not volume mounted."
echo "[$0] [WARN] This will cause the container to grow with a logfile and is in most cases very undesirable."
echo "[$0] Pausing 5 seconds due to above warning."
fi
fi
ln -sf /proc/1/fd/1 /var/simplesamlphp/log/$CONFIG_LOGFILE
fi
#Only set memcache vars if storetype is memcache
if [ "$CONFIG_STORETYPE" == "memcache" ]; then
CONFIG_MEMCACHESTORESERVERS=${CONFIG_MEMCACHESTORESERVERS:=" 'memcache_store.servers' => array(\n array(\n array('hostname' => 'mc_a1'),\n array('hostname' => 'mc_a2'),\n ),\n array(\n array('hostname' => 'mc_b1'),\n array('hostname' => 'mc_b2'),\n ),"}
CONFIG_MEMCACHESTOREPREFIX=${CONFIG_MEMCACHESTOREPREFIX:=null}
fi
#Check to see what directories were volume mounted
if [ -z "$(ls -A /var/simplesamlphp/)" ]; then
echo "[$0] [WARN] New install, The entire SimpleSAMLphp directory seems to be Docker volume mounted as it is empty. This is fine for testing but highly not recommended in production. Please see the Dockerfile README for more info." >&2
tar xf /var/simplesamlphp.tar.gz -C /var/ > /dev/null
mv /var/simplesamlphp-*/* /var/simplesamlphp/ > /dev/null
rm -rf /var/simplesamlphp-* > /dev/null
echo "[$0] [WARN] Install Complete. Nothing is ephemeral in the SimpleSAMLphp install so updates need done manually from the host volume this point forward." >&2
else
if [ -z "$(ls -A /var/simplesamlphp/attributemap/)" ]; then
echo "[$0] attributemap directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/attributemap > /dev/null
mv /simplesamlphp-1.*/attributemap/* /var/simplesamlphp/attributemap/
echo "[$0] Seed complete. Directory attributemap will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/bin/)" ]; then
echo "[$0] bin directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/bin > /dev/null
mv /simplesamlphp-1.*/bin/* /var/simplesamlphp/bin/
echo "[$0] Seed complete. Directory bin will not be part of future upgrades and will need upgraded manually."
fi
ls -A /var/simplesamlphp/cert/breadcrumb &> /dev/null
if ! [ $? -ne 0 ]; then
echo "[$0] [WARN] cert directory is not volume mounted and probably should be."
echo "[$0] Pausing 3 seconds due to above warning."
sleep 3
fi
if [ -z "$(ls -A /var/simplesamlphp/config/)" ]; then
echo "[$0] config directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/config > /dev/null
mv /simplesamlphp-1.*/config/* /var/simplesamlphp/config/
echo "[$0] Seed complete. Directory config will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/config-templates/)" ]; then
echo "[$0] config-templates directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/config-templates > /dev/null
mv /simplesamlphp-1.*/config-templates/* /var/simplesamlphp/config-templates/
echo "[$0] Seed complete. Directory config-templates will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/dictionaries/)" ]; then
echo "[$0] dictionaries directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/dictionaries > /dev/null
mv /simplesamlphp-1.*/dictionaries/* /var/simplesamlphp/dictionaries/
echo "[$0] Seed complete. Directory dictionaries will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/docs/)" ]; then
echo "[$0] docs directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/docs > /dev/null
mv /simplesamlphp-1.*/docs/* /var/simplesamlphp/docs/
echo "[$0] Seed complete. Directory docs will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/extra/)" ]; then
echo "[$0] extra directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/extra > /dev/null
mv /simplesamlphp-1.*/extra/* /var/simplesamlphp/extra/
echo "[$0] Seed complete. Directory extra will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/lib/)" ]; then
echo "[$0] lib directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/lib > /dev/null
mv /simplesamlphp-1.*/lib/* /var/simplesamlphp/lib/
echo "[$0] Seed complete. Directory lib will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/metadata/)" ]; then
echo "[$0] metadata directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/metadata > /dev/null
mv /simplesamlphp-1.*/metadata/* /var/simplesamlphp/metadata/
echo "[$0] Seed complete. Directory metadata will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/metadata-templates/)" ]; then
echo "[$0] metadata-templates directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/metadata-templates > /dev/null
mv /simplesamlphp-1.*/metadata-templates/* /var/simplesamlphp/metadata-templates/
echo "[$0] Seed complete. Directory metadata-templates will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/modules/)" ]; then
echo "[$0] modules directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/modules > /dev/null
mv /simplesamlphp-1.*/modules/* /var/simplesamlphp/modules/
echo "[$0] Seed complete. Directory modules will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/schemas/)" ]; then
echo "[$0] schemas directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/schemas > /dev/null
mv /simplesamlphp-1.*/schemas/* /var/simplesamlphp/schemas/
echo "[$0] Seed complete. Directory schemas will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/templates/)" ]; then
echo "[$0] templates directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/templates > /dev/null
mv /simplesamlphp-1.*/templates/* /var/simplesamlphp/templates/
echo "[$0] Seed complete. Directory templates will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/tests/)" ]; then
echo "[$0] tests directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/tests > /dev/null
mv /simplesamlphp-1.*/tests/* /var/simplesamlphp/tests/
echo "[$0] Seed complete. Directory tests will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/tools/)" ]; then
echo "[$0] tools directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/tools > /dev/null
mv /simplesamlphp-1.*/tools/* /var/simplesamlphp/tools/
echo "[$0] Seed complete. Directory tools will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/vendor/)" ]; then
echo "[$0] vendor directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/vendor > /dev/null
mv /simplesamlphp-1.*/vendor/* /var/simplesamlphp/vendor/
echo "[$0] Seed complete. Directory vendor will not be part of future upgrades and will need upgraded manually."
fi
if [ -z "$(ls -A /var/simplesamlphp/www/)" ]; then
echo "[$0] www directory seems to be Docker volume mounted as it is empty. Seeding."
tar xzvf /var/simplesamlphp.tar.gz simplesamlphp*/www > /dev/null
mv /simplesamlphp-1.*/www/* /var/simplesamlphp/www/
echo "[$0] Seed complete. Directory www will not be part of future upgrades and will need upgraded manually."
fi
rm -rf /simplesamlphp-*/
fi
ls -A /var/simplesamlphp/config/.dockersetupdone &> /dev/null
if ! [ $? -ne 0 ]; then
echo "[$0] Breadcrumb located, skipping firstime config."
echo "[$0] Done"
exit 0
fi
#Apply server certificate check in a TLS session
echo "TLS_REQCERT=$OPENLDAP_TLS_REQCERT" >> /etc/openldap/ldap.conf
#Configure SimpleSAMLphp from runtime variables.
echo "[$0] Apply Configuration to config.php..."
#Apply Configurations
sed -i "s|'auth.adminpassword' => '123'|'auth.adminpassword' => '$CONFIG_AUTHADMINPASSWORD'|g" /var/simplesamlphp/config/config.php
sed -i "s|'secretsalt' => 'defaultsecretsalt'|'secretsalt' => '$CONFIG_SECRETSALT'|g" /var/simplesamlphp/config/config.php
sed -i "s|'technicalcontact_name' => 'Administrator'|'technicalcontact_name' => '$CONFIG_TECHNICALCONTACT_NAME'|g" /var/simplesamlphp/config/config.php
sed -i "s|'technicalcontact_email' => 'na@example.org'|'technicalcontact_email' => '$CONFIG_TECHNICALCONTACT_EMAIL'|g" /var/simplesamlphp/config/config.php
sed -i "s|'language.default' => 'en'|'language.default' => '$CONFIG_LANGUAGEDEFAULT'|g" /var/simplesamlphp/config/config.php
sed -i "s|'timezone' => null|'timezone' => '$CONFIG_TIMEZONE'|g" /var/simplesamlphp/config/config.php
sed -i "s|'tempdir' => '/tmp/simplesaml'|'tempdir' => '$CONFIG_TEMPDIR'|g" /var/simplesamlphp/config/config.php
sed -i "s|'showerrors' => true|'showerrors' => $CONFIG_SHOWERRORS|g" /var/simplesamlphp/config/config.php
sed -i "s|'errorreporting' => true|'errorreporting' => $CONFIG_ERRORREPORTING|g" /var/simplesamlphp/config/config.php
sed -i "s|'admin.protectindexpage' => false|'admin.protectindexpage' => $CONFIG_ADMINPROTECTINDEXPAGE|g" /var/simplesamlphp/config/config.php
sed -i "s|'admin.protectmetadata' => false|'admin.protectmetadata' => $CONFIG_ADMINPROTECTMETADATA|g" /var/simplesamlphp/config/config.php
sed -i "s|'debug' => false|'debug' => $CONFIG_DEBUG|g" /var/simplesamlphp/config/config.php
sed -i "s|'logging.level' => SimpleSAML_Logger::NOTICE|'logging.level' => SimpleSAML_Logger::$CONFIG_LOGGINGLEVEL|g" /var/simplesamlphp/config/config.php
sed -i "s|'logging.handler' => 'syslog'|'logging.handler' => '$CONFIG_LOGGINGHANDLER'|g" /var/simplesamlphp/config/config.php
sed -i "s|'logging.logfile' => 'simplesamlphp.log'|'logging.logfile' => '$CONFIG_LOGFILE'|g" /var/simplesamlphp/config/config.php
sed -i "s|'enable.saml20-idp' => false|'enable.saml20-idp' => $CONFIG_ENABLESAML20IDP|g" /var/simplesamlphp/config/config.php
sed -i "s|'enable.shib13-idp' => false|'enable.shib13-idp' => $CONFIG_ENABLESHIB13IDP|g" /var/simplesamlphp/config/config.php
sed -i "s|'enable.adfs-idp' => false|'enable.adfs-idp' => $CONFIG_ENABLEADFSIDP|g" /var/simplesamlphp/config/config.php
sed -i "s|'enable.wsfed-sp' => false|'enable.wsfed-sp' => $CONFIG_ENABLEWSFEDSP|g" /var/simplesamlphp/config/config.php
sed -i "s|'enable.authmemcookie' => false|'enable.authmemcookie' => $CONFIG_ENABLEAUTHMEMCOOKIE|g" /var/simplesamlphp/config/config.php
sed -i "s|'session.duration' => 8 \* (60 \* 60)|'session.duration' => $CONFIG_SESSIONDURATION|g" /var/simplesamlphp/config/config.php
sed -i "s|'session.datastore.timeout' => (4 \* 60 \* 60)|'session.datastore.timeout' => $CONFIG_SESSIONDATASTORETIMEOUT|g" /var/simplesamlphp/config/config.php
sed -i "s|'session.state.timeout' => (60 \* 60)|'session.state.timeout' => $CONFIG_SESSIONSTATETIMEOUT|g" /var/simplesamlphp/config/config.php
sed -i "s|'session.cookie.lifetime' => 0|'session.cookie.lifetime' => $CONFIG_SESSIONCOOKIELIFETIME|g" /var/simplesamlphp/config/config.php
sed -i "s|'session.rememberme.enable' => false|'session.rememberme.enable' => $CONFIG_SESSIONREMEMBERMEENABLE|g" /var/simplesamlphp/config/config.php
sed -i "s|'session.rememberme.checked' => false|'session.rememberme.checked' => $CONFIG_SESSIONREMEMBERMECHECKED|g" /var/simplesamlphp/config/config.php
sed -i "s|'session.rememberme.lifetime' => (14 \* 86400)|'session.rememberme.lifetime' => $CONFIG_SESSIONREMEMBERMELIFETIME|g" /var/simplesamlphp/config/config.php
sed -i "s|'session.cookie.secure' => false|'session.cookie.secure' => $CONFIG_SESSIONCOOKIESECURE|g" /var/simplesamlphp/config/config.php
sed -i "s|'enable.http_post' => false|'enable.http_post' => $CONFIG_ENABLEHTTPPOST|g" /var/simplesamlphp/config/config.php
sed -i "s|'theme.use' => 'default'|'theme.use' => '$CONFIG_THEMEUSE'|g" /var/simplesamlphp/config/config.php
sed -i "s|'store.type' => 'phpsession',|'store.type' => '$CONFIG_STORETYPE',|g" /var/simplesamlphp/config/config.php
sed -i "s|'core/frontpage_welcome.php'|'$WWW_INDEX'|g" /var/simplesamlphp/www/index.php
#Only configure redundant memcache if storetype is set to memcache
if [ "$CONFIG_STORETYPE" == "memcache" ]; then
sed -i "/ 'memcache_store.servers' => array(/{n;N;N;d}" /var/simplesamlphp/config/config.php
sed -i "s| 'memcache_store.servers' => array(|$CONFIG_MEMCACHESTORESERVERS|g" /var/simplesamlphp/config/config.php
sed -i "s|'memcache_store.prefix' => null|'memcache_store.prefix' => '$CONFIG_MEMCACHESTOREPREFIX'|g" /var/simplesamlphp/config/config.php
if [ "$CONFIG_MEMCACHESTOREPREFIX" == "null" ]; then
echo "[$0] [WARN] CONFIG_STORETYPE was set to 'memcache', but CONFIG_MEMCACHESTOREPREFIX was not set from null. This will not work. Setting CONFIG_MEMCACHESTOREPREFIX to 'simpleSAMLphp'."
echo "[$0] To avoid this warning in the future, set CONFIG_MEMCACHESTOREPREFIX to something, 'simpleSAMLphp' is the suggested default if memcache is enabled."
echo "[$0] Pausing 5 seconds due to above warning."
sleep 5
CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
sed -i "s|'memcache_store.prefix' => null|'memcache_store.prefix' => $CONFIG_MEMCACHESTOREPREFIX|g" /var/simplesamlphp/config/config.php
fi
fi
chown nginx:nginx /var/simplesamlphp/log
touch /var/simplesamlphp/config/.dockersetupdone
echo "[$0] Configuration Complete. Saved .dockersetupdone breadcrumb to config directory to prevent config rerun."
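Review bot: the memcache prefix fallback at the end of the configuration block can never take effect, and would be wrong if it did. The earlier line `sed -i "s|'memcache_store.prefix' => null|'memcache_store.prefix' => '$CONFIG_MEMCACHESTOREPREFIX'|g"` has already rewritten the `null` default to the quoted string `'null'` by the time the `if [ "$CONFIG_MEMCACHESTOREPREFIX" == "null" ]` branch runs, so the second sed inside that branch matches nothing; and its replacement omits the surrounding single quotes, so a successful match would emit a bare PHP identifier rather than the string `'simplesamlphp'`. Suggest validating the prefix (default it when empty or `null`) before the first substitution and keeping a single, quoted sed. Two related points for the same run of sed calls: runtime values are interpolated unescaped into both the sed expression and config.php, so a `|`, `&` or `'` in CONFIG_AUTHADMINPASSWORD or CONFIG_SECRETSALT breaks the expression or the PHP string literal, and an unset boolean or integer variable such as CONFIG_SHOWERRORS or CONFIG_SESSIONDURATION produces `'showerrors' => ,`, a PHP parse error that takes the IdP down; consider `${VAR:?}` or explicit defaults plus escaping of the delimiter and `&` before substituting. Finally, `echo "TLS_REQCERT=$OPENLDAP_TLS_REQCERT" >> /etc/openldap/ldap.conf` runs only when the `.dockersetupdone` breadcrumb in the config volume is absent, yet ldap.conf lives in the container filesystem rather than in any of the seeded volumes, so a recreated container reusing an existing config volume never receives the setting; move that line above the breadcrumb check and guard against appending a duplicate on every start.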

21
LICENSE Normal file

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2017 Adam W Zheng
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

5
README.md Normal file

@ -0,0 +1,5 @@
### About this Repo
This is the Git repo for the Docker image [venatorfox/simplesamlphp](https://hub.docker.com/r/venatorfox/simplesamlphp/). Please view the [Docker Hub Page](https://hub.docker.com/r/venatorfox/simplesamlphp/) for the full readme on how to use this Docker image.
The full readme pushed there is located in the [latest Dockerfile directory](https://github.com/Venator-Fox/docker-simplesamlphp/tree/master/1.14.15).

1
latest Symbolic link

@ -0,0 +1 @@
1.14.15