Documentation and example files for systemd

This commit is contained in:
Adam W Zheng 2019-07-10 16:00:44 -05:00
parent 062e707121
commit b1cffb6047
11 changed files with 411 additions and 73 deletions

View File

@ -92,19 +92,18 @@ It is recommended to set them properly and not use default values.
| Variable | Default Value | Description |
| ------ | ------ | ------ |
| CONFIG_BASEURLPATH | simplesaml/ | If using SSL behind a proxy enter the base URL here, otherwise IdP metadata will use http://. Format is [(https)://(hostname)[:port]]/[path/to/simplesaml/]. |
| DOCKER_REDIRECTLOGS | false | Redirect logs written to the log file by SimpleSAMLphp to `/dev/console`. Please run with -t as a TTY will need allocated for this to work. |
| CONFIG_AUTHADMINPASSWORD | SSHA256 hash of '123' | Plain text works as well. Use PWGen to generate a hash for this variable. Refer to [SimpleSAMLphp docs](https://simplesamlphp.org/docs/stable/simplesamlphp-install), installation guide section 7. |
| CONFIG_SECRETSALT | defaultsecretsalt | Refer to [SimpleSAMLphp docs](https://simplesamlphp.org/docs/stable/simplesamlphp-install), installation guide section 7 if help is needed for generating one. |
| CONFIG_TECHNICALCONTACT_NAME | Administrator | Name of the Admin of Rainy Clouds, 42nd of Their Name, Breaker of Sanity, and ~~Destroyer~~ Protector of the Federation |
| CONFIG_TECHNICALCONTACT_EMAIL | na@example.org | Address of hate mail and applicaton exception logs to send to. Mail support is not yet supported in this container, it is coming soon. Best to turn off mail error reporting option and direct users to the proper email until its implemented. |
| CONFIG_TECHNICALCONTACT_EMAIL | na@example.org | Address of hate mail and applicaton exception logs to send to. |
| CONFIG_LANGUAGEDEFAULT | en | -- |
| CONFIG_TIMEZONE | America/Chicago | Visit the [php.net man pages](http://php.net/manual/en/timezones.america.php) for the options, the one linked is for 'Murica. |
| CONFIG_TEMPDIR | /tmp/simplesaml | -- |
| CONFIG_SHOWERRORS | true | Shows detailed errors to the user if one occurs. |
| CONFIG_ERRORREPORTING | true | Allow users to send reports from SimpleSAMLphp to the technicalcontact. Not yet working. |
| CONFIG_ADMINPROTECTINDEXPAGE | false | Require admin password to access frontpage_federation index |
| CONFIG_ADMINPROTECTMETADATA | false | Require admin password to access public IdP metadata |
| CONFIG_DEBUG | false | Enable debugging to logs, requires CONFIG_LOGGINGLEVEL be set to DEBUG |
| CONFIG_ERRORREPORTING | true | Allow users to send reports from SimpleSAMLphp to the technicalcontact. |
| CONFIG_ADMINPROTECTINDEXPAGE | false | Require admin password to access frontpage_federation index. |
| CONFIG_ADMINPROTECTMETADATA | false | Require admin password to access public IdP metadata. |
| CONFIG_DEBUG | false | Enable debugging to logs, requires CONFIG_LOGGINGLEVEL be set to DEBUG. |
| CONFIG_LOGGINGLEVEL | NOTICE | Options are ERR, WARNING, NOTICE, INFO, DEBUG |
| CONFIG_LOGGINGHANDLER | file | Default different from official default of syslog due to systemd not running in containers. |
| CONFIG_LOGFILE | simplesamlphp.log | -- |
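Review bot: the reworded CONFIG_TECHNICALCONTACT_EMAIL row still carries the typo "applicaton" (should be "application"), and dropping "Not yet working" from the CONFIG_ERRORREPORTING description implies the feature now works although nothing else in this commit implements it; if it is still unimplemented, keep the caveat. Since this table documents CONFIG_AUTHADMINPASSWORD defaulting to the hash of '123' and CONFIG_SECRETSALT to 'defaultsecretsalt', the intro sentence "It is recommended to set them properly" undersells it: say plainly that a container reachable from a network must never run with either default.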
@ -129,11 +128,12 @@ It is recommended to set them properly and not use default values.
| WWW_INDEX | core/frontpage_welcome.php | Page to direct to if a user accesses the IdP/SP directly. Can be set to an authentication test for example. |
| OPENLDAP_TLS_REQCERT | demand | As per ldap man pages, Options are `never` `allow` `try` `demand`. If using Active Directory or OpenLDAP with TLS, logins will be rejected if the directory certificate is self-signed with the default `demand` value. This can be set to `never` for testing purposes. Refer to ldap.conf man page section 5 for more details. |
| MTA_NULLCLIENT | false | Set to true to configure null client for sending e-mails. Visit the [Postfix Standard Configuration Examples](http://www.postfix.org/STANDARD_CONFIGURATION_README.html) for explaination of a null client. If this is set to false, postfix will be purged from the container. |
| POSTFIX_MYHOSTNAME| host.domain.tld | Set to the FQDN of your host. ie `auth.example.com` |
| POSTFIX_MYORIGIN | $myhostname | Set to `$mydomain` as per postfix docs for null client |
| POSTFIX_RELAYHOST | $mydomain | Set to `$mydomain` again as per postfix docs for null client |
| POSTFIX_INETINTERFACES | localhost | Set to loopback-only as per postfix docs for null client |
| POSTFIX_MYDESTINATION | | Leave as empty string as per postfix docs for null client |
| POSTFIX_MYHOSTNAME| host.domain.tld | Set to the FQDN of your host. ie `auth.example.com`. |
| POSTFIX_MYORIGIN | $myhostname | Set to `$mydomain` as per postfix docs for null client. |
| POSTFIX_RELAYHOST | $mydomain | Set to `$mydomain` again as per postfix docs for null client. |
| POSTFIX_INETINTERFACES | localhost | Set to loopback-only as per postfix docs for null client. |
| POSTFIX_MYDESTINATION | | Leave as empty string as per postfix docs for null client. |
| DOCKER_REDIRECTLOGS | false | Redirect logs written to the log file by SimpleSAMLphp to `/dev/console`. Please run with -t as a TTY will need allocated for this to work. |
Default CONFIG_MEMCACHESTORESERVERS format, 2 pair of 2 example. Use this template and replace the hostnames. Check compose file for usage example:
```console
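Review bot: the lead-in to the CONFIG_MEMCACHESTORESERVERS template reads awkwardly ("2 pair of 2 example"); say what the template shows, e.g. "two memcached pools of two servers each, as in the compose file". The OPENLDAP_TLS_REQCERT row only warns about `never`, but the unit file added in this commit uses `allow`, which per ldap.conf(5) also ignores a bad directory certificate; only `try` and `demand` terminate the session on one, so the "testing purposes" caveat should cover `allow` too. Minor: "explaination" in the MTA_NULLCLIENT row should be "explanation".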

View File

@ -1,13 +1,13 @@
[![](https://images.microbadger.com/badges/version/venatorfox/simplesamlphp:1.17.1.svg)](https://github.com/Venator-Fox/docker-simplesamlphp/network "View Network") [![](https://images.microbadger.com/badges/image/venatorfox/simplesamlphp:1.17.1.svg)](https://microbadger.com/images/venatorfox/simplesamlphp:1.17.1 "View layer metadata on MicroBadger") [![Pulls on Docker Hub](https://img.shields.io/docker/pulls/venatorfox/simplesamlphp.svg)](https://hub.docker.com/r/venatorfox/simplesamlphp) [![Stars on Docker Hub](https://img.shields.io/docker/stars/venatorfox/simplesamlphp.svg)](https://hub.docker.com/r/venatorfox/simplesamlphp) [![GitHub Open Issues](https://img.shields.io/github/issues/Venator-Fox/docker-simplesamlphp.svg)](https://github.com/Venator-Fox/docker-simplesamlphp/issues) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![](https://images.microbadger.com/badges/version/venatorfox/simplesamlphp:1.17.2.svg)](https://github.com/Venator-Fox/docker-simplesamlphp/network "View Network") [![](https://images.microbadger.com/badges/image/venatorfox/simplesamlphp:1.17.1.svg)](https://microbadger.com/images/venatorfox/simplesamlphp:1.17.1 "View layer metadata on MicroBadger") [![Pulls on Docker Hub](https://img.shields.io/docker/pulls/venatorfox/simplesamlphp.svg)](https://hub.docker.com/r/venatorfox/simplesamlphp) [![Stars on Docker Hub](https://img.shields.io/docker/stars/venatorfox/simplesamlphp.svg)](https://hub.docker.com/r/venatorfox/simplesamlphp) [![GitHub Open Issues](https://img.shields.io/github/issues/Venator-Fox/docker-simplesamlphp.svg)](https://github.com/Venator-Fox/docker-simplesamlphp/issues) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
### Examples
This directory contains some example files in order to run the [venatorfox/simplesamlphp](https://hub.docker.com/r/venatorfox/simplesamlphp/) in a more complex manner. (ie. with SSL termination, HAProxy, etc...) These examples assume this is installed in a non-orchestrated manner on a host.
The following examples are provided here:
- Super basic with all the default options
- HAProxy SSL Termination, Let's Encrypt CA, and common configurations via docker-compose
- HAProxy SSL Termination, Let's Encrypt CA, and common configurations via systemd
- Super basic with all the default options (basically just to look at the application)
- HAProxy SSL Termination, Let's Encrypt CA, and common configurations via docker-compose (for development)
- HAProxy SSL Termination, Let's Encrypt CA, and common configurations via systemd (for production)
#### Super basic with all the default options
> 1 liner, just to see how SimpleSAMLphp looks.
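Review bot: the version badge is bumped to 1.17.2 but the MicroBadger image badge and its link on the same line still reference 1.17.1, so the two badges describe different images; update both to 1.17.2. The added parentheticals on the three list items (look at the application / development / production) are a good clarification and match the body sections below.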
@ -40,13 +40,17 @@ Check SimpleSAMLphp's upgrade notes to see if updates occured in a specified dir
Note that running this compose file will create files in `/srv/docker/volumes/` on your host.
You can remove this after toying with the example.
Run the following two commands to generate a self-signed SSL certificate:
Run the following to generate a quick self-signed SSL certificate:
```console
mkdir -p /srv/docker/volumes/some-haproxy/ssl
docker run --rm -v /srv/docker/volumes/some-haproxy/ssl:/ssl -e HOST=localhost -e TYPE=pem project42/selfsignedcert
mkdir -p /srv/docker/volumes/some-haproxy/config/ssl
docker run --rm -v /srv/docker/volumes/some-haproxy/config/ssl:/ssl -e HOST=localhost -e TYPE=pem project42/selfsignedcert
```
Save the `haproxy.cfg` to `/srv/docker/volumes/some-haproxy/haproxy.cfg`
Copy the `haproxy.cfg` to `/srv/docker/volumes/some-haproxy/config`
~~~
Be sure to modify haproxy.cfg to use the `localhost.pem` instead of `priv-fullchain-bundle.pem`
~~~
Compose version in this example is v3.5
Run `docker-compose -f docker-compose.yml up` to bring the stack up with your variables.
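Review bot: the paths in this section disagree with `docker-compose.yml` in the same commit: the steps create `/srv/docker/volumes/some-haproxy/config/ssl` and copy `haproxy.cfg` into `/srv/docker/volumes/some-haproxy/config`, while the compose file mounts `/srv/docker/volumes/some-haproxy/haproxy/` on `/etc/haproxy/`, so HAProxy would come up without its cfg and certificate. Use `.../some-haproxy/haproxy/ssl` and `.../some-haproxy/haproxy` here, matching the systemd section. The note about switching `priv-fullchain-bundle.pem` back to `localhost.pem` is needed because this cfg is shared with the production example; it would help to add that the self-signed `localhost.pem` is for local testing only.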
@ -54,7 +58,193 @@ After install, visit https://localhost.
Use `docker-compose -f docker-compose.yml down` to destroy all containers.
#### HAProxy SSL Termination, Let's Encrypt CA, and common configurations via systemd
> This is recommended for production for non-orchestrated installs. These unit files will start containers utilizing, memcached, haproxy, and simplesaml
> This is recommended for production for non-orchestrated installs. These unit files will start containers utilizing, memcached, haproxy, simplesaml, and letsencrypt.
//TODO
This example will accomplish all items as done in the compose example, but also setup a container for a LetsEncrypt SSL certificate. The haproxy container will cat over the keys.
Note that running these will create files in `/srv/docker/volumes/` on your host. Use these example files to your preference. Some examples are below tested with CentOS/RHEL
> Method 1 (Copy to local config dir `/etc/systemd/system/`)
>
```console
cp -rfv /some/location/docker-simplesamlphp/examples/systemd/*.service /etc/systemd/system/
```
or
> Method 2 (Symlink to vendor/pkg dir `/usr/lib/systemd/system/`) (use full paths)
>
```console
ln -s /some/location/docker-simplesamlphp/examples/systemd/some-haproxy.service /usr/lib/systemd/system/
ln -s /some/location/docker-simplesamlphp/examples/systemd/some-letsencrypt.service /usr/lib/systemd/system/
ln -s /some/location/docker-simplesamlphp/examples/systemd/some-memcacheda01.service /usr/lib/systemd/system/
ln -s /some/location/docker-simplesamlphp/examples/systemd/some-memcacheda02.service /usr/lib/systemd/system/
ln -s /some/location/docker-simplesamlphp/examples/systemd/some-memcachedb01.service /usr/lib/systemd/system/
ln -s /some/location/docker-simplesamlphp/examples/systemd/some-memcachedb02.service /usr/lib/systemd/system/
ln -s /some/location/docker-simplesamlphp/examples/systemd/some-simplesamlphp.service /usr/lib/systemd/system/
```
or
> Method 3 (Use the unit files directly)
>
```console
systemctl start /some/location/docker-simplesamlphp/examples/systemd/some-letsencrypt.service
```
Regardless of the method used above, start the letsencrypt container to obtain a certificate. The example provided uses http validation. Port 80 will need to be open to your server for DNS validation. Be sure to modify the unit file to your parameters (esp EMAIL and URL) and `systemctl daemon-reload`. The image used in this example is from [linuxserver/letsencrypt](https://hub.docker.com/r/linuxserver/letsencrypt/)
~~~
systemctl start some-letsencrypt
~~~
After it has completed key generation and obtained a certificate, stop the container
~~~
systemctl status some-letsencrypt
~~~
~~~
systemctl stop some-letsencrypt
~~~
Create persistant directory `ssl` for `some-haproxy`
~~~
mkdir -p /srv/docker/volumes/some-haproxy/haproxy/ssl
~~~
Copy the `haproxy.cfg` to `/srv/docker/volumes/some-haproxy/haproxy`
~~~
cp -v /some/location/docker-simplesamlphp/examples/haproxy/haproxy.cfg /srv/docker/volumes/some-haproxy/haproxy/
~~~
Enable and start `some-haproxy`, this will bring up the rest of the containers
~~~
systemctl enable --now some-haproxy
~~~
Verify:
~~~
systemctl status some-haproxy
● some-haproxy.service - SimpleSAMLphp HAProxy Container (some-haproxy)
Loaded: loaded (/etc/systemd/system/some-haproxy.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2019-07-10 15:50:25 CDT; 21s ago
Process: 17047 ExecStartPre=/usr/bin/docker pull million12/haproxy:latest (code=exited, status=0/SUCCESS)
Process: 17043 ExecStartPre=/bin/bash -c /bin/cat /srv/docker/volumes/some-letsencrypt/config/keys/letsencrypt/priv-fullchain-bundle.pem > /srv/docker/volumes/%N/haproxy/ssl/priv-fullchain-bundle.pem (code=exited, status=0/SUCCESS)
Process: 17035 ExecStartPre=/usr/bin/docker rm %N (code=exited, status=1/FAILURE)
Process: 17023 ExecStartPre=/usr/bin/docker stop %N (code=exited, status=1/FAILURE)
Main PID: 17429 (docker-current)
Tasks: 7
Memory: 5.1M
CGroup: /system.slice/some-haproxy.service
└─17429 /usr/bin/docker-current run --rm --name some-haproxy --network simplesamlphp-network --cap-add NET_ADMIN --publish 80:80 --publish 443:443 --volume /srv/docker/volumes/some-haproxy/haproxy/:/etc/haproxy/:Z million12/haproxy:latest
Jul 10 15:50:26 e10-devidp docker[17429]: frontend https-in
Jul 10 15:50:26 e10-devidp docker[17429]: bind *:443 ssl crt /etc/haproxy/ssl/priv-fullchain-bundle.pem
Jul 10 15:50:26 e10-devidp docker[17429]: reqadd X-Forwarded-Proto:\ https
Jul 10 15:50:26 e10-devidp docker[17429]: default_backend nodes-http
Jul 10 15:50:26 e10-devidp docker[17429]: backend nodes-http
Jul 10 15:50:26 e10-devidp docker[17429]: redirect scheme https if !{ ssl_fc }
Jul 10 15:50:26 e10-devidp docker[17429]: server node1 some-simplesamlphp:80 check
Jul 10 15:50:26 e10-devidp docker[17429]: ====================================================================================================
Jul 10 15:50:26 e10-devidp docker[17429]: Configuration file is valid
Jul 10 15:50:26 e10-devidp docker[17429]: [2019-07-10 20:50:26] HAProxy started with /etc/haproxy/haproxy.cfg config, pid 13.
~~~
~~~
docker ps -a
7a1e3550d2ad million12/haproxy:latest "/bootstrap.sh" About a minute ago Up About a minute 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp some-haproxy
94054daae650 memcached:latest "docker-entrypoint..." About a minute ago Up About a minute 11211/tcp some-memcacheda01
1bc3a7c8fba6 memcached:latest "docker-entrypoint..." About a minute ago Up About a minute 11211/tcp some-memcachedb02
f1a5ad49bfd4 memcached:latest "docker-entrypoint..." About a minute ago Up About a minute 11211/tcp some-memcacheda02
5ef6b9c104f2 memcached:latest "docker-entrypoint..." About a minute ago Up About a minute 11211/tcp some-memcachedb01
bf58f84a21e6 venatorfox/simplesamlphp:development "/init" About a minute ago Up About a minute some-simplesamlphp
~~~
##### Other Notes
When translating docker run into systemd unit files, be sure to use `systemd-escape` when needed. (ie spaces or special characters):
~~~
systemd-escape "CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ],"
CONFIG_MEMCACHESTORESERVERS\x3d\x20\x20\x20\x20\x27memcache_store.servers\x27\x20\x3d\x3e\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c
~~~
For Example:
~~~
docker run -t --name some-simplesamlphp --network simplesamlphp-network \
-e CONFIG_BASEURLPATH=https://auth.example.com/simplesaml/ \
-e CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw== \
-e CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy \
-e CONFIG_TECHNICALCONTACT_NAME="Adam W Zheng" \
-e CONFIG_TECHNICALCONTACT_EMAIL=adam.w.zheng@icloud.com \
-e CONFIG_SHOWERRORS=true \
-e CONFIG_ERRORREPORTING=true \
-e CONFIG_ADMINPROTECTINDEXPAGE=true \
-e CONFIG_LOGGINGLEVEL=INFO \
-e CONFIG_ENABLESAML20IDP=true \
-e CONFIG_STORETYPE=memcache \
-e CONFIG_MEMCACHESTOREPREFIX=simplesamlphp \
-e CONFIG_MEMCACHESTORESERVERS=" 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ]," \
-e OPENLDAP_TLS_REQCERT=allow \
-e MTA_NULLCLIENT=true \
-e POSTFIX_MYHOSTNAME=auth.example.com \
-e POSTFIX_MYORIGIN=$mydomain \
-e POSTFIX_INETINTERFACES=loopback-only \
-e DOCKER_REDIRECTLOGS=true \
-v /srv/docker/volumes/some-simplesamlphp/cache/:/var/simplesamlphp/cache/:Z \
-v /srv/docker/volumes/some-simplesamlphp/config/:/var/simplesamlphp/config/:Z \
-v /srv/docker/volumes/some-simplesamlphp/cert/:/var/simplesamlphp/cert/:Z \
-v /srv/docker/volumes/some-simplesamlphp/locales/:/var/simplesamlphp/locales/:Z \
-v /srv/docker/volumes/some-simplesamlphp/log/:/var/simplesamlphp/log/:Z \
-v /srv/docker/volumes/some-simplesamlphp/metadata/:/var/simplesamlphp/metadata/:Z \
-v /srv/docker/volumes/some-simplesamlphp/modules/:/var/simplesamlphp/modules/:Z \
-v /srv/docker/volumes/some-simplesamlphp/templates/:/var/simplesamlphp/templates/:Z \
-v /srv/docker/volumes/some-simplesamlphp/www/:/var/simplesamlphp/www/:Z \
venatorfox/simplesamlphp:development
~~~
Would look like this in a unit file
~~~
ExecStart=/usr/bin/docker run -t --name some-simplesamlphp \
--network simplesamlphp-network \
-e CONFIG_BASEURLPATH=https://auth.example.com/simplesaml/ \
-e CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw== \
-e CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy \
-e CONFIG_TECHNICALCONTACT_NAME=Adam\x20W\x20Zheng \
-e CONFIG_TECHNICALCONTACT_EMAIL=adam.w.zheng@icloud.com \
-e CONFIG_SHOWERRORS=true \
-e CONFIG_ERRORREPORTING=true \
-e CONFIG_ADMINPROTECTINDEXPAGE=true \
-e CONFIG_LOGGINGLEVEL=INFO \
-e CONFIG_ENABLESAML20IDP=true \
-e CONFIG_STORETYPE=memcache \
-e CONFIG_MEMCACHESTOREPREFIX=simplesamlphp \
-e CONFIG_MEMCACHESTORESERVERS=\x20\x20\x20\x20\x27memcache_store.servers\x27\x20\x3d\x3e\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c
-e OPENLDAP_TLS_REQCERT=allow \
-e MTA_NULLCLIENT=true \
-e POSTFIX_MYHOSTNAME=auth.example.com \
-e POSTFIX_MYORIGIN=$mydomain \
-e POSTFIX_INETINTERFACES=loopback-only \
-e DOCKER_REDIRECTLOGS=true \
-v /srv/docker/volumes/some-simplesamlphp/cache/:/var/simplesamlphp/cache/:Z \
-v /srv/docker/volumes/some-simplesamlphp/config/:/var/simplesamlphp/config/:Z \
-v /srv/docker/volumes/some-simplesamlphp/cert/:/var/simplesamlphp/cert/:Z \
-v /srv/docker/volumes/some-simplesamlphp/locales/:/var/simplesamlphp/locales/:Z \
-v /srv/docker/volumes/some-simplesamlphp/log/:/var/simplesamlphp/log/:Z \
-v /srv/docker/volumes/some-simplesamlphp/metadata/:/var/simplesamlphp/metadata/:Z \
-v /srv/docker/volumes/some-simplesamlphp/modules/:/var/simplesamlphp/modules/:Z \
-v /srv/docker/volumes/some-simplesamlphp/templates/:/var/simplesamlphp/templates/:Z \
-v /srv/docker/volumes/some-simplesamlphp/www/:/var/simplesamlphp/www/:Z \
venatorfox/simplesamlphp:development
~~~
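Review bot: the `//TODO` placeholder at the top of this section should be removed or filled in before the page ships, and the validation sentence contradicts the unit it describes: `some-letsencrypt.service` sets `VALIDATION=http`, so port 80 must be reachable for HTTP validation, not "DNS validation". In the `docker run` example, `-e POSTFIX_MYORIGIN=$mydomain` is unquoted, so the shell expands it to an empty string; write `-e POSTFIX_MYORIGIN='$mydomain'` since the table says the literal `$mydomain` is what Postfix expects, and the unit-file version should use `$$mydomain` as the compose file already does, because systemd treats `$` in command lines as an environment-variable reference. Also "persistant" should be "persistent", and the `systemctl status` sample shows the `docker stop` and `docker rm` ExecStartPre steps as status=1/FAILURE; one sentence saying that is expected on first start (they are prefixed with `-`) would spare readers a false alarm.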

View File

@ -1,109 +1,88 @@
version: '3.5'
services:
networks:
simplesamlphp-network:
name: simplesamlphp-network
driver: bridge
some-simplesamlphp01:
container_name: some-simplesamlphp01
image: venatorfox/simplesamlphp:1.17.1
services:
some-simplesamlphp:
container_name: some-simplesamlphp
image: venatorfox/simplesamlphp:1.17.2
environment:
- CONFIG_BASEURLPATH=https://localhost/simplesaml/
# To login to this example setup, use 123 for the password.
- CONFIG_BASEURLPATH=https://auth.example.com/simplesaml/
- CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw==
- CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy
- CONFIG_TECHNICALCONTACT_NAME=Adam W Zheng
- CONFIG_TECHNICALCONTACT_EMAIL=adam.w.zheng@icloud.com
- CONFIG_LANGUAGEDEFAULT=en
- CONFIG_TIMEZONE=America/Chicago
- CONFIG_SHOWERRORS=true
- CONFIG_ERRORREPORTING=true
- CONFIG_ADMINPROTECTINDEXPAGE=true
- CONFIG_ADMINPROTECTMETADATA=false
- CONFIG_DEBUG=FALSE
- CONFIG_LOGGINGLEVEL=INFO
- CONFIG_LOGGINGHANDLER=file
- CONFIG_LOGFILE=simplesamlphp.log
- CONFIG_ENABLESAML20IDP=true
- CONFIG_SESSIONCOOKIESECURE=false
- CONFIG_ENABLEHTTPPOST=false
- CONFIG_STORETYPE=memcache
- CONFIG_MEMCACHESTOREPREFIX=simplesamlphp
- CONFIG_MEMCACHESTORESERVERS= 'memcache_store.servers' => [\n [\n ['hostname' => 'some-memcacheda01'],\n ['hostname' => 'some-memcacheda02'],\n ],\n [\n ['hostname' => 'some-memcachedb01'],\n ['hostname' => 'some-memcachedb02'],\n ],
# - WWW_INDEX=core/authenticate.php?as=admin
- OPENLDAP_TLS_REQCERT=always
- OPENLDAP_TLS_REQCERT=allow
- MTA_NULLCLIENT=true
- POSTFIX_MYHOSTNAME=auth.example.com
- POSTFIX_MYORIGIN=$$mydomain
- POSTFIX_RELAYHOST=$$mydomain
- POSTFIX_INETINTERFACES=loopback-only
- POSTFIX_MYDESTINATION=
- DOCKER_REDIRECTLOGS=true
volumes:
# - /srv/docker/volumes/some-simplesamlphp01/cache/:/var/simplesamlphp/cache/:Z
# - /srv/docker/volumes/some-simplesamlphp01/config/authsources.php:/var/simplesamlphp/config/authsources.php:Z
- /srv/docker/volumes/some-simplesamlphp01/cert/:/var/simplesamlphp/cert/:Z
- /srv/docker/volumes/some-simplesamlphp01/locales/:/var/simplesamlphp/locales/:Z
- /srv/docker/volumes/some-simplesamlphp01/log/:/var/simplesamlphp/log/:Z
- /srv/docker/volumes/some-simplesamlphp01/metadata/:/var/simplesamlphp/metadata/:Z
- /srv/docker/volumes/some-simplesamlphp01/modules/:/var/simplesamlphp/modules/:Z
- /srv/docker/volumes/some-simplesamlphp01/templates/:/var/simplesamlphp/templates/:Z
- /srv/docker/volumes/some-simplesamlphp01/www/:/var/simplesamlphp/www/:Z
- /srv/docker/volumes/some-simplesamlphp/cache/:/var/simplesamlphp/cache/:Z
- /srv/docker/volumes/some-simplesamlphp/config/:/var/simplesamlphp/config/:Z
- /srv/docker/volumes/some-simplesamlphp/cert/:/var/simplesamlphp/cert/:Z
- /srv/docker/volumes/some-simplesamlphp/locales/:/var/simplesamlphp/locales/:Z
- /srv/docker/volumes/some-simplesamlphp/log/:/var/simplesamlphp/log/:Z
- /srv/docker/volumes/some-simplesamlphp/metadata/:/var/simplesamlphp/metadata/:Z
- /srv/docker/volumes/some-simplesamlphp/modules/:/var/simplesamlphp/modules/:Z
- /srv/docker/volumes/some-simplesamlphp/templates/:/var/simplesamlphp/templates/:Z
- /srv/docker/volumes/some-simplesamlphp/www/:/var/simplesamlphp/www/:Z
restart: always
networks:
backend:
ipv4_address: 172.20.31.10
- simplesamlphp-network
some-memcacheda01:
container_name: some-memcacheda01
image: memcached:latest
restart: always
networks:
backend:
ipv4_address: 172.20.31.20
- simplesamlphp-network
some-memcacheda02:
container_name: some-memcacheda02
image: memcached:latest
restart: always
networks:
backend:
ipv4_address: 172.20.31.21
- simplesamlphp-network
some-memcachedb01:
container_name: some-memcachedb01
image: memcached:latest
restart: always
networks:
backend:
ipv4_address: 172.20.31.30
- simplesamlphp-network
some-memcachedb02:
container_name: some-memcachedb02
image: memcached:latest
restart: always
networks:
backend:
ipv4_address: 172.20.31.31
- simplesamlphp-network
some-haproxy:
container_name: some-haproxy
image: million12/haproxy:latest
depends_on:
- some-simplesamlphp01
- some-simplesamlphp
ports:
- 80:80
- 443:443
volumes:
- /srv/docker/volumes/some-haproxy:/etc/haproxy/:Z
- /srv/docker/volumes/some-haproxy/haproxy/:/etc/haproxy/:Z
restart: always
cap_add:
- NET_ADMIN
networks:
backend:
ipv4_address: 172.20.31.40
networks:
backend:
name: backend
driver: bridge
ipam:
config:
- subnet: 172.20.31.0/26
- simplesamlphp-network
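Review bot: `CONFIG_BASEURLPATH` changes from `https://localhost/simplesaml/` to `https://auth.example.com/simplesaml/`, but the README for this example still says "After install, visit https://localhost" and the self-signed certificate is generated with `HOST=localhost`, so the development stack now emits metadata and redirects for a host that does not resolve; keep localhost here or update the README and certificate host together. Replacing the invalid `OPENLDAP_TLS_REQCERT=always` with `allow` fixes the syntax, but `allow` ignores a bad directory certificate, so a comment that this is a development setting belongs next to it. Two other settings deserve a comment given TLS is terminated at HAProxy: `CONFIG_SESSIONCOOKIESECURE=false` lets the session cookie be sent over plain HTTP, and `CONFIG_DEBUG=FALSE` differs in case from every other boolean in the file, so check that the entrypoint compares case-insensitively. The `$$mydomain` escaping for the Postfix variables is correct and is the form the systemd unit should copy.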

View File

@ -39,11 +39,10 @@ frontend http-in
default_backend nodes-http
frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl/localhost.pem
bind *:443 ssl crt /etc/haproxy/ssl/priv-fullchain-bundle.pem
reqadd X-Forwarded-Proto:\ https
default_backend nodes-http
backend nodes-http
redirect scheme https if !{ ssl_fc }
server node1 some-simplesamlphp01:80 check
# server node2 some-simplesamlphp02:80 check
server node1 some-simplesamlphp:80 check
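Review bot: switching `crt` to `priv-fullchain-bundle.pem` makes this one cfg match the systemd example only; the compose README now has to instruct users to hand-edit it back to `localhost.pem`, which is easy to miss. Shipping two cfgs (or one per example directory) would remove the manual step. Separately, `reqadd X-Forwarded-Proto:\ https` is a legacy directive that HAProxy removed in 2.1; with the floating `million12/haproxy:latest` tag this line will break on an upgrade, so prefer `http-request set-header X-Forwarded-Proto https`.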

View File

@ -0,0 +1,24 @@
[Unit]
Description=SimpleSAMLphp HAProxy Container (some-haproxy)
Requires=docker.service some-simplesamlphp.service
After=docker.service some-simplesamlphp.service
Conflicts=some-letsencrypt.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %N
ExecStartPre=-/usr/bin/docker rm %N
ExecStartPre=/bin/bash -c '/bin/cat /srv/docker/volumes/some-letsencrypt/config/keys/letsencrypt/priv-fullchain-bundle.pem > /srv/docker/volumes/%N/haproxy/ssl/priv-fullchain-bundle.pem'
ExecStartPre=/usr/bin/docker pull million12/haproxy:latest
ExecStart=/usr/bin/docker run --rm --name %N \
--network simplesamlphp-network \
--cap-add NET_ADMIN \
--publish 80:80 \
--publish 443:443 \
--volume /srv/docker/volumes/%N/haproxy/:/etc/haproxy/:Z \
million12/haproxy:latest
ExecStop=/usr/bin/docker stop %N
[Install]
WantedBy=multi-user.target
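Review bot: the ExecStartPre that copies the Let's Encrypt bundle uses `cat ... >`, so the file containing the private key is created in the HAProxy volume with the default umask (typically world-readable); use `install -m 0600 <src> <dst>` or add `UMask=0077` to [Service] so only root and the container can read it. Not prefixing that step with `-` is correct: a missing bundle fails the unit instead of starting HAProxy with a stale key. The target directory `/srv/docker/volumes/%N/haproxy/ssl/` must already exist, which the README's `mkdir -p` step covers, but a comment here would make the unit self-describing.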

View File

@ -0,0 +1,28 @@
[Unit]
Description=Some LetsEncrypt Container (some-letsencrypt)
Requires=docker.service
After=docker.service
Conflicts=some-haproxy.service
[Service]
Restart=never
ExecStartPre=-/usr/bin/docker stop %N
ExecStartPre=-/usr/bin/docker rm %N
ExecStartPre=/usr/bin/docker pull linuxserver/letsencrypt:latest
ExecStart=/usr/bin/docker run --rm --name %N \
--cap-add=NET_ADMIN \
--publish 80:80 \
--publish 443:443 \
--env PGID=1000 \
--env PUID=1000 \
--env EMAIL=adam.w.zheng@icloud.com \
--env URL=auth.example.com \
--env SUBDOMAINS= \
--env VALIDATION=http \
--env TZ=America/Chicago \
--volume /srv/docker/volumes/%N/config/:/config/:Z \
linuxserver/letsencrypt:latest
ExecStop=/usr/bin/docker stop %N
[Install]
WantedBy=multi-user.target
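Review bot: `Restart=never` is not a value systemd accepts (valid values are `no`, `on-success`, `on-failure`, `on-abnormal`, `on-watchdog`, `on-abort`, `always`); systemd logs a parse warning and falls back to the default `no`, which happens to be the intended behaviour, so write `Restart=no`. `Conflicts=some-haproxy.service` correctly prevents the two units that both publish 80 and 443 from running together, but the README should state that starting this unit stops a running HAProxy. For an example file, `EMAIL` should be an obvious placeholder rather than a personal address.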

View File

@ -0,0 +1,18 @@
[Unit]
Description=Memcached Container A01 (some-memcacheda01)
Requires=docker.service
After=docker.service
[Service]
Restart=on-failure
RestartSec=5
ExecStartPre=-/usr/bin/docker stop %N
ExecStartPre=-/usr/bin/docker rm %N
ExecStartPre=/usr/bin/docker pull memcached:latest
ExecStart=/usr/bin/docker run --rm --name %N \
--network simplesamlphp-network \
memcached:latest
ExecStop=/usr/bin/docker stop %N
[Install]
WantedBy=multi-user.target
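Review bot: the four memcached units differ only in their name, so a single template unit `some-memcached@.service` with `--name %p%i` (yielding `some-memcacheda01` for instance `a01`; `%N` cannot be used because Docker container names may not contain `@`) would replace them and keep future changes in one place. Leaving the port unpublished is the right choice: memcached has no authentication and this stack uses it as the SimpleSAMLphp session store (`CONFIG_STORETYPE=memcache`), so it must stay reachable only on `simplesamlphp-network`.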

View File

@ -0,0 +1,18 @@
[Unit]
Description=Memcached Container A02 (some-memcacheda02)
Requires=docker.service
After=docker.service
[Service]
Restart=on-failure
RestartSec=5
ExecStartPre=-/usr/bin/docker stop %N
ExecStartPre=-/usr/bin/docker rm %N
ExecStartPre=/usr/bin/docker pull memcached:latest
ExecStart=/usr/bin/docker run --rm --name %N \
--network simplesamlphp-network \
memcached:latest
ExecStop=/usr/bin/docker stop %N
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,18 @@
[Unit]
Description=Memcached Container B01 (some-memcachedb01)
Requires=docker.service
After=docker.service
[Service]
Restart=on-failure
RestartSec=5
ExecStartPre=-/usr/bin/docker stop %N
ExecStartPre=-/usr/bin/docker rm %N
ExecStartPre=/usr/bin/docker pull memcached:latest
ExecStart=/usr/bin/docker run --rm --name %N \
--network simplesamlphp-network \
memcached:latest
ExecStop=/usr/bin/docker stop %N
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,18 @@
[Unit]
Description=Memcached Container B02 (some-memcachedb02)
Requires=docker.service
After=docker.service
[Service]
Restart=on-failure
RestartSec=5
ExecStartPre=-/usr/bin/docker stop %N
ExecStartPre=-/usr/bin/docker rm %N
ExecStartPre=/usr/bin/docker pull memcached:latest
ExecStart=/usr/bin/docker run --rm --name %N \
--network simplesamlphp-network \
memcached:latest
ExecStop=/usr/bin/docker stop %N
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,46 @@
[Unit]
Description=Some SimpleSAMLphp Container (some-simplesamlphp.service)
Requires=docker.service some-memcacheda01.service some-memcacheda02.service some-memcachedb01.service some-memcachedb02.service
After=docker.service
[Service]
TimeoutStartSec=0
Restart=always
ExecStartPre=-/usr/bin/docker stop %N
ExecStartPre=-/usr/bin/docker rm %N
ExecStartPre=/usr/bin/docker pull venatorfox/simplesamlphp:1.17.2
ExecStart=/usr/bin/docker run -t --rm --name %N \
--network simplesamlphp-network \
--env CONFIG_BASEURLPATH=https://auth.example.com/simplesaml/ \
--env CONFIG_AUTHADMINPASSWORD={SSHA256}MjJSiMlkQLa+fqI+CmQ1x1oUJ7OGucYpznKxBBHpgfC+Oh+7B9vgGw== \
--env CONFIG_SECRETSALT=exampleabcdefghijklmnopqrstuvwxy \
--env CONFIG_TECHNICALCONTACT_NAME=Adam\x20W\x20Zheng \
--env CONFIG_TECHNICALCONTACT_EMAIL=adam.w.zheng@icloud.com \
--env CONFIG_SHOWERRORS=true \
--env CONFIG_ERRORREPORTING=true \
--env CONFIG_ADMINPROTECTINDEXPAGE=true \
--env CONFIG_LOGGINGLEVEL=INFO \
--env CONFIG_ENABLESAML20IDP=true \
--env CONFIG_STORETYPE=memcache \
--env CONFIG_MEMCACHESTOREPREFIX=simplesamlphp \
--env CONFIG_MEMCACHESTORESERVERS=\x20\x20\x20\x20\x27memcache_store.servers\x27\x20\x3d\x3e\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcacheda02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb01\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5b\x27hostname\x27\x20\x3d\x3e\x20\x27some\x2dmemcachedb02\x27\x5d\x2c\x5cn\x20\x20\x20\x20\x20\x20\x20\x20\x5d\x2c \
--env OPENLDAP_TLS_REQCERT=allow \
--env MTA_NULLCLIENT=true \
--env POSTFIX_MYHOSTNAME=auth.example.com \
--env POSTFIX_MYORIGIN=$mydomain \
--env POSTFIX_INETINTERFACES=loopback-only \
--env DOCKER_REDIRECTLOGS=true \
--volume /srv/docker/volumes/%N/cache/:/var/simplesamlphp/cache/:Z \
--volume /srv/docker/volumes/%N/config/:/var/simplesamlphp/config/:Z \
--volume /srv/docker/volumes/%N/cert/:/var/simplesamlphp/cert/:Z \
--volume /srv/docker/volumes/%N/locales/:/var/simplesamlphp/locales/:Z \
--volume /srv/docker/volumes/%N/log/:/var/simplesamlphp/log/:Z \
--volume /srv/docker/volumes/%N/metadata/:/var/simplesamlphp/metadata/:Z \
--volume /srv/docker/volumes/%N/modules/:/var/simplesamlphp/modules/:Z \
--volume /srv/docker/volumes/%N/templates/:/var/simplesamlphp/templates/:Z \
--volume /srv/docker/volumes/%N/www/:/var/simplesamlphp/www/:Z \
venatorfox/simplesamlphp:1.17.2
ExecStop=/usr/bin/docker stop %N
[Install]
WantedBy=multi-user.target
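Review bot: `Requires=` lists the four memcached units but `After=` lists only docker.service, so systemd may start this container before the memcached containers are up (Requires alone imposes no ordering); add the memcached units to `After=`. `--env POSTFIX_MYORIGIN=$mydomain` is subject to systemd's environment-variable expansion in command lines; verify with `docker inspect` that the literal reaches the container and otherwise use `$$mydomain` as the compose file does. This unit is presented as the production example yet ships the `{SSHA256}` hash of the password `123` (the compose file comment says so) and the sample `CONFIG_SECRETSALT`; mark both as placeholders that must be regenerated before use.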