# This is the build file for the OTOBO nginx Docker image.
# This Dockerfile provides the build targets otobo-nginx and otobo-nginx-kerberos.
# See bin/docker/build_docker_images.sh for how to create local builds.
# See also https://doc.otobo.org/manual/installation/10.1/en/content/installation-docker.html
# The stage builder-for-kerberos is only needed for otobo-nginx-kerberos
#
# I have found no better way than to first compile NGINX in a BUILDER container and then copy the
# finished ngx_http_auth_spnego_module.so into the NGINX container.
# If anyone knows a nicer way, please share.
#
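# builder-for-kerberos compiles the dynamic SPNEGO auth module for nginx.
# Only the resulting .so file is meant to be copied into a runtime stage; nothing else from this stage is needed.
# https://gist.github.com/hermanbanken/96f0ff298c162a522ddbba44cad31081
#
# NOTE(review): nginx:mainline is a floating tag. The module is built against whatever
# nginx this tag resolves to, so the runtime stage must resolve to the same version.
# Pinning the base image by digest would make that explicit.
FROM nginx:mainline AS builder-for-kerberos

# Tag of stnoonan/spnego-http-auth-nginx-module to download, and the same version
# without the leading "v", which is how the unpacked source directory is named.
ENV SPNEGO_AUTH_COMMIT_ID=v1.1.1
ENV SPNEGO_AUTH_COMMIT_ID_FILE=1.1.1

# Toolchain and headers needed to compile an nginx module with Kerberos support.
# hadolint ignore=DL3008
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
        gcc \
        libc-dev \
        libkrb5-dev \
        libpcre3-dev \
        make \
        wget \
        zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /usr/src

# Fetch the nginx sources matching the installed binary, and the module sources.
# Both downloads use HTTPS: the compiled result is loaded into the proxy that performs
# authentication, so the sources must not travel over plaintext HTTP.
# NOTE(review): neither archive is integrity-checked and a tag can be moved upstream.
# Consider verifying a pinned digest for the module archive, e.g.
#   echo "<SHA256_OF_SPNEGO_ARCHIVE>  spnego-http-auth.tar.gz" | sha256sum -c -
RUN set -x \
    && NGINX_VERSION="$( nginx -v 2>&1 | awk -F/ '{print $2}' )" \
    && wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O nginx.tar.gz \
    && wget "https://github.com/stnoonan/spnego-http-auth-nginx-module/archive/${SPNEGO_AUTH_COMMIT_ID}.tar.gz" -O spnego-http-auth.tar.gz

# Unpack both archives and build only the dynamic modules, then place the .so files
# in the nginx module directory.
# Shell variables do not survive from one RUN to the next, so NGINX_VERSION is derived
# again here instead of relying on a variable inherited from the base image.
# The 'cd' stays inside the RUN because the directory name depends on that version.
# NOTE(review): NGINX_CONFIG is handed to configure as one quoted word, so the flags
# reported by 'nginx -V' are not split into separate options. Confirm this is intended.
RUN NGINX_VERSION="$( nginx -v 2>&1 | awk -F/ '{print $2}' )" \
    && NGINX_CONFIG="$( nginx -V 2>&1 | sed -n -e 's/^.*arguments: //p' )" \
    && tar -xzC /usr/src -f nginx.tar.gz \
    && tar -xzvf spnego-http-auth.tar.gz \
    && SPNEGO_AUTH_DIR="$( pwd )/spnego-http-auth-nginx-module-${SPNEGO_AUTH_COMMIT_ID_FILE}" \
    && cd "/usr/src/nginx-${NGINX_VERSION}" \
    && ./configure --with-compat "${NGINX_CONFIG}" --add-dynamic-module="${SPNEGO_AUTH_DIR}" \
    && make modules \
    && cp objs/ngx_*_module.so /usr/lib/nginx/modules/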
# Common runtime base for both proxy targets, built on the latest mainline nginx.
# The original note says this image is based on Debian 10 (Buster). The user is root.
# NOTE(review): nginx:mainline is a floating tag, so confirm which Debian release it currently uses.
FROM nginx:mainline AS base

# Required and optional Debian packages: certbot with its nginx plugin, plus interactive tools.
# NOTE(review): less, nano, screen, tree and vim are conveniences for working inside the
# container. They widen what is installed in an internet-facing proxy image, so confirm they are wanted.
# hadolint ignore=DL3008
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
        certbot \
        less \
        nano \
        python3-certbot-nginx \
        screen \
        tree \
        vim \
    && rm -rf /var/lib/apt/lists/*

# The low ports 80 and 443 are not needed inside the container,
# although they would be usable because the master process runs as root.
EXPOSE 8080/tcp 8443/tcp

# UTF-8 console
ENV LC_ALL=C.UTF-8 \
    LANG=C.UTF-8

# Defaults that fit the devel environment.
# In general OTOBO_NGINX_WEB_HOST can be overridden when the container is started:
# docker run -e OTOBO_NGINX_WEB_HOST=$(ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+') -p 443:443 otobo_nginx
# Attention: set OTOBO_WEB_PORT to 5000 in .env when
# starting HTTP with 'docker-compose -f docker-compose.yml up'
ENV OTOBO_NGINX_WEB_HOST=172.17.0.1 \
    OTOBO_NGINX_WEB_PORT=5000 \
    OTOBO_WEB_HTTPS_PORT=443

# Only the paths are set here; note that the files themselves need to be copied into a container.
# Alternatively /etc/ssl can be exported as a volume to the host.
# NOTE(review): the private key is best supplied at run time rather than added to an image layer.
ENV OTOBO_NGINX_SSL_CERTIFICATE=/etc/nginx/ssl/otobo_nginx-selfsigned.crt \
    OTOBO_NGINX_SSL_CERTIFICATE_KEY=/etc/nginx/ssl/otobo_nginx-selfsigned.key

WORKDIR /etc/nginx

# Disable the stock server config by renaming it.
RUN mv conf.d/default.conf conf.d/default.conf.hidden

# The new nginx config; it is processed by /docker-entrypoint.d/20-envsubst-on-templates.sh.
# See 'Using environment variables in nginx configuration' in https://hub.docker.com/_/nginx .
COPY templates/ templates
COPY snippets/ snippets

# docker-entrypoint.d is only needed for Kerberos

# Additional meta info for the image.
# It is kept at the end of the stage because changed labels and changed args invalidate the layer cache.
# The labels are compliant with https://github.com/opencontainers/image-spec/blob/master/annotations.md .
# For the standard build args passed by hub.docker.com see https://docs.docker.com/docker-hub/builds/advanced/.
LABEL maintainer='Team OTOBO <[email protected]>' \
      org.opencontainers.image.authors='Team OTOBO <[email protected]>' \
      org.opencontainers.image.description='OTOBO is the new open source ticket system with strong functionality AND a great look' \
      org.opencontainers.image.documentation='https://otobo.org' \
      org.opencontainers.image.licenses='GNU General Public License v3.0 or later' \
      org.opencontainers.image.url='https://github.com/RotherOSS/otobo' \
      org.opencontainers.image.vendor='Rother OSS GmbH'
# Build target for plain nginx without Kerberos.
FROM base AS otobo-nginx-webproxy

# The directory 'templates' holds two config templates: one for plain nginx and one for nginx
# with Kerberos support. This target renames the Kerberos template to move it out of the way.
# The relative path resolves against the WORKDIR inherited from the base stage.
RUN mv templates/otobo_nginx-kerberos.conf.template templates/otobo_nginx-kerberos.conf.template.hidden

# Build arguments that change with every build, each defaulting to 'unspecified'.
# NOTE(review): these values are written into image labels, which anyone with the image can read.
# Pass nothing sensitive here, for example a repository URL with embedded credentials.
ARG BUILD_DATE=unspecified
ARG GIT_COMMIT=unspecified
ARG GIT_REPO=unspecified
ARG DOCKER_TAG=unspecified

# The title is fixed for this target; the remaining labels come from the build arguments.
LABEL org.opencontainers.image.title='OTOBO nginx' \
      org.opencontainers.image.created=$BUILD_DATE \
      org.opencontainers.image.revision=$GIT_COMMIT \
      org.opencontainers.image.source=$GIT_REPO \
      org.opencontainers.image.version=$DOCKER_TAG
# Build target with Kerberos support.
FROM base AS otobo-nginx-kerberos-webproxy

# Take the compiled ngx_http_auth_spnego_module.so from the builder stage and place it
# in the module directory of the official nginx image.
COPY --from=builder-for-kerberos /usr/lib/nginx/modules/ngx_http_auth_spnego_module.so /usr/lib/nginx/modules

# Additional Debian packages for Kerberos support.
# NOTE(review): krb5-multidev and libkrb5-dev are development packages. Confirm the runtime
# image needs them rather than only the Kerberos runtime libraries.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \
        krb5-multidev \
        krb5-user \
        libkrb5-dev \
        libpam-ccreds \
        libpam-krb5 \
    && rm -rf /var/lib/apt/lists/*

# The directory 'templates' holds two config templates: one for plain nginx and one for nginx
# with Kerberos support. This target renames the plain template to move it out of the way.
# The relative path resolves against the WORKDIR inherited from the base stage.
RUN mv templates/otobo_nginx.conf.template templates/otobo_nginx.conf.template.hidden

# With Kerberos active, /etc/krb5.conf is also generated from the template in templates/kerberos.
COPY kerberos/templates/ kerberos/templates
COPY docker-entrypoint.d/21-envsubst-on-krb5-conf.sh /docker-entrypoint.d/

# Insert the load_module directive before line 4 of nginx.conf so that nginx loads the Kerberos module.
# NOTE(review): the insertion point is a fixed line number, so it depends on the layout of
# the nginx.conf shipped in the base image. Confirm after base image updates.
RUN sed '4 i\load_module modules/ngx_http_auth_spnego_module.so;' -i /etc/nginx/nginx.conf

# Build arguments that change with every build, each defaulting to 'unspecified'.
# NOTE(review): these values are written into image labels, which anyone with the image can read.
# Pass nothing sensitive here, for example a repository URL with embedded credentials.
ARG BUILD_DATE=unspecified
ARG GIT_COMMIT=unspecified
ARG GIT_REPO=unspecified
ARG DOCKER_TAG=unspecified

# The title is specific to this build target; the remaining labels come from the build arguments.
LABEL org.opencontainers.image.title='OTOBO nginx Kerberos SSO' \
      org.opencontainers.image.created=$BUILD_DATE \
      org.opencontainers.image.revision=$GIT_COMMIT \
      org.opencontainers.image.source=$GIT_REPO \
      org.opencontainers.image.version=$DOCKER_TAG