ServerName for Apache HTTP Server

The ServerName for Apache HTTP Server may now be injected using the environment variable SERVER_NAME. If not injected then the entrypoint scripts will attempt to determine the value for ServerName from the X.509 certificate for HTTPS.
docker · Jun 12, 2017 · ff8b582 · ff8b582
1 parent 1e28ad3
commit ff8b582
Showing 9 changed files with 121 additions and 0 deletions.
diff --git a/comanage-registry-basic-auth/000-comanage.conf b/comanage-registry-basic-auth/000-comanage.conf
@@ -18,12 +18,14 @@
 # limitations under the License.
 
 <VirtualHost *:80>
+  ServerName http://%%SERVER_NAME%%:80
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
 </VirtualHost>
 
 <VirtualHost *:443>
+  ServerName https://%%SERVER_NAME%%:443
 
   DocumentRoot /var/www/html
 

diff --git a/comanage-registry-basic-auth/docker-comanage-entrypoint b/comanage-registry-basic-auth/docker-comanage-entrypoint
@@ -45,6 +45,7 @@ injectable_config_vars=(
     COMANAGE_REGISTRY_SECURITY_SEED
     HTTPS_CERT_FILE
     HTTPS_PRIVKEY_FILE
+    SERVER_NAME
 )
 
 # If the file associated with a configuration variable is present then 
@@ -237,6 +238,24 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
     chmod 0600 /etc/apache2/privkey.pem
 fi
 
+# If SERVER_NAME has not been injected try to determine
+# it from the HTTPS_CERT_FILE.
+if [ -z "$SERVER_NAME" ]; then
+    SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'`
+    if [ -z "$SERVER_NAME" ]; then
+        SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'`
+    fi
+fi
+
+# Configure Apache HTTP Server with the server name.
+sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@ /etc/apache2/sites-available/000-comanage.conf
+
+cat > /etc/apache2/conf-available/server-name.conf <<EOF
+ServerName ${SERVER_NAME:-unknown}
+EOF
+
+a2enconf server-name.conf > "$OUTPUT" 2>&1
+
 # If the basic auth password file does not exist create a simple version to
 # aid people evaluating the tool.
 if [ ! -f "/etc/apache2/passwords" ]; then

diff --git a/comanage-registry-mod-auth-openidc/000-comanage.conf b/comanage-registry-mod-auth-openidc/000-comanage.conf
@@ -18,12 +18,14 @@
 # limitations under the License.
 
 <VirtualHost *:80>
+  ServerName http://%%SERVER_NAME%%:80
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
 </VirtualHost>
 
 <VirtualHost *:443>
+  ServerName https://%%SERVER_NAME%%:443
 
   DocumentRoot /var/www/html
 

diff --git a/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint b/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint
@@ -45,6 +45,7 @@ injectable_config_vars=(
     COMANAGE_REGISTRY_SECURITY_SEED
     HTTPS_CERT_FILE
     HTTPS_PRIVKEY_FILE
+    SERVER_NAME
 )
 
 # If the file associated with a configuration variable is present then 
@@ -237,6 +238,24 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
     chmod 0600 /etc/apache2/privkey.pem
 fi
 
+# If SERVER_NAME has not been injected try to determine
+# it from the HTTPS_CERT_FILE.
+if [ -z "$SERVER_NAME" ]; then
+    SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'`
+    if [ -z "$SERVER_NAME" ]; then
+        SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'`
+    fi
+fi
+
+# Configure Apache HTTP Server with the server name.
+sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@ /etc/apache2/sites-available/000-comanage.conf
+
+cat > /etc/apache2/conf-available/server-name.conf <<EOF
+ServerName ${SERVER_NAME:-unknown}
+EOF
+
+a2enconf server-name.conf > "$OUTPUT" 2>&1
+
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
     set -- apache2-foreground "$@"

diff --git a/comanage-registry-shibboleth-sp/000-comanage.conf b/comanage-registry-shibboleth-sp/000-comanage.conf
@@ -18,12 +18,14 @@
 # limitations under the License.
 
 <VirtualHost *:80>
+  ServerName http://%%SERVER_NAME%%:80
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
 </VirtualHost>
 
 <VirtualHost *:443>
+  ServerName https://%%SERVER_NAME%%:443
 
   DocumentRoot /var/www/html
 

diff --git a/comanage-registry-shibboleth-sp/docker-comanage-entrypoint b/comanage-registry-shibboleth-sp/docker-comanage-entrypoint
@@ -45,6 +45,7 @@ injectable_config_vars=(
     COMANAGE_REGISTRY_SECURITY_SEED
     HTTPS_CERT_FILE
     HTTPS_PRIVKEY_FILE
+    SERVER_NAME
 )
 
 # If the file associated with a configuration variable is present then 
@@ -237,6 +238,24 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
     chmod 0600 /etc/apache2/privkey.pem
 fi
 
+# If SERVER_NAME has not been injected try to determine
+# it from the HTTPS_CERT_FILE.
+if [ -z "$SERVER_NAME" ]; then
+    SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'`
+    if [ -z "$SERVER_NAME" ]; then
+        SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'`
+    fi
+fi
+
+# Configure Apache HTTP Server with the server name.
+sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@ /etc/apache2/sites-available/000-comanage.conf
+
+cat > /etc/apache2/conf-available/server-name.conf <<EOF
+ServerName ${SERVER_NAME:-unknown}
+EOF
+
+a2enconf server-name.conf > "$OUTPUT" 2>&1
+
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
     set -- apache2-foreground "$@"

diff --git a/comanage-registry/000-comanage.conf b/comanage-registry/000-comanage.conf
@@ -18,12 +18,14 @@
 # limitations under the License.
 
 <VirtualHost *:80>
+  ServerName http://%%SERVER_NAME%%:80
   RewriteEngine On
   RewriteCond %{HTTPS} off
   RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
 </VirtualHost>
 
 <VirtualHost *:443>
+  ServerName https://%%SERVER_NAME%%:443
 
   DocumentRoot /var/www/html
 

diff --git a/comanage-registry/docker-comanage-entrypoint b/comanage-registry/docker-comanage-entrypoint
@@ -45,6 +45,7 @@ injectable_config_vars=(
     COMANAGE_REGISTRY_SECURITY_SEED
     HTTPS_CERT_FILE
     HTTPS_PRIVKEY_FILE
+    SERVER_NAME
 )
 
 # If the file associated with a configuration variable is present then 
@@ -237,6 +238,24 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
     chmod 0600 /etc/apache2/privkey.pem
 fi
 
+# If SERVER_NAME has not been injected try to determine
+# it from the HTTPS_CERT_FILE.
+if [ -z "$SERVER_NAME" ]; then
+    SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'`
+    if [ -z "$SERVER_NAME" ]; then
+        SERVER_NAME=`openssl x509 -in /etc/apache2/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'`
+    fi
+fi
+
+# Configure Apache HTTP Server with the server name.
+sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@ /etc/apache2/sites-available/000-comanage.conf
+
+cat > /etc/apache2/conf-available/server-name.conf <<EOF
+ServerName ${SERVER_NAME:-unknown}
+EOF
+
+a2enconf server-name.conf > "$OUTPUT" 2>&1
+
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
     set -- apache2-foreground "$@"

diff --git a/docs/advanced-configuration.md b/docs/advanced-configuration.md
@@ -28,6 +28,7 @@ configured in a number of different ways.
 ##### Table of Contents
 * [Environment Variables](#environ)
 * [Secrets](#secrets)
+* [Apache HTTP ServerName](#servername)
 * [Full Control](#full)
 
 ## Environment Variables <a name="environ"></a>
@@ -290,6 +291,42 @@ services:
             - "80:80"
             - "443:443"
 ```
+## ServerName <a name="servername"></a>
+
+The entrypoint scripts will attempt to parse the appropriate value for the
+Apache HTTP Server configuration option `ServerName` from the X.509 certificate
+provided for HTTPS.
+
+To override the parsing a deployer may explicitly set the environment variable
+`SERVER_NAME`. For example
+
+```
+version: '3.1'
+
+services:
+
+    comanage-registry-database:
+        image: mariadb
+        volumes:
+            - /docker/var/lib/mysql:/var/lib/mysql
+        environment:
+            - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
+            - MYSQL_DATABASE=registry
+            - MYSQL_USER=registry_user
+            - MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
+
+    comanage-registry:
+        image: comanage-registry:hotfix-2.0.x-basic-auth
+        environment:
+            - COMANAGE_REGISTRY_DATASOURCE=Database/Mysql
+            - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password
+            - HTTPS_CERT_FILE=/run/secrets/https_cert_file
+            - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
+            - SERVER_NAME=registry.my.org
+        ports:
+            - "80:80"
+            - "443:443"
+```
 
 ## Full control <a name="full"></a>