Skip to content
Permalink
Browse files

Back-porting much of the appliance work to this repo

  • Loading branch information
Jim Van Fleet
Jim Van Fleet committed Sep 6, 2016
1 parent 103551f commit b4835c1e2bcfbe23a5f005c47588c25acac74dc7
Showing with 273 additions and 2 deletions.
  1. +4 −0 Dockerfile
  2. +23 −0 certs/gencert.sh
  3. +22 −0 certs/server.crt
  4. +18 −0 certs/server.csr
  5. +27 −0 certs/server.key
  6. +49 −0 certs/server.pem
  7. +2 −2 common.bash
  8. +26 −0 conf/server.xml
  9. +56 −0 docker-compose.yml
  10. +13 −0 haproxy/Dockerfile
  11. +33 −0 haproxy/conf/haproxy.cfg
@@ -36,6 +36,10 @@ RUN chown -R root:root /opt/shibboleth/shibboleth-identity-provider-$version &&
touch /usr/local/tomcat/logs/voltest && \
touch /opt/shibboleth/shibboleth-identity-provider-$version/logs/voltest

COPY ./conf/ /usr/local/tomcat/conf/
COPY ./certs/gencert.sh /opt/certs/
RUN chmod +x /opt/certs/gencert.sh && /opt/certs/gencert.sh

VOLUME ["/usr/local/tomcat/logs", "/opt/shibboleth/shibboleth-identity-provider-$VERSION/logs"]

EXPOSE 8080
@@ -0,0 +1,23 @@
#!/bin/bash
#
# Generate a self signed certificate
#


# Self-signed certificate for development laptops
# -----------------------------------------------

cat > data.conf << EOF
IT
IT
IT
IT
IT
IT
yes
EOF

# Everything in one line
$JAVA_HOME/bin/keytool -genkey -keyalg RSA -alias selfsigned -keystore /opt/certs/keystore.jks -storepass password -validity 360 -keysize 2048 < data.conf
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDrDCCApQCCQCqx2/xzYm5ejANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMC
VVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRIwEAYDVQQHEwlDaGFybG90dGUx
DzANBgNVBAoTBkxldnZlbDEPMA0GA1UECxMGRG9ja2VyMREwDwYDVQQDEwhiaWdm
bGVldDEmMCQGCSqGSIb3DQEJARYXamltLnZhbi5mbGVldEBsZXZ2ZWwuaW8wHhcN
MTYwODEyMTY0MTMyWhcNMTcwODEyMTY0MTMyWjCBlzELMAkGA1UEBhMCVVMxFzAV
BgNVBAgTDk5vcnRoIENhcm9saW5hMRIwEAYDVQQHEwlDaGFybG90dGUxDzANBgNV
BAoTBkxldnZlbDEPMA0GA1UECxMGRG9ja2VyMREwDwYDVQQDEwhiaWdmbGVldDEm
MCQGCSqGSIb3DQEJARYXamltLnZhbi5mbGVldEBsZXZ2ZWwuaW8wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe3SNdeVXz0QEvwI8WSKp3XjF1Z6baCbhK
tlxwCexvt1CbtUmvBM6ztDmYwqdMwKvQB/UfVdilgUR8Ywo6VQTQ4pv+xYVAaVTo
AWNR/UD2/F+MriV+kVDLRfeql4os0C96c6yNthe1bQbrT4BZR0eOT7vBi3ozN38G
acUH2+owv2TnzVp27dGW2WIrWxL8G49w+Jy8K/nVdrEr48F/6349NHXizBdycpVG
MIdD62qmBb3SdWezKXmczOlHTLtXhKSZO+bQaYA81sGPkDB7NsUkHV1t8kMBt8sC
MPP4K5BAqIJdigg6nBINIuoa0mdMI37W7phUcLnjg5FsZUn95DMvAgMBAAEwDQYJ
KoZIhvcNAQELBQADggEBAGhWie1wkXg8V3rG4nGvDLVCFi8V4fPLF5dL5HCULGde
i9Xz+v412qt1kxgDDwlSZ3oRP1z/tKIywRgLD0NcBJYHqzJN+5gg+ZJMHLEn/bOf
CS6H91dWD93vlcdBMhyh/rz1PafBWc+TyaNuvihSz4V7kpUdUQ7ovXwv3yeSJelT
OFzQbjx+roSfFOK7CuIEOee42MAcaqD5LpnGCIujPQgAje3OdyDeofoFA0XehY/Y
QzooAqSqYhomN6G4RFRAiYwXVkhKbeLBdOOs3rjdymcrFSvwWUJKx7EtpUegucEw
krFR4hpkGmKABuhVZp/g1zxzeodkwRyJFrQEecFQIN4=
-----END CERTIFICATE-----
@@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIC3TCCAcUCAQAwgZcxCzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJv
bGluYTESMBAGA1UEBxMJQ2hhcmxvdHRlMQ8wDQYDVQQKEwZMZXZ2ZWwxDzANBgNV
BAsTBkRvY2tlcjERMA8GA1UEAxMIYmlnZmxlZXQxJjAkBgkqhkiG9w0BCQEWF2pp
bS52YW4uZmxlZXRAbGV2dmVsLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA3t0jXXlV89EBL8CPFkiqd14xdWem2gm4SrZccAnsb7dQm7VJrwTOs7Q5
mMKnTMCr0Af1H1XYpYFEfGMKOlUE0OKb/sWFQGlU6AFjUf1A9vxfjK4lfpFQy0X3
qpeKLNAvenOsjbYXtW0G60+AWUdHjk+7wYt6Mzd/BmnFB9vqML9k581adu3Rltli
K1sS/BuPcPicvCv51XaxK+PBf+t+PTR14swXcnKVRjCHQ+tqpgW90nVnsyl5nMzp
R0y7V4SkmTvm0GmAPNbBj5AwezbFJB1dbfJDAbfLAjDz+CuQQKiCXYoIOpwSDSLq
GtJnTCN+1u6YVHC544ORbGVJ/eQzLwIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEB
AJ6hDOof0VueZkGT9wIz/5pKJgoTe9kTNnnHfnXitROwxEEF5gyFPICXkALbJkC7
HqNl+wd/cG010CoeAI5rcoYDvfY5WAmIOXQF2Zo4EV6XgfBwnk/Jz1T6TvryB14o
Pp/jwJzurEi90bCHmxELIJwHQPGxbLdF5ScNTg26xXkt6FI4w9utTzh85Pgmxir6
7niVc3MvR9eyWVXF3NiakQw9oM8FsfRY2i3c87ugcuH0LDrVUFkz4GqS8vC6N1Ao
L/KAmBvfz25bq+GaXSKb2OQyvNHcM8lquP0vQKsvrs1ecUY4YILBy1yCEGUSxDGM
kH3F2FuaT22hbNM1JxrLo2Q=
-----END CERTIFICATE REQUEST-----
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3t0jXXlV89EBL8CPFkiqd14xdWem2gm4SrZccAnsb7dQm7VJ
rwTOs7Q5mMKnTMCr0Af1H1XYpYFEfGMKOlUE0OKb/sWFQGlU6AFjUf1A9vxfjK4l
fpFQy0X3qpeKLNAvenOsjbYXtW0G60+AWUdHjk+7wYt6Mzd/BmnFB9vqML9k581a
du3RltliK1sS/BuPcPicvCv51XaxK+PBf+t+PTR14swXcnKVRjCHQ+tqpgW90nVn
syl5nMzpR0y7V4SkmTvm0GmAPNbBj5AwezbFJB1dbfJDAbfLAjDz+CuQQKiCXYoI
OpwSDSLqGtJnTCN+1u6YVHC544ORbGVJ/eQzLwIDAQABAoIBAEDDmLRgP1ckRKkA
11QNd+RKbisFHRq9ul2T0xcH+zqX1gf5zdjbl8nnNNmsr3uBfixtM5GQm+20vBc9
nMpIzKZ7RAPsmIWYVoE5bgh0hT2BJ681KFY4mncH9SoQ8amGMlXuaZWg9hDWBy24
o77OFQBJMXHUO4XIudQ+RnC7OrpBSZDIRq9pF4CIAOZ5muWTeK8IHF7CYfMlcz9z
F2y+MbUHYwVstQZlnhHA8zB2jAdy58PhCf44niGSI/ny9ww/ntSpqM/qM6pqv0H6
GMV/ZA4UhJ7rbDzfUrTVfuJJDZr0X00RjKQBwLYqGA+vegwgyQU0RX0uL+vKHNYz
z5Uba1ECgYEA9BK4Y/ofxZTiXVEc1JM3NsCTPJgySzsgcmvtLh9Md4tXHd9kliW2
4I2e/Alt6dwXwEOxUV1drc6B+A4Y09KMaAWQRxAsVY5khotChPAIhYXXDir9srEW
nR1Y5pBdMw89PQgIDKBHK9gp+Fo3InxsHN+QdfJmyXDzOvFBRLOgkdkCgYEA6cEY
konEDB7Kd4S7lYKuk1euvFp1XUk5MSXmz2JR6uvB5RaJJNvXBuZB0i60jeUHgA3V
mouwjuX1zsVSRQEtQ37eiQ2p7ivd1j86SlMBRzFxFempGV00IZevXiBxtfnx38Lw
mYYOWMXdX0CsV/HHvUpTrkC1F8rIP1tXj0IhwEcCgYEAq1q1P+OsCLBlWDSJNCkC
+5qqBEGqFa02M37YLqhkrA0UpXFgEhX6VZ63/qS0GRqfRimAROpyyYKRNtDW12gb
kTBOwcV2Cr8Ejn0Yv3Ix2WREvrqqEJlJkha3gm/aLu3FBaMs24hvTzXdCXJ1AO4v
jPncVyJOzaBR85DLTOt7kMkCgYAHoRjHN53hc2PSUM+6ioBeKL94QE+SUuB9/Smy
XRglXbp/WqPxQweanwtI6+NSukXrZQgyuhpyH4lNTV1pCSfMCykCOiLwthfQdVHW
uSzSgQea2nx9anBYJFZB8Tck5FqDnh4yNJDlTtfx0u+NE0Qcpn9isZP3idPNVZLf
Bx6I4wKBgQDagUD7YJ3oX/4mbBmWJ/z7fAWcUqdRC2kwVfOn2qdeRgVNXQD97u0f
ZUw7fH6MSKHkuQsM0UWxex2dxxfJaFH5aF5EqXzlT/9by4Ela9p6GtecyuNPDnm+
jReIeDTO73BnM0LJNPPyd/CSHvaVEgvVmjjNTkuBYpyk8HVXf/Cd/A==
-----END RSA PRIVATE KEY-----
@@ -0,0 +1,49 @@
-----BEGIN CERTIFICATE-----
MIIDrDCCApQCCQCqx2/xzYm5ejANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMC
VVMxFzAVBgNVBAgTDk5vcnRoIENhcm9saW5hMRIwEAYDVQQHEwlDaGFybG90dGUx
DzANBgNVBAoTBkxldnZlbDEPMA0GA1UECxMGRG9ja2VyMREwDwYDVQQDEwhiaWdm
bGVldDEmMCQGCSqGSIb3DQEJARYXamltLnZhbi5mbGVldEBsZXZ2ZWwuaW8wHhcN
MTYwODEyMTY0MTMyWhcNMTcwODEyMTY0MTMyWjCBlzELMAkGA1UEBhMCVVMxFzAV
BgNVBAgTDk5vcnRoIENhcm9saW5hMRIwEAYDVQQHEwlDaGFybG90dGUxDzANBgNV
BAoTBkxldnZlbDEPMA0GA1UECxMGRG9ja2VyMREwDwYDVQQDEwhiaWdmbGVldDEm
MCQGCSqGSIb3DQEJARYXamltLnZhbi5mbGVldEBsZXZ2ZWwuaW8wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDe3SNdeVXz0QEvwI8WSKp3XjF1Z6baCbhK
tlxwCexvt1CbtUmvBM6ztDmYwqdMwKvQB/UfVdilgUR8Ywo6VQTQ4pv+xYVAaVTo
AWNR/UD2/F+MriV+kVDLRfeql4os0C96c6yNthe1bQbrT4BZR0eOT7vBi3ozN38G
acUH2+owv2TnzVp27dGW2WIrWxL8G49w+Jy8K/nVdrEr48F/6349NHXizBdycpVG
MIdD62qmBb3SdWezKXmczOlHTLtXhKSZO+bQaYA81sGPkDB7NsUkHV1t8kMBt8sC
MPP4K5BAqIJdigg6nBINIuoa0mdMI37W7phUcLnjg5FsZUn95DMvAgMBAAEwDQYJ
KoZIhvcNAQELBQADggEBAGhWie1wkXg8V3rG4nGvDLVCFi8V4fPLF5dL5HCULGde
i9Xz+v412qt1kxgDDwlSZ3oRP1z/tKIywRgLD0NcBJYHqzJN+5gg+ZJMHLEn/bOf
CS6H91dWD93vlcdBMhyh/rz1PafBWc+TyaNuvihSz4V7kpUdUQ7ovXwv3yeSJelT
OFzQbjx+roSfFOK7CuIEOee42MAcaqD5LpnGCIujPQgAje3OdyDeofoFA0XehY/Y
QzooAqSqYhomN6G4RFRAiYwXVkhKbeLBdOOs3rjdymcrFSvwWUJKx7EtpUegucEw
krFR4hpkGmKABuhVZp/g1zxzeodkwRyJFrQEecFQIN4=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA3t0jXXlV89EBL8CPFkiqd14xdWem2gm4SrZccAnsb7dQm7VJ
rwTOs7Q5mMKnTMCr0Af1H1XYpYFEfGMKOlUE0OKb/sWFQGlU6AFjUf1A9vxfjK4l
fpFQy0X3qpeKLNAvenOsjbYXtW0G60+AWUdHjk+7wYt6Mzd/BmnFB9vqML9k581a
du3RltliK1sS/BuPcPicvCv51XaxK+PBf+t+PTR14swXcnKVRjCHQ+tqpgW90nVn
syl5nMzpR0y7V4SkmTvm0GmAPNbBj5AwezbFJB1dbfJDAbfLAjDz+CuQQKiCXYoI
OpwSDSLqGtJnTCN+1u6YVHC544ORbGVJ/eQzLwIDAQABAoIBAEDDmLRgP1ckRKkA
11QNd+RKbisFHRq9ul2T0xcH+zqX1gf5zdjbl8nnNNmsr3uBfixtM5GQm+20vBc9
nMpIzKZ7RAPsmIWYVoE5bgh0hT2BJ681KFY4mncH9SoQ8amGMlXuaZWg9hDWBy24
o77OFQBJMXHUO4XIudQ+RnC7OrpBSZDIRq9pF4CIAOZ5muWTeK8IHF7CYfMlcz9z
F2y+MbUHYwVstQZlnhHA8zB2jAdy58PhCf44niGSI/ny9ww/ntSpqM/qM6pqv0H6
GMV/ZA4UhJ7rbDzfUrTVfuJJDZr0X00RjKQBwLYqGA+vegwgyQU0RX0uL+vKHNYz
z5Uba1ECgYEA9BK4Y/ofxZTiXVEc1JM3NsCTPJgySzsgcmvtLh9Md4tXHd9kliW2
4I2e/Alt6dwXwEOxUV1drc6B+A4Y09KMaAWQRxAsVY5khotChPAIhYXXDir9srEW
nR1Y5pBdMw89PQgIDKBHK9gp+Fo3InxsHN+QdfJmyXDzOvFBRLOgkdkCgYEA6cEY
konEDB7Kd4S7lYKuk1euvFp1XUk5MSXmz2JR6uvB5RaJJNvXBuZB0i60jeUHgA3V
mouwjuX1zsVSRQEtQ37eiQ2p7ivd1j86SlMBRzFxFempGV00IZevXiBxtfnx38Lw
mYYOWMXdX0CsV/HHvUpTrkC1F8rIP1tXj0IhwEcCgYEAq1q1P+OsCLBlWDSJNCkC
+5qqBEGqFa02M37YLqhkrA0UpXFgEhX6VZ63/qS0GRqfRimAROpyyYKRNtDW12gb
kTBOwcV2Cr8Ejn0Yv3Ix2WREvrqqEJlJkha3gm/aLu3FBaMs24hvTzXdCXJ1AO4v
jPncVyJOzaBR85DLTOt7kMkCgYAHoRjHN53hc2PSUM+6ioBeKL94QE+SUuB9/Smy
XRglXbp/WqPxQweanwtI6+NSukXrZQgyuhpyH4lNTV1pCSfMCykCOiLwthfQdVHW
uSzSgQea2nx9anBYJFZB8Tck5FqDnh4yNJDlTtfx0u+NE0Qcpn9isZP3idPNVZLf
Bx6I4wKBgQDagUD7YJ3oX/4mbBmWJ/z7fAWcUqdRC2kwVfOn2qdeRgVNXQD97u0f
ZUw7fH6MSKHkuQsM0UWxex2dxxfJaFH5aF5EqXzlT/9by4Ela9p6GtecyuNPDnm+
jReIeDTO73BnM0LJNPPyd/CSHvaVEgvVmjjNTkuBYpyk8HVXf/Cd/A==
-----END RSA PRIVATE KEY-----
@@ -1,3 +1,3 @@
maintainer="bigfleet"
imagename="shibboleth_idp_runtime"
maintainer="my"
imagename="shibboleth_idp"
version="3.2.1"
@@ -0,0 +1,26 @@
<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />

<Service name="Catalina">
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/opt/certs/keystore.jks" keystorePass="password"
clientAuth="false" sslProtocol="TLS"/>
<Engine name="Catalina" defaultHost="localhost">

<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">

<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />

</Host>
</Engine>
</Service>
</Server>
@@ -0,0 +1,56 @@
version: '2'

services:
shibboleth_idp_0:
image: my/shibboleth_idp
container_name: shibboleth_idp_0
hostname: shibboleth_idp_0
networks:
- i2network
cap_add:
- ALL
- NET_ADMIN
- SYS_ADMIN
volumes:
- shibboleth_idp_credentials:/tmp/credentials
- ./logs/tomcat:/usr/local/tomcat/logs:rw
- ./logs/shibboleth_idp:/opt/shibboleth/shibboleth-identity-provider-3.2.1/logs:rw
ports:
- "8080:8443"
shibboleth_idp_1:
image: my/shibboleth_idp
container_name: shibboleth_idp_1
hostname: shibboleth_idp_1
networks:
- i2network
cap_add:
- ALL
- NET_ADMIN
- SYS_ADMIN
volumes:
- shibboleth_idp_credentials:/tmp/credentials
- ./logs/tomcat:/usr/local/tomcat/logs:rw
- ./logs/shibboleth_idp:/opt/shibboleth/shibboleth-identity-provider-3.2.1/logs:rw
ports:
- "8081:8443"
haproxy:
image: my/haproxy
container_name: haproxy
hostname: haproxy
networks:
- i2network
depends_on:
- shibboleth_idp_1
- shibboleth_idp_0
ports:
- "80:80"
- "5533:5533"
- "443:443"

networks:
i2network:
driver: bridge

volumes:
shibboleth_idp_credentials:
driver: local
@@ -0,0 +1,13 @@
FROM haproxy

ARG maintainer=my
ARG imagename=haproxy
ARG version=1.0

MAINTAINER $maintainer
LABEL Vendor="Internet2"
LABEL ImageType="haproxy"
LABEL ImageName=$imagename
LABEL ImageOS=centos7
LABEL Version=$version
copy conf/haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
@@ -0,0 +1,33 @@
#Example with SSL PASSTHROUGH
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice

defaults
log global
option httplog
option dontlognull
timeout connect 5000
timeout client 10000
timeout server 10000

listen stats
bind *:5533
stats enable
stats uri /


frontend localhost
bind *:80
bind *:443
option tcplog
mode tcp
default_backend shibboleth_idp

backend shibboleth_idp
#Define the correct status check
mode tcp
balance roundrobin
option ssl-hello-chk
server shibboleth_idp_0 shibboleth_idp_0:8443 check
server shibboleth_idp_1 shibboleth_idp_1:8443 check

0 comments on commit b4835c1

Please sign in to comment.
You can’t perform that action at this time.