From 936ac32bf6d3ee26c6ec544bb21c9b63b56187f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Lhomme?= Date: Wed, 2 Dec 2020 15:21:53 +0100 Subject: [PATCH] Add simple SSL support --- Dockerfile | 6 ++++++ docker-compose.yml | 7 ++++++- glpi-start.sh | 20 ++++++++++++++++++-- site.conf | 13 +++++++++++++ site_redirect.conf | 8 ++++++++ site_ssl.conf | 18 ++++++++++++++++++ 6 files changed, 69 insertions(+), 3 deletions(-) create mode 100644 site.conf create mode 100644 site_redirect.conf create mode 100644 site_ssl.conf diff --git a/Dockerfile b/Dockerfile index 0c37521e..e1b1e11e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,6 +31,12 @@ ca-certificates \ jq \ && rm -rf /var/lib/apt/lists/* +#Preparation des vhost apache +RUN rm -f /etc/apache2/sites-available/000-default.conf +COPY site.conf /etc/apache2/sites-available +COPY site_redirect.conf /etc/apache2/sites-available +COPY site_ssl.conf /etc/apache2/sites-available + #Copie et execution du script pour l'installation et l'initialisation de GLPI COPY glpi-start.sh /opt/ RUN chmod +x /opt/glpi-start.sh diff --git a/docker-compose.yml b/docker-compose.yml index d620157d..ff8eafd6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -19,10 +19,15 @@ services: hostname: glpi ports: - "80:80" + #- "443:443" volumes: - /etc/timezone:/etc/timezone:ro - /etc/localtime:/etc/localtime:ro - /var/www/html/glpi/:/var/www/html/glpi + # For SSL support, needs glpi.crt and glpi.key files in 'certs' directory + #- ./certs:/etc/certs environment: - TIMEZONE=Europe/Brussels - restart: always \ No newline at end of file + # Support to force redirecting HTTP to HTTPS + #- SSL_REDIRECT=https://MY_SITE_HTTPS_URL/ + restart: always diff --git a/glpi-start.sh b/glpi-start.sh index dd044cc5..44e19e0b 100644 --- a/glpi-start.sh +++ b/glpi-start.sh 
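Review bot: In the Dockerfile hunk, `RUN rm -f /etc/apache2/sites-available/000-default.conf` deletes only the available-site file. If the base image still carries the Debian default `sites-enabled/000-default.conf` symlink (not visible in this hunk), that link is left dangling and Apache may refuse to start on it. Disabling the site in the same step avoids this, e.g. `RUN a2dissite 000-default && rm -f /etc/apache2/sites-available/000-default.conf`. The three `COPY` lines can also be one instruction with an explicit directory target, `COPY site.conf site_redirect.conf site_ssl.conf /etc/apache2/sites-available/`.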
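Review bot: The commented example `#- ./certs:/etc/certs` in the docker-compose.yml hunk mounts the directory holding `glpi.key` read-write, unlike the two `:ro` mounts above it, so the container could modify or replace the host's certificate and private key. The example should read `#- ./certs:/etc/certs:ro`. The comment above it could also say that `glpi.key` must not be world-readable on the host, and that the `443:443` port line has to be uncommented together with the mount.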
@@ -12,6 +12,7 @@ SRC_GLPI=$(curl -s https://api.github.com/repos/glpi-project/glpi/releases/tags/ TAR_GLPI=$(basename ${SRC_GLPI}) FOLDER_GLPI=glpi/ FOLDER_WEB=/var/www/html/ +APACHE=/etc/apache2 #check if TLS_REQCERT is present if !(grep -q "TLS_REQCERT" /etc/ldap/ldap.conf) @@ -31,8 +32,23 @@ else chown -R www-data:www-data ${FOLDER_WEB}${FOLDER_GLPI} fi -#Modification du vhost par défaut -echo -e "\n\tDocumentRoot /var/www/html/glpi\n\n\t\n\t\tAllowOverride All\n\t\tOrder Allow,Deny\n\t\tAllow from all\n\t\n\n\tErrorLog /var/log/apache2/error-glpi.log\n\tLogLevel warn\n\tCustomLog /var/log/apache2/access-glpi.log combined\n" > /etc/apache2/sites-available/000-default.conf +#Activation du vhost HTTP +if [ "$SSL_REDIRECT" != "" ]; +then + sed -e "s#SSL_URL#$SSL_REDIRECT#" -i $APACHE/sites-available/site_redirect.conf + ln -s $APACHE/sites-available/site_redirect.conf $APACHE/sites-enabled/ +else + ln -s $APACHE/sites-available/site.conf $APACHE/sites-enabled/ +fi + +#Activation du vhost HTTPS +if [ -e "/etc/certs/glpi.crt" ]; +then + ln -s $APACHE/mods-available/ssl.load $APACHE/mods-enabled/ + ln -s $APACHE/mods-available/ssl.conf $APACHE/mods-enabled/ + ln -s $APACHE/mods-available/socache_shmcb.load $APACHE/mods-enabled/ + ln -s $APACHE/sites-available/site_ssl.conf $APACHE/sites-enabled/ +fi #Add scheduled task by cron and enable echo "*/2 * * * * www-data /usr/bin/php /var/www/html/glpi/front/cron.php &>/dev/null" >> /etc/cron.d/glpi diff --git a/site.conf b/site.conf new file mode 100644 index 00000000..88da965b --- /dev/null +++ b/site.conf @@ -0,0 +1,13 @@ + + DocumentRoot /var/www/html/glpi + + + AllowOverride All + Order Allow,Deny + Allow from all + + + ErrorLog /var/log/apache2/error-glpi.log + LogLevel warn + CustomLog /var/log/apache2/access-glpi.log combined + diff --git a/site_redirect.conf b/site_redirect.conf new file mode 100644 index 00000000..208b3854 --- /dev/null +++ b/site_redirect.conf 
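Review bot: In the second glpi-start.sh hunk, mounting a certificate without also setting `SSL_REDIRECT` still enables `site.conf`, so GLPI logins and session cookies remain reachable over the plain-HTTP vhost next to the HTTPS one. A comment stating that this is intended, or a default redirect whenever the certificate is present, would make the behaviour explicit. The HTTPS test checks only `glpi.crt` while `site_ssl.conf` also needs the key; `if [ -r /etc/certs/glpi.crt ] && [ -r /etc/certs/glpi.key ];` covers both and avoids a failed Apache start on a half-populated mount. If this script is the container's start command, the `ln -s` calls will fail with "File exists" on a restart of the same container (the compose file sets `restart: always`); `ln -sf` keeps them idempotent. The `else … fi` at the top of the hunk belongs to a block that starts outside it.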
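Review bot: site.conf grants access with `Order Allow,Deny` and `Allow from all`, and the same lines appear in site_ssl.conf. These are Apache 2.2 directives that work on 2.4 only through mod_access_compat and can combine unexpectedly with `Require` rules set elsewhere. The 2.4 form is the single line `Require all granted`. A short comment explaining why `AllowOverride All` is needed would also help, since it lets `.htaccess` files under the document root override access control. The opening tag of the enclosing section is not visible in this rendering, so the directory it applies to should be confirmed.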
@@ -0,0 +1,8 @@ + + DocumentRoot /var/www/html/glpi + Redirect permanent / SSL_URL + + ErrorLog /var/log/apache2/error-glpi.log + LogLevel warn + CustomLog /var/log/apache2/access-glpi.log combined + diff --git a/site_ssl.conf b/site_ssl.conf new file mode 100644 index 00000000..ab6dc375 --- /dev/null +++ b/site_ssl.conf @@ -0,0 +1,18 @@ + + DocumentRoot /var/www/html/glpi + + SSLEngine on + SSLCertificateFile /etc/certs/glpi.crt + SSLCertificateKeyFile /etc/certs/glpi.key + + + AllowOverride All + Order Allow,Deny + Allow from all + + + ErrorLog /var/log/apache2/error-glpi-ssl.log + LogLevel warn + CustomLog /var/log/apache2/access-glpi-ssl.log combined + +
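Review bot: `Redirect permanent / SSL_URL` in site_redirect.conf appends the rest of the request path directly to the substituted value, so an `SSL_REDIRECT` without a trailing slash would send `/front/x.php` to `https://hostfront/x.php`. Either the start script should normalise the value, or the file should carry a comment such as `# SSL_URL is replaced at container start by glpi-start.sh; the value must end with "/"`. The placeholder is filled by `sed -e "s#SSL_URL#$SSL_REDIRECT#"`, where a `#`, `&` or `\` in the URL changes the substitution, so the script should escape those characters or reject such values. `DocumentRoot` is not needed in a vhost that only redirects.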
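Review bot: site_ssl.conf sets only `SSLEngine on` and the certificate and key paths, so protocol versions and cipher suites are whatever the image's `mods-available/ssl.conf` provides, and no HSTS header is sent. Where the image's Apache supports it, pinning `SSLProtocol -all +TLSv1.2 +TLSv1.3` in the vhost would fix the protocol floor. With mod_headers enabled, `Header always set Strict-Transport-Security "max-age=31536000"` would keep returning browsers off the plain-HTTP vhost. A comment above `SSLCertificateKeyFile` should note that `/etc/certs/glpi.key` comes from the operator's bind mount and must not be world-readable.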