Pre-release: v0.3.0

docker/Dockerfile

@@ -21,9 +21,8 @@ RUN mkdir -p /var/log/cert/ /run/php/ /sca/ && \
             rsync \
             ssmtp \
             sudo && \
-    sed -i -e '/listen =/ s/= .*/= 0.0.0.0:9000/' /etc/php7/php-fpm.d/www.conf && \
+    sed -i -e '/listen =/ s/= .*/= 9000/' /etc/php7/php-fpm.d/www.conf && \
     sed -i -e '/;pid =/ s/.*/pid = \/var\/run\/php-fpm.pid/' /etc/php7/php-fpm.conf && \
-    echo "" >> /etc/php7/php-fpm.conf && \
     chmod +x /entrypoint.sh /healthcheck.sh && \
     ln -sf /dev/stderr /var/log/php7/error.log
 RUN apk add git && \

examples/httpd-local/README.md

@@ -1,6 +1,6 @@
 # Example: httpd + htpasswd
 
-This Example shows how to use sca with httpd and ldap using docker.
+This Example shows how to use sca with httpd and htpasswd using docker.
 
 ## Prepare setup
 

examples/nginx-client-cert/README.md

@@ -0,0 +1,58 @@
+# Example: nginx + client certificate
+
+This Example shows how to use sca with nginx and client certificate using docker.
+
+## Prepare setup
+
+1. Start system using `docker-compose up -d`
+1. Add pfx [certificates](../shared/config-client-cert/) to your browser
+1. Visit https://localhost
+1. Login using one of the following credentials (Only cert-sync account exists at first):
+
+|Username|Type|
+|---|---|
+|cert-sync|admin|
+|rainbow|admin|
+|proceme|user|
+
+If something goes wrong, check the log using:
+```
+docker logs -f nginx-client-cert_sca_1
+```
+
+## Using sca
+
+_The `cert-sync` user should only be used for the first setup. Afterwards its best to create a dedicated account per user._
+
+1. Login using the admin account `cert-sync`.
+1. Create user `rainbow` as admin and user `proceme` as user at https://localhost/users#add
+1. Add the server `nginx.example.com` and `httpd.example.com` at https://localhost/servers#add
+1. Sca should be able to connect to both systems. You can verify this by checking whether there is an `Synced successfully` next to the servers. 
+1. Add the scripts [check_loport.sh](../scripts/check_loport.sh), [restart_httpd.sh](../scripts/httpd/restart_httpd.sh), [restart_nginx.sh](../scripts/nginx/restart_nginx.sh) and [status_pidfile.sh](../scripts/status_pidfile.sh)
+1. Add two services called `nginx_8443` and `httpd_8444`. Both should use `check_loport.sh`, `status_pidfile.sh` and their respective restart script
+1. Add the following two variables to both services.
+   * nginx_8443:
+      * Name: `PID_FILE`
+      * Value: `/run/nginx/nginx.pid`
+      * Name: `PORT`
+      * Value: `8443`
+   * httpd_8444:
+      * Name: `PID_FILE`
+      * Value: `/var/run/apache2/httpd.pid`
+      * Name: `PORT`
+      * Value: `8444`
+1. Add the certificates from [certificates](../certificates)
+1. Add two profiles. `nginx_demo` with `nginx.example.com` and `nginx_8443` as well as `httpd_demo` with `httpd.example.com` and `httpd_8444`. Both with certifcate `test1`.
+1. Go to https://localhost/servers#list and use `Sync listed servers now`. After the confirmation it should only take a few seconds until both servers should be set to `Synced successfully`.
+1. Visit https://localhost:8443/ and https://localhost:8444/ and take a look at the certificate it should be valid till 2020-01-01. Now visit [certificate test1](https://localhost/certificates/test1#migrate) and migrate it to `test2`. Afterwards synchronise the servers again. After reloading both pages, the certificate should now be valid till 2021-01-01.
+
+## Add access for new users
+
+1. Generate private key: `openssl genrsa -out <username>.key 2048`
+1. Generate certificate signing request: `openssl req -new -key <username>.key -out <username>.csr -subj "/CN=<username>"`
+1. Generate certificate using the ca: `openssl x509 -req -in <username>.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out <username>.pem -days 36500 -sha256`
+1. Generate pfx: `openssl pkcs12 -export -out <username>.pfx -inkey <username>.key -in <username>.pem -certfile ca.pem`
+
+## View synchronisation logs
+
+The Web UI only shows very rudimentary error messages. For more information connect to the php container using `docker exec -it nginx-client-cert_sca-php_1 /bin/ash`. In there, you can use the this command to follow the log file of the synchronisation daemon: `tail -f /var/log/cert/sync.log`.

examples/nginx-client-cert/docker-compose.yml

@@ -0,0 +1,97 @@
+version: '2.2'
+services:
+  test-nginx:
+    image: alpine
+    command: /bin/ash -c "(id cert-sync || adduser -h /var/local/cert-sync -S -D -s /bin/sh cert-sync) && mkdir -p /var/run/nginx/ && chmod 711 /var/local/cert-sync && cp /key /var/local/cert-sync/cert-sync && chown cert-sync:nogroup /var/local/cert-sync/cert-sync && chmod 644 /var/local/cert-sync/cert-sync && apk add openssh openssl nginx sudo && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes no/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/cert-sync\/%u/' /etc/ssh/sshd_config && passwd cert-sync -d test && passwd root -d test && echo 'cert-sync ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && /usr/sbin/sshd -D"
+    restart: always
+    expose:
+      - "22"
+    ports:
+      - "8443:8443"
+    depends_on:
+      - sca-php
+    volumes:
+      - ../shared/config-client-cert/cert-sync.pub:/key:ro
+      - ../shared/nginx-demo.conf:/etc/nginx/conf.d/default.conf:ro
+    networks:
+      net:
+        aliases:
+         - nginx.example.com
+
+  test-httpd:
+    image: alpine
+    command: /bin/ash -c "(id cert-sync || adduser -h /var/local/cert-sync -S -D -s /bin/sh cert-sync) && chmod 711 /var/local/cert-sync && cp /key /var/local/cert-sync/cert-sync && chown cert-sync:nogroup /var/local/cert-sync/cert-sync && chmod 644 /var/local/cert-sync/cert-sync && apk add openssh openssl apache2 apache2-ssl sudo && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes no/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/cert-sync\/%u/' /etc/ssh/sshd_config && passwd cert-sync -d test && passwd root -d test && echo 'cert-sync ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers && /usr/sbin/sshd -D"
+    restart: always
+    expose:
+      - "22"
+    ports:
+      - "8444:8444"
+    depends_on:
+      - sca-php
+    volumes:
+      - ../shared/config-client-cert/cert-sync.pub:/key:ro
+      - ../shared/httpd-demo.conf:/etc/apache2/conf.d/demo.conf:ro
+    networks:
+      net:
+        aliases:
+         - httpd.example.com
+
+  mail:
+    image: mwader/postfix-relay
+    restart: always
+    environment:
+    - POSTFIX_myhostname=sca.example.de
+    - POSTFIX_mynetworks=0.0.0.0/0
+    expose:
+      - "25"
+    networks:
+      - net
+
+  sca-db:
+    image: mariadb
+    restart: always
+    environment:
+    - MYSQL_ROOT_PASSWORD=root-password
+    - MYSQL_DATABASE=sca-db
+    - MYSQL_USER=sca-user
+    - MYSQL_PASSWORD=password
+    volumes:
+      - db:/var/lib/mysql:rw
+    networks:
+      - net
+
+  sca-php:
+    build:
+      context: ../../docker
+    restart: always
+    depends_on:
+      - sca-db
+      - mail
+    volumes:
+      - ../../:/sca/:rw
+      - ../shared/config-client-cert/:/sca/config/:rw
+      - ../shared/ssmtp.conf:/etc/ssmtp/ssmtp.conf:ro
+      - html:/public_html:rw
+    networks:
+      - net
+
+  sca:
+    image: nginx:alpine
+    restart: always
+    ports:
+      - "443:443"
+    depends_on:
+      - sca-php
+    volumes:
+      - html:/sca/public_html:ro
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - ../shared/config-client-cert/ca.pem:/ca.pem:ro
+      - ../shared/config-client-cert/ca.key:/ca.key:ro
+    networks:
+      - net
+
+networks:
+  net:
+volumes:
+  html:
+  db:

examples/nginx-client-cert/nginx.conf

@@ -0,0 +1,38 @@
+
+server {
+	listen 443 ssl;
+	server_name sca.example.com;
+
+	root /sca/public_html;
+	index init.php;
+
+    ssl_certificate /ca.pem;
+    ssl_certificate_key /ca.key;
+
+	ssl_client_certificate /ca.pem;
+	ssl_verify_client optional;
+
+	if ($ssl_client_verify != SUCCESS) {
+		return 403;
+	}
+
+	location / {
+		try_files $uri $uri/ @php;
+	}
+
+	location @php {
+		rewrite ^/(.*)$ /init.php/$1 last;
+	}
+
+	location /init.php {
+		# Mitigate https://httpoxy.org/ vulnerabilities
+		fastcgi_param HTTP_PROXY "";
+		fastcgi_pass sca-php:9000;
+
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param HTTPS on;
+        fastcgi_param X-SSL-CERT-DN $ssl_client_s_dn;
+	}
+}

examples/nginx-local/README.md

@@ -1,6 +1,6 @@
 # Example: nginx + htpasswd
 
-This Example shows how to use sca with nginx and ldap using docker.
+This Example shows how to use sca with nginx and htpasswd using docker.
 
 ## Prepare setup
 

examples/shared/config-client-cert/ca.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAw/KvOhxTDfj/4qKpWciY3ER+d9XW91tDj6OMWLGKP7bUjpnW
+yJ2MiuINhM5FvCmS1C7G2hew0G735Dklo9ubjqih/VoodFZOH7C/ZV2WZcX5yfqL
+w2eA1mT6a/XdtXc9AkNYjXQTv3HAW0nDHQjpoNYvz2Mzk7ricVtzNpn2H5YKQrDi
+6O36185kLqz/MUq5uMlDZL8+Qc2uEUwJ5PUgRt2SiEtbUocKaqlwzl3Fw1bfuTsg
+mPpuMszxQ3ZcVB/a4yNst08Gt6N5SQg9V/ZtHxwKhVDF/YxYXD3/jXaeWmPA+My5
+Z3SfvBPi35KAw66nett7tFea0tUkuLPchRks7wIDAQABAoIBACl1LVHUMFZienFP
+DRmr8XuZGlDsc4D+VDsN1WHmnmOAoVRShDkJ7HRuA4I3ylVXTnOKOhRmsshG0jf9
+R1N14WG7mBpseuayY/EcikI+HNYHnyP22J9NRNsXnkw9Rt1gDw5thUzYZF07CgHG
+h3ubKSMYbiEo0f7NqZ9mQ+gnhwWDcH3/l9DW6E1XHqtnnh3tda1YzUKu4hUutVrg
+7CyHt+sAiVoipwBgRJvucSAKd/Z11E3/OLczLPdjizcYYtb6h+sWictC+sncUJo+
+scM1LKrGI5pfMXggwGb2Blxoxk8bg0FHGeeBRsVjkRzE4/tzY3vfBWi9dsT0wxcH
+dygyjeECgYEA4FczEeTDlbPDJUkFLkMR2bYIcL/uftBF9bY+2Kv42/WrIAxa6CpU
+ZAu207kDVODb1m+GGcI7SkebuxArWcfflobNx6HlbyU9N8PK4P2Ab+Aw29IE23RJ
+6s0qXjI08pBWBc7eecSTUKVLtmfNc/zA4m5tufcuY8eP38erNB7WSUkCgYEA35m8
+/5IN8R5LWNh30pm+9NvAcT7c/iQCog+I+1v9/nqeTFQPchqo8F1XLWnrL7H3FvQM
+25eR+meem+Et84f6uJH6Wa/RYwyZrwd8k3Jx2yDPXv0YOWuRXQ8M4rSX/PPIMeZH
+GtkQYg5bWM7zAeo0IZiMmjJhm7r3uexe/BPQPHcCgYBp/Wi4dH9fU/3HuNcEw1VE
+qbcVJejU6yuSahcJIT7DFS9TReMROyaB2fL31rpXOKFEj44oz1ZZwrk1yO7iTQc6
+w9enELsoJszkctGAOOScdqw+vtvinu9pSqNQu6G+VCkAN3tuxkvfVykNNb+go/Kx
+SAD5UmoNZDR6QoiFaGhPWQKBgGwErRUZzbpp1CR7joci1ukbMACFSeVMKCl6L8ae
+TjmdqtNc2Ila77oOnYrG3GMSKjfgdkWvF0pMvIa5ZaV8T1bSzop9MT4UXDn99+ST
+KQWe+A7/XbB/kp3OI39xlusQKepRQJBrxEpafS6N6z9FkSGZvHLRW+4LiJk84zYL
+rFFJAoGAGgUN9V/sy+u+JgKJHC8/nChDjCJvarh1Gv62Gq4M2JqKz7TQz1QI3oxa
+pNqkUt4VeLVLPqxRU3mTIQymcD/A27AxKlSiCqFnpuLpRRsZA8UwlxxwbOylW/ZS
+NwatYZ/4WT9lFKaBfa+vfdbzH8wTk65mLI9zy/G/UeWtU4ngpoA=
+-----END RSA PRIVATE KEY-----

examples/shared/config-client-cert/ca.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFTCCAf2gAwIBAgIUYOdgcuAxbSmgsOVGuAGje+IZSHQwDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wIBcNMTkwNTEyMDgyMjEwWhgP
+MjExOTA0MTgwODIyMTBaMBkxFzAVBgNVBAMMDmNhLmV4YW1wbGUuY29tMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw/KvOhxTDfj/4qKpWciY3ER+d9XW
+91tDj6OMWLGKP7bUjpnWyJ2MiuINhM5FvCmS1C7G2hew0G735Dklo9ubjqih/Voo
+dFZOH7C/ZV2WZcX5yfqLw2eA1mT6a/XdtXc9AkNYjXQTv3HAW0nDHQjpoNYvz2Mz
+k7ricVtzNpn2H5YKQrDi6O36185kLqz/MUq5uMlDZL8+Qc2uEUwJ5PUgRt2SiEtb
+UocKaqlwzl3Fw1bfuTsgmPpuMszxQ3ZcVB/a4yNst08Gt6N5SQg9V/ZtHxwKhVDF
+/YxYXD3/jXaeWmPA+My5Z3SfvBPi35KAw66nett7tFea0tUkuLPchRks7wIDAQAB
+o1MwUTAdBgNVHQ4EFgQUMm+/8ikUlL2AScmi026LjQ6RX2MwHwYDVR0jBBgwFoAU
+Mm+/8ikUlL2AScmi026LjQ6RX2MwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B
+AQsFAAOCAQEACvjKjDk8bw0OuzKxyL+aWNcIIZdEj91uVad0k2U69NQ9Oq2TLf8X
+hDNTSQzpx3ddMzV2H0qribCbOKMfgTiy3HJrsbFWpwnH0NhDNI75wQRyJzclxnKb
+jMtbXKH/DooY9Znk01lcfnDVQ7xbk3hhDBH6YFubf5LGNO/B6SzUGnkV772YpA1k
+LbW5lMpNRuwbPNooDBOyaNqPg0OqqACG3LPcrz0bGC9+OsNf0yF3hZyUjvhL9ZR0
+Zglle/a+kMORJ0LCSUJh3Nac8lb0pY1SxrRiUh0Y5TYsiIU82xNKwxQHRo9H/aIU
+GDCpiPFJTF2Ulu1IJpAnci0MyT1vzOaErA==
+-----END CERTIFICATE-----

examples/shared/config-client-cert/ca.srl

@@ -0,0 +1 @@
+26A3FAE83BED0F4CC887B0C103E6067F534A8BC2

examples/shared/config-client-cert/cert-sync

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAqatsYGwteC4X+aIsNThluXZlh9SbdQTB3Zy8EoRcgKSEQdvw
+sn56e3SLCTtLVGYCD7l5bTvjuJIG0VGKGG8ZYiESHQRBqm6t0zWEJMiOC0mUt3xW
+4YJcVFhsk54WhVMWW7Irjx+wk9VbX4OellU0FZSjAs+hSernAOnVoSNXnSaC5hoq
+98QWdlUwI+pOkKfyII4YYcSaPByNA/dx4Hy4cVqIaVIvDf4SiYHnqbCCZbSZcrQD
+W/pLnq6s4e3LvYNaB2BWLlbad8YuJRBRSp9C3thV1EmYIDQdlk6sg0fkFGYi+jWF
+WKatA0u7Krt5Dh3BeeNgFqegfsb3E1P8+gUp6QIDAQABAoIBADdzCIYylGGUXs18
+jIoQFl6YLPJJL0z88waj9GrwyvJX0clcQbtzzj+OhOnNcP7yH3ZYHTDvw6pMPuIl
+jcYSeO8y86J8A6HZbgF6mecTjChwMaQNhK9KVTZTd5h+r8l+r+3juoyZxLFrpuL+
+NtPWoKD05JlEled8V2ZbBTAWRsnahepwwIdVK9kroK/Z/O91YXHxsKkW8tr0BPAR
+mJNFOZnMxKymyXZ05J9pEq+q054nDHdpOcKF6z1dNuVVpPvtPlJ+BfNZqLcQ87/3
+4AiX7hFEyiRQw6v5JXUXH1IkNuD3BpjFMAr5/g1damsWXw+rkeYk5uS44Em46LeU
+hk2J8ykCgYEA1B9eZEI/xpejcXDLTR7NihF2kk3YmiHjnqvVRPV97/JlMw1kmulb
+ga1Y4y7YLv0TT2lWTZ9U5d+aIGTLqDd2fFvUYwAojeibf8TIPxWj47IK1sG7K7/4
+fwtxzuYJ6TmehwKFLMqxW/RN8bxmXZOQyc0vdbWdc30filRpdJfkyMMCgYEAzMQG
+NIc3WObmaNzT1qlC7svba0VWpE7Tve9yUlfQUzqiEPMWKxCxoxiSdjxKh3ZeFaGM
+vb+EvvHryZVwO6Ym8YO3c7Or96/38dlpzR2USPPsE/z7q4Ai7p8s2OnpUdTN+Sbz
+rUvWFZD+aTTzYaPHiknGGE4oTt90ksXhsHKR9+MCgYBZchzIZBMmd7zI0go4K9v5
+82EvUjoazF2CA+07VdVT/79ipqwckngul10a9x7buYWR/9YPhzcyc3Y3YKlr9m81
+Azfswx1WsZYYa28RAtwH4ISniCuXyCxNzhKgbuoQ+WX6gjqL57CgGMVhQNNddCMi
+pS31Ea8iCsno9608J+ymJwKBgAupDgFnwcsaOvy1top+0QTwLuqI5EovAvfJ7uSp
+g39500jLzvNc3ADBoXWCMWxNXUY2EOGtSk3lUNwF2oJLD+So74VzMdPE/YWUL+Yy
+TQNqgIMS4PH/Nf4IqnEfwN2cFK6ffTjdHK/Vtecf0Mw6m15QnSs9KCZ1qxnAkv2N
+SKqpAoGBAKb7H7PEoBlC0SfrdQIoqKcHX62IEVSS/bzeKRgOF8dNGeJkMLJeOzgK
+uAdi8XYReKp6xkMz2KArfR55nkqGmqPHa9czxLcRh0afdccjK4kEgiCA3sGz80Hp
+2r7EBnR6AK5aBTNDnpv2TQdOCTed5QBwHUWUWlD36xDayW/+cehH
+-----END RSA PRIVATE KEY-----

examples/shared/config-client-cert/cert-sync.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpq2xgbC14Lhf5oiw1OGW5dmWH1Jt1BMHdnLwShFyApIRB2/Cyfnp7dIsJO0tUZgIPuXltO+O4kgbRUYoYbxliIRIdBEGqbq3TNYQkyI4LSZS3fFbhglxUWGyTnhaFUxZbsiuPH7CT1Vtfg56WVTQVlKMCz6FJ6ucA6dWhI1edJoLmGir3xBZ2VTAj6k6Qp/IgjhhhxJo8HI0D93HgfLhxWohpUi8N/hKJgeepsIJltJlytANb+kuerqzh7cu9g1oHYFYuVtp3xi4lEFFKn0Le2FXUSZggNB2WTqyDR+QUZiL6NYVYpq0DS7squ3kOHcF542AWp6B+xvcTU/z6BSnp [email protected]