From 8365ea1739f52874cb611ef12ecd9a4b57b583d8 Mon Sep 17 00:00:00 2001
From: Osiloke Emoekpere
Date: Tue, 24 Oct 2017 20:34:25 +0100
Subject: [PATCH] Add docker image

* Adds customizable docker image for running tunneld
---
 docker/Dockerfile | 45 +++++++++++++++++
 docker/README.md | 42 ++++++++++++++++
 docker/entrypoint.sh | 117 +++++++++++++++++++++++++++++++++++++++++++
 docker/issuer.ext | 2 +
 docker/public.ext | 1 +
 docker/tunneld.sh | 18 +++++++
 6 files changed, 225 insertions(+)
 create mode 100644 docker/Dockerfile
 create mode 100644 docker/README.md
 create mode 100644 docker/entrypoint.sh
 create mode 100644 docker/issuer.ext
 create mode 100644 docker/public.ext
 create mode 100644 docker/tunneld.sh

diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..612fdbe
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,45 @@
+FROM golang:alpine AS builder
+
+MAINTAINER Osiloke Emoekpere ( me@osiloke.com )
+
+RUN apk update \
+ && apk add -U git \
+ && apk add ca-certificates \
+ && go get -v github.com/mmatczuk/go-http-tunnel/cmd/tunneld \
+ && rm -rf /var/cache/apk/*
+
+# final stage
+FROM alpine
+
+WORKDIR /
+
+RUN apk update && apk add openssl \
+ && apk add ca-certificates \
+ && rm -rf /var/cache/apk/*
+
+COPY --from=builder /go/bin/tunneld .
+
+# default variables
+ENV COUNTY "US"
+ENV STATE "New Jersey"
+ENV LOCATION "Piscataway"
+ENV ORGANISATION "Ecample"
+ENV ROOT_CN "Root"
+ENV ISSUER_CN "Example Ltd"
+ENV PUBLIC_CN "example.com"
+ENV ROOT_NAME "root"
+ENV ISSUER_NAME "example"
+ENV PUBLIC_NAME "public"
+ENV RSA_KEY_NUMBITS "2048"
+ENV DAYS "365"
+
+# certificate directories
+ENV CERT_DIR "/etc/ssl/certs"
+
+VOLUME ["$CERT_DIR"]
+
+COPY *.ext /
+COPY entrypoint.sh /
+COPY tunneld.sh /
+
+ENTRYPOINT [ "/entrypoint.sh" ]
\ No newline at end of file
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000..c9de632
--- /dev/null
+++ b/docker/README.md
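Review bot: Nothing in this build is pinned: `FROM golang:alpine AS builder`, `FROM alpine` and `go get -v github.com/mmatczuk/go-http-tunnel/cmd/tunneld` all resolve to whatever upstream serves at build time, so the image is not reproducible and silently absorbs any change to the base images or to the tunnel's master branch. Pin both bases to a version tag or digest, e.g. `FROM golang:<pinned-version>-alpine AS builder` and `FROM alpine:<pinned-version>`, and check out a fixed tag or commit of go-http-tunnel before installing it. The final stage has no `USER`, so both tunneld and the key-generating entrypoint run as root with `WORKDIR /`; a dedicated system user that owns `$CERT_DIR` would bound what a compromise of the daemon can reach. Smaller points: `MAINTAINER` is deprecated in favour of `LABEL`, the `ENV COUNTY "US"` lines use the legacy space-separated form and should read `ENV COUNTY="US"`, and `apk update && apk add … && rm -rf /var/cache/apk/*` collapses to `apk add --no-cache …`. The defaults also disagree with the README table in the same commit: `ENV ORGANISATION "Ecample"` is documented as `Example` and `ENV PUBLIC_CN "example.com"` as `*.example.com`.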
@@ -0,0 +1,42 @@
+# docker-tunneld
+
+## Introduction
+
+> A docker image for running [mmatczuk/go-http-tunnel](https://github.com/mmatczuk/go-http-tunnel "Tunnel"). This will always build the master repo.
+
+
+## Usage
+
+> docker run -v /etc/ssl/certs:/etc/ssl/certs -p 4443:4443 tunneld/tunneld
+
+
+## Docker run env options
+
+This image can be run using a couple of environment variables that configures the image.
+
+TunnelD config
+----
+
+| VARIABLE | DESCRIPTION | DEFAULT |
+| :------- | :---------- | :------ |
+| DEBUG | turn on debugging | false |
+| CLIENTS | Specify comma separated client ID's that should recognize | empty |
+| DISABLE_HTTPS | Disables https | false |
+
+TLS Cert
+----
+
+| VARIABLE | DESCRIPTION | DEFAULT |
+| :------- | :---------- | :------ |
+| COUNTY | Certificate subject country string | US |
+| STATE | Certificate subject state string | New Jersey |
+| LOCATION | Certificate subject location string | Piscataway |
+| ORGANISATION | Certificate subject organisation string | Example |
+| ROOT_CN | Root certificate common name | Root |
+| ISSUER_CN | Intermediate issuer certificate common name | Example Ltd |
+| PUBLIC_CN | Public certificate common name | *.example.com |
+| ROOT_NAME | Root certificate filename | root |
+| ISSUER_NAME | Intermediate issuer certificate filename | example |
+| PUBLIC_NAME | Public certificate filename | public |
+| RSA_KEY_NUMBITS | The size of the rsa keys to generate in bits | 2048 |
+| DAYS | The number of days to certify the certificates for | 365 |
\ No newline at end of file
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100644
index 0000000..bca6503
--- /dev/null
+++ b/docker/entrypoint.sh
@@ -0,0 +1,117 @@
+#!/bin/sh
+# docker entrypoint script
+# generate three tier certificate chain
+
+
+echo "[i] Start OpenSSL, cert file save path: $CERT_DIR"
+SUBJ="/C=$COUNTY/ST=$STATE/L=$LOCATION/O=$ORGANISATION"
+
+if [ ! -d $CERT_DIR ]; then
+ echo "[i] Make directory: $CERT_DIR"
+ mkdir -p "$CERT_DIR"
+fi
+
+if [ ! -f "$CERT_DIR/$ROOT_NAME.crt" ]
+then
+ echo "[i] Generate $ROOT_NAME.crt"
+
+ # generate root certificate
+ ROOT_SUBJ="$SUBJ/CN=$ROOT_CN"
+
+ openssl genrsa \
+ -out "$ROOT_NAME.key" \
+ "$RSA_KEY_NUMBITS"
+
+ openssl req \
+ -new \
+ -key "$ROOT_NAME.key" \
+ -out "$ROOT_NAME.csr" \
+ -subj "$ROOT_SUBJ"
+
+ openssl req \
+ -x509 \
+ -key "$ROOT_NAME.key" \
+ -in "$ROOT_NAME.csr" \
+ -out "$ROOT_NAME.crt" \
+ -days "$DAYS" \
+ -subj "$ROOT_SUBJ"
+
+ # copy certificate to volume
+ cp "$ROOT_NAME.crt" "$CERT_DIR"
+fi
+
+if [ ! -f "$CERT_DIR/$ISSUER_NAME.crt" ]
+then
+ echo "[i] Generate $ISSUER_NAME.crt"
+ # generate issuer certificate
+ ISSUER_SUBJ="$SUBJ/CN=$ISSUER_CN"
+
+ openssl genrsa \
+ -out "$ISSUER_NAME.key" \
+ "$RSA_KEY_NUMBITS"
+
+ openssl req \
+ -new \
+ -key "$ISSUER_NAME.key" \
+ -out "$ISSUER_NAME.csr" \
+ -subj "$ISSUER_SUBJ"
+
+ openssl x509 \
+ -req \
+ -in "$ISSUER_NAME.csr" \
+ -CA "$ROOT_NAME.crt" \
+ -CAkey "$ROOT_NAME.key" \
+ -out "$ISSUER_NAME.crt" \
+ -CAcreateserial \
+ -extfile issuer.ext \
+ -days "$DAYS"
+
+ # copy certificate to volume
+ cp "$ISSUER_NAME.crt" "$CERT_DIR"
+fi
+
+if [ ! -f "$CERT_DIR/$PUBLIC_NAME.key" ]
+then
+ echo "[i] Generate $PUBLIC_NAME.key"
+ # generate public rsa key
+ openssl genrsa \
+ -out "$PUBLIC_NAME.key" \
+ "$RSA_KEY_NUMBITS"
+
+ # copy public rsa key to volume
+ cp "$PUBLIC_NAME.key" "$CERT_DIR"
+fi
+
+if [ ! -f "$CERT_DIR/$PUBLIC_NAME.crt" ]
+then
+ echo "[i] Generate $PUBLIC_NAME.crt"
+ # generate public certificate
+ PUBLIC_SUBJ="$SUBJ/CN=$PUBLIC_CN"
+ openssl req \
+ -new \
+ -key "$PUBLIC_NAME.key" \
+ -out "$PUBLIC_NAME.csr" \
+ -subj "$PUBLIC_SUBJ"
+
+ openssl x509 \
+ -req \
+ -in "$PUBLIC_NAME.csr" \
+ -CA "$ISSUER_NAME.crt" \
+ -CAkey "$ISSUER_NAME.key" \
+ -out "$PUBLIC_NAME.crt" \
+ -CAcreateserial \
+ -extfile public.ext \
+ -days "$DAYS"
+
+ # copy certificate to volume
+ cp "$PUBLIC_NAME.crt" "$CERT_DIR"
+fi
+
+if [ ! -f "$CERT_DIR/ca.pem" ]
+then
+ echo "[i] Make combined root and issuer ca.pem"
+ # make combined root and issuer ca.pem
+ cat "$CERT_DIR/$ISSUER_NAME.crt" "$CERT_DIR/$ROOT_NAME.crt" > "$CERT_DIR/ca.pem"
+fi
+
+sh /tunneld.sh
\ No newline at end of file
diff --git a/docker/issuer.ext b/docker/issuer.ext
new file mode 100644
index 0000000..13220d7
--- /dev/null
+++ b/docker/issuer.ext
@@ -0,0 +1,2 @@
+basicConstraints=critical,CA:true
+keyUsage=critical,keyCertSign
\ No newline at end of file
diff --git a/docker/public.ext b/docker/public.ext
new file mode 100644
index 0000000..2a0c10f
--- /dev/null
+++ b/docker/public.ext
@@ -0,0 +1 @@
+extendedKeyUsage=serverAuth,clientAuth
\ No newline at end of file
diff --git a/docker/tunneld.sh b/docker/tunneld.sh
new file mode 100644
index 0000000..5ea34bc
--- /dev/null
+++ b/docker/tunneld.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+CMD="/tunneld --tlsCrt "$CERT_DIR/$PUBLIC_NAME.crt" --tlsKey "$CERT_DIR/$PUBLIC_NAME.key""
+if [[ -z "${CLIENTS}" ]]; then
+ echo "no clients were specified"
+else
+ CMD="${CMD} --clients="$CLIENTS""
+fi
+if [[ "${DEBUG}" == 'true' ]]; then
+ CMD="${CMD} --debug"
+ echo "debug on"
+fi
+if [[ "${DISABLE_HTTPS}" == 'true' ]]; then
+ CMD="${CMD} --httpsAddr="" "
+ echo "disabled https"
+fi
+# run command passed to docker run
+echo "$CMD"
+$CMD
\ No newline at end of file