rework current front facing proxy (#40)

* replace previous caddy construct with kopano kweb
* add kweb to makefile
* greatly simplifies setup, if user wants to tweak config of kweb he could do so in git and make a local build. Fixes #22 
* ping kweb version
* update readme
* remove build argument from docker-compose for web and ldap-demo
* fix certificate handling in kweb. fixes #38

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "caddy"]
-	path = caddy
-	url = https://github.com/fbartels/caddy-gen.git

Makefile

@@ -53,6 +53,12 @@ build-zpush:
 build-ssl:
 	docker build -t $(docker_repo)/kopano_ssl ssl/
 
+build-kweb:
+	docker build -t $(docker_repo)/kopano_web kweb/
+
+build-ldap-demo:
+	docker build -t $(docker_repo)/kopano_ldap_demo ldap-demo/
+
 tag: component ?= base
 tag:
 	@echo 'create tag $($(component)_version)'
@@ -103,6 +109,9 @@ publish-zpush: build-zpush tag-zpush
 publish-ssl: build-ssl
 	docker push $(docker_repo)/kopano_ssl:latest
 
+publish-kweb: build-kweb
+	docker push $(docker_repo)/kopano_web:latest
+
 test:
 	sudo rm -rf data/
 	make build-all

README.md

@@ -6,16 +6,13 @@ This repository contains an easy to replicate recipe to spin up a [Kopano](https
 
 - make sure that you are running a recent enought version of Docker and [Docker Compose](https://docs.docker.com/compose/install/)
 - clone this repository to your local disk
-- run `git submodule update --init --recursive` from within the checkout to also clone submodules
 - run `setup.sh`
   - this script will ask you a few questions about your environment.
   - If you are just interested in the demo environment you can accept the default values by pressing `Enter` on each question
-  - afterwards it builds a local image for the demo LDAP and the reverse proxy
+  - afterwards it builds a local image for the demo LDAP
 - now run `docker-compose up` and you will see how the remaining Docker images are pulled and then everything is started
-- after startup has succeeded you can access the Kopano WebApp by going to `https://webapp.kopano.demo` (if you have given a differing LDAP Domain name then it will be `https://webapp.your.domain`).
-- you can also access phpLDAPadmin by going to `https://ldap.kopano.demo`
-
-**Note:** For the reverse proxy to work you need to make sure that the given domain resolves to the reverse proxy.
+- after startup has succeeded you can access the Kopano WebApp by going to `https://kopano.demo/webapp`
+- you can also access phpLDAPadmin by going to `https://kopano.demo/ldap-admin`
 
 **Note:** There have been reports about the ldap demo not starting up on MacOS. It is recommended to use a Linux OS if you want to use the bundled LDAP image. 
 
@@ -23,7 +20,7 @@ The `docker-compose.yml` file by default pulls Docker containers from https://hu
 
 ### Need to adjust any values after the initial run of `setup.sh`?
 
-If you want to modify some of the values from the `setup.sh` run you can simply edit `.env` in your favourite editor. Repeated runs of `setup.sh` will neither modify `docker-compose.yml` nor `.env`. In that file you will also find some given defaults like ldap query filters and the local ports for the Caddy reverse proxy.
+If you want to modify some of the values from the `setup.sh` run you can simply edit `.env` in your favourite editor. Repeated runs of `setup.sh` will neither modify `docker-compose.yml` nor `.env`. In that file you will also find some given defaults like ldap query filters and the local ports for the reverse proxy.
 
 ### How to use a newer version than the one available from the Docker Hub?
 
@@ -55,6 +52,13 @@ If you are running a private Docker Registry then you may also change `docker_re
 
 The built image includes your subscription key! Do not push this image to any public registry like e.g. https://hub.docker.com!
 
+### What if I want to use a different front facing proxy than the one in docker-compose? Or just some part of the compose file?
+
+While using kweb is recommended, this is of course possible.
+
+- The `kopano_webapp` image is accessible on port 80 and serves the WebApp both on `/` and `/webapp`.
+- The `kopano_zpush` image is accessible on port 80 and serves Z-Push on `/Microsoft-Server-ActiveSync` (additional urls may be needed in the future see #39).
+
 ### I want to use these Docker images outside of an evaluation environment. What do I need to adjust to make this possible?
 
 To get a quick impression of Kopano this git repository bundles a locally build ldap image with some example users. When using the docker-compose.yml in a production environment make sure to:

caddy

@@ -1 +0,0 @@
-Subproject commit 90af1a372ff79ced472c646f12fc252b024ab7be

core/Dockerfile

@@ -10,7 +10,7 @@ ARG KOPANO_CORE_VERSION=newest
 ARG KOPANO_REPOSITORY_FLAGS="trusted=yes"
 ARG RELEASE_KEY_DOWNLOAD=0
 
-# install Kopano WebApp and refresh ca-certificates
+# install Kopano Core and refresh ca-certificates
 RUN \
     # community download and package as apt source repository
     . /kopano/helper/create-kopano-repo.sh && \

docker-compose.yml-example

@@ -2,27 +2,28 @@ version: "3"
 
 services:
   web:
-    build: caddy/
-    #image: abiosoft/caddy:0.10.4
+    image: ${docker_repo:?err}/kopano_web
     container_name: web
     restart: always
-    privileged: true
     links:
       - kopano_webapp
       - kopano_zpush
     ports:
       - "2015:2015"
-      - "${HTTP}:80"
-      - "${HTTPS}:443"
+      - "${HTTP}:8080"
+      - "${HTTPS}:8443"
+    environment:
+      - EMAIL=${EMAIL}
+      - FQDN=${FQDN}
+    command: wrapper.sh
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - web:/root/.caddy
+      - web:/.kweb
     networks:
       - web
 
   ldap:
-    build: ldap-demo/
-    #image: osixia/openldap:1.2.2
+    #build: ldap-demo/
+    image: ${docker_repo:?err}/kopano_ldap_demo
     container_name: ldap
     ports:
       - 389:389
@@ -48,10 +49,6 @@ services:
     environment:
       - PHPLDAPADMIN_LDAP_HOSTS=ldap
       - PHPLDAPADMIN_HTTPS=false
-      - CADDY_HOST=${LDAP_HOST}
-      - CADDY_PORT=80
-      - CADDY_PROXY_PARAMS=transparent
-      - CADDY_TLS_SELFSIGNED
     command: -l debug
     links:
       - ldap
@@ -189,9 +186,6 @@ services:
       - kopanosocket/:/run/kopano
     environment:
       - TZ=${TZ}
-      - CADDY_HOST=${WEBAPP_HOST}
-      - CADDY_PROXY_PARAMS=transparent
-      - CADDY_TLS_SELFSIGNED
     networks:
       - web
       - kopanonet
@@ -208,9 +202,6 @@ services:
       - zpushstates/:/var/lib/z-push/
     environment:
       - TZ=${TZ}
-      - CADDY_HOST=${ZPUSH_HOST}
-      - CADDY_PROXY_PARAMS=transparent
-      - CADDY_TLS_SELFSIGNED
     networks:
       - web
       - kopanonet

kweb/Dockerfile

@@ -0,0 +1,4 @@
+FROM kopano/kwebd:0.4.2
+COPY wrapper.sh /usr/local/bin
+COPY kweb.cfg /etc/kweb.cfg
+

kweb/kweb.cfg

@@ -0,0 +1,29 @@
+:8080 {
+    redir / https://{host}{uri}
+}
+
+*, :8443 {
+    gzip
+
+    tls {%EMAIL%}
+
+    redir 302 {
+        if {path} is /
+        / /webapp/
+    }
+
+    proxy /webapp/ kopano_webapp:80 {
+        transparent
+    }
+    redir /webapp /webapp/
+
+    proxy /Microsoft-Server-ActiveSync kopano_zpush:80 {
+        transparent
+    }
+
+    proxy /ldap-admin/ ldap-admin:80 {
+        without /ldap-admin
+        transparent
+    }
+    redir /ldap-admin /ldap-admin/
+}

kweb/wrapper.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+if [ "$EMAIL" = "self_signed" ]; then
+	# do not use the '-host' option if using a self signed cert
+	exec kwebd caddy -conf /etc/kweb.cfg -agree
+else
+	exec kwebd caddy -conf /etc/kweb.cfg -agree -host "$FQDN"
+fi

setup.sh

@@ -1,4 +1,6 @@
-#!/bin/bash
+#!/bin/sh
+
+set -e
 
 if [ ! -e ./docker-compose.yml ]; then
 	echo "copying example compose file"
@@ -20,8 +22,12 @@ if [ ! -e ./.env ]; then
 	LDAP_ORGANISATION=${new_value:-$value_default}
 
 	value_default="kopano.demo"
-	read -p "Domain to be used (for LDAP and reverse proxy) [$value_default]: " new_value
-	LDAP_DOMAIN=${new_value:-$value_default}
+	read -p "FQDN to be used (for reverse proxy) [$value_default]: " new_value
+	FQDN=${new_value:-$value_default}
+
+	value_default="self_signed"
+	read -p "Email address to use for Lets Encrypt. Use 'self_signed' as your email to create self signed certificates [$value_default]: " new_value
+	EMAIL=${new_value:-$value_default}
 
 	value_default="dc=kopano,dc=demo"
 	read -p "Name of the BASE DN for LDAP [$value_default]: " new_value
@@ -83,7 +89,7 @@ CORE_VERSION=$CORE_VERSION
 WEBAPP_VERSION=$WEBAPP_VERSION
 
 LDAP_ORGANISATION="$LDAP_ORGANISATION"
-LDAP_DOMAIN=$LDAP_DOMAIN
+LDAP_DOMAIN=$FQDN
 LDAP_BASE_DN=$LDAP_BASE_DN
 LDAP_SERVER=$LDAP_SERVER
 LDAP_ADMIN_PASSWORD=$LDAP_ADMIN_PASSWORD
@@ -115,9 +121,8 @@ POSTMASTER_ADDRESS=$POSTMASTER_ADDRESS
 TZ=$TZ
 
 # Defines how Kopano can be accessed from the outside world
-WEBAPP_HOST=webapp.$LDAP_DOMAIN
-ZPUSH_HOST=zpush.$LDAP_DOMAIN
-LDAP_HOST=ldap.$LDAP_DOMAIN
+FQDN=$FQDN
+EMAIL=$EMAIL
 HTTP=80
 HTTPS=443
 
@@ -138,4 +143,4 @@ else
 fi
 
 # build the local docker containers. This has the benefit that it will warn about empty variables
-docker-compose build
+#docker-compose build

webapp/Dockerfile

@@ -82,7 +82,7 @@ RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
     sed -e 's,^ErrorLog.*,ErrorLog "|/bin/cat",' -i /etc/apache2/apache2.conf && \
     sed -e "s,MaxSpareServers[^:].*,MaxSpareServers 5," -i /etc/apache2/mods-available/mpm_prefork.conf && \
     a2disconf other-vhosts-access-log && \
-    a2ensite kopano && \
+    a2ensite kopano kopano-webapp && \
     echo "Listen 80" > /etc/apache2/ports.conf && \
     # configure mod_php
     a2enmod rewrite && \