From 7b05f1020645785ee10af67a685bf645355c2349 Mon Sep 17 00:00:00 2001
From: Felix Bartels <1257835+fbartels@users.noreply.github.com>
Date: Fri, 1 May 2020 14:32:37 +0200
Subject: [PATCH] add a switch to allow usage of specific ssl cert (#389)
* add a switch to allow usage of specific ssl cert
* add documentation how to specify own certificates and what to do when running web behind an existing proxy
---
docker-compose.yml | 2 +-
web/Dockerfile | 12 ++++++++----
web/README.md | 29 +++++++++++++++++++++++++++++
web/kweb.cfg | 3 ++-
web/tls_auto | 1 +
web/tls_custom | 1 +
web/tls_off | 1 +
web/tls_selfsigned | 1 +
web/wrapper.sh | 8 +++++---
9 files changed, 49 insertions(+), 9 deletions(-)
create mode 100644 web/tls_auto
create mode 100644 web/tls_custom
create mode 100644 web/tls_off
create mode 100644 web/tls_selfsigned
diff --git a/docker-compose.yml b/docker-compose.yml
index 89b5e88..52bbfef 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,7 +9,7 @@ services:
 - DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp}
 - EMAIL=${EMAIL:-off}
 - FQDN=${FQDNCLEANED?err}
- command: wrapper.sh
+ - TLS_MODE=tls_auto
 volumes:
 - /etc/machine-id:/etc/machine-id
 - /etc/machine-id:/var/lib/dbus/machine-id
diff --git a/web/Dockerfile b/web/Dockerfile
index 9e4c2a6..d7019ba 100644
--- a/web/Dockerfile
+++ b/web/Dockerfile
@@ -12,9 +12,11 @@ LABEL maintainer=az@zok.xyz \
 org.label-schema.schema-version="1.0"
 ENV \
+ AUTOCONFIG=yes \
 CODE_VERSION="${CODE_VERSION}" \
 DEFAULTREDIRECT="/webapp" \
- KONNECTPATH=kopanoid
+ KONNECTPATH=kopanoid \
+ TLS_MODE=tls_auto
 # FIXME Workaround to not break backwards compatibility,
 # since an underscore is not a valid char in a hostname.
 # This causes issues when using kweb in kubernetes.
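Review bot: The added `- TLS_MODE=tls_auto` is the only entry in this environment list that cannot be overridden from the `.env` file, unlike `${DEFAULTREDIRECT:-/webapp}` and `${EMAIL:-off}` on the context lines just above it, so selecting `tls_custom` or `tls_off` (the modes this commit documents in web/README.md) requires editing docker-compose.yml itself. Prefer `- TLS_MODE=${TLS_MODE:-tls_auto}`, and for the custom mode `TLS_CERT` and `TLS_KEY` would need to be passed through in the same way, together with a volume that mounts the certificate files into the container. The removed `command: wrapper.sh` is covered by the `ENTRYPOINT` the same commit adds to web/Dockerfile, so this compose file only works with images rebuilt from that Dockerfile. The enclosing service definition starts before this hunk.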
@@ -37,8 +39,10 @@ RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSI
 && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
 && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
-COPY wrapper.sh /usr/local/bin
-COPY kweb.cfg /etc/kweb.cfg
+COPY kweb.cfg tls_* /etc/
+COPY wrapper.sh /usr/local/bin/
+
+ENTRYPOINT ["wrapper.sh"]
 ARG VCS_REF
-LABEL org.label-schema.vcs-ref=$VCS_REF
\ No newline at end of file
+LABEL org.label-schema.vcs-ref=$VCS_REF
diff --git a/web/README.md b/web/README.md
index bc4af16..89682a8 100644
--- a/web/README.md
+++ b/web/README.md
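Review bot: `COPY kweb.cfg tls_* /etc/` copies every file in the build context that matches `tls_*`, not just the four snippets this commit adds, so any later `tls_*` file or a stray backup copy would silently land in `/etc/` and become selectable through `TLS_MODE`; listing the four snippets explicitly, `COPY kweb.cfg tls_auto tls_custom tls_off tls_selfsigned /etc/`, keeps the set of importable TLS configurations under review. `ENTRYPOINT ["wrapper.sh"]` is exec form, so the bare name is resolved against the image's PATH rather than by a shell; that works because the line above copies the script to `/usr/local/bin/`, but `ENTRYPOINT ["/usr/local/bin/wrapper.sh"]` removes the dependency on PATH and is unambiguous when debugging with `--entrypoint`. The same commit drops `command: wrapper.sh` from docker-compose.yml, so this ENTRYPOINT is now load-bearing for the compose setup and deserves a one-line comment saying so.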
@@ -17,6 +17,35 @@ DEFAULTREDIRECT=/meet
 Kweb in the Web container can easily be extended to serve static content. By default it will serve all content that has been copied into `/var/www/`. To extend the built in configuration file just add an additional file into `/etc/kweb-extras/`. Kweb is using the [Caddyfile syntax](https://caddyserver.com/v1/docs/caddyfile).
+## Using existing ssl certificates
+
+By default this container will use automatic tls certificates provided by Let's Encrypt. This can be influenced through the following environment variables:
+
+```bash
+# 1. Automatic certificate from Let's Encrypt
+TLS_MODE=tls_auto
+EMAIL=example@example.com
+
+# 2. Custom certificate and key
+TLS_MODE=tls_custom
+TLS_CERT=/src/ssl/cert.pem
+TLS_KEY=/src/ssl/key.pem
+
+# 3. Self signed certificate (FOR DEBUGGING)
+TLS_MODE=tls_selfsigned
+
+# 4. Disable TLS entirely
+TLS_MODE=tls_off
+```
+
+## Using a reverse proxy in front of this container
+
+In case there is already an ssl terminating proxy in the network this container can be switched to plain http by either setting `EMAIL=off` or `TLS_MODE=tls_off`.
+
+In addition to this the default docker-compose.yml has a tweak to [route all traffic for the configured domain through this container](https://github.com/zokradonh/kopano-docker/blob/3572fc74e7054c9774985e69aeed745f9e5d1a4f/docker-compose.yml#L19-L20). This route needs to be changed when this container is only offering http access by either putting another domain in `FQDNCLEANED` or removing this section altogether.
+
+When using an external reverse proxy it is recommended to proxy connections to port 2015 of this container. Additionally connections to `/api/kwm/v2/rtm/websocket` need to be upgraded to websocket connections.
+
 ## Information needed when not running your own reverse proxy
 The `kopano_webapp` container is accessible on port 9080 and serves the WebApp on `/webapp`.
diff --git a/web/kweb.cfg b/web/kweb.cfg
index 728bba7..15c4ca3 100644
--- a/web/kweb.cfg
+++ b/web/kweb.cfg
@@ -12,7 +12,8 @@ gzip
 header / Server kweb
- tls {%EMAIL%}
+ # tls settings. defaults to tls_auto
+ import /etc/{%TLS_MODE%}
 limits {
 header 1MB
diff --git a/web/tls_auto b/web/tls_auto
new file mode 100644
index 0000000..2951787
--- /dev/null
+++ b/web/tls_auto
@@ -0,0 +1 @@
+tls {%EMAIL%}
diff --git a/web/tls_custom b/web/tls_custom
new file mode 100644
index 0000000..a0a1020
--- /dev/null
+++ b/web/tls_custom
@@ -0,0 +1 @@
+tls {%TLS_CERT%} {%TLS_KEY%}
diff --git a/web/tls_off b/web/tls_off
new file mode 100644
index 0000000..d858964
--- /dev/null
+++ b/web/tls_off
@@ -0,0 +1 @@
+tls off
diff --git a/web/tls_selfsigned b/web/tls_selfsigned
new file mode 100644
index 0000000..3d2f78b
--- /dev/null
+++ b/web/tls_selfsigned
@@ -0,0 +1 @@
+tls self_signed
diff --git a/web/wrapper.sh b/web/wrapper.sh
index 46c2ad5..d48d5d7 100755
--- a/web/wrapper.sh
+++ b/web/wrapper.sh
@@ -3,8 +3,10 @@ set -e
 # services need to be aware of the machine-id
-dockerize \
- -wait file:///etc/machine-id \
- -wait file:///var/lib/dbus/machine-id
+if [ "$AUTOCONFIG" = "yes" ]; then
+ dockerize \
+ -wait file:///etc/machine-id \
+ -wait file:///var/lib/dbus/machine-id
+fi
 exec kwebd caddy -conf /etc/kweb.cfg -agree
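Review bot: The added comment `# tls settings. defaults to tls_auto` documents a default that this file does not provide: `{%TLS_MODE%}` is substituted from the environment, and the `tls_auto` value comes from the `ENV` block in web/Dockerfile and from docker-compose.yml, so a container started with `TLS_MODE` set to the empty string produces the directive `import /etc/` rather than the documented default. Whether kwebd then fails at startup or imports nothing is not visible from this diff, which is why the value should be validated in wrapper.sh before the config is read. A comment naming the actual contract is more useful here, e.g. `# TLS settings: imports /etc/$TLS_MODE, one of tls_auto, tls_custom, tls_selfsigned or tls_off (default set in the Dockerfile)`. The previous `tls {%EMAIL%}` line now lives in /etc/tls_auto, so `EMAIL=off` still disables TLS in the default mode, as the README in this commit states.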
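Review bot: `TLS_MODE` reaches the `exec kwebd` on the last line unchecked, although it is interpolated into the file path `import /etc/{%TLS_MODE%}` in /etc/kweb.cfg, so a typo, an empty value, or `tls_custom` with `TLS_CERT`/`TLS_KEY` unset only surfaces as a kwebd startup error that does not name the variable at fault, and any value other than the four shipped snippets should be rejected rather than imported as configuration. The new `if [ "$AUTOCONFIG" = "yes" ]` guard itself is fine (the comparison is quoted, so an unset variable is handled under `set -e`). A whitelist of the four snippets plus a readability check for the custom mode belongs between the `fi` and the `exec`, written in POSIX sh since the shebang on line 1 is outside this hunk. The `-wait` lines previously hidden behind dockerize remain unchanged apart from the new conditional.
```shell
# … unchanged: AUTOCONFIG / dockerize wait block …

# Fail fast with a clear message instead of letting kwebd import a
# non-existent or unintended /etc/$TLS_MODE snippet.
case "${TLS_MODE:-}" in
  tls_auto|tls_custom|tls_off|tls_selfsigned) ;;
  *)
    echo "wrapper.sh: TLS_MODE must be one of tls_auto, tls_custom, tls_off, tls_selfsigned (got '${TLS_MODE:-}')" >&2
    exit 1
    ;;
esac
if [ "$TLS_MODE" = "tls_custom" ]; then
  # tls_custom expands to 'tls $TLS_CERT $TLS_KEY'; both files must be mounted and readable.
  if [ ! -r "${TLS_CERT:-}" ] || [ ! -r "${TLS_KEY:-}" ]; then
    echo "wrapper.sh: TLS_MODE=tls_custom requires readable files in TLS_CERT and TLS_KEY" >&2
    exit 1
  fi
fi

exec kwebd caddy -conf /etc/kweb.cfg -agree
```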