add a switch to allow usage of specific ssl cert (#389)

* add a switch to allow usage of specific ssl cert
* add documentation how to specify own certificates and what to do when running web behind an existing proxy

docker-compose.yml

@@ -9,7 +9,7 @@ services:
       - DEFAULTREDIRECT=${DEFAULTREDIRECT:-/webapp}
       - EMAIL=${EMAIL:-off}
       - FQDN=${FQDNCLEANED?err}
-    command: wrapper.sh
+      - TLS_MODE=tls_auto
     volumes:
       - /etc/machine-id:/etc/machine-id
       - /etc/machine-id:/var/lib/dbus/machine-id

web/Dockerfile

@@ -12,9 +12,11 @@ LABEL maintainer=az@zok.xyz \
     org.label-schema.schema-version="1.0"
 
 ENV \
+    AUTOCONFIG=yes \
     CODE_VERSION="${CODE_VERSION}" \
     DEFAULTREDIRECT="/webapp" \
-    KONNECTPATH=kopanoid
+    KONNECTPATH=kopanoid \
+    TLS_MODE=tls_auto
 # FIXME Workaround to not break backwards compatibility,
 # since an underscore is not a valid char in a hostname.
 # This causes issues when using kweb in kubernetes.
@@ -37,8 +39,10 @@ RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSI
     && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz \
     && rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz
 
-COPY wrapper.sh /usr/local/bin
+COPY kweb.cfg tls_* /etc/
-COPY kweb.cfg /etc/kweb.cfg
+COPY wrapper.sh /usr/local/bin/
+
+ENTRYPOINT ["wrapper.sh"]
 
 ARG VCS_REF
 LABEL org.label-schema.vcs-ref=$VCS_REF

web/README.md

@@ -17,6 +17,35 @@ DEFAULTREDIRECT=/meet
 
 Kweb in the Web container can easily be extended to serve static content. By default it will serve all content that has been copied into `/var/www/`. To extend the built in configuration file just add an additional file into `/etc/kweb-extras/`. Kweb is using the [Caddyfile syntax](https://caddyserver.com/v1/docs/caddyfile).
 
+## Using existing ssl certificates
+
+By default this container will use automatic tls certificates provided by Let's Encrypt. This can be influenced through the following environment variables:
+
+```bash
+# 1. Automatic certificate from Let's Encrypt
+TLS_MODE=tls_auto
+EMAIL=example@example.com
+
+# 2. Custom certificate and key
+TLS_MODE=tls_custom
+TLS_CERT=/src/ssl/cert.pem
+TLS_KEY=/src/ssl/key.pem
+
+# 3. Self signed certificate (FOR DEBUGGING)
+TLS_MODE=tls_selfsigned
+
+# 4. Disable TLS entirely
+TLS_MODE=tls_off
+```
+
+## Using a reverse proxy in front of this container
+
+In case there is already an ssl terminating proxy in the network this container can be switched to plain http by either setting `EMAIL=off` or `TLS_MODE=tls_off`.
+
+In addition to this the default docker-compose.yml has a tweak to [route all traffic for the configured domain through this container](https://github.com/zokradonh/kopano-docker/blob/3572fc74e7054c9774985e69aeed745f9e5d1a4f/docker-compose.yml#L19-L20). This route needs to be changed when this container is only offering http access by either putting another domain in `FQDNCLEANED` or removing this section altogether.
+
+When using an external reverse proxy it is recommended to proxy connections to port 2015 of this container. Additionally connections to `/api/kwm/v2/rtm/websocket` need to be upgraded to websocket connections.
+
 ## Information needed when not running your own reverse proxy
 
 The `kopano_webapp` container is accessible on port 9080 and serves the WebApp on `/webapp`.

web/kweb.cfg

@@ -12,7 +12,8 @@
 	gzip
 	header / Server kweb
 
-	tls {%EMAIL%}
+	# tls settings. defaults to tls_auto
+	import /etc/{%TLS_MODE%}
 
 	limits {
 		header 1MB

web/tls_auto

@@ -0,0 +1 @@
+tls {%EMAIL%}

web/tls_custom

@@ -0,0 +1 @@
+tls {%TLS_CERT%} {%TLS_KEY%}

web/tls_off

@@ -0,0 +1 @@
+tls off

web/tls_selfsigned

@@ -0,0 +1 @@
+tls self_signed

web/wrapper.sh

@@ -3,8 +3,10 @@
 set -e
 
 # services need to be aware of the machine-id
+if [ "$AUTOCONFIG" = "yes" ]; then
 	dockerize \
 		-wait file:///etc/machine-id \
 		-wait file:///var/lib/dbus/machine-id
+fi
 
 exec kwebd caddy -conf /etc/kweb.cfg -agree