diff --git a/.env b/.env deleted file mode 100644 index 5391359..0000000 --- a/.env +++ /dev/null @@ -1,16 +0,0 @@ -# # # # # # # # # # # # # # # # # # -# MySQL and ChurchCRM .env file # -# # # # # # # # # # # # # # # # # # - -# Database Host and Root Password. CHANGE THE PASSWORD. Make the Host the same as the database service. -MYSQL_DB_HOST=database -MYSQL_ROOT_PASSWORD=changeme - -# ChurchCRM Database Settings -MYSQL_DATABASE=churchcrm -MYSQL_USER=churchcrm -MYSQL_PASSWORD=changeme - -# ChurchCRM Admin Settings (Disabled for Now) -# CHURCHCRM_ADMIN: admin -# CHURCHCRM_PASSWORD: changeme diff --git a/.gitattributes b/.gitattributes index 4240d1b..0b1766d 100644 --- a/.gitattributes +++ b/.gitattributes @@ -3,4 +3,4 @@ *.jpg binary *.git binary *.png binary -*.xcf binary +*.xcf binary diff --git a/.gitignore b/.gitignore index 69a9988..e69de29 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +0,0 @@ -line-endings.sh diff --git a/README.md b/README.md index b28fd59..4dbe8fd 100644 --- a/README.md +++ b/README.md 
@@ -1,87 +1,45 @@ ## Docker ChurchCRM -This is the Docker Installation of ChurchCRM. This image is the latest release ChurchCRM for Docker. It is installed on Alpine Linux, Apache, PHP7 & is using MariaDB in a separate Alpine container. +This is the Docker Installation of ChurchCRM. This will build the latest release of ChurchCRM for Docker. It is made with Apache/PHP7/ChurchCRM and MariaDB in 2 separate containers and a third container (nginx working as a reverse proxy) that work together. ### How To Use -To use, first change your desired database info and **passwords** in the **``.env``** file. *(Download that file from the main ChurchCRM/Docker repository directory)* +It is necessary to have Docker installed on your system for this to work. See https://www.docker.com/community-edition#/download... -Once complete, Start ChurchCRM in Docker by using the Docker RUN command from the directory that your ``.env`` file resides or by building and starting with docker-compose. +* Clone this repository. +* Change your desired **database info** and **passwords** in the crm_secrets.json file. **PLEASE CHANGE** +* Change your desired SSL setup in the docker_compose.yml file under the nginx: args section. (Read commented lines to see your options) +* From the command line, navigate to the root folder of your local repository and use docker-compose to build and run ChurchCRM. Run the following commands. + - `docker-compose build` + - `docker-compose up` +* You can view your installation of ChurchCRM on Docker by going to https://localhost (or your server's IP address) in a browser. +* Enter the default login information: + - Username: `admin` + - Password: `changeme` +- Once in, you will be prompted to change your password to something more secure. -#### Starting with Docker Run +### SSL -For example, you can start MariaDB first with the following command. Make sure to **change the passwords** in the ``.env`` file first. 
+ChurchCRM for Docker is set to run by default using SSL encryption. There are 3 build options in regards to SSL. -``docker run --name database --env-file .env -d jaskipper/alpine-mariadb`` +* `build`: This option will create an SSL certificate for you. Please fill out your information in the docker_compose.yml file under the nginx: args section. +* `own`: With this option, you will need to provide your own SSL certificates. Please put your own "server.crt" and "server.key" files in the "buildnginx/conf.d folder. SSL will not work if chooseing this option and not adding the correctly named certificates there. +* `none`: This will run an installation of ChurchCRM without SSL. You will be able to access your installation at http://localhost (as opposed to https://localhost) -Then start the ChurchCRM container: +**NOTE** While using SSL on localhost, browsers will prompt with an error/warning that they don't recognize the Certificate Authority *(which is yourself in this case)*. When this occurs, allow the exception and continue to the site. -``docker run --name churchcrm -p 80:80 --link database --env-file .env -d churchcrm/crm`` +### Using a Domain Name instead of https://localhost -Visit your website and you will be up and running. Log in with the default username ``admin`` and password ``changeme`` and then change your admin password on the next screen. +In order to access ChurchCRM via a domain name other than localhost, set an entry in your local computer's `/etc/hosts` file. -#### Building and Starting with Docker-Compose +* See https://www.siteground.com/kb/how_to_use_the_hosts_file/ to see where your hosts file is located and how to update. +* Add an entry in your `hosts` file such as `127.0.0.1 local.churchcrm.io` +* Once saved you can access your installation by going to `https://local.churchcrm.io` or any domainname that you specified in the hosts file. -To build and run with Docker-Compose, you must have all of the files in the Github repo. 
Download the Github Docker repository and run ``docker-compose build`` and ``docker-compose up`` from the project folder. **Be SURE to Change Passwords in the .env file before starting your container**. +### Accessing ChurchCRM from another device -## Environment variables used in the container +While on the same local network, you can access ChurchCRM by visiting the IP address of the computer running Docker. For example, if your machine's local ip is 192.168.1.3, visiting that address (https://192.168.1.3) from another device will allow you to access ChurchCRM. -It is recommended that you use the .env file to add your passwords, but you may also add those ENV's with the -e flag with ``docker run -e ...``. +### DATA STORAGE -### MYSQL_DB_HOST -This variable defines the host in order for ChurchCRM to be able to connect to the database. - - -e MYSQL_DB_HOST=database *(This is default and recommended to stay that way unless you know what you are doing)* - -### MYSQL_ROOT_PASSWORD -This variable defines the password for the root user in the database, set it with - - -e MYSQL_ROOT_PASSWORD=secretpassword - -add quotes if there is spaces or other special character in the password - - -e MYSQL_ROOT_PASSWORD='password with spaces' - -### MYSQL_RANDOM_ROOT_PASSWORD -This variable generate a random password for the root user, add - - -e MYSQL_RANDOM_ROOT_PASSWORD=yes - -the password can then be found by looking at the logoutput - - docker logs - -### MYSQL_ALLOW_EMPTY_PASSWORD -This allows the root password to be blank, THIS IS A MAJOR SECURITY RISK, add - - -e MYSQL_ALLOW_EMPTY_PASSWORD=yes - -### MYSQL_REMOTE_ROOT -Normal the root user can only use localhost to access the databases adding - - -e MYSQL_REMOTE_ROOT=yes - -allows root access from any host - -### MYSQL_DATABASE -creates a database with the defined name - - -e MYSQL_DATABASE=databasename - -### MYSQL_USER -creates a user with password defined with MYSQL_PASSWORD and full access to the database defined by 
MYSQL_DATABASE - - -e MYSQL_USER=username - -### MYSQL_PASSWORD -The password for the user defined by MYSQL_USER - - -e MYSQL_PASSWORD=donottell - -### CHURCHCRM_ADMIN - -To come... - -### CHURCHCRM_PASSWORD - -To come... +Running the `docker-compose up` command will create 2 separate Docker data-volumes to store the database and ChurchCRM uploaded photos. When the database and ChurchCRM images and containers are destroyed, rebuilt or updated, the data-volumes will persist unless you remove those volumes. diff --git a/build-files/60-churchcrm b/build-files/60-churchcrm deleted file mode 100644 index 99daa8b..0000000 --- a/build-files/60-churchcrm +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash -set +e - -# populate /web/html if empty -if [ ! -d /web/html ]; then - mkdir /web/html - chown -R apache.www-data /web/html -fi - -if [ ! -f /web/html/Include/Config.php ]; then - cd /tmp - # Latest Release Including RC - #curl -sOL "$(jq -r ".[0] | .assets[] | .browser_download_url" < <( curl -s "https://api.github.com/repos/churchCRM/CRM/releases" ))" - # Latest Full Release - curl -sOL "$(jq -r ".assets[] | .browser_download_url" < <( curl -s "https://api.github.com/repos/churchCRM/CRM/releases/latest" ))" - unzip -q *.zip - cp -Rp ./churchcrm/. /web/html - rm -R churchcrm - - # Since we've already set these passwords in the env file, lets just go ahead and put them in the database and skip the setup page. - cp /web/html/Include/Config.php.example /web/html/Include/Config.php - - sed -i "s/||DB_SERVER_NAME||/$MYSQL_DB_HOST/g" /web/html/Include/Config.php - sed -i "s/||DB_NAME||/$MYSQL_DATABASE/g" /web/html/Include/Config.php - sed -i "s/||DB_USER||/$MYSQL_USER/g" /web/html/Include/Config.php - sed -i "s/||DB_PASSWORD||/$MYSQL_PASSWORD/g" /web/html/Include/Config.php - sed -i "s/||URL||//g" /web/html/Include/Config.php - sed -i "s/||ROOT_PATH||//g" /web/html/Include/Config.php - - chown -R apache:www-data /web/html -fi 
diff --git a/build-files/Dockerfile b/build-files/Dockerfile
deleted file mode 100644
index d79b02f..0000000
--- a/build-files/Dockerfile
+++ /dev/null
@@ -1,26 +0,0 @@
-FROM jaskipper/alpine-apache-php7
-MAINTAINER ChurchCRM
-
-RUN apk update
-RUN apk upgrade --repository http://dl-4.alpinelinux.org/alpine/edge/community \
- --repository https://nl.alpinelinux.org/alpine/edge/main
-
-RUN apk add --no-cache \
- jq \
- php7-session@community \
- php7-pdo@community \
- php7-xml@community \
- php7-exif@community \
- php7-pdo_mysql@community \
- php7-gettext@community \
- php7-iconv@community
-
-RUN mkdir /web/churchcrm
-
-COPY httpd.conf /etc/apache2
-COPY 60-churchcrm /etc/run_always
-
-RUN chmod +x /etc/run_always/60-churchcrm
-
-# Enable Terminal
-ENV TERM xterm
diff --git a/build-mysql/Dockerfile b/build-mysql/Dockerfile
new file mode 100644
index 0000000..5bffa20
--- /dev/null
+++ b/build-mysql/Dockerfile
@@ -0,0 +1,20 @@
+FROM alpine:latest
+MAINTAINER ChurchCRM
+
+RUN apk update && \
+ apk upgrade && \
+ apk add --no-cache \
+ figlet \
+ jq \
+ mariadb \
+ mariadb-client \
+ ncurses && \
+ addgroup mysql mysql && \
+ mkdir /scripts
+
+COPY ./startup /scripts/startup
+RUN chmod +x /scripts/startup
+
+EXPOSE 3306
+
+ENTRYPOINT ["/scripts/startup"]
diff --git a/build-mysql/startup b/build-mysql/startup
new file mode 100644
index 0000000..a42647d
--- /dev/null
+++ b/build-mysql/startup
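Review bot: `FROM alpine:latest` on the first line of build-mysql/Dockerfile leaves both the base image and the `mariadb` package unpinned, so two builds of the same commit can produce different database servers, and a future `alpine:latest` may ship a MariaDB whose `mysql_install_db` or default root authentication no longer matches what the startup script assumes. Pin the base to a release tag (`FROM alpine:<TESTED_VERSION>` — placeholder, use the version this was tested against) and consider pinning `mariadb` in the `apk add` list. The `apk update && apk upgrade` in the same RUN keeps packages current but is not a substitute for a pinned base.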
@@ -0,0 +1,79 @@
+#!/bin/ash
+
+# parameters
+MYSQL_DATADIR=${MYSQL_DATADIR:-"/var/lib/mysql"}
+
+MYSQL_ROOT_PWD=$(cat /run/secrets/crm_secrets | jq -r '.mysql.MYSQL_ROOT_PWD')
+MYSQL_USER=$(cat /run/secrets/crm_secrets | jq -r '.mysql.MYSQL_USER')
+MYSQL_USER_PWD=$(cat /run/secrets/crm_secrets | jq -r '.mysql.MYSQL_USER_PWD')
+MYSQL_USER_DB=$(cat /run/secrets/crm_secrets | jq -r '.mysql.MYSQL_USER_DB')
+
+if [ $MYSQL_ROOT_PWD = "changeme" ]; then
+ figlet -f colossal "WARNING"
+ red=$(tput setaf 1) # Red
+ reset=$(tput sgr0)
+ echo "${red}*********************************************"
+ echo "${red}WARNING!!!"
+ echo "${red}YOU DID NOT CHANGE THE MYSQL_ROOT_PWD IN THE crm_secrets.json FILE!!!"
+ echo "${red}This is EXTREMELY insecure. Please go back and change the password to something more secure and re-build your images by running `docker-compose build`"
+ echo "${red}*********************************************"
+ ${reset}
+ echo ""
+fi
+if [ $MYSQL_USER_PWD = "changeme" ]; then
+ figlet -f colossal "WARNING"
+ red=$(tput setaf 1) # Red
+ reset=$(tput sgr0)
+ echo "${red}*********************************************"
+ echo "${red}WARNING!!!"
+ echo "${red}YOU DID NOT CHANGE THE MYSQL_USER_PWD IN THE crm_secrets.json FILE!!!"
+ echo "${red}This is EXTREMELY insecure. Please go back and change the password to something more secure and re-build your images by running `docker-compose build`"
+ echo "${red}*********************************************"
+ ${reset}
+fi
+
+if [ -d "/run/mysqld" ]; then
+ echo "[i] MySQL directory already present, skipping creation"
+else
+ echo "[i] mysqld not found, creating...."
+ mkdir -p /run/mysqld
+ chown -R mysql:mysql /run/mysqld
+ echo 'Initializing database'
+ mkdir -p "$MYSQL_DATADIR/mysql"
+ chown -R mysql:mysql $MYSQL_DATADIR
+ mysql_install_db --user=mysql --datadir="$MYSQL_DATADIR" --rpm
+ echo 'Database initialized'
+
+ tfile=`mktemp`
+ if [ ! -f "$tfile" ]; then
+ return 1
+ fi
+
+ cat << EOF > $tfile
+USE mysql;
+SET @@SESSION.SQL_LOG_BIN=0 ;
+FLUSH PRIVILEGES ;
+CREATE USER 'root'@'%' IDENTIFIED BY '${MYSQL_ROOT_PWD}' ;
+GRANT ALL ON *.* TO 'root'@'%' WITH GRANT OPTION ;
+DROP DATABASE IF EXISTS test ;
+CREATE USER '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_USER_PWD}' ;
+CREATE USER '${MYSQL_USER}'@'localhost' IDENTIFIED BY '${MYSQL_USER_PWD}' ;
+EOF
+
+ if [ "$MYSQL_USER_DB" != "" ]; then
+ echo "[i] Creating database: $MYSQL_USER_DB"
+ echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_USER_DB\` CHARACTER SET utf8 COLLATE utf8_general_ci;" >> $tfile
+
+ if [ "$MYSQL_USER" != "" ]; then
+ #echo "[i] Creating user: $MYSQL_USER with password $MYSQL_USER_PWD"
+ echo "GRANT ALL PRIVILEGES ON \`$MYSQL_USER_DB\`.* to '$MYSQL_USER'@'%' identified by '${MYSQL_USER_PWD}' ;" >> $tfile
+ echo "GRANT ALL PRIVILEGES ON \`$MYSQL_USER_DB\`.* to '$MYSQL_USER'@'localhost' identified by '${MYSQL_USER_PWD}' ;" >> $tfile
+ echo "FLUSH PRIVILEGES ;" >> $tfile
+ fi
+ fi
+
+ /usr/bin/mysqld --user=mysql --bootstrap --verbose=1 --datadir="$MYSQL_DATADIR" < $tfile
+ rm -f "$tfile"
+fi
+
+exec /usr/bin/mysqld --user=mysql --console --datadir="$MYSQL_DATADIR"
diff --git a/build/Dockerfile b/build/Dockerfile
new file mode 100644
index 0000000..1ac1d4f
--- /dev/null
+++ b/build/Dockerfile
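Review bot: The bootstrap SQL in the heredoc creates `'root'@'%'` and grants it `ALL ON *.* ... WITH GRANT OPTION`, which exposes the full superuser over the network on the port the image EXPOSEs, while the application only needs the `$MYSQL_USER` account that is created and granted per-database a few lines below; drop those two statements, or set the password on the local root that `mysql_install_db` already created instead, e.g. `SET PASSWORD FOR 'root'@'localhost' = PASSWORD('${MYSQL_ROOT_PWD}') ;`. The `[ $MYSQL_ROOT_PWD = "changeme" ]` and `[ $MYSQL_USER_PWD = "changeme" ]` tests are unquoted, so an empty secret or one containing spaces makes the test fail instead of warning; write `[ "$MYSQL_ROOT_PWD" = "changeme" ]`. The warning `echo` contains backticks inside double quotes (`` `docker-compose build` ``), which ash treats as a command substitution and tries to execute at container start; escape them or switch to single quotes (the same line appears in build/configsetup). `return 1` after the `mktemp` check is at top level rather than inside a function, so it should be `exit 1`.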
@@ -0,0 +1,69 @@
+FROM httpd:2-alpine
+
+# Install neccessary packages
+RUN echo "@edge http://dl-3.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories && \
+ echo "@community http://dl-3.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories && \
+ echo "@testing http://dl-3.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+ apk update --repository http://dl-3.alpinelinux.org/alpine/edge/main \
+ --repository http://dl-3.alpinelinux.org/alpine/edge/community \
+ --repository http://dl-3.alpinelinux.org/alpine/edge/testing && \
+ apk add --upgrade apk-tools@edge && \
+ apk upgrade && \
+ apk add --no-cache \
+ curl \
+ figlet \
+ jq \
+ libressl \
+ ncurses \
+ php7 \
+ php7-apache2 \
+ php7-apcu \
+ php7-curl \
+ php7-exif \
+ php7-fileinfo \
+ php7-gd \
+ php7-gettext \
+ php7-iconv \
+ php7-intl \
+ php7-json \
+ php7-mbstring \
+ php7-mcrypt \
+ php7-mysqli \
+ php7-mysqlnd \
+ php7-pdo \
+ php7-pdo_mysql \
+ php7-phar \
+ php7-session \
+ php7-sqlite3 \
+ php7-xml && \
+ ln -s /usr/lib/apache2/mod_php7.so /usr/local/apache2/modules
+
+# Copy Apache configurations
+COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
+
+# Download Latest Version of ChurchCRM
+WORKDIR /usr/local/apache2/
+
+RUN crmlatest=$(curl -s https://api.github.com/repos/churchCRM/CRM/releases/latest | grep "browser_download_url.*zip" | cut -d '"' -f 4); \
+ wget $crmlatest && \
+ unzip -q *.zip && \
+ rm -R *.zip htdocs && \
+ mv churchcrm htdocs
+
+# Copy CRM setup file into image
+COPY ./configsetup /usr/local/bin
+
+# Set work directory to the web host path
+WORKDIR /usr/local/apache2/htdocs/
+
+# Modify php.ini and set config setup to be an executable
+RUN sed -i "s/upload_max_filesize = 2M/upload_max_filesize = 16M/g" /etc/php7/php.ini && \
+ sed -i "s/post_max_size = 8M/post_max_size = 32M/g" /etc/php7/php.ini && \
+ sed -i "s/zlib.output_compression = Off/zlib.output_compression = On/g" /etc/php7/php.ini && \
+ sed -i "s/;error_log = php_errors.log/error_log = \/proc\/self\/fd\/2/g" /etc/php7/php.ini && \
+ sed -i '/;error_log = syslog/a error_log = \/usr\/local\/apache2\/logs\/php_errors.log' /etc/php7/php.ini && \
+ chmod +x /usr/local/bin/configsetup
+
+# Run the configsetup file on container start
+ENTRYPOINT ["/usr/local/bin/configsetup"]
+CMD ["httpd-foreground"]
diff --git a/build/configsetup b/build/configsetup
new file mode 100644
index 0000000..c4539fb
--- /dev/null
+++ b/build/configsetup
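Review bot: The `RUN crmlatest=$(curl -s ... | cut -d '"' -f 4); wget $crmlatest` step installs whichever ChurchCRM release is current at build time, with no version pin and no checksum or signature check, so the image is not reproducible and a wrong or tampered asset would be unpacked into htdocs silently; pin the release URL (or take the version as an `ARG`) and verify the archive before `unzip`, e.g. `echo "<EXPECTED_SHA256>  churchcrm.zip" | sha256sum -c` with the digest recorded in the repo (placeholder value). Because `curl -s` is used without `-f`, an API error page leaves `$crmlatest` empty and the failure only shows up as a `wget` usage error. Appending the edge `main`/`community`/`testing` repositories to a stable `httpd:2-alpine` base and then running `apk upgrade` against them mixes package sets; if edge is only needed for the php7 packages, use `@community`-style pins on those instead of a global upgrade. The two `error_log` seds also look contradictory: the first uncomments `error_log = /proc/self/fd/2` and the second appends `error_log = /usr/local/apache2/logs/php_errors.log` after `;error_log = syslog`, and if both remain in php.ini the later one presumably wins, sending PHP errors to a file rather than the container log — confirm which was intended and keep one.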
@@ -0,0 +1,34 @@
+#!/bin/ash
+cp /usr/local/apache2/htdocs/Include/Config.php.example /usr/local/apache2/htdocs/Include/Config.php
+
+# Import Docker Secrets
+MYSQL_USER=$(cat /run/secrets/crm_secrets | jq -r '.mysql.MYSQL_USER')
+MYSQL_USER_PWD=$(cat /run/secrets/crm_secrets | jq -r '.mysql.MYSQL_USER_PWD')
+MYSQL_USER_DB=$(cat /run/secrets/crm_secrets | jq -r '.mysql.MYSQL_USER_DB')
+
+if [ $MYSQL_USER_PWD = "changeme" ]; then
+ figlet -f colossal "WARNING"
+ red=$(tput setaf 1) # Red
+ reset=$(tput sgr0)
+ echo "${red}*********************************************"
+ echo "${red}WARNING!!!"
+ echo "${red}YOU DID NOT CHANGE THE MYSQL_USER_PWD IN THE crm_secrets.json FILE!!!"
+ echo "${red}This is EXTREMELY insecure. Please go back and change the password to something more secure and re-build your images by running `docker-compose build`"
+ echo "${red}*********************************************"
+ ${reset}
+ echo ""
+fi
+
+#Add Server Name to HTTPD-SSL
+sed -i "s/ServerName www.example.com:443/ServerName 0.0.0.0:443/g" /usr/local/apache2/conf/extra/httpd-ssl.conf
+
+# Create ChurchCRM Config File
+sed -i "s/||DB_SERVER_NAME||/$MYSQL_DB_HOST/g" /usr/local/apache2/htdocs/Include/Config.php
+sed -i "s/||DB_SERVER_PORT||/3306/g" /usr/local/apache2/htdocs/Include/Config.php
+sed -i "s/||DB_NAME||/$MYSQL_USER_DB/g" /usr/local/apache2/htdocs/Include/Config.php
+sed -i "s/||DB_USER||/$MYSQL_USER/g" /usr/local/apache2/htdocs/Include/Config.php
+sed -i "s/||DB_PASSWORD||/$MYSQL_USER_PWD/g" /usr/local/apache2/htdocs/Include/Config.php
+sed -i "s/||URL||//g" /usr/local/apache2/htdocs/Include/Config.php
+sed -i "s/||ROOT_PATH||//g" /usr/local/apache2/htdocs/Include/Config.php
+
+exec "$@"
diff --git a/build-files/httpd.conf b/build/httpd.conf
similarity index 75%
rename from build-files/httpd.conf
rename to build/httpd.conf
index 44c858c..800ebce 100644
--- a/build-files/httpd.conf
+++ b/build/httpd.conf
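Review bot: `$MYSQL_DB_HOST`, used in the `||DB_SERVER_NAME||` sed, is the only value not read from `/run/secrets/crm_secrets` and is never assigned in this script, so unless the compose file (not in this chunk) exports it the generated Config.php gets an empty database host; guard it next to the other imports with `: "${MYSQL_DB_HOST:?MYSQL_DB_HOST must be set}"`. The sed replacements interpolate `$MYSQL_USER_PWD` (and the user and database names) unescaped, so a password containing `/`, `&` or `\` either aborts the command or writes a corrupted value into Config.php — exactly the stronger passwords the script's own warning asks for; escape those characters first, for example `safe_pwd=$(printf '%s' "$MYSQL_USER_PWD" | sed 's/[\/&\\]/\\&/g')`, and substitute `$safe_pwd`. The warning `echo` contains backticks inside double quotes, which ash runs as a command substitution at container start; use single quotes or escape them.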
@@ -18,16 +18,6 @@ # server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" # will be interpreted as '/logs/access_log'. -# -# ServerTokens -# This directive configures what you return as the Server HTTP response -# Header. The default is 'Full' which sends information about the OS-Type -# and compiled in modules. -# Set to one of: Full | OS | Minor | Minimal | Major | Prod -# where Full conveys the most information, and Prod the least. -# -ServerTokens OS - # # ServerRoot: The top of the directory tree under which the server's # configuration, error, and log files are kept. @@ -38,7 +28,7 @@ ServerTokens OS # same ServerRoot for multiple httpd daemons, you will need to change at # least PidFile. # -ServerRoot /web +ServerRoot "/usr/local/apache2" # # Mutex: Allows you to set the mutex mechanism and mutex file directory @@ -48,7 +38,7 @@ ServerRoot /web # mutex file directory is not on a local disk or is not appropriate for some # other reason. # -# Mutex default:/run/apache2 +# Mutex default:logs # # Listen: Allows you to bind Apache to specific IP addresses and/or @@ -59,7 +49,14 @@ ServerRoot /web # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 -Listen 80 +Listen 0.0.0.0:80 + +# +# ServerName localhost +# RewriteEngine On +# ErrorLog /usr/local/apache2/logs/churchcrm.log +# RewriteRule ^(.*)$ https://%{HTTP_HOST} +# # # Dynamic Shared Object (DSO) Support @@ -73,6 +70,9 @@ Listen 80 # Example: # LoadModule foo_module modules/mod_foo.so # +#LoadModule mpm_event_module modules/mod_mpm_event.so +LoadModule mpm_prefork_module modules/mod_mpm_prefork.so +#LoadModule mpm_worker_module modules/mod_mpm_worker.so LoadModule authn_file_module modules/mod_authn_file.so #LoadModule authn_dbm_module modules/mod_authn_dbm.so #LoadModule authn_anon_module modules/mod_authn_anon.so 
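Review bot: Removing `ServerTokens OS` in the first hunk of httpd.conf does not tighten anything: with no `ServerTokens` directive httpd falls back to its default `Full`, which advertises the OS and the loaded modules (including mod_php) in the `Server` header. Keep the directive and set it to the minimum, `ServerTokens Prod`. The later deletion of `ServerSignature On` is fine on its own, since the default for that directive is `Off`.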
@@ -86,23 +86,31 @@ LoadModule authz_user_module modules/mod_authz_user.so #LoadModule authz_owner_module modules/mod_authz_owner.so #LoadModule authz_dbd_module modules/mod_authz_dbd.so LoadModule authz_core_module modules/mod_authz_core.so +#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so +#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so #LoadModule auth_form_module modules/mod_auth_form.so #LoadModule auth_digest_module modules/mod_auth_digest.so #LoadModule allowmethods_module modules/mod_allowmethods.so +#LoadModule isapi_module modules/mod_isapi.so #LoadModule file_cache_module modules/mod_file_cache.so #LoadModule cache_module modules/mod_cache.so #LoadModule cache_disk_module modules/mod_cache_disk.so #LoadModule cache_socache_module modules/mod_cache_socache.so -#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so +LoadModule socache_shmcb_module modules/mod_socache_shmcb.so #LoadModule socache_dbm_module modules/mod_socache_dbm.so #LoadModule socache_memcache_module modules/mod_socache_memcache.so #LoadModule watchdog_module modules/mod_watchdog.so #LoadModule macro_module modules/mod_macro.so #LoadModule dbd_module modules/mod_dbd.so +#LoadModule bucketeer_module modules/mod_bucketeer.so #LoadModule dumpio_module modules/mod_dumpio.so #LoadModule echo_module modules/mod_echo.so +#LoadModule example_hooks_module modules/mod_example_hooks.so +#LoadModule case_filter_module modules/mod_case_filter.so +#LoadModule case_filter_in_module modules/mod_case_filter_in.so +#LoadModule example_ipc_module modules/mod_example_ipc.so #LoadModule buffer_module modules/mod_buffer.so #LoadModule data_module modules/mod_data.so #LoadModule ratelimit_module modules/mod_ratelimit.so 
@@ -116,32 +124,60 @@ LoadModule filter_module modules/mod_filter.so #LoadModule sed_module modules/mod_sed.so #LoadModule charset_lite_module modules/mod_charset_lite.so #LoadModule deflate_module modules/mod_deflate.so +#LoadModule xml2enc_module modules/mod_xml2enc.so +#LoadModule proxy_html_module modules/mod_proxy_html.so LoadModule mime_module modules/mod_mime.so +#LoadModule ldap_module modules/mod_ldap.so LoadModule log_config_module modules/mod_log_config.so #LoadModule log_debug_module modules/mod_log_debug.so #LoadModule log_forensic_module modules/mod_log_forensic.so #LoadModule logio_module modules/mod_logio.so +#LoadModule lua_module modules/mod_lua.so LoadModule env_module modules/mod_env.so #LoadModule mime_magic_module modules/mod_mime_magic.so -#LoadModule expires_module modules/mod_expires.so +#LoadModule cern_meta_module modules/mod_cern_meta.so +LoadModule expires_module modules/mod_expires.so LoadModule headers_module modules/mod_headers.so +#LoadModule ident_module modules/mod_ident.so #LoadModule usertrack_module modules/mod_usertrack.so #LoadModule unique_id_module modules/mod_unique_id.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule version_module modules/mod_version.so #LoadModule remoteip_module modules/mod_remoteip.so +#LoadModule proxy_module modules/mod_proxy.so +#LoadModule proxy_connect_module modules/mod_proxy_connect.so +#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so +#LoadModule proxy_http_module modules/mod_proxy_http.so +#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so +#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so +#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so +#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so +#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so +#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so +#LoadModule proxy_express_module modules/mod_proxy_express.so +#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so 
#LoadModule session_module modules/mod_session.so #LoadModule session_cookie_module modules/mod_session_cookie.so +#LoadModule session_crypto_module modules/mod_session_crypto.so #LoadModule session_dbd_module modules/mod_session_dbd.so #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so #LoadModule slotmem_plain_module modules/mod_slotmem_plain.so +#LoadModule ssl_module modules/mod_ssl.so +#LoadModule optional_hook_export_module modules/mod_optional_hook_export.so +#LoadModule optional_hook_import_module modules/mod_optional_hook_import.so +#LoadModule optional_fn_import_module modules/mod_optional_fn_import.so +#LoadModule optional_fn_export_module modules/mod_optional_fn_export.so #LoadModule dialup_module modules/mod_dialup.so -#LoadModule mpm_event_module modules/mod_mpm_event.so -LoadModule mpm_prefork_module modules/mod_mpm_prefork.so -#LoadModule mpm_worker_module modules/mod_mpm_worker.so +#LoadModule http2_module modules/mod_http2.so +#LoadModule proxy_http2_module modules/mod_proxy_http2.so +#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so +#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so +#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so +#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so LoadModule unixd_module modules/mod_unixd.so #LoadModule heartbeat_module modules/mod_heartbeat.so #LoadModule heartmonitor_module modules/mod_heartmonitor.so +#LoadModule dav_module modules/mod_dav.so LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so #LoadModule asis_module modules/mod_asis.so 
@@ -153,17 +189,19 @@ LoadModule autoindex_module modules/mod_autoindex.so #LoadModule cgi_module modules/mod_cgi.so +#LoadModule dav_fs_module modules/mod_dav_fs.so +#LoadModule dav_lock_module modules/mod_dav_lock.so #LoadModule vhost_alias_module modules/mod_vhost_alias.so #LoadModule negotiation_module modules/mod_negotiation.so LoadModule dir_module modules/mod_dir.so +LoadModule php7_module modules/mod_php7.so +#LoadModule imagemap_module modules/mod_imagemap.so #LoadModule actions_module modules/mod_actions.so #LoadModule speling_module modules/mod_speling.so #LoadModule userdir_module modules/mod_userdir.so LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so -LoadModule negotiation_module modules/mod_negotiation.so - # # If you wish httpd to run as a different user or group, you must run @@ -197,16 +235,6 @@ Group www-data # ServerAdmin you@example.com -# -# Optionally add a line containing the server version and virtual host -# name to server-generated pages (internal error documents, FTP directory -# listings, mod_status and mod_info output etc., but not CGI generated -# documents or custom error documents). -# Set to "EMail" to also include a mailto: link to the ServerAdmin. -# Set to one of: On | Off | EMail -# -ServerSignature On - # # ServerName gives the name and port that the server uses to identify itself. # This can often be determined automatically, but we recommend you specify @@ -214,7 +242,7 @@ ServerSignature On # # If your host doesn't have a registered DNS name, enter its IP address here. # -ServerName webproxy +ServerName 0.0.0.0:80 # # Deny access to the entirety of your server's filesystem. You must @@ -222,7 +250,7 @@ ServerName webproxy # blocks below. # - AllowOverride All + AllowOverride none Require all denied 
@@ -238,8 +266,8 @@ ServerName webproxy # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # -DocumentRoot "/web/html" - +DocumentRoot "/usr/local/apache2/htdocs" + # # Possible values for the Options directive are "None", "All", # or any combination of: @@ -252,14 +280,14 @@ DocumentRoot "/web/html" # http://httpd.apache.org/docs/2.4/mod/core.html#options # for more information. # - Options FollowSymLinks + Options Indexes FollowSymLinks # # AllowOverride controls what directives may be placed in .htaccess files. # It can be "All", "None", or any combination of the keywords: # AllowOverride FileInfo AuthConfig Limit # - AllowOverride All + AllowOverride ALL # # Controls who can get stuff from this server. @@ -290,7 +318,7 @@ DocumentRoot "/web/html" # logged here. If you *do* define an error logfile for a # container, that host's errors will be logged there and not here. # -ErrorLog logs/error.log +ErrorLog /proc/self/fd/2 # # LogLevel: Control the number of messages logged to the error_log. @@ -319,13 +347,13 @@ LogLevel warn # define per- access logfiles, transactions will be # logged therein and *not* in this file. # - #CustomLog logs/access.log common + CustomLog /proc/self/fd/1 common # # If you prefer a logfile with access, agent, and referer information # (Combined Logfile Format) you can use the following directive. # - CustomLog logs/access.log combined + #CustomLog "logs/access_log" combined @@ -355,7 +383,7 @@ LogLevel warn # client. The same rules about trailing "/" apply to ScriptAlias # directives as to Alias. # - ScriptAlias /cgi-bin/ "/var/www/localhost/cgi-bin/" + ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/" 
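Review bot: `Options Indexes FollowSymLinks` in the `@@ -252,14 +280,14 @@` hunk turns on automatic directory listings for the document-root `<Directory>` block (its opening tag is not visible in the hunk), so any directory under htdocs without an index file — e.g. the uploaded-photo directory if it lives under htdocs, verify — becomes browsable to anyone reaching the server; the replaced line `Options FollowSymLinks` should be kept, or written `Options -Indexes +FollowSymLinks` if a default elsewhere enables indexes. `AllowOverride ALL` on the same block is case-insensitive and therefore harmless, but it replaces `AllowOverride All` with a differently-spelled equivalent for no reason. `ErrorLog /proc/self/fd/2` and `CustomLog /proc/self/fd/1 common` in the following hunks are the right way to surface logs to the container runtime.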
@@ -368,21 +396,30 @@ LogLevel warn # -# "/var/www/localhost/cgi-bin" should be changed to whatever your ScriptAliased +# "/usr/local/apache2/cgi-bin" should be changed to whatever your ScriptAliased # CGI directory exists, if you have that configured. # - + AllowOverride None Options None Require all granted + + # + # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied + # backend servers which have lingering "httpoxy" defects. + # 'Proxy' request header is undefined by the IETF, not listed by IANA + # + RequestHeader unset Proxy early + + # # TypesConfig points to the file containing the list of mappings from # filename extension to MIME-type. # - TypesConfig /etc/apache2/mime.types + TypesConfig conf/mime.types # # AddType allows you to add to or override the MIME configuration @@ -401,7 +438,7 @@ LogLevel warn # AddType application/x-compress .Z AddType application/x-gzip .gz .tgz - + AddType application/x-httpd-php .php # # AddHandler allows you to map certain file extensions to "handlers": # actions unrelated to filetype. These can be either built into the server @@ -430,9 +467,7 @@ LogLevel warn # contents of the file itself to determine its type. The MIMEMagicFile # directive tells the module where the hint definitions are located. # - - MIMEMagicFile /etc/apache2/magic - +#MIMEMagicFile conf/magic # # Customizable error responses come in three flavors: 
@@ -464,6 +499,56 @@ LogLevel warn #EnableMMAP off #EnableSendfile on -# Load config files from the config directory "/etc/apache2/conf.d". +# Supplemental configuration +# +# The configuration files in the conf/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as +# necessary. + +# Server-pool management (MPM specific) +#Include conf/extra/httpd-mpm.conf + +# Multi-language error messages +#Include conf/extra/httpd-multilang-errordoc.conf + +# Fancy directory listings +#Include conf/extra/httpd-autoindex.conf + +# Language settings +#Include conf/extra/httpd-languages.conf + +# User home directories +#Include conf/extra/httpd-userdir.conf + +# Real-time info on requests and configuration +#Include conf/extra/httpd-info.conf + +# Virtual hosts +#Include conf/extra/httpd-vhosts.conf + +# Local access to the Apache HTTP Server Manual +#Include conf/extra/httpd-manual.conf + +# Distributed authoring and versioning (WebDAV) +#Include conf/extra/httpd-dav.conf + +# Various default settings +#Include conf/extra/httpd-default.conf + +# Configure mod_proxy_html to understand HTML4/XHTML1 + +Include conf/extra/proxy-html.conf + + +# Secure (SSL/TLS) connections +#Include conf/extra/httpd-ssl.conf # -IncludeOptional /web/config/conf.d/*.conf +# Note: The following must must be present to support +# starting without SSL on platforms with no /dev/random equivalent +# but a statically compiled-in mod_ssl. +# + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + diff --git a/buildnginx/Dockerfile b/buildnginx/Dockerfile new file mode 100644 index 0000000..b84e457 --- /dev/null +++ b/buildnginx/Dockerfile 
@@ -0,0 +1,29 @@
+FROM nginx:alpine
+
+COPY ./conf.d/* /etc/nginx/conf.d/
+
+RUN apk add --no-cache openssl
+
+# SSL Generation
+WORKDIR /etc/nginx/conf.d
+
+ARG ssl
+ARG country
+ARG state
+ARG locality
+ARG organization
+ARG organizationalunit
+ARG email
+ARG commonname
+
+RUN if [ "$ssl" = "build" ]; then \
+ openssl genrsa -des3 -passout pass:xxxx -out rootCA.key 2048; \
+ openssl req -x509 -passin pass:xxxx -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/emailAddress=$email/CN=$commonname"; \
+ openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/emailAddress=$email/CN=$commonname"; \
+ openssl x509 -req -passin pass:xxxx -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 3600 -sha256 -extfile v3.ext; \
+ fi && \
+ if [ "$ssl" = "none" ]; then \
+ sed -i "s/listen 443 default_server ssl;/listen 80 default_server;/g" /etc/nginx/conf.d/churchcrm.conf; \
+ sed -i "s/ssl_certificate \/etc\/nginx\/conf.d\/server.crt;//g" /etc/nginx/conf.d/churchcrm.conf; \
+ sed -i "s/ssl_certificate_key \/etc\/nginx\/conf.d\/server.key;//g" /etc/nginx/conf.d/churchcrm.conf; \
+ fi
diff --git a/buildnginx/conf.d/churchcrm.conf b/buildnginx/conf.d/churchcrm.conf
new file mode 100644
index 0000000..cdc334b
--- /dev/null
+++ b/buildnginx/conf.d/churchcrm.conf
@@ -0,0 +1,18 @@
+server {
+ #return 301 https://$host$request_uri;
+ listen 443 default_server ssl;
+ server_name localhost;
+ ssl_certificate /etc/nginx/conf.d/server.crt;
+ ssl_certificate_key /etc/nginx/conf.d/server.key;
+
+ location / {
+
+ proxy_pass http://churchcrm;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+
+ }
+}
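Review bot: The certificate-generating `RUN` leaves the CA private key `rootCA.key` (protected only by the literal passphrase `pass:xxxx`), `rootCA.pem`, `server.csr` and the serial file that `-CAcreateserial` writes in the image layer under `/etc/nginx/conf.d`, so anyone who can pull the image holds the CA key, and every container started from one image shares the same server key. The leaf certificate is also issued with `-days 3600` while its CA is valid for `-days 1024`, so the server certificate outlives its issuer. Generating the key pair at first container start into a volume (an entrypoint script) keeps private keys out of image layers; if build-time generation is kept, at least append `rm -f rootCA.key server.csr` after the signing step, replace the placeholder passphrase with none or a real one, and keep the leaf validity at or below the CA's.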
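Review bot: The proxied request carries no `X-Forwarded-Proto`, so the upstream behind `proxy_pass http://churchcrm` sees plain HTTP and cannot tell that the client connected over TLS; any redirect URL or cookie flag the application derives from the request scheme would be based on `http`. Adding `proxy_set_header X-Forwarded-Proto $scheme;` beside the existing `proxy_set_header` lines fixes that. Since the only server block listens on 443 and the `return 301` line is commented out, the `80:80` mapping kept in the compose file has no listener in the `build`/`own` modes; a small port-80 server that redirects covers it, though the `ssl=none` rewrite in the Dockerfile would then need to drop that block as well. No `ssl_protocols` is set, so the protocol floor is whatever the base image defaults to; pinning it makes the intent explicit.

```nginx
server {
    listen 80 default_server;
    server_name localhost;
    return 301 https://$host$request_uri;
}

server {
    # … unchanged: listen 443 / server_name / ssl_certificate lines …
    ssl_protocols TLSv1.2 TLSv1.3;  # drop TLSv1.3 if the image's nginx/OpenSSL predate it

    location / {
        # … unchanged: proxy_pass, proxy_redirect, existing proxy_set_header lines …
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```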
diff --git a/buildnginx/conf.d/v3.ext b/buildnginx/conf.d/v3.ext
new file mode 100644
index 0000000..ab9de5f
--- /dev/null
+++ b/buildnginx/conf.d/v3.ext
@@ -0,0 +1,7 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
diff --git a/crm_secrets.json b/crm_secrets.json
new file mode 100644
index 0000000..ba8621c
--- /dev/null
+++ b/crm_secrets.json
@@ -0,0 +1,8 @@
+{
+ "mysql": {
+ "MYSQL_ROOT_PWD": "changeme",
+ "MYSQL_USER_DB": "churchcrm",
+ "MYSQL_USER": "churchcrm",
+ "MYSQL_USER_PWD": "changeme"
+ }
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 7ede1d1..f863737 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
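Review bot: `DNS.1 = localhost` is the only subject alternative name, while the Dockerfile in this commit takes a `commonname` build argument; browsers match the SAN list rather than the CN, so a certificate built for any other `commonname` is still only valid for `localhost`. The Dockerfile could rewrite the entry before the signing step, e.g. `sed -i "s/^DNS.1 = .*/DNS.1 = $commonname/" v3.ext`, or this file could carry a placeholder that is substituted the same way. `nonRepudiation` and `dataEncipherment` are not needed for a TLS server certificate; `keyUsage = digitalSignature, keyEncipherment` together with `extendedKeyUsage = serverAuth` is the conventional set.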
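Review bot: The credentials file is committed with `changeme` placeholders and the compose hunk reads it directly through `file: ./crm_secrets.json`, so the copy a user edits with real passwords is a tracked file inside a clone and one `git commit` away from the repository history. The usual pattern is to commit `crm_secrets.json.example` with the placeholders, add `crm_secrets.json` to `.gitignore`, and have setup copy the example into place. The same file also carries both `MYSQL_ROOT_PWD` and the application user's password, and the compose hunk attaches it to both `database` and `churchcrm`; a second, smaller secret holding only `MYSQL_USER`, `MYSQL_USER_PWD` and `MYSQL_USER_DB` would let the web container receive just what it needs, assuming the build scripts under `./build` read only those keys, which this diff does not show.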
@@ -2,20 +2,54 @@ # from this file by first filling in your password and db info in the .env # file and then running "docker-compose build", "docker-compose up" in terminal. -version: '2' +version: '3.5' services: database: #Name of DB Host container_name: database - image: jaskipper/alpine-mariadb - env_file: - - .env + build: ./build-mysql + volumes: + - db-volume:/var/lib/mysql + secrets: + - crm_secrets + tty: true churchcrm: container_name: churchcrm - build: ./build-files + build: + context: ./build + environment: + MYSQL_DB_HOST: database + volumes: + - img-volume:/usr/local/apache2/htdocs/Images + secrets: + - crm_secrets + tty: true + + nginx: + build: + context: ./buildnginx + args: + ssl: build # (none/own/build) + # If you would like for the build script to setup SSL on your server, uncomment the lines below and change the values. + # If you want to provide your own certificate, put the "server.crt" and "server.key" files in the "buildnginx/conf.d folder" + country: US # Country Name (2 letter code) + state: Tennessee # State or Province Name (full name) + locality: Nashville # Locality Name (eg, city) + organization: ChurchCRM # Organization Name (eg, company) + organizationalunit: IT # Organizational Unit Name (eg, section) + email: myemail@example.com # Your Email Address + commonname: localhost # Common Name (e.g. server FQDN or YOUR name) + container_name: crm-nginx ports: - "80:80" - env_file: - - .env + - "443:443" + +secrets: + crm_secrets: + file: ./crm_secrets.json + +volumes: + img-volume: + db-volume: diff --git a/images/Login.jpg b/images/Login.jpg deleted file mode 100644 index 0957c8c..0000000 Binary files a/images/Login.jpg and /dev/null differ
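Review bot: The two comment lines kept as context at the top of the hunk still direct the reader to fill in password and db info in the `.env` file, while the services below now take their credentials from the `crm_secrets` secret backed by `./crm_secrets.json`; replace `.env` with `crm_secrets.json` in those two lines so the header matches the configuration. Separately, `churchcrm` declares no `depends_on` on `database` and `database` declares no `healthcheck`, so compose may start the web container before MariaDB accepts connections; whether that causes a failed first start depends on the scripts under `./build`, which this diff does not show.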