initial commit
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Steven Polley 2023-06-25 09:38:35 -06:00
parent 0cd8c26ffb
commit 496f9a554b
7 changed files with 261 additions and 1 deletions

13
.drone.yml Normal file
View File

@ -0,0 +1,13 @@
kind: pipeline
name: default
workspace:
base: /go
path: src/deadbeef.codes/steven/docker-webdav-apache
steps:
- name: docker build
image: plugins/docker
settings:
repo: registry.deadbeef.codes/docker-webdav-apache

55
Dockerfile Normal file
View File

@ -0,0 +1,55 @@
FROM httpd:alpine
# These variables are inherited from the httpd:alpine image:
# ENV HTTPD_PREFIX /usr/local/apache2
# WORKDIR "$HTTPD_PREFIX"
# Copy in our configuration files.
COPY conf/ conf/
RUN set -ex; \
# Create empty default DocumentRoot.
mkdir -p "/var/www/html"; \
# Create directories for Dav data and lock database.
mkdir -p "/var/lib/dav/data"; \
touch "/var/lib/dav/DavLock"; \
chown -R www-data:www-data "/var/lib/dav"; \
\
# Enable DAV modules.
for i in dav dav_fs; do \
sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \
done; \
\
# Make sure authentication modules are enabled.
for i in authn_core authn_file authz_core authz_user auth_basic auth_digest; do \
sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \
done; \
\
# Make sure other modules are enabled.
for i in alias headers mime setenvif; do \
sed -i -e "/^#LoadModule ${i}_module.*/s/^#//" "conf/httpd.conf"; \
done; \
\
# Run httpd as "www-data" (instead of "daemon").
for i in User Group; do \
sed -i -e "s|^$i .*|$i www-data|" "conf/httpd.conf"; \
done; \
\
# Include enabled configs and sites.
printf '%s\n' "Include conf/conf-enabled/*.conf" \
>> "conf/httpd.conf"; \
printf '%s\n' "Include conf/sites-enabled/*.conf" \
>> "conf/httpd.conf"; \
\
# Enable dav and default site.
mkdir -p "conf/conf-enabled"; \
mkdir -p "conf/sites-enabled"; \
ln -s ../conf-available/dav.conf "conf/conf-enabled"; \
ln -s ../sites-available/default.conf "conf/sites-enabled"; \
# Install openssl if we need to generate a self-signed certificate.
apk add --no-cache openssl
COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
EXPOSE 80/tcp 443/tcp
ENTRYPOINT [ "docker-entrypoint.sh" ]
CMD [ "httpd-foreground" ]

View File

@ -1,3 +1,35 @@
[![Build Status](https://drone.deadbeef.codes/api/badges/steven/docker-webdav-apache/status.svg)](https://drone.deadbeef.codes/steven/docker-webdav-apache)
# docker-webdav-apache
containerized webdav server with the OG apache server
#### Via Docker Compose:
```
version: '3'
services:
webdav:
image: registry.deadbeef.codes/docker-webdav-apache:latest
restart: always
ports:
- "80:80"
environment:
AUTH_TYPE: Digest
USERNAME: alice
PASSWORD: secret1234
volumes:
- /srv/dav:/var/lib/dav
```
### Environment variables
All environment variables are optional. You probably want to at least specify `USERNAME` and `PASSWORD` (or bind mount your own authentication file to `/user.passwd`) otherwise nobody will be able to access your WebDAV server!
* **`SERVER_NAMES`**: Comma-separated list of domains (eg, `example.com,www.example.com`). The first is set as the [ServerName](https://httpd.apache.org/docs/current/mod/core.html#servername), and the rest (if any) are set as [ServerAlias](https://httpd.apache.org/docs/current/mod/core.html#serveralias). The default is `localhost`.
* **`LOCATION`**: The URL path for WebDAV (eg, if set to `/webdav` then clients should connect to `example.com/webdav`). The default is `/`.
* **`AUTH_TYPE`**: Apache authentication type to use. This can be `Basic` (best choice for HTTPS) or `Digest` (best choice for HTTP). The default is `Basic`.
* **`REALM`**: Sets [AuthName](https://httpd.apache.org/docs/current/mod/mod_authn_core.html#authname), an identifier that is displayed to clients when they connect. The default is `WebDAV`.
* **`USERNAME`**: Authenticate with this username (and the password below). This is ignored if you bind mount your own authentication file to `/user.passwd`.
* **`PASSWORD`**: Authenticate with this password (and the username above). This is ignored if you bind mount your own authentication file to `/user.passwd`.
* **`ANONYMOUS_METHODS`**: Comma-separated list of HTTP request methods (eg, `GET,POST,OPTIONS,PROPFIND`). Clients can use any method you specify here without authentication. Set to `ALL` to disable authentication. The default is to disallow any anonymous access.
* **`SSL_CERT`**: Set to `selfsigned` to generate a self-signed certificate and enable Apache's SSL module. If you specify `SERVER_NAMES`, the first domain is set as the Common Name.

View File

@ -0,0 +1,25 @@
DavLockDB "/var/lib/dav/DavLock"
Alias / "/var/lib/dav/data/"
<Directory "/var/lib/dav/data/">
Dav On
Options Indexes FollowSymLinks
AuthType Basic
AuthName "WebDAV"
AuthUserFile "/user.passwd"
<RequireAny>
Require valid-user
</RequireAny>
</Directory>
# These disable redirects on non-GET requests for directories that
# don't include the trailing slash (for misbehaving clients).
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[01234]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
BrowserMatch " Konqueror/4" redirect-carefully
BrowserMatch "^gvfs" redirect-carefully

View File

@ -0,0 +1,18 @@
Listen 443
<VirtualHost *:443>
Protocols h2 http/1.1
ServerName localhost
DocumentRoot "/var/www/html/"
<Directory "/var/www/html/">
Require all denied
</Directory>
CustomLog /proc/self/fd/1 combined
ErrorLog /proc/self/fd/2
SSLEngine on
SSLCertificateFile /cert.pem
SSLCertificateKeyFile /privkey.pem
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLSessionTickets off
</VirtualHost>

View File

@ -0,0 +1,11 @@
<VirtualHost *:80>
ServerName localhost
DocumentRoot "/var/www/html/"
<Directory "/var/www/html/">
Require all denied
</Directory>
CustomLog /proc/self/fd/1 combined
ErrorLog /proc/self/fd/2
# This lets certain DAV methods work behind an SSL reverse proxy.
RequestHeader edit Destination ^https http early
</VirtualHost>

106
docker-entrypoint.sh Normal file
View File

@ -0,0 +1,106 @@
#!/bin/sh
set -e
# Environment variables that are used if not empty:
# SERVER_NAMES
# LOCATION
# AUTH_TYPE
# REALM
# USERNAME
# PASSWORD
# ANONYMOUS_METHODS
# SSL_CERT
# Just in case this environment variable has gone missing.
HTTPD_PREFIX="${HTTPD_PREFIX:-/usr/local/apache2}"
# Configure vhosts.
if [ "x$SERVER_NAMES" != "x" ]; then
# Use first domain as Apache ServerName.
SERVER_NAME="${SERVER_NAMES%%,*}"
sed -e "s|ServerName .*|ServerName $SERVER_NAME|" \
-i "$HTTPD_PREFIX"/conf/sites-available/default*.conf
# Replace commas with spaces and set as Apache ServerAlias.
SERVER_ALIAS="`printf '%s\n' "$SERVER_NAMES" | tr ',' ' '`"
sed -e "/ServerName/a\ \ ServerAlias $SERVER_ALIAS" \
-i "$HTTPD_PREFIX"/conf/sites-available/default*.conf
fi
# Configure dav.conf
if [ "x$LOCATION" != "x" ]; then
sed -e "s|Alias .*|Alias $LOCATION /var/lib/dav/data/|" \
-i "$HTTPD_PREFIX/conf/conf-available/dav.conf"
fi
if [ "x$REALM" != "x" ]; then
sed -e "s|AuthName .*|AuthName \"$REALM\"|" \
-i "$HTTPD_PREFIX/conf/conf-available/dav.conf"
else
REALM="WebDAV"
fi
if [ "x$AUTH_TYPE" != "x" ]; then
# Only support "Basic" and "Digest".
if [ "$AUTH_TYPE" != "Basic" ] && [ "$AUTH_TYPE" != "Digest" ]; then
printf '%s\n' "$AUTH_TYPE: Unknown AuthType" 1>&2
exit 1
fi
sed -e "s|AuthType .*|AuthType $AUTH_TYPE|" \
-i "$HTTPD_PREFIX/conf/conf-available/dav.conf"
fi
# Add password hash, unless "user.passwd" already exists (ie, bind mounted).
if [ ! -e "/user.passwd" ]; then
touch "/user.passwd"
# Only generate a password hash if both username and password given.
if [ "x$USERNAME" != "x" ] && [ "x$PASSWORD" != "x" ]; then
if [ "$AUTH_TYPE" = "Digest" ]; then
# Can't run `htdigest` non-interactively, so use other tools.
HASH="`printf '%s' "$USERNAME:$REALM:$PASSWORD" | md5sum | awk '{print $1}'`"
printf '%s\n' "$USERNAME:$REALM:$HASH" > /user.passwd
else
htpasswd -B -b -c "/user.passwd" $USERNAME $PASSWORD
fi
fi
fi
# If specified, allow anonymous access to specified methods.
if [ "x$ANONYMOUS_METHODS" != "x" ]; then
if [ "$ANONYMOUS_METHODS" = "ALL" ]; then
sed -e "s/Require valid-user/Require all granted/" \
-i "$HTTPD_PREFIX/conf/conf-available/dav.conf"
else
ANONYMOUS_METHODS="`printf '%s\n' "$ANONYMOUS_METHODS" | tr ',' ' '`"
sed -e "/Require valid-user/a\ \ \ \ Require method $ANONYMOUS_METHODS" \
-i "$HTTPD_PREFIX/conf/conf-available/dav.conf"
fi
fi
# If specified, generate a selfsigned certificate.
if [ "${SSL_CERT:-none}" = "selfsigned" ]; then
# Generate self-signed SSL certificate.
# If SERVER_NAMES is given, use the first domain as the Common Name.
if [ ! -e /privkey.pem ] || [ ! -e /cert.pem ]; then
openssl req -x509 -newkey rsa:2048 -days 1000 -nodes \
-keyout /privkey.pem -out /cert.pem -subj "/CN=${SERVER_NAME:-selfsigned}"
fi
fi
# This will either be the self-signed certificate generated above or one that
# has been bind mounted in by the user.
if [ -e /privkey.pem ] && [ -e /cert.pem ]; then
# Enable SSL Apache modules.
for i in http2 ssl; do
sed -e "/^#LoadModule ${i}_module.*/s/^#//" \
-i "$HTTPD_PREFIX/conf/httpd.conf"
done
# Enable SSL vhost.
ln -sf ../sites-available/default-ssl.conf \
"$HTTPD_PREFIX/conf/sites-enabled"
fi
# Create directories for Dav data and lock database.
[ ! -d "/var/lib/dav/data" ] && mkdir -p "/var/lib/dav/data"
[ ! -e "/var/lib/dav/DavLock" ] && touch "/var/lib/dav/DavLock"
chown -R www-data:www-data "/var/lib/dav"
exec "$@"