Merge pull request #239 from cytopia/https

Add HTTPS support

.devilbox/www/config.php

@@ -13,8 +13,8 @@ error_reporting(-1);
 putenv('RES_OPTIONS=retrans:1 retry:1 timeout:1 attempts:1');
 
 
-$DEVILBOX_VERSION = 'v0.13.1';
-$DEVILBOX_DATE = '2018-04-28';
+$DEVILBOX_VERSION = 'v0.14';
+$DEVILBOX_DATE = '2018-05-05';
 $DEVILBOX_API_PAGE = 'devilbox-api/status.json';
 
 //

.devilbox/www/htdocs/index.php

@@ -584,8 +584,11 @@ $HEALTH_PERCENT = 100 - ceil(100 * $HEALTH_FAILS / $HEALTH_TOTAL);
 											</tr>
 											<tr>
 												<th>httpd</th>
-												<td><?php echo loadClass('Helper')->getEnv('LOCAL_LISTEN_ADDR').loadClass('Helper')->getEnv('HOST_PORT_HTTPD');?></td>
-												<td>80</td>
+												<td>
+													<?php echo loadClass('Helper')->getEnv('LOCAL_LISTEN_ADDR').loadClass('Helper')->getEnv('HOST_PORT_HTTPD');?><br/>
+													<?php echo loadClass('Helper')->getEnv('LOCAL_LISTEN_ADDR').loadClass('Helper')->getEnv('HOST_PORT_HTTPD_SSL');?>
+												</td>
+												<td>80<br/>443</td>
 											</tr>
 											<?php if ($avail_mysql): ?>
 												<tr>

.devilbox/www/htdocs/vhosts.php

@@ -118,12 +118,12 @@
 						if (el_valid.innerHTML != 'WARN') {
 							el_valid.innerHTML = 'OK';
 						}
-						el_href.innerHTML = '<a target="_blank" href="http://'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?>">'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?></a>' + el_href.innerHTML;
+						el_href.innerHTML = '<a target="_blank" href="//'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?>">'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?></a>' + el_href.innerHTML;
 					} else {
 						//console.log(vhost);
 					}
 				}
-				xhttp.open('POST', 'http://'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?>/devilbox-api/status.json', true);
+				xhttp.open('POST', '//'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?>/devilbox-api/status.json', true);
 				xhttp.send();
 
 				// Timeout to abort in 1 second

.gitignore

@@ -19,6 +19,9 @@
 /data/*
 /backups/*
 
+# Ignore Certificate Authority
+/ca/*
+
 # Ignore compose override file
 docker-compose.override.yml
 

README.md

@@ -21,7 +21,9 @@
 [![type](https://img.shields.io/badge/type-Docker-orange.svg)](https://www.docker.com/)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
-The devilbox is a modern and highly customisable **dockerized PHP stack** supporting full **LAMP** and **MEAN** and running on all major platforms. The main goal is to easily switch and combine any version required for local development. It supports an unlimited number of projects for which vhosts and DNS records are created automatically. Email catch-all and popular development tools will be at your service as well.  Configuration is not necessary, as everything is pre-setup with mass virtual hosting.
+<img width="200" style="width:200px;" src="docs/_static/img/global-configuration/https-ssl-address-bar.png" />
+
+The devilbox is a modern and highly customisable **dockerized PHP stack** supporting full **LAMP** and **MEAN** and running on all major platforms. The main goal is to easily switch and combine any version required for local development. It supports an **unlimited number of projects** for which vhosts, **SSL certificates** and **DNS records** are created automatically. Email catch-all and popular development tools will be at your service as well.  Configuration is not necessary, as everything is pre-setup with mass virtual hosting.
 
 **Requirements**
 
@@ -239,6 +241,10 @@ The devilbox has everything setup for you. The only thing you will have to insta
     <td width="220" style="width:220px;">:star: Auto virtual hosts</td>
     <td>New virtual hosts are created automatically and instantly whenever you add a project directory. This is done internally via <a href="https://travis-ci.org/devilbox/vhost-gen">vhost-gen</a> and <a href="https://github.com/devilbox/watcherd">watcherd</a>.</td>
   </tr>
+  <tr>
+    <td>:star: Automated SSL certificate generation</td>
+    <td>SSL certificates are automatically created for each vhost and signed by the Devilbox CA.</td>
+  </tr>
   <tr>
     <td>:star: Unlimited vhosts</td>
     <td>Run as many projects as you need with a single instance of the devilbox.</td>

docker-compose.yml

@@ -196,7 +196,7 @@ services:
   # Web Server
   # ------------------------------------------------------------
   httpd:
-    image: devilbox/${HTTPD_SERVER:-nginx-stable}:0.13
+    image: devilbox/${HTTPD_SERVER:-nginx-stable}:0.15
     restart: always
 
     environment:
@@ -222,9 +222,12 @@ services:
       ##
       ## Disable default vhost?
       ##
-      - MAIN_VHOST_DISABLE=${DEVILBOX_UI_DISABLE}
+      - MAIN_VHOST_ENABLE=${DEVILBOX_UI_ENABLE}
       - MAIN_VHOST_STATUS_ENABLE=1
       - MAIN_VHOST_STATUS_ALIAS=/devilbox-httpd-status
+      - MAIN_VHOST_SSL_TYPE=both
+      - MAIN_VHOST_SSL_GEN=1
+      - MAIN_VHOST_SSL_CN=${DEVILBOX_UI_SSL_CN:-localhost}
 
       ##
       ## Enable Mass Vhosts
@@ -233,6 +236,8 @@ services:
       - MASS_VHOST_TLD=.${TLD_SUFFIX}
       - MASS_VHOST_DOCROOT=${HTTPD_DOCROOT_DIR}
       - MASS_VHOST_TPL=${HTTPD_TEMPLATE_DIR}
+      - MASS_VHOST_SSL_TYPE=both
+      - MASS_VHOST_SSL_GEN=1
 
       ##
       ## PHP-FPM Remote Server
@@ -245,6 +250,7 @@ services:
       # ---- Format: ----
       # [HOST-ADDR : ] HOST-PORT : DOCKER-PORT
       - "${LOCAL_LISTEN_ADDR}${HOST_PORT_HTTPD}:80"
+      - "${LOCAL_LISTEN_ADDR}${HOST_PORT_HTTPD_SSL}:443"
 
     networks:
       app_net:
@@ -266,6 +272,9 @@ services:
       # Mount logs
       - ${DEVILBOX_PATH}/log/${HTTPD_SERVER}:/var/log/${HTTPD_SERVER}
 
+      # Certificate Authority public key
+      - ${DEVILBOX_PATH}/ca:/ca
+
     depends_on:
       - bind
       - php

docs/configuration-files/env-file.rst

@@ -423,6 +423,36 @@ and report as unsuccessful. The default is ``1`` second, wich should be fairly s
 +-----------------------+----------------+-------------------+
 
 
+.. _env_devilbox_ui_ssl_cn:
+
+DEVILBOX_UI_SSL_CN
+------------------
+
+When accessing the Devilbox intranet via ``https`` it will use an automatically created SSL certificate.
+Each SSL certificate requires a valid Common Name, which must match the virtual host name.
+
+This setting let's you specify by what **name** you are accessing the Devilbox intranet.
+The default is ``localhost``, but if you have created your own alias, you must change this value
+accordingly. Also note that multiple values are possible and must be separated with a comma.
+When you add an asterisk (``*.``) to the beginning, it means it will create a wildcard certificate for that
+hostname.
+
++-------------------------+------------------------------+-----------------------------------------------+
+| Name                    | Allowed values               | Default value                                 |
++=========================+==============================+===============================================+
+| ``DEVILBOX_UI_SSL_CN``  | comma separated list of CN's | ``localhost,*.localhost,devilbox,*.devilbox`` |
++-------------------------+------------------------------+-----------------------------------------------+
+
+**Examples**:
+
+* ``DEVILBOX_UI_SSL_CN=localhost``
+* ``DEVILBOX_UI_SSL_CN=localhost,*.localhost``
+* ``DEVILBOX_UI_SSL_CN=localhost,*.localhost,devilbox,*.devilbox``
+* ``DEVILBOX_UI_SSL_CN=intranet.example.com``
+
+.. seealso:: :ref:`configuration_https_ssl`
+
+
 .. _env_devilbox_ui_protect:
 
 DEVILBOX_UI_PROTECT
@@ -458,13 +488,13 @@ password by which it will be protected.
 +--------------------------+----------------+-------------------+
 
 
-.. _env_devilbox_ui_disable:
+.. _env_devilbox_ui_enable:
 
-DEVILBOX_UI_DISABLE
+DEVILBOX_UI_ENABLE
 -------------------
 
 In case you want to completely disable the Devilbox intranet, such as when running it on production,
-you need to set this variable to ``1``.
+you need to set this variable to ``0``.
 
 By disabling the intranet, the webserver will simply remove the default virtual host and redirect
 all IP-based requests to the first available virtual host, which will be you first project when
@@ -473,7 +503,7 @@ ordering their names alphabetically.
 +-------------------------+----------------+-------------------+
 | Name                    | Allowed values | Default value     |
 +=========================+================+===================+
-| ``DEVILBOX_UI_DISABLE`` | ``0`` or ``1`` | ``0``             |
+| ``DEVILBOX_UI_ENABLE``  | ``0`` or ``1`` | ``1``             |
 +-------------------------+----------------+-------------------+
 
 
@@ -990,6 +1020,19 @@ else if 80 is already in use on your host operating system.
 +----------------------+-------------------+------------------+
 
 
+HOST_PORT_HTTPD_SSL
+-------------------
+
+The port to expose for the web server (Apache or Nginx) for HTTPS (SSL) requests. This is usually
+443. Set it to something else if 443 is already in use on your host operating system.
+
++--------------------------+-------------------+------------------+
+| Name                     | Allowed values    | Default value    |
++==========================+===================+==================+
+| ``HOST_PORT_HTTPD_SSL``  | ``1`` - ``65535`` | ``443``           |
++--------------------------+-------------------+------------------+
+
+
 HOST_PORT_MYSQL
 ---------------
 

docs/configuration-global/bind.rst

@@ -0,0 +1,3 @@
+****
+BIND
+****

docs/configuration-global/devilbox-intranet.rst

@@ -0,0 +1,3 @@
+*****************
+Devilbox Intranet
+*****************

docs/configuration-global/https-ssl.rst

@@ -0,0 +1,132 @@
+.. _configuration_https_ssl:
+
+***********
+HTTPS (SSL)
+***********
+
+This page shows you how to use the Devilbox on https and how to import the Certificate Authority
+into your browser once, so that you always and automatically get valid SSL certificates for all new
+projects.
+
+SSL certificates are generated automatically and there is nothing to do from your side.
+
+.. image:: /_static/img/global-configuration/https-ssl-address-bar.png
+
+**Table of Contents**
+
+.. contents:: :local:
+
+
+TL;DR
+=====
+
+Import the Certificate Authority into your browser and you are all set.
+
+
+How does it work
+================
+
+Certificate Authority
+---------------------
+
+When the Devilbox starts up for the first time, it will generate a
+`Certificate Authority <https://en.wikipedia.org/wiki/Certificate_authority>`_ and will store its
+public and private key in ``./ca/`` within the Devilbox git directory.
+
+The keys are only generated if they don't exist and kept permanently if you don't delete them
+manually, i.e. they are not overwritten.
+
+.. code-block:: bash
+
+    host> cd path/to/devilbox
+    host> ls -l ca/
+    -rw-r--r--  1 cytopia cytopia 1558 May  2 11:12 devilbox-ca.crt
+    -rw-------  1 cytopia cytopia 1675 May  2 11:12 devilbox-ca.key
+    -rw-r--r--  1 cytopia cytopia   17 May  4 08:35 devilbox-ca.srl
+
+
+SSL Certificates
+----------------
+
+Whenever you create a new project directory, multiple things happen in the background:
+
+1. A new virtual host is created
+2. DNS is provided via :ref:`global_configuration_auto_dns`
+3. A new SSL certificate is generated for that vhost
+4. **The SSL certificate is signed by the Devilbox Certificate Authority**
+
+By having a SSL certificates signed by the provided CA, you will only have to import the CA
+into your browser ones and all current projects and future projects will automatically have
+valid and trusted SSL certificates without any further work.
+
+.. important::
+    Importing the CA into the browser is also recommended and required for the Devilbox
+    intranet page to work properly.
+
+
+Import the CA into your browser
+===============================
+
+Chrome / Chromium
+-----------------
+
+Open Chrome settings, scroll down to the very bottom and click on ``Advanced`` to expand the
+advanced settings.
+
+.. image:: /_static/img/global-configuration/https-ssl-01-chrome-settings.png
+
+Find the setting ``Manage certificates`` and open it.
+
+.. image:: /_static/img/global-configuration/https-ssl-02-chrome-advanced-settings.png
+
+Navigate to the tab setting ``AUTHORITIES`` and click on ``IMPORT``.
+
+.. image:: /_static/img/global-configuration/https-ssl-03-chrome-authorities.png
+
+Select ``devilbox-ca.crt`` from within the Devilbox ``./ca`` directory:
+
+.. image:: /_static/img/global-configuration/https-ssl-04-import.png
+
+As the last step you are asked what permissions you want to grant the newly importat CA.
+To make sure it works everywhere, check all options and proceed with ``OK``.
+
+.. image:: /_static/img/global-configuration/https-ssl-05-chrome-set-trust.png
+
+Now you are all set and all generated SSL certificates will be valid from now on.
+
+.. image:: /_static/img/global-configuration/https-ssl-address-bar.png
+
+
+Firefox
+-------
+
+Open Firefox settings and click on ``Privacy & Security``.
+
+.. image:: /_static/img/global-configuration/https-ssl-01-firefox-settings.png
+
+At the very bottom click on the button ``View Certificates``.
+
+.. image:: /_static/img/global-configuration/https-ssl-02-firefox-security-settings.png
+
+In the ``Authories`` tab, click on ``Import``.
+
+.. image:: /_static/img/global-configuration/https-ssl-03-firefox-authorities.png
+
+Select ``devilbox-ca.crt`` from within the Devilbox ``./ca`` directory:
+
+.. image:: /_static/img/global-configuration/https-ssl-04-import.png
+
+As the last step you are asked what permissions you want to grant the newly importat CA.
+To make sure it works everywhere, check all options and proceed with ``OK``.
+
+.. image:: /_static/img/global-configuration/https-ssl-05-firefox-set-trust.png
+
+Now you are all set and all generated SSL certificates will be valid from now on.
+
+.. image:: /_static/img/global-configuration/https-ssl-address-bar.png
+
+
+Further Reading
+===============
+
+.. seealso:: ``.env`` variable: :ref:`env_devilbox_ui_ssl_cn`

docs/configuration-global/memcached.rst

@@ -0,0 +1,3 @@
+*********
+Memcached
+*********

docs/configuration-global/mongodb.rst

@@ -0,0 +1,3 @@
+*******
+MongoDB
+*******

docs/configuration-global/mysql.rst

@@ -0,0 +1,3 @@
+*****
+MySQL
+*****

docs/configuration-global/php.rst

@@ -0,0 +1,5 @@
+***
+PHP
+***
+
+Environment variables

docs/configuration-global/redis.rst

@@ -0,0 +1,3 @@
+*****
+Redis
+*****

docs/configuration-global/webserver.rst

@@ -0,0 +1,57 @@
+.. _configuration_webserver:
+
+**********
+Web server
+**********
+
+This page lists a general overview about the bundled web server - its features,
+where it comes from, how it is built and what configuration is possible.
+
+
+**Table of Contents**
+
+.. contents:: :local:
+
+
+Features
+========
+
+Auto-virtual hosts
+------------------
+
+File permission problem
+------------------------
+
+Custom global configuration
+---------------------------
+
+Custom vhost configuration
+--------------------------
+
+
+Information
+===========
+
+Dockerfile
+----------
+
+Github
+------
+
+Dockerhub
+---------
+
+Build process
+-------------
+
+Configuration
+=============
+
+.env file
+---------
+
+apache.conf / nginx.conf
+------------------------
+
+vhost-gen
+---------

docs/getting-started/the-intranet.rst

@@ -125,7 +125,7 @@ When the intranet is disabled, there is no way to access it.
 .. seealso::
     In order to do so, have a look at the following ``.env`` variable:
 
-    * :ref:`env_devilbox_ui_disable`
+    * :ref:`env_devilbox_ui_enable`
 
 
 Checklist

docs/index.rst

@@ -110,6 +110,7 @@ host is ready to be served with your custom domain.
    :caption: Global configuration
    :maxdepth: 2
 
+   configuration-global/https-ssl
    configuration-global/webserver
    configuration-global/php
    configuration-global/mysql

env-example

@@ -149,6 +149,22 @@ TIMEZONE=Europe/Berlin
 DNS_CHECK_TIMEOUT=1
 
 
+
+###
+### Devilbox UI SSL Certificate generation
+###
+### When using SSL each certificate requires names for which it is responsible:
+### Common Name as well as alternative names.
+###
+### Specify comma separated hostnames below by which you want to access the Devilbox.
+### Those hostnames will be included in the SSL certificate for the Devilbox intranet.
+### This has nothing to do for SSL certificates for projects, it is just for the intranet
+### itself.
+###
+DEVILBOX_UI_SSL_CN=localhost,*.localhost,devilbox,*.devilbox
+
+
+
 ###
 ### Devilbox UI Password protection enable/disable (1/0)
 ###
@@ -180,13 +196,13 @@ DEVILBOX_UI_PASSWORD=password
 
 
 ###
-### Disable the Devilbox Intranet?
+### Enable the Devilbox Intranet?
 ###
 ### Example:
-###   DEVILBOX_UI_DISABLE=1
-###   DEVILBOX_UI_DISABLE=0
+###   DEVILBOX_UI_ENABLE=1
+###   DEVILBOX_UI_ENABLE=0
 ###
-DEVILBOX_UI_DISABLE=0
+DEVILBOX_UI_ENABLE=1
 
 
 
@@ -410,6 +426,7 @@ HOST_PATH_MONGO_DATADIR=./data/mongo
 ### Expose HTTPD Port to Host
 ###
 HOST_PORT_HTTPD=80
+HOST_PORT_HTTPD_SSL=443
 
 ###
 ### Document Root Subdirectory

templates/vhost-gen/apache22.yml

@@ -51,6 +51,8 @@ vhost: |
       CustomLog  "__ACCESS_LOG__" combined
       ErrorLog   "__ERROR_LOG__"
 
+  __REDIRECT__
+  __SSL__
   __VHOST_DOCROOT__
   __VHOST_RPROXY__
   __PHP_FPM__
@@ -102,6 +104,19 @@ vhost_type:
 ###
 features:
 
+  # SSL Configuration
+  ssl: |
+    SSLEngine on
+    SSLCertificateFile    "__SSL_PATH_CRT__"
+    SSLCertificateKeyFile "__SSL_PATH_KEY__"
+    SSLProtocol           __SSL_PROTOCOLS__
+    SSLHonorCipherOrder   __SSL_HONOR_CIPHER_ORDER__
+    SSLCipherSuite        __SSL_CIPHERS__
+
+  # Redirect to SSL directive
+  redirect: |
+    RedirectMatch (.*) https://__VHOST_NAME__:__SSL_PORT__$1
+
   # PHP-FPM will not be applied to a reverse proxy!
   php_fpm: |
     # PHP-FPM Definition
@@ -135,7 +150,7 @@ features:
 
   xdomain_request: |
     # Allow cross domain request from these hosts
-    SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0$1
+    SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0
     Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
     Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
     Header always set Access-Control-Max-Age "0"

templates/vhost-gen/apache24.yml

@@ -51,6 +51,8 @@ vhost: |
       CustomLog  "__ACCESS_LOG__" combined
       ErrorLog   "__ERROR_LOG__"
 
+  __REDIRECT__
+  __SSL__
   __VHOST_DOCROOT__
   __VHOST_RPROXY__
   __PHP_FPM__
@@ -103,6 +105,19 @@ vhost_type:
 ###
 features:
 
+  # SSL Configuration
+  ssl: |
+    SSLEngine on
+    SSLCertificateFile    "__SSL_PATH_CRT__"
+    SSLCertificateKeyFile "__SSL_PATH_KEY__"
+    SSLProtocol           __SSL_PROTOCOLS__
+    SSLHonorCipherOrder   __SSL_HONOR_CIPHER_ORDER__
+    SSLCipherSuite        __SSL_CIPHERS__
+
+  # Redirect to SSL directive
+  redirect: |
+    RedirectMatch (.*) https://__VHOST_NAME__:__SSL_PORT__$1
+
   # PHP-FPM will not be applied to a reverse proxy!
   php_fpm: |
     # PHP-FPM Definition
@@ -152,7 +167,7 @@ features:
 
   xdomain_request: |
     # Allow cross domain request from these hosts
-    SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0$1
+    SetEnvIf Origin "__REGEX__" AccessControlAllowOrigin=$0
     Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
     Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
     Header always set Access-Control-Max-Age "0"

templates/vhost-gen/nginx.yml

@@ -52,6 +52,8 @@ vhost: |
       access_log   "__ACCESS_LOG__" combined;
       error_log    "__ERROR_LOG__" warn;
 
+  __REDIRECT__
+  __SSL__
   __VHOST_DOCROOT__
   __VHOST_RPROXY__
   __PHP_FPM__
@@ -88,6 +90,18 @@ vhost_type:
 ###
 features:
 
+  # SSL Configuration
+  ssl: |
+    ssl_certificate           __SSL_PATH_CRT__;
+    ssl_certificate_key       __SSL_PATH_KEY__;
+    ssl_protocols             __SSL_PROTOCOLS__;
+    ssl_prefer_server_ciphers __SSL_HONOR_CIPHER_ORDER__;
+    ssl_ciphers               __SSL_CIPHERS__;
+
+  # Redirect to SSL directive
+  redirect: |
+    return 301 https://__VHOST_NAME__:__SSL_PORT__$request_uri;
+
   # PHP-FPM will not be applied to a reverse proxy!
   php_fpm: |
     # PHP-FPM Definition