commit
9f2a10ca42
20
env-data.sh
20
env-data.sh
|
@ -70,3 +70,23 @@ fi
|
|||
if [ -z "$EXTRA_CONF" ]; then
|
||||
EXTRA_CONF=""
|
||||
fi
|
||||
|
||||
if [ -z "${SSL_DIR}" ]; then
|
||||
SSL_DIR="/ssl_certificates"
|
||||
fi
|
||||
|
||||
if [ -z "${PGSSLMODE}" ]; then
|
||||
PGSSLMODE=require
|
||||
fi
|
||||
|
||||
if [ -z "${SSL_CERT_FILE}" ]; then
|
||||
SSL_CERT_FILE='/etc/ssl/certs/ssl-cert-snakeoil.pem'
|
||||
fi
|
||||
|
||||
if [ -z "${SSL_KEY_FILE}" ]; then
|
||||
SSL_KEY_FILE='/etc/ssl/private/ssl-cert-snakeoil.key'
|
||||
fi
|
||||
|
||||
if [ -z "$PASSWORD_AUTHENTICATION" ]; then
|
||||
PASSWORD_AUTHENTICATION="md5"
|
||||
fi
|
||||
|
|
|
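Review bot: The new `PASSWORD_AUTHENTICATION="md5"` default picks the weakest password method PostgreSQL still offers; if the image runs PostgreSQL 10 or newer (this page does not say), `scram-sha-256` is the recommended default, with `password_encryption` set to match. The snakeoil key path defaulted at `SSL_KEY_FILE='/etc/ssl/private/ssl-cert-snakeoil.key'` is compared again as a bare literal in the pg_hba hunk further down to detect a user-supplied key, so the two can silently drift apart. Defining it once here, e.g. `DEFAULT_SSL_KEY_FILE='/etc/ssl/private/ssl-cert-snakeoil.key'` followed by `SSL_KEY_FILE="${SSL_KEY_FILE:-$DEFAULT_SSL_KEY_FILE}"`, lets the pg_hba script compare against the name rather than the path.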
@ -2,16 +2,40 @@
|
|||
|
||||
source /env-data.sh
|
||||
|
||||
SETUP_LOCKFILE="${ROOT_CONF}/.pg_hba.conf.lock"
|
||||
if [ -f "${SETUP_LOCKFILE}" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
# This script will setup pg_hba.conf
|
||||
|
||||
# Custom IP range via docker run -e (https://docs.docker.com/engine/reference/run/#env-environment-variables)
|
||||
# Usage is: docker run [...] -e ALLOW_IP_RANGE='192.168.0.0/16'
|
||||
# Reconfigure pg_hba if environment settings changed
|
||||
# cat ${ROOT_CONF}/pg_hba.conf.template > ${ROOT_CONF}/pg_hba.conf
|
||||
|
||||
|
||||
if [[ "${FORCE_SSL}" =~ [Ff][Aa][Ll][Ss][Ee] ]]; then
|
||||
PG_CONF_HOST='host'
|
||||
CERT_AUTH=${PASSWORD_AUTHENTICATION}
|
||||
CLIENT_VERIFY=
|
||||
else
|
||||
# If user has their own cert we default to force auth using cert method
|
||||
if [[ "${SSL_KEY_FILE}" != '/etc/ssl/private/ssl-cert-snakeoil.key' ]]; then
|
||||
PG_CONF_HOST='hostssl'
|
||||
CERT_AUTH='cert'
|
||||
CLIENT_VERIFY=
|
||||
else
|
||||
# Used when using the default ssl certs
|
||||
PG_CONF_HOST='hostssl'
|
||||
CERT_AUTH=${PASSWORD_AUTHENTICATION}
|
||||
CLIENT_VERIFY='clientcert=0'
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
# moved from setup.sh. Delete if unnecessary
|
||||
# Restrict subnet to docker private network
|
||||
echo "host all all 172.0.0.0/8 md5" >> $ROOT_CONF/pg_hba.conf
|
||||
# And allow access from DockerToolbox / Boottodocker on OSX or any other host in this range
|
||||
#echo "host all all 192.168.0.0/16 md5" >> $ROOT_CONF/pg_hba.conf
|
||||
echo "$PG_CONF_HOST all all 172.0.0.0/8 ${CERT_AUTH} $CLIENT_VERIFY" >> $ROOT_CONF/pg_hba.conf
|
||||
# And allow access from DockerToolbox / Boot to docker on OSX
|
||||
echo "$PG_CONF_HOST all all 192.168.0.0/16 ${CERT_AUTH} $CLIENT_VERIFY" >> $ROOT_CONF/pg_hba.conf
|
||||
|
||||
if [ "$ALLOW_IP_RANGE" ]
|
||||
then
|
||||
|
@ -23,7 +47,7 @@ fi
|
|||
# messes it up
|
||||
if [ "$POSTGRES_PASS" ]; then
|
||||
pass="PASSWORD '$POSTGRES_PASS'"
|
||||
authMethod=md5
|
||||
authMethod=${CERT_AUTH}
|
||||
else
|
||||
# The - option suppresses leading tabs but *not* spaces. :)
|
||||
cat >&2 <<-'EOWARN'
|
||||
|
|
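Review bot: The user-certificate branch that sets `CERT_AUTH='cert'` chooses an authentication method PostgreSQL only accepts when `ssl_ca_file` is configured, yet the branch keys on `SSL_KEY_FILE` alone; with a custom key and no `SSL_CA_FILE`, every hostssl client would be refused because there is no CA to verify client certificates against, so the condition should be `if [[ -n "${SSL_CA_FILE}" ]]; then` (or require both). The two `172.0.0.0/8` rules are wider than the comment's "docker private network": the RFC 1918 block is `172.16.0.0/12`, and a /8 also admits public address space, so `172.16.0.0/12` looks like the intended mask. `CLIENT_VERIFY='clientcert=0'` in the default-cert branch is PostgreSQL's default behaviour and therefore a no-op, and the 0/1 spelling is deprecated since PostgreSQL 12 in favour of `verify-ca`/`verify-full` and rejected by later releases, so leaving it empty is safer — worth checking against the image's PostgreSQL version, which this page does not state. The `if [ "$ALLOW_IP_RANGE" ]` block at the end of the hunk continues outside it.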
45
setup-ssl.sh
45
setup-ssl.sh
|
@ -1,23 +1,46 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
source /env-data.sh
|
||||
source /scripts/env-data.sh
|
||||
|
||||
SETUP_LOCKFILE="${ROOT_CONF}/.ssl.conf.lock"
|
||||
if [ -f "${SETUP_LOCKFILE}" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
# This script will setup default SSL config
|
||||
|
||||
# /etc/ssl/private can't be accessed from within container for some reason
|
||||
# (@andrewgodwin says it's something AUFS related) - taken from https://github.com/orchardup/docker-postgresql/blob/master/Dockerfile
|
||||
# (@andrewgodwin says it's something AUFS related) - taken from https://github.com/orchardup/docker-postgresql/blob/master/Dockerfile
|
||||
cp -r /etc/ssl /tmp/ssl-copy/
|
||||
chmod -R 0700 /etc/ssl
|
||||
chown -R postgres /tmp/ssl-copy
|
||||
rm -r /etc/ssl
|
||||
mv /tmp/ssl-copy /etc/ssl
|
||||
|
||||
mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private
|
||||
# Setup Permission for SSL Directory
|
||||
create_dir ${SSL_DIR}
|
||||
chmod -R 0700 ${SSL_DIR}
|
||||
chown -R postgres ${SSL_DIR}
|
||||
|
||||
# Needed under debian, wasnt needed under ubuntu
|
||||
# Docker secrets for certificates
|
||||
file_env 'SSL_CERT_FILE'
|
||||
file_env 'SSL_KEY_FILE'
|
||||
file_env 'SSL_CA_FILE'
|
||||
|
||||
# Needed under debian, wasn't needed under ubuntu
|
||||
mkdir -p ${PGSTAT_TMP}
|
||||
chmod 0777 ${PGSTAT_TMP}
|
||||
|
||||
# moved from setup.sh
|
||||
echo "ssl = true" >> $CONF
|
||||
#echo "ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' " >> $CONF
|
||||
#echo "ssl_renegotiation_limit = 512MB " >> $CONF
|
||||
echo "ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'" >> $CONF
|
||||
echo "ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'" >> $CONF
|
||||
#echo "ssl_ca_file = '' # (change requires restart)" >> $CONF
|
||||
#echo "ssl_crl_file = ''" >> $CONF
|
||||
cat > ${ROOT_CONF}/ssl.conf <<EOF
|
||||
ssl = true
|
||||
ssl_cert_file = '${SSL_CERT_FILE}'
|
||||
ssl_key_file = '${SSL_KEY_FILE}'
|
||||
EOF
|
||||
|
||||
if [ ! -z "${SSL_CA_FILE}" ]; then
|
||||
echo "ssl_ca_file = '${SSL_CA_FILE}' # (change requires restart)" >> ${ROOT_CONF}/ssl.conf
|
||||
fi
|
||||
echo "include 'ssl.conf'" >> $CONF
|
||||
# Put lock file to make sure conf was not reinitialized
|
||||
touch ${SETUP_LOCKFILE}
|
||||
|
|
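Review bot: The lock-file guard's `return 0` only stops this script when it is sourced; if setup-ssl.sh is executed directly (it carries a shebang), bash reports `return` outside a function and keeps going, so `echo "include 'ssl.conf'" >> $CONF` would append a duplicate include on every restart despite the lock file. `return 0 2>/dev/null || exit 0` covers both invocation styles. Separately, `file_env 'SSL_CERT_FILE'` and `file_env 'SSL_KEY_FILE'` run after env-data.sh has already defaulted both variables to the snakeoil paths; if file_env follows the usual docker-library pattern of refusing when both `VAR` and `VAR_FILE` are set (its definition is not on this page), a secret passed via `SSL_KEY_FILE_FILE` would be rejected, so the defaults should be applied after file_env or file_env should be called from env-data.sh. The `${SSL_DIR}` and `${PGSTAT_TMP}` expansions handed to chmod/chown/mkdir are unquoted; `chmod -R 0700 "${SSL_DIR}"` and friends avoid word-splitting surprises.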