diff --git a/docs/content/docs/5.customizing-the-image/4.configuring-ssl.md b/docs/content/docs/5.customizing-the-image/4.configuring-ssl.md
index b015b7f9d..86fee4362 100644
--- a/docs/content/docs/5.customizing-the-image/4.configuring-ssl.md
+++ b/docs/content/docs/5.customizing-the-image/4.configuring-ssl.md
@@ -34,6 +34,47 @@ services:
The above will generate a self-signed certificate and configure NGINX to listen on both HTTP (Port 80) and HTTPS (Port 443).
+## Customising The Self-signed Certificate
+
+If you want to customize the details of the generated self-signed certificate, you can set the following environment variables:
+
+- `SSL_SUBJECT_COUNTRY`: Specifies the country code for the self-signed SSL certificate subject when generated automatically.
+- `SSL_SUBJECT_STATE`: Specifies the state or province for the self-signed SSL certificate subject when generated automatically.
+- `SSL_SUBJECT_LOCALITY`: Specifies the city or locality for the self-signed SSL certificate subject when generated automatically.
+- `SSL_SUBJECT_ORG`: Specifies the organization name for the self-signed SSL certificate subject when generated automatically.
+- `SSL_SUBJECT_CN`: Specifies the common name(s) for the self-signed SSL certificate subject when generated automatically. Multiple domains can be specified separated by commas.
+- `SSL_KEY_ALGO`: Specifies the algorithm and size for generating the self-signed SSL private key if one is not provided.
+- `SSL_DAYS`: Defines the number of days the self-signed SSL certificate will be valid for when generated automatically.
+
+Example:
+
+::code-panel
+---
+label: Customizing self-signed certificate details
+---
+```yaml
+services:
+ php:
+ image: serversideup/php:8.4-fpm-nginx
+ ports:
+ - 80:8080
+ - 443:8443
+ environment:
+ SSL_MODE: "full"
+ SSL_SUBJECT_COUNTRY: "US"
+ SSL_SUBJECT_STATE: "Wisconsin"
+ SSL_SUBJECT_LOCALITY: "Milwaukee"
+ SSL_SUBJECT_ORG: "IT"
+ SSL_SUBJECT_CN: "*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io"
+ SSL_KEY_ALGO: "rsa:2046"
+ SSL_DAYS: "365"
+ volumes:
+ - .:/var/www/html
+```
+::
+
+These variables allow you to generate a self-signed certificate with more accurate information for your development or testing environment.
+
## Providing Your Own Certificate
In order to add your own certificate, you will need to mount the certificate files to the container. The following files are required:
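Review bot: the example sets `SSL_KEY_ALGO: "rsa:2046"`, which looks like a typo for `rsa:2048` (the default given in the reference table and in both Dockerfiles); an odd size like 2046 is non-standard and is the kind of value readers will copy verbatim. Two smaller points in the same hunk: the heading spells "Customising" while the body text uses "customize", so pick one; and the `SSL_SUBJECT_CN` bullet says multiple domains can be comma-separated, but the generation code only passes that string into `-subj`, so the result is a single CN containing commas rather than several names. Clients validate the subjectAltName extension rather than the CN, so either the wording should be softened or the script should emit a SAN from the same list.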
diff --git a/docs/content/docs/7.reference/1.environment-variable-specification.md b/docs/content/docs/7.reference/1.environment-variable-specification.md
index 597464177..e1576aa4e 100644
--- a/docs/content/docs/7.reference/1.environment-variable-specification.md
+++ b/docs/content/docs/7.reference/1.environment-variable-specification.md
@@ -67,9 +67,16 @@ We like to customize our images on a per app basis using environment variables.
`S6_CMD_WAIT_FOR_SERVICES_MAXTIME`
*Default: "0"*|The maximum time (in milliseconds) the services could take to bring up before proceeding to CMD executing (Official docs)|fpm-nginx,
fpm-apache
`S6_VERBOSITY`
*Default: "1"*|Set the verbosity of "S6 Overlay" (the init system these images are based on). The default is "1" (print warnings and errors). The scale goes from 1 to 5, but the output will quickly become very noisy. If you're having issues, start here. You can also customize many other variables. (Official docs)|fpm-nginx,
fpm-apache
`SHOW_WELCOME_MESSAGE`
*Default: "true"*|Show a helpful welcome message showing container information when the container starts.|all
-`SSL_CERTIFICATE_FILE`
*Default: "/etc/ssl/private/self-signed-web.crt"*|Path to public certificate file for HTTPS. You must provide this file otherwise a self-signed key pair will be generated for you.|fpm-nginx,
fpm-apache
`SSL_MODE`
*Default: "off"*|Configure how you would like to handle SSL. This can be "off" (HTTP only), "mixed" (HTTP + HTTPS), or "full" (HTTPS only). If you use HTTP, you may need to also change `PHP_SESSION_COOKIE_SECURE`.|fpm-nginx,
fpm-apache,
unit
+`SSL_CERTIFICATE_FILE`
*Default: "/etc/ssl/private/self-signed-web.crt"*|Path to public certificate file for HTTPS. You must provide this file otherwise a self-signed key pair will be generated for you.|fpm-nginx,
fpm-apache
`SSL_PRIVATE_KEY_FILE`
*Default: "/etc/ssl/private/self-signed-web.key"*|Path to private key file for HTTPS. You must provide this file otherwise a self-signed key pair will be generated for you.|fpm-nginx,
fpm-apache
+`SSL_SUBJECT_COUNTRY`
*Default: "US"*|Specifies the country code for the self-signed SSL certificate subject when generated automatically.|fpm-nginx,
fpm-apache
+`SSL_SUBJECT_STATE`
*Default: "Wisconsin"*|Specifies the state or province for the self-signed SSL certificate subject when generated automatically.|fpm-nginx,
fpm-apache
+`SSL_SUBJECT_LOCALITY`
*Default: "Milwaukee"*|Specifies the city or locality for the self-signed SSL certificate subject when generated automatically.|fpm-nginx,
fpm-apache
+`SSL_SUBJECT_ORG`
*Default: "IT"*|Specifies the organization name for the self-signed SSL certificate subject when generated automatically.|fpm-nginx,
fpm-apache
+`SSL_SUBJECT_CN`
*Default: "*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io"*|Specifies the common name(s) for the self-signed SSL certificate subject when generated automatically. Multiple domains can be specified separated by commas.|fpm-nginx,
fpm-apache
+`SSL_KEY_ALGO`
*Default: "rsa:2048"*|Specifies the algorithm and size for generating the self-signed SSL private key if one is not provided. Common values include "rsa:2048", "rsa:4096", or "ec:prime256v1".|fpm-nginx,
fpm-apache
+`SSL_DAYS`
*Default: "365"*|Defines the number of days the self-signed SSL certificate will be valid for when generated automatically.|fpm-nginx,
fpm-apache
`UNIT_CERTIFICATE_NAME`
*Default: "self-signed-web-bundle"*| Name of your certificate bundle. This is used to configure HTTPS. (Official Docs)| unit
`UNIT_CONFIG_DIRECTORY`
*Default: "/etc/unit/config.d"*|Path to the Unit configuration directory. Any *.json, *.js, and *.pem files will be loaded into Unit on initialization.| unit
`UNIT_CONFIG_FILE`
*Default: "/etc/unit/config.d/config.json"*|Path to the Unit configuration file. One will be generated automatically by default. (Official Docs)| unit
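Review bot: moving `SSL_CERTIFICATE_FILE` below `SSL_MODE` breaks the alphabetical ordering the table otherwise follows (S6_*, SHOW_WELCOME_MESSAGE, SSL_*, UNIT_*), and the new `SSL_KEY_ALGO` and `SSL_DAYS` rows are appended after `SSL_SUBJECT_CN` instead of being sorted; suggest the order CERTIFICATE_FILE, DAYS, KEY_ALGO, MODE, PRIVATE_KEY_FILE, SUBJECT_* so readers can scan it. Also, the `SSL_KEY_ALGO` row lists `ec:prime256v1` as a common value: please confirm that form is accepted by `openssl req -newkey` in the image's OpenSSL, because in my experience the `ec:` prefix expects a parameter file rather than a curve name, and the script passes the variable as a single `-newkey` argument with no `-pkeyopt`, so there is no other way to name a curve.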
diff --git a/src/s6/etc/entrypoint.d/10-init-webserver-config.sh b/src/s6/etc/entrypoint.d/10-init-webserver-config.sh
index e501bc66e..2f6a0d9a7 100644
--- a/src/s6/etc/entrypoint.d/10-init-webserver-config.sh
+++ b/src/s6/etc/entrypoint.d/10-init-webserver-config.sh
@@ -90,7 +90,7 @@ enable_apache_conf() {
done
}
-enable_apache_site (){
+enable_apache_site() {
ssl_mode=$1
apache2_enabled_site_path="/etc/apache2/sites-enabled"
@@ -110,7 +110,7 @@ enable_apache_site (){
fi
}
-enable_nginx_site (){
+enable_nginx_site() {
ssl_mode=$1
default_nginx_site_config="/etc/nginx/conf.d/default.conf"
@@ -133,9 +133,22 @@ enable_nginx_site (){
fi
}
-validate_ssl(){
- if [ -z "$SSL_CERTIFICATE_FILE" ] || [ -z "$SSL_PRIVATE_KEY_FILE" ]; then
- echo "🛑 ERROR ($script_name): SSL_CERTIFICATE_FILE or SSL_PRIVATE_KEY_FILE is not set."
+validate_ssl() {
+ missing_vars=""
+
+ for var in SSL_CERTIFICATE_FILE SSL_PRIVATE_KEY_FILE SSL_SUBJECT_COUNTRY SSL_SUBJECT_STATE SSL_SUBJECT_LOCALITY SSL_SUBJECT_ORG SSL_SUBJECT_CN SSL_KEY_ALGO SSL_DAYS; do
+ eval val=\$$var
+ if [ -z "$val" ]; then
+ if [ -z "$missing_vars" ]; then
+ missing_vars="$var"
+ else
+ missing_vars="$missing_vars $var"
+ fi
+ fi
+ done
+
+ if [ -n "$missing_vars" ]; then
+ echo "🛑 ERROR ($script_name): The following required SSL variables are not set: $missing_vars"
return 1
fi
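Review bot: the new loop makes every `SSL_SUBJECT_*` variable mandatory even when the user mounts their own certificate and key, and it rejects an intentionally empty field (leaving `SSL_SUBJECT_STATE` or `SSL_SUBJECT_LOCALITY` blank is legitimate, since ST, L and O are optional subject components), so configurations that worked before this change now fail validation. Consider keeping this function to the two file-path variables and checking the generation inputs just before the `openssl req` call, or at least only requiring `SSL_SUBJECT_CN`, `SSL_KEY_ALGO` and `SSL_DAYS`. Minor: `eval val=\$$var` is safe here only because the variable names come from a fixed list; `eval "val=\${$var}"` says the same thing more clearly and is the spelling shellcheck will not complain about.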
@@ -152,8 +165,16 @@ validate_ssl(){
return 0
fi
- echo "🔐 SSL Keypair not found. Generating self-signed SSL keypair..."
- openssl req -x509 -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=IT/CN=*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io" -nodes -newkey rsa:2048 -keyout "$SSL_PRIVATE_KEY_FILE" -out "$SSL_CERTIFICATE_FILE" -days 365 >/dev/null 2>&1
+ echo "🔐 SSL Keypair not found. Generating self-signed SSL keypair..."
+ SSL_SUBJECT="/C=$SSL_SUBJECT_COUNTRY/ST=$SSL_SUBJECT_STATE/L=$SSL_SUBJECT_LOCALITY/O=$SSL_SUBJECT_ORG/CN=$SSL_SUBJECT_CN"
+
+ openssl req -x509 \
+ -subj "$SSL_SUBJECT" \
+ -nodes \
+ -newkey "$SSL_KEY_ALGO" \
+ -keyout "$SSL_PRIVATE_KEY_FILE" \
+ -out "$SSL_CERTIFICATE_FILE" \
+ -days "$SSL_DAYS" >/dev/null 2>&1
}
##########
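Review bot: the `>/dev/null 2>&1` on the `openssl req` call discards the one message that would explain a failed generation (an unsupported `SSL_KEY_ALGO` value, a non-numeric `SSL_DAYS`, a subject that fails to parse), and the function ends on that call without reporting the failure, so the user would see the web server start with no key pair on disk and no hint why. Suggest capturing stderr to a variable or letting it through, and echoing an error and returning 1 when openssl exits non-zero. Two related points: the subject is built by plain string interpolation, so a `/` in any `SSL_SUBJECT_*` value (an org named "R/D") changes the DN structure, which should be escaped or documented as a restriction; and because the names only reach the CN, a comma-separated `SSL_SUBJECT_CN` produces one CN with commas in it rather than multiple hostnames, so if the image's OpenSSL is 1.1.1 or newer, adding `-addext "subjectAltName=DNS:..."` built from the same list would make the documented multi-domain behaviour actually work.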
diff --git a/src/variations/fpm-apache/Dockerfile b/src/variations/fpm-apache/Dockerfile
index e6c4cdcf3..30c07a605 100644
--- a/src/variations/fpm-apache/Dockerfile
+++ b/src/variations/fpm-apache/Dockerfile
@@ -84,7 +84,14 @@ ENV APACHE_DOCUMENT_ROOT=/var/www/html/public \
SHOW_WELCOME_MESSAGE=true \
SSL_MODE=off \
SSL_CERTIFICATE_FILE=/etc/ssl/private/self-signed-web.crt \
- SSL_PRIVATE_KEY_FILE=/etc/ssl/private/self-signed-web.key
+ SSL_PRIVATE_KEY_FILE=/etc/ssl/private/self-signed-web.key \
+ SSL_SUBJECT_COUNTRY="US" \
+ SSL_SUBJECT_STATE="Wisconsin" \
+ SSL_SUBJECT_LOCALITY="Milwaukee" \
+ SSL_SUBJECT_ORG="IT" \
+ SSL_SUBJECT_CN="*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io" \
+ SSL_KEY_ALGO="rsa:2048" \
+ SSL_DAYS="365"
# copy our scripts
COPY --chmod=755 src/common/ /
diff --git a/src/variations/fpm-nginx/Dockerfile b/src/variations/fpm-nginx/Dockerfile
index a8197b6df..6466d445c 100644
--- a/src/variations/fpm-nginx/Dockerfile
+++ b/src/variations/fpm-nginx/Dockerfile
@@ -108,7 +108,14 @@ ENV APP_BASE_DIR=/var/www/html \
SHOW_WELCOME_MESSAGE=true \
SSL_MODE=off \
SSL_CERTIFICATE_FILE=/etc/ssl/private/self-signed-web.crt \
- SSL_PRIVATE_KEY_FILE=/etc/ssl/private/self-signed-web.key
+ SSL_PRIVATE_KEY_FILE=/etc/ssl/private/self-signed-web.key \
+ SSL_SUBJECT_COUNTRY="US" \
+ SSL_SUBJECT_STATE="Wisconsin" \
+ SSL_SUBJECT_LOCALITY="Milwaukee" \
+ SSL_SUBJECT_ORG="IT" \
+ SSL_SUBJECT_CN="*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io" \
+ SSL_KEY_ALGO="rsa:2048" \
+ SSL_DAYS="365"
# copy our scripts
COPY --chmod=755 src/common/ /