feat: env configurable self signed cert

docs/content/docs/5.customizing-the-image/4.configuring-ssl.md

@@ -34,6 +34,47 @@ services:
 
 The above will generate a self-signed certificate and configure NGINX to listen on both HTTP (Port 80) and HTTPS (Port 443).
 
+## Customising The Self-signed Certificate
+
+If you want to customize the details of the generated self-signed certificate, you can set the following environment variables:
+
+- `SSL_SUBJECT_COUNTRY`: Specifies the country code for the self-signed SSL certificate subject when generated automatically.
+- `SSL_SUBJECT_STATE`: Specifies the state or province for the self-signed SSL certificate subject when generated automatically.
+- `SSL_SUBJECT_LOCALITY`: Specifies the city or locality for the self-signed SSL certificate subject when generated automatically.
+- `SSL_SUBJECT_ORG`: Specifies the organization name for the self-signed SSL certificate subject when generated automatically.
+- `SSL_SUBJECT_CN`: Specifies the common name(s) for the self-signed SSL certificate subject when generated automatically. Multiple domains can be specified separated by commas.
+- `SSL_KEY_ALGO`: Specifies the algorithm and size for generating the self-signed SSL private key if one is not provided.
+- `SSL_DAYS`: Defines the number of days the self-signed SSL certificate will be valid for when generated automatically.
+
+Example:
+
+::code-panel
+---
+label: Customizing self-signed certificate details
+---
+```yaml
+services:
+  php:
+    image: serversideup/php:8.4-fpm-nginx
+    ports:
+      - 80:8080
+      - 443:8443
+    environment:
+      SSL_MODE: "full"
+      SSL_SUBJECT_COUNTRY: "US"
+      SSL_SUBJECT_STATE: "Wisconsin"
+      SSL_SUBJECT_LOCALITY: "Milwaukee"
+      SSL_SUBJECT_ORG: "IT"
+      SSL_SUBJECT_CN: "*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io"
+      SSL_KEY_ALGO: "rsa:2046"
+      SSL_DAYS: "365"
+    volumes:
+      - .:/var/www/html
+```
+::
+
+These variables allow you to generate a self-signed certificate with more accurate information for your development or testing environment.
+
 ## Providing Your Own Certificate
 In order to add your own certificate, you will need to mount the certificate files to the container. The following files are required:
 

docs/content/docs/7.reference/1.environment-variable-specification.md

@@ -67,9 +67,16 @@ We like to customize our images on a per app basis using environment variables.
 `S6_CMD_WAIT_FOR_SERVICES_MAXTIME`<br />*Default: "0"*|The maximum time (in milliseconds) the services could take to bring up before proceeding to CMD executing (<a target="_blank" href="https://github.com/just-containers/s6-overlay#customizing-s6-overlay-behaviour">Official docs</a>)|fpm-nginx,<br />fpm-apache
 `S6_VERBOSITY`<br />*Default: "1"*|Set the verbosity of "S6 Overlay" (the init system these images are based on). The default is "1" (print warnings and errors). The scale goes from 1 to 5, but the output will quickly become very noisy. If you're having issues, start here. You can also customize many other variables. (<a target="_blank" href="https://github.com/just-containers/s6-overlay#customizing-s6-behaviour">Official docs</a>)|fpm-nginx,<br />fpm-apache
 `SHOW_WELCOME_MESSAGE`<br />*Default: "true"*|Show a helpful welcome message showing container information when the container starts.|all
-`SSL_CERTIFICATE_FILE`<br />*Default: "/etc/ssl/private/self-signed-web.crt"*|Path to public certificate file for HTTPS. You must provide this file otherwise a self-signed key pair will be generated for you.|fpm-nginx,<br />fpm-apache
 `SSL_MODE`<br />*Default: "off"*|Configure how you would like to handle SSL. This can be "off" (HTTP only), "mixed" (HTTP + HTTPS), or "full" (HTTPS only). If you use HTTP, you may need to also change `PHP_SESSION_COOKIE_SECURE`.|fpm-nginx,<br />fpm-apache,<br />unit
+`SSL_CERTIFICATE_FILE`<br />*Default: "/etc/ssl/private/self-signed-web.crt"*|Path to public certificate file for HTTPS. You must provide this file otherwise a self-signed key pair will be generated for you.|fpm-nginx,<br />fpm-apache
 `SSL_PRIVATE_KEY_FILE`<br />*Default: "/etc/ssl/private/self-signed-web.key"*|Path to private key file for HTTPS. You must provide this file otherwise a self-signed key pair will be generated for you.|fpm-nginx,<br />fpm-apache
+`SSL_SUBJECT_COUNTRY`<br />*Default: "US"*|Specifies the country code for the self-signed SSL certificate subject when generated automatically.|fpm-nginx,<br />fpm-apache
+`SSL_SUBJECT_STATE`<br />*Default: "Wisconsin"*|Specifies the state or province for the self-signed SSL certificate subject when generated automatically.|fpm-nginx,<br />fpm-apache
+`SSL_SUBJECT_LOCALITY`<br />*Default: "Milwaukee"*|Specifies the city or locality for the self-signed SSL certificate subject when generated automatically.|fpm-nginx,<br />fpm-apache
+`SSL_SUBJECT_ORG`<br />*Default: "IT"*|Specifies the organization name for the self-signed SSL certificate subject when generated automatically.|fpm-nginx,<br />fpm-apache
+`SSL_SUBJECT_CN`<br />*Default: "*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io"*|Specifies the common name(s) for the self-signed SSL certificate subject when generated automatically. Multiple domains can be specified separated by commas.|fpm-nginx,<br />fpm-apache
+`SSL_KEY_ALGO`<br />*Default: "rsa:2048"*|Specifies the algorithm and size for generating the self-signed SSL private key if one is not provided. Common values include "rsa:2048", "rsa:4096", or "ec:prime256v1".|fpm-nginx,<br />fpm-apache
+`SSL_DAYS`<br />*Default: "365"*|Defines the number of days the self-signed SSL certificate will be valid for when generated automatically.|fpm-nginx,<br />fpm-apache
 `UNIT_CERTIFICATE_NAME`<br />*Default: "self-signed-web-bundle"*| Name of your certificate bundle. This is used to configure HTTPS. (<a target="_blank" href="https://unit.nginx.org/configuration/#ssl-tls-configuration">Official Docs</a>)| unit
 `UNIT_CONFIG_DIRECTORY`<br />*Default: "/etc/unit/config.d"*|Path to the Unit configuration directory. Any *.json, *.js, and *.pem files will be loaded into Unit on initialization.| unit
 `UNIT_CONFIG_FILE`<br />*Default: "/etc/unit/config.d/config.json"*|Path to the Unit configuration file. One will be generated automatically by default. (<a target="_blank" href="https://unit.nginx.org/configuration/#">Official Docs</a>)| unit

src/s6/etc/entrypoint.d/10-init-webserver-config.sh

@@ -90,7 +90,7 @@ enable_apache_conf() {
     done
 }
 
-enable_apache_site (){
+enable_apache_site() {
     ssl_mode=$1
     apache2_enabled_site_path="/etc/apache2/sites-enabled"
 
@@ -110,7 +110,7 @@ enable_apache_site (){
     fi
 }
 
-enable_nginx_site (){
+enable_nginx_site() {
     ssl_mode=$1
     default_nginx_site_config="/etc/nginx/conf.d/default.conf"
 
@@ -133,9 +133,22 @@ enable_nginx_site (){
     fi
 }
 
-validate_ssl(){
-    if [ -z "$SSL_CERTIFICATE_FILE" ] || [ -z "$SSL_PRIVATE_KEY_FILE" ]; then
-        echo "🛑 ERROR ($script_name): SSL_CERTIFICATE_FILE or SSL_PRIVATE_KEY_FILE is not set."
+validate_ssl() {
+    missing_vars=""
+
+    for var in SSL_CERTIFICATE_FILE SSL_PRIVATE_KEY_FILE SSL_SUBJECT_COUNTRY SSL_SUBJECT_STATE SSL_SUBJECT_LOCALITY SSL_SUBJECT_ORG SSL_SUBJECT_CN SSL_KEY_ALGO SSL_DAYS; do
+        eval val=\$$var
+        if [ -z "$val" ]; then
+            if [ -z "$missing_vars" ]; then
+                missing_vars="$var"
+            else
+                missing_vars="$missing_vars $var"
+            fi
+        fi
+    done
+
+    if [ -n "$missing_vars" ]; then
+        echo "🛑 ERROR ($script_name): The following required SSL variables are not set: $missing_vars"
         return 1
     fi
 
@@ -152,8 +165,16 @@ validate_ssl(){
         return 0
     fi
 
-    echo "🔐 SSL Keypair not found. Generating self-signed SSL keypair..."    
-    openssl req -x509 -subj "/C=US/ST=Wisconsin/L=Milwaukee/O=IT/CN=*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io" -nodes -newkey rsa:2048 -keyout "$SSL_PRIVATE_KEY_FILE" -out "$SSL_CERTIFICATE_FILE" -days 365 >/dev/null 2>&1
+    echo "🔐 SSL Keypair not found. Generating self-signed SSL keypair..."
+    SSL_SUBJECT="/C=$SSL_SUBJECT_COUNTRY/ST=$SSL_SUBJECT_STATE/L=$SSL_SUBJECT_LOCALITY/O=$SSL_SUBJECT_ORG/CN=$SSL_SUBJECT_CN"
+
+    openssl req -x509 \
+        -subj "$SSL_SUBJECT" \
+        -nodes \
+        -newkey "$SSL_KEY_ALGO" \
+        -keyout "$SSL_PRIVATE_KEY_FILE" \
+        -out "$SSL_CERTIFICATE_FILE" \
+        -days "$SSL_DAYS" >/dev/null 2>&1
 }
 
 ##########

src/variations/fpm-apache/Dockerfile

@@ -84,7 +84,14 @@ ENV APACHE_DOCUMENT_ROOT=/var/www/html/public \
     SHOW_WELCOME_MESSAGE=true \
     SSL_MODE=off \
     SSL_CERTIFICATE_FILE=/etc/ssl/private/self-signed-web.crt \
-    SSL_PRIVATE_KEY_FILE=/etc/ssl/private/self-signed-web.key
+    SSL_PRIVATE_KEY_FILE=/etc/ssl/private/self-signed-web.key \
+    SSL_SUBJECT_COUNTRY="US" \
+    SSL_SUBJECT_STATE="Wisconsin" \
+    SSL_SUBJECT_LOCALITY="Milwaukee" \
+    SSL_SUBJECT_ORG="IT" \
+    SSL_SUBJECT_CN="*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io" \
+    SSL_KEY_ALGO="rsa:2048" \
+    SSL_DAYS="365"
 
 # copy our scripts
 COPY --chmod=755 src/common/ /

src/variations/fpm-nginx/Dockerfile

@@ -108,7 +108,14 @@ ENV APP_BASE_DIR=/var/www/html \
     SHOW_WELCOME_MESSAGE=true \
     SSL_MODE=off \
     SSL_CERTIFICATE_FILE=/etc/ssl/private/self-signed-web.crt \
-    SSL_PRIVATE_KEY_FILE=/etc/ssl/private/self-signed-web.key
+    SSL_PRIVATE_KEY_FILE=/etc/ssl/private/self-signed-web.key \
+    SSL_SUBJECT_COUNTRY="US" \
+    SSL_SUBJECT_STATE="Wisconsin" \
+    SSL_SUBJECT_LOCALITY="Milwaukee" \
+    SSL_SUBJECT_ORG="IT" \
+    SSL_SUBJECT_CN="*.dev.test,*.gitpod.io,*.ngrok.io,*.nip.io" \
+    SSL_KEY_ALGO="rsa:2048" \
+    SSL_DAYS="365"
 
 # copy our scripts
 COPY --chmod=755 src/common/ /