Enabled HTTPS as default, and added HTPS related documentation

9 years ago · 16dfc49bfd
parent 6811158e1a
commit 16dfc49bfd
3 changed files with 60 additions and 3 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -18,6 +18,10 @@ WORKDIR /opt
 # - Compile with ant
 # - remove unnecessary and size consuming .git directory
 # - remove ant and git packages
+
+# Possible alternative : copy directly your current sources an remove git clone command from the following RUN
+# COPY . /opt/yacy_search_server/
+
 RUN apt-get update && \
 	apt-get install -yq ant git && \
 	git clone https://github.com/yacy/yacy_search_server.git && \
@ -30,6 +34,9 @@ RUN apt-get update && \
 # Set initial admin password : "docker" (encoded with custom yacy md5 function net.yacy.cora.order.Digest.encodeMD5Hex())
 RUN sed -i "/adminAccountBase64MD5=/c\adminAccountBase64MD5=MD5:e672161ffdce91be4678605f4f4e6786" /opt/yacy_search_server/defaults/yacy.init

+# Intially enable HTTPS : this is the most secure option for remote administrator authentication
+RUN sed -i "/server.https=false/c\server.https=true" /opt/yacy_search_server/defaults/yacy.init
+
 # Create user and group yacy : this user will be used to run YaCy main process
 RUN adduser --system --group --no-create-home --disabled-password yacy

--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@ -51,6 +51,10 @@ WORKDIR /opt
 # - compile with apache ant
 # - remove unnecessary and size consuming .git directory
 # - delete git package and ant binary install
+
+# Possible alternative : copy directly your current sources an remove git clone command from the following RUN
+# COPY . /opt/yacy_search_server/
+
 RUN apk update && \
 	apk add --no-cache git && \
 	git clone https://github.com/yacy/yacy_search_server.git && \
@ -62,6 +66,9 @@ RUN apk update && \
 # Set initial admin password : "docker" (encoded with custom yacy md5 function net.yacy.cora.order.Digest.encodeMD5Hex())
 RUN sed -i "/adminAccountBase64MD5=/c\adminAccountBase64MD5=MD5:e672161ffdce91be4678605f4f4e6786" /opt/yacy_search_server/defaults/yacy.init

+# Intially enable HTTPS : this is the most secure option for remote administrator authentication
+RUN sed -i "/server.https=false/c\server.https=true" /opt/yacy_search_server/defaults/yacy.init
+
 # Create user and group yacy : this user will be used to run YaCy main process
 RUN addgroup yacy && adduser -S -G yacy -H -D yacy

--- a/docker/Readme.md
+++ b/docker/Readme.md
@ -20,6 +20,11 @@ Using yacy_search_server/docker/Dockerfile :
 	cd yacy_search_server/docker
 	docker build .
 	
+To build the Alpine variant :
+
+	cd yacy_search_server/docker
+	docker build -f Dockerfile.alpine .
+	
 ## Image variants

 `luccioman/yacy:latest`
@ -51,12 +56,12 @@ You can retrieve the container IP address with `docker inspect`.

 #### Easier to handle

-	docker run --name yacy -p 8090:8090 --log-opt max-size=100m --log-opt max-file=2 luccioman/yacy
+	docker run --name yacy -p 8090:8090 -p 8443:8443 --log-opt max-size=200m --log-opt max-file=2 luccioman/yacy
 	
 ##### Options detail
 	
 * --name : allow easier management of your container (without it, docker automatically generate a new name at each startup).
-* -p : map host port and container port, allowing web interface access through the usual http://localhost:8090.
+* -p 8090:8090 -p 8443:8443 : map host ports to YaCy container ports, allowing web interface access through the usual http://localhost:8090 and https://localhost:8443 (you can set a different mapping, for example -p 443:8443 if you prefer to use the default HTTPS port on your host)
 * --log-opt max-size : limit maximum docker log file size for this container
 * --log-opt max-file : limit number of docker rotated log files for this container

@ -81,6 +86,44 @@ Note that you can list all docker volumes with :
 #### As background process

 	docker run -d luccioman/yacy
+	
+### HTTPS support
+
+This images are default configured with HTTPS enabled, and use a default certificate stored in defaults/freeworldKeystore. You should use your own certificated. In order to do it, you can proceed as follow.
+
+#### Self-signed certificate
+
+A self-signed certificate will provide encrypted communications with your YaCy server, but browsers will still complain about an invalid security certificate with the error "SEC_ERROR_UNKNOWN_ISSUER". If it is sufficient for you, you can add permanently add exception to your browser. 
+
+This kind of certificate can be generated and added to your YaCy Docker container with the following :
+
+	keytool -keystore /var/lib/docker/volumes/[your_yacy_volume]/_data/SETTINGS/yacykeystore -genkey -keyalg RSA -alias yacycert
+	
+Then edit YaCy config file. For example with the nano text editor :
+
+	nano /var/lib/docker/volumes/[your_yacy_volume]/_data/SETTINGS/yacy.conf
+
+And configure the keyStoreXXXX properties accordingly :
+
+	keyStore=/opt/yacy_search_server/DATA/SETTINGS/yacykeystore
+	keyStorePassword=yourpassword
+	
+#### Import an existing certificate:
+
+Importing a certificated validated by a certification authority (CA) will ensure you full HTTPS support with no security errors when accessing your YaCy peer. You can import an existing certificate in pkcs12 format.
+
+First copy it to the YaCy Docker container volume :
+
+	cp [yourStore].pkcs12 /var/lib/docker/volumes/[your_yacy_volume]/_data/SETTINGS/[yourStore].pkcs12
+	
+Then edit YaCy config file. For example with the nano text editor :
+
+	nano /var/lib/docker/volumes/[your_yacy_volume]/_data/SETTINGS/yacy.conf
+
+And configure the pkcs12XXX properties accordingly :
+
+	pkcs12ImportFile=/opt/yacy_search_server/DATA/SETTINGS/[yourStore].pkcs12
+	pkcs12ImportPwd=yourpassword

 ### Next starts

@ -111,7 +154,7 @@ OR
 	
 Create new container based on pulled image, using volume data from old container :
 	
-	docker create --name [tmp-container_name] -p 8090:8090 --volumes-from=[container_name] luccioman/yacy:latest
+	docker create --name [tmp-container_name] -p 8090:8090 -p 8443:8443 --volumes-from=[container_name] luccioman/yacy:latest
 	
 Stop old container :