Merge pull request #65 from luccioman/docker

Docker : enable HTTPS support
8 years ago · 43ba23335b
parent e310ec5f70 64fdf7e861
commit 43ba23335b
4 changed files with 66 additions and 8 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -18,6 +18,10 @@ WORKDIR /opt
 # - Compile with ant
 # - remove unnecessary and size consuming .git directory
 # - remove ant and git packages
+
+# Possible alternative : copy directly your current sources an remove git clone command from the following RUN
+# COPY . /opt/yacy_search_server/
+
 RUN apt-get update && \
 	apt-get install -yq ant git && \
 	git clone https://github.com/yacy/yacy_search_server.git && \
@ -30,14 +34,17 @@ RUN apt-get update && \
 # Set initial admin password : "docker" (encoded with custom yacy md5 function net.yacy.cora.order.Digest.encodeMD5Hex())
 RUN sed -i "/adminAccountBase64MD5=/c\adminAccountBase64MD5=MD5:e672161ffdce91be4678605f4f4e6786" /opt/yacy_search_server/defaults/yacy.init

+# Intially enable HTTPS : this is the most secure option for remote administrator authentication
+RUN sed -i "/server.https=false/c\server.https=true" /opt/yacy_search_server/defaults/yacy.init
+
 # Create user and group yacy : this user will be used to run YaCy main process
 RUN adduser --system --group --no-create-home --disabled-password yacy

 # Set ownership of yacy install directory to yacy user/group
 RUN chown yacy:yacy -R /opt/yacy_search_server

-# Expose port 8090
-EXPOSE 8090
+# Expose HTTP and HTTPS default ports
+EXPOSE 8090 8443

 # Set data volume : yacy data and configuration will persist aven after container stop or destruction
 VOLUME ["/opt/yacy_search_server/DATA"]
--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@ -51,6 +51,10 @@ WORKDIR /opt
 # - compile with apache ant
 # - remove unnecessary and size consuming .git directory
 # - delete git package and ant binary install
+
+# Possible alternative : copy directly your current sources an remove git clone command from the following RUN
+# COPY . /opt/yacy_search_server/
+
 RUN apk update && \
 	apk add --no-cache git && \
 	git clone https://github.com/yacy/yacy_search_server.git && \
@ -62,14 +66,17 @@ RUN apk update && \
 # Set initial admin password : "docker" (encoded with custom yacy md5 function net.yacy.cora.order.Digest.encodeMD5Hex())
 RUN sed -i "/adminAccountBase64MD5=/c\adminAccountBase64MD5=MD5:e672161ffdce91be4678605f4f4e6786" /opt/yacy_search_server/defaults/yacy.init

+# Intially enable HTTPS : this is the most secure option for remote administrator authentication
+RUN sed -i "/server.https=false/c\server.https=true" /opt/yacy_search_server/defaults/yacy.init
+
 # Create user and group yacy : this user will be used to run YaCy main process
 RUN addgroup yacy && adduser -S -G yacy -H -D yacy

 # Set ownership of yacy install directory to yacy user/group
 RUN chown yacy:yacy -R /opt/yacy_search_server

-# Expose port 8090
-EXPOSE 8090
+# Expose HTTP and HTTPS default ports
+EXPOSE 8090 8443

 # Set data volume : yacy data and configuration will persist aven after container stop or destruction
 VOLUME ["/opt/yacy_search_server/DATA"]
--- a/docker/Readme.md
+++ b/docker/Readme.md
@ -18,6 +18,11 @@ Using yacy_search_server/docker/Dockerfile :
 	cd yacy_search_server/docker
 	docker build .
 	
+To build the Alpine variant :
+
+	cd yacy_search_server/docker
+	docker build -f Dockerfile.alpine .
+	
 ## Image variants

 `luccioman/yacy:latest`
@ -49,12 +54,12 @@ You can retrieve the container IP address with `docker inspect`.

 #### Easier to handle

-	docker run --name yacy -p 8090:8090 --log-opt max-size=100m --log-opt max-file=2 luccioman/yacy
+	docker run --name yacy -p 8090:8090 -p 8443:8443 --log-opt max-size=200m --log-opt max-file=2 luccioman/yacy
 	
 ##### Options detail
 	
 * --name : allow easier management of your container (without it, docker automatically generate a new name at each startup).
-* -p : map host port and container port, allowing web interface access through the usual http://localhost:8090.
+* -p 8090:8090 -p 8443:8443 : map host ports to YaCy container ports, allowing web interface access through the usual http://localhost:8090 and https://localhost:8443 (you can set a different mapping, for example -p 443:8443 if you prefer to use the default HTTPS port on your host)
 * --log-opt max-size : limit maximum docker log file size for this container
 * --log-opt max-file : limit number of docker rotated log files for this container

@ -76,9 +81,47 @@ Note that you can list all docker volumes with :

 	docker volume ls

-#### As background process
+#### Start as background process

 	docker run -d luccioman/yacy
+	
+### HTTPS support
+
+This images are default configured with HTTPS enabled, and use a default certificate stored in defaults/freeworldKeystore. You should use your own certificate. In order to do it, you can proceed as follow.
+
+#### Self-signed certificate
+
+A self-signed certificate will provide encrypted communications with your YaCy server, but browsers will still complain about an invalid security certificate with the error "SEC_ERROR_UNKNOWN_ISSUER". If it is sufficient for you, you can permanently add and exception to your browser.
+
+This kind of certificate can be generated and added to your YaCy Docker container with the following :
+
+	keytool -keystore /var/lib/docker/volumes/[your_yacy_volume]/_data/SETTINGS/yacykeystore -genkey -keyalg RSA -alias yacycert
+	
+Then edit YaCy config file. For example with the nano text editor :
+
+	nano /var/lib/docker/volumes/[your_yacy_volume]/_data/SETTINGS/yacy.conf
+
+And configure the keyStoreXXXX properties accordingly :
+
+	keyStore=/opt/yacy_search_server/DATA/SETTINGS/yacykeystore
+	keyStorePassword=yourpassword
+	
+#### Import an existing certificate:
+
+Importing a certificate validated by a certification authority (CA) will ensure you have full HTTPS support with no security errors when accessing your YaCy peer. You can import an existing certificate in pkcs12 format.
+
+First copy it to the YaCy Docker container volume :
+
+	cp [yourStore].pkcs12 /var/lib/docker/volumes/[your_yacy_volume]/_data/SETTINGS/[yourStore].pkcs12
+	
+Then edit YaCy config file. For example with the nano text editor :
+
+	nano /var/lib/docker/volumes/[your_yacy_volume]/_data/SETTINGS/yacy.conf
+
+And configure the pkcs12XXX properties accordingly :
+
+	pkcs12ImportFile=/opt/yacy_search_server/DATA/SETTINGS/[yourStore].pkcs12
+	pkcs12ImportPwd=yourpassword

 ### Next starts

@ -109,7 +152,7 @@ OR
 	
 Create new container based on pulled image, using volume data from old container :
 	
-	docker create --name [tmp-container_name] -p 8090:8090 --volumes-from=[container_name] --log-opt max-size=100m --log-opt max-file=2 luccioman/yacy:latest
+	docker create --name [tmp-container_name] -p 8090:8090 -p 8443:8443 --volumes-from=[container_name] --log-opt max-size=100m --log-opt max-file=2 luccioman/yacy:latest
 	
 Stop old container :

--- a/docker/docker-cloud.yml
+++ b/docker/docker-cloud.yml
@ -2,5 +2,6 @@ yacy:
  image: 'luccioman/yacy:latest'
  ports:
    - '8090:8090'
+    - '8443:8443'
  restart: on-failure
  autoredeploy: true