diff --git a/README.md b/README.md
index efa1e53..2295d75 100644
--- a/README.md
+++ b/README.md
@@ -135,6 +135,8 @@ Image: anonaddy/anonaddy:latest
 * `DB_USERNAME`: MySQL user (default `anonaddy`)
 * `DB_PASSWORD`: MySQL password
 * `DB_TIMEOUT`: Time in seconds after which we stop trying to reach the MySQL server (useful for clusters, default `60`)
+* `DB_SSL`: set this to `true` to connect to MySQL over TLS/SSL (default `false`)
+* `MYSQL_ATTR_SSL_CA`: the certificate authority (CA) chain file that can verify MySQL server's certificate, when connecting over TLS/SSL. If `DB_SSL=true` this variable's default is `/etc/ssl/certs/ca-certificates.crt`, containing public CAs' roots of trust from the container image base; if `DB_SSL=false` this variable is empty by default. If MySQL server's certificate was generated using a private CA, mount the CA's certificate file in the container (e.g. `/host/path/to/ca.pem:/etc/certificates/my-ca.pem`) and point `MYSQL_ATTR_SSL_CA` to that file in the container (e.g. `MYSQL_ATTR_SSL_CA=/etc/certificates/my-ca.pem`). **Warning:** setting `MYSQL_ATTR_SSL_CA` to a custom value enforces connecting to MySQL over TLS/SSL regardless of the value of `DB_SSL`.
 
 > **Note**
 >
diff --git a/rootfs/etc/cont-init.d/00-env b/rootfs/etc/cont-init.d/00-env
index 7da2e79..f53d3a9 100755
--- a/rootfs/etc/cont-init.d/00-env
+++ b/rootfs/etc/cont-init.d/00-env
@@ -51,6 +51,16 @@ DB_DATABASE=${DB_DATABASE:-anonaddy}
 #DB_PASSWORD=${DB_PASSWORD:-asupersecretpassword}
 DB_TIMEOUT=${DB_TIMEOUT:-60}
 
+# Add support for DB connection over TLS
+DB_SSL=${DB_SSL:-false}
+if [ "$DB_SSL" = "true" ]; then
+ # if DB TLS connection is enabled, default MYSQL_ATTR_SSL_CA to /etc/ssl/certs/ca-certificates.crt
+ MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA:-/etc/ssl/certs/ca-certificates.crt}
+else
+ # if DB TLS connection is disabled, default MYSQL_ATTR_SSL_CA to null
+ MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA:-}
+fi
+
 REDIS_HOST=${REDIS_HOST:-null}
 #REDIS_PASSWORD=${REDIS_PASSWORD:-null}
 REDIS_PORT=${REDIS_PORT:-6379}
diff --git a/rootfs/etc/cont-init.d/10-config.sh b/rootfs/etc/cont-init.d/10-config.sh
index c5f18ef..a7f17c3 100755
--- a/rootfs/etc/cont-init.d/10-config.sh
+++ b/rootfs/etc/cont-init.d/10-config.sh
@@ -45,7 +45,13 @@ if [ -z "$DB_PASSWORD" ]; then
 echo >&2 "ERROR: Either DB_PASSWORD or DB_PASSWORD_FILE must be defined"
 exit 1
 fi
-dbcmd="mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}""
+
+# Add support for DB connection over TLS
+
+if [ -n "$MYSQL_ATTR_SSL_CA" ]; then
+ SSL_CA_OPTION="--ssl-ca=$MYSQL_ATTR_SSL_CA"
+fi
+dbcmd="mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}" ${SSL_CA_OPTION}"
 
 echo "Waiting ${DB_TIMEOUT}s for database to be ready..."
 counter=1
diff --git a/rootfs/etc/cont-init.d/13-config-anonaddy.sh b/rootfs/etc/cont-init.d/13-config-anonaddy.sh
index f776294..9fd44e8 100755
--- a/rootfs/etc/cont-init.d/13-config-anonaddy.sh
+++ b/rootfs/etc/cont-init.d/13-config-anonaddy.sh
@@ -35,6 +35,8 @@ DB_DATABASE=${DB_DATABASE}
 DB_USERNAME=${DB_USERNAME}
 DB_PASSWORD=${DB_PASSWORD}
 
+MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA}
+
 BROADCAST_DRIVER=log
 CACHE_DRIVER=file
 QUEUE_CONNECTION=sync
diff --git a/rootfs/etc/cont-init.d/15-config-postfix.sh b/rootfs/etc/cont-init.d/15-config-postfix.sh
index 1b2b807..ad81661 100755
--- a/rootfs/etc/cont-init.d/15-config-postfix.sh
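Review bot: The `if [ "$DB_SSL" = "true" ]` check in the added 00-env block accepts only that exact lowercase string, so a value such as `TRUE`, `yes` or `1` silently takes the else branch and the container connects to MySQL without TLS while the operator believes it is on. A setting that downgrades transport security should fail loudly rather than silently; before the `if`, reject anything other than the two documented values, e.g. `if [ "$DB_SSL" != "true" ] && [ "$DB_SSL" != "false" ]; then echo >&2 "ERROR: DB_SSL must be 'true' or 'false' (got '$DB_SSL')"; exit 1; fi`. The else-branch comment says the default is "null", but `${MYSQL_ATTR_SSL_CA:-}` yields an empty string, unlike the literal `null` used for `REDIS_HOST` just below; `# if DB TLS connection is disabled, default MYSQL_ATTR_SSL_CA to the empty string (TLS stays off unless a CA file is set explicitly)` would be accurate.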
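Review bot: `SSL_CA_OPTION` in the 10-config.sh hunk is assigned only inside the `if [ -n "$MYSQL_ATTR_SSL_CA" ]` branch, so with no CA configured the new `dbcmd` line expands an unset variable; that is harmless under plain `sh` but aborts the init script if it (or a later edit) runs under `set -u`, so initialise it with `SSL_CA_OPTION=""` before the `if`. Separately, `--ssl-ca` on its own makes the readiness check validate the server's certificate chain but, with the MariaDB client at least, does not check that the certificate matches `DB_HOST` unless `--ssl-verify-server-cert` is also given (the MySQL client's equivalent is `--ssl-mode=VERIFY_IDENTITY`); which client binary the image ships is not visible here, so confirm and consider appending the matching flag to `SSL_CA_OPTION`. Note also that `dbcmd` is a plain string (the inner quotes terminate the outer one, as in the removed line), so a CA path containing spaces is word-split when `$dbcmd` is later expanded; the readiness loop that consumes `dbcmd` lies outside this hunk.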
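Review bot: The added `MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA}` line in the 13-config-anonaddy.sh hunk writes the variable into the application's env file even when it is empty (the `DB_SSL=false` default), so the PHP side receives an empty string rather than an absent setting; whether the application's database config drops an empty CA path or hands it to PDO cannot be seen from this hunk, so confirm that, or emit the line only when the value is non-empty. The block this line belongs to (apparently a heredoc producing the app's `.env`) starts before the hunk. A short comment above the line, `# CA bundle for TLS to MySQL; empty when DB_SSL=false and no custom CA is set`, would tie it to the defaults established in 00-env.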
+++ b/rootfs/etc/cont-init.d/15-config-postfix.sh
@@ -209,6 +209,16 @@ hosts = ${DB_HOST}:${DB_PORT}
 dbname = ${DB_DATABASE}
 query = SELECT (SELECT 1 FROM usernames WHERE ${QUERY_USERNAMES}) AS usernames, (SELECT 1 FROM domains WHERE domain = '%s' AND domain_verified_at IS NOT NULL) AS domains LIMIT 1;
 EOL
+
+# Add support for DB connection over TLS
+if [ -n "$MYSQL_ATTR_SSL_CA" ]; then
+ cat >>/etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf <