DB connection over TLS/SSL

README.md

@@ -135,6 +135,8 @@ Image: anonaddy/anonaddy:latest
 * `DB_USERNAME`: MySQL user (default `anonaddy`)
 * `DB_PASSWORD`: MySQL password
 * `DB_TIMEOUT`: Time in seconds after which we stop trying to reach the MySQL server (useful for clusters, default `60`)
+* `DB_SSL`: set this to `true` to connect to MySQL over TLS/SSL (default `false`)
+* `MYSQL_ATTR_SSL_CA`: the certificate authority (CA) chain file that can verify MySQL server's certificate, when connecting over TLS/SSL. If `DB_SSL=true` this variable's default is `/etc/ssl/certs/ca-certificates.crt`, containing public CAs' roots of trust from the container image base; if `DB_SSL=false` this variable is empty by default. If MySQL server's certificate was generated using a private CA, mount the CA's certificate file in the container (e.g. `/host/path/to/ca.pem:/etc/certificates/my-ca.pem`) and point `MYSQL_ATTR_SSL_CA` to that file in the container (e.g. `MYSQL_ATTR_SSL_CA=/etc/certificates/my-ca.pem`). **Warning:** setting `MYSQL_ATTR_SSL_CA` to a custom value enforces connecting to MySQL over TLS/SSL regardless of the value of `DB_SSL`.
 
 > **Note**
 >

rootfs/etc/cont-init.d/00-env

@@ -51,6 +51,16 @@ DB_DATABASE=${DB_DATABASE:-anonaddy}
 #DB_PASSWORD=${DB_PASSWORD:-asupersecretpassword}
 DB_TIMEOUT=${DB_TIMEOUT:-60}
 
+# Add support for DB connection over TLS
+DB_SSL=${DB_SSL:-false}
+if [ "$DB_SSL" = "true" ]; then
+  # if DB TLS connection is enabled, default MYSQL_ATTR_SSL_CA to /etc/ssl/certs/ca-certificates.crt
+  MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA:-/etc/ssl/certs/ca-certificates.crt}
+else
+  # if DB TLS connection is disabled, default MYSQL_ATTR_SSL_CA to null
+  MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA:-}
+fi
+
 REDIS_HOST=${REDIS_HOST:-null}
 #REDIS_PASSWORD=${REDIS_PASSWORD:-null}
 REDIS_PORT=${REDIS_PORT:-6379}

rootfs/etc/cont-init.d/10-config.sh

@@ -45,7 +45,13 @@ if [ -z "$DB_PASSWORD" ]; then
   echo >&2 "ERROR: Either DB_PASSWORD or DB_PASSWORD_FILE must be defined"
   exit 1
 fi
-dbcmd="mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}""
+
+# Add support for DB connection over TLS
+
+if [ -n "$MYSQL_ATTR_SSL_CA" ]; then
+  SSL_CA_OPTION="--ssl-ca=$MYSQL_ATTR_SSL_CA"
+fi
+dbcmd="mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}" ${SSL_CA_OPTION}"
 
 echo "Waiting ${DB_TIMEOUT}s for database to be ready..."
 counter=1

rootfs/etc/cont-init.d/13-config-anonaddy.sh

@@ -35,6 +35,8 @@ DB_DATABASE=${DB_DATABASE}
 DB_USERNAME=${DB_USERNAME}
 DB_PASSWORD=${DB_PASSWORD}
 
+MYSQL_ATTR_SSL_CA=${MYSQL_ATTR_SSL_CA}
+
 BROADCAST_DRIVER=log
 CACHE_DRIVER=file
 QUEUE_CONNECTION=sync

rootfs/etc/cont-init.d/15-config-postfix.sh

@@ -209,6 +209,16 @@ hosts = ${DB_HOST}:${DB_PORT}
 dbname = ${DB_DATABASE}
 query = SELECT (SELECT 1 FROM usernames WHERE ${QUERY_USERNAMES}) AS usernames, (SELECT 1 FROM domains WHERE domain = '%s' AND domain_verified_at IS NOT NULL) AS domains LIMIT 1;
 EOL
+
+# Add support for DB connection over TLS
+if [ -n "$MYSQL_ATTR_SSL_CA" ]; then
+  cat >>/etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf <<EOL
+tls_ciphers = TLSv1.3, TLSv1.2
+tls_CAfile = ${MYSQL_ATTR_SSL_CA}
+tls_verify_cert = yes
+EOL
+fi
+
 chmod o= /etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf
 chgrp postfix /etc/postfix/mysql-virtual-alias-domains-and-subdomains.cf