ory · terev · Nov 1, 2024 · Nov 1, 2024 · Nov 2, 2024
@@ -1,16 +1,19 @@
-FROM maven:3-jdk-11
+FROM maven:3-openjdk-17-slim
 
 WORKDIR /usr/src/mymaven
+RUN apt-get update && apt-get install -y \
+    unzip \
+    wget \
+    redir \
+    ca-certificates
 
-RUN wget https://gitlab.com/openid/conformance-suite/-/archive/release-v4.1.4/conformance-suite-release-v4.1.4.zip && \
-  unzip conformance-suite-release-v4.1.4.zip -d . && \
-  rm conformance-suite-release-v4.1.4.zip && \
-  find conformance-suite-release-v4.1.4 -maxdepth 1 -mindepth 1 -exec mv {} . \; && \
-  rmdir conformance-suite-release-v4.1.4
-
-RUN mvn -B clean package -DskipTests && \
-    apt-get update && apt-get install -y \
-    redir ca-certificates
+ARG CONFORMANCE_SUITE_VERSION=v5.1.24
+RUN wget https://gitlab.com/openid/conformance-suite/-/archive/release-${CONFORMANCE_SUITE_VERSION}/conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip && \
+  unzip conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip -d . && \
+  rm conformance-suite-release-${CONFORMANCE_SUITE_VERSION}.zip && \
+  find conformance-suite-release-${CONFORMANCE_SUITE_VERSION} -maxdepth 1 -mindepth 1 -exec mv {} . \; && \
+  rmdir conformance-suite-release-${CONFORMANCE_SUITE_VERSION} && \
+  mvn -B -Dmaven.test.skip -Dpmd.skip clean package
 
 COPY ssl/ory-conformity.crt /etc/ssl/certs/
 COPY ssl/ory-conformity.key /etc/ssl/private/

@@ -21,7 +21,7 @@ services:
         target: /etc/config/hydra
 
   mongodb:
-    image: mongo:4.2
+    image: mongo:5.0
     networks:
       - intranet
     volumes:
@@ -33,12 +33,13 @@ services:
 
   httpd:
     image: oryd/hydra-oidc-httpd:latest
-    #    build:
-    #      # When running with `run.sh` the cwd is the project's root.
-    #      context: ./test/conformance
-    #      dockerfile: httpd/Dockerfile
+    build:
+      # When running with `run.sh` the cwd is the project's root.
+      context: ./test/conformance
+      dockerfile: httpd/Dockerfile
     ports:
       - "8443:8443"
+      - "8444:8444"
     depends_on:
       - server
     networks:
@@ -47,10 +48,10 @@ services:
 
   server:
     image: oryd/hydra-oidc-server:latest
-    #    build:
-    #      # When running with `run.sh` the cwd is the project's root.
-    #      context: ./test/conformance
-    #      dockerfile: Dockerfile
+    build:
+      # When running with `run.sh` the cwd is the project's root.
+      context: ./test/conformance
+      dockerfile: Dockerfile
     depends_on:
       - mongodb
     logging:

@@ -1,10 +1,10 @@
-FROM debian:stretch
+FROM debian:buster
 RUN apt-get update \
 	&& apt-get install -y apache2 ssl-cert ca-certificates \
 	&& apt-get clean
 RUN \
 	echo 'Listen 8443' > /etc/apache2/ports.conf \
-	&& a2enmod headers proxy proxy_ajp proxy_http rewrite ssl \
+	&& a2enmod headers proxy proxy_http rewrite ssl \
 	&& a2dissite 000-default.conf
 
 COPY httpd/server.conf /etc/apache2/sites-enabled

@@ -1,23 +1,58 @@
+LimitRequestLine 32768
+
 <VirtualHost *:8443>
-	ServerName localhost
-	ErrorLog /dev/stderr
-	CustomLog /dev/stdout combined
-	ProxyPreserveHost on
-	RewriteEngine on
-	SSLEngine on
-	SSLCertificateFile /etc/ssl/certs/ory-conformity.crt
-	SSLCertificateKeyFile /etc/ssl/private/ory-conformity.key
-	RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s"
-	RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s"
-	ProxyPass "/" "ajp://server:9090/"
-	# RewriteRule "^/(.*)$" "http://server:8080/$1" [P]
-	ProxyPassReverse "/" "ajp://server:9090/"
-	<Location "/">
-		Require all granted
-	</Location>
-	<Location "/test-mtls/">
-		SSLVerifyClient optional_no_ca
-		RequestHeader set X-Ssl-Cert "%{SSL_CLIENT_CERT}s"
-		RequestHeader set X-Ssl-Verify "%{SSL_CLIENT_VERIFY}s"
-	</Location>
+  ServerName localhost
+  ErrorLog /dev/stderr
+  CustomLog /dev/stdout combined
+  ProxyPreserveHost on
+  RewriteEngine on
+  SSLEngine on
+  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
+  SSLCertificateFile /etc/ssl/certs/ory-conformity.crt
+  SSLCertificateKeyFile /etc/ssl/private/ory-conformity.key
+  RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s"
+  RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s"
+  RequestHeader set X-Forwarded-Proto https
+  RequestHeader set X-Forwarded-Port 8443
+  ProxyPass "/" "http://server:8080/"
+  # RewriteRule "^/(.*)$" "http://server:8080/$1" [P]
+  ProxyPassReverse "/" "http://server:8080/"
+  <Location "/">
+    Require all granted
+  </Location>
+  <Location "/test-mtls">
+    RequestHeader set X-Test-Mtls-Called-On-Wrong-Host "true"
+  </Location>
+</VirtualHost>
+<VirtualHost *:8444>
+  ServerName localhost
+  ErrorLog /dev/stderr
+  CustomLog /dev/stdout combined
+  ProxyPreserveHost on
+  RewriteEngine on
+  SSLEngine on
+  SSLProtocol +TLSv1.2 +TLSv1.3
+  Protocols http/1.1
+  SSLCertificateFile /etc/ssl/certs/ory-conformity.crt
+  SSLCertificateKeyFile /etc/ssl/private/ory-conformity.key
+  RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}s"
+  RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}s"
+  RequestHeader set X-Forwarded-Proto https
+  RequestHeader set X-Forwarded-Port 8444
+  ProxyPass "/" "http://server:8080/"
+  ProxyPassReverse "/" "http://server:8080/"
+  <Location "/">
+    Require all granted
+  </Location>
+
+  SSLVerifyClient optional_no_ca
+  SSLVerifyDepth 5
+  RequestHeader set X-Ssl-Cert "%{SSL_CLIENT_CERT}s"
+  RequestHeader set X-Ssl-Verify "%{SSL_CLIENT_VERIFY}s"
+  RequestHeader set X-Ssl-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}s"
+  RequestHeader set X-Ssl-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}s"
+  RequestHeader set X-Ssl-Cert-Chain-2 "%{SSL_CLIENT_CERT_CHAIN_2}s"
+  RequestHeader set X-Ssl-Cert-Chain-3 "%{SSL_CLIENT_CERT_CHAIN_3}s"
+  RequestHeader set X-Ssl-Cert-Chain-4 "%{SSL_CLIENT_CERT_CHAIN_4}s"
+  RequestHeader set X-Ssl-Cert-Chain-5 "%{SSL_CLIENT_CERT_CHAIN_5}s"
 </VirtualHost>