nuxsmin / docker-syspass

Docker stuff for running sysPass on Docker
GNU General Public License v3.0

Updated docker-compose File #35

Closed 3XC1T3D closed 2 years ago

3XC1T3D commented 4 years ago

Hi,

I worked a little bit with your docker-compose file and it wasn't very handy. For example, if I shut down the application and database and restarted them (docker compose down and up), because of the Docker link feature the containers are getting DHCP IP addresses. Also I exposed ports 80 and 443 like in your documentation. Also I am using LDAPS. Therefore I changed a little bit of the compose file. If you're interested in merging some changes into yours, feel free.

```yaml
version: '2'
services:
  app:
    container_name: syspass-app
    image: syspass/syspass:3.1.1
    hostname: <SYSPASS_HOSTNAME>
    networks:
      syspass_net:
        ipv4_address: 172.21.0.3
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /opt/syspass/config:/var/www/html/sysPass/app/config
      - /opt/syspass/backup:/var/www/html/sysPass/app/backup
      - /opt/syspass/ssl/<SYSPASS_CERT>:/etc/ssl/certs/ssl-cert-snakeoil.pem
      - /opt/syspass/ssl/<SYSPASS_KEY>:/etc/ssl/private/ssl-cert-snakeoil.key
      - /opt/syspass/ssl/<AD_CA_CERT>:/etc/ssl/certs/ca-certificates.crt
    environment:
      - USE_SSL=yes
  db:
    container_name: syspass-db
    restart: always
    image: mariadb:10.2
    networks:
      syspass_net:
        ipv4_address: 172.21.0.4
    environment:
      - MYSQL_ROOT_PASSWORD=syspass
    expose:
      - "3306"
    volumes:
      - /opt/syspass/db:/var/lib/mysql
networks:
  syspass_net:
    ipam:
      driver: default
      config:
        - subnet: 172.21.0.0/16
```
`<SYSPASS_HOSTNAME>` is the hostname / DNS entry which you want to call in the browser. `<SYSPASS_CERT>` is the SSL certificate for Apache, `<SYSPASS_KEY>` is the SSL key for Apache, and `<AD_CA_CERT>` is the SSL CA certificate from your Active Directory for LDAPS. You can get this certificate via:

```bash
echo -n | openssl s_client -connect <AD_SERVER>:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.crt
```

If you run sysPass in your environment, it should be enough to mount the AD CA certificate to /etc/ssl/certs/ca-certificates.crt inside the container.

If you have questions, don't hesitate to contact me.

Best regards
CyrosX commented 4 years ago

We're using it right now with our Synology and it seems to work very well. Thank you. In the LDAP connection we had to leave TLS off and set the connection to ldaps://name.of.server (so it uses port 636 instead of the normal 389). At first we didn't get the connection to the syspass-db to work, but after some days of waiting it mysteriously worked (same on the normal Dockerfile). The only part we've changed is the left side of `ports:`

I've added the certificates to the container and in Synology to bind it to the reverse proxy (dunno what's really needed, but seem to work)

nuxsmin commented 4 years ago

Hello, sorry for the late reply...

I know Docker installations are tricky because of the network, but setting a fixed IP address would lead to an IP address conflict in many environments, since Docker is a dynamic environment and many people don't care about IPAM related stuff.

Anyway, I'll take some useful parts from your compose file like certificates handling.

Many thanks for your contribution @3XC1T3D !
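The IP conflict raised above is checkable before `docker compose up`. The following is an added example, not code from the docker-syspass repository: it takes the subnet and `ipv4_address` values from the compose file in this issue plus the JSON that `docker network inspect` prints for the existing networks (a constructed sample is embedded), and reports overlapping subnets and fixed addresses that fall outside the declared subnet, collide with the gateway, or are assigned twice.

```python
"""Pre-flight check for a compose file that pins a subnet and container IPs.

Added example, not part of docker-syspass. The inspect JSON below is a
constructed sample standing in for `docker network inspect $(docker network ls -q)`.
"""
import ipaddress
import json

# Values taken from the compose file posted in the issue.
SYSPASS_SUBNET = "172.21.0.0/16"
FIXED_ADDRESSES = {"syspass-app": "172.21.0.3", "syspass-db": "172.21.0.4"}

# Constructed sample: default bridge plus an older network that already
# uses part of 172.21.0.0/16, which is exactly the conflict case.
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}},
    {"Name": "legacy_net", "IPAM": {"Config": [{"Subnet": "172.21.0.0/24", "Gateway": "172.21.0.1"}]}},
    {"Name": "host", "IPAM": {"Config": []}},
])


def existing_subnets(inspect_json):
    """Yield (network name, subnet) pairs from `docker network inspect` JSON."""
    for net in json.loads(inspect_json):
        for cfg in net.get("IPAM", {}).get("Config") or []:
            if "Subnet" in cfg:
                yield net["Name"], ipaddress.ip_network(cfg["Subnet"], strict=False)


def check_compose_network(subnet, fixed, inspect_json, gateway=None):
    """Return a list of findings; an empty list means no conflict was found."""
    net = ipaddress.ip_network(subnet, strict=False)
    # Docker uses the first usable address as the gateway unless one is configured.
    gw = ipaddress.ip_address(gateway) if gateway else net.network_address + 1
    findings = []
    for name, other in existing_subnets(inspect_json):
        if net.overlaps(other):
            findings.append(f"subnet {net} overlaps Docker network '{name}' ({other})")
    seen = {}
    for service, addr in fixed.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            findings.append(f"{service}: {ip} is outside {net}")
        elif ip == gw:
            findings.append(f"{service}: {ip} is the gateway address")
        if ip in seen:
            findings.append(f"{service}: {ip} already assigned to {seen[ip]}")
        seen[ip] = service
    return findings


if __name__ == "__main__":
    for line in check_compose_network(SYSPASS_SUBNET, FIXED_ADDRESSES, SAMPLE_INSPECT):
        print("WARN", line)
```

Replace `SAMPLE_INSPECT` with the real `docker network inspect` output to run it against your host.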

3XC1T3D commented 4 years ago

Hi @nuxsmin ,

Yeah, I know the fact with the fixed IP address, but I think it's the only way to run it productively in Docker. Maybe you could add a hint in the docker-compose readme.

Thank you, for your work :)

kfeina commented 3 years ago

Hello,

I had the same problem with the non exposed ports in the syspass-app container.

In my opinion, configuring `ports: - "80:80" - "443:443"` by default is mandatory to facilitate Docker deployment.

It happens also in v3.2.1.

Regards.

nuxsmin commented 3 years ago

@kfeina I agree with you, but taking into account that sysPass is a security application, it could be risky to use these default HTTP/S ports for inexperienced users or non-tested installations. That is the reason these ports are set randomly.

Regards

CyrosX commented 3 years ago

I've fiddled around and made this solution: you only need to get the public certificate .pem (rename it to .crt) / .crt of the CA and put it in a folder to mount it:

volumes:

This also allows renewing the certificate in an easy way.

Maybe "update-ca-certificates" should be added to entrypoint.sh? @nuxsmin