From 6214417384aa24ff1444e63bdd8bb3b7853180c9 Mon Sep 17 00:00:00 2001 From: lordrobincbz Date: Wed, 11 Dec 2024 14:44:09 +0100 Subject: [PATCH 01/17] feat:(config.inc.php/docker-entrypoint.sh): Add support for mTLS to a remote server/cluster/service --- README.md | 9 ++++- apache/config.inc.php | 28 +++++++++++++++ apache/docker-entrypoint.sh | 64 +++++++++++++++++++++++++++++++++ fpm-alpine/config.inc.php | 28 +++++++++++++++ fpm-alpine/docker-entrypoint.sh | 63 ++++++++++++++++++++++++++++++++ fpm/config.inc.php | 28 +++++++++++++++ fpm/docker-entrypoint.sh | 63 ++++++++++++++++++++++++++++++++ 7 files changed, 282 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8fbece6..dfa2279 100644 --- a/README.md +++ b/README.md 
@@ -185,7 +185,14 @@ docker run --name phpmyadmin -d -e PMA_HOSTS='sslhost,nosslhost' -e PMA_SSLS='1, * ``PMA_SOCKET`` - define socket file for the MySQL connection * ``PMA_SOCKETS`` - define comma separated list of socket files for the MySQL connections * ``PMA_SSL`` - when set to 1, defines SSL usage for the MySQL connection -* ``PMA_SSLS`` - comma separated list of `0` and `1` defining SSL usage for the corresponding MySQL connections +* ``PMA_SSL_VERIFY`` - when set to 1, enables SSL certificate verification for the MySQL connection. +* ``PMA_SSL_VERIFIES`` - comma-separated list of `0` and `1` to enable or disable SSL certificate verification for multiple MySQL connections. +* ``PMA_SSL_CA_BASE64`` - in the context of mTLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`. +* ``PMA_SSL_CAS_BASE64`` - in the context of mTLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`. +* ``PMA_SSL_CERT_BASE64`` - in the context of mTLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`. +* ``PMA_SSL_CERTS_BASE64`` - in the context of mTLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`. +* ``PMA_SSL_KEY_BASE64`` - in the context of mTLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`. +* ``PMA_SSL_KEYS_BASE64`` - in the context of mTLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`. * ``PMA_USER`` and ``PMA_PASSWORD`` - define username and password to use only with the `config` authentication method * ``PMA_ABSOLUTE_URI`` - the full URL to phpMyAdmin. Sometimes needed when used in a reverse-proxy configuration. Don't set this unless needed. 
See [documentation](https://docs.phpmyadmin.net/en/latest/config.html#cfg_PmaAbsoluteUri). * ``PMA_CONFIG_BASE64`` - if set, this option will override the default `config.inc.php` with the base64 decoded contents of the variable diff --git a/apache/config.inc.php b/apache/config.inc.php index 9f5d2ac..693a715 100644 --- a/apache/config.inc.php +++ b/apache/config.inc.php @@ -28,7 +28,15 @@ 'PMA_UPLOADDIR', 'PMA_SAVEDIR', 'PMA_SSL', + 'PMA_SSL_VERIFY', + 'PMA_SSL_CA', + 'PMA_SSL_KEY', + 'PMA_SSL_CERT', 'PMA_SSLS', + 'PMA_SSL_VERIFIES', + 'PMA_SSL_CAS', + 'PMA_SSL_KEYS', + 'PMA_SSL_CERTS' ]; foreach ($vars as $var) { @@ -66,11 +74,19 @@ $verbose = [$_ENV['PMA_VERBOSE']]; $ports = [$_ENV['PMA_PORT']]; $ssls = [$_ENV['PMA_SSL']]; + $ssl_verifies = [$_ENV['PMA_SSL_VERIFY']]; + $ssl_cas = [$_ENV['PMA_SSL_CA']]; + $ssl_keys = [$_ENV['PMA_SSL_KEY']]; + $ssl_certs = [$_ENV['PMA_SSL_CERT']]; } elseif (! empty($_ENV['PMA_HOSTS'])) { $hosts = array_map('trim', explode(',', $_ENV['PMA_HOSTS'])); $verbose = array_map('trim', explode(',', $_ENV['PMA_VERBOSES'])); $ports = array_map('trim', explode(',', $_ENV['PMA_PORTS'])); $ssls = array_map('trim', explode(',', $_ENV['PMA_SSLS'])); + $ssl_verifies = array_map('trim', explode(',', $_ENV['PMA_SSL_VERIFIES'])); + $ssl_cas = array_map('trim', explode(',', $_ENV['PMA_SSL_CAS'])); + $ssl_keys = array_map('trim', explode(',', $_ENV['PMA_SSL_KEYS'])); + $ssl_certs = array_map('trim', explode(',', $_ENV['PMA_SSL_CERTS'])); } if (! empty($_ENV['PMA_SOCKET'])) { 
@@ -84,6 +100,18 @@
 if (isset($ssls[$i - 1]) && $ssls[$i - 1] === '1') {
 $cfg['Servers'][$i]['ssl'] = $ssls[$i - 1];
 }
+ if (isset($ssl_verifies[$i - 1]) && $ssl_verifies[$i - 1] === '1') {
+ $cfg['Servers'][$i]['ssl_verify'] = $ssl_verifies[$i - 1];
+ }
+ if (isset($ssl_cas[$i - 1])) {
+ $cfg['Servers'][$i]['ssl_ca'] = $ssl_cas[$i - 1];
+ }
+ if (isset($ssl_keys[$i - 1])) {
+ $cfg['Servers'][$i]['ssl_key'] = $ssl_keys[$i - 1];
+ }
+ if (isset($ssl_certs[$i - 1])) {
+ $cfg['Servers'][$i]['ssl_cert'] = $ssl_certs[$i - 1];
+ }
 $cfg['Servers'][$i]['host'] = $hosts[$i - 1];
 if (isset($verbose[$i - 1])) {
 $cfg['Servers'][$i]['verbose'] = $verbose[$i - 1];
diff --git a/apache/docker-entrypoint.sh b/apache/docker-entrypoint.sh
index 5c2e85a..655072f 100755
--- a/apache/docker-entrypoint.sh
+++ b/apache/docker-entrypoint.sh
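Review bot: The four new `isset(...)` checks accept the empty string, so in the `PMA_HOSTS` branch, where `explode(',', ...)` on an unset or empty `PMA_SSL_CAS`/`PMA_SSL_KEYS`/`PMA_SSL_CERTS` yields `['']`, every server ends up with `ssl_ca`, `ssl_key` and `ssl_cert` set to `''` instead of being left at phpMyAdmin's default; the adjacent `ssls` check avoids this by testing the value with `=== '1'`. Guard on content for all three path settings, e.g. `if (isset($ssl_cas[$i - 1]) && $ssl_cas[$i - 1] !== '') {`. Whether the driver treats an empty CA path as "no CA" or as a broken path is not visible here, so the guard is the safer choice either way. The identical block appears in the fpm-alpine and fpm copies of config.inc.php later in this patch (the hunks ending in `$cfg['Servers'][$i]['verbose'] = $verbose[$i - 1];`) and needs the same change. The enclosing `for` loop over `$hosts` starts and ends outside the hunk.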
@@ -29,6 +29,45 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php fi +if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-ca from base64." + echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem + export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem" +fi + +if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-key from base64." + echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key + export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key" +fi + +if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-cert from base64." + echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem + export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem" +fi + +if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-ca from base64." + PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem") + export "PMA_SSL_CAS" +fi + +if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-key from base64." + PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert") + export "PMA_SSL_KEYS" +fi + +if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-cert from base64." + PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key") + export "PMA_SSL_CERTS" +fi + # start: Apache specific settings if [ -n "${APACHE_PORT+x}" ]; then echo "Setting apache port to ${APACHE_PORT}." 
@@ -50,6 +89,31 @@ get_docker_secret() { fi } +# This function generates SSL files from a base64 encoded string. +# Arguments: +# 1. base64_string: A comma-separated string of base64 encoded SSL files. +# 2. prefix: A prefix to be used in the output file names. +# 3. extension: The file extension to be used for the output files. +# The function creates a directory for the SSL files, decodes each base64 string, +# writes the decoded content to a file, and returns a comma-separated list of the generated file paths. +# +generate_ssl_files() { + local base64_string="${1}" + local output_dir="/etc/phpmyadmin/ssl" + mkdir -p "${output_dir}" + IFS=',' read -ra FILES <<< "${base64_string}" + local counter=1 + local ssl_files="" + for file in "${FILES[@]}"; do + local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}" + echo "${file}" | base64 -d > "${output_file}" + ssl_files="${ssl_files}${output_file}," + counter=$((counter + 1)) + done + ssl_files="${ssl_files%,}" + echo "${ssl_files}" +} + get_docker_secret PMA_USER get_docker_secret PMA_PASSWORD get_docker_secret MYSQL_ROOT_PASSWORD diff --git a/fpm-alpine/config.inc.php b/fpm-alpine/config.inc.php index 9f5d2ac..693a715 100644 --- a/fpm-alpine/config.inc.php +++ b/fpm-alpine/config.inc.php @@ -28,7 +28,15 @@ 'PMA_UPLOADDIR', 'PMA_SAVEDIR', 'PMA_SSL', + 'PMA_SSL_VERIFY', + 'PMA_SSL_CA', + 'PMA_SSL_KEY', + 'PMA_SSL_CERT', 'PMA_SSLS', + 'PMA_SSL_VERIFIES', + 'PMA_SSL_CAS', + 'PMA_SSL_KEYS', + 'PMA_SSL_CERTS' ]; foreach ($vars as $var) { 
@@ -66,11 +74,19 @@ $verbose = [$_ENV['PMA_VERBOSE']]; $ports = [$_ENV['PMA_PORT']]; $ssls = [$_ENV['PMA_SSL']]; + $ssl_verifies = [$_ENV['PMA_SSL_VERIFY']]; + $ssl_cas = [$_ENV['PMA_SSL_CA']]; + $ssl_keys = [$_ENV['PMA_SSL_KEY']]; + $ssl_certs = [$_ENV['PMA_SSL_CERT']]; } elseif (! empty($_ENV['PMA_HOSTS'])) { $hosts = array_map('trim', explode(',', $_ENV['PMA_HOSTS'])); $verbose = array_map('trim', explode(',', $_ENV['PMA_VERBOSES'])); $ports = array_map('trim', explode(',', $_ENV['PMA_PORTS'])); $ssls = array_map('trim', explode(',', $_ENV['PMA_SSLS'])); + $ssl_verifies = array_map('trim', explode(',', $_ENV['PMA_SSL_VERIFIES'])); + $ssl_cas = array_map('trim', explode(',', $_ENV['PMA_SSL_CAS'])); + $ssl_keys = array_map('trim', explode(',', $_ENV['PMA_SSL_KEYS'])); + $ssl_certs = array_map('trim', explode(',', $_ENV['PMA_SSL_CERTS'])); } if (! empty($_ENV['PMA_SOCKET'])) { @@ -84,6 +100,18 @@ if (isset($ssls[$i - 1]) && $ssls[$i - 1] === '1') { $cfg['Servers'][$i]['ssl'] = $ssls[$i - 1]; } + if (isset($ssl_verifies[$i - 1]) && $ssl_verifies[$i - 1] === '1') { + $cfg['Servers'][$i]['ssl_verify'] = $ssl_verifies[$i - 1]; + } + if (isset($ssl_cas[$i - 1])) { + $cfg['Servers'][$i]['ssl_ca'] = $ssl_cas[$i - 1]; + } + if (isset($ssl_keys[$i - 1])) { + $cfg['Servers'][$i]['ssl_key'] = $ssl_keys[$i - 1]; + } + if (isset($ssl_certs[$i - 1])) { + $cfg['Servers'][$i]['ssl_cert'] = $ssl_certs[$i - 1]; + } $cfg['Servers'][$i]['host'] = $hosts[$i - 1]; if (isset($verbose[$i - 1])) { $cfg['Servers'][$i]['verbose'] = $verbose[$i - 1]; diff --git a/fpm-alpine/docker-entrypoint.sh b/fpm-alpine/docker-entrypoint.sh index 0d98e27..7a4c8f7 100755 --- a/fpm-alpine/docker-entrypoint.sh +++ b/fpm-alpine/docker-entrypoint.sh 
@@ -29,6 +29,44 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php fi +if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-ca from base64." + echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem + export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem" +fi + +if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-key from base64." + echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key + export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key" +fi + +if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-cert from base64." + echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem + export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem" +fi + +if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-ca from base64." + PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem") + export "PMA_SSL_CAS" +fi + +if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-key from base64." + PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert") + export "PMA_SSL_KEYS" +fi + +if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-cert from base64." + PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key") + export "PMA_SSL_CERTS" +fi get_docker_secret() { local env_var="${1}" 
@@ -42,6 +80,31 @@ get_docker_secret() { fi } +# This function generates SSL files from a base64 encoded string. +# Arguments: +# 1. base64_string: A comma-separated string of base64 encoded SSL files. +# 2. prefix: A prefix to be used in the output file names. +# 3. extension: The file extension to be used for the output files. +# The function creates a directory for the SSL files, decodes each base64 string, +# writes the decoded content to a file, and returns a comma-separated list of the generated file paths. +# +generate_ssl_files() { + local base64_string="${1}" + local output_dir="/etc/phpmyadmin/ssl" + mkdir -p "${output_dir}" + IFS=',' read -ra FILES <<< "${base64_string}" + local counter=1 + local ssl_files="" + for file in "${FILES[@]}"; do + local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}" + echo "${file}" | base64 -d > "${output_file}" + ssl_files="${ssl_files}${output_file}," + counter=$((counter + 1)) + done + ssl_files="${ssl_files%,}" + echo "${ssl_files}" +} + get_docker_secret PMA_USER get_docker_secret PMA_PASSWORD get_docker_secret MYSQL_ROOT_PASSWORD diff --git a/fpm/config.inc.php b/fpm/config.inc.php index 9f5d2ac..693a715 100644 --- a/fpm/config.inc.php +++ b/fpm/config.inc.php @@ -28,7 +28,15 @@ 'PMA_UPLOADDIR', 'PMA_SAVEDIR', 'PMA_SSL', + 'PMA_SSL_VERIFY', + 'PMA_SSL_CA', + 'PMA_SSL_KEY', + 'PMA_SSL_CERT', 'PMA_SSLS', + 'PMA_SSL_VERIFIES', + 'PMA_SSL_CAS', + 'PMA_SSL_KEYS', + 'PMA_SSL_CERTS' ]; foreach ($vars as $var) { 
@@ -66,11 +74,19 @@ $verbose = [$_ENV['PMA_VERBOSE']]; $ports = [$_ENV['PMA_PORT']]; $ssls = [$_ENV['PMA_SSL']]; + $ssl_verifies = [$_ENV['PMA_SSL_VERIFY']]; + $ssl_cas = [$_ENV['PMA_SSL_CA']]; + $ssl_keys = [$_ENV['PMA_SSL_KEY']]; + $ssl_certs = [$_ENV['PMA_SSL_CERT']]; } elseif (! empty($_ENV['PMA_HOSTS'])) { $hosts = array_map('trim', explode(',', $_ENV['PMA_HOSTS'])); $verbose = array_map('trim', explode(',', $_ENV['PMA_VERBOSES'])); $ports = array_map('trim', explode(',', $_ENV['PMA_PORTS'])); $ssls = array_map('trim', explode(',', $_ENV['PMA_SSLS'])); + $ssl_verifies = array_map('trim', explode(',', $_ENV['PMA_SSL_VERIFIES'])); + $ssl_cas = array_map('trim', explode(',', $_ENV['PMA_SSL_CAS'])); + $ssl_keys = array_map('trim', explode(',', $_ENV['PMA_SSL_KEYS'])); + $ssl_certs = array_map('trim', explode(',', $_ENV['PMA_SSL_CERTS'])); } if (! empty($_ENV['PMA_SOCKET'])) { @@ -84,6 +100,18 @@ if (isset($ssls[$i - 1]) && $ssls[$i - 1] === '1') { $cfg['Servers'][$i]['ssl'] = $ssls[$i - 1]; } + if (isset($ssl_verifies[$i - 1]) && $ssl_verifies[$i - 1] === '1') { + $cfg['Servers'][$i]['ssl_verify'] = $ssl_verifies[$i - 1]; + } + if (isset($ssl_cas[$i - 1])) { + $cfg['Servers'][$i]['ssl_ca'] = $ssl_cas[$i - 1]; + } + if (isset($ssl_keys[$i - 1])) { + $cfg['Servers'][$i]['ssl_key'] = $ssl_keys[$i - 1]; + } + if (isset($ssl_certs[$i - 1])) { + $cfg['Servers'][$i]['ssl_cert'] = $ssl_certs[$i - 1]; + } $cfg['Servers'][$i]['host'] = $hosts[$i - 1]; if (isset($verbose[$i - 1])) { $cfg['Servers'][$i]['verbose'] = $verbose[$i - 1]; diff --git a/fpm/docker-entrypoint.sh b/fpm/docker-entrypoint.sh index 0d98e27..7a4c8f7 100755 --- a/fpm/docker-entrypoint.sh +++ b/fpm/docker-entrypoint.sh 
@@ -29,6 +29,44 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php fi +if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-ca from base64." + echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem + export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem" +fi + +if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-key from base64." + echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key + export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key" +fi + +if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then + mkdir -p /etc/phpmyadmin/ssl + echo "Adding the custom pma-ssl-cert from base64." + echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem + export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem" +fi + +if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-ca from base64." + PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem") + export "PMA_SSL_CAS" +fi + +if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-key from base64." + PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert") + export "PMA_SSL_KEYS" +fi + +if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then + echo "Adding multiples custom pma-ssl-cert from base64." + PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key") + export "PMA_SSL_CERTS" +fi get_docker_secret() { local env_var="${1}" 
@@ -42,6 +80,31 @@ get_docker_secret() { fi } +# This function generates SSL files from a base64 encoded string. +# Arguments: +# 1. base64_string: A comma-separated string of base64 encoded SSL files. +# 2. prefix: A prefix to be used in the output file names. +# 3. extension: The file extension to be used for the output files. +# The function creates a directory for the SSL files, decodes each base64 string, +# writes the decoded content to a file, and returns a comma-separated list of the generated file paths. +# +generate_ssl_files() { + local base64_string="${1}" + local output_dir="/etc/phpmyadmin/ssl" + mkdir -p "${output_dir}" + IFS=',' read -ra FILES <<< "${base64_string}" + local counter=1 + local ssl_files="" + for file in "${FILES[@]}"; do + local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}" + echo "${file}" | base64 -d > "${output_file}" + ssl_files="${ssl_files}${output_file}," + counter=$((counter + 1)) + done + ssl_files="${ssl_files%,}" + echo "${ssl_files}" +} + get_docker_secret PMA_USER get_docker_secret PMA_PASSWORD get_docker_secret MYSQL_ROOT_PASSWORD From b78da1f2a386e6c427b204efeb31e155bc8c32ec Mon Sep 17 00:00:00 2001 From: lordrobincbz Date: Sat, 21 Dec 2024 16:22:07 +0100 Subject: [PATCH 02/17] fix(config.inc.php/docker-entrypoint.sh,dockerfile,helpers.php): Move TLS logic from entrypoint to php configuration files --- apache/Dockerfile | 1 + apache/config.inc.php | 44 +++++++++++++++++++++++++ apache/docker-entrypoint.sh | 64 ------------------------------------- apache/helpers.php | 43 +++++++++++++++++++++++++ 4 files changed, 88 insertions(+), 64 deletions(-) create mode 100644 apache/helpers.php diff --git a/apache/Dockerfile b/apache/Dockerfile index 2984356..dfae652 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile 
@@ -140,6 +140,7 @@ RUN set -ex; \ # Copy configuration COPY config.inc.php /etc/phpmyadmin/config.inc.php +COPY helpers.php /etc/phpmyadmin/helpers.php RUN chown www-data:www-data -R /etc/phpmyadmin/ # Copy main script diff --git a/apache/config.inc.php b/apache/config.inc.php index 693a715..74e5085 100644 --- a/apache/config.inc.php +++ b/apache/config.inc.php @@ -1,6 +1,9 @@ /etc/phpmyadmin/config.user.inc.php fi -if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-ca from base64." - echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem - export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem" -fi - -if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-key from base64." - echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key - export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key" -fi - -if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-cert from base64." - echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem - export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem" -fi - -if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-ca from base64." - PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem") - export "PMA_SSL_CAS" -fi - -if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-key from base64." - PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert") - export "PMA_SSL_KEYS" -fi - -if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-cert from base64." - PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key") - export "PMA_SSL_CERTS" -fi - # start: Apache specific settings if [ -n "${APACHE_PORT+x}" ]; then echo "Setting apache port to ${APACHE_PORT}." 
@@ -89,31 +50,6 @@ get_docker_secret() { fi } -# This function generates SSL files from a base64 encoded string. -# Arguments: -# 1. base64_string: A comma-separated string of base64 encoded SSL files. -# 2. prefix: A prefix to be used in the output file names. -# 3. extension: The file extension to be used for the output files. -# The function creates a directory for the SSL files, decodes each base64 string, -# writes the decoded content to a file, and returns a comma-separated list of the generated file paths. -# -generate_ssl_files() { - local base64_string="${1}" - local output_dir="/etc/phpmyadmin/ssl" - mkdir -p "${output_dir}" - IFS=',' read -ra FILES <<< "${base64_string}" - local counter=1 - local ssl_files="" - for file in "${FILES[@]}"; do - local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}" - echo "${file}" | base64 -d > "${output_file}" - ssl_files="${ssl_files}${output_file}," - counter=$((counter + 1)) - done - ssl_files="${ssl_files%,}" - echo "${ssl_files}" -} - get_docker_secret PMA_USER get_docker_secret PMA_PASSWORD get_docker_secret MYSQL_ROOT_PASSWORD diff --git a/apache/helpers.php b/apache/helpers.php new file mode 100644 index 0000000..54d2942 --- /dev/null +++ b/apache/helpers.php @@ -0,0 +1,43 @@ + Date: Sat, 21 Dec 2024 16:24:25 +0100 Subject: [PATCH 03/17] fix(config.inc.php/docker-entrypoint.sh,dockerfile,helpers.php): Move TLS logic from entrypoint to php configuration files, in all other build --- README.md | 12 +++---- fpm-alpine/Dockerfile | 1 + fpm-alpine/config.inc.php | 41 +++++++++++++++++++++ fpm-alpine/docker-entrypoint.sh | 64 --------------------------------- fpm-alpine/helpers.php | 43 ++++++++++++++++++++++ fpm/Dockerfile | 1 + fpm/config.inc.php | 41 +++++++++++++++++++++ fpm/docker-entrypoint.sh | 64 --------------------------------- fpm/helpers.php | 43 ++++++++++++++++++++++ 9 files changed, 176 insertions(+), 134 deletions(-) create mode 100644 fpm-alpine/helpers.php create mode 100644 fpm/helpers.php 
diff --git a/README.md b/README.md index dfa2279..34c202b 100644 --- a/README.md +++ b/README.md 
@@ -187,12 +187,12 @@ docker run --name phpmyadmin -d -e PMA_HOSTS='sslhost,nosslhost' -e PMA_SSLS='1, * ``PMA_SSL`` - when set to 1, defines SSL usage for the MySQL connection * ``PMA_SSL_VERIFY`` - when set to 1, enables SSL certificate verification for the MySQL connection. * ``PMA_SSL_VERIFIES`` - comma-separated list of `0` and `1` to enable or disable SSL certificate verification for multiple MySQL connections. -* ``PMA_SSL_CA_BASE64`` - in the context of mTLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`. -* ``PMA_SSL_CAS_BASE64`` - in the context of mTLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`. -* ``PMA_SSL_CERT_BASE64`` - in the context of mTLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`. -* ``PMA_SSL_CERTS_BASE64`` - in the context of mTLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`. -* ``PMA_SSL_KEY_BASE64`` - in the context of mTLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`. -* ``PMA_SSL_KEYS_BASE64`` - in the context of mTLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`. +* ``PMA_SSL_CA_BASE64`` - in the context of mutual TLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`. +* ``PMA_SSL_CAS_BASE64`` - in the context of mutual TLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`. +* ``PMA_SSL_CERT_BASE64`` - in the context of mutual TLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`. 
+* ``PMA_SSL_CERTS_BASE64`` - in the context of mutual TLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`. +* ``PMA_SSL_KEY_BASE64`` - in the context of mutual TLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`. +* ``PMA_SSL_KEYS_BASE64`` - in the context of mutual TLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`. * ``PMA_USER`` and ``PMA_PASSWORD`` - define username and password to use only with the `config` authentication method * ``PMA_ABSOLUTE_URI`` - the full URL to phpMyAdmin. Sometimes needed when used in a reverse-proxy configuration. Don't set this unless needed. See [documentation](https://docs.phpmyadmin.net/en/latest/config.html#cfg_PmaAbsoluteUri). * ``PMA_CONFIG_BASE64`` - if set, this option will override the default `config.inc.php` with the base64 decoded contents of the variable diff --git a/fpm-alpine/Dockerfile b/fpm-alpine/Dockerfile index f947994..4e189a0 100644 --- a/fpm-alpine/Dockerfile +++ b/fpm-alpine/Dockerfile @@ -120,6 +120,7 @@ RUN set -ex; \ # Copy configuration COPY config.inc.php /etc/phpmyadmin/config.inc.php +COPY helpers.php /etc/phpmyadmin/helpers.php RUN chown www-data:www-data -R /etc/phpmyadmin/ # Copy main script diff --git a/fpm-alpine/config.inc.php b/fpm-alpine/config.inc.php index 693a715..fb0feeb 100644 --- a/fpm-alpine/config.inc.php +++ b/fpm-alpine/config.inc.php 
@@ -63,6 +63,47 @@
 $cfg['PmaAbsoluteUri'] = trim($_ENV['PMA_ABSOLUTE_URI']);
 }
 
+if (isset($_ENV['PMA_SSL_CA_BASE64'])) {
+ if (!is_dir(SSL_DIR)) {
+ mkdir(SSL_DIR, 0755, true);
+ }
+ file_put_contents(SSL_DIR . '/pma-ssl-ca.pem', base64_decode($_ENV['PMA_SSL_CA_BASE64']));
+ $_ENV['PMA_SSL_CA'] = SSL_DIR . '/pma-ssl-ca.pem';
+}
+
+/* Decode and save the SSL key from base64 */
+if (isset($_ENV['PMA_SSL_KEY_BASE64'])) {
+ if (!is_dir(SSL_DIR)) {
+ mkdir(SSL_DIR, 0755, true);
+ }
+ file_put_contents(SSL_DIR . '/pma-ssl-key.key', base64_decode($_ENV['PMA_SSL_KEY_BASE64']));
+ $_ENV['PMA_SSL_KEY'] = SSL_DIR . '/pma-ssl-key.key';
+}
+
+/* Decode and save the SSL certificate from base64 */
+if (isset($_ENV['PMA_SSL_CERT_BASE64'])) {
+ if (!is_dir(SSL_DIR)) {
+ mkdir(SSL_DIR, 0755, true);
+ }
+ file_put_contents(SSL_DIR . '/pma-ssl-cert.pem', base64_decode($_ENV['PMA_SSL_CERT_BASE64']));
+ $_ENV['PMA_SSL_CERT'] = SSL_DIR . '/pma-ssl-cert.pem';
+}
+
+/* Decode and save multiple SSL CA certificates from base64 */
+if (isset($_ENV['PMA_SSL_CAS_BASE64'])) {
+ $_ENV['PMA_SSL_CAS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CAS_BASE64'], 'CA', 'pem');
+}
+
+/* Decode and save multiple SSL keys from base64 */
+if (isset($_ENV['PMA_SSL_KEYS_BASE64'])) {
+ $_ENV['PMA_SSL_KEYS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'CERT', 'cert');
+}
+
+/* Decode and save multiple SSL certificates from base64 */
+if (isset($_ENV['PMA_SSL_CERTS_BASE64'])) {
+ $_ENV['PMA_SSL_CERTS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'KEY', 'key');
+}
+
 /* Figure out hosts */
 
 /* Fallback to default linked */
diff --git a/fpm-alpine/docker-entrypoint.sh b/fpm-alpine/docker-entrypoint.sh
index 7a4c8f7..51c8303 100755
--- a/fpm-alpine/docker-entrypoint.sh
+++ b/fpm-alpine/docker-entrypoint.sh
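Review bot: The two multi-file branches have their labels swapped: `PMA_SSL_KEYS_BASE64` is passed `'CERT', 'cert'` and `PMA_SSL_CERTS_BASE64` is passed `'KEY', 'key'`, so private keys are written as `pma-ssl-CERT-N.cert` and certificates as `pma-ssl-KEY-N.key` — the same inversion the removed entrypoint code had — and the calls should read `decodeAndSaveSslFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'KEY', 'key')` and `decodeAndSaveSslFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'CERT', 'cert')`. The single-file key branch also writes the key with `file_put_contents` at the worker's default mode and decodes with a non-strict `base64_decode`, so a mistyped value silently produces a corrupt key file that is readable by every user in the container; the rewritten branch below uses strict decoding, checks the result, and applies `chmod 0600`, and the helper should do the same for its `'KEY'` prefix (its body is not visible here). Since config.inc.php is evaluated per request, these files are rewritten by the web user on every page load; if that is intended a comment should say so, otherwise a `file_exists` guard would avoid it. The diffstat shows the same block in apache/ and fpm/config.inc.php, whose hunks are garbled on this page and need the same changes.

```php
/* Decode and save the SSL key from base64 */
if (isset($_ENV['PMA_SSL_KEY_BASE64'])) {
    if (!is_dir(SSL_DIR)) {
        mkdir(SSL_DIR, 0755, true);
    }
    // Strict decoding rejects input that is not valid base64 instead of writing garbage.
    $key = base64_decode($_ENV['PMA_SSL_KEY_BASE64'], true);
    if ($key === false || file_put_contents(SSL_DIR . '/pma-ssl-key.key', $key) === false) {
        error_log('PMA_SSL_KEY_BASE64: invalid base64 or write to ' . SSL_DIR . ' failed');
        exit(1);
    }
    // Private key material must not be readable by other users in the container.
    chmod(SSL_DIR . '/pma-ssl-key.key', 0600);
    $_ENV['PMA_SSL_KEY'] = SSL_DIR . '/pma-ssl-key.key';
}
// … unchanged: CA and CERT single-file branches, PMA_SSL_CAS_BASE64 branch …
/* Decode and save multiple SSL keys from base64 */
if (isset($_ENV['PMA_SSL_KEYS_BASE64'])) {
    $_ENV['PMA_SSL_KEYS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'KEY', 'key');
}
/* Decode and save multiple SSL certificates from base64 */
if (isset($_ENV['PMA_SSL_CERTS_BASE64'])) {
    $_ENV['PMA_SSL_CERTS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'CERT', 'cert');
}
```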
@@ -29,45 +29,6 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php fi -if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-ca from base64." - echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem - export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem" -fi - -if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-key from base64." - echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key - export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key" -fi - -if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-cert from base64." - echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem - export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem" -fi - -if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-ca from base64." - PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem") - export "PMA_SSL_CAS" -fi - -if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-key from base64." - PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert") - export "PMA_SSL_KEYS" -fi - -if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-cert from base64." - PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key") - export "PMA_SSL_CERTS" -fi - get_docker_secret() { local env_var="${1}" local env_var_file="${env_var}_FILE" 
@@ -80,31 +41,6 @@ get_docker_secret() { fi } -# This function generates SSL files from a base64 encoded string. -# Arguments: -# 1. base64_string: A comma-separated string of base64 encoded SSL files. -# 2. prefix: A prefix to be used in the output file names. -# 3. extension: The file extension to be used for the output files. -# The function creates a directory for the SSL files, decodes each base64 string, -# writes the decoded content to a file, and returns a comma-separated list of the generated file paths. -# -generate_ssl_files() { - local base64_string="${1}" - local output_dir="/etc/phpmyadmin/ssl" - mkdir -p "${output_dir}" - IFS=',' read -ra FILES <<< "${base64_string}" - local counter=1 - local ssl_files="" - for file in "${FILES[@]}"; do - local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}" - echo "${file}" | base64 -d > "${output_file}" - ssl_files="${ssl_files}${output_file}," - counter=$((counter + 1)) - done - ssl_files="${ssl_files%,}" - echo "${ssl_files}" -} - get_docker_secret PMA_USER get_docker_secret PMA_PASSWORD get_docker_secret MYSQL_ROOT_PASSWORD diff --git a/fpm-alpine/helpers.php b/fpm-alpine/helpers.php new file mode 100644 index 0000000..54d2942 --- /dev/null +++ b/fpm-alpine/helpers.php 
@@ -0,0 +1,43 @@ + /etc/phpmyadmin/config.user.inc.php fi -if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-ca from base64." - echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem - export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem" -fi - -if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-key from base64." - echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key - export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key" -fi - -if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then - mkdir -p /etc/phpmyadmin/ssl - echo "Adding the custom pma-ssl-cert from base64." - echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem - export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem" -fi - -if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-ca from base64." - PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem") - export "PMA_SSL_CAS" -fi - -if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-key from base64." - PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert") - export "PMA_SSL_KEYS" -fi - -if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then - echo "Adding multiples custom pma-ssl-cert from base64." - PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key") - export "PMA_SSL_CERTS" -fi - get_docker_secret() { local env_var="${1}" local env_var_file="${env_var}_FILE" 
@@ -80,31 +41,6 @@ get_docker_secret() { fi } -# This function generates SSL files from a base64 encoded string. -# Arguments: -# 1. base64_string: A comma-separated string of base64 encoded SSL files. -# 2. prefix: A prefix to be used in the output file names. -# 3. extension: The file extension to be used for the output files. -# The function creates a directory for the SSL files, decodes each base64 string, -# writes the decoded content to a file, and returns a comma-separated list of the generated file paths. -# -generate_ssl_files() { - local base64_string="${1}" - local output_dir="/etc/phpmyadmin/ssl" - mkdir -p "${output_dir}" - IFS=',' read -ra FILES <<< "${base64_string}" - local counter=1 - local ssl_files="" - for file in "${FILES[@]}"; do - local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}" - echo "${file}" | base64 -d > "${output_file}" - ssl_files="${ssl_files}${output_file}," - counter=$((counter + 1)) - done - ssl_files="${ssl_files%,}" - echo "${ssl_files}" -} - get_docker_secret PMA_USER get_docker_secret PMA_PASSWORD get_docker_secret MYSQL_ROOT_PASSWORD diff --git a/fpm/helpers.php b/fpm/helpers.php new file mode 100644 index 0000000..54d2942 --- /dev/null +++ b/fpm/helpers.php @@ -0,0 +1,43 @@ + Date: Sat, 21 Dec 2024 16:28:20 +0100 Subject: [PATCH 04/17] fix(config.inc.php): import require statements --- fpm-alpine/config.inc.php | 3 +++ fpm/config.inc.php | 3 +++ 2 files changed, 6 insertions(+) diff --git a/fpm-alpine/config.inc.php b/fpm-alpine/config.inc.php index fb0feeb..74e5085 100644 --- a/fpm-alpine/config.inc.php +++ b/fpm-alpine/config.inc.php @@ -1,6 +1,9 @@ Date: Sat, 21 Dec 2024 21:40:29 +0100 Subject: [PATCH 05/17] Update apache/helpers.php Co-authored-by: William Desportes --- apache/helpers.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apache/helpers.php b/apache/helpers.php index 54d2942..a8ad0fd 100644 --- a/apache/helpers.php +++ b/apache/helpers.php 
@@ -30,7 +30,8 @@ function decodeAndSaveSslFiles($base64_string, $prefix, $extension) { // Write the decoded file to the output directory if (file_put_contents($output_file, base64_decode($file)) === false) { - throw new SslFileGenerationException("Failed to write to $output_file"); + echo 'Failed to write to ' . $output_file; + exit(1); } // Add the output file path to the list From 92ca977edcc50df4a250ea81483c6eeec61eddb9 Mon Sep 17 00:00:00 2001 From: Lord Robin Crombez <137684928+LordRobinCbz@users.noreply.github.com> Date: Sat, 21 Dec 2024 21:41:11 +0100 Subject: [PATCH 06/17] Update apache/helpers.php add types to function parameters Co-authored-by: William Desportes --- apache/helpers.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apache/helpers.php b/apache/helpers.php index a8ad0fd..61b3554 100644 --- a/apache/helpers.php +++ b/apache/helpers.php @@ -13,7 +13,7 @@ class SslFileGenerationException extends Exception {} * @param string $extension The file extension to use for the generated SSL files. * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles($base64_string, $prefix, $extension) { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): array { // Ensure the output directory exists if (!is_dir(OUTPUT_DIR)) { mkdir(OUTPUT_DIR, 0755, true); From 35ad5ea06330d089e5ea9c24d7a3067672a70bbc Mon Sep 17 00:00:00 2001 From: Lord Robin Crombez <137684928+LordRobinCbz@users.noreply.github.com> Date: Sat, 21 Dec 2024 21:42:19 +0100 Subject: [PATCH 07/17] Update apache/helpers.php Remove the custom exception Co-authored-by: William Desportes --- apache/helpers.php | 1 - 1 file changed, 1 deletion(-) diff --git a/apache/helpers.php b/apache/helpers.php index 61b3554..1f7418f 100644 --- a/apache/helpers.php +++ b/apache/helpers.php 
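Review bot: `exit(1)` right after the `echo` runs inside a helper that config.inc.php presumably includes on every web request, so a failed write ends the request with an HTTP 200 body consisting of a bare message that exposes an internal path; a failure in the web SAPI should at least carry an error status and keep the detail in the server log. If the maintainers prefer exit over an exception, use `http_response_code(500); error_log('Failed to write to ' . $output_file); exit(1);`. decodeAndSaveSslFiles starts and ends outside this hunk.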
@@ -1,6 +1,5 @@ Date: Sat, 21 Dec 2024 22:03:31 +0100 Subject: [PATCH 08/17] fix(dockerfiles, config.inc.php): Add ENV in Dockerfile, edited templates, add PMA_SSLS in the README and add PMA_SSL_DIR to set output path for certificate generation --- Dockerfile-alpine.template | 1 + Dockerfile-debian.template | 1 + README.md | 2 + apache/Dockerfile | 2 +- apache/config.inc.php | 29 +++++++------- apache/helpers.php | 8 ++-- config.inc.php | 71 +++++++++++++++++++++++++++++++++ fpm-alpine/Dockerfile | 2 +- fpm-alpine/config.inc.php | 29 +++++++------- fpm-alpine/docker-entrypoint.sh | 1 + fpm-alpine/helpers.php | 14 +++---- fpm/Dockerfile | 2 +- fpm/config.inc.php | 29 +++++++------- fpm/docker-entrypoint.sh | 1 + fpm/helpers.php | 14 +++---- 15 files changed, 140 insertions(+), 66 deletions(-) diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index f237639..d5c32a7 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -39,6 +39,7 @@ RUN set -ex; \ # set recommended PHP.ini settings # see https://secure.php.net/manual/en/opcache.installation.php +ENV PMA_SSL_DIR /etc/phpmyadmin/ssl ENV MAX_EXECUTION_TIME 600 ENV MEMORY_LIMIT 512M ENV UPLOAD_LIMIT 2048K diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template index 7c757e0..aec666f 100644 --- a/Dockerfile-debian.template +++ b/Dockerfile-debian.template @@ -50,6 +50,7 @@ RUN set -ex; \ # set recommended PHP.ini settings # see https://secure.php.net/manual/en/opcache.installation.php +ENV PMA_SSL_DIR /etc/phpmyadmin/ssl ENV MAX_EXECUTION_TIME 600 ENV MEMORY_LIMIT 512M ENV UPLOAD_LIMIT 2048K diff --git a/README.md b/README.md index 34c202b..829f250 100644 --- a/README.md +++ b/README.md 
@@ -184,7 +184,9 @@ docker run --name phpmyadmin -d -e PMA_HOSTS='sslhost,nosslhost' -e PMA_SSLS='1, * ``PMA_PORTS`` - define comma separated list of ports of the MySQL servers * ``PMA_SOCKET`` - define socket file for the MySQL connection * ``PMA_SOCKETS`` - define comma separated list of socket files for the MySQL connections +* ``PMA_SSL_DIR`` - define the path used for SSL files generated from environement variables, default value is `/etc/phpmyadmin/ssl` * ``PMA_SSL`` - when set to 1, defines SSL usage for the MySQL connection +* ``PMA_SSLS`` - comma separated list of `0` and `1` defining SSL usage for the corresponding MySQL connections * ``PMA_SSL_VERIFY`` - when set to 1, enables SSL certificate verification for the MySQL connection. * ``PMA_SSL_VERIFIES`` - comma-separated list of `0` and `1` to enable or disable SSL certificate verification for multiple MySQL connections. * ``PMA_SSL_CA_BASE64`` - in the context of mutual TLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`. diff --git a/apache/Dockerfile b/apache/Dockerfile index dfae652..75112cd 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile @@ -51,6 +51,7 @@ RUN set -ex; \ # set recommended PHP.ini settings # see https://secure.php.net/manual/en/opcache.installation.php +ENV PMA_SSL_DIR /etc/phpmyadmin/ssl ENV MAX_EXECUTION_TIME 600 ENV MEMORY_LIMIT 512M ENV UPLOAD_LIMIT 2048K @@ -140,7 +141,6 @@ RUN set -ex; \ # Copy configuration COPY config.inc.php /etc/phpmyadmin/config.inc.php -COPY helpers.php /etc/phpmyadmin/helpers.php RUN chown www-data:www-data -R /etc/phpmyadmin/ # Copy main script diff --git a/apache/config.inc.php b/apache/config.inc.php index 74e5085..c1a043a 100644 --- a/apache/config.inc.php +++ b/apache/config.inc.php @@ -1,7 +1,5 @@ /etc/phpmyadmin/config.user.inc.php fi + get_docker_secret() { local env_var="${1}" local env_var_file="${env_var}_FILE" 
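Review bot: Dropping `COPY helpers.php /etc/phpmyadmin/helpers.php` from apache/Dockerfile leaves the image without the file that config.inc.php was changed to require (PATCH 04's subject), so unless a later step brings it back every request would fail on the missing include. PATCH 09's update.sh change appears to copy helpers.php between repository directories, not into the image, so the Dockerfile still needs the line: `COPY helpers.php /etc/phpmyadmin/helpers.php`. The `RUN chown www-data:www-data -R /etc/phpmyadmin/` that follows would then cover it as before.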
diff --git a/fpm-alpine/helpers.php b/fpm-alpine/helpers.php index 54d2942..bb431aa 100644 --- a/fpm-alpine/helpers.php +++ b/fpm-alpine/helpers.php @@ -1,8 +1,7 @@ /etc/phpmyadmin/config.user.inc.php fi + get_docker_secret() { local env_var="${1}" local env_var_file="${env_var}_FILE" diff --git a/fpm/helpers.php b/fpm/helpers.php index 54d2942..bb431aa 100644 --- a/fpm/helpers.php +++ b/fpm/helpers.php @@ -1,8 +1,7 @@ Date: Sun, 22 Dec 2024 10:20:05 +0100 Subject: [PATCH 09/17] fix(helpers,update.sh): add helpers file to the root and edited update script to import it in target folders/images Signed-off-by: lordrobincbz --- apache/config.inc.php | 4 ++-- config.inc.php | 4 ++-- fpm-alpine/config.inc.php | 4 ++-- fpm/config.inc.php | 4 ++-- helpers.php | 43 +++++++++++++++++++++++++++++++++++++++ update.sh | 3 ++- 6 files changed, 53 insertions(+), 9 deletions(-) create mode 100644 helpers.php diff --git a/apache/config.inc.php b/apache/config.inc.php index c1a043a..05a4f9e 100644 --- a/apache/config.inc.php +++ b/apache/config.inc.php @@ -1,7 +1,7 @@ Date: Sat, 4 Jan 2025 00:11:33 +0100 Subject: [PATCH 10/17] Fix return type hint and detect base64 decode crashes --- apache/helpers.php | 14 ++++++++++---- fpm-alpine/helpers.php | 14 ++++++++++---- fpm/helpers.php | 14 ++++++++++---- helpers.php | 14 ++++++++++---- 4 files changed, 40 insertions(+), 16 deletions(-) diff --git a/apache/helpers.php b/apache/helpers.php index bb431aa..c5c72f1 100644 --- a/apache/helpers.php +++ b/apache/helpers.php @@ -12,7 +12,7 @@ * @param string $extension The file extension to use for the generated SSL files. * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): array { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string { // Ensure the output directory exists if (!is_dir(PMA_SSL_DIR)) { mkdir(PMA_SSL_DIR, 0755, true); 
@@ -26,13 +26,19 @@ function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $ex // Process each file foreach ($files as $file) { $output_file = PMA_SSL_DIR . "/pma-ssl-$prefix-$counter.$extension"; - + + $file_contents = base64_decode($file, true); + if ($file_contents === false) { + echo 'Failed to decode: ' . $file; + exit(1); + } + // Write the decoded file to the output directory - if (file_put_contents($output_file, base64_decode($file)) === false) { + if (file_put_contents($output_file, $file_contents) === false) { echo 'Failed to write to ' . $output_file; exit(1); } - + // Add the output file path to the list $ssl_files[] = $output_file; $counter++; diff --git a/fpm-alpine/helpers.php b/fpm-alpine/helpers.php index bb431aa..c5c72f1 100644 --- a/fpm-alpine/helpers.php +++ b/fpm-alpine/helpers.php @@ -12,7 +12,7 @@ * @param string $extension The file extension to use for the generated SSL files. * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): array { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string { // Ensure the output directory exists if (!is_dir(PMA_SSL_DIR)) { mkdir(PMA_SSL_DIR, 0755, true); @@ -26,13 +26,19 @@ function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $ex // Process each file foreach ($files as $file) { $output_file = PMA_SSL_DIR . "/pma-ssl-$prefix-$counter.$extension"; - + + $file_contents = base64_decode($file, true); + if ($file_contents === false) { + echo 'Failed to decode: ' . $file; + exit(1); + } + // Write the decoded file to the output directory - if (file_put_contents($output_file, base64_decode($file)) === false) { + if (file_put_contents($output_file, $file_contents) === false) { echo 'Failed to write to ' . $output_file; exit(1); } - + // Add the output file path to the list $ssl_files[] = $output_file; $counter++; 
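Review bot: `echo 'Failed to decode: ' . $file;` writes the undecodable input into the HTTP response, and for `PMA_SSL_KEY_BASE64` that input is most likely a private key pasted as raw PEM rather than base64 (strict decoding rejects the dashes and spaces of a PEM header), so the key ends up in the browser and in any proxy or access log that captures bodies. Log a reference rather than the value: `error_log('Failed to base64-decode input for ' . $output_file); exit(1);`. The same two lines are repeated in the fpm-alpine, fpm and root copies of helpers.php. decodeAndSaveSslFiles starts outside this hunk.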
diff --git a/fpm/helpers.php b/fpm/helpers.php index bb431aa..c5c72f1 100644 --- a/fpm/helpers.php +++ b/fpm/helpers.php @@ -12,7 +12,7 @@ * @param string $extension The file extension to use for the generated SSL files. * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): array { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string { // Ensure the output directory exists if (!is_dir(PMA_SSL_DIR)) { mkdir(PMA_SSL_DIR, 0755, true); @@ -26,13 +26,19 @@ function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $ex // Process each file foreach ($files as $file) { $output_file = PMA_SSL_DIR . "/pma-ssl-$prefix-$counter.$extension"; - + + $file_contents = base64_decode($file, true); + if ($file_contents === false) { + echo 'Failed to decode: ' . $file; + exit(1); + } + // Write the decoded file to the output directory - if (file_put_contents($output_file, base64_decode($file)) === false) { + if (file_put_contents($output_file, $file_contents) === false) { echo 'Failed to write to ' . $output_file; exit(1); } - + // Add the output file path to the list $ssl_files[] = $output_file; $counter++; diff --git a/helpers.php b/helpers.php index bb431aa..c5c72f1 100644 --- a/helpers.php +++ b/helpers.php @@ -12,7 +12,7 @@ * @param string $extension The file extension to use for the generated SSL files. * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): array { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string { // Ensure the output directory exists if (!is_dir(PMA_SSL_DIR)) { mkdir(PMA_SSL_DIR, 0755, true); 
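Review bot: `file_put_contents($output_file, $file_contents)` creates the key file with the process umask, typically 0644, inside a directory the Dockerfiles set to 0755, so a decoded private key is readable by any other user in the container; the write is also non-atomic and, since config.inc.php calls this helper at load time, is presumably repeated on every request, so a concurrent request can read a half-written file. Lock the write and tighten the mode: `if (file_put_contents($output_file, $file_contents, LOCK_EX) === false || ! chmod($output_file, 0600)) {`. Better still, skip the write when the file already exists with identical contents so the key is not rewritten per request. decodeAndSaveSslFiles starts outside this hunk.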
@@ -26,13 +26,19 @@ function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $ex // Process each file foreach ($files as $file) { $output_file = PMA_SSL_DIR . "/pma-ssl-$prefix-$counter.$extension"; - + + $file_contents = base64_decode($file, true); + if ($file_contents === false) { + echo 'Failed to decode: ' . $file; + exit(1); + } + // Write the decoded file to the output directory - if (file_put_contents($output_file, base64_decode($file)) === false) { + if (file_put_contents($output_file, $file_contents) === false) { echo 'Failed to write to ' . $output_file; exit(1); } - + // Add the output file path to the list $ssl_files[] = $output_file; $counter++; From 4ceefa6c8051633d0292a84f23f593d69a0b0903 Mon Sep 17 00:00:00 2001 From: William Desportes Date: Sat, 4 Jan 2025 00:13:31 +0100 Subject: [PATCH 11/17] Apply the coding standard --- apache/helpers.php | 10 ++++++---- fpm-alpine/helpers.php | 10 ++++++---- fpm/helpers.php | 10 ++++++---- helpers.php | 10 ++++++---- 4 files changed, 24 insertions(+), 16 deletions(-) diff --git a/apache/helpers.php b/apache/helpers.php index c5c72f1..d47db78 100644 --- a/apache/helpers.php +++ b/apache/helpers.php 
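Review bot: `$file_contents === false` catches malformed base64 but not an empty part: `base64_decode('', true)` returns `''` rather than `false`, so a trailing comma in `PMA_SSL_KEYS_BASE64` (or an unset variable interpolated as empty by the orchestrator) silently writes an empty key or certificate file whose path is then handed to the MySQL driver, producing a confusing TLS failure far from the cause. Reject it together with the decode failure: `if ($file_contents === false || $file_contents === '') {`. The docblock above the function (outside this hunk) should also say that the function terminates the process with exit(1) instead of throwing, since callers cannot recover from either failure path.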
@@ -7,12 +7,14 @@ * Helper function to decode and save multiple SSL files from base64. * * @param string $base64_string The base64 encoded string containing multiple SSL files separated by commas. - * If no commas are present, the entire string is treated as a single file. - * @param string $prefix The prefix to use for the generated SSL file names. - * @param string $extension The file extension to use for the generated SSL files. + * If no commas are present, the entire string is treated as a single file. + * @param string $prefix The prefix to use for the generated SSL file names. + * @param string $extension The file extension to use for the generated SSL files. + * * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string +{ // Ensure the output directory exists if (!is_dir(PMA_SSL_DIR)) { mkdir(PMA_SSL_DIR, 0755, true); diff --git a/fpm-alpine/helpers.php b/fpm-alpine/helpers.php index c5c72f1..d47db78 100644 --- a/fpm-alpine/helpers.php +++ b/fpm-alpine/helpers.php 
@@ -7,12 +7,14 @@ * Helper function to decode and save multiple SSL files from base64. * * @param string $base64_string The base64 encoded string containing multiple SSL files separated by commas. - * If no commas are present, the entire string is treated as a single file. - * @param string $prefix The prefix to use for the generated SSL file names. - * @param string $extension The file extension to use for the generated SSL files. + * If no commas are present, the entire string is treated as a single file. + * @param string $prefix The prefix to use for the generated SSL file names. + * @param string $extension The file extension to use for the generated SSL files. + * * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string +{ // Ensure the output directory exists if (!is_dir(PMA_SSL_DIR)) { mkdir(PMA_SSL_DIR, 0755, true); diff --git a/fpm/helpers.php b/fpm/helpers.php index c5c72f1..d47db78 100644 --- a/fpm/helpers.php +++ b/fpm/helpers.php 
@@ -7,12 +7,14 @@ * Helper function to decode and save multiple SSL files from base64. * * @param string $base64_string The base64 encoded string containing multiple SSL files separated by commas. - * If no commas are present, the entire string is treated as a single file. - * @param string $prefix The prefix to use for the generated SSL file names. - * @param string $extension The file extension to use for the generated SSL files. + * If no commas are present, the entire string is treated as a single file. + * @param string $prefix The prefix to use for the generated SSL file names. + * @param string $extension The file extension to use for the generated SSL files. + * * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string +{ // Ensure the output directory exists if (!is_dir(PMA_SSL_DIR)) { mkdir(PMA_SSL_DIR, 0755, true); diff --git a/helpers.php b/helpers.php index c5c72f1..d47db78 100644 --- a/helpers.php +++ b/helpers.php 
@@ -7,12 +7,14 @@ * Helper function to decode and save multiple SSL files from base64. * * @param string $base64_string The base64 encoded string containing multiple SSL files separated by commas. - * If no commas are present, the entire string is treated as a single file. - * @param string $prefix The prefix to use for the generated SSL file names. - * @param string $extension The file extension to use for the generated SSL files. + * If no commas are present, the entire string is treated as a single file. + * @param string $prefix The prefix to use for the generated SSL file names. + * @param string $extension The file extension to use for the generated SSL files. + * * @return string A comma-separated list of paths to the generated SSL files. */ -function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string { +function decodeAndSaveSslFiles(string $base64_string, string $prefix, string $extension): string +{ // Ensure the output directory exists if (!is_dir(PMA_SSL_DIR)) { mkdir(PMA_SSL_DIR, 0755, true); From 95bf9271c64ddbff389f573e21a60a1c8e23693e Mon Sep 17 00:00:00 2001 From: William Desportes Date: Sat, 4 Jan 2025 00:38:15 +0100 Subject: [PATCH 12/17] Make the helper function usable for another use --- apache/config.inc.php | 31 +++++++++++------------------ apache/helpers.php | 42 +++++++++++++++++++-------------------- config.inc.php | 31 +++++++++++------------------ fpm-alpine/config.inc.php | 31 +++++++++++------------------ fpm-alpine/helpers.php | 42 +++++++++++++++++++-------------------- fpm/config.inc.php | 31 +++++++++++------------------ fpm/helpers.php | 42 +++++++++++++++++++-------------------- helpers.php | 42 +++++++++++++++++++-------------------- 8 files changed, 132 insertions(+), 160 deletions(-) diff --git a/apache/config.inc.php b/apache/config.inc.php index 05a4f9e..d33359e 100644 --- a/apache/config.inc.php +++ b/apache/config.inc.php 
@@ -29,6 +29,7 @@ 'PMA_UPLOADDIR', 'PMA_SAVEDIR', 'PMA_SSL', + 'PMA_SSL_DIR', 'PMA_SSL_VERIFY', 'PMA_SSL_CA', 'PMA_SSL_KEY', @@ -38,7 +39,6 @@ 'PMA_SSL_CAS', 'PMA_SSL_KEYS', 'PMA_SSL_CERTS', - 'PMA_PMA_SSL_DIR' ]; foreach ($vars as $var) { @@ -47,6 +47,11 @@ $_ENV[$var] = $env; } } + +if (! defined('PMA_SSL_DIR')) { + define('PMA_SSL_DIR', $_ENV['PMA_SSL_DIR'] ?? '/etc/phpmyadmin/ssl'); +} + if (isset($_ENV['PMA_QUERYHISTORYDB'])) { $cfg['QueryHistoryDB'] = (bool) $_ENV['PMA_QUERYHISTORYDB']; } 
@@ -66,44 +71,32 @@ } if (isset($_ENV['PMA_SSL_CA_BASE64'])) { - if (!is_dir(PMA_SSL_DIR)) { - mkdir(PMA_SSL_DIR, 0755, true); - } - file_put_contents(PMA_SSL_DIR . '/pma-ssl-ca.pem', base64_decode($_ENV['PMA_SSL_CA_BASE64'])); - $_ENV['PMA_SSL_CA'] = PMA_SSL_DIR . '/pma-ssl-ca.pem'; + $_ENV['PMA_SSL_CA'] = decodeBase64AndSaveFiles($_ENV['PMA_SSL_CA_BASE64'], 'phpmyadmin-ssl-CA', 'pem', PMA_SSL_DIR); } /* Decode and save the SSL key from base64 */ if (isset($_ENV['PMA_SSL_KEY_BASE64'])) { - if (!is_dir(PMA_SSL_DIR)) { - mkdir(PMA_SSL_DIR, 0755, true); - } - file_put_contents(PMA_SSL_DIR . '/pma-ssl-key.key', base64_decode($_ENV['PMA_SSL_KEY_BASE64'])); - $_ENV['PMA_SSL_KEY'] = PMA_SSL_DIR . '/pma-ssl-key.key'; + $_ENV['PMA_SSL_KEY'] = decodeBase64AndSaveFiles($_ENV['PMA_SSL_KEY_BASE64'], 'phpmyadmin-ssl-CERT', 'cert', PMA_SSL_DIR); } /* Decode and save the SSL certificate from base64 */ if (isset($_ENV['PMA_SSL_CERT_BASE64'])) { - if (!is_dir(PMA_SSL_DIR)) { - mkdir(PMA_SSL_DIR, 0755, true); - } - file_put_contents(PMA_SSL_DIR . '/pma-ssl-cert.pem', base64_decode($_ENV['PMA_SSL_CERT_BASE64'])); - $_ENV['PMA_SSL_CERT'] = PMA_SSL_DIR . 
'/pma-ssl-cert.pem'; + $_ENV['PMA_SSL_CERT'] = decodeBase64AndSaveFiles($_ENV['PMA_SSL_CERT_BASE64'], 'phpmyadmin-ssl-CERT', 'cert', PMA_SSL_DIR); } /* Decode and save multiple SSL CA certificates from base64 */ if (isset($_ENV['PMA_SSL_CAS_BASE64'])) { - $_ENV['PMA_SSL_CAS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CAS_BASE64'], 'CA', 'pem'); + $_ENV['PMA_SSL_CAS'] = decodeBase64AndSaveFiles($_ENV['PMA_SSL_CAS_BASE64'], 'phpmyadmin-ssl-CA', 'pem', PMA_SSL_DIR); } /* Decode and save multiple SSL keys from base64 */ if (isset($_ENV['PMA_SSL_KEYS_BASE64'])) { - $_ENV['PMA_SSL_KEYS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'CERT', 'cert'); + $_ENV['PMA_SSL_KEYS'] = decodeBase64AndSaveFiles($_ENV['PMA_SSL_KEYS_BASE64'], 'phpmyadmin-ssl-CERT', 'cert', PMA_SSL_DIR); } /* Decode and save multiple SSL certificates from base64 */ if (isset($_ENV['PMA_SSL_CERTS_BASE64'])) { - $_ENV['PMA_SSL_CERTS'] = decodeAndSaveSslFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'KEY', 'key'); + $_ENV['PMA_SSL_CERTS'] = decodeBase64AndSaveFiles($_ENV['PMA_SSL_CERTS_BASE64'], 'phpmyadmin-ssl-KEY', 'key', PMA_SSL_DIR); } /* Figure out hosts */ diff --git a/apache/helpers.php b/apache/helpers.php index d47db78..fd06bcd 100644 --- a/apache/helpers.php +++ b/apache/helpers.php @@ -1,51 +1,51 @@ Date: Sat, 4 Jan 2025 00:38:25 +0100 Subject: [PATCH 13/17] Add chown to the ssl folder --- Dockerfile-alpine.template | 1 + Dockerfile-debian.template | 1 + apache/Dockerfile | 1 + fpm-alpine/Dockerfile | 1 + fpm/Dockerfile | 1 + 5 files changed, 5 insertions(+) diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index d5c32a7..8a9dd8f 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -94,6 +94,7 @@ RUN set -ex; \ mkdir $SESSION_SAVE_PATH; \ chmod 1777 $SESSION_SAVE_PATH; \ chown www-data:www-data $SESSION_SAVE_PATH; \ + chown www-data:www-data $PMA_SSL_DIR; \ \ export GNUPGHOME="$(mktemp -d)"; \ export GPGKEY="%%GPG_KEY%%"; \ 
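Review bot: `PMA_SSL_KEY_BASE64` is saved with prefix `phpmyadmin-ssl-CERT` and extension `cert`, the same pair used for `PMA_SSL_CERT_BASE64` two statements below, and `PMA_SSL_KEYS_BASE64`/`PMA_SSL_CERTS_BASE64` have their KEY and CERT labels swapped. If the renamed helper still builds file names from prefix, counter and extension as the PATCH 10 version did, a deployment that sets both key and certificate writes both to the same `phpmyadmin-ssl-CERT-1.cert` path and `$_ENV['PMA_SSL_KEY']` ends up pointing at whichever was written last; `PMA_SSL_CA_BASE64` and `PMA_SSL_CAS_BASE64` share `phpmyadmin-ssl-CA`/`pem` in the same way. Use `'phpmyadmin-ssl-KEY', 'key'` for the two key variables and `'phpmyadmin-ssl-CERT', 'cert'` for the two certificate variables, and give the singular and plural variants distinct prefixes.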
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index aec666f..ea5fc3e 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -110,6 +110,7 @@ RUN set -ex; \
 mkdir $SESSION_SAVE_PATH; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
+ chown www-data:www-data $PMA_SSL_DIR; \
 \
 export GNUPGHOME="$(mktemp -d)"; \
 export GPGKEY="%%GPG_KEY%%"; \
diff --git a/apache/Dockerfile b/apache/Dockerfile
index 75112cd..f77b5d1 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -111,6 +111,7 @@ RUN set -ex; \
 mkdir $SESSION_SAVE_PATH; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
+ chown www-data:www-data $PMA_SSL_DIR; \
 \
 export GNUPGHOME="$(mktemp -d)"; \
 export GPGKEY="3D06A59ECE730EB71B511C17CE752F178259BD92"; \
diff --git a/fpm-alpine/Dockerfile b/fpm-alpine/Dockerfile
index 6e2a71e..5275027 100644
--- a/fpm-alpine/Dockerfile
+++ b/fpm-alpine/Dockerfile
@@ -95,6 +95,7 @@ RUN set -ex; \
 mkdir $SESSION_SAVE_PATH; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
+ chown www-data:www-data $PMA_SSL_DIR; \
 \
 export GNUPGHOME="$(mktemp -d)"; \
 export GPGKEY="3D06A59ECE730EB71B511C17CE752F178259BD92"; \
diff --git a/fpm/Dockerfile b/fpm/Dockerfile
index f6d668f..731265d 100644
--- a/fpm/Dockerfile
+++ b/fpm/Dockerfile
@@ -108,6 +108,7 @@ RUN set -ex; \
 mkdir $SESSION_SAVE_PATH; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
+ chown www-data:www-data $PMA_SSL_DIR; \
 \
 export GNUPGHOME="$(mktemp -d)"; \
 export GPGKEY="3D06A59ECE730EB71B511C17CE752F178259BD92"; \
From 9b2667c13f4f80db06247beb4a01fedc46efc02f Mon Sep 17 00:00:00 2001
From: William Desportes Date: Sat, 4 Jan 2025 01:09:31 +0100 Subject: [PATCH 14/17] Fixup config and edit the README --- README.md | 25 +++++++++++++++++++------ apache/config.inc.php | 14 ++++++++++---- config.inc.php | 14 ++++++++++---- fpm-alpine/config.inc.php | 14 ++++++++++---- fpm/config.inc.php | 14 ++++++++++---- 5 files changed, 59 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 829f250..d60fd12 100644 --- a/README.md +++ b/README.md 
@@ -189,12 +189,12 @@ docker run --name phpmyadmin -d -e PMA_HOSTS='sslhost,nosslhost' -e PMA_SSLS='1, * ``PMA_SSLS`` - comma separated list of `0` and `1` defining SSL usage for the corresponding MySQL connections * ``PMA_SSL_VERIFY`` - when set to 1, enables SSL certificate verification for the MySQL connection. * ``PMA_SSL_VERIFIES`` - comma-separated list of `0` and `1` to enable or disable SSL certificate verification for multiple MySQL connections. -* ``PMA_SSL_CA_BASE64`` - in the context of mutual TLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`. -* ``PMA_SSL_CAS_BASE64`` - in the context of mutual TLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`. -* ``PMA_SSL_CERT_BASE64`` - in the context of mutual TLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`. -* ``PMA_SSL_CERTS_BASE64`` - in the context of mutual TLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`. -* ``PMA_SSL_KEY_BASE64`` - in the context of mutual TLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`. -* ``PMA_SSL_KEYS_BASE64`` - in the context of mutual TLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`. +* ``PMA_SSL_CA`` - in the context of mutual TLS security, allows setting your CA certificate file as a string inside the default `config.inc.php`. +* ``PMA_SSL_CAS`` - in the context of mutual TLS security, allows setting multiple CA certificate files as a comma-separated list of strings inside the default `config.inc.php`. +* ``PMA_SSL_CERT`` - in the context of mutual TLS security, allows setting your certificate file as a string inside the default `config.inc.php`. 
+* ``PMA_SSL_CERTS`` - in the context of mutual TLS security, allows setting multiple certificate files as a comma-separated list of strings inside the default `config.inc.php`. +* ``PMA_SSL_KEY`` - in the context of mutual TLS security, allows setting your private key file as a string inside the default `config.inc.php`. +* ``PMA_SSL_KEYS`` - in the context of mutual TLS security, allows setting multiple private key files as a comma-separated list of strings inside the default `config.inc.php`. * ``PMA_USER`` and ``PMA_PASSWORD`` - define username and password to use only with the `config` authentication method * ``PMA_ABSOLUTE_URI`` - the full URL to phpMyAdmin. Sometimes needed when used in a reverse-proxy configuration. Don't set this unless needed. See [documentation](https://docs.phpmyadmin.net/en/latest/config.html#cfg_PmaAbsoluteUri). * ``PMA_CONFIG_BASE64`` - if set, this option will override the default `config.inc.php` with the base64 decoded contents of the variable @@ -221,6 +221,19 @@ For usage with Docker secrets, appending ``_FILE`` to the ``PMA_PASSWORD`` envir docker run --name phpmyadmin -d -e PMA_PASSWORD_FILE=/run/secrets/db_password.txt -p 8080:80 phpmyadmin:latest ``` +#### Variables that can store the file contents using ``_BASE64`` + +- `PMA_SSL_CA` +- `PMA_SSL_CAS` +- `PMA_SSL_KEY` +- `PMA_SSL_KEYS` +- `PMA_SSL_CERT` +- `PMA_SSL_CERTS` + +Also includes: `PMA_CONFIG_BASE64` or `PMA_USER_CONFIG_BASE64`. + +For example, the variable would be named `PMA_SSL_CA_BASE64` and the value is the base64 encoded contents of the file. + #### Variables that can be read from a file using ``_FILE`` - `MYSQL_ROOT_PASSWORD` diff --git a/apache/config.inc.php b/apache/config.inc.php index d33359e..6317a34 100644 --- a/apache/config.inc.php +++ b/apache/config.inc.php 
@@ -29,16 +29,22 @@ 'PMA_UPLOADDIR', 'PMA_SAVEDIR', 'PMA_SSL', + 'PMA_SSLS', 'PMA_SSL_DIR', 'PMA_SSL_VERIFY', - 'PMA_SSL_CA', - 'PMA_SSL_KEY', - 'PMA_SSL_CERT', - 'PMA_SSLS', 'PMA_SSL_VERIFIES', + 'PMA_SSL_CA', 'PMA_SSL_CAS', + 'PMA_SSL_CA_BASE64', + 'PMA_SSL_CAS_BASE64', + 'PMA_SSL_KEY', 'PMA_SSL_KEYS', + 'PMA_SSL_KEY_BASE64', + 'PMA_SSL_KEYS_BASE64', + 'PMA_SSL_CERT', 'PMA_SSL_CERTS', + 'PMA_SSL_CERT_BASE64', + 'PMA_SSL_CERTS_BASE64', ]; foreach ($vars as $var) { diff --git a/config.inc.php b/config.inc.php index d33359e..6317a34 100644 --- a/config.inc.php +++ b/config.inc.php @@ -29,16 +29,22 @@ 'PMA_UPLOADDIR', 'PMA_SAVEDIR', 'PMA_SSL', + 'PMA_SSLS', 'PMA_SSL_DIR', 'PMA_SSL_VERIFY', - 'PMA_SSL_CA', - 'PMA_SSL_KEY', - 'PMA_SSL_CERT', - 'PMA_SSLS', 'PMA_SSL_VERIFIES', + 'PMA_SSL_CA', 'PMA_SSL_CAS', + 'PMA_SSL_CA_BASE64', + 'PMA_SSL_CAS_BASE64', + 'PMA_SSL_KEY', 'PMA_SSL_KEYS', + 'PMA_SSL_KEY_BASE64', + 'PMA_SSL_KEYS_BASE64', + 'PMA_SSL_CERT', 'PMA_SSL_CERTS', + 'PMA_SSL_CERT_BASE64', + 'PMA_SSL_CERTS_BASE64', ]; foreach ($vars as $var) { diff --git a/fpm-alpine/config.inc.php b/fpm-alpine/config.inc.php index d33359e..6317a34 100644 --- a/fpm-alpine/config.inc.php +++ b/fpm-alpine/config.inc.php @@ -29,16 +29,22 @@ 'PMA_UPLOADDIR', 'PMA_SAVEDIR', 'PMA_SSL', + 'PMA_SSLS', 'PMA_SSL_DIR', 'PMA_SSL_VERIFY', - 'PMA_SSL_CA', - 'PMA_SSL_KEY', - 'PMA_SSL_CERT', - 'PMA_SSLS', 'PMA_SSL_VERIFIES', + 'PMA_SSL_CA', 'PMA_SSL_CAS', + 'PMA_SSL_CA_BASE64', + 'PMA_SSL_CAS_BASE64', + 'PMA_SSL_KEY', 'PMA_SSL_KEYS', + 'PMA_SSL_KEY_BASE64', + 'PMA_SSL_KEYS_BASE64', + 'PMA_SSL_CERT', 'PMA_SSL_CERTS', + 'PMA_SSL_CERT_BASE64', + 'PMA_SSL_CERTS_BASE64', ]; foreach ($vars as $var) { diff --git a/fpm/config.inc.php b/fpm/config.inc.php index d33359e..6317a34 100644 --- a/fpm/config.inc.php +++ b/fpm/config.inc.php 
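Review bot: Listing the six `*_BASE64` names in `$vars` commits the design to carrying a private key through the container environment, where it is visible to `docker inspect`, to `/proc/<pid>/environ` of every process in the container and to anything that dumps `$_ENV` or `getenv()`; unlike `PMA_PASSWORD`, which the entrypoint's get_docker_secret can read from a `_FILE` variant, the key has no file-based path here. Either document that `PMA_SSL_KEY` should normally point at a mounted file and that `PMA_SSL_KEY_BASE64` is for cases where a mount is impossible, or extend the entrypoint's `_FILE` handling to these variables. Consider also `unset($_ENV['PMA_SSL_KEY_BASE64'], $_ENV['PMA_SSL_KEYS_BASE64']);` once the files have been written, so the material is not kept in the request's superglobals. The `$vars` array and the loop that copies it start outside this hunk.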
@@ -29,16 +29,22 @@ 'PMA_UPLOADDIR', 'PMA_SAVEDIR', 'PMA_SSL', + 'PMA_SSLS', 'PMA_SSL_DIR', 'PMA_SSL_VERIFY', - 'PMA_SSL_CA', - 'PMA_SSL_KEY', - 'PMA_SSL_CERT', - 'PMA_SSLS', 'PMA_SSL_VERIFIES', + 'PMA_SSL_CA', 'PMA_SSL_CAS', + 'PMA_SSL_CA_BASE64', + 'PMA_SSL_CAS_BASE64', + 'PMA_SSL_KEY', 'PMA_SSL_KEYS', + 'PMA_SSL_KEY_BASE64', + 'PMA_SSL_KEYS_BASE64', + 'PMA_SSL_CERT', 'PMA_SSL_CERTS', + 'PMA_SSL_CERT_BASE64', + 'PMA_SSL_CERTS_BASE64', ]; foreach ($vars as $var) { From cdbcee1c6894eb1315d04b6c4f278cce323660bb Mon Sep 17 00:00:00 2001 From: William Desportes Date: Sat, 4 Jan 2025 01:26:31 +0100 Subject: [PATCH 15/17] Also mkdir the folder and chmod it --- Dockerfile-alpine.template | 2 ++ Dockerfile-debian.template | 2 ++ apache/Dockerfile | 2 ++ fpm-alpine/Dockerfile | 2 ++ fpm/Dockerfile | 2 ++ 5 files changed, 10 insertions(+) diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 8a9dd8f..9c7b6bb 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -92,7 +92,9 @@ RUN set -ex; \ gnupg \ ; \ mkdir $SESSION_SAVE_PATH; \ + mkdir $PMA_SSL_DIR; \ chmod 1777 $SESSION_SAVE_PATH; \ + chmod 755 $PMA_SSL_DIR; \ chown www-data:www-data $SESSION_SAVE_PATH; \ chown www-data:www-data $PMA_SSL_DIR; \ \ diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template index ea5fc3e..5b420b8 100644 --- a/Dockerfile-debian.template +++ b/Dockerfile-debian.template @@ -108,7 +108,9 @@ RUN set -ex; \ dirmngr \ ; \ mkdir $SESSION_SAVE_PATH; \ + mkdir $PMA_SSL_DIR; \ chmod 1777 $SESSION_SAVE_PATH; \ + chmod 755 $PMA_SSL_DIR; \ chown www-data:www-data $SESSION_SAVE_PATH; \ chown www-data:www-data $PMA_SSL_DIR; \ \ diff --git a/apache/Dockerfile b/apache/Dockerfile index f77b5d1..ebde644 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile 
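Review bot: `chmod 755 $PMA_SSL_DIR` makes the directory that will hold decoded private keys traversable and listable by every user in the container, although only www-data, set as owner on the next line, ever needs to reach it; `chmod 700 $PMA_SSL_DIR` is enough for the PHP process and removes the exposure. This matters more than usual because the PHP helper writes the key files with default permissions, so the directory mode is currently the only thing limiting who can read them. The same four lines recur in apache/Dockerfile, fpm-alpine/Dockerfile and fpm/Dockerfile in the next hunks.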
@@ -109,7 +109,9 @@ RUN set -ex; \
 dirmngr \
 ; \
 mkdir $SESSION_SAVE_PATH; \
+ mkdir $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
+ chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
 chown www-data:www-data $PMA_SSL_DIR; \
 \
diff --git a/fpm-alpine/Dockerfile b/fpm-alpine/Dockerfile
index 5275027..89002fc 100644
--- a/fpm-alpine/Dockerfile
+++ b/fpm-alpine/Dockerfile
@@ -93,7 +93,9 @@ RUN set -ex; \
 gnupg \
 ; \
 mkdir $SESSION_SAVE_PATH; \
+ mkdir $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
+ chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
 chown www-data:www-data $PMA_SSL_DIR; \
 \
diff --git a/fpm/Dockerfile b/fpm/Dockerfile
index 731265d..94b070b 100644
--- a/fpm/Dockerfile
+++ b/fpm/Dockerfile
@@ -106,7 +106,9 @@ RUN set -ex; \
 dirmngr \
 ; \
 mkdir $SESSION_SAVE_PATH; \
+ mkdir $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
+ chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
 chown www-data:www-data $PMA_SSL_DIR; \
 \
From 2cf099ceecd09aa9ef23fe2686c58f58eba658da Mon Sep 17 00:00:00 2001
From: William Desportes
Date: Sat, 4 Jan 2025 01:26:48 +0100
Subject: [PATCH 16/17] Ignore all pem files
---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index c693c69..976dab4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ __pycache__
 .pytest_cache
 .vscode
 .history
-.venv
\ No newline at end of file
+.venv
+testing/*.pem
From 518ebc03af8e84ddd7606823dfd81c71515c3dfb Mon Sep 17 00:00:00 2001
From: William Desportes
Date: Sat, 4 Jan 2025 01:27:39 +0100
Subject: [PATCH 17/17] mkdir all the path
---
 Dockerfile-alpine.template | 2 +-
 Dockerfile-debian.template | 2 +-
 apache/Dockerfile | 2 +-
 fpm-alpine/Dockerfile | 2 +-
 fpm/Dockerfile | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 9c7b6bb..d0f2169 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -92,7 +92,7 @@ RUN set -ex; \
 gnupg \
 ; \
 mkdir $SESSION_SAVE_PATH; \
- mkdir $PMA_SSL_DIR; \
+ mkdir -p $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index 5b420b8..a6b50f9 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -108,7 +108,7 @@ RUN set -ex; \
 dirmngr \
 ; \
 mkdir $SESSION_SAVE_PATH; \
- mkdir $PMA_SSL_DIR; \
+ mkdir -p $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
diff --git a/apache/Dockerfile b/apache/Dockerfile
index ebde644..5556aba 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -109,7 +109,7 @@ RUN set -ex; \
 dirmngr \
 ; \
 mkdir $SESSION_SAVE_PATH; \
- mkdir $PMA_SSL_DIR; \
+ mkdir -p $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
diff --git a/fpm-alpine/Dockerfile b/fpm-alpine/Dockerfile
index 89002fc..ba1ae59 100644
--- a/fpm-alpine/Dockerfile
+++ b/fpm-alpine/Dockerfile
@@ -93,7 +93,7 @@ RUN set -ex; \
 gnupg \
 ; \
 mkdir $SESSION_SAVE_PATH; \
- mkdir $PMA_SSL_DIR; \
+ mkdir -p $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
diff --git a/fpm/Dockerfile b/fpm/Dockerfile
index 94b070b..933cb0d 100644
--- a/fpm/Dockerfile
+++ b/fpm/Dockerfile
@@ -106,7 +106,7 @@ RUN set -ex; \
 dirmngr \
 ; \
 mkdir $SESSION_SAVE_PATH; \
- mkdir $PMA_SSL_DIR; \
+ mkdir -p $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
 chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
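Review bot: With `mkdir -p $PMA_SSL_DIR` in the Dockerfile-alpine.template hunk the step no longer fails when the path already exists, so the `chmod 755` and `chown www-data:www-data` that follow are silently applied to whatever directory `$PMA_SSL_DIR` names, including a pre-existing system path if the build is run with an overridden value; that is likely acceptable for an image build but deserves a line such as `# PMA_SSL_DIR may be nested and may pre-exist; -p creates parents and tolerates it`. The variable is unquoted in all three commands, so a value containing whitespace would be word-split; `mkdir -p "$PMA_SSL_DIR"` is the safer spelling, though the neighbouring `$SESSION_SAVE_PATH` lines follow the same unquoted convention and this may be deliberate project style. The `RUN set -ex;` block this hunk belongs to starts and ends outside the hunk. The identical change is repeated in Dockerfile-debian.template and in the per-variant Dockerfiles, which appear to be generated from these templates.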
