Commit 4c508896 authored by Your Name's avatar Your Name


parents
version: '2'
networks:
# for use with a reverse proxy
backend:
driver: bridge
services:
moodle:
build:
context: ./docker/
dockerfile: Dockerfile
image: moodle1404shib:dirty
restart: always
hostname: vc-test.uni-bamberg.de
expose:
- 22
- 80
- 443
ports:
- "141.13.240.124:22:22"
- "141.13.240.124:80:80"
- "141.13.240.124:443:443"
networks:
- backend
volumes:
- ./volumes/var/www:/var/www
- ./volumes/var/www:/var/moodledata
- ./volumes/var/lib/mysql:/var/lib/mysql
- ./volumes/opt:/opt
- ./volumes/root/uniba.de/share:/root/uniba.de/share
- ./volumes/.git:/.git
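Review bot: The same host directory `./volumes/var/www` is mounted at both `/var/www` and `/var/moodledata` (second and third volume entries), so Moodle's data directory shares a tree with the web root's parent instead of living outside it as Moodle expects; the third entry presumably meant `./volumes/var/moodledata:/var/moodledata`. `./volumes/.git:/.git` also puts the repository history inside the running container, and nothing on this page shows a consumer for it. The `expose:` list duplicates what `ports:` already publishes and can be dropped; quoting the port mappings as strings is correct and should stay.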
FROM ubuntu:14.04
RUN rm /etc/apt/sources.list
ADD sources.list /etc/apt/sources.list
RUN apt-get update
RUN apt-get upgrade -y
RUN apt-get install -y \
bash-completion \
vim \
git \
sudo \
rsync \
cron \
byobu
#DEBIAN_FRONTEND=noninteractive
RUN DEBIAN_FRONTEND=noninteractive apt-get install -y \
apache2 \
openssh-server \
rsync \
mysql-server
#moodle
RUN apt-get install -y \
apache2-utils \
libapache2-mod-php5 \
php5 \
php5-intl \
php5-common \
php5-curl \
php5-gd \
php5-mysql \
php5-xmlrpc \
php5-cli \
php5-json \
php5-readline \
php5-ldap \
php5-mcrypt \
postfix \
mailutils \
curl
RUN locale-gen de_DE.utf8 && locale -a
RUN a2ensite default-ssl && a2enmod ssl
RUN make-ssl-cert generate-default-snakeoil --force-overwrite
#RUN a2dismod mpm_event && a2enmod mpm_prefork && a2enmod headers
RUN mkdir -p /root/uniba.de/initial
RUN mkdir -p /root/uniba.de/initial/var/lib/mysql/
RUN rsync -a /var/lib/mysql/ /root/uniba.de/initial/var/lib/mysql/
ADD start.sh /start
RUN chmod +x /start
RUN mkdir -p /root/uniba.de/initial/remove-after-run
ADD setup.sh /root/uniba.de/initial/remove-after-run/setup.sh
RUN mkdir -p /root/.ssh/
ADD authorized_keys2 /root/.ssh/authorized_keys2
ADD SWITCHaai-swdistrib.asc /SWITCHaai-swdistrib.asc
RUN gpg --with-fingerprint SWITCHaai-swdistrib.asc
RUN apt-key add SWITCHaai-swdistrib.asc
RUN echo 'deb http://pkg.switch.ch/switchaai/ubuntu trusty main' | tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
RUN apt-get update
RUN apt-get install --yes shibboleth
CMD ["/start", "-D"]
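Review bot: `RUN gpg --with-fingerprint SWITCHaai-swdistrib.asc` only prints the fingerprint into the build log; nothing compares it with the expected value before the next line's `apt-key add` trusts that key for every configured apt source, so a modified .asc in the repository would be accepted silently. Make the build fail on mismatch, e.g. `RUN gpg --with-fingerprint SWITCHaai-swdistrib.asc | grep -q '<EXPECTED_FINGERPRINT>'` (placeholder; take the value from the publisher's key page). Separately, `ADD authorized_keys2 /root/.ssh/authorized_keys2` together with the published port 22 bakes root SSH access into the image itself; whether that is intended for this deployment is not visible here and deserves a comment either way.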
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: SWITCHaai Software Distribution Signing Key
#
-----END PGP PUBLIC KEY BLOCK-----
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVhpkCOPHFkPL4+9KkMQ/ZvDZNjs4+ljGSGZdwqYwLD8zGzBBTqRbjtIw/1Vse50uLyCVNld5GdpLr22OCwQyozYxbmJ35D0241jQTJTM6xzWkLw0wEjhjiJyrLmllqeN/FieRvXzLXbbxW8lypYmAAR2JWfAuu11Bub7NuHExEv+KOKbZs8m0gy0Rh9+bDXUlo5MWAgrWk2UYTETuAoyjCbXpcl/1u/Vqj8gHl4VNRdXeyXzPoAvhv0jptoy7RlS3oQoniGDK2ho1WiLY7i4EmC2XJ29v3jGpeQrrcue+Cppx0K+dZVr6wdWJ5Yad03MXCfKBUrQn7/Zb6k4iY/S5 martin@martin
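Review bot: This key carries no options, so any holder of the matching private key gets root on the container from any source address once port 22 is published on the host IP in the compose file. Restricting it at the key level is cheap, e.g. `from="<ADMIN_NETWORK>" ssh-rsa AAAA…` (placeholder for the management network), and the `martin@martin` comment could name the key's purpose so it can be rotated deliberately.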
#!/bin/bash
sudo curl -k -O http://pkg.switch.ch/switchaai/SWITCHaai-swdistrib.asc
gpg --with-fingerprint SWITCHaai-swdistrib.asc
sudo apt-key add SWITCHaai-swdistrib.asc
echo 'deb http://pkg.switch.ch/switchaai/ubuntu trusty main' | sudo tee /etc/apt/sources.list.d/SWITCHaai-swdistrib.list > /dev/null
sudo apt-get update
sudo apt-get install --yes shibboleth
a2enmod headers
rsync -a -v /root/uniba.de/share/overlay/ /
mkdir -p /var/www/html
chown www-data /var/www/html
mkdir -p /var/moodledata
chown www-data /var/moodledata
#a2enconf limit-rz-ip-all
service apache2 restart
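Review bot: `sudo curl -k -O http://pkg.switch.ch/switchaai/SWITCHaai-swdistrib.asc` fetches the repository signing key over plain HTTP (`-k` has no effect on an http URL), and the next two lines print its fingerprint and trust it with `apt-key add` without any comparison, so whatever was served is what gets trusted. The image already ships a copy of this key (`ADD SWITCHaai-swdistrib.asc` in the Dockerfile, which also installs shibboleth), so the download and install here are duplicated; if they stay, verify before trusting, e.g. `gpg --with-fingerprint SWITCHaai-swdistrib.asc | grep -q '<EXPECTED_FINGERPRINT>' || exit 1` with the placeholder taken from the publisher's key page. The script also has no `set -e`, so a failed `apt-get install --yes shibboleth` still proceeds to rsync the overlay and restart Apache; if that is deliberate, say so in a comment.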
#
# deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20140416.2)]/ trusty main restricted
#deb cdrom:[Ubuntu-Server 14.04 LTS _Trusty Tahr_ - Release amd64 (20140416.2)]/ trusty main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.
deb http://ubuntu.mirror.lrz.de/ubuntu/ trusty main restricted
deb-src http://ubuntu.mirror.lrz.de/ubuntu/ trusty main restricted
## Major bug fix updates produced after the final release of the
## distribution.
deb http://ubuntu.mirror.lrz.de/ubuntu/ trusty-updates main restricted
deb-src http://ubuntu.mirror.lrz.de/ubuntu/ trusty-updates main restricted
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
deb http://ubuntu.mirror.lrz.de/ubuntu/ trusty universe
deb-src http://ubuntu.mirror.lrz.de/ubuntu/ trusty universe
deb http://ubuntu.mirror.lrz.de/ubuntu/ trusty-updates universe
deb-src http://ubuntu.mirror.lrz.de/ubuntu/ trusty-updates universe
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
deb http://ubuntu.mirror.lrz.de/ubuntu/ trusty multiverse
deb-src http://ubuntu.mirror.lrz.de/ubuntu/ trusty multiverse
deb http://ubuntu.mirror.lrz.de/ubuntu/ trusty-updates multiverse
deb-src http://ubuntu.mirror.lrz.de/ubuntu/ trusty-updates multiverse
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
deb http://ubuntu.mirror.lrz.de/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://ubuntu.mirror.lrz.de/ubuntu/ trusty-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu trusty-security main restricted
deb-src http://security.ubuntu.com/ubuntu trusty-security main restricted
deb http://security.ubuntu.com/ubuntu trusty-security universe
deb-src http://security.ubuntu.com/ubuntu trusty-security universe
deb http://security.ubuntu.com/ubuntu trusty-security multiverse
deb-src http://security.ubuntu.com/ubuntu trusty-security multiverse
## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu trusty partner
# deb-src http://archive.canonical.com/ubuntu trusty partner
## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu trusty main
# deb-src http://extras.ubuntu.com/ubuntu trusty main
#!/bin/bash
sh /root/uniba.de/initial/remove-after-run/setup.sh
rm /root/uniba.de/initial/remove-after-run/setup.sh
mkdir /root/.ssh/
touch /root/.ssh/authorized_keys2
chmod 700 /root/.ssh/authorized_keys2
/sbin/init
service ssh restart
service rsyslog restart
service shibd restart
service apache2 restart
service mysql restart
cron
tail -f /start
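Review bot: `chmod 700 /root/.ssh/authorized_keys2` puts an execute bit on a regular file; the conventional set is `chmod 600 /root/.ssh/authorized_keys2` with `chmod 700 /root/.ssh`. `mkdir /root/.ssh/` without `-p` fails on every start because the Dockerfile already creates that directory, and `sh /root/uniba.de/initial/remove-after-run/setup.sh` fails on every start after the first because the next line deletes it; neither stops the script since there is no `set -e`, which looks intentional but should be stated in a comment. Whether `/sbin/init` returns control here cannot be judged from this file — if it does not, none of the `service … restart` lines run — and `tail -f /start`, which tails this script itself to keep the container alive, deserves a one-line comment saying that is its only purpose.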
<Location "/">
Order deny,allow
deny from all
allow from 127.0.0.1
#allow from 141.13.241.
</Location>
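Review bot: This block uses the Apache 2.2 `Order/Deny/Allow` directives (mod_access_compat) while the SSL vhost in the same commit uses 2.4 `Require` directives, and the Apache 2.4 documentation advises against mixing the two styles in one configuration because their merge rules differ from what either implies alone. The 2.4 equivalent is `Require ip 127.0.0.1`, with the commented range as `Require ip 141.13.241` when it is enabled. Which file this snippet belongs to is not visible here; it is presumably the `limit-rz-ip-all` conf referenced from the install script.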
ServerName http://vc-test.uni-bamberg.de
UseCanonicalName on
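Review bot: `ServerName http://vc-test.uni-bamberg.de` embeds the `http` scheme, and with `UseCanonicalName on` Apache builds self-referential URLs (redirects, `SERVER_NAME`-derived links) from ServerName, so a site served on 443 would advertise `http://` URLs. Either drop the scheme, `ServerName vc-test.uni-bamberg.de`, or state the real one, `ServerName https://vc-test.uni-bamberg.de:443`. The Shibboleth handler may also derive its own URLs from the canonical name, so the wrong scheme could surface in SP redirects as well.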
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
#SSLProtocol +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCompression off
Header add Strict-Transport-Security "max-age=15768000"
SSLCipherSuite "ECDH+aRSA+AES256:DH+aRSA+AES256:!SHA384!SHA256"
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/cert-vc-test.uni-bamberg.de.pem
SSLCertificateKeyFile /etc/ssl/private/key-vc-test.uni-bamberg.de.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
SSLCertificateChainFile /etc/ssl/certs/chain.pem
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
#Zugriff auf die Shibboleth-Ressourcen gewähren
<Location /Shibboleth.sso>
AuthType None
Require all granted
SetHandler shib
</Location>
<Location /shibboleth-sp>
AuthType None
Require all granted
</Location>
#Alias für CSS
Alias /shibboleth-sp/main.css /opt/shibboleth-sp/share/shibboleth/main.css
Alias /shibboleth-sp/logo.jpg /opt/shibboleth-sp/share/shibboleth/logo.jpg
#optional (Metadata-Access at entityID-URL)
Redirect seeother /shibboleth https://vc-test.uni-bamberg.de/Shibboleth.sso/Metadata
<Location /foo>
authType shibboleth
ShibRequestSetting requireSession true
Require valid-user
</Location>
<Directory /var/www/html/moodle/auth/shibboleth/index.php>
AuthType shibboleth
ShibRequestSetting requireSession true
require valid-user
</Directory>
</VirtualHost>
</IfModule>
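Review bot: `Header add Strict-Transport-Security "max-age=15768000"` should be `Header always set Strict-Transport-Security "max-age=15768000"`: `add` can emit the header twice when another layer also adds it, and without `always` it is not sent on non-2xx responses such as redirects and error pages. The directive also needs mod_headers, which the Dockerfile leaves disabled (the `a2enmod headers` line there is commented out) and which is only enabled at container start by the install script, so Apache refuses to start with this vhost if that step has not run. The `<Location /foo>` block with `authType shibboleth` looks like a leftover test stanza and should be removed or commented. `SSLCipherSuite "...:!SHA384!SHA256"` omits the colon between the last two exclusions; OpenSSL appears to tolerate it, but `:!SHA384:!SHA256` is the documented spelling and avoids the question.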
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
#key_buffer = 16M
#uniba.de
max_allowed_packet = 64M
thread_stack = 192K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Here you can see queries with especially long duration
#log_slow_queries = /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
#no-auto-rehash # faster start of mysql but no tab completition
[isamchk]
key_buffer = 16M
#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
The mappings are a mix of SAML 1.1 and SAML 2.0 attribute names agreed to within the Shibboleth
community. The non-OID URNs are SAML 1.1 names and most of the OIDs are SAML 2.0 names, with a
few exceptions for newer attributes where the name is the same for both versions. You will
usually want to uncomment or map the names for both SAML versions as a unit.
-->
<!-- First some useful eduPerson attributes that many sites might use. -->
<Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
<AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<!-- A persistent id attribute that supports personalized anonymous access. -->