Merge pull request #239 from cytopia/https

Add HTTPS support

.devilbox/www/config.php

@@ -13,8 +13,8 @@
 putenv('RES_OPTIONS=retrans:1 retry:1 timeout:1 attempts:1');
 
 
-$DEVILBOX_VERSION = 'v0.13.1';
-$DEVILBOX_DATE = '2018-04-28';
+$DEVILBOX_VERSION = 'v0.14';
+$DEVILBOX_DATE = '2018-05-05';
 $DEVILBOX_API_PAGE = 'devilbox-api/status.json';
 
 //

.devilbox/www/htdocs/index.php

@@ -584,8 +584,11 @@
 											</tr>
 											<tr>
 												<th>httpd</th>
-												<td><?php echo loadClass('Helper')->getEnv('LOCAL_LISTEN_ADDR').loadClass('Helper')->getEnv('HOST_PORT_HTTPD');?></td>
-												<td>80</td>
+												<td>
+													<?php echo loadClass('Helper')->getEnv('LOCAL_LISTEN_ADDR').loadClass('Helper')->getEnv('HOST_PORT_HTTPD');?><br/>
+													<?php echo loadClass('Helper')->getEnv('LOCAL_LISTEN_ADDR').loadClass('Helper')->getEnv('HOST_PORT_HTTPD_SSL');?>
+												</td>
+												<td>80<br/>443</td>
 											</tr>
 											<?php if ($avail_mysql): ?>
 												<tr>

.devilbox/www/htdocs/vhosts.php

@@ -118,12 +118,12 @@ function checkDns(vhost) {
 						if (el_valid.innerHTML != 'WARN') {
 							el_valid.innerHTML = 'OK';
 						}
-						el_href.innerHTML = '<a target="_blank" href="http://'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?>">'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?></a>' + el_href.innerHTML;
+						el_href.innerHTML = '<a target="_blank" href="//'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?>">'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?></a>' + el_href.innerHTML;
 					} else {
 						//console.log(vhost);
 					}
 				}
-				xhttp.open('POST', 'http://'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?>/devilbox-api/status.json', true);
+				xhttp.open('POST', '//'+vhost+'.<?php echo loadClass('Httpd')->getTldSuffix().loadClass('Httpd')->getPort();?>/devilbox-api/status.json', true);
 				xhttp.send();
 
 				// Timeout to abort in 1 second

.gitignore

@@ -19,6 +19,9 @@
 /data/*
 /backups/*
 
+# Ignore Certificate Authority
+/ca/*
+
 # Ignore compose override file
 docker-compose.override.yml
 

README.md

@@ -21,7 +21,9 @@
 [![type](https://img.shields.io/badge/type-Docker-orange.svg)](https://www.docker.com/)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
-The devilbox is a modern and highly customisable **dockerized PHP stack** supporting full **LAMP** and **MEAN** and running on all major platforms. The main goal is to easily switch and combine any version required for local development. It supports an unlimited number of projects for which vhosts and DNS records are created automatically. Email catch-all and popular development tools will be at your service as well.  Configuration is not necessary, as everything is pre-setup with mass virtual hosting.
+<img width="200" style="width:200px;" src="docs/_static/img/global-configuration/https-ssl-address-bar.png" />
+
+The devilbox is a modern and highly customisable **dockerized PHP stack** supporting full **LAMP** and **MEAN** and running on all major platforms. The main goal is to easily switch and combine any version required for local development. It supports an **unlimited number of projects** for which vhosts, **SSL certificates** and **DNS records** are created automatically. Email catch-all and popular development tools will be at your service as well.  Configuration is not necessary, as everything is pre-setup with mass virtual hosting.
 
 **Requirements**
 
@@ -239,6 +241,10 @@ The devilbox has everything setup for you. The only thing you will have to insta
     <td width="220" style="width:220px;">:star: Auto virtual hosts</td>
     <td>New virtual hosts are created automatically and instantly whenever you add a project directory. This is done internally via <a href="https://travis-ci.org/devilbox/vhost-gen">vhost-gen</a> and <a href="https://github.com/devilbox/watcherd">watcherd</a>.</td>
   </tr>
+  <tr>
+    <td>:star: Automated SSL certificate generation</td>
+    <td>SSL certificates are automatically created for each vhost and signed by the Devilbox CA.</td>
+  </tr>
   <tr>
     <td>:star: Unlimited vhosts</td>
     <td>Run as many projects as you need with a single instance of the devilbox.</td>

docker-compose.yml

@@ -196,7 +196,7 @@ services:
   # Web Server
   # ------------------------------------------------------------
   httpd:
-    image: devilbox/${HTTPD_SERVER:-nginx-stable}:0.13
+    image: devilbox/${HTTPD_SERVER:-nginx-stable}:0.15
     restart: always
 
     environment:
@@ -222,9 +222,12 @@ services:
       ##
       ## Disable default vhost?
       ##
-      - MAIN_VHOST_DISABLE=${DEVILBOX_UI_DISABLE}
+      - MAIN_VHOST_ENABLE=${DEVILBOX_UI_ENABLE}
       - MAIN_VHOST_STATUS_ENABLE=1
       - MAIN_VHOST_STATUS_ALIAS=/devilbox-httpd-status
+      - MAIN_VHOST_SSL_TYPE=both
+      - MAIN_VHOST_SSL_GEN=1
+      - MAIN_VHOST_SSL_CN=${DEVILBOX_UI_SSL_CN:-localhost}
 
       ##
       ## Enable Mass Vhosts
@@ -233,6 +236,8 @@ services:
       - MASS_VHOST_TLD=.${TLD_SUFFIX}
       - MASS_VHOST_DOCROOT=${HTTPD_DOCROOT_DIR}
       - MASS_VHOST_TPL=${HTTPD_TEMPLATE_DIR}
+      - MASS_VHOST_SSL_TYPE=both
+      - MASS_VHOST_SSL_GEN=1
 
       ##
       ## PHP-FPM Remote Server
@@ -245,6 +250,7 @@ services:
       # ---- Format: ----
       # [HOST-ADDR : ] HOST-PORT : DOCKER-PORT
       - "${LOCAL_LISTEN_ADDR}${HOST_PORT_HTTPD}:80"
+      - "${LOCAL_LISTEN_ADDR}${HOST_PORT_HTTPD_SSL}:443"
 
     networks:
       app_net:
@@ -266,6 +272,9 @@ services:
       # Mount logs
       - ${DEVILBOX_PATH}/log/${HTTPD_SERVER}:/var/log/${HTTPD_SERVER}
 
+      # Certificate Authority public key
+      - ${DEVILBOX_PATH}/ca:/ca
+
     depends_on:
       - bind
       - php

docs/configuration-files/env-file.rst

@@ -423,6 +423,36 @@ and report as unsuccessful. The default is ``1`` second, wich should be fairly s
 +-----------------------+----------------+-------------------+
 
 
+.. _env_devilbox_ui_ssl_cn:
+
+DEVILBOX_UI_SSL_CN
+------------------
+
+When accessing the Devilbox intranet via ``https`` it will use an automatically created SSL certificate.
+Each SSL certificate requires a valid Common Name, which must match the virtual host name.
+
+This setting let's you specify by what **name** you are accessing the Devilbox intranet.
+The default is ``localhost``, but if you have created your own alias, you must change this value
+accordingly. Also note that multiple values are possible and must be separated with a comma.
+When you add an asterisk (``*.``) to the beginning, it means it will create a wildcard certificate for that
+hostname.
+
++-------------------------+------------------------------+-----------------------------------------------+
+| Name                    | Allowed values               | Default value                                 |
++=========================+==============================+===============================================+
+| ``DEVILBOX_UI_SSL_CN``  | comma separated list of CN's | ``localhost,*.localhost,devilbox,*.devilbox`` |
++-------------------------+------------------------------+-----------------------------------------------+
+
+**Examples**:
+
+* ``DEVILBOX_UI_SSL_CN=localhost``
+* ``DEVILBOX_UI_SSL_CN=localhost,*.localhost``
+* ``DEVILBOX_UI_SSL_CN=localhost,*.localhost,devilbox,*.devilbox``
+* ``DEVILBOX_UI_SSL_CN=intranet.example.com``
+
+.. seealso:: :ref:`configuration_https_ssl`
+
+
 .. _env_devilbox_ui_protect:
 
 DEVILBOX_UI_PROTECT
@@ -458,13 +488,13 @@ password by which it will be protected.
 +--------------------------+----------------+-------------------+
 
 
-.. _env_devilbox_ui_disable:
+.. _env_devilbox_ui_enable:
 
-DEVILBOX_UI_DISABLE
+DEVILBOX_UI_ENABLE
 -------------------
 
 In case you want to completely disable the Devilbox intranet, such as when running it on production,
-you need to set this variable to ``1``.
+you need to set this variable to ``0``.
 
 By disabling the intranet, the webserver will simply remove the default virtual host and redirect
 all IP-based requests to the first available virtual host, which will be you first project when
@@ -473,7 +503,7 @@ ordering their names alphabetically.
 +-------------------------+----------------+-------------------+
 | Name                    | Allowed values | Default value     |
 +=========================+================+===================+
-| ``DEVILBOX_UI_DISABLE`` | ``0`` or ``1`` | ``0``             |
+| ``DEVILBOX_UI_ENABLE``  | ``0`` or ``1`` | ``1``             |
 +-------------------------+----------------+-------------------+
 
 
@@ -990,6 +1020,19 @@ else if 80 is already in use on your host operating system.
 +----------------------+-------------------+------------------+
 
 
+HOST_PORT_HTTPD_SSL
+-------------------
+
+The port to expose for the web server (Apache or Nginx) for HTTPS (SSL) requests. This is usually
+443. Set it to something else if 443 is already in use on your host operating system.
+
++--------------------------+-------------------+------------------+
+| Name                     | Allowed values    | Default value    |
++==========================+===================+==================+
+| ``HOST_PORT_HTTPD_SSL``  | ``1`` - ``65535`` | ``443``           |
++--------------------------+-------------------+------------------+
+
+
 HOST_PORT_MYSQL
 ---------------
 

docs/configuration-global/bind.rst

@@ -0,0 +1,3 @@
+****
+BIND
+****

docs/configuration-global/devilbox-intranet.rst

@@ -0,0 +1,3 @@
+*****************
+Devilbox Intranet
+*****************

docs/configuration-global/https-ssl.rst

@@ -0,0 +1,132 @@
+.. _configuration_https_ssl:
+
+***********
+HTTPS (SSL)
+***********
+
+This page shows you how to use the Devilbox on https and how to import the Certificate Authority
+into your browser once, so that you always and automatically get valid SSL certificates for all new
+projects.
+
+SSL certificates are generated automatically and there is nothing to do from your side.
+
+.. image:: /_static/img/global-configuration/https-ssl-address-bar.png
+
+**Table of Contents**
+
+.. contents:: :local:
+
+
+TL;DR
+=====
+
+Import the Certificate Authority into your browser and you are all set.
+
+
+How does it work
+================
+
+Certificate Authority
+---------------------
+
+When the Devilbox starts up for the first time, it will generate a
+`Certificate Authority <https://en.wikipedia.org/wiki/Certificate_authority>`_ and will store its
+public and private key in ``./ca/`` within the Devilbox git directory.
+
+The keys are only generated if they don't exist and kept permanently if you don't delete them
+manually, i.e. they are not overwritten.
+
+.. code-block:: bash
+
+    host> cd path/to/devilbox
+    host> ls -l ca/
+    -rw-r--r--  1 cytopia cytopia 1558 May  2 11:12 devilbox-ca.crt
+    -rw-------  1 cytopia cytopia 1675 May  2 11:12 devilbox-ca.key
+    -rw-r--r--  1 cytopia cytopia   17 May  4 08:35 devilbox-ca.srl
+
+
+SSL Certificates
+----------------
+
+Whenever you create a new project directory, multiple things happen in the background:
+
+1. A new virtual host is created
+2. DNS is provided via :ref:`global_configuration_auto_dns`
+3. A new SSL certificate is generated for that vhost
+4. **The SSL certificate is signed by the Devilbox Certificate Authority**
+
+By having a SSL certificates signed by the provided CA, you will only have to import the CA
+into your browser ones and all current projects and future projects will automatically have
+valid and trusted SSL certificates without any further work.
+
+.. important::
+    Importing the CA into the browser is also recommended and required for the Devilbox
+    intranet page to work properly.
+
+
+Import the CA into your browser
+===============================
+
+Chrome / Chromium
+-----------------
+
+Open Chrome settings, scroll down to the very bottom and click on ``Advanced`` to expand the
+advanced settings.
+
+.. image:: /_static/img/global-configuration/https-ssl-01-chrome-settings.png
+
+Find the setting ``Manage certificates`` and open it.
+
+.. image:: /_static/img/global-configuration/https-ssl-02-chrome-advanced-settings.png
+
+Navigate to the tab setting ``AUTHORITIES`` and click on ``IMPORT``.
+
+.. image:: /_static/img/global-configuration/https-ssl-03-chrome-authorities.png
+
+Select ``devilbox-ca.crt`` from within the Devilbox ``./ca`` directory:
+
+.. image:: /_static/img/global-configuration/https-ssl-04-import.png
+
+As the last step you are asked what permissions you want to grant the newly importat CA.
+To make sure it works everywhere, check all options and proceed with ``OK``.
+
+.. image:: /_static/img/global-configuration/https-ssl-05-chrome-set-trust.png
+
+Now you are all set and all generated SSL certificates will be valid from now on.
+
+.. image:: /_static/img/global-configuration/https-ssl-address-bar.png
+
+
+Firefox
+-------
+
+Open Firefox settings and click on ``Privacy & Security``.
+
+.. image:: /_static/img/global-configuration/https-ssl-01-firefox-settings.png
+
+At the very bottom click on the button ``View Certificates``.
+
+.. image:: /_static/img/global-configuration/https-ssl-02-firefox-security-settings.png
+
+In the ``Authories`` tab, click on ``Import``.
+
+.. image:: /_static/img/global-configuration/https-ssl-03-firefox-authorities.png
+
+Select ``devilbox-ca.crt`` from within the Devilbox ``./ca`` directory:
+
+.. image:: /_static/img/global-configuration/https-ssl-04-import.png
+
+As the last step you are asked what permissions you want to grant the newly importat CA.
+To make sure it works everywhere, check all options and proceed with ``OK``.
+
+.. image:: /_static/img/global-configuration/https-ssl-05-firefox-set-trust.png
+
+Now you are all set and all generated SSL certificates will be valid from now on.
+
+.. image:: /_static/img/global-configuration/https-ssl-address-bar.png
+
+
+Further Reading
+===============
+
+.. seealso:: ``.env`` variable: :ref:`env_devilbox_ui_ssl_cn`

docs/configuration-global/memcached.rst

@@ -0,0 +1,3 @@
+*********
+Memcached
+*********

docs/configuration-global/mongodb.rst

@@ -0,0 +1,3 @@
+*******
+MongoDB
+*******

docs/configuration-global/mysql.rst

@@ -0,0 +1,3 @@
+*****
+MySQL
+*****

docs/configuration-global/php.rst

@@ -0,0 +1,5 @@
+***
+PHP
+***
+
+Environment variables

docs/configuration-global/redis.rst

@@ -0,0 +1,3 @@
+*****
+Redis
+*****