From f7fe09f91240c8d10c967173991b50211471c4c8 Mon Sep 17 00:00:00 2001 From: Dave Conroy Date: Tue, 16 Jul 2019 10:47:00 -0700 Subject: [PATCH] New environment Variables --- CHANGELOG.md | 11 ++++ README.md | 11 +++- install/etc/cont-init.d/10-loolwsd | 82 +++++++++++++++++--------- install/etc/s6/services/10-loolwsd/run | 5 ++ 4 files changed, 80 insertions(+), 29 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11f1f9f..4ea49ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,14 @@ +## 1.4 2019-07-16 + +* Added new Environment Variables + - `ENABLE_TLS` (Default: `TRUE`) + - `ENABLE_TLS_CERT_GENERATE` (Default: `TRUE`) + - `ENABLE_TLS_REVERSE_PROXY` (Default: `FALSE`) + - `TLS_CERT_PATH` (Default: `/etc/loolwsd/certs`) + - `TLS_CA_FILENAME` (Default: `ca-chain-cert.pem`) + - `TLS_CERT_FILENAME` (Default: `cert.pem`) + - `TLS_KEY_FILENAME` (Default: `key.pem`) + ## 1.3.3 2019-07-07 * Final Fixup for failing upgraded packages diff --git a/README.md b/README.md index 09f3d8a..8b2bb91 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,8 @@ This will build a container for [LibreOffice Online](https://libreoffice.org/) f * This Container uses a [customized Debian Linux base](https://hub.docker.com/r/tiredofit/debian) which includes [s6 overlay](https://github.com/just-containers/s6-overlay) enabled for PID 1 Init capabilities, [zabbix-agent](https://zabbix.org) for individual container monitoring, Cron also installed along with other tools (bash,curl, less, logrotate, nano, vim) for easier management. * Configurable Concurrent User and Document Limit (set to generarous values by default) +* Set features to support autogeneration of TLS certificates/activate reverse proxy support, others.. +* * Zabbix Monitoring of Active Documents, Users, Memory Consumed [Changelog](CHANGELOG.md) 
@@ -55,7 +57,7 @@ docker pull tiredofit/libreoffice-online The following image tags are available: * `latest` - See most recent versioned tag -* `1.3.3` - Collabora Libreoffice 6.0.30 with Collabora Office Online 4.0.4-1 +* `1.4` - Collabora Libreoffice 6.0.30 with Collabora Office Online 4.0.4-1 * `1.1` - Collabora Libreoffice 5.3.61 with Collabora Office Online 3.4.2.1 # Quick Start @@ -87,6 +89,13 @@ Along with the Environment Variables from the [Base image](https://hub.docker.co | `ALLOWED_HOSTS` | Set which domains which can access service - Example: `^(.*)\.example\.org` | | `DICTIONARIES` | Spell Check Languages - Available `en_GB en_US` - Default `en_GB en_US` | | `LOG_LEVEL` | Log Level - Available `none, fatal, critical, error, warning, notice, information, debug, trace` - Default `warning` | +| `ENABLE_TLS` | Enable TLS - Default: `TRUE` +| `ENABLE_TLS_CERT_GENERATE` | Enable Self Signed Certificate Generation (Default: `TRUE`) +| `ENABLE_TLS_REVERSE_PROXY` | If using a Reverse SSL terminating proxy in front of this container (Default: `FALSE`) +| `TLS_CERT_PATH` | TLS certificates path - Default: `/etc/loolwsd/certs` +| `TLS_CA_FILENAME` | TLS CA Cert filename with extension - Default: `ca-chain-cert.pem` | +| `TLS_CERT_FILENAME` | TLS Certificate filename with extension - Default: `cert.pem` | +|`TLS_KEY_FILENAME` | TLS Private Key filename with extension - Default: `key.pem` | | `EXTRA_OPTIONS` | If you want to pass additional arguments upon startup, add it here | ### Networking diff --git a/install/etc/cont-init.d/10-loolwsd b/install/etc/cont-init.d/10-loolwsd index 2040cfc..ca83280 100755 --- a/install/etc/cont-init.d/10-loolwsd +++ b/install/etc/cont-init.d/10-loolwsd 
@@ -6,6 +6,13 @@ if [ "$DEBUG_MODE" = "TRUE" ] || [ "$DEBUG_MODE" = "true" ]; then fi LOG_LEVEL=${LOG_LEVEL:-"information"} +ENABLE_TLS=${ENABLE_SSL:-"TRUE"} +ENABLE_TLS_CERT_GENERATE=${ENABLE_SSL_CERT_GENERATE:-"TRUE"} +ENABLE_TLS_REVERSE_PROXY=${ENABLE_SSL_REVERSE_PROXY:-"FALSE"} +TLS_CERT_PATH=${TLS_CERT_PATH:-"/etc/loolwsd/certs"} +TLS_CA_FILENAME=${TLS_CA_FILENAME:-"ca-chain.cert.pem"} +TLS_CERT_FILENAME=${TLS_CERT_FILENAME:-"cert.pem"} +TLS_KEY_FILENAME=${TLS_KEY_FILENAME:-"key.pem"} echo "** [libreoffice-online] Setting configuration" 
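Review bot: The defaults are assigned to `ENABLE_TLS`, `ENABLE_TLS_CERT_GENERATE` and `ENABLE_TLS_REVERSE_PROXY` but read from `ENABLE_SSL`, `ENABLE_SSL_CERT_GENERATE` and `ENABLE_SSL_REVERSE_PROXY`, and the conditions added later in this file (the certificate block and the loolwsd.xml block) test the `ENABLE_SSL*` names, which nothing sets — so with the documented defaults the certificate generation never runs and `<enable>` is forced to false. The three lines should read `ENABLE_TLS=${ENABLE_TLS:-"TRUE"}`, `ENABLE_TLS_CERT_GENERATE=${ENABLE_TLS_CERT_GENERATE:-"TRUE"}` and `ENABLE_TLS_REVERSE_PROXY=${ENABLE_TLS_REVERSE_PROXY:-"FALSE"}`, with the later tests switched to the same names. The `TLS_CA_FILENAME` default here is `ca-chain.cert.pem` while the README and CHANGELOG in this same commit document `ca-chain-cert.pem`; one of them has to change or a user who follows the docs in non-generate mode lands in the missing-certificate branch.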
@@ -17,35 +24,42 @@ rm /opt/lool/systemplate/etc/resolv.conf ln -s /etc/resolv.conf /opt/lool/systemplate/etc/resolv.conf ### Custom File Support - if [ -d /assets/custom ] ; then - echo "** [libreoffice-online] Custom Files Found, Copying over top of Master.." - cp -R /assets/custom/* /opt/lool/share/ - chown -R lool. /opt/lool/share/ - fi - -if test "${DONT_GEN_SSL_CERT-set}" == set; then - -# Generate new SSL certificate instead of using the default -mkdir -p /tmp/ssl/ -cd /tmp/ssl/ -mkdir -p certs/ca -openssl genrsa -out certs/ca/root.key.pem 2048 -openssl req -x509 -new -nodes -key certs/ca/root.key.pem -days 9131 -out certs/ca/root.crt.pem -subj "/C=XX/ST=XX/L=XX/O=Dummy -Authority/CN=Dummy Authority" -mkdir -p certs/{servers,tmp} -mkdir -p "certs/servers/localhost" -openssl genrsa -out "certs/servers/localhost/privkey.pem" 2048 -if test "${cert_domain-set}" == set; then - openssl req -key "certs/servers/localhost/privkey.pem" -new -sha256 -out "certs/tmp/localhost.csr.pem" -subj "/C=XX/ST=XX/L=XX/O=Dummy Authority/CN=localhost" -else - openssl req -key "certs/servers/localhost/privkey.pem" -new -sha256 -out "certs/tmp/localhost.csr.pem" -subj "/C=XX/ST=XX/L=XX/O=Dummy Authority/CN=${cert_domain}" +if [ -d /assets/custom ] ; then + echo "** [libreoffice-online] Custom Files Found, Copying over top of Master.." + cp -R /assets/custom/* /opt/lool/share/ + chown -R lool. 
/opt/lool/share/ fi -openssl x509 -req -in certs/tmp/localhost.csr.pem -CA certs/ca/root.crt.pem -CAkey certs/ca/root.key.pem -CAcreateserial -out certs/servers/localhost/cert.pem -days 9131 -mv certs/servers/localhost/privkey.pem /etc/loolwsd/key.pem -mv certs/servers/localhost/cert.pem /etc/loolwsd/cert.pem -mv certs/ca/root.crt.pem /etc/loolwsd/ca-chain.cert.pem -rm -rf /tmp/ssl -chown lool /etc/loolwsd/*.pem + +if [ "$ENABLE_SSL" = "TRUE" ]; + if [ "$ENABLE_SSL_CERT_GENERATE" = "TRUE" ] + mkdir -p $TLS_CERT_PATH + # Generate new SSL certificate instead of using the default + echo "** [libreoffice-online] Auto Generating Self Signed Certificates" + mkdir -p /tmp/ssl/ + cd /tmp/ssl/ + mkdir -p certs/ca + openssl genrsa -out certs/ca/root.key.pem 2048 + openssl req -x509 -new -nodes -key certs/ca/root.key.pem -days 9131 -out certs/ca/root.crt.pem -subj "/C=XX/ST=XX/L=XX/O=Dummy + Authority/CN=Dummy Authority" + mkdir -p certs/{servers,tmp} + mkdir -p "certs/servers/localhost" + openssl genrsa -out "certs/servers/localhost/privkey.pem" 2048 + if test "${cert_domain-set}" == set; then + openssl req -key "certs/servers/localhost/privkey.pem" -new -sha256 -out "certs/tmp/localhost.csr.pem" -subj "/C=XX/ST=XX/L=XX/O=Dummy Authority/CN=localhost" + else + openssl req -key "certs/servers/localhost/privkey.pem" -new -sha256 -out "certs/tmp/localhost.csr.pem" -subj "/C=XX/ST=XX/L=XX/O=Dummy Authority/CN=${cert_domain}" + fi + openssl x509 -req -in certs/tmp/localhost.csr.pem -CA certs/ca/root.crt.pem -CAkey certs/ca/root.key.pem -CAcreateserial -out certs/servers/localhost/cert.pem -days 9131 + mv certs/servers/localhost/privkey.pem ${TLS_CERT_PATH}/${TLS_KEY_FILENAME} + mv certs/servers/localhost/cert.pem ${TLS_CERT_PATH}/${TLS_KEY_FILENAME} + mv certs/ca/root.crt.pem ${TLS_CERT_PATH}/${TLS_CA_FILENAME} + rm -rf /tmp/ssl + chown -R lool ${TLS_CERT_PATH} + else + if [ ! -f "${TLS_CERT_PATH}/${TLS_KEY_FILENAME}" ] || [ ! -f "${TLS_CERT_PATH}/${TLS_CA_FILENAME}" ] || [ ! 
-f "${TLS_CERT_PATH}/${TLS_CERT_FILENAME}" ] || + echo ** [libreoffice-online] *** ERROR *** TLS Certificates missing. Please switch to autogenerate mode, or place your certifcates in the correct location. + fi + fi fi # Replace Configureation directives @@ -56,6 +70,18 @@ perl -pi -e "s/localhost<\/host>/${ALLOWED_HOSTS}<\/host>/g" /etc/loolwsd/loolws perl -pi -e "s/.*<\/username>/${ADMIN_USER}<\/username>/" /etc/loolwsd/loolwsd.xml perl -pi -e "s/.*<\/password>/${ADMIN_PASS}<\/password>/" /etc/loolwsd/loolwsd.xml perl -pi -e "s/.*<\/server_name>/${HOSTNAME}<\/server_name>/" /etc/loolwsd/loolwsd.xml +perl -pi -e "s/.*<\/cert_file_path>/${TLS_CERT_PATH}/${TLS_CERT_FILENAME}<\/cert_file_path>/" /etc/loolwsd/loolwsd.xml +perl -pi -e "s/.*<\/key_file_path>/${TLS_CERT_PATH}/${TLS_KEY_FILENAME}<\/key_file_path>/" /etc/loolwsd/loolwsd.xml +perl -pi -e "s/.*<\/ca_file_path>/${TLS_CERT_PATH}/${TLS_CA_FILENAME}<\/key_file_path>/" /etc/loolwsd/loolwsd.xml + +if [ "$ENABLE_SSL" != "TRUE" ]; + perl -pi -e "s/.*<\/enable>/false<\/enable>/" /etc/loolwsd/loolwsd.xml +fi + +if [ "$ENABLE_SSL_REVERSE_PROXY" != "FALSE" ]; + perl -pi -e "s/.*<\/termination>/true<\/termination>/" /etc/loolwsd/loolwsd.xml +fi + mkdir -p /tmp/state echo 'Initialization Complete' >/tmp/state/10-loolwsd-init diff --git a/install/etc/s6/services/10-loolwsd/run b/install/etc/s6/services/10-loolwsd/run index ce1c199..d92070e 100755 --- a/install/etc/s6/services/10-loolwsd/run +++ b/install/etc/s6/services/10-loolwsd/run 
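Review bot: `if [ "$ENABLE_SSL" = "TRUE" ];` and the nested `if [ "$ENABLE_SSL_CERT_GENERATE" = "TRUE" ]` have no `then`, and the `if [ ! -f ... ] || ... ||` in the else branch ends in a dangling `||` with no `then` either, so bash refuses to parse the init script and none of the configuration in this file runs; the two `if` lines in the next hunk have the same omission. In the generation branch `mv certs/servers/localhost/cert.pem ${TLS_CERT_PATH}/${TLS_KEY_FILENAME}` overwrites the private key moved there one line earlier and never writes `${TLS_CERT_FILENAME}`, so the generated key is lost and the certificate file loolwsd.xml is pointed at does not exist. The missing-certificate `echo` is unquoted, so `**` and `***` are glob patterns expanded against the current directory, and the script carries on afterwards, meaning the daemon is still launched without usable certificates; quote the message and exit non-zero. The `ENABLE_SSL*` names are the set-vs-read mismatch raised on the first hunk of this file; the fence below assumes the `ENABLE_TLS*` names.
```shell
if [ "${ENABLE_TLS}" = "TRUE" ]; then
  if [ "${ENABLE_TLS_CERT_GENERATE}" = "TRUE" ]; then
    mkdir -p "${TLS_CERT_PATH}"
    # … unchanged: self-signed CA and server certificate generation …
    mv certs/servers/localhost/privkey.pem "${TLS_CERT_PATH}/${TLS_KEY_FILENAME}"
    mv certs/servers/localhost/cert.pem "${TLS_CERT_PATH}/${TLS_CERT_FILENAME}"
    mv certs/ca/root.crt.pem "${TLS_CERT_PATH}/${TLS_CA_FILENAME}"
    rm -rf /tmp/ssl
    chown -R lool "${TLS_CERT_PATH}"
  else
    if [ ! -f "${TLS_CERT_PATH}/${TLS_KEY_FILENAME}" ] || [ ! -f "${TLS_CERT_PATH}/${TLS_CA_FILENAME}" ] || [ ! -f "${TLS_CERT_PATH}/${TLS_CERT_FILENAME}" ]; then
      echo "** [libreoffice-online] *** ERROR *** TLS Certificates missing. Please switch to autogenerate mode, or place your certificates in the correct location."
      exit 1
    fi
  fi
fi
```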
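Review bot: The three new `perl -pi -e "s/.*<\/cert_file_path>/${TLS_CERT_PATH}/${TLS_CERT_FILENAME}<\/cert_file_path>/"` substitutions use `/` as the s/// delimiter while the replacement contains unescaped slashes — those inside `${TLS_CERT_PATH}` (default `/etc/loolwsd/certs`) plus the literal `/` before the filename — so perl rejects the expression and the cert, key and CA paths in loolwsd.xml are never updated; use another delimiter such as `|`. The `ca_file_path` line additionally closes with `<\/key_file_path>` instead of `<\/ca_file_path>`. Both `if` lines lack `then` (see the previous hunk), and `[ "$ENABLE_SSL_REVERSE_PROXY" != "FALSE" ]` tests a name this commit never sets (the default is stored in `ENABLE_TLS_REVERSE_PROXY`), so once the syntax is repaired `<termination>` would be forced to `true` on every start; testing `"${ENABLE_TLS_REVERSE_PROXY}" = "TRUE"` is both correct and stricter. Whether `s/.*<\/enable>/false<\/enable>/` touches only the SSL `<enable>` element depends on how many `</enable>` tags loolwsd.xml contains, which is not visible here and worth confirming.
```shell
perl -pi -e "s|.*</cert_file_path>|${TLS_CERT_PATH}/${TLS_CERT_FILENAME}</cert_file_path>|" /etc/loolwsd/loolwsd.xml
perl -pi -e "s|.*</key_file_path>|${TLS_CERT_PATH}/${TLS_KEY_FILENAME}</key_file_path>|" /etc/loolwsd/loolwsd.xml
perl -pi -e "s|.*</ca_file_path>|${TLS_CERT_PATH}/${TLS_CA_FILENAME}</ca_file_path>|" /etc/loolwsd/loolwsd.xml

if [ "${ENABLE_TLS}" != "TRUE" ]; then
  perl -pi -e "s|.*</enable>|false</enable>|" /etc/loolwsd/loolwsd.xml
fi

if [ "${ENABLE_TLS_REVERSE_PROXY}" = "TRUE" ]; then
  perl -pi -e "s|.*</termination>|true</termination>|" /etc/loolwsd/loolwsd.xml
fi
# … unchanged: state file creation …
```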
@@ -9,6 +9,11 @@ if [ ! -f /tmp/state/10-loolwsd ]; then touch /tmp/state/10-loolwsd fi +### Set Debug Mode +if [ "$DEBUG_MODE" = "TRUE" ] || [ "$DEBUG_MODE" = "true" ]; then + set -x +fi + echo '**' echo '** [libreoffice-online] Starting Libreoffice Online Web Services daemon' exec s6-setuidgid lool /opt/lool/bin/loolwsd --version --o:sys_template_path=/opt/lool/systemplate --o:lo_template_path=/opt/libreoffice --o:child_root_path=/opt/lool/jails --o:file_server_root_path=/opt/lool/share/loolwsd storage.filesystem[@allow]=true --o:admin_console.username=${ADMIN_USER} --o:admin_console.password=${ADMIN_PASS} ${EXTRA_OPTIONS} >> /var/log/lool/loolwsd.log
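Review bot: The `set -x` added here is still in effect at the `exec` line below, which passes `--o:admin_console.password=${ADMIN_PASS}` on the command line, so enabling `DEBUG_MODE` writes the admin password in clear into the trace output on stderr (the `>>` redirect only captures stdout). Turn tracing back off before the exec with `set +x`, or better drop the argv copy of the password in favour of the value `10-loolwsd` already substitutes into the `<password>` element of loolwsd.xml — the argv copy is also visible to anyone who can list processes, independent of debug mode. The block itself mirrors the one at the top of `10-loolwsd`, so the behaviour is at least consistent between the two scripts.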