feat(apache2-foreground,Dockerfile-linux.template): Add support for TLS/HTTPS in Apache2, based on base64 files in ENV

[LordRobinCbz]

Description

This PR introduces a script enhancement to allow setting SSL certificates and keys directly from base64 encoded environment variables. This change is aimed at maintaining stateless environments in Docker/Kubernetes and securing communications.

Changes

• Set default SSL directory: ${APACHE_SSL_DIR:-/etc/apache2/ssl}
• Create the SSL directory if it doesn't exist.
• Decode and save the certificate and key from base64 encoded environment variables (APACHE_CERT_BASE64 and APACHE_KEY_BASE64).
• Update the Apache configuration to use the decoded certificate and key.
• Enable the SSL site configuration by creating a symbolic link.
• Set appropriate permissions for the certificate, key, and configuration files.
• Enable the SSL module in Apache.

Benefits

• Allows setting SSL certificates without the need for volume mounts, maintaining stateless environments.
• Enhances security by enabling TLS for PHP and Apache applications.
• Eliminates the need for SSL reverse proxies, simplifying the stack.

Tests done

Here one screen, of a working Apache2 server with HTTLS ready for hosting PHP application:

This is a major improvement as it secures entire stacks and is particularly beneficial for applications using PHP and Apache.

EDIT: I dont know how to edit the README to add new vars:

APACHE_SSL_DIR => string, not mandatory
APACHE_CERT_BASE64 => string
APACHE_KEY_BASE64 => string

[SoeAung95]

https://localhost:8080/

[LordRobinCbz]

Hello @tianon , sorry to ping you but Ive seen that you are the main contributor here.

Can you have a look on this PR ? I really think that this feature would be great for global security of PHP and Apache based applications :)

[LaurentGoderre]

Usually certificates in Kubernetes are stored as secret and can easily be mounted to the desired location which removes the need for this.

[LordRobinCbz]

So you need a volume. Here with this proposal you just need the same secret, but without volume.

With this upgrade, multiples application (like PhpMyAdmin, Symfony, Nextcloud etc) that use this image as base will handle TLS without any modifications or customization with Dockerfile.

Its work with secret for K8S, but with simple infrastructure like vanilla Docker or Swarm, we need a reverse proxy for TLS.

Now we dont need it anymore.

[LordRobinCbz]

Hello, any further information about this pr ?

[williamdes]

Hello, any further information about this pr ?

You should probably rebase it first

[tianon]

Sorry for the delay; unfortunately, this is functionality that we are not interested in maintaining directly here -- given that it's at the very start of apache2-foreground, it should be relatively easy to drop this into a script that you add to your images or bind-mount in at runtime and invoke before apache2-foreground.