diff --git a/.gitignore b/.gitignore
index c693c694..976dab41 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ __pycache__
 .pytest_cache
 .vscode
 .history
-.venv
\ No newline at end of file
+.venv
+testing/*.pem
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index f2376397..d0f21694 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -39,6 +39,7 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://secure.php.net/manual/en/opcache.installation.php
+ENV PMA_SSL_DIR /etc/phpmyadmin/ssl
 ENV MAX_EXECUTION_TIME 600
 ENV MEMORY_LIMIT 512M
 ENV UPLOAD_LIMIT 2048K
@@ -91,8 +92,11 @@ RUN set -ex; \
 gnupg \
 ; \
 mkdir $SESSION_SAVE_PATH; \
+ mkdir -p $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
+ chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
+ chown www-data:www-data $PMA_SSL_DIR; \
 \
 export GNUPGHOME="$(mktemp -d)"; \
 export GPGKEY="%%GPG_KEY%%"; \
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index 7c757e09..a6b50f90 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -50,6 +50,7 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://secure.php.net/manual/en/opcache.installation.php
+ENV PMA_SSL_DIR /etc/phpmyadmin/ssl
 ENV MAX_EXECUTION_TIME 600
 ENV MEMORY_LIMIT 512M
 ENV UPLOAD_LIMIT 2048K
@@ -107,8 +108,11 @@ RUN set -ex; \
 dirmngr \
 ; \
 mkdir $SESSION_SAVE_PATH; \
+ mkdir -p $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
+ chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
+ chown www-data:www-data $PMA_SSL_DIR; \
 \
 export GNUPGHOME="$(mktemp -d)"; \
 export GPGKEY="%%GPG_KEY%%"; \
diff --git a/README.md b/README.md
index 8fbece68..d60fd123 100644
--- a/README.md
+++ b/README.md
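Review bot: `chmod 755 $PMA_SSL_DIR` in the `@@ -91,8 +92,11 @@` hunk of Dockerfile-alpine.template leaves the directory that this same commit's README describes as the destination for PMA_SSL_KEY material readable and searchable by every account in the image, so the only protection for a private key written there is the mode of the key file itself, which nothing in this hunk controls. Because the directory is chowned to www-data, presumably the only account that needs to read it, a tighter mode costs nothing: `chmod 700 $PMA_SSL_DIR; \`. The same three added lines appear in Dockerfile-debian.template (the `@@ -107,8 +108,11 @@` hunk) and in apache/Dockerfile (the `@@ -108,8 +109,11 @@` hunk), so the change belongs in all three. Note also that the directory is created at build time with the default value only; if PMA_SSL_DIR is overridden at run time, as the README entry implies it can be, the entrypoint would have to create that path itself, which I cannot confirm from this diff.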
@@ -184,8 +184,17 @@ docker run --name phpmyadmin -d -e PMA_HOSTS='sslhost,nosslhost' -e PMA_SSLS='1,
 * ``PMA_PORTS`` - define comma separated list of ports of the MySQL servers
 * ``PMA_SOCKET`` - define socket file for the MySQL connection
 * ``PMA_SOCKETS`` - define comma separated list of socket files for the MySQL connections
+* ``PMA_SSL_DIR`` - define the path used for SSL files generated from environement variables, default value is `/etc/phpmyadmin/ssl`
 * ``PMA_SSL`` - when set to 1, defines SSL usage for the MySQL connection
 * ``PMA_SSLS`` - comma separated list of `0` and `1` defining SSL usage for the corresponding MySQL connections
+* ``PMA_SSL_VERIFY`` - when set to 1, enables SSL certificate verification for the MySQL connection.
+* ``PMA_SSL_VERIFIES`` - comma-separated list of `0` and `1` to enable or disable SSL certificate verification for multiple MySQL connections.
+* ``PMA_SSL_CA`` - in the context of mutual TLS security, allows setting your CA certificate file as a string inside the default `config.inc.php`.
+* ``PMA_SSL_CAS`` - in the context of mutual TLS security, allows setting multiple CA certificate files as a comma-separated list of strings inside the default `config.inc.php`.
+* ``PMA_SSL_CERT`` - in the context of mutual TLS security, allows setting your certificate file as a string inside the default `config.inc.php`.
+* ``PMA_SSL_CERTS`` - in the context of mutual TLS security, allows setting multiple certificate files as a comma-separated list of strings inside the default `config.inc.php`.
+* ``PMA_SSL_KEY`` - in the context of mutual TLS security, allows setting your private key file as a string inside the default `config.inc.php`.
+* ``PMA_SSL_KEYS`` - in the context of mutual TLS security, allows setting multiple private key files as a comma-separated list of strings inside the default `config.inc.php`.
 * ``PMA_USER`` and ``PMA_PASSWORD`` - define username and password to use only with the `config` authentication method
 * ``PMA_ABSOLUTE_URI`` - the full URL to phpMyAdmin. Sometimes needed when used in a reverse-proxy configuration. Don't set this unless needed. See [documentation](https://docs.phpmyadmin.net/en/latest/config.html#cfg_PmaAbsoluteUri).
 * ``PMA_CONFIG_BASE64`` - if set, this option will override the default `config.inc.php` with the base64 decoded contents of the variable
@@ -212,6 +221,19 @@ For usage with Docker secrets, appending ``_FILE`` to the ``PMA_PASSWORD`` envir
 docker run --name phpmyadmin -d -e PMA_PASSWORD_FILE=/run/secrets/db_password.txt -p 8080:80 phpmyadmin:latest
 ```
+#### Variables that can store the file contents using ``_BASE64``
+
+- `PMA_SSL_CA`
+- `PMA_SSL_CAS`
+- `PMA_SSL_KEY`
+- `PMA_SSL_KEYS`
+- `PMA_SSL_CERT`
+- `PMA_SSL_CERTS`
+
+Also includes: `PMA_CONFIG_BASE64` or `PMA_USER_CONFIG_BASE64`.
+
+For example, the variable would be named `PMA_SSL_CA_BASE64` and the value is the base64 encoded contents of the file.
+
 #### Variables that can be read from a file using ``_FILE``
 - `MYSQL_ROOT_PASSWORD`
diff --git a/apache/Dockerfile b/apache/Dockerfile
index 2984356b..5556aba7 100644
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -51,6 +51,7 @@ RUN set -ex; \
 # set recommended PHP.ini settings
 # see https://secure.php.net/manual/en/opcache.installation.php
+ENV PMA_SSL_DIR /etc/phpmyadmin/ssl
 ENV MAX_EXECUTION_TIME 600
 ENV MEMORY_LIMIT 512M
 ENV UPLOAD_LIMIT 2048K
@@ -108,8 +109,11 @@ RUN set -ex; \
 dirmngr \
 ; \
 mkdir $SESSION_SAVE_PATH; \
+ mkdir -p $PMA_SSL_DIR; \
 chmod 1777 $SESSION_SAVE_PATH; \
+ chmod 755 $PMA_SSL_DIR; \
 chown www-data:www-data $SESSION_SAVE_PATH; \
+ chown www-data:www-data $PMA_SSL_DIR; \
 \
 export GNUPGHOME="$(mktemp -d)"; \
 export GPGKEY="3D06A59ECE730EB71B511C17CE752F178259BD92"; \
diff --git a/apache/config.inc.php b/apache/config.inc.php
index 9f5d2ac7..6317a34e 100644
--- a/apache/config.inc.php
+++ b/apache/config.inc.php
@@ -1,6 +1,7 @@