DEV-527: Refactor to more flexible UBI8 base image (#2)

- Switches to the Red Hat UBI8/httpd-24 base image. This image supports flexible configuration via conf.d/*.conf and conf.modules.d/*.conf files, which the "official" httpd24 image does not. It is supported by the standard RHEL UBI policy (i.e. tracks RHEL8).
- Bakes in the CAS configuration exactly as before.
- Adds our custom index styling.
- Adds TrustedProxy configuration so this image works behind NGINX, Traefik, etc.

Author: danschmidt5189

.github/workflows/build.yml

@@ -42,7 +42,7 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Run tests
-        run: ./test.sh
+        run: ./test/run_tests.sh
 
       - name: Log in to the Container registry
         uses: docker/login-action@v2

Dockerfile

@@ -1,10 +1,14 @@
-FROM httpd:2.4
+FROM registry.access.redhat.com/ubi8/httpd-24
 
-RUN apt -y update && \
-    apt -y upgrade && \
-    apt -y install libapache2-mod-auth-cas && \
-    install -d /var/cache/apache2/mod_auth_cas -o www-data -g www-data
+USER root
+RUN yum -y update && \
+    yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
+    yum -y install \
+        xemacs-nox \
+        mod_auth_cas \
+        vim && \
+    install -d -o apache /var/cache/httpd/mod_auth_cas
 
-COPY httpd.conf /usr/local/apache2/conf/httpd.conf
-
-VOLUME [ "/var/cache/apache2/mod_auth_cas" ]
+USER root
+COPY files/etc/httpd /etc/httpd
+COPY files/var/www /var/www

data/UCB/sample3.txt

@@ -9,6 +9,7 @@ services:
       - CAS_PROXY_VALIDATE_URL=https://auth.berkeley.edu/cas/proxyValidate
       - CAS_ROOT_PROXIED_AS=http://localhost
     ports:
-      - 80:80
+      - 80:8080
     volumes:
-      - ./data:/usr/local/apache2/htdocs:ro
+      - ./test/conf/cas-vhost.conf:/etc/httpd/conf.d/cas-vhost.conf:ro
+      - ./test/data:/var/www/html:ro

data/UCB/sample4.txt

@@ -0,0 +1,15 @@
+<IfModule auth_cas_module>
+    CASVersion 2
+    CASDebug Off
+    CASLoginURL ${CAS_LOGIN_URL}
+    CASValidateURL ${CAS_VALIDATE_URL}
+    CASProxyValidateURL ${CAS_PROXY_VALIDATE_URL}
+    CASTimeout 7200
+    CASIdleTimeout 3600
+    CASCacheCleanInterval 1800
+    CASCookiePath /var/cache/httpd/mod_auth_cas/
+    CASCookieEntropy 32
+
+    # You must set CAS_ROOT_PROXIED_AS in the environment
+    CASRootProxiedAs ${CAS_ROOT_PROXIED_AS}
+</IfModule>

data/public/sample1.txt

@@ -0,0 +1,117 @@
+#
+# Directives controlling the display of server-generated directory listings.
+#
+# Required modules: mod_authz_core, mod_authz_host,
+#                   mod_autoindex, mod_alias
+#
+# To see the listing of a directory, the Options directive for the
+# directory must include "Indexes", and the directory must not contain
+# a file matching those listed in the DirectoryIndex directive.
+#
+
+# IndexOptions: Controls the appearance of server-generated directory
+# listings.
+#
+# Charset=utf-8 handles rendering of filenames with Asian-language
+# characters; see: https://git.lib.berkeley.edu/ops/ansible/issues/304
+IndexOptions Charset=utf-8 FancyIndexing HTMLTable IconsAreLinks IgnoreCase NameWidth=* VersionSort
+
+# We include the /icons/ alias for FancyIndexed directory listings.  If
+# you do not use FancyIndexing, you may comment this out.
+Alias /icons/ "/usr/share/httpd/icons/"
+Alias /autoindex/ "/var/www/autoindex/"
+
+<Directory "/usr/share/httpd/icons">
+  Options Indexes MultiViews FollowSymlinks
+  AllowOverride None
+  Require all granted
+</Directory>
+
+# NOTE(dcschmidt): Custom styles/partials/images
+# @see https://git.lib.berkeley.edu/lap/digital-preservation-assets/issues/1
+Alias /favicon.ico "/var/www/autoindex/images/favicon.ico"
+<Directory /var/www/html>
+  Options Indexes MultiViews FollowSymlinks
+  AllowOverride None
+  Require all granted
+</Directory>
+
+#
+# AddIcon* directives tell the server which icon to show for different
+# files or filename extensions.  These are only displayed for
+# FancyIndexed directories.
+#
+AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+AddIconByType (TXT,/icons/text.gif) text/*
+AddIconByType (IMG,/icons/image2.gif) image/*
+AddIconByType (SND,/icons/sound2.gif) audio/*
+AddIconByType (VID,/icons/movie.gif) video/*
+
+AddIcon /icons/binary.gif .bin .exe
+AddIcon /icons/binhex.gif .hqx
+AddIcon /icons/tar.gif .tar
+AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
+AddIcon /icons/a.gif .ps .ai .eps
+AddIcon /icons/layout.gif .html .shtml .htm .pdf
+AddIcon /icons/text.gif .txt
+AddIcon /icons/c.gif .c
+AddIcon /icons/p.gif .pl .py
+AddIcon /icons/f.gif .for
+AddIcon /icons/dvi.gif .dvi
+AddIcon /icons/uuencoded.gif .uu
+AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+AddIcon /icons/tex.gif .tex
+AddIcon /icons/bomb.gif /core
+AddIcon /icons/bomb.gif */core.*
+
+AddIcon /icons/back.gif ..
+AddIcon /icons/hand.right.gif README
+AddIcon /icons/folder.gif ^^DIRECTORY^^
+AddIcon /icons/blank.gif ^^BLANKICON^^
+
+#
+# DefaultIcon is which icon to show for files which do not have an icon
+# explicitly set.
+#
+DefaultIcon /icons/unknown.gif
+
+#
+# AddDescription allows you to place a short description after a file in
+# server-generated indexes.  These are only displayed for FancyIndexed
+# directories.
+# Format: AddDescription "description" filename
+#
+#AddDescription "GZIP compressed document" .gz
+#AddDescription "tar archive" .tar
+#AddDescription "GZIP compressed tar archive" .tgz
+
+#
+# ReadmeName is the name of the README file the server will look for by
+# default, and append to directory listings.
+#
+# HeaderName is the name of a file which should be prepended to
+# directory indexes.
+ReadmeName README.html
+HeaderName HEADER.html
+
+#
+# IndexIgnore is a set of filenames which directory indexing should ignore
+# and not include in the listing.  Shell-style wildcarding is permitted.
+#
+# NOTE(dcschmidt): _SYNCAPP directories are created by the Allway Sync program.
+# Lynne uses this to copy files from workstations to the NetApp/NFS server.
+#
+IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t _SYNCAPP*
+
+# NOTE(dcschmidt): Implements custom styles. This depends on settings in
+# autoindex.conf that alias and allow the .html/ directory.
+#
+# @see http://digitalassets.lib.berkeley.edu/UCBonly/ldc/2004T04/ Test Case
+# @see https://git.lib.berkeley.edu/lap/digital-preservation-assets/issues/1
+IndexHeadInsert "<meta name=\"viewport\" content=\"width=device-width\">"
+IndexHeadInsert "<link rel=\"stylesheet\" href=\"https://use.typekit.net/rxa5jay.css\">"
+IndexStyleSheet /autoindex/css/style.css
+ReadmeName /autoindex/partials/footer.html
+HeaderName /autoindex/partials/header.html

data/public/sample2.txt

@@ -0,0 +1,15 @@
+<IfModule remoteip_module>
+    RemoteIPHeader X-Forwarded-For
+    # Docker bridge internal network ranges
+    RemoteIPTrustedProxy 172.17.0.0/16 172.18.0.0/16
+    # Traefik network ranges
+    RemoteIPTrustedProxy 10.0.0.0/8
+    # Standard IP ranges for Library servers in EWH
+    RemoteIPTrustedProxy 128.32.10.128/25 169.229.32.0/24 169.229.33.128/25
+    # Temporary Elastic IPs for NGINX in AWS.
+    # @see https://jira-secure.berkeley.edu/browse/LIT-1935
+    RemoteIPTrustedProxy 3.101.9.5 13.56.7.239 50.18.47.155
+    # SDSC NGINX ip
+    # @see https://ucblib.atlassian.net/browse/DEV-639
+    RemoteIPTrustedProxy 192.31.161.30
+</IfModule>