DEV-527: Make all CAS variables configurable via the environment with default values set by init script (#3)

Author: danschmidt5189

Dockerfile

@@ -11,4 +11,5 @@ RUN yum -y update && \
 
 USER root
 COPY files/etc/httpd /etc/httpd
+COPY files/pre-init /usr/share/container-scripts/httpd/pre-init
 COPY files/var/www /var/www

README.md

@@ -1,10 +1,35 @@
 # Apache w/mod-auth-cas docker image
 
-A simple Debian-based Apache 2.4 image with mod-auth-cas installed. Customize the CAS configuration by setting environment variables:
+A Red Hat 8 Universal Base Image running Apache with a few helpful extras:
 
-- `CAS_LOGIN_URL`
-- `CAS_VALIDATE_URL`
-- `CAS_PROXY_VALIDATE_URL`
-- `CAS_ROOT_PROXIED_AS`
+1. mod_auth_cas, configurable at runtime by setting environment variables.
+2. A RemoteIP configuration suitable for running behind NGINX, Traefik, etc.
+3. Our branded auto-index pages.
 
-The environment variables are named after the corresponding CAS configuration directives. See the [mod-auth-cas documentation](https://github.com/apereo/mod_auth_cas).
+Listens on 8080/tcp.
+
+## CAS Configuration
+
+The CAS configuration works for localhost and auth.berkeley.edu out-of-the-box. You can override any of the options defined in [files/etc/httpd/conf.d/auth_cas.conf](files/etc/httpd/conf.d/auth_cas.conf) by setting environment variables of the form `CAS_OPTION_NAME`.
+
+**Example 1:** Using auth-test instead of auth.
+
+```
+CAS_DOMAIN=auth-test.berkeley.edu
+```
+
+**Example 2:** Setting a production return URL.
+
+```
+CAS_ROOT_PROXIED_AS=https://mysite.lib.berkeley.edu
+```
+
+The environment variables are named after the corresponding CAS configuration directives. See the [mod-auth-cas documentation](https://github.com/apereo/mod_auth_cas). The only exception is `CAS_DOMAIN`, which is a helper variable for setting all of the other CAS URLs to a specific domain.
+
+## Trusted Proxies
+
+See [files/etc/httpd/conf.d/trusted_proxies.conf](files/etc/httpd/conf.d/trusted_proxies.conf) for the list of trusted proxies. This must be updated if/when a new ingress point is added.
+
+## Branded Index Pages
+
+This image bakes in custom branding and styling for Apache-generated index pages. See [files/var/www/autoindex](files/var/www/autoindex) for details.

docker-compose.yml

@@ -3,11 +3,6 @@
 services:
   app:
     build: .
-    environment:
-      - CAS_LOGIN_URL=https://auth.berkeley.edu/cas/
-      - CAS_VALIDATE_URL=https://auth.berkeley.edu/cas/serviceValidate
-      - CAS_PROXY_VALIDATE_URL=https://auth.berkeley.edu/cas/proxyValidate
-      - CAS_ROOT_PROXIED_AS=http://localhost
     ports:
       - 80:8080
     volumes:

files/etc/httpd/conf.d/auth_cas.conf

@@ -1,15 +1,13 @@
 <IfModule auth_cas_module>
-    CASVersion 2
-    CASDebug Off
+    CASVersion ${CAS_VERSION}
+    CASDebug ${CAS_DEBUG}
     CASLoginURL ${CAS_LOGIN_URL}
     CASValidateURL ${CAS_VALIDATE_URL}
     CASProxyValidateURL ${CAS_PROXY_VALIDATE_URL}
-    CASTimeout 7200
-    CASIdleTimeout 3600
-    CASCacheCleanInterval 1800
-    CASCookiePath /var/cache/httpd/mod_auth_cas/
-    CASCookieEntropy 32
-
-    # You must set CAS_ROOT_PROXIED_AS in the environment
+    CASTimeout ${CAS_TIMEOUT}
+    CASIdleTimeout ${CAS_IDLE_TIMEOUT}
+    CASCacheCleanInterval ${CAS_CACHE_CLEAN_INTERVAL}
+    CASCookieEntropy ${CAS_COOKIE_ENTROPY}
     CASRootProxiedAs ${CAS_ROOT_PROXIED_AS}
+    CASCookiePath ${CAS_COOKIE_PATH}
 </IfModule>

files/pre-init/50-cas-variables.sh

@@ -0,0 +1,17 @@
+# For option definitions:
+# @see https://github.com/apereo/mod_auth_cas
+
+# Special helper variable that allows setting all the CAS URLs at once.
+export CAS_DOMAIN=${CAS_DOMAIN:-auth.berkeley.edu}
+
+export CAS_CACHE_CLEAN_INTERVAL="${CAS_CACHE_CLEAN_INTERVAL:-1800}"
+export CAS_COOKIE_ENTROPY="${CAS_COOKIE_ENTROPY:-32}"
+export CAS_COOKIE_PATH="${CAS_COOKIE_PATH:-/var/cache/httpd/mod_auth_cas/}"
+export CAS_DEBUG="${CAS_DEBUG:-off}"
+export CAS_IDLE_TIMEOUT="${CAS_IDLE_TIMEOUT:-3600}"
+export CAS_LOGIN_URL="${CAS_LOGIN_URL:-https://$CAS_DOMAIN/cas/}"
+export CAS_PROXY_VALIDATE_URL="${CAS_PROXY_VALIDATE_URL:-https://$CAS_DOMAIN/cas/proxyValidate}"
+export CAS_ROOT_PROXIED_AS="${CAS_ROOT_PROXIED_AS:-http://localhost}"
+export CAS_TIMEOUT="${CAS_TIMEOUT:-7200}"
+export CAS_VALIDATE_URL="${CAS_VALIDATE_URL:-https://$CAS_DOMAIN/cas/serviceValidate}"
+export CAS_VERSION="${CAS_VERSION:-2}"