🔑 Add client cert auth

shallow-server/Dockerfile

@@ -41,6 +41,8 @@ ADD ssl/dhparam.pem /etc/ssl/certs/
 ADD ssl/default-ssl.conf /etc/apache2/conf-available/ssl-params.conf
 ADD ssl/nextcloud.crt /etc/ssl/certs/nextcloud.crt
 ADD ssl/nextcloud.key /etc/ssl/private/nextcloud.key
+ADD ssl/dev-test-key.crt /etc/ssl/certs/dev-test-key.crt
+ADD ssl/dev-test-key.key /etc/ssl/private/dev-test-key.key
 ADD ssl/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf
 ADD default-nextcloud.conf /etc/apache2/sites-enabled/default-nextcloud.conf
 ADD nextcloud.ini /etc/php/8.1/apache2/conf.d/nextcloud.ini

shallow-server/initnc.sh

@@ -6,7 +6,7 @@ export BRANCH=${BRANCH:=master}
 cd /var/www/html/
 
 # Run 'apt-get update' to unlock files. This seems neccessary on self hosted runners with fuse-overlayfs,
-# otherwise git checkout will error out with 'file exists' error. Needs to be run here, doesn't work when 
+# otherwise git checkout will error out with 'file exists' error. Needs to be run here, doesn't work when
 # done inside the Dockerfile
 apt-get update
 
@@ -40,7 +40,7 @@ else
 fi
 
 
-if test -z "$REDIS" 
+if test -z "$REDIS"
 then
 	  echo "\$REDIS not set, ignoring..."
 else

shallow-server/run.sh

@@ -3,6 +3,8 @@
 set -e
 cd /var/www/html/
 
+echo "Listen 8080" >> /etc/apache2/ports.conf
+
 . /etc/apache2/envvars
 
 # allow php and apache2 to create their run socket

shallow-server/ssl/default-ssl.conf

@@ -24,4 +24,37 @@
                                downgrade-1.0 force-response-1.0
 
         </VirtualHost>
+
+        <VirtualHost _default_:8080>
+                        ServerAdmin webmaster@localhost
+
+                        DocumentRoot /var/www/html
+
+                        ErrorLog ${APACHE_LOG_DIR}/error.log
+                        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+                        SSLEngine on
+
+                        SSLCertificateFile      /etc/ssl/certs/nextcloud.crt
+                        SSLCertificateKeyFile /etc/ssl/private/nextcloud.key
+
+                        # client cert
+                        ## This is for local development testing only!
+         				SSLCACertificateFile    /etc/ssl/certs/dev-test-key.crt
+         				SSLCertificateKeyFile /etc/ssl/private/dev-test-key.key
+         				SSLVerifyClient require
+         				SSLVerifyDepth 10
+
+                        <FilesMatch "\.(cgi|shtml|phtml|php)$">
+                                        SSLOptions +StdEnvVars
+                        </FilesMatch>
+                        <Directory /usr/lib/cgi-bin>
+                                        SSLOptions +StdEnvVars
+                        </Directory>
+
+                        BrowserMatch "MSIE [2-6]" \
+                                       nokeepalive ssl-unclean-shutdown \
+                                       downgrade-1.0 force-response-1.0
+
+                </VirtualHost>
 </IfModule>

shallow-server/ssl/dev-test-key.crt

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeYCAWUwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCQVUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDAeFw0yMzEyMTgxMzM2NDZaFw0yNDEyMTcxMzM2NDZaMEUxCzAJBgNVBAYTAkFV
+MRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRz
+IFB0eSBMdGQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD3jKLeOiSB
+aJAT97e6InHWGJPZpQLaVMF2QvV4Qo5bG6erlK9+AWsRjXUAddO/8K66PMNRI1Yg
+8lv/2bajzyC6bKJEi+C5FidAY0yfaKmDrEIVTtMPQoMriFUwxOAiupfsQsr8qo78
+tP9hgL44u6VgSirH29EoFpi+UD92Y2NYM+RSNMWFaBubidq2q6+3LeSmfbG3UF3x
+dfgRudSzWwU/sNdHn3a0avZ2LdubJnYDRsKtMzsRyfYttLHtKInpD+jHoQ8mX6st
+zrDTbVoPCiEQFsBKbB0ZZk5QC9MpB7RSFNy9x+gywHzu2PKhqdoI7KHKULMJRUXF
+K4rRJO7gA857AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIZb9ClWoDKH0kdSstSH
+hxSkrbrkpKOLUGnkZqEfi1mm4wLCreJjZl7ETg9PceqvYmqf+BC1VQsmPZ3Kd2vI
+8HtmJ3KpAUgz3gcl4GctKKQRNWMXaX1p9beuS6C9e0bE1+zXWs0+gvs4+0Im55XP
+wsbUWz90Ne/eZo7zM3uYBCIJSuWrXSZqXRuX4XCY57Y3NiL94ORaar7BJp2VrL1I
+lvYLXsH1TgRzuJGq+2kTIsXioyVsnIIy91WfZKgWIHG0ta9UKoJdm57QQWAG8sLY
+OOgANBJwDvtYvilmiFajpNVy7x9pGxq8kaUi4KNh5otu8bmCON7SErSXMj+xAuwd
+KLU=
+-----END CERTIFICATE-----

shallow-server/ssl/dev-test-key.csr

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPeMot46JIFokBP3t7oicdYYk9mlAtpUwXZC9XhC
+jlsbp6uUr34BaxGNdQB107/wrro8w1EjViDyW//ZtqPPILpsokSL4LkWJ0BjTJ9o
+qYOsQhVO0w9CgyuIVTDE4CK6l+xCyvyqjvy0/2GAvji7pWBKKsfb0SgWmL5QP3Zj
+Y1gz5FI0xYVoG5uJ2rarr7ct5KZ9sbdQXfF1+BG51LNbBT+w10efdrRq9nYt25sm
+dgNGwq0zOxHJ9i20se0oiekP6MehDyZfqy3OsNNtWg8KIRAWwEpsHRlmTlAL0ykH
+tFIU3L3H6DLAfO7Y8qGp2gjsocpQswlFRcUritEk7uADznsCAwEAAaAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQAEyqpbulAtsCRSvukliH1VRqwA759+ySXTl05PKHfK313m
+9JkoOGSfQX7j5aJwPyGfPhh3OjlzVX0PK6FaNrXloXSkcsgB5lVxCsk5Fw3bq1sj
+bZA/Vv7CMF5mFmkIdRl9xJ5m5j5z+w8GQosOMPr/avSBaVncA/cqhd3vx0ZmiE7p
+V/qI9w8xTu6CNkdtTrqTz5cveuIkqOwqUcdxtHqhSuoz0RGWAk6FJ6FRY8Ml3iAP
+ZC6vGbu/k5YHo4xPB7V8b8yRLh9/5FIVpBgfYSgyvwSedOV2DdrDHQmFtol+ym/d
+14gMprNeRH7o0/FaVUu/JxpQdPy8hP6YQR/o/ASC
+-----END CERTIFICATE REQUEST-----

shallow-server/ssl/dev-test-key.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD3jKLeOiSBaJAT
+97e6InHWGJPZpQLaVMF2QvV4Qo5bG6erlK9+AWsRjXUAddO/8K66PMNRI1Yg8lv/
+2bajzyC6bKJEi+C5FidAY0yfaKmDrEIVTtMPQoMriFUwxOAiupfsQsr8qo78tP9h
+gL44u6VgSirH29EoFpi+UD92Y2NYM+RSNMWFaBubidq2q6+3LeSmfbG3UF3xdfgR
+udSzWwU/sNdHn3a0avZ2LdubJnYDRsKtMzsRyfYttLHtKInpD+jHoQ8mX6stzrDT
+bVoPCiEQFsBKbB0ZZk5QC9MpB7RSFNy9x+gywHzu2PKhqdoI7KHKULMJRUXFK4rR
+JO7gA857AgMBAAECggEAGMG3AhF/gspMamrM3tprVwrTMnd8Wbhoi/q1+4ZwdS/G
+rMlXDvt2U+WOjMgRMAdnz1acqUR8QcRAgM2q+dE7nS6YaybasmKYSf9ZnjGZ46y6
+WSYubmlrnn1pGPz/dgms1Y3NKMf9Onb2zq9Q7ByRX+1a6kI+CyEjZRkNF7pofjKp
+VCy623TJIPEml3P2Anxst2ZwglwPcu52IDt3yqssQ0SfX25g04uU6Tem0MClvDLO
+iMYjFNPWT8Xek3HiwlvWHvQzrcJzdo+hc9XU4gxynCRtxcWTd2+2lJTIJW24vTcc
+VW3aNIdA95GMFZHrM/0c5s40ZBKo21fjw/TCPlQg6QKBgQD9oQirpfimfKk8AQdQ
+XLeqrm/NY4SmID901eHTOgNW7x1QT9LqfgsV449agQ85J12oo3JicfVOLrcloO8F
+Z9zPxoWOvn8qlbJXecDNVqaO3lK9uyc6mNhu1ljItEZTdpamF9LudEv0UkgVWI19
+8XeMA/gnPAT2t/nkbu+AzWhVcwKBgQD53Q2K5WflcHKvzo9LhsORkN3zS3k05DFS
+cPyOwi7Bkr2K9oG7oGxzELgWNRUDCBC0gDGC6RUu1+eaS3BAQJk88miZX2BkiUcS
+mj9Hn3MmQ5aPwCNRMfrQkBXsU6bEGkKoz12IFioApATj2yBuRVA+WpjeafsASeiB
+6jmCp0cg2QKBgGIqsAZv6PvXiFE3PLN4D4a6mX9vo2oBVU5NcmilLaG6TyhEnSgx
+vOyt9VBcX54JhJC/IojD/uRR5IVl8t2uw6KP/iWvydybsDl3YI6ZmUH2/yN8isR9
+YFgWEqssS4QGhGypD/VHghaAunG4ops6mMDS0HuvGWS89LXb0kuSNW3NAoGAc2no
+F4BfvVtznkGLbxeQvmxsGTWDhyrgnXQTNN39OuzNIKM8ya4QahYO8jMSwZO4I6gT
+NqTzY+/Wyy6NayBrp/tQ1Yd4vveqHK2jDTJZvhL6OOxHY/nyIORtO/xny61VnSQr
+z/Bs9l7M43MUR9s8dZDji9joV/nLrDbE2dTqxgECgYB8+QH+PiRXO2zwqDp5AOiP
+sfGY/+mNd33Hniuh7eZCEoBFopgvP/Hcz+Fo6oaOZapKP120x3rYsNQxgOUvr4Z+
+sKqsWqUqMy/yKwD8WIFp5BeNam4/duItoEDntx79LAwbTQB0nZxoyPAuU5A2x2dC
+TAWBlEw8g/ePIHm3cPiQMg==
+-----END PRIVATE KEY-----