Merge pull request #2 from AtomGraph/feat-RemoteIpValve

Support for adding `RemoteIpValve`

Author: namedgraph

CLAUDE.md

@@ -0,0 +1,94 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+This repository provides a Docker image that combines Apache Tomcat with Let's Encrypt HTTPS certificates. It automates the conversion of Let's Encrypt PEM certificates to Java keystores (JKS) and dynamically configures Tomcat's `server.xml` using XSLT transformations.
+
+## Architecture
+
+### Certificate Conversion Flow
+
+The entrypoint script (`entrypoint.sh`) performs certificate conversion on container startup:
+
+1. Validates required environment variables (`LETSENCRYPT_CERT_DIR`, `PKCS12_PASSWORD`, `JKS_KEY_PASSWORD`, `JKS_STORE_PASSWORD`)
+2. Converts Let's Encrypt PEM certificates to PKCS12 format using OpenSSL
+3. Imports PKCS12 into Java Keystore (JKS) format using keytool
+4. Transforms Tomcat's `server.xml` configuration using XSLT
+5. Starts Tomcat with `catalina.sh run`
+
+### Dynamic Configuration via XSLT
+
+The `letsencrypt-tomcat.xsl` stylesheet dynamically modifies Tomcat's `server.xml` based on environment variables:
+
+- **HTTP Connector**: Conditionally enabled/disabled, with proxy settings and compression
+- **HTTPS Connector**: Adds SSL/TLS configuration with keystore settings when enabled
+- **RemoteIpValve**: Optional configuration for X-Forwarded headers when behind a proxy
+
+The XSLT transformation is executed by `xsltproc` with environment variables passed as string parameters.
+
+## Building and Testing
+
+### Build Docker Image
+
+```bash
+docker build -t atomgraph/letsencrypt-tomcat .
+```
+
+### Run Container
+
+```bash
+docker run \
+  -v /etc/letsencrypt:/etc/letsencrypt \
+  -e LETSENCRYPT_CERT_DIR=/etc/letsencrypt \
+  -e PKCS12_PASSWORD=<password> \
+  -e JKS_KEY_PASSWORD=<password> \
+  -e JKS_STORE_PASSWORD=<password> \
+  atomgraph/letsencrypt-tomcat
+```
+
+### Test XSLT Transformation
+
+To test XSLT changes without building the full image:
+
+```bash
+xsltproc \
+  --stringparam http true \
+  --stringparam http.port 8080 \
+  --stringparam https true \
+  --stringparam https.port 8443 \
+  --stringparam https.keystoreFile letsencrypt.jks \
+  --stringparam https.keystorePass <password> \
+  --stringparam https.keyAlias letsencrypt \
+  --stringparam https.keyPass <password> \
+  letsencrypt-tomcat.xsl /path/to/server.xml
+```
+
+## CI/CD
+
+GitHub Actions workflow (`.github/workflows/image.yml`) triggers on git tags:
+
+- Builds multi-platform images (linux/amd64, linux/arm64)
+- Pushes to Docker Hub with tags: `latest`, `MAJOR.MINOR.PATCH`, `MAJOR.MINOR`, `MAJOR`
+- Uses QEMU for cross-platform builds
+
+## Key Files
+
+- **Dockerfile**: Base image from `tomcat:10.1.34-jdk17`, installs xsltproc
+- **entrypoint.sh**: Certificate conversion and Tomcat configuration script
+- **letsencrypt-tomcat.xsl**: XSLT stylesheet for server.xml transformation
+
+## Environment Variables
+
+All configuration is done through environment variables. See README.md for the full list of supported variables for HTTP/HTTPS connectors.
+
+Required variables:
+- `LETSENCRYPT_CERT_DIR`: Path to Let's Encrypt certificates
+- `PKCS12_PASSWORD`: Password for PKCS12 keystore
+- `JKS_KEY_PASSWORD`: Password for JKS key
+- `JKS_STORE_PASSWORD`: Password for JKS store
+
+## XSLT Parameter Naming Convention
+
+Parameters in the XSLT stylesheet use dot notation (e.g., `Connector.port.http`, `Connector.keystoreFile.https`), while the entrypoint script converts environment variables with underscores (e.g., `HTTP_PORT`, `HTTPS_PORT`) to the corresponding XSLT parameter names with dots and prefixes.

README.md

@@ -15,13 +15,15 @@ Docker image combining Tomcat and LetsEncrypt HTTPS certificates
 
 Supported environment variables:
 * `HTTP` - enable HTTP connector? (default: `true`)
+* `HTTP_SCHEME`
 * `HTTP_PORT`
 * `HTTP_PROXY_NAME`
 * `HTTP_PROXY_PORT`
 * `HTTP_REDIRECT_PORT`
 * `HTTP_CONNECTION_TIMEOUT`
 * `HTTP_COMPRESSION`
-* `HTTP` - enable HTTPS connector? (default: `false`)
+* `HTTPS` - enable HTTPS connector? (default: `false`)
+* `HTTPS_SCHEME`
 * `HTTPS_PORT`
 * `HTTPS_MAX_THREADS`
 * `HTTPS_CLIENT_AUTH`
@@ -33,6 +35,11 @@ Supported environment variables:
 * `KEY_ALIAS`
 * `JKS_STORE_PASSWORD`
 * `P12_FILE`
+* `REMOTE_IP_VALVE` - enable `RemoteIpValve`? (default: `false`)
+* `REMOTE_IP_VALVE_PROTOCOL_HEADER` - protocol header name (default: `X-Forwarded-Proto`)
+* `REMOTE_IP_VALVE_PORT_HEADER` - port header name (default: `X-Forwarded-Port`)
+* `REMOTE_IP_VALVE_REMOTE_IP_HEADER` - remote IP header name (default: `X-Forwarded-For`)
+* `REMOTE_IP_VALVE_HOST_HEADER` - host header name (default: `X-Forwarded-Host`)
 
 ## More info
 

entrypoint.sh

@@ -53,82 +53,102 @@ keytool -importkeystore \
 # change server configuration
 
 if [ -n "$HTTP" ] ; then
-    HTTP_PARAM="--stringparam http $HTTP "
+    HTTP_PARAM="--stringparam Connector.http $HTTP "
 fi
 
 if [ -n "$HTTP_SCHEME" ] ; then
-    HTTP_SCHEME_PARAM="--stringparam http.scheme $HTTP_SCHEME "
+    HTTP_SCHEME_PARAM="--stringparam Connector.scheme.http $HTTP_SCHEME "
 fi
 
 if [ -n "$HTTP_PORT" ] ; then
-    HTTP_PORT_PARAM="--stringparam http.port $HTTP_PORT "
+    HTTP_PORT_PARAM="--stringparam Connector.port.http $HTTP_PORT "
 fi
 
 if [ -n "$HTTP_PROXY_NAME" ] ; then
-    HTTP_PROXY_NAME_PARAM="--stringparam http.proxyName $HTTP_PROXY_NAME "
+    HTTP_PROXY_NAME_PARAM="--stringparam Connector.proxyName.http $HTTP_PROXY_NAME "
 fi
 
 if [ -n "$HTTP_PROXY_PORT" ] ; then
-    HTTP_PROXY_PORT_PARAM="--stringparam http.proxyPort $HTTP_PROXY_PORT "
+    HTTP_PROXY_PORT_PARAM="--stringparam Connector.proxyPort.http $HTTP_PROXY_PORT "
 fi
 
 if [ -n "$HTTP_REDIRECT_PORT" ] ; then
-    HTTP_REDIRECT_PORT_PARAM="--stringparam http.redirectPort $HTTP_REDIRECT_PORT "
+    HTTP_REDIRECT_PORT_PARAM="--stringparam Connector.redirectPort.http $HTTP_REDIRECT_PORT "
 fi
 
 if [ -n "$HTTP_CONNECTION_TIMEOUT" ] ; then
-    HTTP_CONNECTION_TIMEOUT_PARAM="--stringparam http.connectionTimeout $HTTP_CONNECTION_TIMEOUT "
+    HTTP_CONNECTION_TIMEOUT_PARAM="--stringparam Connector.connectionTimeout.http $HTTP_CONNECTION_TIMEOUT "
 fi
 
 if [ -n "$HTTP_COMPRESSION" ] ; then
-    HTTP_COMPRESSION_PARAM="--stringparam http.compression $HTTP_COMPRESSION "
+    HTTP_COMPRESSION_PARAM="--stringparam Connector.compression.http $HTTP_COMPRESSION "
 fi
 
 if [ -n "$HTTPS" ] ; then
-    HTTPS_PARAM="--stringparam https $HTTPS "
+    HTTPS_PARAM="--stringparam Connector.https $HTTPS "
 fi
 
 if [ -n "$HTTPS_SCHEME" ] ; then
-    HTTPS_SCHEME_PARAM="--stringparam https.scheme $HTTPS_SCHEME "
+    HTTPS_SCHEME_PARAM="--stringparam Connector.scheme.https $HTTPS_SCHEME "
 fi
 
 if [ -n "$HTTPS_PORT" ] ; then
-    HTTPS_PORT_PARAM="--stringparam https.port $HTTPS_PORT "
+    HTTPS_PORT_PARAM="--stringparam Connector.port.https $HTTPS_PORT "
 fi
 
 if [ -n "$HTTPS_MAX_THREADS" ] ; then
-    HTTPS_MAX_THREADS_PARAM="--stringparam https.maxThreads $HTTPS_MAX_THREADS "
+    HTTPS_MAX_THREADS_PARAM="--stringparam Connector.maxThreads.https $HTTPS_MAX_THREADS "
 fi
 
 if [ -n "$HTTPS_CLIENT_AUTH" ] ; then
-    HTTPS_CLIENT_AUTH_PARAM="--stringparam https.clientAuth $HTTPS_CLIENT_AUTH "
+    HTTPS_CLIENT_AUTH_PARAM="--stringparam Connector.clientAuth.https $HTTPS_CLIENT_AUTH "
 fi
 
 if [ -n "$HTTPS_PROXY_NAME" ] ; then
-    HTTPS_PROXY_NAME_PARAM="--stringparam https.proxyName $HTTPS_PROXY_NAME "
+    HTTPS_PROXY_NAME_PARAM="--stringparam Connector.proxyName.https $HTTPS_PROXY_NAME "
 fi
 
 if [ -n "$HTTPS_PROXY_PORT" ] ; then
-    HTTPS_PROXY_PORT_PARAM="--stringparam https.proxyPort $HTTPS_PROXY_PORT "
+    HTTPS_PROXY_PORT_PARAM="--stringparam Connector.proxyPort.https $HTTPS_PROXY_PORT "
 fi
 
 if [ -n "$HTTPS_COMPRESSION" ] ; then
-    HTTPS_COMPRESSION_PARAM="--stringparam https.compression $HTTPS_COMPRESSION "
+    HTTPS_COMPRESSION_PARAM="--stringparam Connector.compression.https $HTTPS_COMPRESSION "
 fi
 
 if [ -n "$JKS_FILE" ] ; then
-    JKS_FILE_PARAM="--stringparam https.keystoreFile $JKS_FILE "
+    JKS_FILE_PARAM="--stringparam Connector.keystoreFile.https $JKS_FILE "
 fi
 if [ -n "$JKS_KEY_PASSWORD" ] ; then
-    JKS_KEY_PASSWORD_PARAM="--stringparam https.keystorePass $JKS_KEY_PASSWORD "
+    JKS_KEY_PASSWORD_PARAM="--stringparam Connector.keystorePass.https $JKS_KEY_PASSWORD "
 fi
 
 if [ -n "$KEY_ALIAS" ] ; then
-    KEY_ALIAS_PARAM="--stringparam https.keyAlias $KEY_ALIAS "
+    KEY_ALIAS_PARAM="--stringparam Connector.keyAlias.https $KEY_ALIAS "
 fi
 
 if [ -n "$JKS_STORE_PASSWORD" ] ; then
-    JKS_STORE_PASSWORD_PARAM="--stringparam https.keyPass $JKS_STORE_PASSWORD "
+    JKS_STORE_PASSWORD_PARAM="--stringparam Connector.keyPass.https $JKS_STORE_PASSWORD "
+fi
+
+if [ -n "$REMOTE_IP_VALVE" ] ; then
+    REMOTE_IP_VALVE_PARAM="--stringparam RemoteIpValve $REMOTE_IP_VALVE "
+fi
+
+if [ -n "$REMOTE_IP_VALVE_PROTOCOL_HEADER" ] ; then
+    REMOTE_IP_VALVE_PROTOCOL_HEADER_PARAM="--stringparam RemoteIpValve.protocolHeader $REMOTE_IP_VALVE_PROTOCOL_HEADER "
+fi
+
+if [ -n "$REMOTE_IP_VALVE_PORT_HEADER" ] ; then
+    REMOTE_IP_VALVE_PORT_HEADER_PARAM="--stringparam RemoteIpValve.portHeader $REMOTE_IP_VALVE_PORT_HEADER "
+fi
+
+if [ -n "$REMOTE_IP_VALVE_REMOTE_IP_HEADER" ] ; then
+    REMOTE_IP_VALVE_REMOTE_IP_HEADER_PARAM="--stringparam RemoteIpValve.remoteIpHeader $REMOTE_IP_VALVE_REMOTE_IP_HEADER "
+fi
+
+if [ -n "$REMOTE_IP_VALVE_HOST_HEADER" ] ; then
+    REMOTE_IP_VALVE_HOST_HEADER_PARAM="--stringparam RemoteIpValve.hostHeader $REMOTE_IP_VALVE_HOST_HEADER "
 fi
 
 transform="xsltproc \
@@ -153,6 +173,11 @@ transform="xsltproc \
   $JKS_KEY_PASSWORD_PARAM \
   $KEY_ALIAS_PARAM \
   $JKS_STORE_PASSWORD_PARAM \
+  $REMOTE_IP_VALVE_PARAM \
+  $REMOTE_IP_VALVE_PROTOCOL_HEADER_PARAM \
+  $REMOTE_IP_VALVE_PORT_HEADER_PARAM \
+  $REMOTE_IP_VALVE_REMOTE_IP_HEADER_PARAM \
+  $REMOTE_IP_VALVE_HOST_HEADER_PARAM \
   conf/letsencrypt-tomcat.xsl \
   conf/server.xml"