
Commit 6214417

committed
feat:(config.inc.php/docker-entrypoint.sh): Add support for mTLS to a remote server/cluster/service
1 parent f79c707 commit 6214417


7 files changed

+282
-1
lines changed


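--- a/README.md
+++ b/README.md
@@ -185,7 +185,14 @@ docker run --name phpmyadmin -d -e PMA_HOSTS='sslhost,nosslhost' -e PMA_SSLS='1,
 * ``PMA_SOCKET`` - define socket file for the MySQL connection
 * ``PMA_SOCKETS`` - define comma separated list of socket files for the MySQL connections
 * ``PMA_SSL`` - when set to 1, defines SSL usage for the MySQL connection
-* ``PMA_SSLS`` - comma separated list of `0` and `1` defining SSL usage for the corresponding MySQL connections
+* ``PMA_SSL_VERIFY`` - when set to 1, enables SSL certificate verification for the MySQL connection.
+* ``PMA_SSL_VERIFIES`` - comma-separated list of `0` and `1` to enable or disable SSL certificate verification for multiple MySQL connections.
+* ``PMA_SSL_CA_BASE64`` - in the context of mTLS security, allows setting your CA file as a base64 string inside the default `config.inc.php`.
+* ``PMA_SSL_CAS_BASE64`` - in the context of mTLS security, allows setting multiple CA files as a comma-separated list of base64 strings inside the default `config.inc.php`.
+* ``PMA_SSL_CERT_BASE64`` - in the context of mTLS security, allows setting your CERT file as a base64 string inside the default `config.inc.php`.
+* ``PMA_SSL_CERTS_BASE64`` - in the context of mTLS security, allows setting multiple CERT files as a comma-separated list of base64 strings inside the default `config.inc.php`.
+* ``PMA_SSL_KEY_BASE64`` - in the context of mTLS security, allows setting your KEY file as a base64 string inside the default `config.inc.php`.
+* ``PMA_SSL_KEYS_BASE64`` - in the context of mTLS security, allows setting multiple KEY files as a comma-separated list of base64 strings inside the default `config.inc.php`.
 * ``PMA_USER`` and ``PMA_PASSWORD`` - define username and password to use only with the `config` authentication method
 * ``PMA_ABSOLUTE_URI`` - the full URL to phpMyAdmin. Sometimes needed when used in a reverse-proxy configuration. Don't set this unless needed. See [documentation](https://docs.phpmyadmin.net/en/latest/config.html#cfg_PmaAbsoluteUri).
 * ``PMA_CONFIG_BASE64`` - if set, this option will override the default `config.inc.php` with the base64 decoded contents of the variable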

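--- a/apache/config.inc.php
+++ b/apache/config.inc.php
@@ -28,7 +28,15 @@
 'PMA_UPLOADDIR',
 'PMA_SAVEDIR',
 'PMA_SSL',
+'PMA_SSL_VERIFY',
+'PMA_SSL_CA',
+'PMA_SSL_KEY',
+'PMA_SSL_CERT',
 'PMA_SSLS',
+'PMA_SSL_VERIFIES',
+'PMA_SSL_CAS',
+'PMA_SSL_KEYS',
+'PMA_SSL_CERTS'
 ];
 
 foreach ($vars as $var) {
@@ -66,11 +74,19 @@
 $verbose = [$_ENV['PMA_VERBOSE']];
 $ports = [$_ENV['PMA_PORT']];
 $ssls = [$_ENV['PMA_SSL']];
+$ssl_verifies = [$_ENV['PMA_SSL_VERIFY']];
+$ssl_cas = [$_ENV['PMA_SSL_CA']];
+$ssl_keys = [$_ENV['PMA_SSL_KEY']];
+$ssl_certs = [$_ENV['PMA_SSL_CERT']];
 } elseif (! empty($_ENV['PMA_HOSTS'])) {
 $hosts = array_map('trim', explode(',', $_ENV['PMA_HOSTS']));
 $verbose = array_map('trim', explode(',', $_ENV['PMA_VERBOSES']));
 $ports = array_map('trim', explode(',', $_ENV['PMA_PORTS']));
 $ssls = array_map('trim', explode(',', $_ENV['PMA_SSLS']));
+$ssl_verifies = array_map('trim', explode(',', $_ENV['PMA_SSL_VERIFIES']));
+$ssl_cas = array_map('trim', explode(',', $_ENV['PMA_SSL_CAS']));
+$ssl_keys = array_map('trim', explode(',', $_ENV['PMA_SSL_KEYS']));
+$ssl_certs = array_map('trim', explode(',', $_ENV['PMA_SSL_CERTS']));
 }
 
 if (! empty($_ENV['PMA_SOCKET'])) {
@@ -84,6 +100,18 @@
 if (isset($ssls[$i - 1]) && $ssls[$i - 1] === '1') {
 $cfg['Servers'][$i]['ssl'] = $ssls[$i - 1];
 }
+if (isset($ssl_verifies[$i - 1]) && $ssl_verifies[$i - 1] === '1') {
+$cfg['Servers'][$i]['ssl_verify'] = $ssl_verifies[$i - 1];
+}
+if (isset($ssl_cas[$i - 1])) {
+$cfg['Servers'][$i]['ssl_ca'] = $ssl_cas[$i - 1];
+}
+if (isset($ssl_keys[$i - 1])) {
+$cfg['Servers'][$i]['ssl_key'] = $ssl_keys[$i - 1];
+}
+if (isset($ssl_certs[$i - 1])) {
+$cfg['Servers'][$i]['ssl_cert'] = $ssl_certs[$i - 1];
+}
 $cfg['Servers'][$i]['host'] = $hosts[$i - 1];
 if (isset($verbose[$i - 1])) {
 $cfg['Servers'][$i]['verbose'] = $verbose[$i - 1];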
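Review bot: The three `isset()` guards added for `ssl_ca`, `ssl_key` and `ssl_cert` also pass for an empty string, and in the `PMA_HOSTS` branch `explode(',', ...)` on an empty `PMA_SSL_CAS`, `PMA_SSL_KEYS` or `PMA_SSL_CERTS` returns `['']`, so the first server gets empty certificate paths written into `$cfg`. Whether an unset variable reaches this point as empty depends on the `$vars` loop, whose body is outside the hunk. A list that is shorter or longer than the host list is accepted silently as well, which makes it easy to pair a client key with the wrong server. Guarding on content, e.g. `if (! empty($ssl_keys[$i - 1])) {`, avoids the empty assignment. The enclosing loop starts outside the hunk, and fpm-alpine/config.inc.php and fpm/config.inc.php carry the same lines.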

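--- a/apache/docker-entrypoint.sh
+++ b/apache/docker-entrypoint.sh
@@ -29,6 +29,45 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then
 echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php
 fi
 
+if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then
+mkdir -p /etc/phpmyadmin/ssl
+echo "Adding the custom pma-ssl-ca from base64."
+echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem
+export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem"
+fi
+
+if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then
+mkdir -p /etc/phpmyadmin/ssl
+echo "Adding the custom pma-ssl-key from base64."
+echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key
+export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key"
+fi
+
+if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then
+mkdir -p /etc/phpmyadmin/ssl
+echo "Adding the custom pma-ssl-cert from base64."
+echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem
+export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem"
+fi
+
+if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then
+echo "Adding multiples custom pma-ssl-ca from base64."
+PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem")
+export "PMA_SSL_CAS"
+fi
+
+if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then
+echo "Adding multiples custom pma-ssl-key from base64."
+PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert")
+export "PMA_SSL_KEYS"
+fi
+
+if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then
+echo "Adding multiples custom pma-ssl-cert from base64."
+PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key")
+export "PMA_SSL_CERTS"
+fi
+
 # start: Apache specific settings
 if [ -n "${APACHE_PORT+x}" ]; then
 echo "Setting apache port to ${APACHE_PORT}."
@@ -50,6 +89,31 @@ get_docker_secret() {
 fi
 }
 
+# This function generates SSL files from a base64 encoded string.
+# Arguments:
+# 1. base64_string: A comma-separated string of base64 encoded SSL files.
+# 2. prefix: A prefix to be used in the output file names.
+# 3. extension: The file extension to be used for the output files.
+# The function creates a directory for the SSL files, decodes each base64 string,
+# writes the decoded content to a file, and returns a comma-separated list of the generated file paths.
+#
+generate_ssl_files() {
+local base64_string="${1}"
+local output_dir="/etc/phpmyadmin/ssl"
+mkdir -p "${output_dir}"
+IFS=',' read -ra FILES <<< "${base64_string}"
+local counter=1
+local ssl_files=""
+for file in "${FILES[@]}"; do
+local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}"
+echo "${file}" | base64 -d > "${output_file}"
+ssl_files="${ssl_files}${output_file},"
+counter=$((counter + 1))
+done
+ssl_files="${ssl_files%,}"
+echo "${ssl_files}"
+}
+
 get_docker_secret PMA_USER
 get_docker_secret PMA_PASSWORD
 get_docker_secret MYSQL_ROOT_PASSWORD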
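Review bot: `generate_ssl_files` is called at new lines 55–67 but only defined at new line 100, and a shell function must be defined before the line that calls it runs. Unless the first hunk sits inside a block that is invoked later (not visible here), the three multi-server branches fail with "command not found" and export empty `PMA_SSL_CAS`, `PMA_SSL_KEYS` and `PMA_SSL_CERTS`; the definition should move above the first call. The labels are also crossed: `PMA_SSL_KEYS_BASE64` is written with `"CERT" "cert"` and `PMA_SSL_CERTS_BASE64` with `"KEY" "key"`, so private keys land in files named as certificates. Swap them to `generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "KEY" "key"` and `generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "CERT" "pem"`. fpm-alpine/docker-entrypoint.sh has the same ordering and the same crossed labels.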

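--- a/fpm-alpine/config.inc.php
+++ b/fpm-alpine/config.inc.php
@@ -28,7 +28,15 @@
 'PMA_UPLOADDIR',
 'PMA_SAVEDIR',
 'PMA_SSL',
+'PMA_SSL_VERIFY',
+'PMA_SSL_CA',
+'PMA_SSL_KEY',
+'PMA_SSL_CERT',
 'PMA_SSLS',
+'PMA_SSL_VERIFIES',
+'PMA_SSL_CAS',
+'PMA_SSL_KEYS',
+'PMA_SSL_CERTS'
 ];
 
 foreach ($vars as $var) {
@@ -66,11 +74,19 @@
 $verbose = [$_ENV['PMA_VERBOSE']];
 $ports = [$_ENV['PMA_PORT']];
 $ssls = [$_ENV['PMA_SSL']];
+$ssl_verifies = [$_ENV['PMA_SSL_VERIFY']];
+$ssl_cas = [$_ENV['PMA_SSL_CA']];
+$ssl_keys = [$_ENV['PMA_SSL_KEY']];
+$ssl_certs = [$_ENV['PMA_SSL_CERT']];
 } elseif (! empty($_ENV['PMA_HOSTS'])) {
 $hosts = array_map('trim', explode(',', $_ENV['PMA_HOSTS']));
 $verbose = array_map('trim', explode(',', $_ENV['PMA_VERBOSES']));
 $ports = array_map('trim', explode(',', $_ENV['PMA_PORTS']));
 $ssls = array_map('trim', explode(',', $_ENV['PMA_SSLS']));
+$ssl_verifies = array_map('trim', explode(',', $_ENV['PMA_SSL_VERIFIES']));
+$ssl_cas = array_map('trim', explode(',', $_ENV['PMA_SSL_CAS']));
+$ssl_keys = array_map('trim', explode(',', $_ENV['PMA_SSL_KEYS']));
+$ssl_certs = array_map('trim', explode(',', $_ENV['PMA_SSL_CERTS']));
 }
 
 if (! empty($_ENV['PMA_SOCKET'])) {
@@ -84,6 +100,18 @@
 if (isset($ssls[$i - 1]) && $ssls[$i - 1] === '1') {
 $cfg['Servers'][$i]['ssl'] = $ssls[$i - 1];
 }
+if (isset($ssl_verifies[$i - 1]) && $ssl_verifies[$i - 1] === '1') {
+$cfg['Servers'][$i]['ssl_verify'] = $ssl_verifies[$i - 1];
+}
+if (isset($ssl_cas[$i - 1])) {
+$cfg['Servers'][$i]['ssl_ca'] = $ssl_cas[$i - 1];
+}
+if (isset($ssl_keys[$i - 1])) {
+$cfg['Servers'][$i]['ssl_key'] = $ssl_keys[$i - 1];
+}
+if (isset($ssl_certs[$i - 1])) {
+$cfg['Servers'][$i]['ssl_cert'] = $ssl_certs[$i - 1];
+}
 $cfg['Servers'][$i]['host'] = $hosts[$i - 1];
 if (isset($verbose[$i - 1])) {
 $cfg['Servers'][$i]['verbose'] = $verbose[$i - 1];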
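Review bot: `ssl_verify` is only written when the variable is exactly `'1'`, so a `0` in `PMA_SSL_VERIFY` or `PMA_SSL_VERIFIES` is dropped and the server keeps phpMyAdmin's built-in default, while the README text added by this commit says the list can "enable or disable" verification. If that default is already to verify (I believe it is; confirm against the phpMyAdmin configuration documentation), the new variables have no effect. Failing closed is the right outcome for a TLS setting, but the README should say so. The value stored is the string `'1'`; for a boolean setting `$cfg['Servers'][$i]['ssl_verify'] = true;` reads better, with a comment such as `// only '1' is honoured; any other value keeps phpMyAdmin's default`. The loop this sits in starts outside the hunk, and apache/config.inc.php and fpm/config.inc.php carry the same lines.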

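--- a/fpm-alpine/docker-entrypoint.sh
+++ b/fpm-alpine/docker-entrypoint.sh
@@ -29,6 +29,44 @@ if [ ! -z "${PMA_USER_CONFIG_BASE64}" ]; then
 echo "${PMA_USER_CONFIG_BASE64}" | base64 -d > /etc/phpmyadmin/config.user.inc.php
 fi
 
+if [ ! -z "${PMA_SSL_CA_BASE64}" ]; then
+mkdir -p /etc/phpmyadmin/ssl
+echo "Adding the custom pma-ssl-ca from base64."
+echo "${PMA_SSL_CA_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-ca.pem
+export "PMA_SSL_CA"="/etc/phpmyadmin/ssl/pma-ssl-ca.pem"
+fi
+
+if [ ! -z "${PMA_SSL_KEY_BASE64}" ]; then
+mkdir -p /etc/phpmyadmin/ssl
+echo "Adding the custom pma-ssl-key from base64."
+echo "${PMA_SSL_KEY_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key
+export "PMA_SSL_KEY"="/etc/phpmyadmin/ssl/pma-ssl-key.key"
+fi
+
+if [ ! -z "${PMA_SSL_CERT_BASE64}" ]; then
+mkdir -p /etc/phpmyadmin/ssl
+echo "Adding the custom pma-ssl-cert from base64."
+echo "${PMA_SSL_CERT_BASE64}" | base64 -d > /etc/phpmyadmin/ssl/pma-ssl-cert.pem
+export "PMA_SSL_CERT"="/etc/phpmyadmin/ssl/pma-ssl-cert.pem"
+fi
+
+if [ ! -z "${PMA_SSL_CAS_BASE64}" ]; then
+echo "Adding multiples custom pma-ssl-ca from base64."
+PMA_SSL_CAS=$(generate_ssl_files "${PMA_SSL_CAS_BASE64}" "CA" "pem")
+export "PMA_SSL_CAS"
+fi
+
+if [ ! -z "${PMA_SSL_KEYS_BASE64}" ]; then
+echo "Adding multiples custom pma-ssl-key from base64."
+PMA_SSL_KEYS=$(generate_ssl_files "${PMA_SSL_KEYS_BASE64}" "CERT" "cert")
+export "PMA_SSL_KEYS"
+fi
+
+if [ ! -z "${PMA_SSL_CERTS_BASE64}" ]; then
+echo "Adding multiples custom pma-ssl-cert from base64."
+PMA_SSL_CERTS=$(generate_ssl_files "${PMA_SSL_CERTS_BASE64}" "KEY" "key")
+export "PMA_SSL_CERTS"
+fi
 
 get_docker_secret() {
 local env_var="${1}"
@@ -42,6 +80,31 @@ get_docker_secret() {
 fi
 }
 
+# This function generates SSL files from a base64 encoded string.
+# Arguments:
+# 1. base64_string: A comma-separated string of base64 encoded SSL files.
+# 2. prefix: A prefix to be used in the output file names.
+# 3. extension: The file extension to be used for the output files.
+# The function creates a directory for the SSL files, decodes each base64 string,
+# writes the decoded content to a file, and returns a comma-separated list of the generated file paths.
+#
+generate_ssl_files() {
+local base64_string="${1}"
+local output_dir="/etc/phpmyadmin/ssl"
+mkdir -p "${output_dir}"
+IFS=',' read -ra FILES <<< "${base64_string}"
+local counter=1
+local ssl_files=""
+for file in "${FILES[@]}"; do
+local output_file="${output_dir}/pma-ssl-${2}-${counter}.${3}"
+echo "${file}" | base64 -d > "${output_file}"
+ssl_files="${ssl_files}${output_file},"
+counter=$((counter + 1))
+done
+ssl_files="${ssl_files%,}"
+echo "${ssl_files}"
+}
+
 get_docker_secret PMA_USER
 get_docker_secret PMA_PASSWORD
 get_docker_secret MYSQL_ROOT_PASSWORD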
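Review bot: The client private key is written by a plain redirect (`base64 -d > /etc/phpmyadmin/ssl/pma-ssl-key.key`, and the same pattern inside `generate_ssl_files`), so the file takes the process umask and is likely readable by every account in the container. Give the directory and key files a restrictive mode and hand them to the account PHP runs as, for example `chmod 0400 "${output_file}"` after a `chown` to that account; which account that is cannot be seen in this diff. The exit status of `base64 -d` is never checked either, so a truncated or malformed value leaves an empty or partial file whose path is still exported. Checking it, e.g. `base64 -d > "${output_file}" || return 1` with a message on stderr and a test of the result at the call site, would stop start-up instead of continuing with broken key material. The same applies to apache/docker-entrypoint.sh.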

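--- a/fpm/config.inc.php
+++ b/fpm/config.inc.php
@@ -28,7 +28,15 @@
 'PMA_UPLOADDIR',
 'PMA_SAVEDIR',
 'PMA_SSL',
+'PMA_SSL_VERIFY',
+'PMA_SSL_CA',
+'PMA_SSL_KEY',
+'PMA_SSL_CERT',
 'PMA_SSLS',
+'PMA_SSL_VERIFIES',
+'PMA_SSL_CAS',
+'PMA_SSL_KEYS',
+'PMA_SSL_CERTS'
 ];
 
 foreach ($vars as $var) {
@@ -66,11 +74,19 @@
 $verbose = [$_ENV['PMA_VERBOSE']];
 $ports = [$_ENV['PMA_PORT']];
 $ssls = [$_ENV['PMA_SSL']];
+$ssl_verifies = [$_ENV['PMA_SSL_VERIFY']];
+$ssl_cas = [$_ENV['PMA_SSL_CA']];
+$ssl_keys = [$_ENV['PMA_SSL_KEY']];
+$ssl_certs = [$_ENV['PMA_SSL_CERT']];
 } elseif (! empty($_ENV['PMA_HOSTS'])) {
 $hosts = array_map('trim', explode(',', $_ENV['PMA_HOSTS']));
 $verbose = array_map('trim', explode(',', $_ENV['PMA_VERBOSES']));
 $ports = array_map('trim', explode(',', $_ENV['PMA_PORTS']));
 $ssls = array_map('trim', explode(',', $_ENV['PMA_SSLS']));
+$ssl_verifies = array_map('trim', explode(',', $_ENV['PMA_SSL_VERIFIES']));
+$ssl_cas = array_map('trim', explode(',', $_ENV['PMA_SSL_CAS']));
+$ssl_keys = array_map('trim', explode(',', $_ENV['PMA_SSL_KEYS']));
+$ssl_certs = array_map('trim', explode(',', $_ENV['PMA_SSL_CERTS']));
 }
 
 if (! empty($_ENV['PMA_SOCKET'])) {
@@ -84,6 +100,18 @@
 if (isset($ssls[$i - 1]) && $ssls[$i - 1] === '1') {
 $cfg['Servers'][$i]['ssl'] = $ssls[$i - 1];
 }
+if (isset($ssl_verifies[$i - 1]) && $ssl_verifies[$i - 1] === '1') {
+$cfg['Servers'][$i]['ssl_verify'] = $ssl_verifies[$i - 1];
+}
+if (isset($ssl_cas[$i - 1])) {
+$cfg['Servers'][$i]['ssl_ca'] = $ssl_cas[$i - 1];
+}
+if (isset($ssl_keys[$i - 1])) {
+$cfg['Servers'][$i]['ssl_key'] = $ssl_keys[$i - 1];
+}
+if (isset($ssl_certs[$i - 1])) {
+$cfg['Servers'][$i]['ssl_cert'] = $ssl_certs[$i - 1];
+}
 $cfg['Servers'][$i]['host'] = $hosts[$i - 1];
 if (isset($verbose[$i - 1])) {
 $cfg['Servers'][$i]['verbose'] = $verbose[$i - 1];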
