This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/attic.git


The following commit(s) were added to refs/heads/main by this push:
     new d86382a  Merge docker code from attic-docker repo
d86382a is described below

commit d86382a9c33e7f8803b1382edfa84b470ec600e4
Author: Sebb <[email protected]>
AuthorDate: Thu Oct 9 17:57:08 2025 +0100

    Merge docker code from attic-docker repo
---
 .dockerignore            |  6 +++++
 DOCKER.md                | 47 +++++++++++++++++++++++++++++++++
 Dockerfile               | 35 ++++++++++++++++++++++++
 README.md                |  3 ++-
 _config.yml              |  2 +-
 _docker/000-default.conf | 69 ++++++++++++++++++++++++++++++++++++++++++++++++
 _docker/wrapper.lua      | 18 +++++++++++++
 _docker/www/index.html   |  9 +++++++
 compose.yaml             | 18 +++++++++++++
 9 files changed, 205 insertions(+), 2 deletions(-)

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..fe080ff
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,6 @@
+# Ignore everything initially
+**
+
+# Allow what we want
+!_docker/**
+!scripts/attic_filter.lua
diff --git a/DOCKER.md b/DOCKER.md
new file mode 100644
index 0000000..c72734d
--- /dev/null
+++ b/DOCKER.md
@@ -0,0 +1,47 @@
+Docker build for testing Attic banner and CSP.
+
+Build:
+`docker compose build`
+
+Checkout the website to be tested in a spare directory, e.g.
+- `git clone [-b BRANCH --single-branch] https://github.com/apache/xyz-site 
/path/to/repo`
+or
+- `svn co https://svn-master.apache.org/repos/asf/xyz/site/trunk/ 
/path/to/repo`
+
+Check the location of the source on the following Infra page:
+https://infra-reports.apache.org/#sitesource
+
+Some sites are served from a subdir of the repository, e.g. 
/path/to/repo/content
+This is shown as /path/to/website in the following descriptions
+
+To enable/disable the Attic banner, create/delete the directory (not a file!):
+`mkdir /path/to/website/_ATTIC`
+
+Alternatively, define the variable VAR_ATTIC=yes
+
+If the banner does not display correctly (e.g. it may be partially hidden 
under the menu bar),
+you can try to see if any of the existing filter overrides work. Just use the 
relevant sitename
+in the docker command below instead of the target sitename.
+You can quickly check all the existing overrides using this method.
+
+To process download cgi pages, you will need access to
+the closer_cgi/files directory in the private infrastructure-p6 repository. 
+If not available, such pages will fail to load, but the site should otherwise 
work OK.
+
+Start:
+`[VAR_DYN=/path/to/closer_cgi/files] VAR_HTML=/path/to/website 
VAR_NAME=sitename [VAR_ATTIC=yes] docker compose up`
+
+browse to localhost:8000
+
+Start shell (container must be running):
+`docker compose exec attic_lua_csp /bin/bash`
+
+Restart httpd server
+`docker compose exec attic_lua_csp apachectl restart`
+
+Stop httpd server (and the container):
+`docker compose exec attic_lua_csp apachectl stop`
+
+To make changes to the CSP, edit the 
+file 
[_docker/000-default.conf#L9-L17](https://github.com/apache/attic-docker/blob/main/_docker/000-default.conf#L9-L17)
+Then rebuild the image (should be very quick) and restart.
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..2471283
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,35 @@
+FROM ubuntu:20.04
+
+ENV GEM_HOME="/srv/gems" \
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8
+
+RUN apt-get update && \
+    DEBIAN_FRONTEND='noninteractive' apt-get install -y \
+      apache2
+
+RUN DEBIAN_FRONTEND='noninteractive' apt-get install -y \
+  lua5.2 \
+  lua5.2-sec \
+  lua-socket \
+  lua-posix
+
+RUN a2enmod cgi && \
+    a2enmod lua && \
+    a2enmod headers && \
+    a2enmod rewrite
+
+RUN apt-get update && DEBIAN_FRONTEND='noninteractive' apt-get install -y \
+  vim
+    
+RUN echo "ServerName apache-lua.local" > 
/etc/apache2/conf-enabled/servername.conf
+
+COPY _docker/000-default.conf /etc/apache2/sites-enabled/000-default.conf
+COPY scripts/attic_filter.lua /etc/apache2/conf-enabled/attic_filter.lua
+COPY _docker/wrapper.lua /etc/apache2/conf-enabled/wrapper.lua
+
+EXPOSE 80
+
+WORKDIR /var/www
+
+CMD ["apache2ctl", "-DFOREGROUND"]
\ No newline at end of file
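Review bot: The base image on the `FROM ubuntu:20.04` line is a release whose standard support window had, as far as I know, already ended before this commit's date, so the apache2 and lua packages installed below may no longer receive security updates from the default archive. Consider moving to a release still in standard support, after confirming the same lua packages exist there, or add a comment saying 20.04 is kept deliberately to match the production hosts if that is the reason. Separately, the second `RUN` installs the lua packages without an `apt-get update` in the same layer, so it depends on whatever package index the earlier cached layer left behind. Folding the installs into one step, `RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends apache2 lua5.2 lua5.2-sec lua-socket lua-posix vim`, keeps the index and the install together.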
diff --git a/README.md b/README.md
index d42e91d..fc7e67a 100644
--- a/README.md
+++ b/README.md
@@ -85,4 +85,5 @@ To run retire.rb:
 
 ## Testing the Attic banner and CSP using Docker
 
-There is a Docker build for testing the Attic banner and CSP at 
https://github.com/apache/attic-docker
+There is a [Docker build](DOCKER.md) for testing the Attic banner and CSP
+
diff --git a/_config.yml b/_config.yml
index a04b1c4..e4cd9bd 100644
--- a/_config.yml
+++ b/_config.yml
@@ -5,7 +5,7 @@ description: >-
 url: https://attic.apache.org/
 
 include: [.htaccess]
-exclude: [README.md, retire.rb]
+exclude: [README.md, retire.rb, DOCKER.md, compose.yaml, Dockerfile]
 keep_files: [projects.json]
 timezone: UTC
 repo: https://github.com/apache/attic
diff --git a/_docker/000-default.conf b/_docker/000-default.conf
new file mode 100644
index 0000000..3f9c9eb
--- /dev/null
+++ b/_docker/000-default.conf
@@ -0,0 +1,69 @@
+<VirtualHost *:80>
+
+       ServerAdmin webmaster@localhost
+       # This is mapped at run-time
+       DocumentRoot /var/www/site.apache.org
+
+       # Always set CSP; ensure this agrees with TLP version
+
+       # Base foundation allowances: self, data/blob, inline, and our own 
known domains
+       SetEnv CSP_INFRA_BASE "'self' data: blob: 'unsafe-inline' 'unsafe-eval' 
https://www.apachecon.com/ https://www.communityovercode.org/ 
https://*.apache.org/ https://apache.org/";
+       
+       # Third party approved domains, separate with space
+       SetEnv CSP_THIRD_PARTY "https://*.scarf.sh/ "
+       
+       # CSP_PROJECT_DOMAINS can be set in .htaccess to expand CSP. MUST have 
commentary in the .htaccess file explaining why these domains are added and 
with whose permission.
+       SetEnv CSP_PROJECT_DOMAINS ""
+       Header set Content-Security-Policy "default-src %{CSP_INFRA_BASE}e 
%{CSP_THIRD_PARTY}e %{CSP_PROJECT_DOMAINS}e; script-src %{CSP_INFRA_BASE}e 
%{CSP_THIRD_PARTY}e %{CSP_PROJECT_DOMAINS}e; style-src %{CSP_INFRA_BASE}e 
%{CSP_THIRD_PARTY}e %{CSP_PROJECT_DOMAINS}e; frame-ancestors 'self'; frame-src 
%{CSP_INFRA_BASE}e %{CSP_THIRD_PARTY}e %{CSP_PROJECT_DOMAINS}e; worker-src 
'self' data: blob:;"
+
+
+       # Allow .htaccess Header set CSP
+       <Directory /var/www/site.apache.org/>
+               # from TLP node definition
+               AllowOverride All
+               Options Indexes FollowSymLinks MultiViews ExecCGI
+               # We don't want to generate an index with index.cgi, as that 
invokes closer.lua
+               DirectoryIndex disabled
+               DirectoryIndex index.html
+       </Directory>
+
+       LuaScope thread
+       LuaCodeCache stat
+
+       # CGI handling
+       RewriteEngine On
+       RewriteOptions InheritDown
+       # the f variable must not contain //; it appears that DOCUMENT_ROOT 
terminates with /
+       RewriteRule .*\.cgi 
/var/www/dyn/closer.lua?f=%{DOCUMENT_ROOT}%{REQUEST_FILENAME} [QSA,L]
+       RewriteRule ^/dyn/closer\.lua 
/var/www/dyn/closer.lua?f=%{DOCUMENT_ROOT}%{REQUEST_FILENAME} [QSA,L]
+       RewriteRule ^/dyn/closer_still\.lua 
/var/www/dyn/closer_still.lua?f=%{DOCUMENT_ROOT}%{REQUEST_FILENAME} [QSA,L]
+       # This is mapped at run-time
+       <Directory /var/www/dyn/>
+               Require all granted
+               <FilesMatch "closer\.lua">
+                       SetHandler lua-script
+               </FilesMatch>
+               <FilesMatch "closer_still\.lua">
+                       SetHandler lua-script
+               </FilesMatch>
+       </Directory>
+
+       # Filter website to add Attic header if marker directory is present
+       # LuaOutputFilter attic "/etc/apache2/conf-enabled/attic_filter.lua" 
output_filter
+       # Wrapper to allow override of hostname
+       LuaPackagePath /etc/apache2/conf-enabled/?.lua
+       LuaOutputFilter attic "/etc/apache2/conf-enabled/wrapper.lua" 
output_filter_wrapper
+       <If "-d '/var/www/site.apache.org/_ATTIC' || env('VAR_ATTIC') == 'yes'">
+               AddOutputFilter attic html lua
+       </If>
+
+       # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+       # error, crit, alert, emerg.
+       # It is also possible to configure the loglevel for particular
+       # modules, e.g.
+       #LogLevel info ssl:warn
+
+       ErrorLog /var/log/apache2/error.log
+       CustomLog /var/log/apache2/access.log combined
+
+</VirtualHost>
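Review bot: The CSP block (the three `SetEnv CSP_*` lines and the `Header set Content-Security-Policy` line) is a hand copy of the production policy, and the only guard against drift is the comment `ensure this agrees with TLP version`, which names neither the source nor when it was copied. Since the container exists to test sites against that policy, a stale copy gives misleading results: a site can pass here and break under the real header, or the reverse. I would extend the comment to something like `# Copied from <production vhost template> at <revision or date>; re-sync before trusting CSP test results`. DOCKER.md in this same commit still links to this file in the attic-docker repository with a `#L9-L17` line range, which will go stale in the same way.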
diff --git a/_docker/wrapper.lua b/_docker/wrapper.lua
new file mode 100644
index 0000000..5a9bf26
--- /dev/null
+++ b/_docker/wrapper.lua
@@ -0,0 +1,18 @@
+--[[
+    This wrapper modifies the hostname in the argument passed to the filter 
handler.
+]]
+require 'attic_filter'
+
+function output_filter_wrapper(r)
+    -- copy the variables needed by attic_filter, overriding hostname
+    -- it's not possible to update hostname in the userdata (r), so we provide 
a replacment which uses the same syntax
+    s = {}
+    -- Copy across the items need by the filter.
+    s['content_type'] = r.content_type
+    s['hostname'] = os.getenv('VAR_NAME') or 'localhost'
+    -- For local debugging, also add the following:
+    s['warn'] = function(self, txt)
+        r:warn(txt)
+    end
+    output_filter(s) -- call with updated settings
+end
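Review bot: `s = {}` in `output_filter_wrapper` assigns a global, and the vhost config in this commit sets `LuaScope thread`, so the table lives in a Lua state that is reused across requests on that thread rather than being scoped to one call. The table is rebuilt on every call, so nothing stale is read today, but `local s = {}` removes the shared name and keeps per-request data out of the long-lived state. The comments above it also carry two typos; I would write `-- Copy across the items needed by the filter.` and `replacement`. Whether `output_filter` in attic_filter reads any field of `r` other than `content_type`, `hostname` and `warn` is not visible here; if it does, the stand-in table will hand it nil.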
diff --git a/_docker/www/index.html b/_docker/www/index.html
new file mode 100644
index 0000000..edfc61d
--- /dev/null
+++ b/_docker/www/index.html
@@ -0,0 +1,9 @@
+<pre>
+This page shows that the basic Docker instance is working.
+Please define the following variables to use the target website:
+
+VAR_HTML - /path/to/website
+VAR_NAME - hostname (e.g. httpd for testing httpd.apache.org)
+
+See DOCKER.md for full details
+</pre>
\ No newline at end of file
diff --git a/compose.yaml b/compose.yaml
new file mode 100644
index 0000000..e00fed9
--- /dev/null
+++ b/compose.yaml
@@ -0,0 +1,18 @@
+services:
+  attic_lua_csp:
+    image: attic_lua_csp
+    build: .
+    ports: 
+      - "8000:80"
+    volumes:
+      # Pick up the closer.lua script etc.
+      # (e.g. set this to a checkout of 
infrastructure-p6/modules/closer_cgi/files)
+      - ${VAR_DYN:-.}:/var/www/dyn
+      # Needs to match xxx.apache.org or closer.lua reverts to default template
+      - ${VAR_HTML:-./_docker/www}:/var/www/site.apache.org
+      - ${VAR_LOG:-./_docker/log}:/var/log/apache2
+    environment:
+      # Pass in site name
+      - VAR_NAME=${VAR_NAME:-localhost}
+      # Act as though _ATTIC directory is present (if yes)
+      - VAR_ATTIC=${VAR_ATTIC:-no}
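Review bot: The `ports` entry `"8000:80"` publishes the container on every host interface, while DOCKER.md only asks the user to browse to localhost:8000. The vhost it exposes runs with `AllowOverride All` and `Options Indexes FollowSymLinks MultiViews ExecCGI` over whatever checkout is bind-mounted, so the test server and the local working tree behind it are reachable from the rest of the network. Binding to loopback, `- "127.0.0.1:8000:80"`, keeps it private to the machine. The `VAR_DYN` default of `.` also mounts the whole repository read-write at /var/www/dyn; adding `:ro` to the dyn and site mounts would suit a server that only needs to read them.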
