some lighttpd fixes

Dockerfile

@@ -7,12 +7,13 @@ LABEL maintainer="Nanda Bhikkhu <[email protected]>"
 
 # Testing: pamtester
 RUN echo "http:https://dl-cdn.alpinelinux.org/alpine/edge/testing/" >> /etc/apk/repositories && \
- apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester libqrencode lighttpd && \
+ apk add --update openvpn iptables bash easy-rsa openvpn-auth-pam google-authenticator pamtester libqrencode lighttpd lighttpd-mod_auth && \
  ln -s /usr/share/easy-rsa/easyrsa /usr/local/bin && \
  rm -rf /tmp/* /var/tmp/* /var/cache/apk/* /var/cache/distfiles/*
 
-ADD ./lighttpd/htdocs/ /var/www/localhost/
+ADD ./lighttpd/htdocs/ /var/www/localhost/htdocs/
 ADD ./lighttpd/config/* /etc/lighttpd/
+RUN chown -R openvpn:openvpn /var/www/localhost/htdocs /etc/lighttpd /var/log/lighttpd
 
 # Needed by scripts
 ENV OPENVPN=/etc/openvpn
@@ -24,7 +25,7 @@ VOLUME ["/etc/openvpn"]
 
 # Internally uses port 1194/udp, remap using `docker run -p 443:1194/tcp`
 EXPOSE 1194/udp
-EXPOSE 80/tcp
+EXPOSE 443/tcp
 
 CMD ["ovpn_run"]
 
@@ -33,3 +34,5 @@ RUN chmod a+x /usr/local/bin/*
 
 # Add support for OTP authentication using a PAM module
 ADD ./otp/openvpn /etc/pam.d/
+
+# TODO: make sure here & in scripts that everything is done as "openvpn" user

lighttpd/config/lighttpd.conf

@@ -17,13 +17,14 @@ server.modules = (
 # "mod_rewrite",
 # "mod_redirect",
 # "mod_alias",
-# "mod_access",
+ "mod_access",
 # "mod_cml",
 # "mod_trigger_b4_dl",
  "mod_auth",
  "mod_authn_file",
+ "mod_openssl",
 # "mod_status",
-# "mod_setenv",
+ "mod_setenv",
 # "mod_proxy",
 # "mod_simple_vhost",
 # "mod_evhost",
@@ -50,8 +51,8 @@ include "mod_cgi.conf"
 # }}}
 
 # {{{ server settings
-server.username = "root"
-server.groupname = "root"
+server.username = "openvpn"
+server.groupname = "openvpn"
 
 server.document-root = var.basedir + "/htdocs"
 server.pid-file = "/run/lighttpd.pid"
@@ -107,7 +108,7 @@ static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")
 # }}}
 
 # {{{ mod_accesslog
-accesslog.filename  = /dev/console
+accesslog.filename = var.logdir + "/access.log"
 # }}}
 
 # {{{ mod_dirlisting
@@ -179,9 +180,8 @@ url.access-deny = ("~", ".inc")
 # {{{ mod_auth
 # see authentication.txt
 #
- auth.backend = "plain"
- auth.backend.htpasswd.file = "/etc/openvpn/http/htpasswd"
- auth.backend.htpasswd.method = "basic"
+ auth.backend = "htpasswd"
+ auth.backend.htpasswd.userfile = "/etc/openvpn/http/htpasswd"
 
 # auth.require = ( "/server-status" =>
 # (

lighttpd/config/mod_cgi.conf

@@ -0,0 +1,31 @@
+###############################################################################
+# mod_cgi.conf
+# include'd by lighttpd.conf.
+# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $
+###############################################################################
+
+#
+# see cgi.txt for more information on using mod_cgi
+#
+
+server.modules += ("mod_cgi")
+
+#
+# Note that you'll also want to enable the
+# cgi-bin alias via mod_alias (above).
+#
+
+# disable directory listings
+dir-listing.activate = "disable"
+cgi.assign = (
+ ".cgi" => "/bin/bash"
+ )
+
+# TODO: send directly not to leave stuff around
+cgi.x-sendfile = "enable" # default "disable" 
+cgi.x-sendfile-docroot = ( var.basedir + "/vpn_configs" )
+
+setenv.set-environment = ( "PATH" => "/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin",
+ "OPENVPN" => "/etc/openvpn/")
+
+# vim: set ft=conf foldmethod=marker et :