From db7a98efc72ee90f75da402c994db9bd0bd58bce Mon Sep 17 00:00:00 2001 
From: Benjamin DALSASS Date: Wed, 29 Apr 2026 10:39:59 +0200 Subject: [PATCH 01/16] :lock: Add secured connection configuration for databases --- addons/documentation/how_to.md | 6 ++++ .../plugins-enabled/enable-ssl;php.php | 18 ++++++++++++ .../certs/database/ca-key.pem | 28 +++++++++++++++++++ .../certs/database/ca.pem | 19 +++++++++++++ .../certs/database/ca.srl | 1 + .../certs/database/client-cert.pem | 17 +++++++++++ .../certs/database/client-key.pem | 28 +++++++++++++++++++ .../certs/database/client-req.pem | 15 ++++++++++ .../certs/database/server-cert.pem | 17 +++++++++++ .../certs/database/server-key.pem | 28 +++++++++++++++++++ .../certs/database/server-req.pem | 15 ++++++++++ .../certs/{ => webserver}/certificate.crt | 0 .../certs/{ => webserver}/certificate.key | 0 build/default_configuration/mariadb/my.cnf | 10 ++++++- build/default_configuration/mysql/my.cnf | 11 +++++++- build/default_configuration/php/client.cnf | 10 +++++++ docker-compose.yml | 15 ++++++++-- readme.md | 27 ++++++++++++++++-- 18 files changed, 258 insertions(+), 7 deletions(-) create mode 100644 build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php create mode 100644 build/default_configuration/certs/database/ca-key.pem create mode 100644 build/default_configuration/certs/database/ca.pem create mode 100644 build/default_configuration/certs/database/ca.srl create mode 100644 build/default_configuration/certs/database/client-cert.pem create mode 100644 build/default_configuration/certs/database/client-key.pem create mode 100644 build/default_configuration/certs/database/client-req.pem create mode 100644 build/default_configuration/certs/database/server-cert.pem create mode 100644 build/default_configuration/certs/database/server-key.pem create mode 100644 build/default_configuration/certs/database/server-req.pem rename build/default_configuration/certs/{ => webserver}/certificate.crt (100%) rename build/default_configuration/certs/{ => webserver}/certificate.key 
(100%) create mode 100644 build/default_configuration/php/client.cnf diff --git a/addons/documentation/how_to.md b/addons/documentation/how_to.md index 1ce8fdd..e9ea13e 100644 --- a/addons/documentation/how_to.md +++ b/addons/documentation/how_to.md @@ -86,6 +86,12 @@ You may also want to have a specific init file for a php version, you have to ov > [!NOTE] > Browse [XDebug settings](https://xdebug.org/docs/all_settings) for more information. +### Change MariaDB client settings +Modify the `client.cnf` file in the php conf directory then restart the container.\ +Note that this file is used by both MariaDB and MySQL clients. +The SSL activation is managed by iTop. +Known limitation, when you perform iTop backup with SSL on a MySQL server, you may experience an error: `--ssl-mode is not recognized`.\ + ### Add a new php version * Duplicate a php section in `docker-compose.yml` then run `docker compose up -d`.\ * Bind a port in the web server then edit the server configuration to add a new virtual host.\ diff --git a/build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php b/build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php new file mode 100644 index 0000000..fb1cd96 --- /dev/null +++ b/build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php @@ -0,0 +1,18 @@ + filename, "cert" => filename, "ca" => filename) + */ +return new AdminerLoginSsl( + $ssl = [ + 'key' => $key, + 'cert' => $cert, + 'ca' => $ca, + 'verify' => false, + ] +); \ No newline at end of file diff --git a/build/default_configuration/certs/database/ca-key.pem b/build/default_configuration/certs/database/ca-key.pem new file mode 100644 index 0000000..64d7be0 --- /dev/null +++ b/build/default_configuration/certs/database/ca-key.pem 
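Review bot: `'verify' => false` in the options handed to AdminerLoginSsl turns off server-certificate verification, so the `ca` entry is loaded but never used to authenticate the database server, and a client that presents its own key and cert while skipping verification still accepts whatever answers on the database port. The `$ssl = [...]` assignment inside the constructor argument stores nothing anyone reads afterwards; `return new AdminerLoginSsl(['key' => $key, 'cert' => $cert, 'ca' => $ca, 'verify' => false]);` is the same call without the leftover, and a comment such as `// verify is off because the server cert does not match both database service names; set to true once the cert carries both SANs` would record why the flag is off rather than leaving it to look like a default. The head of this hunk (the docblock and the assignments to `$key`, `$cert` and `$ca`) is cut off in this view, so where those values come from cannot be checked here — presumably the `DB_SSL_*` variables set on the adminer service. The `;` in the file name `enable-ssl;php.php` looks accidental; confirm it is what the plugin loader expects.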
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCpHm2Aeb4Rn8ke +X4JSL+inGCVdLoDc9Ssy/qK7xTYqV5iscR1R07ZCHk/+r9icXY2I3HqxW64wAlCH +/hHGMmF/dbN8CrNsB0GGU7mne2G+dHpYUKcjbP7jv8+RcCczRG3xz2t5WWaM0KmF +DuJdBWVt/NMWAFD9ghMt0PThNOkHCYyg6z+cbkXypKJuQzi6Evpm3otH1k45PnAr +fQgvHrYJVf1JqzOydzPwy5h8JSLIrf/EYgcddHVeRzI6SO+OJNvI76h1QO7pbgcn +c1rqFJTcsPlrj59JZsmq6twbbtd1JYnRy6BpunSxUS0yMiBeHRSJK//Q23Cc37K0 +P2BT1rcPAgMBAAECggEACLbhq5oaWiwin+cJ/xQq59lNq5SG3VvgwvruBcDuvpXO +7yvQ9/Nx08xeEOCcx8nmTiQWSmdP/XdREQDdh5n2/itheUXP4wQoszRDP8cSzU6R +M1XMlv250KCEoJjn3DNteuVWQ2WA7EagRZPzxBlQFa/ObLbNdZKrTFQVGjmwvEUD +KMrGicCoSZ4TP9tt+cnB3e2K7qOlH2C+6lCkaC/Z6Ee/T+F2prmD4xVX459H9/dU +/4g/20BFOKQYR7Yijf4VyZew+5B2Xj69VEbJKk/2VM/dM4vNnJNZTaccuqIo9Wl2 +zAo1Qe5JWGFvn0d6ydWtMbIjjE6BL61x39twhAkPkQKBgQDkyHbal9dtw3+8Z4zI +1RWhoAsKXtsAwzstU7WInYLLsrq31PQ/5BhmYBxzR4YkiTcUFzZNliWKpMC9phXA +t5G8xgwc3+a6H6vV5pMy6TKm3h0Mn0mw9vL9cDgEtE0+Rkz0Tx/J45Ij5jC4/xF8 +k8sc2kOeHUXhaBIMPllEwDeOmQKBgQC9POdeYffzOfT/p3KaQQobxqS9xO36hsar +TNvV7QM7q08dwuN8jC2iO+ogDaS1rpMfnU7yCuZEfKDXmPG9zOYSEp7SEIFAfAxd +JPhOIHv/EXBe2zTwMEQzQDN08u15YGRHxSdOD6FIVAz4p/AxrVOiEaivchVBt7/2 +kMlZP1tD5wKBgQDj9KoYXDsW7ziTbUnlwgtvo5vclW75b43DOCklGmx8snVBPjqw +foGhYBp48sdCGEZ9CjPdUsHNRyOU06vQ/heEVIE1NBMdWPlKhBgfHiSOB7pCHWS7 +oxOyWuI2LcDZUArVUxGFg+7VPkNF0UCHNGupMAE3xksesSdqc6VWz3+L4QKBgHvN +6KC6/3jFJiBL8JIykuZxIz50JC2PF1LiycA/e6oB/ZS++A13uDM3d4jY5DVorSA1 +znxT3SpZTvE+QommD68rN3S/D5Ccl4oosbqLThQl2Jp2Vz/8k+Hj0sZkWDDcez7p +ITnUx/OF6aaUWHRnrRuO6gk+XeHM0W4Cc3hMFu1pAoGBAORT+sBVRK82krDC3S2f +5f+CzCIAku0tx1wiRcJk9TMQwqlDSb5DgfqyrnvXQNz5afkOnYt3j3naQdDS8qux +gWEjxFhNK6K9C3J+YuzqaXaMEH6qxIhxrpYATGWSJBtXldytOAc8vEIhqSf3gFH9 +kJZUFZgmTlYoHLV40JEYeB8d +-----END PRIVATE KEY----- diff --git a/build/default_configuration/certs/database/ca.pem b/build/default_configuration/certs/database/ca.pem new file mode 100644 index 0000000..0987b81 --- /dev/null +++ b/build/default_configuration/certs/database/ca.pem 
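Review bot: This hunk checks the CA private key into the repository, and the same applies to client-key.pem and server-key.pem later in this patch, together with the issuance leftovers ca.srl, client-req.pem and server-req.pem. Nothing in the configuration added by this patch references ca-key.pem, the .srl file or the -req.pem files — my.cnf, client.cnf and the adminer environment name only ca.pem plus the server and client cert/key pairs — so those four files can be left out of the commit and kept wherever the CA is operated. Because the key pairs are identical in every checkout, `ca.pem` cannot distinguish this environment's database from any other deployment of the repository, and anyone with the repo can impersonate the database server or client; if a shared dev-only default is the intent, a README note next to the certs database conf directory saying so would make that explicit, and generating the pair at first start would be the alternative.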
@@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDBzCCAe+gAwIBAgIURR65rn10qrL3Vq3BHMl5TT7K3RMwDQYJKoZIhvcNAQEL +BQAwEzERMA8GA1UEAwwITXlTUUwtQ0EwHhcNMjYwNDI4MDc0NzUyWhcNMzYwNDI1 +MDc0NzUyWjATMREwDwYDVQQDDAhNeVNRTC1DQTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAKkebYB5vhGfyR5fglIv6KcYJV0ugNz1KzL+orvFNipXmKxx +HVHTtkIeT/6v2JxdjYjcerFbrjACUIf+EcYyYX91s3wKs2wHQYZTuad7Yb50elhQ +pyNs/uO/z5FwJzNEbfHPa3lZZozQqYUO4l0FZW380xYAUP2CEy3Q9OE06QcJjKDr +P5xuRfKkom5DOLoS+mbei0fWTjk+cCt9CC8etglV/UmrM7J3M/DLmHwlIsit/8Ri +Bx10dV5HMjpI744k28jvqHVA7uluBydzWuoUlNyw+WuPn0lmyarq3Btu13UlidHL +oGm6dLFRLTIyIF4dFIkr/9DbcJzfsrQ/YFPWtw8CAwEAAaNTMFEwHQYDVR0OBBYE +FKf+2UqjzRcI2Bz4dBmWY6amL6wRMB8GA1UdIwQYMBaAFKf+2UqjzRcI2Bz4dBmW +Y6amL6wRMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAFnIOjs+ +Ixl5pdXex2esScqBW4FKkhmWJgBsb9z7OEvLJkZhk2bqJ8aJDTOZOFFP26ucFj6B +O3LkwaeHJonsusAWMRvoXqT8I5H/AQvDuDtpK95FbNfGij09e/L2EnF5MmQrNQGB +q7W9G6E4zVtn7sTYZyU31rk9uStHaqyvoTPtoo1rjehI8GVrOfYhu+E3blVH259Z +5H+CU2DmW6efVwxLCj700eCKsqnM4nl5qoTGp7V5Rm1NQg6ev2sp+7x/4UjX8Mg+ +adGrW56gXldlw3ZhjGJSao7oT6EITU498nZglAWCdLPBDhSCHvWLEN8Dv26fbzum +ZrqAvLREkM/eoF8= +-----END CERTIFICATE----- diff --git a/build/default_configuration/certs/database/ca.srl b/build/default_configuration/certs/database/ca.srl new file mode 100644 index 0000000..895cb9d --- /dev/null +++ b/build/default_configuration/certs/database/ca.srl @@ -0,0 +1 @@ +5FD490D27A0A93E81E4058F01B88EC6A5250CEC9 diff --git a/build/default_configuration/certs/database/client-cert.pem b/build/default_configuration/certs/database/client-cert.pem new file mode 100644 index 0000000..cd893df --- /dev/null +++ b/build/default_configuration/certs/database/client-cert.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICrzCCAZcCFF/UkNJ6CpPoHkBY8BuI7GpSUM7JMA0GCSqGSIb3DQEBCwUAMBMx +ETAPBgNVBAMMCE15U1FMLUNBMB4XDTI2MDQyODA3NDg0MVoXDTM2MDQyNTA3NDg0 +MVowFTETMBEGA1UEAwwKcGhwLWNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALi2ZGgze+L3igDaa512IXz8++xBrmmJg5QiUcsVVE47KdmrVXaS +gPYB1yS8vhvW8ewfR+pKykJa9bQ8pnVTe8JEogt54hJFjVWh3tCU4h4iGLfjY23B +S9an5IDLdoh7o02kxgsr6EVzKYNpPZh2LIIs9FyYoJ08iJ74fi/7Fmu+/8mnvSWS +rwoGVtOb6KbH1Wwqc6FeiHBIf9ae73+8Soy3vO6qJqJRu/USn+V/nB8A7tzXTrTX +7Ru6Ku4u6lk5geTdZrhXA093JaWCeXbDPNnUWAdjkCPuejO1XZEBBLa3GqVaY+8f +LrDYZvudXTfpmEdgotxZ0ZkOe6hrBKa8zDUCAwEAATANBgkqhkiG9w0BAQsFAAOC +AQEAd+CsTWJX14Hs+yKWOyHLLFxZF349ssfwi6V0pwsLaWmgwSYWTTqYT9W+tq8m +mScbE/gdUyYFqvdQBZ0XjCsIqsvX5CNkvxmeuEJ58GZllidBAnwvzg9X7UFZBWI2 +F+Tv+TvbiojdT49glFSrpcwR61W97SfRbCwOErY2+YTTo854ngJ7YcIp9pelwRUF +7Hg7rchUb+9Z5l/74hsL/F9GsC3gEjhgI5ygvCdJAznFHu4xwvAPzeaZT1iQkkil +9nsuyApCFA0U66Bz39R+0ThgaGsmPJevPB/DJUy6DQWcKDoiHCY8c6/9w2ScS+VN +fVsIyAMt4HR/yrhqHJeG+SjLDw== +-----END CERTIFICATE----- diff --git a/build/default_configuration/certs/database/client-key.pem b/build/default_configuration/certs/database/client-key.pem new file mode 100644 index 0000000..4c36c63 --- /dev/null +++ b/build/default_configuration/certs/database/client-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC4tmRoM3vi94oA +2muddiF8/PvsQa5piYOUIlHLFVROOynZq1V2koD2AdckvL4b1vHsH0fqSspCWvW0 +PKZ1U3vCRKILeeISRY1Vod7QlOIeIhi342NtwUvWp+SAy3aIe6NNpMYLK+hFcymD +aT2YdiyCLPRcmKCdPIie+H4v+xZrvv/Jp70lkq8KBlbTm+imx9VsKnOhXohwSH/W +nu9/vEqMt7zuqiaiUbv1Ep/lf5wfAO7c10601+0buiruLupZOYHk3Wa4VwNPdyWl +gnl2wzzZ1FgHY5Aj7noztV2RAQS2txqlWmPvHy6w2Gb7nV036ZhHYKLcWdGZDnuo +awSmvMw1AgMBAAECggEAIXgTG3pwsUCPRfZN15tHGCGy+C0ykDb1m4rYbUbxHrfD +rohIFRMYwPq2ZBa7D8pTzaghXMeufHWE3eK7erjkzN+oyRGNsCfgIysQd5Tyn+kn +t3JBWurSdhO36Mp1MOfOQExiAjYzgRoL5J7WJWEMUY4ZvQl+2N7WFpAKNWF2v5Dt +eVTKOAufVo9PrQ/GLAceZlevef4yfsQxKjhdmjZpq4Zae8EpwlqU/6Sclod3pgHV +/CTxtgepWYWDhrssLBkO9URvvBndumGi/PqymacKbvVr3Tl7bOZFW4owTqDOCQBu +LvNA5LPmiCendFzWRdn4t7ZAWymv1wODUfnsrgbbgQKBgQD+j7Nql+JHYebUfo2R +pgaKQGrHrIqF/hOvSc7u/ZlMnFeB9TiTvfWhr6PTtgoXD5VoW6IEojlep7vFqLFl +qNJqyUWYrRQrNlIWH2CMvorhHGVgYYL7wHUKi3LlXFieA12wZCiett/sq01xBbVV +oy0OipANi60Zo0g2ksKuQCHzIQKBgQC5waJTcN6d5Hif1kOrRutzoAe42tuhajGK +EYLvs8jAzVgEQhRuv/ZzFbvMI6TmctWntE1JUZp+0daTvreC2c947jSCV7bJQtRy +nMDm06ZHu/h9L2i/Mb8xJLkgpDeupLkVwtWMkQbmh1xGWX9ft2V0FCV/k2rAWj+M +IP3i+xsKlQKBgQDpnRcai6itubsM59ckAymdVuCnvkCiFzoZc7LkwPcex5vHODRj +4cC6UWYXtMgtwa9rxiw59GaR53z7OIUUtonkVjH4m14XChLrGoCQqYzqahTfDp4W +S9kdhDw9ITJyUMR6THC6tzlpCQxY3NQ9czK2VZM92yFQlfh/nM/s+g4uAQKBgGvi +gVOy9yh+3GwAtpaQfwlNhY6gVfUexxzoZMKxCUSpPphihJl6FjnrAoJipVBOm7Zm +KokNwwwq9VQj7VMrC6uxtX+KUBf+H4NddU/a1vVMv9p9IXoB+4ggSwEhP1HIS9LO +sNaOGJLlRPt62VaPHnZXiRvaU6LaB5RsSOh+bMstAoGBAMILy7x9+5JsuuJVctXb +oA2PUh8t2jyyV4e6SPbu6UpX2T9jf0ZVenBS8WByet6LrD43mI9QovAcA/ub/xO1 +x0rSHWDMICveahFQHK4LBToIUbylywnWIkad+xFnHUX/qnIX7ZCe+upHO90QlNsz +wNdtSH+sNnQ3iehk5BQtIy+v +-----END PRIVATE KEY----- diff --git a/build/default_configuration/certs/database/client-req.pem b/build/default_configuration/certs/database/client-req.pem new file mode 100644 index 0000000..6d7c155 --- /dev/null 
+++ b/build/default_configuration/certs/database/client-req.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICWjCCAUICAQAwFTETMBEGA1UEAwwKcGhwLWNsaWVudDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALi2ZGgze+L3igDaa512IXz8++xBrmmJg5QiUcsV +VE47KdmrVXaSgPYB1yS8vhvW8ewfR+pKykJa9bQ8pnVTe8JEogt54hJFjVWh3tCU +4h4iGLfjY23BS9an5IDLdoh7o02kxgsr6EVzKYNpPZh2LIIs9FyYoJ08iJ74fi/7 +Fmu+/8mnvSWSrwoGVtOb6KbH1Wwqc6FeiHBIf9ae73+8Soy3vO6qJqJRu/USn+V/ +nB8A7tzXTrTX7Ru6Ku4u6lk5geTdZrhXA093JaWCeXbDPNnUWAdjkCPuejO1XZEB +BLa3GqVaY+8fLrDYZvudXTfpmEdgotxZ0ZkOe6hrBKa8zDUCAwEAAaAAMA0GCSqG +SIb3DQEBCwUAA4IBAQB111oDanSq2UMJPNAkIP9Y5gcPCrQsn+IrNstQkGnDIUbq +g6h8va6TurU0973n/usQrgeRmQ7B5U+xVx4WOlJ+F08YBa3leS3+yjlg6QD8I2Uq +rvjlJQ8WlJL1vBA0KB+B+qNg8I+r91J7Q1qhTZ9O+XvYZStlFSMsZzJJfdtuBGqT +aL92V7UQ8Dkw7528ePPIodfHBpyxH7CcUf/7XV3FAEXpA4B/5Zhj9V0QefUsreaE +meN6NxeEkVEQTuuMiZ7CecM6Tqn6PCz5zl4Sqth8Rt7IeFUtm8dj7uXXX/kiKiID +bKoPLW+YK/sB4myLRxNCS8Z5VzB5Yx65PsPbcpJL +-----END CERTIFICATE REQUEST----- diff --git a/build/default_configuration/certs/database/server-cert.pem b/build/default_configuration/certs/database/server-cert.pem new file mode 100644 index 0000000..d3132f6 --- /dev/null +++ b/build/default_configuration/certs/database/server-cert.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICqjCCAZICFF/UkNJ6CpPoHkBY8BuI7GpSUM7IMA0GCSqGSIb3DQEBCwUAMBMx +ETAPBgNVBAMMCE15U1FMLUNBMB4XDTI2MDQyODA3NDgxNloXDTM2MDQyNTA3NDgx +NlowEDEOMAwGA1UEAwwFbXlzcWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCg8bWnm5ld3N9PbYg00E4Z5KCtUz5FBBBJo6UTUO7rRufkOnLeB7RFwk9b +zjnhciGvE25q/ggU8IyqqK+otNGSrKYd7EGjAmMZsd6mMD56/kECriK9hWmH2FAK +bA0GiTDhsw1T7FgpHMMPn1EP5IPLBd0AGr7ZfinkW4VhokQpV7yN4fvWHBID3aXY +lsyd+KcDpZNupvpI2tM+2Hf+Xzei7lElASRy9TnD6u0Ua6v6MDjiCSUSu0WqgBGS +nodYgfPiJ9n7QFF5+a5b1tF+EJxoG2z3KQ8hJpSXXL36eIfRLvrnVpdp8tRFQl7T +wwNFHqV8ulzmPHqnVn8gLLWGyCq7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAANo +Kmh3DmPxBkxFy+ePS1wpXujY11xoUphbEb7KBjEl9pZzdqYZbZBqVMYcF+u05lrG +R1Ntrl58wJmQ+etZPpIyWimnhTRZ77qdYAPd5W9axVxEAVA5LCrDFRA3NWx3xhI9 +RpkYLMSlYcQVD3EWjvjh02wkc/dtLR+EoWkb0BksZoowvS7CQZj4RMqNGeWYPQ8L +VCVevvKIo/YCxPhh7l/ZGDH7JmRm3ZLa7Pihk3nK7Yfs+w+L2MLvg+n6wrtFP7AA +Yd4awg6MzGGvxDLa2YP5GPE5wappb/kJaZSTyfYwtkgZ0ldIYw0vTPR6dBnaWsgk +x6+1w56yjsmwKW7YjhI= +-----END CERTIFICATE----- diff --git a/build/default_configuration/certs/database/server-key.pem b/build/default_configuration/certs/database/server-key.pem new file mode 100644 index 0000000..4fb44b9 --- /dev/null +++ b/build/default_configuration/certs/database/server-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCg8bWnm5ld3N9P +bYg00E4Z5KCtUz5FBBBJo6UTUO7rRufkOnLeB7RFwk9bzjnhciGvE25q/ggU8Iyq +qK+otNGSrKYd7EGjAmMZsd6mMD56/kECriK9hWmH2FAKbA0GiTDhsw1T7FgpHMMP +n1EP5IPLBd0AGr7ZfinkW4VhokQpV7yN4fvWHBID3aXYlsyd+KcDpZNupvpI2tM+ +2Hf+Xzei7lElASRy9TnD6u0Ua6v6MDjiCSUSu0WqgBGSnodYgfPiJ9n7QFF5+a5b +1tF+EJxoG2z3KQ8hJpSXXL36eIfRLvrnVpdp8tRFQl7TwwNFHqV8ulzmPHqnVn8g +LLWGyCq7AgMBAAECggEAIjlD15BO3JbLJai0/gYNlZP4VuMMqsBidkZGJAVhyMYb +KX0EUBJzUyIunecMh9QtNX18TWQXc9xzDRcxwz4wEnCEInjKvE8Vo7EfF1fK8Xx/ +doJxALwN5MUqwAyZ+HnT2yqn+uCXHqbvE7NdGXQOUm28wPju/HDHl7eedVR8Cg43 +bhPX9VhGjXESaTfPK0rNoIt4o/j+Lrxk9RdLKBrd6uWBLzWrfv3fXVgUYJPIlRW3 +lI/mGZOGdue+LunuzQe270+xJ0PtNmxIiyPibslQ5/EHp3YTnyKunpHAm2KRKGS8 +FhHTFJkya01y6WWgDjl5UFatvoOGNUKB0+DNgAY7gQKBgQDd+VK7tbd7a+mEtr4X +ejU4X162HJ50v6GFE4TCTN+YWpnbtCoK30IpYwfSY7oG/t4HdiWmhks3GdsRjKVk +QZPweOY4zHtOwZVkl19uRJ9geUDXDuzjTumOvYhFBLqzGbGFcKkOslLDFr90K2ov +QvBjBGQdwfWFLUfu+yIqsutqxwKBgQC5nXa+opfOCdpEgcTcd6PRxsqp5UE1J75h +ilSWQWf/lK9ZueYv1DBNTocTxWl3jk9QrnhQOtiwnVDYz3MnXtG5gmlMs4aeTh0u +AMjYvcg9Feizb8WFE18ogofGmyhKq1TQ93N29uKoK95bZS1y8iJdVHq6MlyfMsT0 +QJ7xrsKsbQKBgQDEX/10eSfQ9cAKnA0CAiixLZZBsIHysVH4xDLQHmg1hfnV58bG +BYunx6e01mtOIw5UNY7LisViAurO1MnBL07tEFhEaYqxOwuqiUxw5h7Fn5/gYqDp +2/c+Q6kZvjxZlGJ7thaqHNKhKy/HW10+YI8AWnMj7GMEJfIcl2o7sjwZIwKBgEG5 +diCOpj440ubLJJAEdSeEwqJiITLXPdyABO+nfVHMrkKRRubMtcXJ9p6TmoLRC1jA +Tq3qCGyRZ909p8LbGlwbx3l3YEWR11dAw92rZcnrhhhzjXdPorRPdBBpRF0cSc4s +sOABD8UIs5WdP/ihsHVnwoVH6/AbJA5xC1b80MYJAoGAQ8/Cx4ylHJFjJjv4BWJb +5Pu0CVyEvDR+ADY4+Dcfx6h43nJ8kfhIUtUCVNfvttNoJsCbPx4mwhYjRbWcCaEm +r3N4P6TUwvBw4D1ZFTwcZ0fM6Y9huw34KaTxePlRhNrz7IgbXqspkH4NzIT6wzdB +57pufY7n+6Fwfh6UBSpAjl4= +-----END PRIVATE KEY----- diff --git a/build/default_configuration/certs/database/server-req.pem b/build/default_configuration/certs/database/server-req.pem new file mode 100644 index 0000000..0fa3553 --- /dev/null 
+++ b/build/default_configuration/certs/database/server-req.pem @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICVTCCAT0CAQAwEDEOMAwGA1UEAwwFbXlzcWwwggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQCg8bWnm5ld3N9PbYg00E4Z5KCtUz5FBBBJo6UTUO7rRufk +OnLeB7RFwk9bzjnhciGvE25q/ggU8IyqqK+otNGSrKYd7EGjAmMZsd6mMD56/kEC +riK9hWmH2FAKbA0GiTDhsw1T7FgpHMMPn1EP5IPLBd0AGr7ZfinkW4VhokQpV7yN +4fvWHBID3aXYlsyd+KcDpZNupvpI2tM+2Hf+Xzei7lElASRy9TnD6u0Ua6v6MDji +CSUSu0WqgBGSnodYgfPiJ9n7QFF5+a5b1tF+EJxoG2z3KQ8hJpSXXL36eIfRLvrn +Vpdp8tRFQl7TwwNFHqV8ulzmPHqnVn8gLLWGyCq7AgMBAAGgADANBgkqhkiG9w0B +AQsFAAOCAQEAH8wVvpJSz/PELbYbwaEPWPyYq9Cq/cj0kFY5gTwMyB+CGzPk0P6v +2/+6ngyz8YfYOZgRwqJZqg47h9ERrgIX2hd77aS/pwPNE9GUYPYXRW40skykqNTH +lWEyHdFzP94TAJR5CjBD7ZVqBY2oGM41CLsuH+D/wj53WLpa+pQceA91IVvpzhaP +/dY6MySv/aC2qhRkChduryEaSBIzdOOKh8dWr+/id4WmGa65x0n+uRECS2FzpTiB +QI9Jc+9T9Wc+NhNJa3IxAHnRVus+2zM40RD6vZEWRZym7If56dOcd1uomL6BdYuQ +cyVw4zIgozG95Y39sJmPFEi97Kj2pHkgEg== +-----END CERTIFICATE REQUEST----- diff --git a/build/default_configuration/certs/certificate.crt b/build/default_configuration/certs/webserver/certificate.crt similarity index 100% rename from build/default_configuration/certs/certificate.crt rename to build/default_configuration/certs/webserver/certificate.crt diff --git a/build/default_configuration/certs/certificate.key b/build/default_configuration/certs/webserver/certificate.key similarity index 100% rename from build/default_configuration/certs/certificate.key rename to build/default_configuration/certs/webserver/certificate.key diff --git a/build/default_configuration/mariadb/my.cnf b/build/default_configuration/mariadb/my.cnf index 6c9bb12..dec5de4 100644 --- a/build/default_configuration/mariadb/my.cnf +++ b/build/default_configuration/mariadb/my.cnf 
@@ -1,2 +1,10 @@
 [mariadbd]
-max_allowed_packet=64M
\ No newline at end of file
+max_allowed_packet=64M
+
+require_secure_transport = OFF
+
+ssl-ca = /etc/mariadb/certs/ca.pem
+ssl-cert = /etc/mariadb/certs/server-cert.pem
+ssl-key = /etc/mariadb/certs/server-key.pem
+tls_version = TLSv1.2,TLSv1.3
+ssl_cipher = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
diff --git a/build/default_configuration/mysql/my.cnf b/build/default_configuration/mysql/my.cnf
index 986fdcf..e10924f 100644
--- a/build/default_configuration/mysql/my.cnf
+++ b/build/default_configuration/mysql/my.cnf
@@ -1,2 +1,11 @@
 [mysqld]
-max_allowed_packet=64M
\ No newline at end of file
+max_allowed_packet=64M
+
+require_secure_transport = OFF
+
+ssl-ca = /etc/mysql/certs/ca.pem
+ssl-cert = /etc/mysql/certs/server-cert.pem
+ssl-key = /etc/mysql/certs/server-key.pem
+tls_version = TLSv1.2,TLSv1.3
+tls_ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl_cipher = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
\ No newline at end of file
diff --git a/build/default_configuration/php/client.cnf b/build/default_configuration/php/client.cnf
new file mode 100644
index 0000000..50bafe5
--- /dev/null
+++ b/build/default_configuration/php/client.cnf
@@ -0,0 +1,10 @@
+[client]
+ssl-ca = /etc/database/certs/ca.pem
+ssl-cert = /etc/database/certs/client-cert.pem
+ssl-key = /etc/database/certs/client-key.pem
+
+# verification failed due to hostname mismatch
+# as we have mariadb and mysql, php client couldn't verify the server cert
+ssl-verify-server-cert = false
+
+[client-mariadb]
diff --git a/docker-compose.yml b/docker-compose.yml
index 63a500d..2833780 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
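Review bot: `ssl-verify-server-cert = false` in the client.cnf hunk disables server authentication for every MariaDB/MySQL client call made from the php container, which leaves the session encrypted but accepting any endpoint that answers for the database host name; the comment above it presents this as a workaround for a host-name mismatch. The mismatch comes from the certificate, not the client: the subject in server-cert.pem appears to name a single host while docker-compose.yml reaches the servers as two services, so re-issuing server-cert.pem with subjectAltName entries for both service names and setting `ssl-verify-server-cert = true` removes the mismatch without giving up verification. The `[client-mariadb]` section at the end of the hunk is empty; either populate it or drop it, and a one-line comment naming which client binary reads it would help the next person editing this file.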
@@ -23,10 +23,12 @@ x-php: &default-php volumes: - ${CONF_FOLDER}/php/php.ini:/usr/local/etc/php/conf.d/php.ini - ${CONF_FOLDER}/php/xdebug.ini:/usr/local/etc/php/conf.d/xdebug.ini + - ${CONF_FOLDER}/php/client.cnf:/etc/mysql/conf.d/client.cnf - ${CONF_FOLDER}/msmtprc/msmtprc:/var/www/.msmtprc:ro - ${HTML_FOLDER}:/var/www/html/ - ${DATA_FOLDER}/php/coverage:${PHP_COVERAGE_OUTPUT_FOLDER} - ${DATA_FOLDER}/php/profile:${PHP_PROFILE_OUTPUT_FOLDER} + - ${CONF_FOLDER}/certs/database:/etc/database/certs restart: always services: @@ -115,7 +117,7 @@ services: volumes: - ${CONF_FOLDER}/apache/httpd.conf:/usr/local/apache2/conf/httpd.conf - ${CONF_FOLDER}/apache/httpd-vhosts.conf:/usr/local/apache2/conf/extra/httpd-vhosts.conf - - ${CONF_FOLDER}/certs:/etc/apache/certs + - ${CONF_FOLDER}/certs/webserver:/etc/apache/certs - ${HTML_FOLDER}:/var/www/html/ restart: always # depends_on: @@ -149,7 +151,7 @@ services: - "${NGINX_PORT_85:-85}:85" volumes: - ${CONF_FOLDER}/nginx:/etc/nginx/conf.d - - ${CONF_FOLDER}/certs:/etc/nginx/certs + - ${CONF_FOLDER}/certs/webserver:/etc/nginx/certs - ${HTML_FOLDER}:/var/www/html/ restart: always # depends_on: @@ -173,6 +175,7 @@ services: - ${CONF_FOLDER}/mariadb:/etc/mysql/conf.d - ${DATA_FOLDER}/mariadb/:/var/lib/mysql - ${DATA_FOLDER}/dbdump/:/tmp/dbdump + - ${CONF_FOLDER}/certs/database:/etc/mariadb/certs environment: MARIADB_ROOT_PASSWORD: ${DB_ROOT_PASSWORD} @@ -186,6 +189,7 @@ services: - ${CONF_FOLDER}/mysql:/etc/mysql/conf.d - ${DATA_FOLDER}/mysql/:/var/lib/mysql - ${DATA_FOLDER}/dbdump/:/tmp/dbdump + - ${CONF_FOLDER}/certs/database:/etc/mysql/certs environment: MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD} 
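Review bot: The new `${CONF_FOLDER}/certs/database` mounts (php in the first hunk, mariadb and mysql in the last two) are read-write and hand the whole directory, including ca-key.pem and client-key.pem, to containers whose my.cnf only references ca.pem, server-cert.pem and server-key.pem. Mounting read-only, `- ${CONF_FOLDER}/certs/database:/etc/mariadb/certs:ro` and the same `:ro` suffix on the php and mysql entries, matches the existing `.msmtprc:ro` line and stops a compromised container from rewriting the trust store; splitting the directory into server and client subfolders would further narrow what each container can read. The same directory is mounted into the adminer service in the following hunk.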
@@ -193,6 +197,13 @@ services: image: adminer container_name: adminer restart: unless-stopped + environment: + DB_SSL_KEY: '/etc/database/certs/client-key.pem' + DB_SSL_CERT: '/etc/database/certs/client-cert.pem' + DB_SSL_CA: '/etc/database/certs/ca-cert.pem' + volumes: + - ${CONF_FOLDER}/certs/database:/etc/database/certs + - ${CONF_FOLDER}/adminer/plugins-enabled/:/var/www/html/plugins-enabled/ ports: - "${ADMINER_PORT:-8080}:8080" deploy: diff --git a/readme.md b/readme.md index 0f8fada..8ffeda9 100644 --- a/readme.md +++ b/readme.md @@ -66,25 +66,29 @@ You also can use one of the official browser extensions allowing to add custom h #### Nginx (default) The container for Nginx webserver.\ -A `self-signed certificate` is included in the certs conf directory allowing `HTTPS`. Official build of Nginx.\ Based on `nginx:alpine` 🐳 [Docker official image page](https://hub.docker.com/_/nginx) +> [!IMPORTANT] +> A `self-signed certificate` is included in the certs webserver conf directory allowing `HTTPS`. + > [!NOTE] > `app.conf` file is included in the nginx conf directory to configure Nginx settings. [How To...](./addons/documentation/how_to.md#edit-configuration) #### Apache The container for Apache webserver.\ -A `self-signed certificate` is included in the certs conf directory allowing `HTTPS`. Official build of Apache.\ Based on `httpd:latest` 🐳 [Docker official image page](https://hub.docker.com/_/httpd) +> [!NOTE] +> A `self-signed certificate` is included in the certs webserver conf directory allowing `HTTPS`. + > [!NOTE] > `httpd.conf` file is included in the apache conf directory to configure Apache settings. [How To...](./addons/documentation/how_to.md#edit-configuration-1)\ `httpd-vhosts.conf` file is included in the apache conf directory to configure virtual hosts. [How To...](./addons/documentation/how_to.md#edit-configuration-1) 
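Review bot: `DB_SSL_CA: '/etc/database/certs/ca-cert.pem'` in the adminer environment points at a file this patch does not create — the CA certificate is committed as `ca.pem` (see the diffstat and the `build/default_configuration/certs/database/ca.pem` hunk), so the plugin receives a nonexistent path unless it falls back to something else. It should read `DB_SSL_CA: '/etc/database/certs/ca.pem'`, in line with `ssl-ca = /etc/database/certs/ca.pem` in client.cnf; with the plugin's `verify` currently false the typo goes unnoticed, which is one more reason to turn verification on.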
@@ -99,7 +103,8 @@ While designed for web development, the PHP scripting language also provides gen > [!NOTE] > `php.ini` file is included in the php conf directory to configure PHP settings. [How To...](./addons/documentation/how_to.md#change-PHP-settings)\ -`xdebug.ini` file is included in the php conf directory to configure XDebug settings. [How To...](./addons/documentation/how_to.md#change-XDebug-settings) +`xdebug.ini` file is included in the php conf directory to configure XDebug settings. [How To...](./addons/documentation/how_to.md#change-XDebug-settings)\ +`client.cnf` file is included in the php conf directory to configure MariaDB/MySQL client settings. [How To...](./addons/documentation/how_to.md#change-MariaDB-client-settings) > [!TIP] > You can add a new PHP version. [How To...](./addons/documentation/how_to.md#add-a-new-php-version) @@ -112,6 +117,14 @@ Based on `mariadb` image. 🐳 [Docker official image page](https://hub.docker.com/_/mariadb) +> [!NOTE] +> Certificates are included in the certs database conf directory allowing secured connection to the database. + +> [!IMPORTANT] +> `require_secure_transport` flag is set to `OFF` in the default configuration of the database.\ +If you want to enable it, you can change the `my.cnf` file included in the database conf directory. [How To...](./addons/documentation/how_to.md#edit-configuration-2)\ +You also need to set `db_tls.enabled' => true` in iTop configurations. + #### Default Listened Ports * `3306` 
@@ -124,6 +137,14 @@ Based on `mysql` image. 🐳 [Docker official image page](https://hub.docker.com/_/mysql) +> [!NOTE] +> Certificates are included in the certs database conf directory allowing secured connection to the database. + +> [!IMPORTANT] +> `require_secure_transport` flag is set to `OFF` in the default configuration of the database.\ +If you want to enable it, you can change the `my.cnf` file included in the database conf directory. [How To...](./addons/documentation/how_to.md#edit-configuration-2)\ +You also need to set `db_tls.enabled' => true` in iTop configurations. + #### Default Listened Ports * `3307` From 5921f427b534e4a387fc4618a8d5cfd844acece2 Mon Sep 17 00:00:00 2001 From: Benjamin DALSASS Date: Wed, 29 Apr 2026 10:47:18 +0200 Subject: [PATCH 02/16] :lock: Add secured connection configuration for databases (doc) --- addons/documentation/how_to.md | 9 +++++---- readme.md | 11 +++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/addons/documentation/how_to.md b/addons/documentation/how_to.md index e9ea13e..505ef79 100644 --- a/addons/documentation/how_to.md +++ b/addons/documentation/how_to.md @@ -9,6 +9,7 @@ Tips for the common operations you may need to do with the docker environment. - [PHP](#php) - [Change PHP settings](#change-php-settings) - [Change XDebug settings](#change-xdebug-settings) + - [Change MariaDB client settings](#change-mariadb-client-settings) - [Add a new php version](#add-a-new-php-version) - [Web Server](#web-server) - [Change the webserver](#change-the-webserver) 
@@ -88,9 +89,9 @@ You may also want to have a specific init file for a php version, you have to ov ### Change MariaDB client settings Modify the `client.cnf` file in the php conf directory then restart the container.\ -Note that this file is used by both MariaDB and MySQL clients. -The SSL activation is managed by iTop. -Known limitation, when you perform iTop backup with SSL on a MySQL server, you may experience an error: `--ssl-mode is not recognized`.\ +Note that this file is used by both MariaDB and MySQL clients.\ +The SSL activation is managed by iTop.\ +Known limitation, when you perform iTop backup with SSL on a MySQL server, you may experience an error: `--ssl-mode is not recognized`. ### Add a new php version * Duplicate a php section in `docker-compose.yml` then run `docker compose up -d`.\ @@ -203,7 +204,7 @@ Connect to the database container with `docker exec -it bash` then u mariadb-dump --user --password > /tmp/dbdump/dump_file.sql ``` -> > [!IMPORTANT] +> [!IMPORTANT] > mysql-dump is lot longer available in the mariadb container, you have to use `mariadb-dump` instead. ### MariaDB diff --git a/readme.md b/readme.md index 8ffeda9..6aba3d7 100644 --- a/readme.md +++ b/readme.md @@ -44,6 +44,8 @@ The containers in charge of serving the web pages. > You can change the default web server. [How To...](./addons/documentation/how_to.md#change-the-webserver) #### Default Listened Ports +* `88` (Automatic Mode) To serve pages based on PHP version passed in request header `X-PHP-Version`. +* `443` (Automatic Mode) To serve pages based on PHP version passed in request header `X-PHP-Version` with `HTTPS` protocol. * `74` Serve pages based on PHP 7.4. * `80` Serve pages based on PHP 8.0. * `81` Serve pages based on PHP 8.1. 
@@ -52,9 +54,6 @@ The containers in charge of serving the web pages. * `84` Serve pages based on PHP 8.4. * `85` Serve pages based on PHP 8.5. -* `88` (Automatic Mode) To serve pages based on PHP version passed in request header `X-PHP-Version`. -* `443` (Automatic Mode) To serve pages based on PHP version passed in request header `X-PHP-Version` with `HTTPS` protocol. - #### Automatic Mode With automatic mode, web servers will serve pages based on the PHP version passed in the request header `X-PHP-Version`.\ A [browser extension](./addons/documentation/browser_extension.md) (Chrome and Firefox) is provided to easily switch between PHP versions.\ @@ -72,8 +71,8 @@ Based on `nginx:alpine` 🐳 [Docker official image page](https://hub.docker.com/_/nginx) -> [!IMPORTANT] -> A `self-signed certificate` is included in the certs webserver conf directory allowing `HTTPS`. +> [!NOTE] +> A self-signed certificate is included in the certs webserver conf directory allowing `HTTPS`. > [!NOTE] > `app.conf` file is included in the nginx conf directory to configure Nginx settings. [How To...](./addons/documentation/how_to.md#edit-configuration) @@ -87,7 +86,7 @@ Based on `httpd:latest` 🐳 [Docker official image page](https://hub.docker.com/_/httpd) > [!NOTE] -> A `self-signed certificate` is included in the certs webserver conf directory allowing `HTTPS`. +> A self-signed certificate is included in the certs webserver conf directory allowing `HTTPS`. > [!NOTE] > `httpd.conf` file is included in the apache conf directory to configure Apache settings. [How To...](./addons/documentation/how_to.md#edit-configuration-1)\ From 74d50067fdd5cdc6b61fa3fbd565432ce9116fc7 Mon Sep 17 00:00:00 2001 From: Benjamin DALSASS Date: Wed, 29 Apr 2026 10:56:01 +0200 Subject: [PATCH 03/16] :lock: Add secured connection configuration for databases (doc) --- readme.md | 74 +++++++++++++++++-------------------------------------- 1 file changed, 22 insertions(+), 52 deletions(-) 
diff --git a/readme.md b/readme.md index 6aba3d7..2939a11 100644 --- a/readme.md +++ b/readme.md @@ -49,10 +49,7 @@ The containers in charge of serving the web pages. * `74` Serve pages based on PHP 7.4. * `80` Serve pages based on PHP 8.0. * `81` Serve pages based on PHP 8.1. -* `82` Serve pages based on PHP 8.2. -* `83` Serve pages based on PHP 8.3. -* `84` Serve pages based on PHP 8.4. -* `85` Serve pages based on PHP 8.5. +* etc... (depending on the number of PHP versions you have, until 88 😬) #### Automatic Mode With automatic mode, web servers will serve pages based on the PHP version passed in the request header `X-PHP-Version`.\ @@ -65,9 +62,7 @@ You also can use one of the official browser extensions allowing to add custom h #### Nginx (default) The container for Nginx webserver.\ - -Official build of Nginx.\ -Based on `nginx:alpine` +Official build of Nginx based on `nginx:alpine` 🐳 [Docker official image page](https://hub.docker.com/_/nginx) @@ -79,11 +74,7 @@ Based on `nginx:alpine` #### Apache The container for Apache webserver.\ - -Official build of Apache.\ -Based on `httpd:latest` - -🐳 [Docker official image page](https://hub.docker.com/_/httpd) +Official build based on `httpd:latest` 🐳 [Docker official image page](https://hub.docker.com/_/httpd) > [!NOTE] > A self-signed certificate is included in the certs webserver conf directory allowing `HTTPS`. 
@@ -94,11 +85,8 @@ Based on `httpd:latest` ### PHP FPM X.X The containers in charge of the PHP script processing.\ -Based on `php:x.x-fpm` image, this extended image includes `xdebug`, all needed `php extensions`, `graphviz` and a `MariaDB client` to run iTop. - -While designed for web development, the PHP scripting language also provides general-purpose use. - -🐳 [Docker official image page](https://hub.docker.com/_/php) +While designed for web development, the PHP scripting language also provides general-purpose use.\ +Custom build based on `php:x.x-fpm` image, this extended image includes `xdebug`, all needed `php extensions`, `graphviz` and a `MariaDB client` to run iTop 🐳 [Docker official image page](https://hub.docker.com/_/php) > [!NOTE] > `php.ini` file is included in the php conf directory to configure PHP settings. [How To...](./addons/documentation/how_to.md#change-PHP-settings)\ @@ -109,12 +97,9 @@ While designed for web development, the PHP scripting language also provides gen > You can add a new PHP version. [How To...](./addons/documentation/how_to.md#add-a-new-php-version) ### MariaDB -The container for MariaDB database. - +The container for MariaDB database.\ MariaDB Server is a high performing open source relational database, forked from MySQL.\ -Based on `mariadb` image. - -🐳 [Docker official image page](https://hub.docker.com/_/mariadb) +Official build based on `mariadb` image. 🐳 [Docker official image page](https://hub.docker.com/_/mariadb) > [!NOTE] > Certificates are included in the certs database conf directory allowing secured connection to the database. 
@@ -124,17 +109,13 @@ Based on `mariadb` image. If you want to enable it, you can change the `my.cnf` file included in the database conf directory. [How To...](./addons/documentation/how_to.md#edit-configuration-2)\ You also need to set `db_tls.enabled' => true` in iTop configurations. - #### Default Listened Ports * `3306` ### MySQL -The container for MySQL database. - -MySQL is a widely used, open-source relational database management system (RDBMS). -Based on `mysql` image. - -🐳 [Docker official image page](https://hub.docker.com/_/mysql) +The container for MySQL database.\ +MySQL is a widely used, open-source relational database management system (RDBMS).\ +Official build based on `mysql` image. 🐳 [Docker official image page](https://hub.docker.com/_/mysql) > [!NOTE] > Certificates are included in the certs database conf directory allowing secured connection to the database. 
@@ -148,45 +129,34 @@ You also need to set `db_tls.enabled' => true` in iTop configurations. * `3307` ### Adminer -The container for database web administration. - -Database management in a single PHP file. -Based on `adminer` image. - -🐳 [Docker official image page](https://hub.docker.com/_/adminer) +The container for database web administration.\ +Database management in a single PHP file.\ +Official build based on `adminer` image. 🐳 [Docker official image page](https://hub.docker.com/_/adminer) #### Default Listened Ports * `8080` ### MailPit -The container for mailer testing. - -Mailpit is packed full of features for developers wanting to test SMTP and emails. It acts as an SMTP server, provides a modern web interface to view & test intercepted emails. It also contains an API for automated integration testing. -Based on `axllent/mailpit` image. - -🐳 [Docker official image page](https://hub.docker.com/r/axllent/mailpit) +The container for mailer testing.\ +Mailpit is packed full of features for developers wanting to test SMTP and emails. It acts as an SMTP server, provides a modern web interface to view & test intercepted emails. It also contains an API for automated integration testing.\ +Official build based on `axllent/mailpit` image. 🐳 [Docker official image page](https://hub.docker.com/r/axllent/mailpit) #### Default Listened Ports * `8025` WebUI * `1025` SMTP ### Script-server -The container for scripts execution. - -Script-server allows you to execute pre-configured CLI scripts directly from a Web UI. No need for SSH connection, knowing commands exact syntax. -Based on `bugy/script-server` image. - -🐳 [Docker official image page](https://hub.docker.com/r/bugy/script-server) +The container for scripts execution.\ +Script-server allows you to execute pre-configured CLI scripts directly from a Web UI. No need for SSH connection, knowing commands exact syntax.\ +Official build based on `bugy/script-server` image. 
🐳 [Docker official image page](https://hub.docker.com/r/bugy/script-server) #### Default Listened Ports * `8090` WebUI ### kCacheGrind -The container for xdebug profile analyze. - -Web GUI to inspect Valgrind and Xdebug profiling reports. - -🐳 [Docker official image page](https://hub.docker.com/r/nedix/kcachegrind) +The container for xdebug profile analyze.\ +Web GUI to inspect Valgrind and Xdebug profiling reports.\ +Official build based on `nedix/kcachegrind` image. 🐳 [Docker official image page](https://hub.docker.com/r/nedix/kcachegrind) #### Default Listened Ports * `8088` WebUI From d2800c5c8fe26913376d85489e6271413964b649 Mon Sep 17 00:00:00 2001 From: Benjamin DALSASS Date: Wed, 29 Apr 2026 11:31:19 +0200 Subject: [PATCH 04/16] :lock: Add secured connection configuration for databases (doc) --- readme.md | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/readme.md b/readme.md index 2939a11..07afb8e 100644 --- a/readme.md +++ b/readme.md @@ -61,10 +61,8 @@ You also can use one of the official browser extensions allowing to add custom h #### Nginx (default) -The container for Nginx webserver.\ -Official build of Nginx based on `nginx:alpine` - -🐳 [Docker official image page](https://hub.docker.com/_/nginx) +Nginx webserver.\ +Official build of Nginx based on `nginx:alpine` 🐳 [Docker official image page](https://hub.docker.com/_/nginx) > [!NOTE] > A self-signed certificate is included in the certs webserver conf directory allowing `HTTPS`. @@ -73,7 +71,7 @@ Official build of Nginx based on `nginx:alpine` > `app.conf` file is included in the nginx conf directory to configure Nginx settings. [How To...](./addons/documentation/how_to.md#edit-configuration) #### Apache -The container for Apache webserver.\ +Apache webserver.\ Official build based on `httpd:latest` 🐳 [Docker official image page](https://hub.docker.com/_/httpd) > [!NOTE] 
@@ -84,7 +82,6 @@ Official build based on `httpd:latest` 🐳 [Docker official image page](https:/ `httpd-vhosts.conf` file is included in the apache conf directory to configure virtual hosts. [How To...](./addons/documentation/how_to.md#edit-configuration-1) ### PHP FPM X.X -The containers in charge of the PHP script processing.\ While designed for web development, the PHP scripting language also provides general-purpose use.\ Custom build based on `php:x.x-fpm` image, this extended image includes `xdebug`, all needed `php extensions`, `graphviz` and a `MariaDB client` to run iTop 🐳 [Docker official image page](https://hub.docker.com/_/php) @@ -97,7 +94,6 @@ Custom build based on `php:x.x-fpm` image, this extended image includes `xdebug` > You can add a new PHP version. [How To...](./addons/documentation/how_to.md#add-a-new-php-version) ### MariaDB -The container for MariaDB database.\ MariaDB Server is a high performing open source relational database, forked from MySQL.\ Official build based on `mariadb` image. 🐳 [Docker official image page](https://hub.docker.com/_/mariadb) @@ -113,7 +109,6 @@ You also need to set `db_tls.enabled' => true` in iTop configurations. * `3306` ### MySQL -The container for MySQL database.\ MySQL is a widely used, open-source relational database management system (RDBMS).\ Official build based on `mysql` image. 🐳 [Docker official image page](https://hub.docker.com/_/mysql) @@ -129,7 +124,6 @@ You also need to set `db_tls.enabled' => true` in iTop configurations. * `3307` ### Adminer -The container for database web administration.\ Database management in a single PHP file.\ Official build based on `adminer` image. 🐳 [Docker official image page](https://hub.docker.com/_/adminer) 
@@ -137,7 +131,6 @@ Official build based on `adminer` image. 🐳 [Docker official image page](https * `8080` ### MailPit -The container for mailer testing.\ Mailpit is packed full of features for developers wanting to test SMTP and emails. It acts as an SMTP server, provides a modern web interface to view & test intercepted emails. It also contains an API for automated integration testing.\ Official build based on `axllent/mailpit` image. 🐳 [Docker official image page](https://hub.docker.com/r/axllent/mailpit) @@ -146,7 +139,6 @@ Official build based on `axllent/mailpit` image. 🐳 [Docker official image pag * `1025` SMTP ### Script-server -The container for scripts execution.\ Script-server allows you to execute pre-configured CLI scripts directly from a Web UI. No need for SSH connection, knowing commands exact syntax.\ Official build based on `bugy/script-server` image. 🐳 [Docker official image page](https://hub.docker.com/r/bugy/script-server) @@ -154,7 +146,6 @@ Official build based on `bugy/script-server` image. 🐳 [Docker official image * `8090` WebUI ### kCacheGrind -The container for xdebug profile analyze.\ Web GUI to inspect Valgrind and Xdebug profiling reports.\ Official build based on `nedix/kcachegrind` image. 🐳 [Docker official image page](https://hub.docker.com/r/nedix/kcachegrind) From 386ed125570de0cfa2c02dbe5dab0bdaaa618fe6 Mon Sep 17 00:00:00 2001 From: Benjamin DALSASS Date: Thu, 30 Apr 2026 08:56:35 +0200 Subject: [PATCH 05/16] :lock: Add secured connection configuration for databases (doc) --- addons/docker_scripts/down_and_up.sh | 0 addons/documentation/how_to.md | 55 ++++++++++++++++++++++++---- readme.md | 3 +- 3 files changed, 49 insertions(+), 9 deletions(-) mode change 100644 => 100755 addons/docker_scripts/down_and_up.sh diff --git a/addons/docker_scripts/down_and_up.sh b/addons/docker_scripts/down_and_up.sh old mode 100644 new mode 100755 
diff --git a/addons/documentation/how_to.md b/addons/documentation/how_to.md index 505ef79..65b2930 100644 --- a/addons/documentation/how_to.md +++ b/addons/documentation/how_to.md @@ -90,8 +90,6 @@ You may also want to have a specific init file for a php version, you have to ov ### Change MariaDB client settings Modify the `client.cnf` file in the php conf directory then restart the container.\ Note that this file is used by both MariaDB and MySQL clients.\ -The SSL activation is managed by iTop.\ -Known limitation, when you perform iTop backup with SSL on a MySQL server, you may experience an error: `--ssl-mode is not recognized`. ### Add a new php version * Duplicate a php section in `docker-compose.yml` then run `docker compose up -d`.\ 
@@ -185,27 +183,70 @@ Modify the `httpd-vhosts.conf` file in the apache conf directory then restart th You can change the folder used by databases in your `.env.local` file.\ Just set a new value to the `DATA_FOLDER` variable. +### Activate secured connection +If you want to activate secured connection to your database. + +> [!NOTE] +> Adminer is already configured to connect to the database with SSL, so no need to change its configuration. + +#### TLS/SSL +Activate the flag `require_secure_transport = ON` in the corresponding `my.cnf` file from the database conf directory then restart the container.\ +You also need to set `db_tls.enabled' => true` in iTop configurations.\ + +> [!CAUTION] +> When you make backup from iTop with SSL on a MySQL server, you will get an error "--ssl-mode is not recognized" because iTop use a mySQL parameter on a MariaDB client.\ +In that case, you will need to perform the dump as describesed in the [Import/Export database dump](#importexport-database-dump) section. + +#### Certificate validation +Certificate validation is not fully implemented on iTop, but you can configure it to force a specific user to provide it. + +On MariaDB, to force the validation of a certificate, set the flag `ssl_verify_client_cert = ON` in the corresponding `my.cnf` file from the database conf directory then restart the container.\ +However, this seems to not be fully compatible with the MariaDB docker image. + +For MySQL or if you want to have a workaround for MariaDB, +you can force certificate validation for a specific user by creating it with the `REQUIRE X509` option in your database.\ + +```sql +CREATE USER 'secure_user'@'%' IDENTIFIED BY 'password' REQUIRE X509; +GRANT ALL PRIVILEGES ON *.* TO 'secure_user'@'%' WITH GRANT OPTION; +FLUSH PRIVILEGES; +``` + ### Import/Export database dump > [!NOTE] > A folder is mount from the host (data/dbdump) in data folder to the database container (/tmp/dbdump). 
-#### Import -Connect to the database container with `docker exec -it bash` then use the command line to import your dump. +#### Import from database container +You can put the dump file from the docker host in the `data/dbdump` folder then connect to the database container with `docker exec -it bash` and use the command line to import your dump. ```bash mariadb --user --password < /tmp/dbdump/dump_file.sql ``` -#### Export -Connect to the database container with `docker exec -it bash` then use the command line to import your dump. +#### Import from docker host +You can directly import the dump file from the host with the following command: + +```bash +docker exec -i -u -p < data/dbdump/dump_file.sql +``` + +#### Export from database container +Connect to the database container with `docker exec -it bash` then use the command line to export your dump then you can find the dump file from the docker host in the `data/dbdump` folder. ```bash mariadb-dump --user --password > /tmp/dbdump/dump_file.sql ``` +#### Export from docker host +You can directly export the dump file from the host with the following command: + +```bash +docker exec -i -u -p > data/dbdump/dump_file.sql +``` + > [!IMPORTANT] -> mysql-dump is lot longer available in the mariadb container, you have to use `mariadb-dump` instead. +> mysqldump is lot longer available in the mariadb container, you have to use `mariadb-dump` instead. ### MariaDB diff --git a/readme.md b/readme.md index 07afb8e..8059481 100644 --- a/readme.md +++ b/readme.md 
@@ -102,8 +102,7 @@ Official build based on `mariadb` image. 🐳 [Docker official image page](https > [!IMPORTANT] > `require_secure_transport` flag is set to `OFF` in the default configuration of the database.\ -If you want to enable it, you can change the `my.cnf` file included in the database conf directory. [How To...](./addons/documentation/how_to.md#edit-configuration-2)\ -You also need to set `db_tls.enabled' => true` in iTop configurations. +If you want to enable it, you can change the `my.cnf` file included in the database conf directory. [How To...](./addons/documentation/how_to.md#activate-secured-connection)\ #### Default Listened Ports * `3306` From 0e0e7399616b4e62e49f24fc29e87cc573c3d12a Mon Sep 17 00:00:00 2001 From: Benjamin DALSASS Date: Thu, 30 Apr 2026 09:18:34 +0200 Subject: [PATCH 06/16] :lock: Add secured connection configuration for databases (doc) --- addons/documentation/how_to.md | 61 ++++++++++++++++++---------------- 1 file changed, 32 insertions(+), 29 deletions(-) diff --git a/addons/documentation/how_to.md b/addons/documentation/how_to.md index 65b2930..22e4b1c 100644 --- a/addons/documentation/how_to.md +++ b/addons/documentation/how_to.md @@ -28,6 +28,9 @@ Tips for the common operations you may need to do with the docker environment. - [MySQL](#mysql) - [Connect from host](#connect-from-host-1) - [Edit configuration](#edit-configuration-2) + - [Activate secured connection](#activate-secured-connection) + - [TLS/SSL](#tlsssl) + - [Certificate validation](#certificate-validation) - [Adminer](#adminer) - [See database data](#see-database-data) - [MailPit](#mailpit) 
@@ -183,35 +186,6 @@ Modify the `httpd-vhosts.conf` file in the apache conf directory then restart th You can change the folder used by databases in your `.env.local` file.\ Just set a new value to the `DATA_FOLDER` variable. -### Activate secured connection -If you want to activate secured connection to your database. - -> [!NOTE] -> Adminer is already configured to connect to the database with SSL, so no need to change its configuration. - -#### TLS/SSL -Activate the flag `require_secure_transport = ON` in the corresponding `my.cnf` file from the database conf directory then restart the container.\ -You also need to set `db_tls.enabled' => true` in iTop configurations.\ - -> [!CAUTION] -> When you make backup from iTop with SSL on a MySQL server, you will get an error "--ssl-mode is not recognized" because iTop use a mySQL parameter on a MariaDB client.\ -In that case, you will need to perform the dump as describesed in the [Import/Export database dump](#importexport-database-dump) section. - -#### Certificate validation -Certificate validation is not fully implemented on iTop, but you can configure it to force a specific user to provide it. - -On MariaDB, to force the validation of a certificate, set the flag `ssl_verify_client_cert = ON` in the corresponding `my.cnf` file from the database conf directory then restart the container.\ -However, this seems to not be fully compatible with the MariaDB docker image. - -For MySQL or if you want to have a workaround for MariaDB, -you can force certificate validation for a specific user by creating it with the `REQUIRE X509` option in your database.\ - -```sql -CREATE USER 'secure_user'@'%' IDENTIFIED BY 'password' REQUIRE X509; -GRANT ALL PRIVILEGES ON *.* TO 'secure_user'@'%' WITH GRANT OPTION; -FLUSH PRIVILEGES; -``` - ### Import/Export database dump > [!NOTE] 
@@ -264,6 +238,35 @@ According to the port defined in the `docker-compose.yml`, you can connect to th #### Edit configuration Modify the `my.cnf` file in the MySQL conf directory then restart the container. +### Activate secured connection +If you want to activate secured connection to your database. + +> [!NOTE] +> Adminer is already configured to connect to the database with SSL, so no need to change its configuration. + +#### TLS/SSL +Activate the flag `require_secure_transport = ON` in the corresponding `my.cnf` file from the database conf directory then restart the container.\ +You also need to set `db_tls.enabled' => true` in iTop configurations. + +> [!CAUTION] +> When you make backup from iTop with SSL on a MySQL server, you will get an error "--ssl-mode is not recognized" because iTop use a mySQL parameter on a MariaDB client.\ +In that case, you will need to perform the dump as describesed in the [Import/Export database dump](#importexport-database-dump) section. + +#### Certificate validation +Certificate validation is not fully implemented on iTop, but you can configure it to force a specific user to provide it. + +On MariaDB, to force the validation of a certificate, set the flag `ssl_verify_client_cert = ON` in the corresponding `my.cnf` file from the database conf directory then restart the container.\ +However, this seems to not be fully compatible with the MariaDB docker image. + +For MySQL or if you want to have a workaround for MariaDB, +you can force certificate validation for a specific user by creating it with the `REQUIRE X509` option in your database.\ + +```sql +CREATE USER 'secure_user'@'%' IDENTIFIED BY 'password' REQUIRE X509; +GRANT ALL PRIVILEGES ON *.* TO 'secure_user'@'%' WITH GRANT OPTION; +FLUSH PRIVILEGES; +``` + ## Adminer ### See database data From 618c52ed7ef582bb9361273f9228b20efc63d5ad Mon Sep 17 00:00:00 2001 
From: Benjamin DALSASS Date: Thu, 30 Apr 2026 10:16:08 +0200 Subject: [PATCH 07/16] :lock: Add secured connection configuration for databases (doc) --- addons/documentation/how_to.md | 18 +++++++++++++++++- docker-compose.yml | 2 +- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/addons/documentation/how_to.md b/addons/documentation/how_to.md index 22e4b1c..79ac80f 100644 --- a/addons/documentation/how_to.md +++ b/addons/documentation/how_to.md @@ -253,7 +253,7 @@ You also need to set `db_tls.enabled' => true` in iTop configurations. In that case, you will need to perform the dump as describesed in the [Import/Export database dump](#importexport-database-dump) section. #### Certificate validation -Certificate validation is not fully implemented on iTop, but you can configure it to force a specific user to provide it. +Validate secured connection with a certificate to be sure that you are connecting to the right. On MariaDB, to force the validation of a certificate, set the flag `ssl_verify_client_cert = ON` in the corresponding `my.cnf` file from the database conf directory then restart the container.\ However, this seems to not be fully compatible with the MariaDB docker image. @@ -267,6 +267,22 @@ GRANT ALL PRIVILEGES ON *.* TO 'secure_user'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES; ``` +### Change user password + +```sql +ALTER USER 'root'@'%' IDENTIFIED BY 'password'; +FLUSH PRIVILEGES; +``` + + +To use certificate in iTop, set the `'db_tls.ca' => '/etc/database/certs/ca.pem',` in iTop global configuration. + +> [!NOTE] +> The certificate provided in the `conf/certs/database` folder is targeted for mysql container, so you may have `Peer certificate CN=mysql' did not match expected CN=`mariadb'` error in iTop with mariadb. + +> [!WARNING] +> Certificate validation is not fully implemented in iTop. + ## Adminer ### See database data diff --git a/docker-compose.yml b/docker-compose.yml index 2833780..90d2426 100644 --- a/docker-compose.yml 
+++ b/docker-compose.yml
@@ -200,7 +200,7 @@ services:
 environment:
 DB_SSL_KEY: '/etc/database/certs/client-key.pem'
 DB_SSL_CERT: '/etc/database/certs/client-cert.pem'
- DB_SSL_CA: '/etc/database/certs/ca-cert.pem'
+ DB_SSL_CA: '/etc/database/certs/ca.pem'
 volumes:
 - ${CONF_FOLDER}/certs/database:/etc/database/certs
 - ${CONF_FOLDER}/adminer/plugins-enabled/:/var/www/html/plugins-enabled/
From e8018b6c5256d54181dff1785e1475ea42e864c6 Mon Sep 17 00:00:00 2001
From: Benjamin Dalsass <95754414+bdalsass@users.noreply.github.com>
Date: Tue, 5 May 2026 07:28:32 +0200
Subject: [PATCH 08/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/readme.md b/readme.md
index 8059481..93b3e1a 100644
--- a/readme.md
+++ b/readme.md
@@ -117,7 +117,7 @@ Official build based on `mysql` image. 🐳 [Docker official image page](https:/
 > [!IMPORTANT]
 > `require_secure_transport` flag is set to `OFF` in the default configuration of the database.\
 If you want to enable it, you can change the `my.cnf` file included in the database conf directory. [How To...](./addons/documentation/how_to.md#edit-configuration-2)\
-You also need to set `db_tls.enabled' => true` in iTop configurations.
+You also need to set `'db_tls.enabled' => true` in iTop configurations.
 #### Default Listened Ports
 * `3307`
From 37e65224092620f5970d04a1499344c1f05d1f27 Mon Sep 17 00:00:00 2001
From: Benjamin Dalsass <95754414+bdalsass@users.noreply.github.com>
Date: Tue, 5 May 2026 07:29:48 +0200
Subject: [PATCH 09/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 90d2426..c86bec9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
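Review bot: The adminer service only needs the three client-side files named by `DB_SSL_KEY`, `DB_SSL_CERT` and `DB_SSL_CA`, but the volume line mounts the whole `${CONF_FOLDER}/certs/database` directory, which is the same directory the mariadb service mounts as `/etc/mariadb/certs` for its server-side material, so the server private key (and presumably the CA key, if it is kept alongside) is also readable from the web-facing adminer and php containers. The `:ro` flags added in PATCH 09, 11 and 12 stop modification but do not narrow what is visible. Splitting the material into `client/` and `server/` subdirectories and mounting only the needed one, e.g. `- ${CONF_FOLDER}/certs/database/client:/etc/database/certs:ro` here and in the `x-php` anchor, and `- ${CONF_FOLDER}/certs/database/server:/etc/mariadb/certs:ro` for mariadb, keeps the server and CA keys out of containers that do not need them. Since these certificates are shipped as default configuration, a comment on the mount such as `# sample dev-only certificates, regenerate before any shared deployment` would help readers not reuse them. The adminer service definition starts before this hunk.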
@@ -175,7 +175,7 @@ services:
 - ${CONF_FOLDER}/mariadb:/etc/mysql/conf.d
 - ${DATA_FOLDER}/mariadb/:/var/lib/mysql
 - ${DATA_FOLDER}/dbdump/:/tmp/dbdump
- - ${CONF_FOLDER}/certs/database:/etc/mariadb/certs
+ - ${CONF_FOLDER}/certs/database:/etc/mariadb/certs:ro
 environment:
 MARIADB_ROOT_PASSWORD: ${DB_ROOT_PASSWORD}
From 92e76b73a3361e1fa7289a72e34227334fac2a8d Mon Sep 17 00:00:00 2001
From: Benjamin Dalsass <95754414+bdalsass@users.noreply.github.com>
Date: Tue, 5 May 2026 07:31:33 +0200
Subject: [PATCH 10/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index c86bec9..05fa354 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -23,7 +23,7 @@ x-php: &default-php
 volumes:
 - ${CONF_FOLDER}/php/php.ini:/usr/local/etc/php/conf.d/php.ini
 - ${CONF_FOLDER}/php/xdebug.ini:/usr/local/etc/php/conf.d/xdebug.ini
- - ${CONF_FOLDER}/php/client.cnf:/etc/mysql/conf.d/client.cnf
+ - ${CONF_FOLDER}/php/client.cnf:/etc/mysql/conf.d/client.cnf:ro
 - ${CONF_FOLDER}/msmtprc/msmtprc:/var/www/.msmtprc:ro
 - ${HTML_FOLDER}:/var/www/html/
 - ${DATA_FOLDER}/php/coverage:${PHP_COVERAGE_OUTPUT_FOLDER}
From f6341c253284f91c933b70fdf74b665ebd8c47a9 Mon Sep 17 00:00:00 2001
From: Benjamin Dalsass <95754414+bdalsass@users.noreply.github.com>
Date: Tue, 5 May 2026 07:31:45 +0200
Subject: [PATCH 11/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 05fa354..3b16387 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,7 +28,7 @@ x-php: &default-php
 - ${HTML_FOLDER}:/var/www/html/
 - ${DATA_FOLDER}/php/coverage:${PHP_COVERAGE_OUTPUT_FOLDER}
 - ${DATA_FOLDER}/php/profile:${PHP_PROFILE_OUTPUT_FOLDER}
- - ${CONF_FOLDER}/certs/database:/etc/database/certs
+ - ${CONF_FOLDER}/certs/database:/etc/database/certs:ro
 restart: always
 services:
From 6ce4ad5753e5cd648393423ba0cfd507d23352cb Mon Sep 17 00:00:00 2001
From: Benjamin Dalsass <95754414+bdalsass@users.noreply.github.com>
Date: Tue, 5 May 2026 07:32:30 +0200
Subject: [PATCH 12/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 3b16387..fa96133 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -202,7 +202,7 @@ services:
 DB_SSL_CERT: '/etc/database/certs/client-cert.pem'
 DB_SSL_CA: '/etc/database/certs/ca.pem'
 volumes:
- - ${CONF_FOLDER}/certs/database:/etc/database/certs
+ - ${CONF_FOLDER}/certs/database:/etc/database/certs:ro
 - ${CONF_FOLDER}/adminer/plugins-enabled/:/var/www/html/plugins-enabled/
 ports:
 - "${ADMINER_PORT:-8080}:8080"
From c2ad9bce73bc6cc7a98b1e1c2378f5e187b018e6 Mon Sep 17 00:00:00 2001
From: Benjamin Dalsass <95754414+bdalsass@users.noreply.github.com>
Date: Tue, 5 May 2026 07:35:27 +0200
Subject: [PATCH 13/16] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../plugins-enabled/enable-ssl;php.php | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php b/build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php
index fb1cd96..176d2fc 100644
--- a/build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php
+++ b/build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php @@ -1,9 +1,22 @@ filename, "cert" => filename, "ca" => filename) From e8018b6c5256d54181dff1785e1475ea42e864c6 Mon Sep 17 00:00:00 2001 From: Benjamin DALSASS Date: Tue, 5 May 2026 07:48:39 +0200 Subject: [PATCH 14/16] :lock: Add secured connection configuration for databases rename file --- .../plugins-enabled/{enable-ssl;php.php => enable-ssl.php} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename build/default_configuration/adminer/plugins-enabled/{enable-ssl;php.php => enable-ssl.php} (100%) diff --git a/build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php b/build/default_configuration/adminer/plugins-enabled/enable-ssl.php similarity index 100% rename from build/default_configuration/adminer/plugins-enabled/enable-ssl;php.php rename to build/default_configuration/adminer/plugins-enabled/enable-ssl.php From d2254ea36a8b17512f7642f01c5dc7fd66853e27 Mon Sep 17 00:00:00 2001 From: Benjamin DALSASS Date: Tue, 5 May 2026 07:52:09 +0200 Subject: [PATCH 15/16] :lock: Add secured connection configuration for databases doc --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 93b3e1a..65d367d 100644 --- a/readme.md +++ b/readme.md @@ -116,7 +116,7 @@ Official build based on `mysql` image. 🐳 [Docker official image page](https:/ > [!IMPORTANT] > `require_secure_transport` flag is set to `OFF` in the default configuration of the database.\ -If you want to enable it, you can change the `my.cnf` file included in the database conf directory. [How To...](./addons/documentation/how_to.md#edit-configuration-2)\ +If you want to enable it, you can change the `my.cnf` file included in the database conf directory. [How To...](./addons/documentation/how_to.md#activate-secured-connection)\ You also need to set `'db_tls.enabled' => true` in iTop configurations. #### Default Listened Ports 
From 78dd4a49614ede1f1880d1e457cf3c38db1d3e86 Mon Sep 17 00:00:00 2001
From: Benjamin DALSASS
Date: Tue, 5 May 2026 08:08:19 +0200
Subject: [PATCH 16/16] :lock: Add secured connection configuration for databases doc
---
 addons/documentation/how_to.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/addons/documentation/how_to.md b/addons/documentation/how_to.md
index 79ac80f..0195f82 100644
--- a/addons/documentation/how_to.md
+++ b/addons/documentation/how_to.md
@@ -250,7 +250,7 @@ You also need to set `db_tls.enabled' => true` in iTop configurations.
 > [!CAUTION]
 > When you make backup from iTop with SSL on a MySQL server, you will get an error "--ssl-mode is not recognized" because iTop use a mySQL parameter on a MariaDB client.\
-In that case, you will need to perform the dump as describesed in the [Import/Export database dump](#importexport-database-dump) section.
+In that case, you will need to perform the dump as describes in the [Import/Export database dump](#importexport-database-dump) section.
 #### Certificate validation
 Validate secured connection with a certificate to be sure that you are connecting to the right.