Merge branch 'master' into 'checkmk'

# Conflicts:
#   framadate/Dockerfile
#   mattermost/README.md
#   mattermost/app/Dockerfile
#   mattermost/docker-compose.yml
#   mattermost/web/Dockerfile
#   mattermost/web/entrypoint.sh
#   mattermost/web/mattermost
#   mattermost/web/mattermost-ssl
#   pica-backup/postgres-run.sh

framadate/Dockerfile

-FROM registry.picasoft.net:5000/pica-debian
+FROM registry.picasoft.net:5000/pica-debian:jessie
 
 MAINTAINER kyane@kyane.fr
 

mattermost/README.md

@@ -70,13 +70,13 @@ If you use a Mattermost configuration file on a different location than the defa
 If you choose to use MySQL instead of PostgreSQL, you should set a different datasource and SQL driver :
 * `DB_PORT_NUMBER` : `3306`
 * `MM_SQLSETTINGS_DRIVERNAME` : `mysql`
-* `MM_SQLSETTINGS_DATASOURCE` : `MM_USERNAME:MM_PASSWORD@tcp(DB_HOST:DB_PORT_NUMBER)/MM_DBNAME?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s"`
+* `MM_SQLSETTINGS_DATASOURCE` : `MM_USERNAME:MM_PASSWORD@tcp(DB_HOST:DB_PORT_NUMBER)/MM_DBNAME?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s`
 Don't forget to replace all entries (beginning by `MM_` and `DB_`) in `MM_SQLSETTINGS_DATASOURCE` with the real variables values.
 
 ### Web server container
-This image is optional, you should not use it you have your own reverse-proxy. It is a simple front Web server for the Mattermost app container.
-* `MATTERMOST_ENABLE_SSL`: whether to enable SSL
-* `PLATFORM_PORT_80_TCP_PORT`: port that Mattermost image is listening on
+This image is optional, you should **not** use it when you have your own reverse-proxy. It is a simple front Web server for the Mattermost app container. If you use the provided `docker-compose.yml` file, you don't have to configure anything. But if your application container is reachable on custom host and/or port (eg. if you use a container provider), you should add those two environment variables :
+* `APP_HOST`: application host address
+* `APP_PORT_NUMBER`: application HTTP port
 
 #### Install with SSL certificate
 Put your SSL certificate as `./volumes/web/cert/cert.pem` and the private key that has

mattermost/app/Dockerfile

-FROM ubuntu:14.04
+FROM ubuntu:16.04
 
 # Some ENV variables
 ENV PATH="/mattermost/bin:${PATH}"
-ENV MM_VERSION=4.3.1
+ENV MM_VERSION=4.5.0
 
 # Build argument to set Mattermost edition
-ARG edition=entreprise
+ARG edition=enterprise
 
 # Install some needed packages
 RUN apt-get update \
-    && apt-get -y install \
+    && apt-get -y --no-install-recommends install \
       curl \
       jq \
       netcat \
+      ca-certificates \
     && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin
 
 # Get Mattermost

mattermost/docker-compose.yml

@@ -45,7 +45,7 @@ services:
       - "443:443"
     restart: unless-stopped
     volumes:
-      # This directory must have cert files
+      # This directory must have cert files if you want to enable SSL
       - ./volumes/web/cert:/cert:ro
       - /etc/localtime:/etc/localtime:ro
     # Uncomment for SSL

mattermost/web/Dockerfile

-FROM nginx:mainline
+FROM nginx:mainline-alpine
 
 # Remove default configuration and add our custom Nginx configuration files
 RUN rm /etc/nginx/conf.d/default.conf
 COPY ./mattermost /etc/nginx/sites-available/
 COPY ./mattermost-ssl /etc/nginx/sites-available/
+COPY ./security.conf /etc/nginx/conf.d/
 
 # Add and setup entrypoint
 COPY entrypoint.sh /

mattermost/web/entrypoint.sh

-#!/bin/bash
+#!/bin/sh
+
+# Define default value for app container hostname and port
+APP_HOST=${APP_HOST:-app}
+APP_PORT_NUMBER=${APP_PORT_NUMBER:-80}
+
+# Check if SSL should be enabled (if certificates exists)
 if [ -f "/cert/cert.pem" -a -f "/cert/key-no-password.pem" ]; then
   echo "found certificate and key, linking ssl config"
   ssl="-ssl"
 else
   echo "linking plain config"
 fi
+# Linking Nginx configuration file
 ln -s /etc/nginx/sites-available/mattermost$ssl /etc/nginx/conf.d/mattermost.conf
+
+# Setup app host and port on configuration file
+sed -i "s/{%APP_HOST%}/${APP_HOST}/g" /etc/nginx/conf.d/mattermost.conf
+sed -i "s/{%APP_PORT%}/${APP_PORT_NUMBER}/g" /etc/nginx/conf.d/mattermost.conf
+
+# Run Nginx
 nginx -g 'daemon off;'

mattermost/web/mattermost

@@ -18,7 +18,7 @@ server {
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;
-        proxy_pass http://app:80;
+        proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
     }
 
     location / {
@@ -34,6 +34,6 @@ server {
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;
-        proxy_pass http://app:80;
+        proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
     }
 }

mattermost/web/mattermost-ssl

@@ -34,7 +34,7 @@ server {
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;
-        proxy_pass http://app:80;
+	proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
     }
 
     location / {
@@ -51,7 +51,7 @@ server {
         proxy_buffers 256 16k;
         proxy_buffer_size 16k;
         proxy_read_timeout 600s;
-        proxy_pass http://app:80;
+	proxy_pass http://{%APP_HOST%}:{%APP_PORT%};
     }
 }
 

mattermost/web/security.conf

+# don't send the nginx version number in error pages and Server header
+server_tokens off;
+
+# config to don't allow the browser to render the page inside an frame or iframe
+# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+add_header X-Frame-Options SAMEORIGIN;
+
+# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+# to disable content-type sniffing on some browsers.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+add_header X-Content-Type-Options nosniff;
+
+# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 
+# this particular website if it was disabled by the user.
+# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+add_header X-XSS-Protection "1; mode=block";

pica-backup/postgres-run.sh

@@ -10,7 +10,7 @@ BACKUP_FOLDER=${BACKUP_FOLDER:-"/backup/"}
 
 BACKUP_CMD="pg_dump -w -c > $BACKUP_FOLDER"'${BACKUP_NAME}'
 
-backup_script_name="${POSTGRES_SERVICE_NAME}"
+backup_script_name="${POSTGRES_SERVICE_NAME}-backup.sh"
 echo "=> Creating backup script"
 rm -f "/$backup_script_name"