509 switch to https and use a certificate or anything equivalent

.env.test

@@ -26,7 +26,7 @@ MESSENGER_TRANSPORT_DSN=doctrine://default?auto_setup=0
 # DATABASE_URL="mysql://app:[email protected]:3306/app?serverVersion=8&charset=utf8mb4"
 
 # DATABASE_URL=mysql://root:${MYSQL_ROOT_PASSWORD}@database/${MYSQL_DATABASE}?serverVersion=MariaDB-10.11.4
-DATABASE_URL=mysql://root:${MYSQL_ROOT_PASSWORD}@database/${MYSQL_DATABASE}?serverVersion=MariaDB-10.11.4
+DATABASE_URL=mysql://root:${MYSQL_ROOT_PASSWORD}@database/${MYSQL_DATABASE}?charset=utf8mb4&serverVersion=MariaDB-11.6.2&sslmode=verify_ca&sslrootcert=/etc/ssl/certs/ca-cert.pem
 
 ###< doctrine/doctrine-bundle ###
 
@@ -41,3 +41,9 @@ DATABASE_URL=mysql://root:${MYSQL_ROOT_PASSWORD}@database/${MYSQL_DATABASE}?serv
 MAILER_DSN=smtp://smtp.test.test:25?verify_peer=0
 [email protected]
 ###< symfony/mailer ###
+
+###> certificate for SSL connection to DB ###
+MYSQL_SSL_KEY=/etc/ssl/certs/server-key.pem
+MYSQL_SSL_CERT=/etc/ssl/certs/server-cert.pem
+MYSQL_SSL_CA=/etc/ssl/certs/ca-cert.pem
+###< certificate for SSL connection to DB  ###

.gitignore

@@ -2,6 +2,7 @@
 .env
 .env.local
 /secrets/*
+/ssl
 /.env.local.php
 /.env.*.local
 /config/secrets/prod/prod.decrypt.private.php

cert-gen.sh

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# Create the ssl certificate directory
+mkdir -p ./secrets/ssl/
+
+
+# Generate CA certificate
+openssl genrsa 2048 > ./secrets/ssl/ca-key.pem
+
+openssl req -new -x509 -nodes -days 3600 \
+    -key ./secrets/ssl/ca-key.pem -out ./secrets/ssl/ca-cert.pem \
+    -subj "/CN=MariaDB CA"
+
+
+
+# Generate server certificate
+openssl req -newkey rsa:2048 -days 3600 \
+    -nodes -keyout ./secrets/ssl/server-key.pem \
+    -out ./secrets/ssl/server-req.pem \
+    -subj "/CN=database"
+
+openssl x509 -req -in ./secrets/ssl/server-req.pem -days 3600 \
+    -CA ./secrets/ssl/ca-cert.pem -CAkey ./secrets/ssl/ca-key.pem -set_serial 01 \
+    -out ./secrets/ssl/server-cert.pem
+
+
+
+# Generate client certificate
+openssl req -newkey rsa:2048 -days 3600 \
+    -nodes -keyout ./secrets/ssl/client-key.pem \
+    -out ./secrets/ssl/client-req.pem \
+    -subj "/CN=MariaDB Client"
+
+openssl x509 -req -in ./secrets/ssl/client-req.pem -days 3600 \
+    -CA ./secrets/ssl/ca-cert.pem -CAkey ./secrets/ssl/ca-key.pem -set_serial 01 \
+    -out ./secrets/ssl/client-cert.pem

config.user.inc.php

@@ -2,4 +2,16 @@
 
 require '/etc/phpmyadmin/config.secret.inc.php';
 
-$cfg['Servers'][$i]['auth_type'] = 'http';
+$cfg['Servers'][$i]['auth_type'] = 'http';
+
+
+/* Ensure that the file is being accessed through phpMyAdmin */
+if (!defined('PHPMYADMIN')) {
+    exit;
+}
+
+/* Server parameters */
+$cfg['Servers'][1]['host'] = 'database';
+$cfg['Servers'][1]['ssl'] = true;
+$cfg['Servers'][1]['ssl_ca'] = '/etc/phpmyadmin/ssl/ca-cert.pem';
+$cfg['Servers'][1]['ssl_verify'] = false; // Set to true if you want to verify the server certificate

config/packages/doctrine.yaml

@@ -1,7 +1,17 @@
 doctrine:
     dbal:
-        url: '%env(resolve:DATABASE_URL)%'
-
+        url: "%env(resolve:DATABASE_URL)%"
+        default_table_options:
+            charset: utf8mb4
+            collate: utf8mb4_unicode_ci
+        driver: 'pdo_mysql'
+        options:
+            # SSL private key
+            !php/const 'PDO::MYSQL_ATTR_SSL_KEY': '%env(MYSQL_SSL_KEY)%'
+            # SSL certificate
+            !php/const 'PDO::MYSQL_ATTR_SSL_CERT': '%env(MYSQL_SSL_CERT)%'
+            # SSL CA authority
+            !php/const 'PDO::MYSQL_ATTR_SSL_CA': '%env(MYSQL_SSL_CA)%'
         # IMPORTANT: You MUST configure your server version,
         # either here or in the DATABASE_URL env var (see .env file)
         #server_version: '15'
@@ -13,22 +23,21 @@ doctrine:
         mappings:
             App:
                 is_bundle: false
-                dir: '%kernel.project_dir%/src/Entity'
+                dir: "%kernel.project_dir%/src/Entity"
                 prefix: 'App\Entity'
                 alias: App
 
-
 when@test:
     doctrine:
         dbal:
             # "TEST_TOKEN" is typically set by ParaTest
-            dbname_suffix: '_test%env(default::TEST_TOKEN)%'
+            dbname_suffix: "_test%env(default::TEST_TOKEN)%"
 
 when@prod:
     doctrine:
         orm:
             auto_generate_proxy_classes: false
-            proxy_dir: '%kernel.build_dir%/doctrine/orm/Proxies'
+            proxy_dir: "%kernel.build_dir%/doctrine/orm/Proxies"
             query_cache_driver:
                 type: pool
                 pool: doctrine.system_cache_pool

docker/dockerfileGHA.dev/Dockerfile

@@ -1,19 +1,27 @@
 # Dockerfile: docker/dockerfileGHA.test.dev/Dockerfile
 
+# Use the official PHP 8.2 with Apache on Debian Bookworm as the base image
 FROM php:8.2-apache-bookworm AS base
 
-# Set working directory
+# Set the working directory inside the container
 WORKDIR /var/www
 
-# Copy custom php.ini
+# Copy custom php.ini configuration into the container
 COPY ./docker/dockerfileGHA.dev/php.ini /usr/local/etc/php/php.ini
 
-# Run commands that require root privileges
-RUN a2enmod rewrite \
-  && service apache2 restart
-
-RUN apt update -y \
+# Configure system settings and install necessary packages and extensions
+RUN \
+  # Set the timezone to Europe/Paris
+  ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime \
+  # Enable Apache mod_rewrite module
+  && a2enmod rewrite \
+  # Restart Apache to apply changes
+  && service apache2 restart \
+  # Update package lists
+  && apt update -y \
+  # Upgrade installed packages
   && apt upgrade -y \
+  # Install required packages without recommendations
   && apt install --no-install-recommends -y \
   ca-certificates \
   curl \
@@ -23,6 +31,7 @@ RUN apt update -y \
   libxslt-dev \
   libzip-dev \
   wget \
+  # Install PHP extensions
   && docker-php-ext-install \
   bcmath \
   gd \
@@ -31,10 +40,12 @@ RUN apt update -y \
   pdo \
   pdo_mysql \
   xsl \
-  zip\
+  zip \
+  # Install PECL extensions
   && pecl install \
   imagick \
   xdebug \
+  # Enable installed PHP extensions
   && docker-php-ext-enable \
   gd \
   imagick \
@@ -44,31 +55,45 @@ RUN apt update -y \
   pdo_mysql \
   xsl \
   xdebug \
-  zip 
-
-# Set global git configuration and adjust Apache configuration
-RUN git config --global user.email "[email protected]" \
+  zip \
+  # Set global Git configuration
+  && git config --global user.email "[email protected]" \
   && git config --global user.name "Florian Dkhissi" \
+  # Mark /var/www as a safe Git directory
   && git config --global --add safe.directory /var/www \
+  # Change Apache document root to /var/www/public
   && sed -i -e "s/\/var\/www\/html/\/var\/www\/public/g" /etc/apache2/sites-available/000-default.conf \
+  # Create directory for APT keyrings
   && mkdir -p /etc/apt/keyrings \
+  # Download NodeSource GPG key and add Node.js repository
   && curl --tlsv1.2 -fsS https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | \
   gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
   && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_23.x nodistro main" | \
   tee /etc/apt/sources.list.d/nodesource.list \
+  # Update package lists after adding Node.js repository
   && apt update -y \
+  # Install Node.js
   && apt install --no-install-recommends -y nodejs \
+  # Update npm to version 11 globally
   && npm install --ignore-scripts -g npm@11 \
+  # Install Yarn package manager globally
   && npm install --ignore-scripts -g yarn \
+  # Clean up APT cache and remove residual files to reduce image size
   && apt clean \
   && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# Copy composer.sh script
+# Copy the Composer installation script into the container
 COPY ./docker/dockerfileGHA.dev/composer.sh /usr/local/bin/composer.sh
 
 # Install Composer and Symfony CLI
-RUN /usr/local/bin/composer.sh \
+RUN \
+  # Run Composer installation script
+  /usr/local/bin/composer.sh \
+  # Move Composer to a global location
   && mv composer.phar /usr/local/bin/composer \
+  # Remove the Composer installation script
   && rm /usr/local/bin/composer.sh \
+  # Download and install Symfony CLI
   && curl --tlsv1.2 -sS https://get.symfony.com/cli/installer | bash \
+  # Move Symfony CLI to a global location
   && mv /root/.symfony5/bin/symfony /usr/local/bin/symfony

docker/dockerfileGHA.prod/Dockerfile

@@ -6,18 +6,25 @@ FROM php:8.2-apache-bookworm AS base
 RUN addgroup --system nonroot \
   && adduser --system --ingroup nonroot nonroot
 
-# Set working directory
+# Set the working directory inside the container
 WORKDIR /var/www
 
-# Copy custom php.ini
-COPY ./docker/dockerfileGHA.prod/php.ini /usr/local/etc/php/php.ini
-
-# Run commands that require root privileges
-RUN a2enmod rewrite \
-  && service apache2 restart
+# Copy custom php.ini configuration into the container
+COPY ./docker/dockerfileGHA.dev/php.ini /usr/local/etc/php/php.ini
 
-RUN apt update -y \
+# Configure system settings and install necessary packages and extensions
+RUN \
+  # Set the timezone to Europe/Paris
+  ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime \
+  # Enable Apache mod_rewrite module
+  && a2enmod rewrite \
+  # Restart Apache to apply changes
+  && service apache2 restart \
+  # Update package lists
+  && apt update -y \
+  # Upgrade installed packages
   && apt upgrade -y \
+  # Install required packages without recommendations
   && apt install --no-install-recommends -y \
   ca-certificates \
   curl \
@@ -27,6 +34,7 @@ RUN apt update -y \
   libxslt-dev \
   libzip-dev \
   wget \
+  # Install PHP extensions
   && docker-php-ext-install \
   bcmath \
   gd \
@@ -35,10 +43,12 @@ RUN apt update -y \
   pdo \
   pdo_mysql \
   xsl \
-  zip\
+  zip \
+  # Install PECL extensions
   && pecl install \
   imagick \
   xdebug \
+  # Enable installed PHP extensions
   && docker-php-ext-enable \
   gd \
   imagick \
@@ -48,34 +58,49 @@ RUN apt update -y \
   pdo_mysql \
   xsl \
   xdebug \
-  zip 
-
-# Set global git configuration and adjust Apache configuration
-RUN git config --global user.email "[email protected]" \
+  zip \
+  # Set global Git configuration
+  && git config --global user.email "[email protected]" \
   && git config --global user.name "Florian Dkhissi" \
+  # Mark /var/www as a safe Git directory
   && git config --global --add safe.directory /var/www \
+  # Change Apache document root to /var/www/public
   && sed -i -e "s/\/var\/www\/html/\/var\/www\/public/g" /etc/apache2/sites-available/000-default.conf \
+  # Create directory for APT keyrings
   && mkdir -p /etc/apt/keyrings \
+  # Download NodeSource GPG key and add Node.js repository
   && curl --tlsv1.2 -fsS https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | \
   gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
   && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_23.x nodistro main" | \
   tee /etc/apt/sources.list.d/nodesource.list \
+  # Update package lists after adding Node.js repository
   && apt update -y \
+  # Install Node.js
   && apt install --no-install-recommends -y nodejs \
+  # Update npm to version 11 globally
   && npm install --ignore-scripts -g npm@11 \
+  # Install Yarn package manager globally
   && npm install --ignore-scripts -g yarn \
+  # Clean up APT cache and remove residual files to reduce image size
   && apt clean \
   && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# Copy composer.sh script
-COPY --chown=nonroot:nonroot --chmod=755 ./docker/dockerfileGHA.prod/composer.sh /usr/local/bin/composer.sh
+# Copy the Composer installation script into the container
+COPY ./docker/dockerfileGHA.dev/composer.sh /usr/local/bin/composer.sh
 
 # Install Composer and Symfony CLI
-RUN /usr/local/bin/composer.sh \
+RUN \
+  # Run Composer installation script
+  /usr/local/bin/composer.sh \
+  # Move Composer to a global location
   && mv composer.phar /usr/local/bin/composer \
+  # Remove the Composer installation script
   && rm /usr/local/bin/composer.sh \
+  # Download and install Symfony CLI
   && curl --tlsv1.2 -sS https://get.symfony.com/cli/installer | bash \
+  # Move Symfony CLI to a global location
   && mv /root/.symfony5/bin/symfony /usr/local/bin/symfony \
+  # Change /var/www ownership
   && chown -R nonroot:nonroot /var/www
 
 # Switch to non-root user