* Provides examples for nginx and httpd using htpasswd
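--- /dev/null
+++ b/<path-not-shown:httpd-example/README.md>
@@ -0,0 +1,34 @@
+# Example: httpd + htpasswd
+
+This Example shows how to use ska with httpd and ldap using docker.
+
+## Prepare setup
+
+1. Start system using `docker-compose up -d`
+1. Visit http://localhost
+1. Login using one of the following credentials (Only keys-sync account exists at first):
+
+|Username|Password|Type|
+|---|---|---|
+|keys-sync|password|admin|
+|rainbow|password|admin|
+|proceme|password|user|
+
+If something goes wrong, check the log using:
+```
+docker logs -f httpd-local_ska_1
+```
+
+## Using ska
+
+_The `keys-sync` user should only be used for the first setup. Afterwards its best to create a dedicated account per user._
+
+1. Login using the admin account `keys-sync`.
+1. Create user `rainbow` as admin and user `proceme` as user at http://localhost/users#add
+1. Add the server `test.example.com` at http://localhost/servers#add
+1. Ska should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server.
+
+## Add/Change passwords for users
+
+1. Either install `htpasswd` on your system or connect to the httpd container using `docker exec -it httpd-local_ska_1 /bin/ash`.
+1. Run `htpasswd` on the htpasswd file. Inside the container it is `htpasswd /allowed_users <username>`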
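--- /dev/null
+++ b/<path-not-shown:httpd-example/docker-compose.yml>
@@ -0,0 +1,71 @@
+version: '2.2'
+services:
+  test:
+    image: alpine:3.8
+    command: /bin/ash -c "(id keys-sync || adduser -h /var/local/keys-sync -S -D -s /bin/sh keys-sync) && chmod 711 /var/local/keys-sync && cp /key /var/local/keys-sync/keys-sync && chown keys-sync:nogroup /var/local/keys-sync/keys-sync && chmod 644 /var/local/keys-sync/keys-sync && apk add openssh && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes yes/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/keys-sync\/%u/' /etc/ssh/sshd_config && passwd keys-sync -d test && /usr/sbin/sshd -D"
+    restart: always
+    expose:
+      - "22"
+    depends_on:
+      - ska-php
+    volumes:
+      - ../shared/config-local/keys-sync.pub:/key:ro
+    networks:
+      net:
+        aliases:
+          - test.example.com
+
+  mail:
+    image: mwader/postfix-relay
+    restart: always
+    environment:
+      - POSTFIX_myhostname=ska.example.de
+      - POSTFIX_mynetworks=0.0.0.0/0
+    expose:
+      - "25"
+    networks:
+      - net
+
+  ska-db:
+    image: mariadb
+    restart: always
+    environment:
+      - MYSQL_ROOT_PASSWORD=root-password
+      - MYSQL_DATABASE=ska-db
+      - MYSQL_USER=ska-user
+      - MYSQL_PASSWORD=password
+    volumes:
+      - ./db:/var/lib/mysql:rw
+    networks:
+      - net
+
+  ska-php:
+    build:
+      context: ../../docker
+    restart: always
+    depends_on:
+      - ska-db
+    volumes:
+      - ../shared/config-local/:/ska/config/:rw
+      - ../shared/ssmtp.conf:/etc/ssmtp/ssmtp.conf:ro
+      - ./public_html:/public_html:rw
+    networks:
+      - net
+
+  ska:
+    image: httpd:alpine
+    restart: always
+    ports:
+      - "80:80"
+    depends_on:
+      - ska-php
+    volumes:
+      - ./public_html:/ska/public_html:ro
+      - ./httpd.conf:/usr/local/apache2/conf/httpd.conf:ro
+      - ./htpasswd.conf:/allowed_users:rw
+    networks:
+      - net
+
+networks:
+  net: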
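Review bot: `POSTFIX_mynetworks=0.0.0.0/0` on the `mail` service tells the relay to accept mail from any client address; because port 25 is only `expose`d rather than published, only containers on the `net` network reach it in this example, but the setting becomes an open relay as soon as the file is reused with a `ports:` mapping or a wider network. Narrowing it to the compose network's subnet, or at least a line `# example only: relays for any host that can reach port 25 - narrow before reuse` above it, would keep that from being copied unnoticed. The nginx compose file in this commit repeats the same setting. The `ska-db` and `ska` credentials are example values as well, which is fine for a demo but worth a one-line comment at the top of the file saying so.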
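--- /dev/null
+++ b/<path-not-shown:httpd-example/htpasswd.conf>
@@ -0,0 +1,4 @@
+keys-sync:$apr1$PqjgspFz$DBUOsj/1yVzIf3v9Kv7wJ0
+rainbow:$apr1$uBkkgFwm$zrLgjA/5R8V1P0F/XHKUV0
+proceme:$apr1$SWQKwjuM$D0FWOsBAD4lTdcYrtbZ0j0
+speecif:$apr1$MCOzQE15$K4uameMTLTf3fJDSj/XfE.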
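Review bot: The `speecif` entry on the last line is not in the credential table the README gives for this example (`keys-sync`, `rainbow`, `proceme`), so a reader has no documented password for that account; either drop the line or add the account to the table, and the same applies to the identical nginx copy of this file. All four entries use the `$apr1$` (MD5-based) scheme that `htpasswd` emits by default; for a demo whose plaintext passwords are printed in the README that is acceptable, but since the README tells users to edit this file for their own accounts, a sentence there recommending `htpasswd -B` (bcrypt, supported by httpd 2.4 and by nginx where the libc crypt() handles it) would steer real passwords to a stronger hash.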
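--- /dev/null
+++ b/<path-not-shown:httpd-example/httpd.conf>
@@ -0,0 +1,133 @@
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+
+LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
+LoadModule ldap_module modules/mod_ldap.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_html_module modules/mod_proxy_html.so
+LoadModule proxy_connect_module modules/mod_proxy_connect.so
+LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
+LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
+LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
+LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
+LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+LoadModule proxy_express_module modules/mod_proxy_express.so
+LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+LoadModule watchdog_module modules/mod_watchdog.so
+
+
+<IfModule unixd_module>
+    User daemon
+    Group daemon
+</IfModule>
+
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+<IfModule log_config_module>
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    CustomLog /proc/self/fd/1 common
+</IfModule>
+
+<IfModule alias_module>
+    ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
+</IfModule>
+
+<IfModule headers_module>
+    RequestHeader unset Proxy early
+</IfModule>
+
+<IfModule mime_module>
+    TypesConfig conf/mime.types
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+</IfModule>
+
+<IfModule proxy_html_module>
+    Include conf/extra/proxy-html.conf
+</IfModule>
+
+<IfModule ssl_module>
+    SSLRandomSeed startup builtin
+    SSLRandomSeed connect builtin
+</IfModule>
+
+<IfModule proxy_module>
+    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://ska-php:9000/ska/public_html/$1
+    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
+</IfModule>
+
+
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+<Directory "/usr/local/apache2/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<Directory "/ska/public_html">
+    AuthType Basic
+    AuthName "SSH Key Authority"
+    AuthBasicProvider file
+    AuthUserFile /allowed_users
+
+    Require valid-user
+    AllowOverride none
+    DirectoryIndex init.php
+    FallbackResource /init.php
+    Order allow,deny
+    Allow from all
+</Directory>
+
+<Files ".ht*">
+    Require all denied
+</Files>
+
+
+Listen 80
+ServerAdmin [email protected]
+ServerRoot "/usr/local/apache2"
+DocumentRoot "/ska/public_html"
+
+ErrorLog /proc/self/fd/2
+LogLevel warn
+
+LDAPVerifyServerCert off
+AllowEncodedSlashes NoDecode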
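Review bot: `LDAPVerifyServerCert off` on the last line, together with the `authnz_ldap`/`ldap` module loads and the long list of proxy modules of which only `proxy_fcgi` is used by the `ProxyPassMatch`, look like leftovers from an LDAP variant of this config; this example authenticates with `AuthBasicProvider file`, so none of them is needed (the README for this example likewise still says "httpd and ldap"). A directive that disables certificate verification is exactly the line that gets carried along when an example is copied into a real deployment, so I would delete it and trim the `LoadModule` list to what the file actually uses. The `/ska/public_html` block also mixes 2.2-style `Order allow,deny` / `Allow from all` with the 2.4 `Require valid-user`; it works because `mod_access_compat` is loaded, but dropping the two old lines leaves a single, unambiguous access rule.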
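--- /dev/null
+++ b/<path-not-shown:nginx-example/README.md>
@@ -0,0 +1,34 @@
+# Example: nginx + htpasswd
+
+This Example shows how to use ska with nginx and ldap using docker.
+
+## Prepare setup
+
+1. Start system using `docker-compose up -d`
+1. Visit http://localhost
+1. Login using one of the following credentials (Only keys-sync account exists at first):
+
+|Username|Password|Type|
+|---|---|---|
+|keys-sync|password|admin|
+|rainbow|password|admin|
+|proceme|password|user|
+
+If something goes wrong, check the log using:
+```
+docker logs -f nginx-local_ska_1
+```
+
+## Using ska
+
+_The `keys-sync` user should only be used for the first setup. Afterwards its best to create a dedicated account per user._
+
+1. Login using the admin account `keys-sync`.
+1. Create user `rainbow` as admin and user `proceme` as user at http://localhost/users#add
+1. Add the server `test.example.com` at http://localhost/servers#add
+1. Ska should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server.
+
+## Add/Change passwords for users
+
+1. Either install `htpasswd` on your system or connect to the nginx container using `docker exec -it nginx-local_ska_1 /bin/ash` and install it there with `apk add apache2-utils`
+1. Run `htpasswd` on the htpasswd file. Inside the container it is `htpasswd /allowed_users <username>`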
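--- /dev/null
+++ b/<path-not-shown:nginx-example/docker-compose.yml>
@@ -0,0 +1,71 @@
+version: '2.2'
+services:
+  test:
+    image: alpine:3.8
+    command: /bin/ash -c "(id keys-sync || adduser -h /var/local/keys-sync -S -D -s /bin/sh keys-sync) && chmod 711 /var/local/keys-sync && cp /key /var/local/keys-sync/keys-sync && chown keys-sync:nogroup /var/local/keys-sync/keys-sync && chmod 644 /var/local/keys-sync/keys-sync && apk add openssh && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes yes/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/keys-sync\/%u/' /etc/ssh/sshd_config && passwd keys-sync -d test && /usr/sbin/sshd -D"
+    restart: always
+    expose:
+      - "22"
+    depends_on:
+      - ska-php
+    volumes:
+      - ../shared/config-local/keys-sync.pub:/key:ro
+    networks:
+      net:
+        aliases:
+          - test.example.com
+
+  mail:
+    image: mwader/postfix-relay
+    restart: always
+    environment:
+      - POSTFIX_myhostname=ska.example.de
+      - POSTFIX_mynetworks=0.0.0.0/0
+    expose:
+      - "25"
+    networks:
+      - net
+
+  ska-db:
+    image: mariadb
+    restart: always
+    environment:
+      - MYSQL_ROOT_PASSWORD=root-password
+      - MYSQL_DATABASE=ska-db
+      - MYSQL_USER=ska-user
+      - MYSQL_PASSWORD=password
+    volumes:
+      - ./db:/var/lib/mysql:rw
+    networks:
+      - net
+
+  ska-php:
+    build:
+      context: ../../docker
+    restart: always
+    depends_on:
+      - ska-db
+    volumes:
+      - ../shared/config-local/:/ska/config/:rw
+      - ../shared/ssmtp.conf:/etc/ssmtp/ssmtp.conf:ro
+      - ./public_html:/public_html:rw
+    networks:
+      - net
+
+  ska:
+    image: nginx:alpine
+    restart: always
+    ports:
+      - "80:80"
+    depends_on:
+      - ska-php
+    volumes:
+      - ./public_html:/ska/public_html:ro
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+      - ./htpasswd.conf:/allowed_users:rw
+    networks:
+      - net
+
+networks:
+  net: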
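--- /dev/null
+++ b/<path-not-shown:nginx-example/htpasswd.conf>
@@ -0,0 +1,4 @@
+keys-sync:$apr1$PqjgspFz$DBUOsj/1yVzIf3v9Kv7wJ0
+rainbow:$apr1$uBkkgFwm$zrLgjA/5R8V1P0F/XHKUV0
+proceme:$apr1$SWQKwjuM$D0FWOsBAD4lTdcYrtbZ0j0
+speecif:$apr1$MCOzQE15$K4uameMTLTf3fJDSj/XfE.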
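--- /dev/null
+++ b/<path-not-shown:nginx-example/nginx.conf>
@@ -0,0 +1,30 @@
+
+server {
+    listen 80;
+    server_name ska.example.com;
+
+    root /ska/public_html;
+    index init.php;
+
+    auth_basic "SSH Key Authority";
+    auth_basic_user_file /allowed_users;
+
+    location / {
+        try_files $uri $uri/ @php;
+    }
+
+    location @php {
+        rewrite ^/(.*)$ /init.php/$1 last;
+    }
+
+    location /init.php {
+        # Mitigate https://httpoxy.org/ vulnerabilities
+        fastcgi_param HTTP_PROXY "";
+        fastcgi_pass ska-php:9000;
+
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param HTTPS off;
+    }
+}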
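Review bot: Only `/init.php` is handed to PHP-FPM, while `location /` serves whatever `try_files $uri` finds under `root /ska/public_html` as a static file; if the mounted `public_html` contains any other `.php` file, a direct request for it returns its source instead of executing it (the httpd variant's `ProxyPassMatch ^/(.*\.php(/.*)?)$` does not have this gap). What `public_html` holds is not visible in this commit, so either confirm that `init.php` is the only PHP file there or close the gap by changing the PHP block to `location ^~ /init.php {` and adding `location ~ \.php$ { return 404; }` after it — the `^~` keeps the prefix match winning over the regex for `/init.php` and its path-info URIs, and the regex rejects every other `.php` request.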