Skip to content

Commit

Permalink
Followup on the ldap example.
Browse files Browse the repository at this point in the history
* Provides examples for nginx and httpd using htpasswd
  • Loading branch information
mettke committed Apr 8, 2019
1 parent 27c391c commit fd05880
Show file tree
Hide file tree
Showing 12 changed files with 562 additions and 0 deletions.
34 changes: 34 additions & 0 deletions examples/httpd-local/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Example: httpd + htpasswd

This Example shows how to use ska with httpd and ldap using docker.

## Prepare setup

1. Start system using `docker-compose up -d`
1. Visit http://localhost
1. Login using one of the following credentials (Only keys-sync account exists at first):

|Username|Password|Type|
|---|---|---|
|keys-sync|password|admin|
|rainbow|password|admin|
|proceme|password|user|

If something goes wrong, check the log using:
```
docker logs -f httpd-local_ska_1
```

## Using ska

_The `keys-sync` user should only be used for the first setup. Afterwards its best to create a dedicated account per user._

1. Login using the admin account `keys-sync`.
1. Create user `rainbow` as admin and user `proceme` as user at http://localhost/users#add
1. Add the server `test.example.com` at http://localhost/servers#add
1. Ska should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server.

## Add/Change passwords for users

1. Either install `htpasswd` on your system or connect to the httpd container using `docker exec -it httpd-local_ska_1 /bin/ash`.
1. Run `htpasswd` on the htpasswd file. Inside the container it is `htpasswd /allowed_users <username>`
71 changes: 71 additions & 0 deletions examples/httpd-local/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
version: '2.2'
services:
test:
image: alpine:3.8
command: /bin/ash -c "(id keys-sync || adduser -h /var/local/keys-sync -S -D -s /bin/sh keys-sync) && chmod 711 /var/local/keys-sync && cp /key /var/local/keys-sync/keys-sync && chown keys-sync:nogroup /var/local/keys-sync/keys-sync && chmod 644 /var/local/keys-sync/keys-sync && apk add openssh && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes yes/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/keys-sync\/%u/' /etc/ssh/sshd_config && passwd keys-sync -d test && /usr/sbin/sshd -D"
restart: always
expose:
- "22"
depends_on:
- ska-php
volumes:
- ../shared/config-local/keys-sync.pub:/key:ro
networks:
net:
aliases:
- test.example.com

mail:
image: mwader/postfix-relay
restart: always
environment:
- POSTFIX_myhostname=ska.example.de
- POSTFIX_mynetworks=0.0.0.0/0
expose:
- "25"
networks:
- net

ska-db:
image: mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=root-password
- MYSQL_DATABASE=ska-db
- MYSQL_USER=ska-user
- MYSQL_PASSWORD=password
volumes:
- ./db:/var/lib/mysql:rw
networks:
- net

ska-php:
build:
context: ../../docker
restart: always
depends_on:
- ska-db
- mail
volumes:
- ../shared/config-local/:/ska/config/:rw
- ../shared/ssmtp.conf:/etc/ssmtp/ssmtp.conf:ro
- ./public_html:/public_html:rw
networks:
- net

ska:
image: httpd:alpine
restart: always
ports:
- "80:80"
depends_on:
- ska-php
volumes:
- ./public_html:/ska/public_html:ro
- ./httpd.conf:/usr/local/apache2/conf/httpd.conf:ro
- ./htpasswd.conf:/allowed_users:rw
networks:
- net

networks:
net:
4 changes: 4 additions & 0 deletions examples/httpd-local/htpasswd.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
keys-sync:$apr1$PqjgspFz$DBUOsj/1yVzIf3v9Kv7wJ0
rainbow:$apr1$uBkkgFwm$zrLgjA/5R8V1P0F/XHKUV0
proceme:$apr1$SWQKwjuM$D0FWOsBAD4lTdcYrtbZ0j0
speecif:$apr1$MCOzQE15$K4uameMTLTf3fJDSj/XfE.
133 changes: 133 additions & 0 deletions examples/httpd-local/httpd.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule watchdog_module modules/mod_watchdog.so


<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

<IfModule dir_module>
DirectoryIndex index.html
</IfModule>

<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

CustomLog /proc/self/fd/1 common
</IfModule>

<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
</IfModule>

<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

<IfModule proxy_module>
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://ska-php:9000/ska/public_html/$1
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</IfModule>


<Directory />
AllowOverride none
Require all denied
</Directory>

<Directory "/usr/local/apache2/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

<Directory "/ska/public_html">
AuthType Basic
AuthName "SSH Key Authority"
AuthBasicProvider file
AuthUserFile /allowed_users

Require valid-user
AllowOverride none
DirectoryIndex init.php
FallbackResource /init.php
Order allow,deny
Allow from all
</Directory>

<Files ".ht*">
Require all denied
</Files>


Listen 80
ServerAdmin [email protected]
ServerRoot "/usr/local/apache2"
DocumentRoot "/ska/public_html"

ErrorLog /proc/self/fd/2
LogLevel warn

LDAPVerifyServerCert off
AllowEncodedSlashes NoDecode
34 changes: 34 additions & 0 deletions examples/nginx-local/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Example: nginx + htpasswd

This Example shows how to use ska with nginx and ldap using docker.

## Prepare setup

1. Start system using `docker-compose up -d`
1. Visit http://localhost
1. Login using one of the following credentials (Only keys-sync account exists at first):

|Username|Password|Type|
|---|---|---|
|keys-sync|password|admin|
|rainbow|password|admin|
|proceme|password|user|

If something goes wrong, check the log using:
```
docker logs -f nginx-local_ska_1
```

## Using ska

_The `keys-sync` user should only be used for the first setup. Afterwards its best to create a dedicated account per user._

1. Login using the admin account `keys-sync`.
1. Create user `rainbow` as admin and user `proceme` as user at http://localhost/users#add
1. Add the server `test.example.com` at http://localhost/servers#add
1. Ska should be able to connet to the system and update its authorized_keys file. You can verify this by checking whether there is an `Synced successfully` next to the server.

## Add/Change passwords for users

1. Either install `htpasswd` on your system or connect to the nginx container using `docker exec -it nginx-local_ska_1 /bin/ash` and install it there with `apk add apache2-utils`
1. Run `htpasswd` on the htpasswd file. Inside the container it is `htpasswd /allowed_users <username>`
71 changes: 71 additions & 0 deletions examples/nginx-local/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
version: '2.2'
services:
test:
image: alpine:3.8
command: /bin/ash -c "(id keys-sync || adduser -h /var/local/keys-sync -S -D -s /bin/sh keys-sync) && chmod 711 /var/local/keys-sync && cp /key /var/local/keys-sync/keys-sync && chown keys-sync:nogroup /var/local/keys-sync/keys-sync && chmod 644 /var/local/keys-sync/keys-sync && apk add openssh && ssh-keygen -A && sed -i -e '/#StrictModes/ s/.*/StrictModes yes/' /etc/ssh/sshd_config && sed -i -e '/AuthorizedKeysFile/ s/.*/AuthorizedKeysFile \/var\/local\/keys-sync\/%u/' /etc/ssh/sshd_config && passwd keys-sync -d test && /usr/sbin/sshd -D"
restart: always
expose:
- "22"
depends_on:
- ska-php
volumes:
- ../shared/config-local/keys-sync.pub:/key:ro
networks:
net:
aliases:
- test.example.com

mail:
image: mwader/postfix-relay
restart: always
environment:
- POSTFIX_myhostname=ska.example.de
- POSTFIX_mynetworks=0.0.0.0/0
expose:
- "25"
networks:
- net

ska-db:
image: mariadb
restart: always
environment:
- MYSQL_ROOT_PASSWORD=root-password
- MYSQL_DATABASE=ska-db
- MYSQL_USER=ska-user
- MYSQL_PASSWORD=password
volumes:
- ./db:/var/lib/mysql:rw
networks:
- net

ska-php:
build:
context: ../../docker
restart: always
depends_on:
- ska-db
- mail
volumes:
- ../shared/config-local/:/ska/config/:rw
- ../shared/ssmtp.conf:/etc/ssmtp/ssmtp.conf:ro
- ./public_html:/public_html:rw
networks:
- net

ska:
image: nginx:alpine
restart: always
ports:
- "80:80"
depends_on:
- ska-php
volumes:
- ./public_html:/ska/public_html:ro
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
- ./htpasswd.conf:/allowed_users:rw
networks:
- net

networks:
net:
4 changes: 4 additions & 0 deletions examples/nginx-local/htpasswd.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
keys-sync:$apr1$PqjgspFz$DBUOsj/1yVzIf3v9Kv7wJ0
rainbow:$apr1$uBkkgFwm$zrLgjA/5R8V1P0F/XHKUV0
proceme:$apr1$SWQKwjuM$D0FWOsBAD4lTdcYrtbZ0j0
speecif:$apr1$MCOzQE15$K4uameMTLTf3fJDSj/XfE.
30 changes: 30 additions & 0 deletions examples/nginx-local/nginx.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@

server {
listen 80;
server_name ska.example.com;

root /ska/public_html;
index init.php;

auth_basic "SSH Key Authority";
auth_basic_user_file /allowed_users;

location / {
try_files $uri $uri/ @php;
}

location @php {
rewrite ^/(.*)$ /init.php/$1 last;
}

location /init.php {
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass ska-php:9000;

fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS off;
}
}
1 change: 1 addition & 0 deletions examples/shared/config-ldap/config.ini
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,7 @@ password = password
database = ska-db

[ldap]
enabled = 1
; Address to connect to LDAP server
host = ldap://ldap-test.itmettke.de:389
; Use StartTLS for connection security (recommended if using ldap:// instead
Expand Down
Loading

0 comments on commit fd05880

Please sign in to comment.