From f2655e331d9cb90f8441295b7ddc99dc3ad7e84c Mon Sep 17 00:00:00 2001
From: florian
Date: Tue, 14 Jun 2022 09:42:32 +0200
Subject: [PATCH] remove arm build again, fix proxy_*_timeout directives and add authelia example
---
 .github/workflows/dev.yml | 91 +++++++++----------
 .../confs/server-http/reverse-proxy.conf | 12 +-
 examples/authelia/authelia/configuration.yml | 79 ++++++++++++++++
 examples/authelia/authelia/users_database.yml | 18 ++++
 examples/authelia/docker-compose.yml | 85 +++++++++++++++++
 examples/authelia/js-app/index.js | 13 +++
 examples/authelia/js-app/package.json | 15 +++
 tests/docker.sh | 6 ++
 tests/utils/utils.sh | 1 +
 9 files changed, 267 insertions(+), 53 deletions(-)
 create mode 100644 examples/authelia/authelia/configuration.yml
 create mode 100644 examples/authelia/authelia/users_database.yml
 create mode 100644 examples/authelia/docker-compose.yml
 create mode 100644 examples/authelia/js-app/index.js
 create mode 100644 examples/authelia/js-app/package.json
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 6c76754..4a7051f 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -103,49 +103,49 @@ jobs: cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min # Build bunkerweb/armv8 - build-bw-armv8: - runs-on: ubuntu-latest - steps: + # build-bw-armv8: + # runs-on: ubuntu-latest + # steps: # Prepare - - name: Checkout source code - uses: actions/checkout@v3 - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - name: Setup Buildx - uses: docker/setup-buildx-action@v2 - - name: Login to Docker Hub - uses: docker/login-action@v2 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_TOKEN }} + # - name: Checkout source code + # uses: actions/checkout@v3 + # - name: Set up QEMU + # uses: docker/setup-qemu-action@v2 + # - name: Setup Buildx + # uses: docker/setup-buildx-action@v2 + # - name: Login to Docker Hub + # uses: docker/login-action@v2 + # with: + # username: ${{ secrets.DOCKER_USERNAME }} + # password: ${{ secrets.DOCKER_TOKEN }} # Build images - - name: Build BW for armv8 - uses: docker/build-push-action@v3 - with: - context: . - platforms: linux/arm64/v8 - tags: bunkerweb-tests-armv8:latest - cache-from: type=registry,ref=bunkerity/cache:bw-armv8-cache - cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min - - name: Build BW autoconf for armv8 - uses: docker/build-push-action@v3 - with: - context: . - file: autoconf/Dockerfile - platforms: linux/arm64/v8 - tags: bunkerweb-autoconf-tests-armv8:latest - cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache - cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min - - name: Build BW UI for armv8 - uses: docker/build-push-action@v3 - with: - context: . - file: ui/Dockerfile - platforms: linux/arm64/v8 - tags: bunkerweb-ui-tests-armv8:latest - cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache - cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min + # - name: Build BW for armv8 + # uses: docker/build-push-action@v3 + # with: + # context: . 
+ # platforms: linux/arm64/v8 + # tags: bunkerweb-tests-armv8:latest + # cache-from: type=registry,ref=bunkerity/cache:bw-armv8-cache + # cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min + # - name: Build BW autoconf for armv8 + # uses: docker/build-push-action@v3 + # with: + # context: . + # file: autoconf/Dockerfile + # platforms: linux/arm64/v8 + # tags: bunkerweb-autoconf-tests-armv8:latest + # cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache + # cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min + # - name: Build BW UI for armv8 + # uses: docker/build-push-action@v3 + # with: + # context: . + # file: ui/Dockerfile + # platforms: linux/arm64/v8 + # tags: bunkerweb-ui-tests-armv8:latest + # cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache + # cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min # Run tests tests: @@ -228,7 +228,7 @@ jobs: # Push to dev registries push-docker: # needs: [tests, build-bw-386, build-bw-arm] - needs: [tests, build-bw-386, build-bw-armv8] + needs: [tests, build-bw-386] runs-on: ubuntu-latest steps: 
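Review bot: The armv8 job is disabled by commenting out every line of `build-bw-armv8` rather than deleting it, which leaves roughly 45 lines of dead YAML in dev.yml that will drift from the live 386 job above it as that job evolves. Since the subject says "remove arm build again" and git history keeps the job definition, deleting the block is cleaner; if the intent is to re-enable it soon, a single `if: false` under `build-bw-armv8:` disables the job while keeping the file valid and lintable. A one-line comment such as `# armv8 builds disabled until <tracking-issue>: QEMU builds were too slow for the dev pipeline` would also record why it was pulled, which the hunk currently does not say.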
@@ -256,37 +256,34 @@ jobs: uses: docker/build-push-action@v3 with: context: . - platforms: linux/amd64,linux/386,linux/arm64/v8 + platforms: linux/amd64,linux/386 push: true tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:staging,bunkerity/bunkerweb:dev cache-from: | type=registry,ref=bunkerity/cache:bw-amd64-cache type=registry,ref=bunkerity/cache:bw-386-cache - type=registry,ref=bunkerity/cache:bw-armv8-cache - name: Build and push BW autoconf uses: docker/build-push-action@v3 with: context: . file: autoconf/Dockerfile - platforms: linux/amd64,linux/386,linux/arm64/v8 + platforms: linux/amd64,linux/386 push: true tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:staging,bunkerity/bunkerweb-autoconf:dev cache-from: | type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache type=registry,ref=bunkerity/cache:bw-autoconf-386-cache - type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache - name: Build and push BW UI uses: docker/build-push-action@v3 with: context: . file: ui/Dockerfile - platforms: linux/amd64,linux/386,linux/arm64/v8 + platforms: linux/amd64,linux/386 push: true tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:staging,bunkerity/bunkerweb-ui:dev cache-from: | type=registry,ref=bunkerity/cache:bw-ui-amd64-cache type=registry,ref=bunkerity/cache:bw-ui-386-cache - type=registry,ref=bunkerity/cache:bw-ui-armv8-cache # Push to PackageCloud push-linux: diff --git a/core/reverseproxy/confs/server-http/reverse-proxy.conf b/core/reverseproxy/confs/server-http/reverse-proxy.conf index 7712a6c..f54799b 100644 --- a/core/reverseproxy/confs/server-http/reverse-proxy.conf +++ b/core/reverseproxy/confs/server-http/reverse-proxy.conf 
@@ -35,9 +35,9 @@ add_header X-Proxy-Cache $upstream_cache_status;
 {% set auth_request = all[k.replace("URL", "AUTH_REQUEST")] if k.replace("URL", "AUTH_REQUEST") in all else "" %}
 {% set auth_request_signin_url = all[k.replace("URL", "AUTH_REQUEST_SIGNIN_URL")] if k.replace("URL", "AUTH_REQUEST_SIGNIN_URL") in all else "" %}
 {% set auth_request_sets = all[k.replace("URL", "AUTH_REQUEST_SET")] if k.replace("URL", "AUTH_REQUEST_SET") in all else "" %}
- {% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all else "" %}
- {% set read_timeout = all[k.replace("URL", "READ_TIMEOUT")] if k.replace("URL", "READ_TIMEOUT") in all else "" %}
- {% set send_timeout = all[k.replace("URL", "SEND_TIMEOUT")] if k.replace("URL", "SEND_TIMEOUT") in all else "" %}
+ {% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all else "60s" %}
+ {% set read_timeout = all[k.replace("URL", "READ_TIMEOUT")] if k.replace("URL", "READ_TIMEOUT") in all else "60s" %}
+ {% set send_timeout = all[k.replace("URL", "SEND_TIMEOUT")] if k.replace("URL", "SEND_TIMEOUT") in all else "60s" %}
 location {{ url }} {% raw %}{{% endraw +%}
 etag off;
 set $backend{{ counter.value }} "{{ host }}";
@@ -82,11 +82,11 @@ location {{ url }} {% raw %}{{% endraw +%}
 add_header {{ header_client }};
 {% endfor +%}
 {% endif +%}
-{% raw %}}{% endraw %}
- {% endif %}
 proxy_connect_timeout {{ connect_timeout }};
 proxy_read_timeout {{ read_timeout }};
 proxy_send_timeout {{ send_timeout }};
+{% raw %}}{% endraw %}
+ {% endif %}
 {% set counter.value = counter.value + 1 %}
 {% endfor %}
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/examples/authelia/authelia/configuration.yml b/examples/authelia/authelia/configuration.yml
new file mode 100644
index 0000000..219a495
--- /dev/null
+++ b/examples/authelia/authelia/configuration.yml
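Review bot: The new `"60s"` fallback in the three `{% set … %}` lines applies only when the `*_TIMEOUT` key is absent from `all`; if the settings loader passes a key through with an empty value, the template still renders `proxy_connect_timeout ;`, which is the same invalid directive the old `""` default produced and makes nginx reject the generated config. Guarding on the value as well as the key, e.g. `{% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all and all[k.replace("URL", "CONNECT_TIMEOUT")] != "" else "60s" %}` and the same for `read_timeout` and `send_timeout`, keeps the default in that case too. 60s is also nginx's own default for all three directives, so unset variables now behave like stock nginx; a short comment above the block saying so would save the next reader a lookup. No format validation is done here, so a malformed value still only surfaces when nginx loads the config.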
@@ -0,0 +1,79 @@
+---
+###############################################################
+# Authelia configuration #
+###############################################################
+
+jwt_secret: a_very_important_secret
+default_redirection_url: https://auth.example.com
+
+ntp:
+ disable_failure: true
+
+server:
+ host: 0.0.0.0
+ port: 9091
+
+log:
+ level: debug
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+
+totp:
+ issuer: authelia.com
+
+# duo_api:
+# hostname: api-123456789.example.com
+# integration_key: ABCDEF
+# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+# secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+
+access_control:
+ default_policy: deny
+ rules:
+ # Rules applied to everyone
+ - domain: auth.example.com
+ policy: bypass
+ - domain: app1.example.com
+ policy: one_factor
+ - domain: app2.example.com
+ policy: two_factor
+
+session:
+ name: authelia_session
+ # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+ secret: unsecure_session_secret
+ expiration: 3600 # 1 hour
+ inactivity: 300 # 5 minutes
+ domain: example.com # Should match whatever your root protected domain is
+
+ redis:
+ host: redis
+ port: 6379
+ # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+ # password: authelia
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+ encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+ local:
+ path: /config/db.sqlite3
+
+notifier:
+ filesystem:
+ filename: /config/notification.txt
+#notifier:
+# smtp:
+# username: test
+ # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+# password: password
+# host: mail.example.com
+# port: 25
+# sender: admin@example.com
+...
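Review bot: The example ships literal secrets — `jwt_secret: a_very_important_secret`, `session.secret: unsecure_session_secret` and the `storage.encryption_key` placeholder — with nothing telling users to replace them, and runs with `log.level: debug`; the compose file it pairs with requests real Let's Encrypt certificates, which suggests this stack is meant to face the internet. A header comment such as `# Example values only: generate your own jwt_secret, session.secret and storage.encryption_key (or use the *_FILE env variables) before exposing this stack` would make that explicit. The `# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE` comment sits under `log:` and should move next to `jwt_secret`. `session.domain: example.com` and the `access_control.rules` domains must also be kept in step with the `SERVER_NAME` hosts in docker-compose.yml, which is worth a one-line note on the `rules:` block.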
diff --git a/examples/authelia/authelia/users_database.yml b/examples/authelia/authelia/users_database.yml
new file mode 100644
index 0000000..8785beb
--- /dev/null
+++ b/examples/authelia/authelia/users_database.yml
@@ -0,0 +1,18 @@
+---
+###############################################################
+# Users Database #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+ authelia:
+ displayname: "Authelia User"
+ # Password is authelia
+ password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
+ email: authelia@authelia.com
+ groups:
+ - admins
+ - dev
+...
diff --git a/examples/authelia/docker-compose.yml b/examples/authelia/docker-compose.yml
new file mode 100644
index 0000000..f2f60b8
--- /dev/null
+++ b/examples/authelia/docker-compose.yml
@@ -0,0 +1,85 @@
+version: '3.4'
+
+services:
+
+ mybunker:
+ image: bunkerity/bunkerweb:1.4.0
+ ports:
+ - 80:8080
+ - 443:8443
+ # ⚠️ read this if you use local folders for volumes ⚠️
+ # bunkerweb runs as an unprivileged user with UID/GID 101
+ # don't forget to edit the permissions of the files and folders accordingly
+ # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+ # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+ # more info at https://docs.bunkerweb.io
+ volumes:
+ - bw_data:/data
+ environment:
+ - MULTISITE=yes
+ - SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
+ - SERVE_FILES=no
+ - DISABLE_DEFAULT_SERVER=yes
+ - AUTO_LETS_ENCRYPT=yes
+ - USE_CLIENT_CACHE=yes
+ - USE_GZIP=yes
+ - USE_REVERSE_PROXY=yes
+ # Proxy to auth_request URI
+ - REVERSE_PROXY_URL_999=/authelia
+ - REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
+ - REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+ # Authelia
+ - auth.example.com_REVERSE_PROXY_URL=/
+ - auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
+ - auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
+ # Applications
+ - app1.example.com_REVERSE_PROXY_URL=/
+ - app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
+ - app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
+ - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+ - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+ - app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+ - app2.example.com_REVERSE_PROXY_URL=/
+ - app2.example.com_REVERSE_PROXY_HOST=http://app2
+ - app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
+ - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+ - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+ - app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+
+ # APPLICATIONS
+ app1:
+ image: node
+ working_dir: /home/node/app
+ volumes:
+ - ./js-app:/home/node/app
+ environment:
+ - NODE_ENV=production
+ command: bash -c "npm install express && node index.js"
+ app2:
+ image: tutum/hello-world
+
+ # AUTHELIA
+ authelia:
+ image: authelia/authelia
+ container_name: authelia
+ volumes:
+ - ./authelia:/config
+ restart: unless-stopped
+ healthcheck:
+ disable: true
+ environment:
+ - TZ=Europe/Paris
+
+ redis:
+ image: redis:alpine
+ container_name: redis
+ volumes:
+ - ./redis:/data
+ expose:
+ - 6379
+ restart: unless-stopped
+ environment:
+ - TZ=Europe/Paris
+
+volumes:
+ bw_data:
diff --git a/examples/authelia/js-app/index.js b/examples/authelia/js-app/index.js
new file mode 100644
index 0000000..c623166
--- /dev/null
+++ b/examples/authelia/js-app/index.js
@@ -0,0 +1,13 @@
+const express = require('express')
+const app = express()
+const port = 3000
+
+app.get('/', (req, res) => {
+ res.send('Hello World from app1!')
+})
+
+app.listen(port, () => {
+ console.log(`Example app listening at http://localhost:${port}`)
+})
+
+
diff --git a/examples/authelia/js-app/package.json b/examples/authelia/js-app/package.json
new file mode 100644
index 0000000..2e08d1e
--- /dev/null
+++ b/examples/authelia/js-app/package.json
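Review bot: `authelia/authelia`, `node` and `tutum/hello-world` are pulled without a tag while `bunkerity/bunkerweb:1.4.0` is pinned; Authelia's configuration schema changes between releases, so an untagged pull can break the shipped `authelia/configuration.yml` on a later `docker compose up`, and unpinned images also make the example non-reproducible for the test suite that runs it. Pinning each of them, e.g. `image: authelia/authelia:<tested-version>` and `image: node:<lts-version>`, keeps the example in step with the config file it ships. The `authelia` service has no `depends_on: [redis]` and disables its healthcheck, so its start order relative to redis is presumably left to the runtime; adding `depends_on` is cheap. `app1` runs `npm install express` on every start instead of using the package.json added in this commit, so `command: bash -c "npm install && node index.js"` would install the declared version range.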
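Review bot: The handler ignores the `Remote-User`/`Remote-Groups`/`Remote-Name`/`Remote-Email` headers that docker-compose.yml forwards through `app1.example.com_REVERSE_PROXY_HEADERS`, so the example never shows that the authenticated identity reached the application; `res.send('Hello ' + (req.get('Remote-User') ?? 'anonymous') + ' from app1!')` would demonstrate the integration in one line. Those headers are only trustworthy because `app1` has no `ports:` mapping in the compose file and is reached solely through bunkerweb, which deserves a one-line comment above the handler so the app is not copied into a setup where it is directly reachable. Stylistically the file omits semicolons and ends with two blank lines; running the repository's formatter over it would keep it consistent.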
@@ -0,0 +1,15 @@
+{
+ "name": "js-app",
+ "version": "1.0.0",
+ "description": "demo",
+ "main": "index.js",
+ "scripts": {
+ "test": "echo \"Error: no test specified\" && exit 1"
+ },
+ "author": "",
+ "license": "ISC",
+ "dependencies": {
+ "express": "^4.17.1"
+ }
+}
+
diff --git a/tests/docker.sh b/tests/docker.sh
index cf77b20..6144a1c 100755
--- a/tests/docker.sh
+++ b/tests/docker.sh
@@ -48,6 +48,12 @@ fi echo "Running Docker tests ..." +# authelia +single_docker_test "authelia" "60" "https://$TEST_DOMAIN1_1 authelia" "https://$TEST_DOMAIN1_2 authelia" + +# authentik +single_docker_test "authentik" "60" "https://$TEST_DOMAIN1_1 authentik" "https://$TEST_DOMAIN1_2 authentik" + # drupal single_docker_test "drupal" "60" "https://$TEST_DOMAIN1 drupal"
diff --git a/tests/utils/utils.sh b/tests/utils/utils.sh
index cd0a4ab..d772010 100644
--- a/tests/utils/utils.sh
+++ b/tests/utils/utils.sh
@@ -23,6 +23,7 @@ function exec_docker_example() {
 sed -i 's@\./bw\-data:/@/tmp/bw\-data:/@g' docker-compose.yml
 sed -i 's@- bw_data:/@- /tmp/bw\-data:/@g' docker-compose.yml
 sed -i "s@www.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
+ sed -i "s@auth.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
 sed -i "s@app1.example.com@${TEST_DOMAIN1_1}@g" docker-compose.yml
 sed -i "s@app2.example.com@${TEST_DOMAIN1_2}@g" docker-compose.yml
 sed -i "s@app3.example.com@${TEST_DOMAIN1_3}@g" docker-compose.yml
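Review bot: The added `single_docker_test "authentik" …` call points at an `examples/authentik` directory that this commit does not add — the diffstat and subject cover authelia only — so unless that example already exists in the tree, this line fails the whole Docker test run on a missing directory. If authentik is a follow-up, drop the `# authentik` comment and its call from this commit or land them together with the example. Both new tests presumably check for the literal strings `authelia`/`authentik` in the responses from `$TEST_DOMAIN1_1` and `$TEST_DOMAIN1_2`, i.e. the sign-in redirect rather than the protected app, which is worth stating in the `# authelia` comment so the expectation is not misread as "app reachable".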
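Review bot: The new `sed` rewrites `auth.example.com` in docker-compose.yml only, but the Authelia `configuration.yml` added in this commit also hard-codes `auth.example.com`, `app1.example.com` and `app2.example.com` in `access_control.rules` and sets `session.domain: example.com`; none of those are rewritten by `exec_docker_example`, so with `default_policy: deny` the test hosts would presumably be denied by Authelia and the session cookie domain would not match them. Applying the same substitutions to the Authelia config — e.g. `sed -i "s@auth.example.com@${TEST_DOMAIN1}@g" authelia/configuration.yml` plus the app1/app2 equivalents, and `session.domain` set to the test domains' common parent — would make the test exercise the real flow. The body of `exec_docker_example` continues outside the hunk, so the working directory these relative paths assume is not visible here.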