Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

remove arm build again, fix proxy_*_timeout directives and add authelia example

Browse Source
This commit is contained in:
florian 2022-06-14 09:42:32 +02:00
parent cd0438b8ce
commit f2655e331d
No known key found for this signature in database
GPG Key ID: 3D80806F12602A7C
9 changed files with 267 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
.github/workflows/dev.yml vendored
View File

@ -103,49 +103,49 @@ jobs:
cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min
# Build bunkerweb/armv8 # Build bunkerweb/armv8
build-bw-armv8: # build-bw-armv8:
runs-on: ubuntu-latest # runs-on: ubuntu-latest
steps: # steps:
# Prepare # Prepare
- name: Checkout source code # - name: Checkout source code
uses: actions/checkout@v3 # uses: actions/checkout@v3
- name: Set up QEMU # - name: Set up QEMU
uses: docker/setup-qemu-action@v2 # uses: docker/setup-qemu-action@v2
- name: Setup Buildx # - name: Setup Buildx
uses: docker/setup-buildx-action@v2 # uses: docker/setup-buildx-action@v2
- name: Login to Docker Hub # - name: Login to Docker Hub
uses: docker/login-action@v2 # uses: docker/login-action@v2
with: # with:
username: ${{ secrets.DOCKER_USERNAME }} # username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }} # password: ${{ secrets.DOCKER_TOKEN }}
# Build images # Build images
- name: Build BW for armv8 # - name: Build BW for armv8
uses: docker/build-push-action@v3 # uses: docker/build-push-action@v3
with: # with:
context: . # context: .
platforms: linux/arm64/v8 # platforms: linux/arm64/v8
tags: bunkerweb-tests-armv8:latest # tags: bunkerweb-tests-armv8:latest
cache-from: type=registry,ref=bunkerity/cache:bw-armv8-cache # cache-from: type=registry,ref=bunkerity/cache:bw-armv8-cache
cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min # cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min
- name: Build BW autoconf for armv8 # - name: Build BW autoconf for armv8
uses: docker/build-push-action@v3 # uses: docker/build-push-action@v3
with: # with:
context: . # context: .
file: autoconf/Dockerfile # file: autoconf/Dockerfile
platforms: linux/arm64/v8 # platforms: linux/arm64/v8
tags: bunkerweb-autoconf-tests-armv8:latest # tags: bunkerweb-autoconf-tests-armv8:latest
cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache # cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache
cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min # cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min
- name: Build BW UI for armv8 # - name: Build BW UI for armv8
uses: docker/build-push-action@v3 # uses: docker/build-push-action@v3
with: # with:
context: . # context: .
file: ui/Dockerfile # file: ui/Dockerfile
platforms: linux/arm64/v8 # platforms: linux/arm64/v8
tags: bunkerweb-ui-tests-armv8:latest # tags: bunkerweb-ui-tests-armv8:latest
cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache # cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache
cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min # cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min
# Run tests # Run tests
tests: tests:
@ -228,7 +228,7 @@ jobs:
# Push to dev registries # Push to dev registries
push-docker: push-docker:
# needs: [tests, build-bw-386, build-bw-arm] # needs: [tests, build-bw-386, build-bw-arm]
needs: [tests, build-bw-386, build-bw-armv8] needs: [tests, build-bw-386]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -256,37 +256,34 @@ jobs:
uses: docker/build-push-action@v3 uses: docker/build-push-action@v3
with: with:
context: . context: .
platforms: linux/amd64,linux/386,linux/arm64/v8 platforms: linux/amd64,linux/386
push: true push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:staging,bunkerity/bunkerweb:dev tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:staging,bunkerity/bunkerweb:dev
cache-from: | cache-from: |
type=registry,ref=bunkerity/cache:bw-amd64-cache type=registry,ref=bunkerity/cache:bw-amd64-cache
type=registry,ref=bunkerity/cache:bw-386-cache type=registry,ref=bunkerity/cache:bw-386-cache
type=registry,ref=bunkerity/cache:bw-armv8-cache
- name: Build and push BW autoconf - name: Build and push BW autoconf
uses: docker/build-push-action@v3 uses: docker/build-push-action@v3
with: with:
context: . context: .
file: autoconf/Dockerfile file: autoconf/Dockerfile
platforms: linux/amd64,linux/386,linux/arm64/v8 platforms: linux/amd64,linux/386
push: true push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:staging,bunkerity/bunkerweb-autoconf:dev tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:staging,bunkerity/bunkerweb-autoconf:dev
cache-from: | cache-from: |
type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache
type=registry,ref=bunkerity/cache:bw-autoconf-386-cache type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache
- name: Build and push BW UI - name: Build and push BW UI
uses: docker/build-push-action@v3 uses: docker/build-push-action@v3
with: with:
context: . context: .
file: ui/Dockerfile file: ui/Dockerfile
platforms: linux/amd64,linux/386,linux/arm64/v8 platforms: linux/amd64,linux/386
push: true push: true
tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:staging,bunkerity/bunkerweb-ui:dev tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:staging,bunkerity/bunkerweb-ui:dev
cache-from: | cache-from: |
type=registry,ref=bunkerity/cache:bw-ui-amd64-cache type=registry,ref=bunkerity/cache:bw-ui-amd64-cache
type=registry,ref=bunkerity/cache:bw-ui-386-cache type=registry,ref=bunkerity/cache:bw-ui-386-cache
type=registry,ref=bunkerity/cache:bw-ui-armv8-cache
# Push to PackageCloud # Push to PackageCloud
push-linux: push-linux:

10
core/reverseproxy/confs/server-http/reverse-proxy.conf
View File

@ -35,9 +35,9 @@ add_header X-Proxy-Cache $upstream_cache_status;
{% set auth_request = all[k.replace("URL", "AUTH_REQUEST")] if k.replace("URL", "AUTH_REQUEST") in all else "" %} {% set auth_request = all[k.replace("URL", "AUTH_REQUEST")] if k.replace("URL", "AUTH_REQUEST") in all else "" %}
{% set auth_request_signin_url = all[k.replace("URL", "AUTH_REQUEST_SIGNIN_URL")] if k.replace("URL", "AUTH_REQUEST_SIGNIN_URL") in all else "" %} {% set auth_request_signin_url = all[k.replace("URL", "AUTH_REQUEST_SIGNIN_URL")] if k.replace("URL", "AUTH_REQUEST_SIGNIN_URL") in all else "" %}
{% set auth_request_sets = all[k.replace("URL", "AUTH_REQUEST_SET")] if k.replace("URL", "AUTH_REQUEST_SET") in all else "" %} {% set auth_request_sets = all[k.replace("URL", "AUTH_REQUEST_SET")] if k.replace("URL", "AUTH_REQUEST_SET") in all else "" %}
{% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all else "" %} {% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all else "60s" %}
{% set read_timeout = all[k.replace("URL", "READ_TIMEOUT")] if k.replace("URL", "READ_TIMEOUT") in all else "" %} {% set read_timeout = all[k.replace("URL", "READ_TIMEOUT")] if k.replace("URL", "READ_TIMEOUT") in all else "60s" %}
{% set send_timeout = all[k.replace("URL", "SEND_TIMEOUT")] if k.replace("URL", "SEND_TIMEOUT") in all else "" %} {% set send_timeout = all[k.replace("URL", "SEND_TIMEOUT")] if k.replace("URL", "SEND_TIMEOUT") in all else "60s" %}
location {{ url }} {% raw %}{{% endraw +%} location {{ url }} {% raw %}{{% endraw +%}
etag off; etag off;
set $backend{{ counter.value }} "{{ host }}"; set $backend{{ counter.value }} "{{ host }}";
@ -82,11 +82,11 @@ location {{ url }} {% raw %}{{% endraw +%}
add_header {{ header_client }}; add_header {{ header_client }};
{% endfor +%} {% endfor +%}
{% endif +%} {% endif +%}
{% raw %}}{% endraw %}
{% endif %}
proxy_connect_timeout {{ connect_timeout }}; proxy_connect_timeout {{ connect_timeout }};
proxy_read_timeout {{ read_timeout }}; proxy_read_timeout {{ read_timeout }};
proxy_send_timeout {{ send_timeout }}; proxy_send_timeout {{ send_timeout }};
{% raw %}}{% endraw %}
{% endif %}
{% set counter.value = counter.value + 1 %} {% set counter.value = counter.value + 1 %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}

79
examples/authelia/authelia/configuration.yml Normal file
View File

@ -0,0 +1,79 @@
---
###############################################################
# Authelia configuration #
###############################################################
jwt_secret: a_very_important_secret
default_redirection_url: https://auth.example.com
ntp:
disable_failure: true
server:
host: 0.0.0.0
port: 9091
log:
level: debug
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
totp:
issuer: authelia.com
# duo_api:
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl
authentication_backend:
file:
path: /config/users_database.yml
access_control:
default_policy: deny
rules:
# Rules applied to everyone
- domain: auth.example.com
policy: bypass
- domain: app1.example.com
policy: one_factor
- domain: app2.example.com
policy: two_factor
session:
name: authelia_session
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
domain: example.com # Should match whatever your root protected domain is
redis:
host: redis
port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# password: authelia
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
local:
path: /config/db.sqlite3
notifier:
filesystem:
filename: /config/notification.txt
#notifier:
# smtp:
# username: test
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
# password: password
# host: mail.example.com
# port: 25
# sender: admin@example.com
...

18
examples/authelia/authelia/users_database.yml Normal file
View File

@ -0,0 +1,18 @@
---
###############################################################
# Users Database #
###############################################################
# This file can be used if you do not have an LDAP set up.
# List of users
users:
authelia:
displayname: "Authelia User"
# Password is authelia
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
email: authelia@authelia.com
groups:
- admins
- dev
...

85
examples/authelia/docker-compose.yml Normal file
View File

@ -0,0 +1,85 @@
version: '3.4'
services:
mybunker:
image: bunkerity/bunkerweb:1.4.0
ports:
- 80:8080
- 443:8443
# ⚠️ read this if you use local folders for volumes ⚠️
# bunkerweb runs as an unprivileged user with UID/GID 101
# don't forget to edit the permissions of the files and folders accordingly
# example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
# or for an existing one : chown -R root:101 folder && chmod -R 770 folder
# more info at https://docs.bunkerweb.io
volumes:
- bw_data:/data
environment:
- MULTISITE=yes
- SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
- SERVE_FILES=no
- DISABLE_DEFAULT_SERVER=yes
- AUTO_LETS_ENCRYPT=yes
- USE_CLIENT_CACHE=yes
- USE_GZIP=yes
- USE_REVERSE_PROXY=yes
# Proxy to auth_request URI
- REVERSE_PROXY_URL_999=/authelia
- REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
- REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
# Authelia
- auth.example.com_REVERSE_PROXY_URL=/
- auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
- auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
# Applications
- app1.example.com_REVERSE_PROXY_URL=/
- app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
- app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
- app2.example.com_REVERSE_PROXY_URL=/
- app2.example.com_REVERSE_PROXY_HOST=http://app2
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
- app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
- app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
# APPLICATIONS
app1:
image: node
working_dir: /home/node/app
volumes:
- ./js-app:/home/node/app
environment:
- NODE_ENV=production
command: bash -c "npm install express && node index.js"
app2:
image: tutum/hello-world
# AUTHELIA
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- ./authelia:/config
restart: unless-stopped
healthcheck:
disable: true
environment:
- TZ=Europe/Paris
redis:
image: redis:alpine
container_name: redis
volumes:
- ./redis:/data
expose:
- 6379
restart: unless-stopped
environment:
- TZ=Europe/Paris
volumes:
bw_data:

13
examples/authelia/js-app/index.js Normal file
View File

@ -0,0 +1,13 @@
const express = require('express')
const app = express()
const port = 3000
app.get('/', (req, res) => {
res.send('Hello World from app1!')
})
app.listen(port, () => {
console.log(`Example app listening at http://localhost:${port}`)
})

15
examples/authelia/js-app/package.json Normal file
View File

@ -0,0 +1,15 @@
{
"name": "js-app",
"version": "1.0.0",
"description": "demo",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^4.17.1"
}
}

6
tests/docker.sh
View File

@ -48,6 +48,12 @@ fi
echo "Running Docker tests ..." echo "Running Docker tests ..."
# authelia
single_docker_test "authelia" "60" "https://$TEST_DOMAIN1_1 authelia" "https://$TEST_DOMAIN1_2 authelia"
# authentik
single_docker_test "authentik" "60" "https://$TEST_DOMAIN1_1 authentik" "https://$TEST_DOMAIN1_2 authentik"
# drupal # drupal
single_docker_test "drupal" "60" "https://$TEST_DOMAIN1 drupal" single_docker_test "drupal" "60" "https://$TEST_DOMAIN1 drupal"

1
tests/utils/utils.sh
View File

@ -23,6 +23,7 @@ function exec_docker_example() {
sed -i 's@\./bw\-data:/@/tmp/bw\-data:/@g' docker-compose.yml sed -i 's@\./bw\-data:/@/tmp/bw\-data:/@g' docker-compose.yml
sed -i 's@- bw_data:/@- /tmp/bw\-data:/@g' docker-compose.yml sed -i 's@- bw_data:/@- /tmp/bw\-data:/@g' docker-compose.yml
sed -i "s@www.example.com@${TEST_DOMAIN1}@g" docker-compose.yml sed -i "s@www.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
sed -i "s@auth.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
sed -i "s@app1.example.com@${TEST_DOMAIN1_1}@g" docker-compose.yml sed -i "s@app1.example.com@${TEST_DOMAIN1_1}@g" docker-compose.yml
sed -i "s@app2.example.com@${TEST_DOMAIN1_2}@g" docker-compose.yml sed -i "s@app2.example.com@${TEST_DOMAIN1_2}@g" docker-compose.yml
sed -i "s@app3.example.com@${TEST_DOMAIN1_3}@g" docker-compose.yml sed -i "s@app3.example.com@${TEST_DOMAIN1_3}@g" docker-compose.yml