From 67172181a9d407b66daad711bac6c26ef1c7ce04 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 27 Feb 2021 11:34:19 -0500 Subject: [PATCH 1/5] prefix and README --- README.md | 7 +++++++ extra/guacamole.yml | 5 +++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3026cd5..bd01ff7 100644 --- a/README.md +++ b/README.md @@ -128,6 +128,13 @@ In Mistborn, Gateways are upstream from the VPN server so connections to third-p The Gateway adds an extra network hop. DNS is still resolved in Mistborn so pihole is still blocking ads. +# Remote Desktop +Remote desktops enable multiple users to share desktop resources and data. Remote desktops also enable groups to prevent sensitive data from ever entering an endpoint devices such as a smartphone. For reference, some United States Government regulations require controls to protect Controlled Unclassified Information (CUI) that are not feasible to implement on all endpoint devices and remote desktops prevent the data from entering the device (see NIST SP 800-171 3.1.19, CMMC AC.3.022). + +Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols. + +![Guacamole VNC to XFCE4 Desktop](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_xfce4.png) + # Client to client communication By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle. diff --git a/extra/guacamole.yml b/extra/guacamole.yml index f3310a7..59a83ac 100644 --- a/extra/guacamole.yml +++ b/extra/guacamole.yml 
@@ -37,11 +37,12 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.guacamole-http.rule=Host(`guac.mistborn`)"
 - "traefik.http.routers.guacamole-http.entrypoints=web"
- - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.guacamole-http.middlewares=mistborn_auth@file,add-guacamole"
 - "traefik.http.routers.guacamole-https.rule=Host(`guac.mistborn`)"
 - "traefik.http.routers.guacamole-https.entrypoints=websecure"
- - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.guacamole-https.middlewares=mistborn_auth@file,add-guacamole"
 - "traefik.http.routers.guacamole-https.tls.certresolver=basic"
+ - "traefik.http.middlewares.add-guacamole.addPrefix.prefix=/guacamole"
 - "traefik.http.services.guacamole-service.loadbalancer.server.port=8080"
 depends_on:
 - guacd
From 39452b0a9c1475dcfc820ee3a1fde77fcb67ebeb Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Sat, 27 Feb 2021 11:43:35 -0500
Subject: [PATCH 2/5] add pihole admin prefix
---
 base.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/base.yml b/base.yml
index ba22052..27616cc 100644
--- a/base.yml
+++ b/base.yml
@@ -161,6 +161,7 @@ services:
 image: pihole/pihole:v5.5.1
 env_file:
 - /opt/mistborn_volumes/base/base.txt
+ - ./.envs/.production/.pihole
 ports:
 - "${MISTBORN_DNS_BIND_IP}:53:53/tcp"
 - "${MISTBORN_DNS_BIND_IP}:53:53/udp"
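Review bot: The `add-guacamole` label added at the end of this list is the one non-obvious line in the service and carries no comment saying why every request on guac.mistborn is prepended with /guacamole; a one-liner such as `# the guacamole webapp answers under /guacamole; rewrite the client path so https://guac.mistborn/ lands on it (mistborn_auth runs first)` would spare the next reader a trip to the Guacamole docs. The order inside `mistborn_auth@file,add-guacamole` matters: in a Traefik chain a middleware that rejects a request does not hand it on, so `mistborn_auth@file` evaluates the path the client actually sent and only accepted requests are rewritten — a later edit must not swap the two. Do not read the prefix as an access control on the backend either: it narrows what a well-behaved browser asks for, but a request carrying dot-segments is still forwarded and whether the backend collapses them is not visible here, so `mistborn_auth@file` remains the only real control. The `services:` mapping this hunk belongs to starts above the hunk.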
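Review bot: The env file added here, `./.envs/.production/.pihole`, is read from the repository checkout rather than from `/opt/mistborn_volumes` like `base.txt`, so if it carries the Pi-hole web admin password or any other secret it has to stay out of version control and be readable only by the deploying user; nothing in the hunk says what the file is expected to provide, so a comment on the `env_file:` key naming that would help. Compose applies `env_file` entries in order with later files overriding earlier ones, so listing `.pihole` after `base.txt` lets the per-service file win on conflicting keys — worth a comment too, because until this commit a second `env_file:` key further down the same service (removed in this patch's next hunk) made the effective list depend on the YAML loader's duplicate-key handling, which is last-wins in most loaders. The pihole `services:` entry starts above the hunk.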
@@ -168,11 +169,12 @@ services:
 - "traefik.enable=true"
 - "traefik.http.routers.pihole-http.rule=Host(`pihole.mistborn`)"
 - "traefik.http.routers.pihole-http.entrypoints=web"
- - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.pihole-http.middlewares=mistborn_auth@file,add-pihole-admin"
 - "traefik.http.routers.pihole-https.rule=Host(`pihole.mistborn`)"
 - "traefik.http.routers.pihole-https.entrypoints=websecure"
- - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file"
+ - "traefik.http.routers.pihole-https.middlewares=mistborn_auth@file,add-pihole-admin"
 - "traefik.http.routers.pihole-https.tls.certresolver=basic"
+ - "traefik.http.middlewares.add-pihole-admin.addPrefix.prefix=/admin"
 - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
 environment:
 - ServerIP=10.2.0.3
@@ -182,8 +184,6 @@ services:
 - DNSMASQ_LISTENING=all
 # TZ: 'America/New York'
 # Volumes store your data between container upgrades
- env_file:
- - ./.envs/.production/.pihole
 volumes:
 - ../mistborn_volumes/base/pihole/etc-pihole:/etc/pihole/
 - ../mistborn_volumes/base/pihole/etc-dnsmasqd:/etc/dnsmasq.d/
From 47888ada72f56987ea8fa1f6ffde44bb54d0c9ec Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Sat, 27 Feb 2021 11:50:43 -0500
Subject: [PATCH 3/5] removing env file
---
 base.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/base.yml b/base.yml
index 27616cc..d7945a7 100644
--- a/base.yml
+++ b/base.yml
@@ -160,7 +160,6 @@ services:
 container_name: mistborn_production_pihole
 image: pihole/pihole:v5.5.1
 env_file:
- - /opt/mistborn_volumes/base/base.txt
 - ./.envs/.production/.pihole
 ports:
 - "${MISTBORN_DNS_BIND_IP}:53:53/tcp"
From 4adf8dd457cbd90f578e5f6e2d1386e88c14c207 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Sat, 27 Feb 2021 12:36:45 -0500
Subject: [PATCH 4/5] guac image
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bd01ff7..7d773d1 100644
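Review bot: The `add-pihole-admin` label rewrites every request on pihole.mistborn to `/admin/...`, so all browser-visible paths now land in Pi-hole's admin tree, and that intent is not written down anywhere in the service; a comment such as `# Pi-hole's admin UI lives under /admin; rewrite / so pihole.mistborn/ opens it (mistborn_auth runs first, keep that order)` would document it. As a matter of style the identical chain `mistborn_auth@file,add-pihole-admin` is now repeated on the http and https routers; defining it once as `traefik.http.middlewares.pihole-chain.chain.middlewares=mistborn_auth@file,add-pihole-admin` and referencing `pihole-chain` from both `pihole-http` and `pihole-https` keeps the auth-before-rewrite order in a single place where it cannot drift between the two entrypoints. The `services:` mapping this hunk belongs to starts above the hunk.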
--- a/README.md +++ b/README.md @@ -133,7 +133,7 @@ Remote desktops enable multiple users to share desktop resources and data. Remot Mistborn enables remote desktop access via the Apache Guacamole extra service, which supports VNC, RDP, SSH, and other protocols. -![Guacamole VNC to XFCE4 Desktop](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_xfce4.png) +![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png) # Client to client communication By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle. From 0005ee4c17276b9a7997da4777064d64ad4d6c66 Mon Sep 17 00:00:00 2001 From: Steven Foerster Date: Sat, 27 Feb 2021 12:39:07 -0500 Subject: [PATCH 5/5] guac users and groups --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 7d773d1..cf6f56f 100644 --- a/README.md +++ b/README.md @@ -135,6 +135,8 @@ Mistborn enables remote desktop access via the Apache Guacamole extra service, w ![Guacamole Recent Connections](https://gitlab.com/cyber5k/public/-/raw/master/graphics/guacamole_connections.png) +Guacamole implements its own users and groups access controls to manage access to individual desktops. All Mistborn users must be authenticated with Mistborn (via Wireguard only or MFA) to access the Guacamole interface. + # Client to client communication By default direct communication between network clients is blocked. Mistborn clients can all talk to Mistborn and communicate via shared services (Jitsi, Nextcloud, etc). Direct client to client communication can be enabled via the "client-to-client" toggle.