Merge branch '204-portal' into 'master'

Resolve "MFA Captive Portal"

Closes #204

See merge request cyber5k/mistborn!91

base.yml

@@ -13,7 +13,7 @@ services:
       - postgres
       - redis
     ports:
-      - "10.2.3.1:5000:5000/tcp" # auth access
+      - "${MISTBORN_DNS_BIND_IP}:5000:5000/tcp" # auth access
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)"
@@ -84,6 +84,40 @@ services:
       #- --serversTransport.insecureSkipVerify=true
     restart: unless-stopped
 
+  portal:
+    build:
+      context: ./compose/production/portal/
+      dockerfile: Dockerfile
+    image: mistborn_production_portal
+    container_name: mistborn_production_portal
+    ports:
+      - "${MISTBORN_DNS_BIND_IP}:5001:80"
+    environment:
+      - SERVER_REDIRECT=home.mistborn
+    # optionally define path to redirect all requests
+    # if not set nginx var $request_uri is used
+      - SERVER_REDIRECT_PATH=/
+    # optionally define schema to redirect all requests
+    # if not set but X-Forwarded-Proto is send as request header with value 'https' this will be used.
+    # In all other cases nginx var `$scheme` is used
+    #- SERVER_REDIRECT_SCHEME=https
+    # optionally define the http code to use for redirection
+    # allowed Codes are: 301, 302, 303, 307, 308, default is 301
+    #- SERVER_REDIRECT_CODE=301
+    # optionally define the http code to redirect POST requests
+    # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
+    #- SERVER_REDIRECT_POST_CODE=
+    # optionally define the http code to redirect PUT, PATCH and DELETE requests
+    # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
+    #- SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=
+    # optionally define the location for the nginx access log
+    # if not set /dev/stdout is used
+    #- SERVER_ACCESS_LOG=/dev/null
+    # optionally define the location for the nginx error log
+    # if not set /dev/stderr is used
+    #- SERVER_ERROR_LOG=/dev/null
+    restart: unless-stopped
+  
   redis:
     image: redis:5.0
     container_name: mistborn_production_redis

compose/production/portal/Dockerfile

@@ -0,0 +1,8 @@
+FROM nginx:1.21.1-alpine
+
+ADD run.sh /run.sh
+ADD default.conf /etc/nginx/conf.d/default.conf
+
+RUN chmod +x /run.sh
+
+CMD ["/run.sh"]

compose/production/portal/default.conf

@@ -0,0 +1,29 @@
+map $http_x_forwarded_proto $redirect_scheme {
+    default $scheme;
+    https https;
+}
+
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  ${SERVER_NAME};
+
+    # cherry picked from https://github.com/schmunk42/docker-nginx-redirect/pull/8
+    if ($request_method = POST) {
+        return ${SERVER_REDIRECT_POST_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+    }
+
+    if ($request_method ~ PUT|PATCH|DELETE) {
+        return ${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+    }
+
+    return ${SERVER_REDIRECT_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+
+    # redirect server error pages to the static page /50x.html
+    #
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+
+}

compose/production/portal/run.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env sh
+
+if [ ! -n "$SERVER_REDIRECT" ] ; then
+    echo "Environment variable SERVER_REDIRECT is not set, exiting."
+    exit 1
+fi
+
+# set server name from optional ENV var
+if [ ! -n "$SERVER_NAME" ] ; then
+    SERVER_NAME='localhost'
+fi
+
+# set redirect code from optional ENV var
+# allowed Status Codes are: 301, 302, 303, 307, 308
+expr match "$SERVER_REDIRECT_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_CODE='301'
+
+# set redirect code from optional ENV var for POST requests
+expr match "$SERVER_REDIRECT_POST_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_POST_CODE=$SERVER_REDIRECT_CODE
+
+# set redirect code from optional ENV var for PUT, PATCH and DELETE requests
+expr match "$SERVER_REDIRECT_PUT_PATCH_DELETE_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=$SERVER_REDIRECT_CODE
+
+# set redirect path from optional ENV var
+if [ ! -n "$SERVER_REDIRECT_PATH" ] ; then
+    SERVER_REDIRECT_PATH='$request_uri'
+fi
+
+# set redirect scheme from optional ENV var
+if [ ! -n "$SERVER_REDIRECT_SCHEME" ] ; then
+    SERVER_REDIRECT_SCHEME='$redirect_scheme'
+fi
+
+# set access log location from optional ENV var
+if [ ! -n "$SERVER_ACCESS_LOG" ] ; then
+    SERVER_ACCESS_LOG='/dev/stdout'
+fi
+
+# set error log location from optional ENV var
+if [ ! -n "$SERVER_ERROR_LOG" ] ; then
+    SERVER_ERROR_LOG='/dev/stderr'
+fi
+
+sed -i "s|\${SERVER_REDIRECT}|${SERVER_REDIRECT}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_NAME}|${SERVER_NAME}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_CODE}|${SERVER_REDIRECT_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_POST_CODE}|${SERVER_REDIRECT_POST_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_PATH}|${SERVER_REDIRECT_PATH}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_SCHEME}|${SERVER_REDIRECT_SCHEME}|" /etc/nginx/conf.d/default.conf
+
+ln -sfT "$SERVER_ACCESS_LOG" /var/log/nginx/access.log
+ln -sfT "$SERVER_ERROR_LOG" /var/log/nginx/error.log
+
+exec nginx -g 'daemon off;'

scripts/subinstallers/gen_prod_env.sh

@@ -21,8 +21,8 @@ echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE
 echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE
 echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
 echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
-echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
+#echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
-echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE
+echo "MISTBORN_PORTAL_REDIRECT_PORT=5001" >> $DJANGO_PROD_FILE
 chmod 600 $DJANGO_PROD_FILE
 
 # generate production .env file for postgresql

scripts/subinstallers/iptables.sh

@@ -11,6 +11,9 @@ if [ "$DISTRO" == "ubuntu" ]; then
     sudo systemctl disable ufw || true
 fi
 
+# make sure user land binaries installed
+sudo apt-get install -y iptables
+
 # default interface
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
 

scripts/subinstallers/wireguard.sh

@@ -1,16 +1,16 @@
 #!/bin/bash
 
-figlet "Mistborn: Installing Wireguard"
+figlet "Mistborn: Installing WireGuard"
 
 # if wireguard not in current repositories
 if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
     # install PPAs
 
-    echo "Adding Wireguard PPAs"
+    echo "Adding WireGuard PPAs"
 
     # Wireguard
     if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
-        echo "Adding Wireguard repo keys"
+        echo "Adding WireGuard repo keys"
         sudo -E apt-get install -y dirmngr
         sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553
         sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010
@@ -28,6 +28,6 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
     fi
 fi
 
-echo "Installing Wireguard"
+echo "Installing WireGuard"
 sudo apt-get update
 sudo -E apt-get install -y openresolv wireguard