From fc9b287f6bfa23155e806e3ee1ce646389aab64b Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Sun, 1 Aug 2021 23:11:00 +0000
Subject: [PATCH 1/3] Resolve "MFA Captive Portal"
---
 base.yml | 36 ++++++++++++++++-
 compose/production/portal/Dockerfile | 8 ++++
 compose/production/portal/default.conf | 29 ++++++++++++++
 compose/production/portal/run.sh | 54 ++++++++++++++++++++++++++
 scripts/subinstallers/gen_prod_env.sh | 4 +-
 scripts/subinstallers/iptables.sh | 3 ++
 scripts/subinstallers/wireguard.sh | 8 ++--
 7 files changed, 135 insertions(+), 7 deletions(-)
 create mode 100644 compose/production/portal/Dockerfile
 create mode 100644 compose/production/portal/default.conf
 create mode 100755 compose/production/portal/run.sh
diff --git a/base.yml b/base.yml
index 035a6e8..aa52061 100644
--- a/base.yml
+++ b/base.yml
@@ -13,7 +13,7 @@ services:
 - postgres
 - redis
 ports:
- - "10.2.3.1:5000:5000/tcp" # auth access
+ - "${MISTBORN_DNS_BIND_IP}:5000:5000/tcp" # auth access
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)"
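Review bot: The new `"${MISTBORN_DNS_BIND_IP}:5000:5000/tcp"` mapping binds on every interface if the variable is unset or empty, because Compose then renders the entry as `:5000:5000/tcp`, which is a wider exposure than the fixed `10.2.3.1` it replaces; the portal `ports` entry in the next hunk (`"${MISTBORN_DNS_BIND_IP}:5001:80"`) has the same weakness. Fail closed with Compose's required-variable form, e.g. `- "${MISTBORN_DNS_BIND_IP:?MISTBORN_DNS_BIND_IP must be set}:5000:5000/tcp"`, or keep the previous address as the fallback with `${MISTBORN_DNS_BIND_IP:-10.2.3.1}`. Nothing in this diff shows where MISTBORN_DNS_BIND_IP is exported, so whether it is always present cannot be confirmed from here.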
@@ -84,6 +84,40 @@ services:
 #- --serversTransport.insecureSkipVerify=true
 restart: unless-stopped
 
+ portal:
+ build:
+ context: ./compose/production/portal/
+ dockerfile: Dockerfile
+ image: mistborn_production_portal
+ container_name: mistborn_production_portal
+ ports:
+ - "${MISTBORN_DNS_BIND_IP}:5001:80"
+ environment:
+ - SERVER_REDIRECT=home.mistborn
+ # optionally define path to redirect all requests
+ # if not set nginx var $request_uri is used
+ - SERVER_REDIRECT_PATH=/
+ # optionally define schema to redirect all requests
+ # if not set but X-Forwarded-Proto is send as request header with value 'https' this will be used.
+ # In all other cases nginx var `$scheme` is used
+ #- SERVER_REDIRECT_SCHEME=https
+ # optionally define the http code to use for redirection
+ # allowed Codes are: 301, 302, 303, 307, 308, default is 301
+ #- SERVER_REDIRECT_CODE=301
+ # optionally define the http code to redirect POST requests
+ # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
+ #- SERVER_REDIRECT_POST_CODE=
+ # optionally define the http code to redirect PUT, PATCH and DELETE requests
+ # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
+ #- SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=
+ # optionally define the location for the nginx access log
+ # if not set /dev/stdout is used
+ #- SERVER_ACCESS_LOG=/dev/null
+ # optionally define the location for the nginx error log
+ # if not set /dev/stderr is used
+ #- SERVER_ERROR_LOG=/dev/null
+ restart: unless-stopped
+
 redis:
 image: redis:5.0
 container_name: mistborn_production_redis
diff --git a/compose/production/portal/Dockerfile b/compose/production/portal/Dockerfile
new file mode 100644
index 0000000..5f5edeb
--- /dev/null
+++ b/compose/production/portal/Dockerfile
@@ -0,0 +1,8 @@
+FROM nginx:1.21.1-alpine
+
+ADD run.sh /run.sh
+ADD default.conf /etc/nginx/conf.d/default.conf
+
+RUN chmod +x /run.sh
+
+CMD ["/run.sh"]
\ No newline at end of file
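Review bot: `ADD run.sh /run.sh` and `ADD default.conf /etc/nginx/conf.d/default.conf` should be `COPY`; ADD additionally fetches remote URLs and auto-extracts archives, so COPY states the intent precisely for plain local files and is the form Docker's own guidance recommends. The `RUN chmod +x /run.sh` that follows is then harmless but likely redundant, since run.sh is created with mode 100755 (per the diffstat) and COPY keeps the file's mode bits. The diff also flags the file as missing its final newline.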
diff --git a/compose/production/portal/default.conf b/compose/production/portal/default.conf
new file mode 100644
index 0000000..be0b82b
--- /dev/null
+++ b/compose/production/portal/default.conf
@@ -0,0 +1,29 @@
+map $http_x_forwarded_proto $redirect_scheme {
+ default $scheme;
+ https https;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ${SERVER_NAME};
+
+ # cherry picked from https://github.com/schmunk42/docker-nginx-redirect/pull/8
+ if ($request_method = POST) {
+ return ${SERVER_REDIRECT_POST_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+ }
+
+ if ($request_method ~ PUT|PATCH|DELETE) {
+ return ${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+ }
+
+ return ${SERVER_REDIRECT_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
\ No newline at end of file
diff --git a/compose/production/portal/run.sh b/compose/production/portal/run.sh
new file mode 100755
index 0000000..6ff495a
--- /dev/null
+++ b/compose/production/portal/run.sh
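Review bot: The `if ($request_method ~ PUT|PATCH|DELETE)` test is an unanchored regex, so it is a substring match rather than an exact method comparison; anchor it as `if ($request_method ~ ^(PUT|PATCH|DELETE)$) {`. The unconditional `return ${SERVER_REDIRECT_CODE} ...` that follows runs for every remaining request, so the `error_page 500 502 503 504` directive and its `location = /50x.html` block appear unreachable and should either be dropped or carry a comment saying they are kept deliberately. Note also that `$redirect_scheme` is derived from the client-supplied X-Forwarded-Proto header, and base.yml publishes this container's port 80 directly rather than behind traefik, so no trusted proxy sets that header here; either pin SERVER_REDIRECT_SCHEME in the compose file or document above the `map` that the scheme is taken from the client.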
@@ -0,0 +1,54 @@
+#!/usr/bin/env sh
+
+if [ ! -n "$SERVER_REDIRECT" ] ; then
+ echo "Environment variable SERVER_REDIRECT is not set, exiting."
+ exit 1
+fi
+
+# set server name from optional ENV var
+if [ ! -n "$SERVER_NAME" ] ; then
+ SERVER_NAME='localhost'
+fi
+
+# set redirect code from optional ENV var
+# allowed Status Codes are: 301, 302, 303, 307, 308
+expr match "$SERVER_REDIRECT_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_CODE='301'
+
+# set redirect code from optional ENV var for POST requests
+expr match "$SERVER_REDIRECT_POST_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_POST_CODE=$SERVER_REDIRECT_CODE
+
+# set redirect code from optional ENV var for PUT, PATCH and DELETE requests
+expr match "$SERVER_REDIRECT_PUT_PATCH_DELETE_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=$SERVER_REDIRECT_CODE
+
+# set redirect path from optional ENV var
+if [ ! -n "$SERVER_REDIRECT_PATH" ] ; then
+ SERVER_REDIRECT_PATH='$request_uri'
+fi
+
+# set redirect scheme from optional ENV var
+if [ ! -n "$SERVER_REDIRECT_SCHEME" ] ; then
+ SERVER_REDIRECT_SCHEME='$redirect_scheme'
+fi
+
+# set access log location from optional ENV var
+if [ ! -n "$SERVER_ACCESS_LOG" ] ; then
+ SERVER_ACCESS_LOG='/dev/stdout'
+fi
+
+# set error log location from optional ENV var
+if [ ! -n "$SERVER_ERROR_LOG" ] ; then
+ SERVER_ERROR_LOG='/dev/stderr'
+fi
+
+sed -i "s|\${SERVER_REDIRECT}|${SERVER_REDIRECT}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_NAME}|${SERVER_NAME}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_CODE}|${SERVER_REDIRECT_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_POST_CODE}|${SERVER_REDIRECT_POST_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_PATH}|${SERVER_REDIRECT_PATH}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_SCHEME}|${SERVER_REDIRECT_SCHEME}|" /etc/nginx/conf.d/default.conf
+
+ln -sfT "$SERVER_ACCESS_LOG" /var/log/nginx/access.log
+ln -sfT "$SERVER_ERROR_LOG" /var/log/nginx/error.log
+
+exec nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh
index d185c32..b12550a 100755
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@@ -21,8 +21,8 @@ echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE
 echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE
 echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
 echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
-echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
-echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE
+#echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
+echo "MISTBORN_PORTAL_REDIRECT_PORT=5001" >> $DJANGO_PROD_FILE
 chmod 600 $DJANGO_PROD_FILE
 
 # generate production .env file for postgresql
diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh
index ba7784e..9c06dc7 100755
--- a/scripts/subinstallers/iptables.sh
+++ b/scripts/subinstallers/iptables.sh
@@ -11,6 +11,9 @@ if [ "$DISTRO" == "ubuntu" ]; then
 sudo systemctl disable ufw || true
 fi
 
+# make sure user land binaries installed
+sudo apt-get install -y iptables
+
 # default interface
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
diff --git a/scripts/subinstallers/wireguard.sh b/scripts/subinstallers/wireguard.sh
index baedd88..b5f0d55 100755
--- a/scripts/subinstallers/wireguard.sh
+++ b/scripts/subinstallers/wireguard.sh
@@ -1,16 +1,16 @@
 #!/bin/bash
-figlet "Mistborn: Installing Wireguard"
+figlet "Mistborn: Installing WireGuard"
 # if wireguard not in current repositories
 if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
 # install PPAs
- echo "Adding Wireguard PPAs"
+ echo "Adding WireGuard PPAs"
 # Wireguard
 if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
- echo "Adding Wireguard repo keys"
+ echo "Adding WireGuard repo keys"
 sudo -E apt-get install -y dirmngr
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010
@@ -28,6 +28,6 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
 fi
 fi
-echo "Installing Wireguard"
+echo "Installing WireGuard"
 sudo apt-get update
 sudo -E apt-get install -y openresolv wireguard
From f2f90a426c5a2c0e6316b0cf9a24a2e4ed3e48ac Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Wed, 4 Aug 2021 15:15:55 +0000
Subject: [PATCH 2/3] Support
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 5298329..7654855 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,6 @@ Within Mistborn is a panel to enable and manage these free extra services (off b
 # Quickstart
 Tested Operating Systems (in order of thoroughness):
 - Ubuntu 20.04 LTS
-- Ubuntu 18.04 LTS
 - Debian 10 (Buster)
 - Raspberry Pi OS (formerly Raspbian) Buster
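Review bot: `sudo apt-get install -y iptables` runs without a preceding `apt-get update`, so on a host with stale package lists the install can fail, and unless the script runs under `set -e` (not visible in this hunk) the rest of iptables.sh would continue with the binary missing; the wireguard.sh hunk below does run `sudo apt-get update` before its install. Consider `sudo apt-get update && sudo -E apt-get install -y iptables`, which also matches the `-E` form the other installers use to pass the environment through sudo. The comment reads better as `# make sure the iptables userland binaries are installed`.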
@@ -606,6 +605,7 @@ Contact me at [steven@cyber5k.com](mailto:steven@cyber5k.com)
 # Support Mistborn
 Please consider supporting the project via:
+- [Patreon](https://www.patreon.com/cyber5k)
 - [Paypal.me](https://paypal.me/cyber5k)
 - [Buy me a drink](https://www.buymeacoffee.com/cyber5k)
-- [Patreon](https://www.patreon.com/cyber5k)
+- Bitcoin: `3Lqxc1vpndN3TGi9cipNHg1RgXxGxVDdZo`
From e0901401207fb22ea74823a93f14cc59212671c1 Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Thu, 5 Aug 2021 01:13:45 +0000
Subject: [PATCH 3/3] Updating and setting versions
---
 base.yml | 11 ++++++-----
 compose/production/postgres/Dockerfile | 2 +-
 compose/production/tor/Dockerfile | 2 +-
 compose/production/traefik/Dockerfile | 2 +-
 extra/bitwarden.yml | 2 +-
 extra/elasticsearch.yml | 2 +-
 extra/guacamole.yml | 4 ++--
 extra/syncthing.yml | 2 +-
 extra/wazuh.yml | 4 ++--
 9 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/base.yml b/base.yml
index aa52061..15be20a 100644
--- a/base.yml
+++ b/base.yml
@@ -51,7 +51,7 @@ services:
 # context: .
 # dockerfile: ./compose/production/traefik/Dockerfile
 #image: mistborn_production_traefik
- image: traefik:v2.2
+ image: traefik:v2.4.9
 container_name: mistborn_production_traefik
 depends_on:
 - django
@@ -119,7 +119,7 @@ services:
 restart: unless-stopped
 
 redis:
- image: redis:5.0
+ image: redis:6.2-alpine
 container_name: mistborn_production_redis
 restart: unless-stopped
@@ -192,7 +192,7 @@ services:
 pihole:
 container_name: mistborn_production_pihole
- image: pihole/pihole:v5.7
+ image: pihole/pihole:v5.8
 env_file:
 - ./.envs/.production/.pihole
 ports:
@@ -211,8 +211,9 @@ services:
 - "traefik.http.services.pihole-service.loadbalancer.server.port=80"
 environment:
 - ServerIP=10.2.0.3
- - DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used
- - DNS2=''
+ - PIHOLE_DNS_=10.2.0.2#5054
+ #- DNS1='10.2.0.2#5054' # docs say port 5054, was 54; use network_mode: host to see which port is used
+ #- DNS2=''
 - IPv6='false'
 - DNSMASQ_LISTENING=all
 # TZ: 'America/New York'
diff --git a/compose/production/postgres/Dockerfile b/compose/production/postgres/Dockerfile
index 7cf4173..c37f89c 100644
--- a/compose/production/postgres/Dockerfile
+++ b/compose/production/postgres/Dockerfile
@@ -1,4 +1,4 @@
-FROM postgres:11.3
+FROM postgres:13.3-alpine
 COPY ./compose/production/postgres/maintenance /usr/local/bin/maintenance
 RUN chmod +x /usr/local/bin/maintenance/*
diff --git a/compose/production/tor/Dockerfile b/compose/production/tor/Dockerfile
index 11f8bb8..d7821c9 100644
--- a/compose/production/tor/Dockerfile
+++ b/compose/production/tor/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:latest
+FROM alpine:3.14.0
 RUN apk update \
 && apk upgrade \
diff --git a/compose/production/traefik/Dockerfile b/compose/production/traefik/Dockerfile
index 04c5f93..8fad7ed 100644
--- a/compose/production/traefik/Dockerfile
+++ b/compose/production/traefik/Dockerfile
@@ -1,4 +1,4 @@
-FROM traefik:v2.2
+FROM traefik:v2.4.9
 RUN mkdir -p /etc/traefik/acme
 RUN touch /etc/traefik/acme/acme.json
 RUN chmod 600 /etc/traefik/acme/acme.json
diff --git a/extra/bitwarden.yml b/extra/bitwarden.yml
index cd66424..5bfa126 100644
--- a/extra/bitwarden.yml
+++ b/extra/bitwarden.yml
@@ -2,7 +2,7 @@ version: '3'
 
 services:
 bitwarden:
- image: bitwardenrs/server:latest
+ image: vaultwarden/server:latest
 container_name: mistborn_production_bitwarden
 env_file:
 - ../.envs/.production/.bitwarden
diff --git a/extra/elasticsearch.yml b/extra/elasticsearch.yml
index c1a3a70..ffac4d9 100644
--- a/extra/elasticsearch.yml
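Review bot: `FROM postgres:13.3-alpine` is a major-version jump from 11.3, and PostgreSQL major releases do not share an on-disk cluster format, so an existing installation whose data volume was initialised by 11.x will refuse to start under 13 until the data is migrated (pg_dumpall and restore, or pg_upgrade); the commit adds no migration step or release note for that. At minimum the upgrade path should be recorded next to this line, e.g. `# NOTE: moving from 11.x to 13.x requires a dump/restore of existing data volumes`. Switching from the Debian-based to the Alpine variant in the same step may also change locale and collation behaviour for text columns, which is worth confirming and mentioning in the same note.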
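Review bot: `image: vaultwarden/server:latest` switches the image source but keeps a floating `latest` tag, and the syncthing hunk below introduces `linuxserver/syncthing:latest` where the old line had no tag at all, so in a commit titled "setting versions" these two services remain unpinned while every other one now carries an explicit version. Pin both to a release tag (`vaultwarden/server:<release-tag>`, with the tag filled in from the upstream release list) or, better, to a `@sha256:` digest, so the deployment is reproducible and an upstream tag move cannot silently change what runs the password vault.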
+++ b/extra/elasticsearch.yml
@@ -3,7 +3,7 @@ version: '3.7'
 services:
 elasticsearch:
- image: amazon/opendistro-for-elasticsearch:1.12.0
+ image: amazon/opendistro-for-elasticsearch:1.13.2
 hostname: elasticsearch
 restart: unless-stopped
 ports:
diff --git a/extra/guacamole.yml b/extra/guacamole.yml
index 59a83ac..e27bca9 100644
--- a/extra/guacamole.yml
+++ b/extra/guacamole.yml
@@ -5,7 +5,7 @@ services:
 # guacd
 guacd:
 container_name: mistborn_production_guacd
- image: guacamole/guacd
+ image: guacamole/guacd:1.3.0
 networks:
 guacnetwork:
 restart: unless-stopped
@@ -53,7 +53,7 @@ services:
 #GUACAMOLE_HOME: /config
 env_file:
 - ../.envs/.production/.guacamole
- image: guacamole/guacamole
+ image: guacamole/guacamole:1.3.0
 links:
 - guacd
 networks:
diff --git a/extra/syncthing.yml b/extra/syncthing.yml
index f66bd73..a4ffe71 100644
--- a/extra/syncthing.yml
+++ b/extra/syncthing.yml
@@ -2,7 +2,7 @@ version: '3'
 
 services:
 syncthing:
- image: linuxserver/syncthing
+ image: linuxserver/syncthing:latest
 container_name: mistborn_production_syncthing
 environment:
 - PUID=1000
diff --git a/extra/wazuh.yml b/extra/wazuh.yml
index f7df12a..46f5d27 100644
--- a/extra/wazuh.yml
+++ b/extra/wazuh.yml
@@ -3,7 +3,7 @@ version: '3.7'
 services:
 wazuh:
- image: wazuh/wazuh-odfe:4.1.2
+ image: wazuh/wazuh-odfe:4.1.5
 hostname: wazuh-manager
 restart: unless-stopped
 ports:
@@ -29,7 +29,7 @@ services:
 - filebeat_var:/var/lib/filebeat
 
 wazuh-kibana:
- image: wazuh/wazuh-kibana-odfe:4.1.2
+ image: wazuh/wazuh-kibana-odfe:4.1.5
 hostname: wazuh-kibana
 restart: unless-stopped
 labels: