From fc9b287f6bfa23155e806e3ee1ce646389aab64b Mon Sep 17 00:00:00 2001
From: Steven Foerster
Date: Sun, 1 Aug 2021 23:11:00 +0000
Subject: [PATCH] Resolve "MFA Captive Portal"
---
 base.yml | 36 ++++++++++++++++-
 compose/production/portal/Dockerfile | 8 ++++
 compose/production/portal/default.conf | 29 ++++++++++++++
 compose/production/portal/run.sh | 54 ++++++++++++++++++++++++++
 scripts/subinstallers/gen_prod_env.sh | 4 +-
 scripts/subinstallers/iptables.sh | 3 ++
 scripts/subinstallers/wireguard.sh | 8 ++--
 7 files changed, 135 insertions(+), 7 deletions(-)
 create mode 100644 compose/production/portal/Dockerfile
 create mode 100644 compose/production/portal/default.conf
 create mode 100755 compose/production/portal/run.sh
diff --git a/base.yml b/base.yml
index 035a6e8..aa52061 100644
--- a/base.yml
+++ b/base.yml
@@ -13,7 +13,7 @@ services:
 - postgres
 - redis
 ports:
- - "10.2.3.1:5000:5000/tcp" # auth access
+ - "${MISTBORN_DNS_BIND_IP}:5000:5000/tcp" # auth access
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.django-http.rule=Host(`home.mistborn`)"
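Review bot: The new `"${MISTBORN_DNS_BIND_IP}:5000:5000/tcp"` mapping has no guard for the variable being unset; Compose then substitutes an empty string and the entry becomes `:5000:5000/tcp`, which I would expect to be published on all interfaces instead of the intended internal address. Since this is the auth endpoint, failing loudly is the safer default: `- "${MISTBORN_DNS_BIND_IP:?MISTBORN_DNS_BIND_IP must be set}:5000:5000/tcp" # auth access`. The same applies to the portal `ports` entry in the next hunk (`${MISTBORN_DNS_BIND_IP}:5001:80`). If a fallback is preferred over an error, `${MISTBORN_DNS_BIND_IP:-10.2.3.1}` keeps the previous behaviour.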
@@ -84,6 +84,40 @@ services:
 #- --serversTransport.insecureSkipVerify=true
 restart: unless-stopped
+ portal:
+ build:
+ context: ./compose/production/portal/
+ dockerfile: Dockerfile
+ image: mistborn_production_portal
+ container_name: mistborn_production_portal
+ ports:
+ - "${MISTBORN_DNS_BIND_IP}:5001:80"
+ environment:
+ - SERVER_REDIRECT=home.mistborn
+ # optionally define path to redirect all requests
+ # if not set nginx var $request_uri is used
+ - SERVER_REDIRECT_PATH=/
+ # optionally define schema to redirect all requests
+ # if not set but X-Forwarded-Proto is send as request header with value 'https' this will be used.
+ # In all other cases nginx var `$scheme` is used
+ #- SERVER_REDIRECT_SCHEME=https
+ # optionally define the http code to use for redirection
+ # allowed Codes are: 301, 302, 303, 307, 308, default is 301
+ #- SERVER_REDIRECT_CODE=301
+ # optionally define the http code to redirect POST requests
+ # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
+ #- SERVER_REDIRECT_POST_CODE=
+ # optionally define the http code to redirect PUT, PATCH and DELETE requests
+ # if not set or not in allowed Codes, SERVER_REDIRECT_CODE will be used
+ #- SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=
+ # optionally define the location for the nginx access log
+ # if not set /dev/stdout is used
+ #- SERVER_ACCESS_LOG=/dev/null
+ # optionally define the location for the nginx error log
+ # if not set /dev/stderr is used
+ #- SERVER_ERROR_LOG=/dev/null
+ restart: unless-stopped
+
 redis:
 image: redis:5.0
 container_name: mistborn_production_redis
diff --git a/compose/production/portal/Dockerfile b/compose/production/portal/Dockerfile
new file mode 100644
index 0000000..5f5edeb
--- /dev/null
+++ b/compose/production/portal/Dockerfile
@@ -0,0 +1,8 @@
+FROM nginx:1.21.1-alpine
+
+ADD run.sh /run.sh
+ADD default.conf /etc/nginx/conf.d/default.conf
+
+RUN chmod +x /run.sh
+
+CMD ["/run.sh"]
\ No newline at end of file
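Review bot: The comment above `#- SERVER_REDIRECT_SCHEME=https` documents that the redirect scheme is taken from the `X-Forwarded-Proto` request header, but this service is published directly on `${MISTBORN_DNS_BIND_IP}:5001:80` rather than behind traefik, so that header arrives unmodified from whichever client reaches the port. The effect is confined to the scheme in the redirect `Location`, so it is a predictability issue rather than a vulnerability; if home.mistborn is always served over TLS, pinning `- SERVER_REDIRECT_SCHEME=https` removes the dependency on client-supplied headers. Two wording fixes in the same comment block: `schema` → `scheme` and `is send` → `is sent`.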
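Review bot: `ADD run.sh /run.sh` and `ADD default.conf /etc/nginx/conf.d/default.conf` should be `COPY`; `ADD` additionally unpacks archives and fetches URLs and is only wanted for those cases, so `COPY run.sh /run.sh` and `COPY default.conf /etc/nginx/conf.d/default.conf` is the conventional form for local files. The `RUN chmod +x /run.sh` layer is redundant because the file is committed with mode 100755 (see `create mode 100755 compose/production/portal/run.sh` in the diffstat), though it is harmless as a guard against checkouts that drop the bit. Pinning to `nginx:1.21.1-alpine` is good; a digest pin would make the build fully reproducible.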
diff --git a/compose/production/portal/default.conf b/compose/production/portal/default.conf
new file mode 100644
index 0000000..be0b82b
--- /dev/null
+++ b/compose/production/portal/default.conf
@@ -0,0 +1,29 @@
+map $http_x_forwarded_proto $redirect_scheme {
+ default $scheme;
+ https https;
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+ server_name ${SERVER_NAME};
+
+ # cherry picked from https://github.com/schmunk42/docker-nginx-redirect/pull/8
+ if ($request_method = POST) {
+ return ${SERVER_REDIRECT_POST_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+ }
+
+ if ($request_method ~ PUT|PATCH|DELETE) {
+ return ${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+ }
+
+ return ${SERVER_REDIRECT_CODE} ${SERVER_REDIRECT_SCHEME}://${SERVER_REDIRECT}${SERVER_REDIRECT_PATH};
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+}
\ No newline at end of file
diff --git a/compose/production/portal/run.sh b/compose/production/portal/run.sh
new file mode 100755
index 0000000..6ff495a
--- /dev/null
+++ b/compose/production/portal/run.sh
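Review bot: The `error_page 500 502 503 504 /50x.html;` and `location = /50x.html { ... }` block is unreachable: the unconditional `return ${SERVER_REDIRECT_CODE} ...` at server level answers every request before location matching, and a 3xx `return` does not trigger `error_page`, so those six lines (and the comment above them) can be dropped to keep the config honest about what it serves. The `if ($request_method ~ PUT|PATCH|DELETE)` regex is unanchored; it works because method tokens are fixed strings, but `if ($request_method ~ ^(PUT|PATCH|DELETE)$)` states the intent explicitly and mirrors the exact `= POST` test above it.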
@@ -0,0 +1,54 @@
+#!/usr/bin/env sh
+
+if [ ! -n "$SERVER_REDIRECT" ] ; then
+ echo "Environment variable SERVER_REDIRECT is not set, exiting."
+ exit 1
+fi
+
+# set server name from optional ENV var
+if [ ! -n "$SERVER_NAME" ] ; then
+ SERVER_NAME='localhost'
+fi
+
+# set redirect code from optional ENV var
+# allowed Status Codes are: 301, 302, 303, 307, 308
+expr match "$SERVER_REDIRECT_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_CODE='301'
+
+# set redirect code from optional ENV var for POST requests
+expr match "$SERVER_REDIRECT_POST_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_POST_CODE=$SERVER_REDIRECT_CODE
+
+# set redirect code from optional ENV var for PUT, PATCH and DELETE requests
+expr match "$SERVER_REDIRECT_PUT_PATCH_DELETE_CODE" '30[12378]$' > /dev/null || SERVER_REDIRECT_PUT_PATCH_DELETE_CODE=$SERVER_REDIRECT_CODE
+
+# set redirect path from optional ENV var
+if [ ! -n "$SERVER_REDIRECT_PATH" ] ; then
+ SERVER_REDIRECT_PATH='$request_uri'
+fi
+
+# set redirect scheme from optional ENV var
+if [ ! -n "$SERVER_REDIRECT_SCHEME" ] ; then
+ SERVER_REDIRECT_SCHEME='$redirect_scheme'
+fi
+
+# set access log location from optional ENV var
+if [ ! -n "$SERVER_ACCESS_LOG" ] ; then
+ SERVER_ACCESS_LOG='/dev/stdout'
+fi
+
+# set error log location from optional ENV var
+if [ ! -n "$SERVER_ERROR_LOG" ] ; then
+ SERVER_ERROR_LOG='/dev/stderr'
+fi
+
+sed -i "s|\${SERVER_REDIRECT}|${SERVER_REDIRECT}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_NAME}|${SERVER_NAME}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_CODE}|${SERVER_REDIRECT_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_POST_CODE}|${SERVER_REDIRECT_POST_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|${SERVER_REDIRECT_PUT_PATCH_DELETE_CODE}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_PATH}|${SERVER_REDIRECT_PATH}|" /etc/nginx/conf.d/default.conf
+sed -i "s|\${SERVER_REDIRECT_SCHEME}|${SERVER_REDIRECT_SCHEME}|" /etc/nginx/conf.d/default.conf
+
+ln -sfT "$SERVER_ACCESS_LOG" /var/log/nginx/access.log
+ln -sfT "$SERVER_ERROR_LOG" /var/log/nginx/error.log
+
+exec nginx -g 'daemon off;'
\ No newline at end of file
diff --git a/scripts/subinstallers/gen_prod_env.sh b/scripts/subinstallers/gen_prod_env.sh
index d185c32..b12550a 100755
--- a/scripts/subinstallers/gen_prod_env.sh
+++ b/scripts/subinstallers/gen_prod_env.sh
@@ -21,8 +21,8 @@ echo "#MAILGUN_API_KEY=" >> $DJANGO_PROD_FILE
 echo "#MAILGUN_API_URL=" >> $DJANGO_PROD_FILE
 echo "#SENTRY_DNS=" >> $DJANGO_PROD_FILE
 echo "MISTBORN_INSTALL_COCKPIT=$MISTBORN_INSTALL_COCKPIT" >> $DJANGO_PROD_FILE
-echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
-echo "MISTBORN_PORTAL_PORT=5000" >> $DJANGO_PROD_FILE
+#echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE
+echo "MISTBORN_PORTAL_REDIRECT_PORT=5001" >> $DJANGO_PROD_FILE
 chmod 600 $DJANGO_PROD_FILE
 # generate production .env file for postgresql
diff --git a/scripts/subinstallers/iptables.sh b/scripts/subinstallers/iptables.sh
index ba7784e..9c06dc7 100755
--- a/scripts/subinstallers/iptables.sh
+++ b/scripts/subinstallers/iptables.sh
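Review bot: The `sed -i "s|\${SERVER_REDIRECT}|${SERVER_REDIRECT}|" /etc/nginx/conf.d/default.conf` line and the six that follow splice the environment values into the sed expression unescaped, so a value containing `|` or `&` (`&` re-inserts the matched placeholder) silently yields a broken or wrong `default.conf`; the values come from the compose file, so this is a robustness rather than an injection concern, but a guard before the first `sed` is cheap: `case "$SERVER_REDIRECT$SERVER_NAME$SERVER_REDIRECT_PATH$SERVER_REDIRECT_SCHEME" in *[\|\&]*) echo "unsupported character in a SERVER_* value" >&2; exit 1 ;; esac`. The `[ ! -n "$VAR" ]` tests are equivalent to `[ -z "$VAR" ]`, which reads more directly. The `expr match ... '30[12378]$'` checks are correct as written because `expr`'s pattern is implicitly anchored at the start, so only the five listed codes pass and anything else falls back to `301`.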
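Review bot: The commented-out `#echo "MISTBORN_PORTAL_IP=10.2.3.1" >> $DJANGO_PROD_FILE` is dead code that git history already preserves; either delete the line or keep writing the variable if something still reads it. The hunk also stops writing `MISTBORN_PORTAL_PORT=5000`, so any consumer of `MISTBORN_PORTAL_PORT` (none visible here) now sees it unset — worth a grep across the repo before merging. The new `echo` follows the existing unquoted `>> $DJANGO_PROD_FILE` pattern; `>> "$DJANGO_PROD_FILE"` would be the safer form, but that is pre-existing style in this file.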
@@ -11,6 +11,9 @@ if [ "$DISTRO" == "ubuntu" ]; then
 sudo systemctl disable ufw || true
 fi
+# make sure user land binaries installed
+sudo apt-get install -y iptables
+
 # default interface
 iface=$(ip -o -4 route show to default | egrep -o 'dev [^ ]*' | awk 'NR==1{print $2}')
diff --git a/scripts/subinstallers/wireguard.sh b/scripts/subinstallers/wireguard.sh
index baedd88..b5f0d55 100755
--- a/scripts/subinstallers/wireguard.sh
+++ b/scripts/subinstallers/wireguard.sh
@@ -1,16 +1,16 @@
 #!/bin/bash
-figlet "Mistborn: Installing Wireguard"
+figlet "Mistborn: Installing WireGuard"
 # if wireguard not in current repositories
 if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
 # install PPAs
- echo "Adding Wireguard PPAs"
+ echo "Adding WireGuard PPAs"
 # Wireguard
 if [ "$DISTRO" == "raspbian" ] || [ "$DISTRO" == "raspios" ]; then
- echo "Adding Wireguard repo keys"
+ echo "Adding WireGuard repo keys"
 sudo -E apt-get install -y dirmngr
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 8B48AD6246925553
 sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 7638D0442B90D010
@@ -28,6 +28,6 @@ if ! $(sudo apt-cache show wireguard > /dev/null 2>&1) ; then
 fi
 fi
-echo "Installing Wireguard"
+echo "Installing WireGuard"
 sudo apt-get update
 sudo -E apt-get install -y openresolv wireguard
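Review bot: `sudo apt-get install -y iptables` runs without a preceding `apt-get update`, so on a host with a stale or empty package index the install can fail on an unresolvable package; the wireguard installer touched in this same commit runs `sudo apt-get update` before its install, and `sudo apt-get update && sudo apt-get install -y iptables` would match that pattern. The new line also sits just after the `fi` that closes the `if [ "$DISTRO" == "ubuntu" ]` block shown in the hunk header, so it runs for every distro this script handles — fine for the Debian-family targets visible here, but worth saying so in the comment. `# make sure user land binaries installed` could name what is being ensured: `# ensure the iptables user-space tools are present (needed by the rules below)`.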