From 10bb430d439e2db0b47d9053a82e230c2e13a4c8 Mon Sep 17 00:00:00 2001 From: Rik Veenboer Date: Wed, 4 Dec 2024 21:56:32 +0100 Subject: [PATCH] snapshot of caddy with oauth security plugin --- caddy/Caddyfile | 17 ++++++++---- caddy/Dockerfile | 3 +- caddy/conf/auth.caddy | 42 ++++++++++++++++++++++++++++ caddy/sites/test.caddy | 15 ++++++++++ caddy/sites/unused.caddy | 16 ----------- docker-compose.caddy.yml | 3 ++ docker-compose.vouch.yml | 59 ++++++++++++++++++++++++++++++++++++++++ docker-compose.yml | 4 +-- 8 files changed, 134 insertions(+), 25 deletions(-) create mode 100644 caddy/conf/auth.caddy create mode 100644 caddy/sites/test.caddy delete mode 100644 caddy/sites/unused.caddy create mode 100644 docker-compose.vouch.yml diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 1c77ec0..1b35177 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -1,3 +1,5 @@ +import conf/*.caddy + { dynamic_dns { provider route53 @@ -18,14 +20,16 @@ order geoip2_vars first geoip2 { - accountId {$GEO_ACCOUNT_ID} - licenseKey {$GEO_API_KEY} - databaseDirectory "/data/caddy/geoip/" - lockFile "/data/caddy/geoip/geoip2.lock" - editionID "GeoLite2-City" - updateUrl "https://updates.maxmind.com" + # accountId {$GEO_ACCOUNT_ID} + # licenseKey {$GEO_API_KEY} + databaseDirectory /data/caddy/geoip/ + lockFile /data/caddy/geoip/geoip2.lock + editionID GeoLite2-City + updateUrl https://updates.maxmind.com updateFrequency 86400 # in seconds } + + import auth } (unprotected) { @@ -38,6 +42,7 @@ } import unprotected authentik host:19000 +import unprotected vouch host:9090 import unprotected jellyfin host:8097 import unprotected seafile host:8082 import unprotected grafana host:3333 diff --git a/caddy/Dockerfile b/caddy/Dockerfile index 324c332..f6596f1 100644 --- a/caddy/Dockerfile +++ b/caddy/Dockerfile 
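Review bot: Commenting out `accountId` and `licenseKey` in the `geoip2` block takes away the MaxMind credentials the updater needs, while `updateFrequency 86400` is kept and docker-compose.caddy.yml still passes `GEO_ACCOUNT_ID` and `GEO_API_KEY` into the container; unless the plugin picks them up some other way, the daily database update will presumably start failing after this change. Either restore the two lines or, if automatic updates are meant to stop, record that next to the commented lines, e.g. `# credentials removed on purpose: database is refreshed out of band`, and drop the now-unused env vars from the compose file. The same hunk also strips the quotes from the path and URL values, which reads as an unrelated cleanup and would be easier to review on its own.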
@@ -4,7 +4,8 @@ RUN xcaddy build \ --with github.com/caddy-dns/route53 \ --with github.com/mholt/caddy-dynamicdns \ --with github.com/zhangjiayin/caddy-geoip2 \ - --with github.com/mholt/caddy-l4 + --with github.com/mholt/caddy-l4 \ + --with github.com/greenpau/caddy-security FROM caddy:2.9-alpine diff --git a/caddy/conf/auth.caddy b/caddy/conf/auth.caddy new file mode 100644 index 0000000..2c86ce8 --- /dev/null +++ b/caddy/conf/auth.caddy @@ -0,0 +1,42 @@ +(auth) { + order authenticate before respond + order authorize before reverse_proxy + security { + oauth identity provider google { + realm google + driver google + client_id {$OAUTH_CLIENT_ID} + client_secret {$OAUTH_CLIENT_SECRET} + scopes openid email profile + } + authentication portal myportal { + enable identity provider google + cookie domain veenboer.xyz + ui { + links { + "My Identity" "/whoami" icon "las la-user" + } + } + + transform user { + match realm google + action add role authp/user + } + + transform user { + match realm google + + # Give this account admin role in the auth portal + match email rik.veenboer@gmail.com + action add role authp/admin + } + } + authorization policy mypolicy { + set auth url https://auth.rik.veenboer.xyz/oauth2/google + allow roles authp/admin authp/user + validate bearer header + inject headers with claims + } + } + + } diff --git a/caddy/sites/test.caddy b/caddy/sites/test.caddy new file mode 100644 index 0000000..6d500a3 --- /dev/null +++ b/caddy/sites/test.caddy @@ -0,0 +1,15 @@ +test.rik.veenboer.xyz { +log { + output file /var/log/test.log +} + + authorize with mypolicy + reverse_proxy host:12345 + +} + +auth.rik.veenboer.xyz { + route { + authenticate with myportal + } +} diff --git a/caddy/sites/unused.caddy b/caddy/sites/unused.caddy deleted file mode 100644 index 4d62e24..0000000 --- a/caddy/sites/unused.caddy +++ /dev/null 
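Review bot: `--with github.com/greenpau/caddy-security` is added without a version, so every image build resolves the plugin to whatever its latest tag is at build time, as the existing `--with` lines already do; for the module that now gates authentication this makes builds non-reproducible and upgrades invisible in review. Pinning it (`--with github.com/greenpau/caddy-security@<pinned-version>`, with the chosen version noted in a comment) keeps the plugin in step with the `caddy:2.9-alpine` base that is already pinned. Pinning the other four modules in the same `xcaddy build` call would be a natural follow-up.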
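Review bot: The first `transform user` block grants `authp/user` on `match realm google` alone, and `mypolicy` lists `authp/user` in `allow roles`, so as far as this hunk shows any Google account that completes the login is authorized for every site that uses `authorize with mypolicy`; only `authp/admin` is tied to a specific email. If the deployment is meant to be private, constrain that first transform the same way (`match email …` or a domain match) or remove `authp/user` from the allow list, and add a comment stating who is expected to pass. Separately, `cookie domain veenboer.xyz` sends the portal session cookie to every host under the apex, including the services published through the `unprotected` snippet; `cookie domain rik.veenboer.xyz` would presumably still cover the `auth.` and `test.` hosts used in test.caddy while narrowing where the cookie travels.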
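Review bot: Inside the `test.rik.veenboer.xyz` block the `log {` directive and its closing `}` sit at column 0 while the sibling `authorize` and `reverse_proxy` lines are indented, which makes the site block look closed early; indenting the three log lines to match the rest fixes it. The `auth.rik.veenboer.xyz` portal site has no `log` directive at all, so login failures at the portal are only visible through Caddy's default output; a matching `log { output file /var/log/auth-portal.log }` (constructed name) would presumably be wanted when reviewing access attempts later.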
@@ -1,16 +0,0 @@
-unused.rik.veenboer.xyz {
- handle {
- # import authentik
- reverse_proxy host:8100
- }
-
- handle /seafhttp* {
- uri strip_prefix seafhttp
- reverse_proxy host:8182
- }
-
- handle /seafdav* {
- reverse_proxy host:8180
- }
-}
-
diff --git a/docker-compose.caddy.yml b/docker-compose.caddy.yml
index 4e3ef9f..ccae8ab 100644
--- a/docker-compose.caddy.yml
+++ b/docker-compose.caddy.yml
@@ -9,12 +9,15 @@ services:
 - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:?}
 - GEO_ACCOUNT_ID=${MAXMIND_ACCOUNT_ID:?}
 - GEO_API_KEY=${MAXMIND_API_KEY:?}
+ - OAUTH_CLIENT_ID=889676430308-ivr6b4fmneivn70ri2ugm1gkbgoh5qdq.apps.googleusercontent.com
+ - OAUTH_CLIENT_SECRET=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
 image: caddy
 ports:
 - 443:443
 restart: unless-stopped
 volumes:
 - /opt/caddy/Caddyfile:/etc/caddy/Caddyfile
+ - /opt/caddy/conf:/etc/caddy/conf
 - /opt/caddy/sites:/etc/caddy/sites
 - /opt/caddy/data:/data/caddy
 - /opt/caddy/logs:/var/log
diff --git a/docker-compose.vouch.yml b/docker-compose.vouch.yml
new file mode 100644
index 0000000..519ea5f
--- /dev/null
+++ b/docker-compose.vouch.yml
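Review bot: `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET` are added as literal values, whereas every other credential in the same `environment` list is read from the host environment with a `${VAR:?}` guard; the client secret is now part of git history and should be treated as exposed, rotated at the provider, and wired in as `- OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID:?}` and `- OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET:?}` like the lines above it. The same pattern repeats in the new docker-compose.vouch.yml, where the Authentik client secret is live and Google, Cognito and Microsoft secrets survive in commented-out lines that are just as readable in the repository; those should be rotated and moved to the environment as well, and the commented blocks dropped rather than kept as a reference.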
@@ -0,0 +1,59 @@ +services: + vouch: + image: quay.io/vouch/vouch-proxy:alpine-0.41.0 + container_name: vouch + ports: + - 9090:9090 + environment: + # Google + # - OAUTH_PROVIDER=google + # - OAUTH_CLIENT_ID=889676430308-ivr6b4fmneivn70ri2ugm1gkbgoh5qdq.apps.googleusercontent.com + # - OAUTH_CLIENT_SECRET=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 + # - https://www.googleapis.com/oauth2/v3/userinfo + + # Google + # - OAUTH_PROVIDER=oidc + # - OAUTH_CLIENT_ID=889676430308-ivr6b4fmneivn70ri2ugm1gkbgoh5qdq.apps.googleusercontent.com + # - OAUTH_CLIENT_SECRET=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 + # - OAUTH_AUTH_URL=https://accounts.google.com/o/oauth2/auth + # - OAUTH_TOKEN_URL=https://accounts.google.com/o/oauth2/token + # - OAUTH_USER_INFO_URL=https://www.googleapis.com/oauth2/v3/userinfo + + # Amazon + # - OAUTH_PROVIDER=oidc + # - OAUTH_CLIENT_ID=793k18vvmiooosv5j4dd0bkqi + # - OAUTH_CLIENT_SECRET=ccpsr589kufadbmi7ac6kgi3gaftc4cqkm3pi627tsidmbsk1lj + # - OAUTH_AUTH_URL=https://veenboer.auth.eu-central-1.amazoncognito.com/oauth2/authorize + # - OAUTH_TOKEN_URL=https://veenboer.auth.eu-central-1.amazoncognito.com/oauth2/token + # - OAUTH_USER_INFO_URL=https://veenboer.auth.eu-central-1.amazoncognito.com/oauth2/userInfo + + # Microsoft + # - OAUTH_PROVIDER=oidc + # - OAUTH_CLIENT_ID=2483d0ed-95a1-4ca1-ae72-a79ca6defd96 + # - OAUTH_CLIENT_SECRET=x8V8Q~vklpp75~xwMRzAuNa4NQ7K8gNEAAsx-cTZ + # - OAUTH_AUTH_URL=https://login.microsoftonline.com/common/oauth2/v2.0/authorize + # - OAUTH_TOKEN_URL=https://login.microsoftonline.com/common/oauth2/v2.0/token + # - OAUTH_USER_INFO_URL=https://graph.microsoft.com/oidc/userinfo + + # Authentik + - OAUTH_PROVIDER=oidc + - OAUTH_CLIENT_ID=MJJ44TzracJ8J24xVsUvO12KvAbzxiev9G0t9sYl + - OAUTH_CLIENT_SECRET=vrUGfNfqzooKujOyvTLDZffOTakEgNeCIlILaBU2aF9QtaDHJWaYVY3MLGlkF2jlFFn4W0a1eSJcZpJMxojO4i7U6b9CqbdTr5Al2LvK3FQnFbViUn2MN0qKibv8VVO1 + - OAUTH_AUTH_URL=https://authentik.rik.veenboer.xyz/application/o/authorize/ + - 
OAUTH_TOKEN_URL=https://authentik.rik.veenboer.xyz/application/o/token/ + - OAUTH_USER_INFO_URL=https://authentik.rik.veenboer.xyz/application/o/userinfo/ + + # General + - OAUTH_CALLBACK_URL=https://vouch.rik.veenboer.xyz/auth + - OAUTH_SCOPES=openid,profile,email + - VOUCH_COOKIE_DOMAIN=veenboer.xyz + - VOUCH_ALLOWALLUSERS=true + - VOUCH_HEADERS_CLAIMS=email,preferred_username + - VOUCH_LOGLEVEL=debug + + # Unused + # - VOUCH_COOKIE_SECURE=false + # - VOUCH_HEADERS_CLAIMS=sub,name,email + # - OAUTH_CLAIMS=sub,name,email + # - VOUCH_HEADERS_IDTOKEN=X-Vouch-IdP-IdToken + restart: unless-stopped diff --git a/docker-compose.yml b/docker-compose.yml index 7b09306..4072296 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,6 +4,7 @@ include: # Authentication - docker-compose.authentik.yml +- docker-compose.vouch.yml # Other - docker-compose.homarr.yml @@ -25,8 +26,8 @@ include: # Networking - docker-compose.surfshark.yml -- docker-compose.openvpn-server.yml - docker-compose.dns-ad-blocker.yml +# - docker-compose.openvpn-server.yml # Backup - docker-compose.rsnapshot.yml @@ -47,4 +48,3 @@ include: - docker-compose.postgis.yml - docker-compose.timescaledb.yml - docker-compose.influxdb.yml -
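Review bot: `VOUCH_ALLOWALLUSERS=true` makes vouch accept every identity the Authentik provider returns, so authorization for anything proxied through it rests entirely on Authentik's application policy; a comment recording that reliance, e.g. `# access is restricted by the Authentik application binding, not by vouch`, would keep the next reader from assuming vouch filters users itself. `VOUCH_LOGLEVEL=debug` on a `restart: unless-stopped` service is also worth reconsidering, since debug output from an auth proxy tends to include claim and token material; the default level is the usual choice outside troubleshooting. Finally, `ports: - 9090:9090` publishes vouch on all host interfaces while the Caddyfile already fronts it with `import unprotected vouch host:9090`; binding the mapping only to the address Caddy actually reaches it on, or placing both on a shared docker network, would presumably close the second, unproxied path. The `services:` mapping for this file opens on the previous source line of the same hunk.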