ui - edit docs and fix CSRF
This commit is contained in:
parent
028fc61b4f
commit
aec22d1a81
|
@ -12,7 +12,7 @@ The web UI has its own set of environment variables to configure it :
|
|||
- `API_URI` : path of the bunkerized-nginx API (must match the corresponding `API_URI` of the bunkerized-nginx instance)
|
||||
- `DOCKER_HOST` : Docker API endpoint address (default = `unix:///var/run/docker.sock`)
|
||||
|
||||
Since the web UI is ia service itself, we can use bunkerized-nginx as a reverse proxy in front of it.
|
||||
Since the web UI is a web service itself, we can use bunkerized-nginx as a reverse proxy in front of it.
|
||||
|
||||
**Using the web UI in a Docker environment exposes a security risk because you need to mount the Docker API socket into the web UI container. It's highly recommended to use a middleware like [tecnativa/docker-socket-proxy](https://github.com/Tecnativa/docker-socket-proxy) to reduce the risk as much as possible.**
|
||||
|
||||
|
@ -59,7 +59,7 @@ $ docker run -d \
|
|||
|
||||
Last but not least, you need to start the bunkerized-nginx and configure it as a reverse proxy for the web UI web service :
|
||||
```shell
|
||||
$ docker create -d \
|
||||
$ docker create \
|
||||
--name my-bunkerized \
|
||||
--network ui-net \
|
||||
-p 80:8080 \
|
||||
|
@ -74,8 +74,8 @@ $ docker create -d \
|
|||
-e REDIRECT_HTTP_TO_HTTPS=yes \
|
||||
-e admin.example.com_USE_REVERSE_PROXY=yes \
|
||||
-e admin.example.com_REVERSE_PROXY_URL=/admin-changeme/ \
|
||||
-e admin.example.com_REVERSE_PROXY_HOST=http://my-bunkerized-ui:5000/ \
|
||||
-e admin.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin-changeme \
|
||||
-e admin.example.com_REVERSE_PROXY_HOST=http://my-bunkerized-ui:5000 \
|
||||
-e "admin.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin-changeme" \
|
||||
-e admin.example.com_USE_MODSECURITY=no \
|
||||
-l bunkerized-nginx.UI \
|
||||
bunkerity/bunkerized-nginx
|
||||
|
@ -111,7 +111,7 @@ services:
|
|||
- REDIRECT_HTTP_TO_HTTPS=yes
|
||||
- admin.example.com_USE_REVERSE_PROXY=yes
|
||||
- admin.example.com_REVERSE_PROXY_URL=/admin-changeme/ # change it to something hard to guess
|
||||
- admin.example.com_REVERSE_PROXY_HOST=http://my-bunkerized-ui:5000/
|
||||
- admin.example.com_REVERSE_PROXY_HOST=http://my-bunkerized-ui:5000
|
||||
- admin.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin # must match REVERSE_PROXY_URL
|
||||
- admin.example.com_USE_MODSECURITY=no
|
||||
labels:
|
||||
|
@ -177,6 +177,7 @@ Edit the bunkerized-nginx configurations located at `/opt/bunkerized-nginx/varia
|
|||
```conf
|
||||
HTTP_PORT=80
|
||||
HTTPS_PORT=443
|
||||
DNS_RESOLVERS=8.8.8.8 8.8.4.4
|
||||
SERVER_NAME=admin.example.com
|
||||
MULTISITE=yes
|
||||
AUTO_LETS_ENCRYPT=yes
|
||||
|
@ -184,7 +185,7 @@ REDIRECT_HTTP_TO_HTTPS=yes
|
|||
admin.example.com_USE_REVERSE_PROXY=yes
|
||||
admin.example.com_REVERSE_PROXY_URL=/admin-changeme/
|
||||
# Local bunkerized-nginx-ui
|
||||
admin.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:5000/
|
||||
admin.example.com_REVERSE_PROXY_HOST=http://127.0.0.1:5000
|
||||
# Remote bunkerized-nginx-ui
|
||||
#REVERSE_PROXY_HOST=http://service.example.local:5000
|
||||
admin.example.com_REVERSE_PROXY_HEADERS=X-Script-Name /admin-changeme
|
||||
|
|
|
@ -22,6 +22,8 @@ app.secret_key = vars["FLASK_SECRET"]
|
|||
app.config["ABSOLUTE_URI"] = vars["ABSOLUTE_URI"]
|
||||
app.config["INSTANCES"] = Instances(vars["DOCKER_HOST"], vars["API_URI"])
|
||||
app.config["CONFIG"] = Config()
|
||||
app.config["SESSION_COOKIE_DOMAIN"] = vars["ABSOLUTE_URI"].replace("http://", "").replace("https://", "").split("/")[0]
|
||||
app.config["WTF_CSRF_SSL_STRICT"] = False
|
||||
|
||||
# Declare functions for jinja2
|
||||
app.jinja_env.globals.update(env_to_summary_class=utils.env_to_summary_class)
|
||||
|
@ -29,6 +31,11 @@ app.jinja_env.globals.update(form_service_gen=utils.form_service_gen)
|
|||
app.jinja_env.globals.update(form_service_gen_multiple=utils.form_service_gen_multiple)
|
||||
app.jinja_env.globals.update(form_service_gen_multiple_values=utils.form_service_gen_multiple_values)
|
||||
|
||||
@app.before_request
|
||||
def log_request():
|
||||
app.logger.debug("Request Headers %s", request.headers)
|
||||
return None
|
||||
|
||||
# Login management
|
||||
login_manager = LoginManager()
|
||||
login_manager.init_app(app)
|
||||
|
|
|
@ -11,7 +11,7 @@ class ReverseProxied(object):
|
|||
if path_info.startswith(script_name):
|
||||
environ['PATH_INFO'] = path_info[len(script_name):]
|
||||
|
||||
scheme = environ.get('HTTP_X_SCHEME', '')
|
||||
scheme = environ.get('HTTP_X_FORWARDED_PROTO', '')
|
||||
if scheme:
|
||||
environ['wsgi.url_scheme'] = scheme
|
||||
return self.app(environ, start_response)
|
||||
|
|
Loading…
Reference in New Issue