remove arm build again, fix proxy_*_timeout directives and add authelia example

2022-06-14 09:42:32 +02:00 · 2022-06-14 09:42:32 +02:00 · f2655e331d
parent cd0438b8ce
commit f2655e331d
9 changed files with 267 additions and 53 deletions
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@ -103,49 +103,49 @@ jobs:
          cache-to: type=registry,ref=bunkerity/cache:bw-ui-386-cache,mode=min

  # Build bunkerweb/armv8
-  build-bw-armv8:
-    runs-on: ubuntu-latest
-    steps:
+  # build-bw-armv8:
+    # runs-on: ubuntu-latest
+    # steps:
      # Prepare
-      - name: Checkout source code
-        uses: actions/checkout@v3
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      - name: Setup Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Login to Docker Hub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
+      # - name: Checkout source code
+        # uses: actions/checkout@v3
+      # - name: Set up QEMU
+        # uses: docker/setup-qemu-action@v2
+      # - name: Setup Buildx
+        # uses: docker/setup-buildx-action@v2
+      # - name: Login to Docker Hub
+        # uses: docker/login-action@v2
+        # with:
+          # username: ${{ secrets.DOCKER_USERNAME }}
+          # password: ${{ secrets.DOCKER_TOKEN }}

      # Build images
-      - name: Build BW for armv8
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          platforms: linux/arm64/v8
-          tags: bunkerweb-tests-armv8:latest
-          cache-from: type=registry,ref=bunkerity/cache:bw-armv8-cache
-          cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min
-      - name: Build BW autoconf for armv8
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          file: autoconf/Dockerfile
-          platforms: linux/arm64/v8
-          tags: bunkerweb-autoconf-tests-armv8:latest
-          cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache
-          cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min
-      - name: Build BW UI for armv8
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          file: ui/Dockerfile
-          platforms: linux/arm64/v8
-          tags: bunkerweb-ui-tests-armv8:latest
-          cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache
-          cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min
+      # - name: Build BW for armv8
+        # uses: docker/build-push-action@v3
+        # with:
+          # context: .
+          # platforms: linux/arm64/v8
+          # tags: bunkerweb-tests-armv8:latest
+          # cache-from: type=registry,ref=bunkerity/cache:bw-armv8-cache
+          # cache-to: type=registry,ref=bunkerity/cache:bw-armv8-cache,mode=min
+      # - name: Build BW autoconf for armv8
+        # uses: docker/build-push-action@v3
+        # with:
+          # context: .
+          # file: autoconf/Dockerfile
+          # platforms: linux/arm64/v8
+          # tags: bunkerweb-autoconf-tests-armv8:latest
+          # cache-from: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache
+          # cache-to: type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache,mode=min
+      # - name: Build BW UI for armv8
+        # uses: docker/build-push-action@v3
+        # with:
+          # context: .
+          # file: ui/Dockerfile
+          # platforms: linux/arm64/v8
+          # tags: bunkerweb-ui-tests-armv8:latest
+          # cache-from: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache
+          # cache-to: type=registry,ref=bunkerity/cache:bw-ui-armv8-cache,mode=min

  # Run tests
  tests:
@ -228,7 +228,7 @@ jobs:
  # Push to dev registries
  push-docker:
    # needs: [tests, build-bw-386, build-bw-arm]
-    needs: [tests, build-bw-386, build-bw-armv8]
+    needs: [tests, build-bw-386]
    runs-on: ubuntu-latest
    steps:

@ -256,37 +256,34 @@ jobs:
        uses: docker/build-push-action@v3
        with:
          context: .
-          platforms: linux/amd64,linux/386,linux/arm64/v8
+          platforms: linux/amd64,linux/386
          push: true
          tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb:staging,bunkerity/bunkerweb:dev
          cache-from: |
            type=registry,ref=bunkerity/cache:bw-amd64-cache
            type=registry,ref=bunkerity/cache:bw-386-cache
-            type=registry,ref=bunkerity/cache:bw-armv8-cache
      - name: Build and push BW autoconf
        uses: docker/build-push-action@v3
        with:
          context: .
          file: autoconf/Dockerfile
-          platforms: linux/amd64,linux/386,linux/arm64/v8
+          platforms: linux/amd64,linux/386
          push: true
          tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-autoconf:staging,bunkerity/bunkerweb-autoconf:dev
          cache-from: |
            type=registry,ref=bunkerity/cache:bw-autoconf-amd64-cache
            type=registry,ref=bunkerity/cache:bw-autoconf-386-cache
-            type=registry,ref=bunkerity/cache:bw-autoconf-armv8-cache
      - name: Build and push BW UI
        uses: docker/build-push-action@v3
        with:
          context: .
          file: ui/Dockerfile
-          platforms: linux/amd64,linux/386,linux/arm64/v8
+          platforms: linux/amd64,linux/386
          push: true
          tags: ${{ secrets.PRIVATE_REGISTRY }}/infra/bunkerweb-ui:staging,bunkerity/bunkerweb-ui:dev
          cache-from: |
            type=registry,ref=bunkerity/cache:bw-ui-amd64-cache
            type=registry,ref=bunkerity/cache:bw-ui-386-cache
-            type=registry,ref=bunkerity/cache:bw-ui-armv8-cache

  # Push to PackageCloud
  push-linux:
--- a/core/reverseproxy/confs/server-http/reverse-proxy.conf
+++ b/core/reverseproxy/confs/server-http/reverse-proxy.conf
@ -35,9 +35,9 @@ add_header X-Proxy-Cache $upstream_cache_status;
 			{% set auth_request = all[k.replace("URL", "AUTH_REQUEST")] if k.replace("URL", "AUTH_REQUEST") in all else "" %}
 			{% set auth_request_signin_url = all[k.replace("URL", "AUTH_REQUEST_SIGNIN_URL")] if k.replace("URL", "AUTH_REQUEST_SIGNIN_URL") in all else "" %}
 			{% set auth_request_sets = all[k.replace("URL", "AUTH_REQUEST_SET")] if k.replace("URL", "AUTH_REQUEST_SET") in all else "" %}
-			{% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all else "" %}
-			{% set read_timeout = all[k.replace("URL", "READ_TIMEOUT")] if k.replace("URL", "READ_TIMEOUT") in all else "" %}
-			{% set send_timeout = all[k.replace("URL", "SEND_TIMEOUT")] if k.replace("URL", "SEND_TIMEOUT") in all else "" %}
+			{% set connect_timeout = all[k.replace("URL", "CONNECT_TIMEOUT")] if k.replace("URL", "CONNECT_TIMEOUT") in all else "60s" %}
+			{% set read_timeout = all[k.replace("URL", "READ_TIMEOUT")] if k.replace("URL", "READ_TIMEOUT") in all else "60s" %}
+			{% set send_timeout = all[k.replace("URL", "SEND_TIMEOUT")] if k.replace("URL", "SEND_TIMEOUT") in all else "60s" %}
 location {{ url }} {% raw %}{{% endraw +%}
 	etag off;
 	set $backend{{ counter.value }} "{{ host }}";
@ -82,11 +82,11 @@ location {{ url }} {% raw %}{{% endraw +%}
 	add_header {{ header_client }};
 			{% endfor +%}
 		{% endif +%}
-{% raw %}}{% endraw %}
-		{% endif %}
 	proxy_connect_timeout {{ connect_timeout }};
 	proxy_read_timeout {{ read_timeout }};
 	proxy_send_timeout {{ send_timeout }};
+{% raw %}}{% endraw %}
+		{% endif %}
 		{% set counter.value = counter.value + 1 %}
 	{% endfor %}
-{% endif %}
+{% endif %}
--- a/examples/authelia/authelia/configuration.yml
+++ b/examples/authelia/authelia/configuration.yml
@ -0,0 +1,79 @@
+---
+###############################################################
+#                   Authelia configuration                    #
+###############################################################
+
+jwt_secret: a_very_important_secret
+default_redirection_url: https://auth.example.com
+
+ntp:
+  disable_failure: true
+
+server:
+  host: 0.0.0.0
+  port: 9091
+
+log:
+  level: debug
+# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
+
+totp:
+  issuer: authelia.com
+
+# duo_api:
+#  hostname: api-123456789.example.com
+#  integration_key: ABCDEF
+#  # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
+#  secret_key: 1234567890abcdefghifjkl
+
+authentication_backend:
+  file:
+    path: /config/users_database.yml
+
+access_control:
+  default_policy: deny
+  rules:
+    # Rules applied to everyone
+    - domain: auth.example.com
+      policy: bypass
+    - domain: app1.example.com
+      policy: one_factor
+    - domain: app2.example.com
+      policy: two_factor
+
+session:
+  name: authelia_session
+  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+  secret: unsecure_session_secret
+  expiration: 3600  # 1 hour
+  inactivity: 300  # 5 minutes
+  domain: example.com  # Should match whatever your root protected domain is
+
+  redis:
+    host: redis
+    port: 6379
+    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+    # password: authelia
+
+regulation:
+  max_retries: 3
+  find_time: 120
+  ban_time: 300
+
+storage:
+  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  filesystem:
+    filename: /config/notification.txt
+#notifier:
+#  smtp:
+#    username: test
+    # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
+#    password: password
+#    host: mail.example.com
+#    port: 25
+#    sender: admin@example.com
+...
--- a/examples/authelia/authelia/users_database.yml
+++ b/examples/authelia/authelia/users_database.yml
@ -0,0 +1,18 @@
+---
+###############################################################
+#                         Users Database                      #
+###############################################################
+
+# This file can be used if you do not have an LDAP set up.
+
+# List of users
+users:
+  authelia:
+    displayname: "Authelia User"
+    # Password is authelia
+    password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/"  # yamllint disable-line rule:line-length
+    email: authelia@authelia.com
+    groups:
+      - admins
+      - dev
+...
--- a/examples/authelia/docker-compose.yml
+++ b/examples/authelia/docker-compose.yml
@ -0,0 +1,85 @@
+version: '3.4'
+
+services:
+
+  mybunker:
+    image: bunkerity/bunkerweb:1.4.0
+    ports:
+      - 80:8080
+      - 443:8443
+    # ⚠️ read this if you use local folders for volumes ⚠️
+    # bunkerweb runs as an unprivileged user with UID/GID 101
+    # don't forget to edit the permissions of the files and folders accordingly
+    # example if you need to create a directory : mkdir folder && chown root:101 folder && chmod 770 folder
+    # or for an existing one : chown -R root:101 folder && chmod -R 770 folder
+    # more info at https://docs.bunkerweb.io
+    volumes:
+      - bw_data:/data
+    environment:
+      - MULTISITE=yes
+      - SERVER_NAME=auth.example.com app1.example.com app2.example.com # replace with your domains
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - AUTO_LETS_ENCRYPT=yes
+      - USE_CLIENT_CACHE=yes
+      - USE_GZIP=yes
+      - USE_REVERSE_PROXY=yes
+      # Proxy to auth_request URI
+      - REVERSE_PROXY_URL_999=/authelia
+      - REVERSE_PROXY_HOST_999=http://authelia:9091/api/verify
+      - REVERSE_PROXY_HEADERS_999=X-Original-URL $$scheme://$$http_host$$request_uri;Content-Length ""
+      # Authelia
+      - auth.example.com_REVERSE_PROXY_URL=/
+      - auth.example.com_REVERSE_PROXY_HOST=http://authelia:9091
+      - auth.example.com_REVERSE_PROXY_INTERCEPT_ERRORS=no
+      # Applications
+      - app1.example.com_REVERSE_PROXY_URL=/
+      - app1.example.com_REVERSE_PROXY_HOST=http://app1:3000
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - app1.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+      - app1.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+      - app2.example.com_REVERSE_PROXY_URL=/
+      - app2.example.com_REVERSE_PROXY_HOST=http://app2
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST=/authelia
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL=https://auth.example.com/?rd=$$scheme%3A%2F%2F$$host$$request_uri
+      - app2.example.com_REVERSE_PROXY_AUTH_REQUEST_SET=$$user $$upstream_http_remote_user;$$groups $$upstream_http_remote_groups;$$name $$upstream_http_remote_name;$$email $$upstream_http_remote_email
+      - app2.example.com_REVERSE_PROXY_HEADERS=Remote-User $$user;Remote-Groups $$groups;Remote-Name $$name;Remote-Email $$email
+
+  # APPLICATIONS
+  app1:
+    image: node
+    working_dir: /home/node/app
+    volumes:
+      - ./js-app:/home/node/app
+    environment:
+      - NODE_ENV=production
+    command: bash -c "npm install express && node index.js"
+  app2:
+    image: tutum/hello-world
+
+  # AUTHELIA
+  authelia:
+    image: authelia/authelia
+    container_name: authelia
+    volumes:
+      - ./authelia:/config
+    restart: unless-stopped
+    healthcheck:
+      disable: true
+    environment:
+      - TZ=Europe/Paris
+
+  redis:
+    image: redis:alpine
+    container_name: redis
+    volumes:
+      - ./redis:/data
+    expose:
+      - 6379
+    restart: unless-stopped
+    environment:
+      - TZ=Europe/Paris
+
+volumes:
+  bw_data:
--- a/examples/authelia/js-app/index.js
+++ b/examples/authelia/js-app/index.js
@ -0,0 +1,13 @@
+const express = require('express')
+const app = express()
+const port = 3000
+
+app.get('/', (req, res) => {
+  res.send('Hello World from app1!')
+})
+
+app.listen(port, () => {
+  console.log(`Example app listening at http://localhost:${port}`)
+})
+
+
--- a/examples/authelia/js-app/package.json
+++ b/examples/authelia/js-app/package.json
@ -0,0 +1,15 @@
+{
+  "name": "js-app",
+  "version": "1.0.0",
+  "description": "demo",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "express": "^4.17.1"
+  }
+}
+
--- a/tests/docker.sh
+++ b/tests/docker.sh
@ -48,6 +48,12 @@ fi

 echo "Running Docker tests ..."

+# authelia
+single_docker_test "authelia" "60" "https://$TEST_DOMAIN1_1 authelia" "https://$TEST_DOMAIN1_2 authelia"
+
+# authentik
+single_docker_test "authentik" "60" "https://$TEST_DOMAIN1_1 authentik" "https://$TEST_DOMAIN1_2 authentik"
+
 # drupal
 single_docker_test "drupal" "60" "https://$TEST_DOMAIN1 drupal"

--- a/tests/utils/utils.sh
+++ b/tests/utils/utils.sh
@ -23,6 +23,7 @@ function exec_docker_example() {
 	sed -i 's@\./bw\-data:/@/tmp/bw\-data:/@g' docker-compose.yml
 	sed -i 's@- bw_data:/@- /tmp/bw\-data:/@g' docker-compose.yml
 	sed -i "s@www.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
+	sed -i "s@auth.example.com@${TEST_DOMAIN1}@g" docker-compose.yml
 	sed -i "s@app1.example.com@${TEST_DOMAIN1_1}@g" docker-compose.yml
 	sed -i "s@app2.example.com@${TEST_DOMAIN1_2}@g" docker-compose.yml
 	sed -i "s@app3.example.com@${TEST_DOMAIN1_3}@g" docker-compose.yml