Commit
Showing 4 changed files with 250 additions and 11 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# gitdb | ||
|
||
A database for user and group information using Git as the back-end. | ||
|
||
The database is read from `groups.json` files in directories in the repository. | ||
All the groups files are merged together; the directory structure is not | ||
relevant to how the repository is processed. This allows for arbitrary directory | ||
structures to reflect the organisation. Each directory must have the following | ||
files: | ||
- `groups.json`: containing group definitions and their memberships | ||
- `permitted-groups.json`: containing a list of regular expressions for the | ||
permitted groups in the `groups.json` file | ||
|
||
See examples and testdata [here](https://github.com/Cloud-Foundations/golib/tree/master/pkg/auth/userinfo/gitdb) |
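Review bot: the README contradicts itself between "the directory structure is not relevant to how the repository is processed" and "Each directory must have the following files"; state whether `groups.json` and `permitted-groups.json` are required in every directory or only in directories that define groups. The description of `permitted-groups.json` should also say how its regular expressions are matched (anchored against the whole group name or as a substring), since an unanchored pattern such as `admin` would also permit a group named `admin-readonly`; suggest documenting the matching rule and recommending anchored patterns such as `^admin$` in the example data linked at the end.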
@@ -0,0 +1,149 @@ | ||
# HUProxy | ||
|
||
## What is HUProxy | ||
|
||
[HTTP(S)-Upgrade Proxy](https://github.com/google/huproxy) — Tunnel anything | ||
(but primarily SSH) over HTTP websockets. | ||
|
||
This example uses Ubuntu 20.04 as a base. | ||
|
||
## HUProxy Config | ||
|
||
1. On a build machine with go installed run | ||
```CGO_ENABLED=0 go get github.com/google/huproxy```. Copy that binary to your | ||
target in ```/usr/local/bin``` | ||
|
||
2. Create a system user named huproxy place | ||
```/etc/systemd/system/huproxy.service``` with the following contents. | ||
|
||
``` | ||
[Unit] | ||
Description=Simple ssh proxy | ||
After=network.target | ||
[Service] | ||
Type=simple | ||
User=huproxy | ||
Group=huproxy | ||
WorkingDirectory=/tmp | ||
ExecStart=/usr/local/bin/huproxy -listen [::1]:8086 | ||
Restart=on-failure | ||
PrivateTmp=true | ||
[Install] | ||
WantedBy=default.target | ||
``` | ||
|
||
3. Run ```systemctl daemon-reload && systemctl enable --now huproxy```. | ||
|
||
## Apache Config | ||
|
||
1. Install Apache and stop it | ||
|
||
``` | ||
$ sudo apt update && sudo apt -y install apache2 && systemctl stop apache2 | ||
``` | ||
|
||
2. Remove existing configuration | ||
|
||
``` | ||
$ sudo rm -rf /etc/apache2/mods-enabled/* /etc/apache2/sites-enabled/* | ||
``` | ||
|
||
3. Enable required modules | ||
|
||
``` | ||
$ sudo a2enmod mpm_event proxy_wstunnel ssl rewrite access_compat authz_core | ||
``` | ||
|
||
4. Obtain the Keymaster CA file | ||
|
||
``` | ||
$ sudo curl -Lo /etc/apache2/keymaster-ca.pem https://keymaster.example.com/public | ||
/x509ca | ||
``` | ||
|
||
5. Place this in ```/etc/apache2/sites-available/zerotrust.conf```. Be sure to | ||
swap in your personal SSL certificates. | ||
|
||
``` | ||
<VirtualHost *:80> | ||
ServerName sshproxy.example.com | ||
ServerAdmin webmaster@localhost | ||
DocumentRoot /var/www/html | ||
RewriteEngine On | ||
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC] | ||
RewriteCond %{HTTPS} !=on | ||
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L] | ||
ErrorLog ${APACHE_LOG_DIR}/error.log | ||
CustomLog ${APACHE_LOG_DIR}/access.log combined | ||
</VirtualHost> | ||
<IfModule mod_ssl.c> | ||
<VirtualHost _default_:443> | ||
Protocols http/1.1 | ||
ServerName sshproxy.example.com | ||
ServerAdmin webmaster@localhost | ||
DocumentRoot /var/www/html | ||
ErrorLog ${APACHE_LOG_DIR}/error.log | ||
CustomLog ${APACHE_LOG_DIR}/access.log combined | ||
SSLEngine on | ||
SSLProtocol -all +TLSv1.3 +TLSv1.2 | ||
SSLHonorCipherOrder off | ||
SSLSessionTickets off | ||
SSLCipherSuite "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | ||
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem | ||
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key | ||
SSLCACertificateFile /etc/apache2/keymaster-ca.pem | ||
SSLUserName SSL_CLIENT_S_DN_CN | ||
SSLVerifyClient require | ||
ProxyRequests Off | ||
ProxyPass "/proxy/" "ws://[::1]:8086/proxy/" | ||
# Default Deny | ||
<LocationMatch "^/proxy/"> | ||
Order Allow,Deny | ||
Deny from all | ||
</LocationMatch> | ||
# Example with group limit. You can even use ldap groups. | ||
#<LocationMatch "^/proxy/adminbastion.internal.example.com/22"> | ||
# Allow from all | ||
# AuthGroupFile /etc/apache2/groups | ||
# Require group admin | ||
#</LocationMatch> | ||
# Allow TCP port 22 | ||
<LocationMatch "^/proxy/[^/]+/22$"> | ||
Allow from all | ||
</LocationMatch> | ||
</VirtualHost> | ||
</IfModule> | ||
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet | ||
``` | ||
|
||
6. Enable zerotrust.conf and start Apache | ||
|
||
``` | ||
$ sudo a2ensite zerotrust && sudo systemctl start apache2 | ||
``` | ||
|
||
## SSH Config | ||
|
||
1. On a build machine with go installed run | ||
```CGO_ENABLED=0 go get github.com/google/huproxy/huproxyclient```. Copy that binary to your | ||
target in ```/usr/local/bin``` | ||
|
||
2. Place your config in ```/etc/ssh/ssh_config``` or in individual users ```~/.ssh/config```. | ||
|
||
``` | ||
Host *.internal.example.com | ||
ProxyCommand /usr/local/bin/huproxyclient -key ~/.ssl/keymaster.key -cert ~/.ssl/keymaster.cert wss://sshproxy.example.com/%h/%p | ||
``` | ||
|
||
## Congrats | ||
You can now ssh to internal servers without a VPN. |
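Review bot: the SSH `ProxyCommand` URL `wss://sshproxy.example.com/%h/%p` does not match the Apache config in the same hunk, which only forwards requests under `/proxy/` (`ProxyPass "/proxy/" "ws://[::1]:8086/proxy/"`) and gates them with `<LocationMatch "^/proxy/[^/]+/22$">`; a request for `/host/22` falls through to `DocumentRoot` and the port-22 allow rule never applies. Change the client line to `wss://sshproxy.example.com/proxy/%h/%p`. Three smaller points: the `curl -Lo` command in Apache step 4 is wrapped across two lines inside the fence, so the URL is split after `/public` and the command fails as pasted; `go get` in both "step 1" blocks no longer builds and installs binaries with module-mode Go (1.17 and later), so `CGO_ENABLED=0 go install github.com/google/huproxy@latest` (and `.../huproxyclient@latest`) is the form that works; and the commented group-limit example relies on `AuthGroupFile` / `Require group`, which needs `authz_groupfile` enabled, and that module is not in the `a2enmod` list in step 3.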
@@ -0,0 +1,75 @@ | ||
# Pomerium | ||
|
||
## What is Pomerium | ||
|
||
[Pomerium](https://pomerium.com/) is an identity-aware proxy that enables secure | ||
access to internal applications. Pomerium provides a standardized interface to | ||
add access control to applications regardless of whether the application itself | ||
has authorization or authentication baked-in. Pomerium gateways both internal | ||
and external requests, and can be used in situations where you'd typically reach | ||
for a VPN. | ||
|
||
## Keymaster Config | ||
|
||
``` | ||
openid_connect_idp: | ||
default_email_domain: "example.com" | ||
clients: | ||
- client_id: "pomerium" | ||
client_secret: "Pre-Shared-Key" | ||
allowed_redirect_domains: | ||
- "pomerium.example.com" | ||
``` | ||
|
||
## Pomerium Config | ||
|
||
Configure certificates and DNS as you would normally. You can get your own | ||
certificates, use certbot to obtain wildcards or enable autocert. Once you have | ||
that figured out, set up below is a good example. | ||
|
||
``` | ||
authenticate_service_url: https://pomerium.example.com | ||
signout_redirect_url: https://keymaster.example.com/api/v0/logout | ||
idp_provider: oidc | ||
idp_provider_url: https://keymaster.example.com | ||
idp_client_id: pomerium | ||
idp_client_secret: Pre-Shared-Key | ||
cookie_expire: 16h | ||
cookie_domain: pomerium.example.com | ||
cookie_secret: (EXECUTE head -c32 /dev/urandom | base64) | ||
policy: | ||
- from: https://site1.pomerium.example.com | ||
to: https://site1.internal.example.com:4422 | ||
allow_websockets: false | ||
preserve_host_header: true | ||
tls_skip_verify: false | ||
allowed_idp_claims: | ||
groups: | ||
- marketing | ||
- product | ||
- from: https://site2.pomerium.example.com | ||
to: https://site2.internal.example.com:443 | ||
allow_websockets: true | ||
preserve_host_header: false | ||
tls_skip_verify: true | ||
allowed_users: | ||
- user1@example.com | ||
- user2@example.com | ||
- from: https://site3.pomerium.example.com | ||
to: https://site3.internal.example.com:4422 | ||
allow_websockets: true | ||
preserve_host_header: true | ||
tls_skip_verify: false | ||
allowed_domains: | ||
- example.com | ||
``` | ||
|
||
## Congrats | ||
You can now access internal websites without a VPN. Further reading is available | ||
at the Pomerium [guides](https://www.pomerium.com/guides/) and | ||
[references](https://www.pomerium.com/reference/) pages. |
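Review bot: the `site2` route sets `tls_skip_verify: true`, which disables verification of the upstream `https://site2.internal.example.com:443` certificate and lets anything that answers on that address impersonate the backend; in an example positioned as a VPN replacement this is the line readers will copy. Keep `tls_skip_verify: false` as in the other two routes and, if the backend uses an internal CA, point at it with `tls_custom_ca_file` instead. A sentence near `cookie_secret` and `idp_client_secret` noting that both values (the latter shared with the Keymaster `client_secret`) must be kept out of version control would also help, and the prose "set up below is a good example" should read "the setup below is a good example".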