Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(box): Secure TTYD with HTTPS & HTTP Basic Authentication #20

Merged
merged 41 commits into from
Jun 22, 2022
Merged

feat(box): Secure TTYD with HTTPS & HTTP Basic Authentication #20

merged 41 commits into from
Jun 22, 2022

Conversation

mrzzy
Copy link
Owner

@mrzzy mrzzy commented Jun 19, 2022
edited
Loading

Purpose

Closes: #19

Contents

Secure TTYD with HTTPS & HTTP Basic Authentication:

  • configures ttyd to use HTTPS with TLS certificates at /etc/ssl/certs/ttyd.pem & /etc/ssl/private/ttyd.key
  • adds a iptables route from HTTPS (443) to TTYD (7681).
    • This is required as TTYD runs as an unprivileged user & does not have the permissions to listen on a privileged port: 443.
  • enables HTTP basic authentication on TTYD using password passed by devbox_ttyd_password Ansible var & web_term_password Packer var.
  • For security, when no password is not set, TTYD will longer run on boot so as to prevent an unauthenticated web terminal from being exposed to the public internet.

Refactored to remove hardcode of mrzzy as user name.

mrzzy
mrzzy commented Jun 19, 2022
View reviewed changes
box/packer/variables.pkr.hcl Outdated Show resolved Hide resolved
This was referenced Jun 19, 2022
Closed
Merged
@mrzzy mrzzy marked this pull request as ready for review June 20, 2022 01:30
mrzzy
mrzzy commented Jun 20, 2022
View reviewed changes
.github/workflows/ci.yaml Outdated Show resolved Hide resolved
box/ansible/roles/devbox/defaults/main.yaml Outdated Show resolved Hide resolved
mrzzy added 25 commits June 20, 2022 19:02
@mrzzy
refactor(box): extract install_ttyd.yaml out of tooling/
17a23f5
@mrzzy
refactor(scope): split out ttyd setup from install_ttyd.yaml to setup…
7212a09 
…_ttyd.yaml
@mrzzy
feat(box): add certbot systemd service to provision tls certs for ttyd
18cf739
@mrzzy
build(box): add missing snap install certbot
b00b344
@mrzzy
fix(box): hang for user input by running certbot in noninteractive modeb
f421982
@mrzzy
fix(box): fix typo in top level domain name '.co'
4daea17
@mrzzy
fix(box): missing .service suffix in Want / After directives in ttyd …
a4479b6 
…systemd service
@mrzzy
refactor(box): allow devbox user to be specified via devbox_user var
70f4323
@mrzzy
fix(box): permissions to allow ttyd to access provisioned tls certs
8b78dfa
@mrzzy
feat(box): add iptables rule to redirect https traffic to port 7681 w…
7d0592d 
…here ttyd is listening
@mrzzy
feat(box): enable http basic auth on ttyd terminal
ce8d470
@mrzzy
feat(box): pass ttyd password from BOX_WEB_TERM_PASSWORD github secret
87933ff
@mrzzy
feat(box): disable certbot and ttyd if devbox_ttyd_password is unset
cb3d41f 
Exposing an unauthenticated web shell poses a security risk
@mrzzy
fix(box): typo in packer env var prefix 'PKR_VAR'
dc7ba9e
@mrzzy
fix(box): don't start ttyd systemd service during build
3743176
@mrzzy
build(box): handle unhandled case where web_term_password is not pass…
2798071 
…ed to packer
@mrzzy
docs(box): reword web_term_password packer var description
349ecf3
@mrzzy
fix(box): inverted condition in ansible 'when:'
527e1d4
@mrzzy
refactor(box): refactor ansible var 'devbox_tls_letsencrypt_staging' …
9cd451c 
…to '_production'

having a switch that defaults to false makes more semantic sense that a
switch that always defaults to true.
@mrzzy
build(box): pass tls_letsencrypt_production packer var to ansible var
3823cc1
@mrzzy
refactor(box): rename 'tls_letsencrypt_production' packer var to 'is_…
7f3bacb 
…tls_production'
@mrzzy
ci(box): enable letsencrypt production tls certs on images built on m…
1344282 
…ain branch
@mrzzy
test tls production certs
f2519c9
@mrzzy
feat(box): ensure certbot runs after cloud init when box runs in a cl…
74602a3 
…oud vm environment
@mrzzy
revert(box): Revert "test tls production certs"
4912054 
This reverts commit 45af65c.
@mrzzy
fix(box): fix typo in ttyd flag --credential
1381b38
@mrzzy
revert: "feat(box): ensure certbot runs after cloud init when box run…
8b0f8f0 
…s in a cloud vm environment"

This reverts commit 74602a3.
Making certbot run after cloud-final.service causes conflicting dependencies:
- multi-user -> ttyd
- ttyd -> certbot
- certbot -> cloud-final
- multi-user -> cloud-final
@mrzzy
refactor(box): remove certbot from ansible playbook
b1a2e37
@mrzzy
build(box): remove certbot from packer build
1e52fc4
@mrzzy
ci(box): remove packer from ci pipeline
b8bed84
@mrzzy
refactor(box): ttyd to expect tls cert & key to provisioned in /etc/ssl/
b73f07e
@mrzzy
docs(box): document behaviour when devbox_ttyd_password is unset
62847f0
@mrzzy
fix(box): missing perms for ttyd to access tls private key
d128054 
by adding devbox user to ssl-cert group, which has read access to
/etc/ssl/private/
mrzzy
mrzzy commented Jun 22, 2022
View reviewed changes
box/packer/image.pkr.hcl Outdated Show resolved Hide resolved
mrzzy
mrzzy commented Jun 22, 2022
View reviewed changes
box/packer/variables.pkr.hcl Outdated Show resolved Hide resolved
@mrzzy mrzzy merged commit 47c29ea into main Jun 22, 2022
@mrzzy mrzzy deleted the feat/certbot-tls branch June 22, 2022 21:42
@mrzzy mrzzy mentioned this pull request Jun 24, 2022
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Secure TTYD with Let Encrypt TLS Certs
1 participant
@mrzzy