From 7e25c11c2007803495c2115c9dd71c243526f599 Mon Sep 17 00:00:00 2001
From: alfons
Date: Sat, 2 Mar 2024 21:23:39 +0100
Subject: [PATCH] Add Docker support for easier deployments + uppercase REALM
Author: alfonsrv
Developer Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me.
(c) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.
Signed-off-by: github/alfonsrv
---
docker/Dockerfile | 32 +++++++++++++++++++++
docker/README.md | 7 +++++
docker/certs/.gitkeep | 0
docker/config/kdc-wsgi.conf | 41 +++++++++++++++++++++++++++
docker/config/sample-kdcproxy.conf | 24 ++++++++++++++++
docker/docker-compose.yml | 45 ++++++++++++++++++++++++++++++
kdcproxy/parse_pyasn1.py | 1 +
7 files changed, 150 insertions(+)
create mode 100644 docker/Dockerfile
create mode 100644 docker/README.md
create mode 100644 docker/certs/.gitkeep
create mode 100644 docker/config/kdc-wsgi.conf
create mode 100644 docker/config/sample-kdcproxy.conf
create mode 100644 docker/docker-compose.yml
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..1069e9d
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,32 @@
+FROM python:3.11-slim
+LABEL maintainer="github/alfonsrv "
+
+ENV APACHE_CONFDIR=/etc/apache2
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends git \
+ apache2 libapache2-mod-wsgi-py3 \
+ krb5-k5tls \
+ && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN a2enmod wsgi \
+ && a2enmod ssl \
+ && a2enmod headers \
+ && a2enmod setenvif
+
+RUN ln -sf /proc/self/fd/1 /var/log/apache2/access.log && \
+ ln -sf /proc/self/fd/1 /var/log/apache2/error.log
+
+COPY config/kdc-wsgi.conf ${APACHE_CONFDIR}/sites-available/
+
+# Download + install kdcproxy and get install path to replace in apache config
+RUN git clone https://github.com/latchset/kdcproxy.git /tmp/kdcproxy \
+ && pip install /tmp/kdcproxy \
+ && KDC_PROXY_PATH=$(python -c "import site; print(site.getsitepackages()[0])")/kdcproxy \
+ && sed -ri -e "s!KDC_PROXY_PATH!${KDC_PROXY_PATH}!g" /etc/apache2/sites-available/*.conf \
+ && sed -ri -e "s!SERVER_NAME!${SERVER_NAME}!g" /etc/apache2/sites-available/*.conf
+
+RUN a2dissite 000-default.conf \
+ && a2ensite kdc-wsgi.conf
+
+CMD ["apachectl", "-D", "FOREGROUND"]
\ No newline at end of file
diff --git a/docker/README.md b/docker/README.md
new file mode 100644
index 0000000..9ba8f95
--- /dev/null
+++ b/docker/README.md
@@ -0,0 +1,7 @@
+# KDC Proxy Docker Container 🐋
+
+* Rename `config/sample-kdcproxy.conf` to `config/kdcproxy.conf`
+* Configure Domain Controller IP addresses via `extra_hosts` in `docker-compose.yml`
+* Configure Realm and Domain Controller DNS Names in `config/kdcproxy.conf`
+* Run `docker-compose up` and configure to run as service
+* Run either behind reverse proxy or as a directly exposed server (bring your own certificates)
diff --git a/docker/certs/.gitkeep b/docker/certs/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/docker/config/kdc-wsgi.conf b/docker/config/kdc-wsgi.conf
new file mode 100644
index 0000000..526ee3a
--- /dev/null
+++ b/docker/config/kdc-wsgi.conf
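Review bot: The last `sed` in the kdcproxy `RUN` step substitutes `${SERVER_NAME}` into the Apache config at image build time, but nothing in this Dockerfile declares `SERVER_NAME` as an `ARG` or `ENV`, so the shell expands it to an empty string and `ServerName` ends up blank in every image; the `SERVER_NAME` set under `environment:` in docker-compose.yml exists only at container run time and never reaches this build step. Declare it as a build argument (`ARG SERVER_NAME=localhost` before that `RUN`) and pass it through `build: args:` in docker-compose.yml, or move the substitution into an entrypoint script that runs before `apachectl`. Separately, `git clone https://github.com/latchset/kdcproxy.git` installs whatever the default branch holds at build time, so the image is not reproducible and any upstream change lands in it unreviewed; install a pinned revision instead, `pip install --no-cache-dir git+https://github.com/latchset/kdcproxy.git@<pinned-tag-or-commit>`, which also removes the need to ship `git` in the runtime image. The `\ No newline at end of file` on the `CMD` line is cosmetic but easy to fix now.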
@@ -0,0 +1,41 @@
+
+ ServerName SERVER_NAME
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine on
+ SSLCertificateFile /certs/cert.crt
+ SSLCertificateKeyFile /certs/cert.key
+
+ # Prevent showing the default Apache2 website
+ RedirectMatch ^/(?!(?i:KdcProxy))(.*)$ https://opensource.org/
+
+ # Python WSGI KDC Proxy setup
+ WSGIDaemonProcess kdcproxy \
+ processes=2 \
+ threads=15 \
+ maximum-requests=1000 \
+ display-name=%{GROUP}
+ WSGIImportScript KDC_PROXY_PATH/__init__.py \
+ process-group=kdcproxy \
+ application-group=kdcproxy
+ WSGIScriptAliasMatch "(?i)^/KdcProxy" \
+ KDC_PROXY_PATH/__init__.py
+ WSGIScriptReloading Off
+
+ # Set headers if available
+
+ SetEnvIf X-Forwarded-Host (.*) REAL_HOST_HEADER=$1
+
+ RequestHeader set Host "%{REAL_HOST_HEADER}e"
+
+
+
+
+ Satisfy Any
+ Order Deny,Allow
+ Allow from all
+ WSGIProcessGroup kdcproxy
+ WSGIApplicationGroup kdcproxy
+
+
diff --git a/docker/config/sample-kdcproxy.conf b/docker/config/sample-kdcproxy.conf
new file mode 100644
index 0000000..43f79f4
--- /dev/null
+++ b/docker/config/sample-kdcproxy.conf
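Review bot: The `SetEnvIf X-Forwarded-Host (.*) REAL_HOST_HEADER=$1` / `RequestHeader set Host "%{REAL_HOST_HEADER}e"` pair overwrites the Host header from a request header that any client can send, and nothing visible in this hunk limits it to requests arriving from a trusted reverse proxy (the enclosing angle-bracket container directives appear to have been stripped in this rendering, so a guard inside them cannot be ruled out). Because the README allows running the container directly exposed, a client could then choose the Host value that Apache and the WSGI application see; make the `SetEnvIf` conditional on `Remote_Addr` matching the proxy's address (`<proxy-address-placeholder>`), or state in the config that the rewrite must be removed when no proxy is in front. The `Satisfy Any` / `Order Deny,Allow` / `Allow from all` block is Apache 2.2 access syntax that works on 2.4 only through mod_access_compat; `Require all granted` is the native form for the `python:3.11-slim` (Debian) apache2 package. The `RedirectMatch` for every non-KdcProxy path forwards visitors to an unrelated external site; `RedirectMatch 404 ^/(?!(?i:KdcProxy))` hides the default page without the off-site redirect.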
@@ -0,0 +1,24 @@
+[global]
+# Use default libkrb5 configuration; if you load the mit config module in the master configuration file,
+# kdcproxy will also read the config using libkrb5 (usually /etc/krb5.conf). If this module is used, kdcproxy
+# will respect the DNS settings from the [libdefaults] section and the realm configuration from the [realms] section.
+# For more information, see the documentation for MIT's krb5.conf.
+configs = mit
+
+# Use DNS SRV lookup to automatically resolve domain
+use_dns = False
+
+[CONTOSO.LOC]
+# The realm configuration parameters may list multiple servers separated by a space.
+# The order the realms are specified in will be respected by kdcproxy when forwarding requests. The port number is optional.
+#
+# Possible schemes are:
+# * kerberos://
+# * kerberos+tcp://
+# * kerberos+udp://
+# * kpasswd://
+# * kpasswd+tcp://
+# * kpasswd+udp://
+
+kerberos = kerberos+tcp://test-dc1.contoso.loc:88
+kpasswd = kpasswd+tcp://test-dc1.contoso.loc:464
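Review bot: The sample shows `[CONTOSO.LOC]` as the realm section but never says the section name has to be upper-case, which matters now that `decode_proxymessage` in kdcproxy/parse_pyasn1.py normalises the realm received from the client to upper-case; a section written in mixed case would silently never match. Add a comment above the section, `# Realm section names must be written in upper-case; the realm received from the client is upper-cased when the request is decoded`. The `test-dc1.contoso.loc` host names on the `kerberos =` and `kpasswd =` lines also have to agree with the `extra_hosts` entry in docker-compose.yml, which the README mentions but the sample does not; a one-line comment on the `kerberos =` line pointing at that would prevent a silent resolution failure when one side is edited.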
@@ -0,0 +1,45 @@
+---
+version: '3'
+services:
+ kdcproxy:
+ build:
+ context: .
+ dockerfile: ./Dockerfile
+ container_name: kdcproxy-apache
+ restart: unless-stopped
+ ports:
+ - "443:443"
+ environment:
+ - KDCPROXY_CONFIG=/config/kdcproxy.conf
+ - SERVER_NAME=${SERVER_NAME:-selfsign.rausys.de}
+ volumes:
+ - config:/config:ro
+ - certs:/certs:ro
+ extra_hosts:
+ - "test-dc1.contoso.loc:10.10.10.10"
+
+ omgwtfssl:
+ image: paulczar/omgwtfssl
+ container_name: kdcproxy-ssl
+ restart: "no"
+ volumes:
+ - certs:/certs
+ environment:
+ - SSL_SUBJECT=${SERVER_NAME:-selfsign.rausys.de}
+ - SSL_KEY=/certs/cert.key
+ - SSL_CSR=/certs/cert.csr
+ - SSL_CERT=/certs/cert.crt
+
+volumes:
+ config:
+ driver: local
+ driver_opts:
+ type: none
+ o: bind
+ device: ./config
+ certs:
+ driver: local
+ driver_opts:
+ type: none
+ o: bind
+ device: ./certs
diff --git a/kdcproxy/parse_pyasn1.py b/kdcproxy/parse_pyasn1.py
index 8166cdf..e17db56 100644
--- a/kdcproxy/parse_pyasn1.py
+++ b/kdcproxy/parse_pyasn1.py
@@ -100,6 +100,7 @@ def decode_proxymessage(data):
 realm = str(realm, "utf-8")
 except TypeError: # Python 2.x
 realm = str(realm)
+ realm = realm.upper()
 else:
 realm = None
 flags = req.getComponentByName('flags')
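Review bot: `image: paulczar/omgwtfssl` carries no tag or digest, so the one-shot container that writes the TLS private key to `certs/cert.key` resolves to whatever that repository's `latest` points at on each pull; the key material for the HTTPS endpoint is generated by an unpinned third-party image. Pin it by digest, `image: paulczar/omgwtfssl@sha256:<digest-placeholder>`, and note in the README that this is a self-signed bootstrap rather than a production certificate. The fallback `${SERVER_NAME:-selfsign.rausys.de}` bakes a maintainer-specific hostname into the certificate subject for every user who forgets to set the variable; a neutral default such as `localhost` makes the omission visible instead of producing a certificate for someone else's domain. The top-level `version: '3'` key is ignored with a warning by current Compose and can be dropped.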
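Review bot: `realm = realm.upper()` changes the realm returned by `decode_proxymessage` for every caller, not only the configuration lookup that motivated it; Kerberos realm names are case-sensitive, so a deployment that deliberately configured a mixed-case realm section, or any consumer that relies on the realm exactly as the client sent it, stops matching after this change, and the new line carries no comment explaining the normalisation. If tolerant config matching is the goal, upper-casing at lookup time would keep the decoded message faithful; otherwise add `# Normalise the realm to upper-case so it matches realm sections written in the conventional upper-case form` above the new line and record the behaviour change in the changelog. `str.upper()` is Unicode-aware, so for a non-ASCII realm the result can differ in length (`'ß'.upper()` is `'SS'`); if only ASCII realms are expected, say so in that comment. `decode_proxymessage` starts before and continues after this hunk.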