Skip to content

Commit

Permalink
Add Docker support for easier deployments + uppercase REALM
Browse files Browse the repository at this point in the history
Author:    alfonsrv <[email protected]>

Developer Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or

(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me.

(c) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.

Signed-off-by: github/alfonsrv <[email protected]>
Signed-off-by: alfons <[email protected]>
  • Loading branch information
alfonsrv committed Jun 16, 2024
1 parent f61979e commit 9538738
Show file tree
Hide file tree
Showing 7 changed files with 150 additions and 0 deletions.
32 changes: 32 additions & 0 deletions docker/Dockerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
FROM python:3.11-slim
LABEL maintainer="github/alfonsrv <[email protected]>"

ENV APACHE_CONFDIR=/etc/apache2

RUN apt-get update \
&& apt-get install -y --no-install-recommends git \
apache2 libapache2-mod-wsgi-py3 \
krb5-k5tls \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

RUN a2enmod wsgi \
&& a2enmod ssl \
&& a2enmod headers \
&& a2enmod setenvif

RUN ln -sf /proc/self/fd/1 /var/log/apache2/access.log && \
ln -sf /proc/self/fd/1 /var/log/apache2/error.log

COPY config/kdc-wsgi.conf ${APACHE_CONFDIR}/sites-available/

# Download + install kdcproxy and get install path to replace in apache config
RUN git clone https://github.com/latchset/kdcproxy.git /tmp/kdcproxy \
&& pip install /tmp/kdcproxy \
&& KDC_PROXY_PATH=$(python -c "import site; print(site.getsitepackages()[0])")/kdcproxy \
&& sed -ri -e "s!KDC_PROXY_PATH!${KDC_PROXY_PATH}!g" /etc/apache2/sites-available/*.conf \
&& sed -ri -e "s!SERVER_NAME!${SERVER_NAME}!g" /etc/apache2/sites-available/*.conf

RUN a2dissite 000-default.conf \
&& a2ensite kdc-wsgi.conf

CMD ["apachectl", "-D", "FOREGROUND"]
7 changes: 7 additions & 0 deletions docker/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# KDC Proxy Docker Container 🐋

* Rename `config/sample-kdcproxy.conf` to `config/kdcproxy.conf`
* Configure Domain Controller IP addresses via `extra_hosts` in `docker-compose.yml`
* Configure Realm and Domain Controller DNS Names in `config/kdcproxy.conf`
* Run `docker-compose up` and configure to run as service
* Run either behind reverse proxy or as a directly exposed server (bring your own certificates)
Empty file added docker/certs/.gitkeep
Empty file.
41 changes: 41 additions & 0 deletions docker/config/kdc-wsgi.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
<VirtualHost *:443>
ServerName SERVER_NAME
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCertificateFile /certs/cert.crt
SSLCertificateKeyFile /certs/cert.key

# Prevent showing the default Apache2 website
RedirectMatch ^/(?!(?i:KdcProxy))(.*)$ https://opensource.org/

# Python WSGI KDC Proxy setup
WSGIDaemonProcess kdcproxy \
processes=2 \
threads=15 \
maximum-requests=1000 \
display-name=%{GROUP}
WSGIImportScript KDC_PROXY_PATH/__init__.py \
process-group=kdcproxy \
application-group=kdcproxy
WSGIScriptAliasMatch "(?i)^/KdcProxy" \
KDC_PROXY_PATH/__init__.py
WSGIScriptReloading Off

# Set headers if available
<IfModule mod_setenvif.c>
SetEnvIf X-Forwarded-Host (.*) REAL_HOST_HEADER=$1
<IfModule mod_headers.c>
RequestHeader set Host "%{REAL_HOST_HEADER}e"
</IfModule>
</IfModule>

<LocationMatch "(?i)^/KdcProxy">
Satisfy Any
Order Deny,Allow
Allow from all
WSGIProcessGroup kdcproxy
WSGIApplicationGroup kdcproxy
</LocationMatch>
</VirtualHost>
24 changes: 24 additions & 0 deletions docker/config/sample-kdcproxy.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
[global]
# Use default libkrb5 configuration; if you load the mit config module in the master configuration file,
# kdcproxy will also read the config using libkrb5 (usually /etc/krb5.conf). If this module is used, kdcproxy
# will respect the DNS settings from the [libdefaults] section and the realm configuration from the [realms] section.
# For more information, see the documentation for MIT's krb5.conf.
configs = mit

# Use DNS SRV lookup to automatically resolve domain
use_dns = False

[CONTOSO.LOC]
# The realm configuration parameters may list multiple servers separated by a space.
# The order the realms are specified in will be respected by kdcproxy when forwarding requests. The port number is optional.
#
# Possible schemes are:
# * kerberos://
# * kerberos+tcp://
# * kerberos+udp://
# * kpasswd://
# * kpasswd+tcp://
# * kpasswd+udp://

kerberos = kerberos+tcp://test-dc1.contoso.loc:88
kpasswd = kpasswd+tcp://test-dc1.contoso.loc:464
45 changes: 45 additions & 0 deletions docker/docker-compose.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
---
version: '3'
services:
kdcproxy:
build:
context: .
dockerfile: ./Dockerfile
container_name: kdcproxy-apache
restart: unless-stopped
ports:
- "443:443"
environment:
- KDCPROXY_CONFIG=/config/kdcproxy.conf
- SERVER_NAME=${SERVER_NAME:-selfsign.rausys.de}
volumes:
- config:/config:ro
- certs:/certs:ro
extra_hosts:
- "test-dc1.contoso.loc:10.10.10.10"

omgwtfssl:
image: paulczar/omgwtfssl
container_name: kdcproxy-ssl
restart: "no"
volumes:
- certs:/certs
environment:
- SSL_SUBJECT=${SERVER_NAME:-selfsign.rausys.de}
- SSL_KEY=/certs/cert.key
- SSL_CSR=/certs/cert.csr
- SSL_CERT=/certs/cert.crt

volumes:
config:
driver: local
driver_opts:
type: none
o: bind
device: ./config
certs:
driver: local
driver_opts:
type: none
o: bind
device: ./certs
1 change: 1 addition & 0 deletions kdcproxy/parse_pyasn1.py
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ def decode_proxymessage(data):
realm = str(realm, "utf-8")
except TypeError: # Python 2.x
realm = str(realm)
realm = realm.upper()
else:
realm = None
flags = req.getComponentByName('flags')
Expand Down

0 comments on commit 9538738

Please sign in to comment.