mirror of
https://github.com/vimagick/dockerfiles.git
synced 2024-12-23 01:39:27 +02:00
add dsvpn
This commit is contained in:
parent
de973aa032
commit
531096b358
@ -246,6 +246,7 @@ A collection of delicious docker recipes.
|
||||
|
||||
## VPN
|
||||
|
||||
- [x] dsvpn :+1:
|
||||
- [x] n2n :+1:
|
||||
- [x] ocserv :+1:
|
||||
- [x] openconnect
|
||||
|
27
dsvpn/Dockerfile
Normal file
27
dsvpn/Dockerfile
Normal file
@ -0,0 +1,27 @@
|
||||
FROM alpine AS builder
|
||||
|
||||
ENV DSVPN_VERSION=0.1.4
|
||||
ENV DSVPN_URL=https://github.com/jedisct1/dsvpn/archive/${DSVPN_VERSION}.tar.gz
|
||||
|
||||
RUN set -xe \
|
||||
&& apk add --no-cache build-base curl linux-headers \
|
||||
&& curl -sSL ${DSVPN_URL} | tar xz \
|
||||
&& cd dsvpn-${DSVPN_VERSION} \
|
||||
&& make PREFIX=/usr install
|
||||
|
||||
#
|
||||
# Dockerfile for dsvpn
|
||||
#
|
||||
|
||||
FROM alpine
|
||||
MAINTAINER EasyPi Software Foundation
|
||||
|
||||
RUN apk add --no-cache iptables
|
||||
COPY --from=builder /usr/sbin/dsvpn /usr/sbin/
|
||||
|
||||
WORKDIR /etc/dsvpn
|
||||
|
||||
EXPOSE 443
|
||||
|
||||
ENTRYPOINT ["dsvpn"]
|
||||
CMD ["server", "vpn.key"]
|
43
dsvpn/README.md
Normal file
43
dsvpn/README.md
Normal file
@ -0,0 +1,43 @@
|
||||
dsvpn
|
||||
=====
|
||||
|
||||
[DSVPN][1] is a Dead Simple VPN
|
||||
|
||||
docker-compose.yml
|
||||
------------------
|
||||
|
||||
```yaml
|
||||
dsvpn:
|
||||
image: vimagick/dsvpn
|
||||
command: server vpn.key auto 1959
|
||||
ports:
|
||||
- "1959:1959"
|
||||
volumes:
|
||||
- ./data:/etc/dsvpn
|
||||
working_dir: /etc/dsvpn
|
||||
devices:
|
||||
- /dev/net/tun
|
||||
privileged: true
|
||||
restart: unless-stopped
|
||||
```
|
||||
|
||||
server
|
||||
------
|
||||
|
||||
```bash
|
||||
$ mkdir -p data
|
||||
$ dd if=/dev/urandom of=data/vpn.key count=1 bs=32
|
||||
$ docker-compose up -d
|
||||
$ docker-compose logs -f
|
||||
```
|
||||
|
||||
client
|
||||
------
|
||||
|
||||
```bash
|
||||
$ sudo dsvpn vpn.key 1.2.3.4 1959
|
||||
$ ifconfig tun0
|
||||
$ ping 192.168.192.254
|
||||
```
|
||||
|
||||
[1]: https://github.com/jedisct1/dsvpn
|
11
dsvpn/docker-compose.yml
Normal file
11
dsvpn/docker-compose.yml
Normal file
@ -0,0 +1,11 @@
|
||||
dsvpn:
|
||||
image: vimagick/dsvpn
|
||||
command: server vpn.key auto 1959
|
||||
ports:
|
||||
- "1959:1959"
|
||||
volumes:
|
||||
- ./data:/etc/dsvpn
|
||||
devices:
|
||||
- /dev/net/tun
|
||||
privileged: true
|
||||
restart: unless-stopped
|
8
nginx-sso/nginx/conf.d/include/ssl.inc
Normal file
8
nginx-sso/nginx/conf.d/include/ssl.inc
Normal file
@ -0,0 +1,8 @@
|
||||
ssl_certificate /etc/nginx/certs/yourdomain.com.crt;
|
||||
ssl_certificate_key /etc/nginx/certs/yourdomain.com.key;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
36
nginx-sso/nginx/conf.d/include/sso.inc
Normal file
36
nginx-sso/nginx/conf.d/include/sso.inc
Normal file
@ -0,0 +1,36 @@
|
||||
# Protect this location using the auth_request
|
||||
auth_request /sso-auth;
|
||||
|
||||
# Redirect the user to the login page when they are not logged in
|
||||
error_page 401 = @error401;
|
||||
|
||||
location /sso-auth {
|
||||
# Do not allow requests from outside
|
||||
internal;
|
||||
|
||||
# Access /auth endpoint to query login state
|
||||
proxy_pass http://172.17.0.1:8082/auth;
|
||||
|
||||
# Do not forward the request body (nginx-sso does not care about it)
|
||||
proxy_pass_request_body off;
|
||||
proxy_set_header Content-Length "";
|
||||
|
||||
# Set custom information for ACL matching: Each one is available as
|
||||
# a field for matching: X-Host = x-host, ...
|
||||
proxy_set_header X-Origin-URI $request_uri;
|
||||
proxy_set_header X-Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
# If the user is lead to /logout redirect them to the logout endpoint
|
||||
# of ngninx-sso which then will redirect the user to / on the current host
|
||||
location /sso-logout {
|
||||
return 302 https://login.yourdomain.com/logout?go=$scheme://$http_host/;
|
||||
}
|
||||
|
||||
# Define where to send the user to login and specify how to get back
|
||||
location @error401 {
|
||||
return 302 https://login.yourdomain.com/login?go=$scheme://$http_host$request_uri;
|
||||
}
|
22
nginx-sso/nginx/sites-enabled/000-nginx-sso.conf
Normal file
22
nginx-sso/nginx/sites-enabled/000-nginx-sso.conf
Normal file
@ -0,0 +1,22 @@
|
||||
# Redirect all requests to this server to https
|
||||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
server_name _;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name login.yourdomain.com;
|
||||
|
||||
access_log /var/log/nginx/login.yourdomain.com_access.log;
|
||||
error_log /var/log/nginx/login.yourdomain.com_error.log;
|
||||
|
||||
include conf.d/include/ssl.inc;
|
||||
|
||||
location / {
|
||||
proxy_pass http://172.17.0.1:8082/;
|
||||
}
|
||||
}
|
31
nginx-sso/nginx/sites-enabled/hass.yourdomain.com.conf
Normal file
31
nginx-sso/nginx/sites-enabled/hass.yourdomain.com.conf
Normal file
@ -0,0 +1,31 @@
|
||||
map $http_upgrade $connection_upgrade {
|
||||
default upgrade;
|
||||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name hass.yourdomain.com;
|
||||
|
||||
access_log /var/log/nginx/hass.yourdomain.com_access.log;
|
||||
error_log /var/log/nginx/hass.yourdomain.com_error.log;
|
||||
|
||||
include conf.d/include/ssl.inc;
|
||||
include conf.d/include/sso.inc;
|
||||
|
||||
location / {
|
||||
# Automatically renew SSO cookie on request
|
||||
auth_request_set $cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $cookie;
|
||||
|
||||
proxy_pass http://172.17.0.1:8123/;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_redirect http:// https://;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
}
|
19
nginx-sso/nginx/sites-enabled/portainer.yourdomain.com.conf
Normal file
19
nginx-sso/nginx/sites-enabled/portainer.yourdomain.com.conf
Normal file
@ -0,0 +1,19 @@
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name portainer.yourdomain.com;
|
||||
|
||||
access_log /var/log/nginx/portainer.yourdomain.com_access.log;
|
||||
error_log /var/log/nginx/portainer.yourdomain.com_error.log;
|
||||
|
||||
include conf.d/include/ssl.inc;
|
||||
include conf.d/include/sso.inc;
|
||||
|
||||
location / {
|
||||
# Automatically renew SSO cookie on request
|
||||
auth_request_set $cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $cookie;
|
||||
|
||||
proxy_pass http://172.17.0.1:9000/;
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user