1
0
mirror of https://github.com/vimagick/dockerfiles.git synced 2024-12-23 01:39:27 +02:00

add dsvpn

This commit is contained in:
kev 2019-12-12 20:19:46 +08:00
parent de973aa032
commit 531096b358
9 changed files with 198 additions and 0 deletions

View File

@ -246,6 +246,7 @@ A collection of delicious docker recipes.
## VPN
- [x] dsvpn :+1:
- [x] n2n :+1:
- [x] ocserv :+1:
- [x] openconnect

27
dsvpn/Dockerfile Normal file
View File

@ -0,0 +1,27 @@
FROM alpine AS builder
ENV DSVPN_VERSION=0.1.4
ENV DSVPN_URL=https://github.com/jedisct1/dsvpn/archive/${DSVPN_VERSION}.tar.gz
RUN set -xe \
&& apk add --no-cache build-base curl linux-headers \
&& curl -sSL ${DSVPN_URL} | tar xz \
&& cd dsvpn-${DSVPN_VERSION} \
&& make PREFIX=/usr install
#
# Dockerfile for dsvpn
#
FROM alpine
MAINTAINER EasyPi Software Foundation
RUN apk add --no-cache iptables
COPY --from=builder /usr/sbin/dsvpn /usr/sbin/
WORKDIR /etc/dsvpn
EXPOSE 443
ENTRYPOINT ["dsvpn"]
CMD ["server", "vpn.key"]

43
dsvpn/README.md Normal file
View File

@ -0,0 +1,43 @@
dsvpn
=====
[DSVPN][1] is a Dead Simple VPN
docker-compose.yml
------------------
```yaml
dsvpn:
image: vimagick/dsvpn
command: server vpn.key auto 1959
ports:
- "1959:1959"
volumes:
- ./data:/etc/dsvpn
working_dir: /etc/dsvpn
devices:
- /dev/net/tun
privileged: true
restart: unless-stopped
```
server
------
```bash
$ mkdir -p data
$ dd if=/dev/urandom of=data/vpn.key count=1 bs=32
$ docker-compose up -d
$ docker-compose logs -f
```
client
------
```bash
$ sudo dsvpn vpn.key 1.2.3.4 1959
$ ifconfig tun0
$ ping 192.168.192.254
```
[1]: https://github.com/jedisct1/dsvpn

11
dsvpn/docker-compose.yml Normal file
View File

@ -0,0 +1,11 @@
dsvpn:
image: vimagick/dsvpn
command: server vpn.key auto 1959
ports:
- "1959:1959"
volumes:
- ./data:/etc/dsvpn
devices:
- /dev/net/tun
privileged: true
restart: unless-stopped

View File

@ -0,0 +1,8 @@
ssl_certificate /etc/nginx/certs/yourdomain.com.crt;
ssl_certificate_key /etc/nginx/certs/yourdomain.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;

View File

@ -0,0 +1,36 @@
# Protect this location using the auth_request
auth_request /sso-auth;
# Redirect the user to the login page when they are not logged in
error_page 401 = @error401;
location /sso-auth {
# Do not allow requests from outside
internal;
# Access /auth endpoint to query login state
proxy_pass http://172.17.0.1:8082/auth;
# Do not forward the request body (nginx-sso does not care about it)
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# Set custom information for ACL matching: Each one is available as
# a field for matching: X-Host = x-host, ...
proxy_set_header X-Origin-URI $request_uri;
proxy_set_header X-Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# If the user is lead to /logout redirect them to the logout endpoint
# of ngninx-sso which then will redirect the user to / on the current host
location /sso-logout {
return 302 https://login.yourdomain.com/logout?go=$scheme://$http_host/;
}
# Define where to send the user to login and specify how to get back
location @error401 {
return 302 https://login.yourdomain.com/login?go=$scheme://$http_host$request_uri;
}

View File

@ -0,0 +1,22 @@
# Redirect all requests to this server to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name login.yourdomain.com;
access_log /var/log/nginx/login.yourdomain.com_access.log;
error_log /var/log/nginx/login.yourdomain.com_error.log;
include conf.d/include/ssl.inc;
location / {
proxy_pass http://172.17.0.1:8082/;
}
}

View File

@ -0,0 +1,31 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hass.yourdomain.com;
access_log /var/log/nginx/hass.yourdomain.com_access.log;
error_log /var/log/nginx/hass.yourdomain.com_error.log;
include conf.d/include/ssl.inc;
include conf.d/include/sso.inc;
location / {
# Automatically renew SSO cookie on request
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
proxy_pass http://172.17.0.1:8123/;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}

View File

@ -0,0 +1,19 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name portainer.yourdomain.com;
access_log /var/log/nginx/portainer.yourdomain.com_access.log;
error_log /var/log/nginx/portainer.yourdomain.com_error.log;
include conf.d/include/ssl.inc;
include conf.d/include/sso.inc;
location / {
# Automatically renew SSO cookie on request
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
proxy_pass http://172.17.0.1:9000/;
}
}