closed permission mode for Linux and Docker private shares
This commit is contained in:
parent
82ceeed58a
commit
47223961d1
@ -4,6 +4,10 @@
|
|||||||
|
|
||||||
CHANGE: add example in ./etc/caddy to set X-Real-IP header to public share client IP
|
CHANGE: add example in ./etc/caddy to set X-Real-IP header to public share client IP
|
||||||
|
|
||||||
|
FEATURE: Closed permission mode for Docker and Linux private shares
|
||||||
|
|
||||||
|
CHANGE: Docker examples set HOME to enable running CLI commands in the container
|
||||||
|
|
||||||
## v0.4.34
|
## v0.4.34
|
||||||
|
|
||||||
FEATURE: Linux service support for all private share modes (contribution from Stefan Adelbert @stefanadelbert)
|
FEATURE: Linux service support for all private share modes (contribution from Stefan Adelbert @stefanadelbert)
|
||||||
|
@ -17,7 +17,7 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- zrok_env:/mnt
|
- zrok_env:/mnt
|
||||||
environment:
|
environment:
|
||||||
STATE_DIRECTORY: /mnt
|
HOME: /mnt
|
||||||
ZROK_ENABLE_TOKEN:
|
ZROK_ENABLE_TOKEN:
|
||||||
ZROK_API_ENDPOINT:
|
ZROK_API_ENDPOINT:
|
||||||
ZROK_ENVIRONMENT_NAME: docker-private-access
|
ZROK_ENVIRONMENT_NAME: docker-private-access
|
||||||
|
@ -17,30 +17,38 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- zrok_env:/mnt
|
- zrok_env:/mnt
|
||||||
environment:
|
environment:
|
||||||
STATE_DIRECTORY: /mnt
|
HOME: /mnt
|
||||||
ZROK_ENABLE_TOKEN:
|
ZROK_ENABLE_TOKEN:
|
||||||
ZROK_API_ENDPOINT:
|
ZROK_API_ENDPOINT:
|
||||||
ZROK_ENVIRONMENT_NAME: docker-private-share
|
ZROK_ENVIRONMENT_NAME: docker-private-share
|
||||||
|
|
||||||
zrok-share:
|
zrok-share:
|
||||||
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
|
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
|
||||||
restart: no
|
restart: unless-stopped
|
||||||
entrypoint:
|
entrypoint: zrok-share.bash
|
||||||
- bash
|
|
||||||
- -euxc
|
|
||||||
- |
|
|
||||||
echo "DEBUG: HOME=$${HOME}"
|
|
||||||
ls -lA /mnt/.zrok/
|
|
||||||
exec zrok $${@}
|
|
||||||
command: -- share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}
|
|
||||||
depends_on:
|
depends_on:
|
||||||
zrok-enable:
|
zrok-enable:
|
||||||
condition: service_completed_successfully
|
condition: service_completed_successfully
|
||||||
volumes:
|
volumes:
|
||||||
- zrok_env:/mnt
|
- zrok_env:/mnt
|
||||||
environment:
|
environment:
|
||||||
HOME: /mnt
|
# internal configuration
|
||||||
PFXLOG_NO_JSON: "true"
|
HOME: /mnt # zrok homedir in container
|
||||||
|
|
||||||
|
# most relevant options
|
||||||
|
ZROK_UNIQUE_NAME: # name is used to construct frontend domain name, e.g. "myapp" in "myapp.share.zrok.io"
|
||||||
|
ZROK_BACKEND_MODE: # web, caddy, drive, proxy
|
||||||
|
ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode
|
||||||
|
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
|
||||||
|
ZROK_BASIC_AUTH: # username:password
|
||||||
|
ZROK_PERMISSION_MODE: # if "closed" allow only your account and additional accounts in ZROK_ACCESS_GRANTS
|
||||||
|
ZROK_ACCESS_GRANTS: # space-separated list of additional zrok account emails to grant access in closed permission mode
|
||||||
|
|
||||||
|
# least relevant options
|
||||||
|
ZROK_VERBOSE: # "--verbose"
|
||||||
|
ZROK_SHARE_OPTS: # additional arguments to "zrok reserve public" command
|
||||||
|
ZROK_FRONTEND_MODE: reserved-private
|
||||||
|
PFXLOG_NO_JSON: "true" # suppress JSON logging format
|
||||||
|
|
||||||
# demo server you can share with zrok
|
# demo server you can share with zrok
|
||||||
zrok-test:
|
zrok-test:
|
||||||
|
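Review bot: The help comments on the new `zrok-share` environment block are copied from the public-share example and do not match this service, which sets `ZROK_FRONTEND_MODE: reserved-private`. `ZROK_SHARE_OPTS` says "additional arguments to "zrok reserve public" command", and `ZROK_UNIQUE_NAME` is described as building a frontend domain name like "myapp.share.zrok.io", whereas the README in this commit uses it as the share token (`zrok modify ${ZROK_UNIQUE_NAME}`). Suggest `ZROK_SHARE_OPTS: # additional arguments to the "zrok reserve" command` and `ZROK_UNIQUE_NAME: # optional; for a reserved private share this becomes the share token that accessors must know`. The same domain-name comment is repeated unchanged in the later `@ -35,7 +35,7` hunk.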
@ -15,4 +15,4 @@ services:
|
|||||||
ZROK_BACKEND_MODE: caddy
|
ZROK_BACKEND_MODE: caddy
|
||||||
ZROK_TARGET: /Caddyfile
|
ZROK_TARGET: /Caddyfile
|
||||||
# internal configuration
|
# internal configuration
|
||||||
STATE_DIRECTORY: /mnt # zrok homedir in container
|
HOME: /mnt # zrok homedir in container
|
||||||
|
@ -18,7 +18,7 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- zrok_env:/mnt
|
- zrok_env:/mnt
|
||||||
environment:
|
environment:
|
||||||
STATE_DIRECTORY: /mnt
|
HOME: /mnt
|
||||||
ZROK_ENABLE_TOKEN:
|
ZROK_ENABLE_TOKEN:
|
||||||
ZROK_API_ENDPOINT:
|
ZROK_API_ENDPOINT:
|
||||||
ZROK_ENVIRONMENT_NAME:
|
ZROK_ENVIRONMENT_NAME:
|
||||||
@ -35,7 +35,7 @@ services:
|
|||||||
- zrok_env:/mnt
|
- zrok_env:/mnt
|
||||||
environment:
|
environment:
|
||||||
# internal configuration
|
# internal configuration
|
||||||
STATE_DIRECTORY: /mnt # zrok homedir in container
|
HOME: /mnt # zrok homedir in container
|
||||||
|
|
||||||
# most relevant options
|
# most relevant options
|
||||||
ZROK_UNIQUE_NAME: # name is used to construct frontend domain name, e.g. "myapp" in "myapp.share.zrok.io"
|
ZROK_UNIQUE_NAME: # name is used to construct frontend domain name, e.g. "myapp" in "myapp.share.zrok.io"
|
||||||
|
@ -30,7 +30,7 @@ When the project runs it will:
|
|||||||
|
|
||||||
## Before You Begin
|
## Before You Begin
|
||||||
|
|
||||||
To follow this guide you will need [Docker](https://docs.docker.com/get-docker/) and [the Docker Compose plugin](https://docs.docker.com/compose/install/) for running `docker compose` commands in your terminal.
|
To follow this guide you will need [Docker](https://docs.docker.com/get-docker/).
|
||||||
|
|
||||||
If you have installed Docker Desktop on macOS or Windows then you are all set.
|
If you have installed Docker Desktop on macOS or Windows then you are all set.
|
||||||
|
|
||||||
@ -99,6 +99,30 @@ Now that we have a private share we can access it with the zrok command or by ru
|
|||||||
|
|
||||||
1. Now your zrok private access proxy is ready on http://127.0.0.1:9191. You can visit the demo web server in your browser.
|
1. Now your zrok private access proxy is ready on http://127.0.0.1:9191. You can visit the demo web server in your browser.
|
||||||
|
|
||||||
|
## Closed Permission Mode
|
||||||
|
|
||||||
|
Normally, you need only the share token to access a private share. You can further restrict access with "closed" permission mode.
|
||||||
|
|
||||||
|
You must set the permission mode before you reserve the share.
|
||||||
|
|
||||||
|
Only your own account can access the private share.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ZROK_PERMISSION_MODE=closed
|
||||||
|
```
|
||||||
|
|
||||||
|
Grant access to additional zrok accounts.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ZROK_ACCESS_GRANTS="bob@example.com alice@example.org"
|
||||||
|
```
|
||||||
|
|
||||||
|
You can adjust the access grants by running the CLI inside the `zrok-share` container.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
docker compose exec zrok-share zrok modify ${ZROK_UNIQUE_NAME} --remove-access-grant bob@example.com
|
||||||
|
```
|
||||||
|
|
||||||
## Going Further with Private Access
|
## Going Further with Private Access
|
||||||
|
|
||||||
1. Try changing the demo web server used in the private share project. One alternative demo server is provided: `httpbin`.
|
1. Try changing the demo web server used in the private share project. One alternative demo server is provided: `httpbin`.
|
||||||
|
@ -25,10 +25,9 @@ fi
|
|||||||
if [[ -n "${STATE_DIRECTORY:-}" ]]; then
|
if [[ -n "${STATE_DIRECTORY:-}" ]]; then
|
||||||
export HOME="${STATE_DIRECTORY%:*}"
|
export HOME="${STATE_DIRECTORY%:*}"
|
||||||
else
|
else
|
||||||
echo "ERROR: STATE_DIRECTORY is undefined. This script must be run from systemd because it runs as a"\
|
echo "WARNING: STATE_DIRECTORY is undefined. Using HOME=${HOME}" >&2
|
||||||
"dynamically-allocated user and exclusively manages the files in STATE_DIRECTORY" >&2
|
|
||||||
exit 1
|
|
||||||
fi
|
fi
|
||||||
|
echo "DEBUG: zrok state directory is ${HOME}/.zrok"
|
||||||
|
|
||||||
if [[ -s ~/.zrok/environment.json ]]; then
|
if [[ -s ~/.zrok/environment.json ]]; then
|
||||||
echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to create a"\
|
echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to create a"\
|
||||||
|
@ -23,7 +23,12 @@ if ! command -v jq &>/dev/null; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd (/var/lib/zrok-share) or docker (/mnt)
|
# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd (/var/lib/zrok-share) or docker (/mnt)
|
||||||
|
if [[ -n "${STATE_DIRECTORY:-}" ]]; then
|
||||||
export HOME="${STATE_DIRECTORY%:*}"
|
export HOME="${STATE_DIRECTORY%:*}"
|
||||||
|
else
|
||||||
|
echo "WARNING: STATE_DIRECTORY is undefined. Using HOME=${HOME}" >&2
|
||||||
|
fi
|
||||||
|
echo "DEBUG: zrok state directory is ${HOME}/.zrok"
|
||||||
|
|
||||||
: "${ZROK_SHARE_RESERVED:=true}"
|
: "${ZROK_SHARE_RESERVED:=true}"
|
||||||
|
|
||||||
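Review bot: The comment on this hunk says HOME is set to the first colon-separated directory in STATE_DIRECTORY, but `${STATE_DIRECTORY%:*}` strips the shortest suffix matching `:*`, i.e. it drops only the last entry: for `a:b:c` it yields `a:b`, not `a`. To take the first entry use the longest-match form, `export HOME="${STATE_DIRECTORY%%:*}"`. The same expression appears unchanged in the earlier `@ -25,10 +25,9` hunk, so that file is affected too; for a single-directory STATE_DIRECTORY the two forms behave the same, which is presumably why it has not been noticed.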
@ -155,9 +160,25 @@ case "${ZROK_BACKEND_MODE}" in
|
|||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
[[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && {
|
if [[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]]; then
|
||||||
ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
|
ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
|
||||||
}
|
elif [[ -n "${ZROK_UNIQUE_NAME:-}" ]]; then
|
||||||
|
echo "WARNING: ZROK_UNIQUE_NAME='${ZROK_UNIQUE_NAME}' is ignored with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ "${ZROK_PERMISSION_MODE:-}" == closed ]]; then
|
||||||
|
ZROK_CMD+=" --closed"
|
||||||
|
if [[ -n "${ZROK_ACCESS_GRANTS:-}" ]]; then
|
||||||
|
for ACCESS_GRANT in ${ZROK_ACCESS_GRANTS}; do
|
||||||
|
ZROK_CMD+=" --access-grant ${ACCESS_GRANT}"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
echo "WARNING: ZROK_PERMISSION_MODE='${ZROK_PERMISSION_MODE}' and no additional ZROK_ACCESS_GRANTS; will be granted access" >&2
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
elif [[ -n "${ZROK_PERMISSION_MODE:-}" && "${ZROK_PERMISSION_MODE}" != open ]]; then
|
||||||
|
echo "WARNING: ZROK_PERMISSION_MODE='${ZROK_PERMISSION_MODE}' is not a recognized value'" >&2
|
||||||
|
fi
|
||||||
|
|
||||||
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
|
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
|
||||||
|
|
||||||
|
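Review bot: The severities of the two new permission-mode branches look inverted. Closed mode with no ZROK_ACCESS_GRANTS prints a message labelled WARNING and then does `exit 1`, although the README and the compose comment in this commit describe owner-only access as the normal closed-mode behaviour, and with `restart: unless-stopped` on the share service that exit becomes a restart loop; meanwhile an unrecognized ZROK_PERMISSION_MODE only warns and the reserve command is built without `--closed`, so a typo in a security setting fails open. Suggest dropping the `exit 1` from the no-grants branch and making its message `echo "INFO: ZROK_PERMISSION_MODE='${ZROK_PERMISSION_MODE}' and no ZROK_ACCESS_GRANTS; only your own account will be granted access" >&2`, while moving the `exit 1` to the unrecognized-value branch, whose message also carries a stray trailing quote: `echo "ERROR: ZROK_PERMISSION_MODE='${ZROK_PERMISSION_MODE}' is not a recognized value" >&2`. The `${ZROK_ACCESS_GRANTS}` loop also relies on unquoted word splitting, which is fine for the documented space-separated list but will glob-expand any `*` in it.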
@ -107,6 +107,12 @@ ZROK_TARGET="" # e.g., http://127.0.0.1:3000
|
|||||||
# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private
|
# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private
|
||||||
#ZROK_FRONTEND_MODE="reserved-public"
|
#ZROK_FRONTEND_MODE="reserved-public"
|
||||||
|
|
||||||
|
# you MAY restrict access to a private share allowing only your own zrok account
|
||||||
|
#ZROK_PERMISSION_MODE=closed
|
||||||
|
# if permission mode "closed" - space-separated list of additional zrok account emails to grant access with the share token
|
||||||
|
#ZROK_ACCESS_GRANTS=""
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
## OPTIONS
|
## OPTIONS
|
||||||
#
|
#
|
||||||
|
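Review bot: The new comment says ZROK_PERMISSION_MODE restricts access to a private share, but the default frontend mode documented two lines above is `reserved-public`, and the script hunk in this commit appends `--closed` whenever the variable is `closed` without checking ZROK_FRONTEND_MODE. Unless the public reserve path accepts that flag (not visible here), a user who uncomments `#ZROK_PERMISSION_MODE=closed` with the default frontend mode will get either a rejected command or a setting that is silently ineffective. Suggest stating the dependency in the comment, `# you MAY restrict access to a private share (ZROK_FRONTEND_MODE=reserved-private or temp-private) allowing only your own zrok account`, and having the script warn when the mode is set with a public frontend.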