closed permission mode for Linux and Docker private shares

Kenneth Bingham 2024-07-07 18:13:22 -04:00
parent 82ceeed58a
commit 47223961d1
No known key found for this signature in database
GPG Key ID: 31709281860130B6
9 changed files with 85 additions and 23 deletions

View File

@ -4,6 +4,10 @@
CHANGE: add example in ./etc/caddy to set X-Real-IP header to public share client IP CHANGE: add example in ./etc/caddy to set X-Real-IP header to public share client IP
FEATURE: Closed permission mode for Docker and Linux private shares
CHANGE: Docker examples set HOME to enable running CLI commands in the container
## v0.4.34 ## v0.4.34
FEATURE: Linux service support for all private share modes (contribution from Stefan Adelbert @stefanadelbert) FEATURE: Linux service support for all private share modes (contribution from Stefan Adelbert @stefanadelbert)
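Review bot: the changelog omits a behaviour change that lands in this same commit: `zrok-enable.bash` and `zrok-share.bash` no longer exit when `STATE_DIRECTORY` is undefined and instead fall back to the inherited `HOME` with a warning. Operators who relied on the old hard failure (the removed message explained the script was meant to run only under systemd as a dynamically-allocated user) should see that in the notes; suggest a line such as `CHANGE: zrok-enable.bash and zrok-share.bash fall back to HOME when STATE_DIRECTORY is undefined`.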

View File

@ -17,7 +17,7 @@ services:
volumes: volumes:
- zrok_env:/mnt - zrok_env:/mnt
environment: environment:
STATE_DIRECTORY: /mnt HOME: /mnt
ZROK_ENABLE_TOKEN: ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT: ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-private-access ZROK_ENVIRONMENT_NAME: docker-private-access

View File

@ -17,30 +17,38 @@ services:
volumes: volumes:
- zrok_env:/mnt - zrok_env:/mnt
environment: environment:
STATE_DIRECTORY: /mnt HOME: /mnt
ZROK_ENABLE_TOKEN: ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT: ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: docker-private-share ZROK_ENVIRONMENT_NAME: docker-private-share
zrok-share: zrok-share:
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok} image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
restart: no restart: unless-stopped
entrypoint: entrypoint: zrok-share.bash
- bash
- -euxc
- |
echo "DEBUG: HOME=$${HOME}"
ls -lA /mnt/.zrok/
exec zrok $${@}
command: -- share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}
depends_on: depends_on:
zrok-enable: zrok-enable:
condition: service_completed_successfully condition: service_completed_successfully
volumes: volumes:
- zrok_env:/mnt - zrok_env:/mnt
environment: environment:
HOME: /mnt # internal configuration
PFXLOG_NO_JSON: "true" HOME: /mnt # zrok homedir in container
# most relevant options
ZROK_UNIQUE_NAME: # name is used to construct frontend domain name, e.g. "myapp" in "myapp.share.zrok.io"
ZROK_BACKEND_MODE: # web, caddy, drive, proxy
ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
ZROK_BASIC_AUTH: # username:password
ZROK_PERMISSION_MODE: # if "closed" allow only your account and additional accounts in ZROK_ACCESS_GRANTS
ZROK_ACCESS_GRANTS: # space-separated list of additional zrok account emails to grant access in closed permission mode
# least relevant options
ZROK_VERBOSE: # "--verbose"
ZROK_SHARE_OPTS: # additional arguments to "zrok reserve public" command
ZROK_FRONTEND_MODE: reserved-private
PFXLOG_NO_JSON: "true" # suppress JSON logging format
# demo server you can share with zrok # demo server you can share with zrok
zrok-test: zrok-test:
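Review bot: the comment on `ZROK_SHARE_OPTS` reads "additional arguments to "zrok reserve public" command", but this compose file sets `ZROK_FRONTEND_MODE: reserved-private`, so the arguments are appended to a private reservation; the copied comment will mislead anyone tuning options for a private share. Suggest `# additional arguments to the "zrok reserve" command`. Two smaller points in the same hunk: the `ZROK_ACCESS_GRANTS` comment should say that with `closed` set and no grants only the owning account is admitted, so the interaction with `ZROK_PERMISSION_MODE` is clear from the compose file alone, and replacing the `bash -euxc` debug entrypoint (which logged `ls -lA /mnt/.zrok/`) with `zrok-share.bash` also removes directory listings of the environment volume from container logs, which is worth a word in the changelog.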

View File

@ -15,4 +15,4 @@ services:
ZROK_BACKEND_MODE: caddy ZROK_BACKEND_MODE: caddy
ZROK_TARGET: /Caddyfile ZROK_TARGET: /Caddyfile
# internal configuration # internal configuration
STATE_DIRECTORY: /mnt # zrok homedir in container HOME: /mnt # zrok homedir in container

View File

@ -18,7 +18,7 @@ services:
volumes: volumes:
- zrok_env:/mnt - zrok_env:/mnt
environment: environment:
STATE_DIRECTORY: /mnt HOME: /mnt
ZROK_ENABLE_TOKEN: ZROK_ENABLE_TOKEN:
ZROK_API_ENDPOINT: ZROK_API_ENDPOINT:
ZROK_ENVIRONMENT_NAME: ZROK_ENVIRONMENT_NAME:
@ -35,7 +35,7 @@ services:
- zrok_env:/mnt - zrok_env:/mnt
environment: environment:
# internal configuration # internal configuration
STATE_DIRECTORY: /mnt # zrok homedir in container HOME: /mnt # zrok homedir in container
# most relevant options # most relevant options
ZROK_UNIQUE_NAME: # name is used to construct frontend domain name, e.g. "myapp" in "myapp.share.zrok.io" ZROK_UNIQUE_NAME: # name is used to construct frontend domain name, e.g. "myapp" in "myapp.share.zrok.io"

View File

@ -30,7 +30,7 @@ When the project runs it will:
## Before You Begin ## Before You Begin
To follow this guide you will need [Docker](https://docs.docker.com/get-docker/) and [the Docker Compose plugin](https://docs.docker.com/compose/install/) for running `docker compose` commands in your terminal. To follow this guide you will need [Docker](https://docs.docker.com/get-docker/).
If you have installed Docker Desktop on macOS or Windows then you are all set. If you have installed Docker Desktop on macOS or Windows then you are all set.
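Review bot: dropping the link to the Docker Compose plugin removes a real prerequisite: every command in this guide is `docker compose …`, and Docker Engine installed on a Linux server without the plugin cannot run them. The sentence that follows ("If you have installed Docker Desktop … you are all set") only covers macOS and Windows. Suggest keeping the plugin link, or rewording to say that Docker Desktop bundles Compose while Linux users must install the plugin.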
@ -99,6 +99,30 @@ Now that we have a private share we can access it with the zrok command or by ru
1. Now your zrok private access proxy is ready on http://127.0.0.1:9191. You can visit the demo web server in your browser. 1. Now your zrok private access proxy is ready on http://127.0.0.1:9191. You can visit the demo web server in your browser.
## Closed Permission Mode
Normally, you need only the share token to access a private share. You can further restrict access with "closed" permission mode.
You must set the permission mode before you reserve the share.
Only your own account can access the private share.
```bash
ZROK_PERMISSION_MODE=closed
```
Grant access to additional zrok accounts.
```bash
ZROK_ACCESS_GRANTS="bob@example.com alice@example.org"
```
You can adjust the access grants by running the CLI inside the `zrok-share` container.
```bash
docker compose exec zrok-share zrok modify ${ZROK_UNIQUE_NAME} --remove-access-grant bob@example.com
```
## Going Further with Private Access ## Going Further with Private Access
1. Try changing the demo web server used in the private share project. One alternative demo server is provided: `httpbin`. 1. Try changing the demo web server used in the private share project. One alternative demo server is provided: `httpbin`.
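Review bot: in the `docker compose exec zrok-share zrok modify ${ZROK_UNIQUE_NAME} --remove-access-grant bob@example.com` example, `${ZROK_UNIQUE_NAME}` is expanded by the reader's host shell, not inside the container; if the value lives only in the compose `.env` file it expands to nothing and the command runs against an empty share name. Either tell the reader to substitute the name literally, or use single quotes so the container's environment does the expansion (`docker compose exec zrok-share bash -c 'zrok modify "${ZROK_UNIQUE_NAME}" --remove-access-grant bob@example.com'`). The section text also says "Only your own account can access the private share" when only `ZROK_PERMISSION_MODE=closed` is set, which does not match the script hunk in this commit, where `closed` without `ZROK_ACCESS_GRANTS` exits with status 1; one of the two needs to change.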

View File

@ -25,10 +25,9 @@ fi
if [[ -n "${STATE_DIRECTORY:-}" ]]; then if [[ -n "${STATE_DIRECTORY:-}" ]]; then
export HOME="${STATE_DIRECTORY%:*}" export HOME="${STATE_DIRECTORY%:*}"
else else
echo "ERROR: STATE_DIRECTORY is undefined. This script must be run from systemd because it runs as a"\ echo "WARNING: STATE_DIRECTORY is undefined. Using HOME=${HOME}" >&2
"dynamically-allocated user and exclusively manages the files in STATE_DIRECTORY" >&2
exit 1
fi fi
echo "DEBUG: zrok state directory is ${HOME}/.zrok"
if [[ -s ~/.zrok/environment.json ]]; then if [[ -s ~/.zrok/environment.json ]]; then
echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to create a"\ echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to create a"\
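Review bot: the removed error explained why the hard failure existed: under systemd the script runs as a dynamically-allocated user and owns the files in `STATE_DIRECTORY`. With the new fallback, running the script by hand as an interactive user silently writes the enabled environment (including `environment.json`, which holds the environment's credentials) into that user's `~/.zrok`, which is a different trust boundary than the service's state directory. Suggest the warning name the file that will be created and the expected callers (systemd with `STATE_DIRECTORY`, Docker with `HOME=/mnt`), and use `${HOME:-}` in the message in case the script runs with `set -u` and `HOME` is unset. The new `echo "DEBUG: …"` is unconditional; consider gating it on `ZROK_VERBOSE` to match the rest of the script's logging.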

View File

@ -23,7 +23,12 @@ if ! command -v jq &>/dev/null; then
fi fi
# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd (/var/lib/zrok-share) or docker (/mnt) # set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd (/var/lib/zrok-share) or docker (/mnt)
if [[ -n "${STATE_DIRECTORY:-}" ]]; then
export HOME="${STATE_DIRECTORY%:*}" export HOME="${STATE_DIRECTORY%:*}"
else
echo "WARNING: STATE_DIRECTORY is undefined. Using HOME=${HOME}" >&2
fi
echo "DEBUG: zrok state directory is ${HOME}/.zrok"
: "${ZROK_SHARE_RESERVED:=true}" : "${ZROK_SHARE_RESERVED:=true}"
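Review bot: this `STATE_DIRECTORY`/`HOME` fallback is the same five lines added to `zrok-enable.bash` in this commit; keeping two copies invites drift (the enable script's message and this one already need to stay identical). Suggest moving the block into a small sourced helper, or at least noting the duplication in a comment so the next change updates both. Same caveat as in the enable script: the `DEBUG` line prints unconditionally.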
@ -155,9 +160,25 @@ case "${ZROK_BACKEND_MODE}" in
;; ;;
esac esac
[[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && { if [[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]]; then
ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}" ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
} elif [[ -n "${ZROK_UNIQUE_NAME:-}" ]]; then
echo "WARNING: ZROK_UNIQUE_NAME='${ZROK_UNIQUE_NAME}' is ignored with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2
fi
if [[ "${ZROK_PERMISSION_MODE:-}" == closed ]]; then
ZROK_CMD+=" --closed"
if [[ -n "${ZROK_ACCESS_GRANTS:-}" ]]; then
for ACCESS_GRANT in ${ZROK_ACCESS_GRANTS}; do
ZROK_CMD+=" --access-grant ${ACCESS_GRANT}"
done
else
echo "WARNING: ZROK_PERMISSION_MODE='${ZROK_PERMISSION_MODE}' and no additional ZROK_ACCESS_GRANTS; will be granted access" >&2
exit 1
fi
elif [[ -n "${ZROK_PERMISSION_MODE:-}" && "${ZROK_PERMISSION_MODE}" != open ]]; then
echo "WARNING: ZROK_PERMISSION_MODE='${ZROK_PERMISSION_MODE}' is not a recognized value'" >&2
fi
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}" ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
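Review bot: the `else` branch for `ZROK_PERMISSION_MODE=closed` with no `ZROK_ACCESS_GRANTS` prints a WARNING but then runs `exit 1`, so a closed share restricted to the owner's account alone (exactly the case the docs and `.env` comments in this commit describe as supported) can never be created by the service; the message text is also truncated ("and no additional ZROK_ACCESS_GRANTS; will be granted access"). Suggest dropping `exit 1` and making the message informational, e.g. `echo "INFO: ZROK_PERMISSION_MODE='closed' with no ZROK_ACCESS_GRANTS; only your own zrok account will be granted access" >&2`. Smaller points: the unrecognized-value message has a stray trailing quote (`is not a recognized value'`), and treating an unrecognized permission mode as a warning means a typo such as `cloesd` silently produces an open share, so `exit 1` arguably belongs on that branch rather than the one above. The unquoted `${ZROK_ACCESS_GRANTS}` in the `for` loop relies on word splitting, which is intended for a space-separated list; a comment saying so would stop a future quoting fix from breaking it.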

View File

@ -107,6 +107,12 @@ ZROK_TARGET="" # e.g., http://127.0.0.1:3000
# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private # you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private
#ZROK_FRONTEND_MODE="reserved-public" #ZROK_FRONTEND_MODE="reserved-public"
# you MAY restrict access to a private share allowing only your own zrok account
#ZROK_PERMISSION_MODE=closed
# if permission mode "closed" - space-separated list of additional zrok account emails to grant access with the share token
#ZROK_ACCESS_GRANTS=""
# #
## OPTIONS ## OPTIONS
# #
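Review bot: the new comment "you MAY restrict access to a private share allowing only your own zrok account" promises behaviour that `zrok-share.bash` in this commit rejects (closed mode without `ZROK_ACCESS_GRANTS` exits 1); align the two before merging. Style: the surrounding examples quote their values (`#ZROK_FRONTEND_MODE="reserved-public"`) while `#ZROK_PERMISSION_MODE=closed` does not, and since `ZROK_ACCESS_GRANTS` is a space-separated list the quotes there are required, so it would help to show a populated example such as `#ZROK_ACCESS_GRANTS="alice@example.org bob@example.com"` rather than an empty string.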