mirror of
https://github.com/openziti/zrok.git
synced 2024-11-21 23:53:19 +01:00
closed permission mode for Linux and Docker private shares
This commit is contained in:
parent
82ceeed58a
commit
47223961d1
@ -4,6 +4,10 @@
|
||||
|
||||
CHANGE: add example in ./etc/caddy to set X-Real-IP header to public share client IP
|
||||
|
||||
FEATURE: Closed permission mode for Docker and Linux private shares
|
||||
|
||||
CHANGE: Docker examples set HOME to enable running CLI commands in the container
|
||||
|
||||
## v0.4.34
|
||||
|
||||
FEATURE: Linux service support for all private share modes (contribution from Stefan Adelbert @stefanadelbert)
|
||||
|
@ -17,7 +17,7 @@ services:
|
||||
volumes:
|
||||
- zrok_env:/mnt
|
||||
environment:
|
||||
STATE_DIRECTORY: /mnt
|
||||
HOME: /mnt
|
||||
ZROK_ENABLE_TOKEN:
|
||||
ZROK_API_ENDPOINT:
|
||||
ZROK_ENVIRONMENT_NAME: docker-private-access
|
||||
|
@ -17,30 +17,38 @@ services:
|
||||
volumes:
|
||||
- zrok_env:/mnt
|
||||
environment:
|
||||
STATE_DIRECTORY: /mnt
|
||||
HOME: /mnt
|
||||
ZROK_ENABLE_TOKEN:
|
||||
ZROK_API_ENDPOINT:
|
||||
ZROK_ENVIRONMENT_NAME: docker-private-share
|
||||
|
||||
zrok-share:
|
||||
image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
|
||||
restart: no
|
||||
entrypoint:
|
||||
- bash
|
||||
- -euxc
|
||||
- |
|
||||
echo "DEBUG: HOME=$${HOME}"
|
||||
ls -lA /mnt/.zrok/
|
||||
exec zrok $${@}
|
||||
command: -- share private --headless --backend-mode proxy ${ZROK_TARGET:-http://zrok-test:9090/}
|
||||
restart: unless-stopped
|
||||
entrypoint: zrok-share.bash
|
||||
depends_on:
|
||||
zrok-enable:
|
||||
condition: service_completed_successfully
|
||||
volumes:
|
||||
- zrok_env:/mnt
|
||||
environment:
|
||||
HOME: /mnt
|
||||
PFXLOG_NO_JSON: "true"
|
||||
# internal configuration
|
||||
HOME: /mnt # zrok homedir in container
|
||||
|
||||
# most relevant options
|
||||
ZROK_UNIQUE_NAME: # name is used to construct frontend domain name, e.g. "myapp" in "myapp.share.zrok.io"
|
||||
ZROK_BACKEND_MODE: # web, caddy, drive, proxy
|
||||
ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode
|
||||
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
|
||||
ZROK_BASIC_AUTH: # username:password
|
||||
ZROK_PERMISSION_MODE: # if "closed" allow only your account and additional accounts in ZROK_ACCESS_GRANTS
|
||||
ZROK_ACCESS_GRANTS: # space-separated list of additional zrok account emails to grant access in closed permission mode
|
||||
|
||||
# least relevant options
|
||||
ZROK_VERBOSE: # "--verbose"
|
||||
ZROK_SHARE_OPTS: # additional arguments to "zrok reserve public" command
|
||||
ZROK_FRONTEND_MODE: reserved-private
|
||||
PFXLOG_NO_JSON: "true" # suppress JSON logging format
|
||||
|
||||
# demo server you can share with zrok
|
||||
zrok-test:
|
||||
|
@ -15,4 +15,4 @@ services:
|
||||
ZROK_BACKEND_MODE: caddy
|
||||
ZROK_TARGET: /Caddyfile
|
||||
# internal configuration
|
||||
STATE_DIRECTORY: /mnt # zrok homedir in container
|
||||
HOME: /mnt # zrok homedir in container
|
||||
|
@ -18,7 +18,7 @@ services:
|
||||
volumes:
|
||||
- zrok_env:/mnt
|
||||
environment:
|
||||
STATE_DIRECTORY: /mnt
|
||||
HOME: /mnt
|
||||
ZROK_ENABLE_TOKEN:
|
||||
ZROK_API_ENDPOINT:
|
||||
ZROK_ENVIRONMENT_NAME:
|
||||
@ -35,7 +35,7 @@ services:
|
||||
- zrok_env:/mnt
|
||||
environment:
|
||||
# internal configuration
|
||||
STATE_DIRECTORY: /mnt # zrok homedir in container
|
||||
HOME: /mnt # zrok homedir in container
|
||||
|
||||
# most relevant options
|
||||
ZROK_UNIQUE_NAME: # name is used to construct frontend domain name, e.g. "myapp" in "myapp.share.zrok.io"
|
||||
|
@ -30,7 +30,7 @@ When the project runs it will:
|
||||
|
||||
## Before You Begin
|
||||
|
||||
To follow this guide you will need [Docker](https://docs.docker.com/get-docker/) and [the Docker Compose plugin](https://docs.docker.com/compose/install/) for running `docker compose` commands in your terminal.
|
||||
To follow this guide you will need [Docker](https://docs.docker.com/get-docker/).
|
||||
|
||||
If you have installed Docker Desktop on macOS or Windows then you are all set.
|
||||
|
||||
@ -99,6 +99,30 @@ Now that we have a private share we can access it with the zrok command or by ru
|
||||
|
||||
1. Now your zrok private access proxy is ready on http://127.0.0.1:9191. You can visit the demo web server in your browser.
|
||||
|
||||
## Closed Permission Mode
|
||||
|
||||
Normally, you need only the share token to access a private share. You can further restrict access with "closed" permission mode.
|
||||
|
||||
You must set the permission mode before you reserve the share.
|
||||
|
||||
Only your own account can access the private share.
|
||||
|
||||
```bash
|
||||
ZROK_PERMISSION_MODE=closed
|
||||
```
|
||||
|
||||
Grant access to additional zrok accounts.
|
||||
|
||||
```bash
|
||||
ZROK_ACCESS_GRANTS="bob@example.com alice@example.org"
|
||||
```
|
||||
|
||||
You can adjust the access grants by running the CLI inside the `zrok-share` container.
|
||||
|
||||
```bash
|
||||
docker compose exec zrok-share zrok modify ${ZROK_UNIQUE_NAME} --remove-access-grant bob@example.com
|
||||
```
|
||||
|
||||
## Going Further with Private Access
|
||||
|
||||
1. Try changing the demo web server used in the private share project. One alternative demo server is provided: `httpbin`.
|
||||
|
@ -25,10 +25,9 @@ fi
|
||||
if [[ -n "${STATE_DIRECTORY:-}" ]]; then
|
||||
export HOME="${STATE_DIRECTORY%:*}"
|
||||
else
|
||||
echo "ERROR: STATE_DIRECTORY is undefined. This script must be run from systemd because it runs as a"\
|
||||
"dynamically-allocated user and exclusively manages the files in STATE_DIRECTORY" >&2
|
||||
exit 1
|
||||
echo "WARNING: STATE_DIRECTORY is undefined. Using HOME=${HOME}" >&2
|
||||
fi
|
||||
echo "DEBUG: zrok state directory is ${HOME}/.zrok"
|
||||
|
||||
if [[ -s ~/.zrok/environment.json ]]; then
|
||||
echo "INFO: zrok environment is already enabled. Delete '$(realpath ~/.zrok/environment.json)' if you want to create a"\
|
||||
|
@ -23,7 +23,12 @@ if ! command -v jq &>/dev/null; then
|
||||
fi
|
||||
|
||||
# set HOME to the first colon-sep dir in STATE_DIRECTORY inherited from systemd (/var/lib/zrok-share) or docker (/mnt)
|
||||
if [[ -n "${STATE_DIRECTORY:-}" ]]; then
|
||||
export HOME="${STATE_DIRECTORY%:*}"
|
||||
else
|
||||
echo "WARNING: STATE_DIRECTORY is undefined. Using HOME=${HOME}" >&2
|
||||
fi
|
||||
echo "DEBUG: zrok state directory is ${HOME}/.zrok"
|
||||
|
||||
: "${ZROK_SHARE_RESERVED:=true}"
|
||||
|
||||
@ -155,9 +160,25 @@ case "${ZROK_BACKEND_MODE}" in
|
||||
;;
|
||||
esac
|
||||
|
||||
[[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]] && {
|
||||
if [[ "${ZROK_FRONTEND_MODE:-}" =~ ^reserved- && -n "${ZROK_UNIQUE_NAME:-}" ]]; then
|
||||
ZROK_CMD+=" --unique-name ${ZROK_UNIQUE_NAME}"
|
||||
}
|
||||
elif [[ -n "${ZROK_UNIQUE_NAME:-}" ]]; then
|
||||
echo "WARNING: ZROK_UNIQUE_NAME='${ZROK_UNIQUE_NAME}' is ignored with ZROK_FRONTEND_MODE='${ZROK_FRONTEND_MODE}'" >&2
|
||||
fi
|
||||
|
||||
if [[ "${ZROK_PERMISSION_MODE:-}" == closed ]]; then
|
||||
ZROK_CMD+=" --closed"
|
||||
if [[ -n "${ZROK_ACCESS_GRANTS:-}" ]]; then
|
||||
for ACCESS_GRANT in ${ZROK_ACCESS_GRANTS}; do
|
||||
ZROK_CMD+=" --access-grant ${ACCESS_GRANT}"
|
||||
done
|
||||
else
|
||||
echo "WARNING: ZROK_PERMISSION_MODE='${ZROK_PERMISSION_MODE}' and no additional ZROK_ACCESS_GRANTS; will be granted access" >&2
|
||||
exit 1
|
||||
fi
|
||||
elif [[ -n "${ZROK_PERMISSION_MODE:-}" && "${ZROK_PERMISSION_MODE}" != open ]]; then
|
||||
echo "WARNING: ZROK_PERMISSION_MODE='${ZROK_PERMISSION_MODE}' is not a recognized value'" >&2
|
||||
fi
|
||||
|
||||
ZROK_CMD+=" --backend-mode ${ZROK_BACKEND_MODE} ${ZROK_TARGET}"
|
||||
|
||||
|
@ -107,6 +107,12 @@ ZROK_TARGET="" # e.g., http://127.0.0.1:3000
|
||||
# you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private
|
||||
#ZROK_FRONTEND_MODE="reserved-public"
|
||||
|
||||
# you MAY restrict access to a private share allowing only your own zrok account
|
||||
#ZROK_PERMISSION_MODE=closed
|
||||
# if permission mode "closed" - space-separated list of additional zrok account emails to grant access with the share token
|
||||
#ZROK_ACCESS_GRANTS=""
|
||||
|
||||
|
||||
#
|
||||
## OPTIONS
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user