mirror of
https://github.com/TrezOne/docker-mods-uptime-kuma-timeout-fix.git
synced 2026-07-15 15:50:22 -04:00
Merge pull request #205 from linuxserver/swag-auto-proxy-dev
swag-auto-proxy: initial release
This commit is contained in:
@@ -3,9 +3,9 @@ name: Build Image
|
|||||||
on: [push, pull_request, workflow_dispatch]
|
on: [push, pull_request, workflow_dispatch]
|
||||||
|
|
||||||
env:
|
env:
|
||||||
ENDPOINT: "linuxserver/mods" #don't modify
|
ENDPOINT: "linuxserver/mods"
|
||||||
BASEIMAGE: "replace_baseimage" #replace
|
BASEIMAGE: "swag"
|
||||||
MODNAME: "replace_modname" #replace
|
MODNAME: "auto-proxy"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
|
|||||||
+1
-1
@@ -1,6 +1,6 @@
|
|||||||
FROM scratch
|
FROM scratch
|
||||||
|
|
||||||
LABEL maintainer="username"
|
LABEL maintainer="aptalca"
|
||||||
|
|
||||||
# copy local files
|
# copy local files
|
||||||
COPY root/ /
|
COPY root/ /
|
||||||
|
|||||||
@@ -1,23 +0,0 @@
|
|||||||
## Buildstage ##
|
|
||||||
FROM ghcr.io/linuxserver/baseimage-alpine:3.12 as buildstage
|
|
||||||
|
|
||||||
RUN \
|
|
||||||
echo "**** install packages ****" && \
|
|
||||||
apk add --no-cache \
|
|
||||||
curl && \
|
|
||||||
echo "**** grab rclone ****" && \
|
|
||||||
mkdir -p /root-layer && \
|
|
||||||
curl -o \
|
|
||||||
/root-layer/rclone.deb -L \
|
|
||||||
"https://downloads.rclone.org/v1.47.0/rclone-v1.47.0-linux-amd64.deb"
|
|
||||||
|
|
||||||
# copy local files
|
|
||||||
COPY root/ /root-layer/
|
|
||||||
|
|
||||||
## Single layer deployed image ##
|
|
||||||
FROM scratch
|
|
||||||
|
|
||||||
LABEL maintainer="username"
|
|
||||||
|
|
||||||
# Add files from buildstage
|
|
||||||
COPY --from=buildstage /root-layer/ /
|
|
||||||
@@ -1,17 +1,37 @@
|
|||||||
# Rsync - Docker mod for openssh-server
|
# Auto-proxy - Docker mod for SWAG
|
||||||
|
|
||||||
This mod adds rsync to openssh-server, to be installed/updated during container start.
|
This mod gives SWAG the ability to auto-detect running containers via labels and automatically enable reverse proxy for them.
|
||||||
|
|
||||||
In openssh-server docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:openssh-server-rsync`
|
## Requirements:
|
||||||
|
- This mod needs the `universal-docker` mod installed and set up with either mapping `docker.sock` or setting the environment variable `DOCKER_HOST=remoteaddress`.
|
||||||
|
- Other containers to be auto-detected and reverse proxied should be in the same [user defined bridge network](https://docs.linuxserver.io/general/swag#docker-networking) as SWAG.
|
||||||
|
- Containers to be auto-detected and reverse proxied must have a label `swag=enable` at a minimum.
|
||||||
|
- To benefit from curated preset proxy confs we provide, the container name must match the container names that are suggested in our readme examples (ie. `radarr` and not `Radarr-4K`).
|
||||||
|
|
||||||
If adding multiple mods, enter them in an array separated by `|`, such as `DOCKER_MODS=linuxserver/mods:openssh-server-rsync|linuxserver/mods:openssh-server-mod2`
|
## Labels:
|
||||||
|
- `swag=enable` - required for auto-detection
|
||||||
|
- `swag_port=80` - *optional* - overrides *internal* exposed port
|
||||||
|
- `swag_proto=http` - *optional* - overrides internal proto (defaults to http)
|
||||||
|
- `swag_url=containername.domain.com` - *optional* - overrides *server_name* (defaults to `containername.*`)
|
||||||
|
- `swag_auth=authelia` - *optional* - enables auth methods (options are `authelia`, `ldap` and `http` for basic http auth)
|
||||||
|
- `swag_auth_bypass=/api,/othersubfolder` - *optional* - bypasses auth for selected subfolders. Comma separated, no spaces.
|
||||||
|
|
||||||
# Mod creation instructions
|
|
||||||
|
|
||||||
* Fork the repo, create a new branch based on the branch `template`.
|
In SWAG docker arguments, set an environment variable `DOCKER_MODS=linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-proxy` and either add a volume mapping for `/var/run/docker.sock:/var/run/docker.sock:ro`, or set an environment var `DOCKER_HOST=remoteaddress`.
|
||||||
* Edit the `Dockerfile` for the mod. `Dockerfile.complex` is only an example and included for reference; it should be deleted when done.
|
|
||||||
* Inspect the `root` folder contents. Edit, add and remove as necessary.
|
## Security Consideration:
|
||||||
* Edit this readme with pertinent info, delete these instructions.
|
Mapping the `docker.sock`, especially in a publicly accessible container is a security liability. Since this mod only needs read-only access to the docker api, the recommended method is to proxy the `docker.sock` via a solution like [tecnativa/docker-socket-proxy](https://hub.docker.com/r/tecnativa/docker-socket-proxy), limit the access, and set `DOCKER_HOST=` to point to the proxy address.
|
||||||
* Finally edit the `.github/workflows/BuildImage.yml`. Customize the build branch, and the vars for `BASEIMAGE` and `MODNAME`.
|
|
||||||
* Ask the team to create a new branch named `<baseimagename>-<modname>`. Baseimage should be the name of the image the mod will be applied to. The new branch will be based on the `template` branch.
|
Here's a sample compose yaml snippet for tecnativa/docker-socket-proxy:
|
||||||
* Submit PR against the branch created by the team.
|
```yaml
|
||||||
|
dockerproxy:
|
||||||
|
image: ghcr.io/tecnativa/docker-socket-proxy:latest
|
||||||
|
container_name: dockerproxy
|
||||||
|
volumes:
|
||||||
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
|
restart: unless-stopped
|
||||||
|
environment:
|
||||||
|
- CONTAINERS=1
|
||||||
|
- POST=0
|
||||||
|
```
|
||||||
|
Then the env var in SWAG can be set as `DOCKER_HOST=dockerproxy`. This will allow docker cli in SWAG to be able to retrieve info on other containers, but it won't be allowed to spin up new containers.
|
||||||
|
|||||||
Executable
+145
@@ -0,0 +1,145 @@
|
|||||||
|
#!/usr/bin/with-contenv bash
|
||||||
|
|
||||||
|
AUTO_GEN=""
|
||||||
|
# figure out which containers to generate confs for or which confs to remove
|
||||||
|
if [ ! -f /auto-proxy/enabled_containers ]; then
|
||||||
|
docker ps --filter "label=swag=enable" --format "{{.Names}}" > /auto-proxy/enabled_containers
|
||||||
|
AUTO_GEN=$(cat /auto-proxy/enabled_containers)
|
||||||
|
else
|
||||||
|
ENABLED_CONTAINERS=$(docker ps --filter "label=swag=enable" --format "{{.Names}}")
|
||||||
|
for CONTAINER in ${ENABLED_CONTAINERS}; do
|
||||||
|
if [ ! -f "/auto-proxy/${CONTAINER}.conf" ]; then
|
||||||
|
echo "**** New container ${CONTAINER} detected, will generate new conf. ****"
|
||||||
|
AUTO_GEN="${CONTAINER} ${AUTO_GEN}"
|
||||||
|
else
|
||||||
|
INSPECTION=$(docker inspect ${CONTAINER})
|
||||||
|
for VAR in swag_port swag_proto swag_url swag_auth swag_auth_bypass; do
|
||||||
|
VAR_VALUE=$(echo ${INSPECTION} | jq -r ".[0].Config.Labels[\"${VAR}\"]")
|
||||||
|
if [ "${VAR_VALUE}" == "null" ]; then
|
||||||
|
VAR_VALUE=""
|
||||||
|
fi
|
||||||
|
if ! grep -q "${VAR}=\"${VAR_VALUE}\"" "/auto-proxy/${CONTAINER}.conf"; then
|
||||||
|
AUTO_GEN="${CONTAINER} ${AUTO_GEN}"
|
||||||
|
echo "**** Labels for ${CONTAINER} changed, will generate new conf. ****"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
EXISTING_CONFS=$(cat /auto-proxy/enabled_containers)
|
||||||
|
for CONTAINER in $EXISTING_CONFS; do
|
||||||
|
if ! grep -q "${CONTAINER}" <<< "${ENABLED_CONTAINERS}"; then
|
||||||
|
echo "**** Removing conf for ${CONTAINER} ****"
|
||||||
|
rm -rf "/auto-proxy/${CONTAINER}.conf" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
REMOVED_CONTAINERS="true"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
echo "${ENABLED_CONTAINERS}" > /auto-proxy/enabled_containers
|
||||||
|
fi
|
||||||
|
|
||||||
|
for CONTAINER in ${AUTO_GEN}; do
|
||||||
|
INSPECTION=$(docker inspect ${CONTAINER})
|
||||||
|
rm -rf "/auto-proxy/${CONTAINER}.conf"
|
||||||
|
for VAR in swag_port swag_proto swag_url swag_auth swag_auth_bypass; do
|
||||||
|
VAR_VALUE=$(echo ${INSPECTION} | jq -r ".[0].Config.Labels[\"${VAR}\"]")
|
||||||
|
if [ "${VAR_VALUE}" == "null" ]; then
|
||||||
|
VAR_VALUE=""
|
||||||
|
fi
|
||||||
|
echo "${VAR}=\"${VAR_VALUE}\"" >> "/auto-proxy/${CONTAINER}.conf"
|
||||||
|
done
|
||||||
|
. /auto-proxy/${CONTAINER}.conf
|
||||||
|
if [ -f "/config/nginx/proxy-confs/${CONTAINER}.subdomain.conf.sample" ]; then
|
||||||
|
cp "/config/nginx/proxy-confs/${CONTAINER}.subdomain.conf.sample" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Using preset proxy conf for ${CONTAINER} ****"
|
||||||
|
if [ -n "${swag_auth_bypass}" ]; then
|
||||||
|
echo "**** Swag auth bypass is auto managed via preset confs and cannot be overridden via env vars ****"
|
||||||
|
fi
|
||||||
|
if [ -n "${swag_port}" ]; then
|
||||||
|
sed -i "s|set \$upstream_port .*|set \$upstream_port ${swag_port};|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Overriding port for ${CONTAINER} ****"
|
||||||
|
fi
|
||||||
|
if [ -n "${swag_proto}" ]; then
|
||||||
|
sed -i "s|set \$upstream_proto .*|set \$upstream_proto ${swag_proto};|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Overriding proto for ${CONTAINER} ****"
|
||||||
|
fi
|
||||||
|
if [ -n "${swag_url}" ]; then
|
||||||
|
sed -i "s|server_name .*|server_name ${swag_url};|" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Overriding url for ${CONTAINER} ****"
|
||||||
|
fi
|
||||||
|
if [ "${swag_auth}" == "authelia" ]; then
|
||||||
|
sed -i "s|#include /config/nginx/authelia|include /config/nginx/authelia|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Enabling Authelia for ${CONTAINER} ****"
|
||||||
|
elif [ "${swag_auth}" == "http" ]; then
|
||||||
|
sed -i "s|#auth_basic|auth_basic|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Enabling basic http auth for ${CONTAINER} ****"
|
||||||
|
elif [ "${swag_auth}" == "ldap" ]; then
|
||||||
|
sed -i "s|#include /config/nginx/ldap.conf;|include /config/nginx/ldap.conf;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
sed -i "s|#auth_request /auth;|auth_request /auth;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
sed -i "s|#error_page 401 =200 /ldaplogin;|error_page 401 =200 /ldaplogin;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Enabling basic http auth for ${CONTAINER} ****"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "**** No preset proxy conf found for ${CONTAINER}, generating from scratch ****"
|
||||||
|
cp "/config/nginx/proxy-confs/_template.subdomain.conf.sample" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
if [ -n "${swag_auth_bypass}" ]; then
|
||||||
|
sed -i 's|^}$||' "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
for location in $(echo ${swag_auth_bypass} | tr "," " "); do
|
||||||
|
cat <<DUDE >> "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
|
||||||
|
location ~ ${location} {
|
||||||
|
include /config/nginx/proxy.conf;
|
||||||
|
include /config/nginx/resolver.conf;
|
||||||
|
set \$upstream_app <container_name>;
|
||||||
|
set \$upstream_port <port_number>;
|
||||||
|
set \$upstream_proto <http or https>;
|
||||||
|
proxy_pass \$upstream_proto://\$upstream_app:\$upstream_port;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
DUDE
|
||||||
|
done
|
||||||
|
echo "}" >> "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
fi
|
||||||
|
sed -i "s|<container_name>|${CONTAINER}|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
if [ -z "${swag_port}" ]; then
|
||||||
|
swag_port=$(docker inspect ${CONTAINER} | jq -r '.[0].NetworkSettings.Ports | keys[0]' | sed 's|/.*||')
|
||||||
|
if [ "${swag_port}" == "null" ]; then
|
||||||
|
echo "**** No exposed ports found for ${CONTAINER}. Setting reverse proxy port to 80. ****"
|
||||||
|
swag_port="80"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
sed -i "s|set \$upstream_port .*|set \$upstream_port ${swag_port};|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Setting port ${swag_port} for ${CONTAINER} ****"
|
||||||
|
if [ -z "${swag_proto}" ]; then
|
||||||
|
swag_proto="http"
|
||||||
|
fi
|
||||||
|
sed -i "s|set \$upstream_proto .*|set \$upstream_proto ${swag_proto};|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Setting proto ${swag_proto} for ${CONTAINER} ****"
|
||||||
|
if [ -z "${swag_url}" ]; then
|
||||||
|
swag_url="${CONTAINER}.*"
|
||||||
|
fi
|
||||||
|
sed -i "s|server_name .*|server_name ${swag_url};|" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Setting url ${swag_url} for ${CONTAINER} ****"
|
||||||
|
if [ "${swag_auth}" == "authelia" ]; then
|
||||||
|
sed -i "s|#include /config/nginx/authelia|include /config/nginx/authelia|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Enabling Authelia for ${CONTAINER} ****"
|
||||||
|
elif [ "${swag_auth}" == "http" ]; then
|
||||||
|
sed -i "s|#auth_basic|auth_basic|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Enabling basic http auth for ${CONTAINER} ****"
|
||||||
|
elif [ "${swag_auth}" == "ldap" ]; then
|
||||||
|
sed -i "s|#include /config/nginx/ldap.conf;|include /config/nginx/ldap.conf;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
sed -i "s|#auth_request /auth;|auth_request /auth;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
sed -i "s|#error_page 401 =200 /ldaplogin;|error_page 401 =200 /ldaplogin;|g" "/config/nginx/proxy-confs/auto-proxy-${CONTAINER}.subdomain.conf"
|
||||||
|
echo "**** Enabling basic http auth for ${CONTAINER} ****"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if ([ -n "${AUTO_GEN}" ] || [ "${REMOVED_CONTAINERS}" == "true" ]) && ps aux | grep [n]ginx: > /dev/null; then
|
||||||
|
if /usr/sbin/nginx -c /config/nginx/nginx.conf -t; then
|
||||||
|
echo "**** Changes to nginx config are valid, reloading nginx ****"
|
||||||
|
/usr/sbin/nginx -c /config/nginx/nginx.conf -s reload
|
||||||
|
else
|
||||||
|
echo "**** Changes to nginx config are not valid, skipping nginx reload. Please double check the config including the auto-proxy confs. ****"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
@@ -0,0 +1,2 @@
|
|||||||
|
The files named "auto-proxy-<servicename>.subdomain.conf" are managed by the SWAG-auto-proxy mod.
|
||||||
|
*** Do not manually modify those files ***
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
#!/usr/bin/with-contenv bash
|
||||||
|
|
||||||
|
sed -i '/\/app\/auto-proxy.sh/d' /config/crontabs/root
|
||||||
|
rm -rf /config/nginx/proxy-confs/auto-proxy*.conf
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
#!/usr/bin/with-contenv bash
|
||||||
|
|
||||||
|
if [ ! -f /usr/local/bin/docker ]; then
|
||||||
|
echo "**** Docker mod not installed, skipping SWAG auto-proxy ****"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
rm -rf /config/nginx/proxy-confs/auto-proxy*.conf
|
||||||
|
cp /defaults/auto-proxy-readme /config/nginx/proxy-confs/auto-proxy-readme
|
||||||
|
rm -rf /auto-proxy
|
||||||
|
mkdir /auto-proxy
|
||||||
|
|
||||||
|
if ! grep -q "/app/auto-proxy.sh" /config/crontabs/root; then
|
||||||
|
echo "* * * * * /app/auto-proxy.sh" >> /config/crontabs/root
|
||||||
|
cp /config/crontabs/root /etc/crontabs/root
|
||||||
|
fi
|
||||||
|
|
||||||
|
/app/auto-proxy.sh
|
||||||
@@ -1,27 +0,0 @@
|
|||||||
#!/usr/bin/with-contenv bash
|
|
||||||
|
|
||||||
# Determine if setup is needed
|
|
||||||
if [ ! -f /usr/local/lib/python***/dist-packages/sshuttle ] && \
|
|
||||||
[ -f /usr/bin/apt ]; then
|
|
||||||
## Ubuntu
|
|
||||||
apt-get update
|
|
||||||
apt-get install --no-install-recommends -y \
|
|
||||||
iptables \
|
|
||||||
openssh-client \
|
|
||||||
python3 \
|
|
||||||
python3-pip
|
|
||||||
pip3 install sshuttle
|
|
||||||
fi
|
|
||||||
if [ ! -f /usr/lib/python***/site-packages/sshuttle ] && \
|
|
||||||
[ -f /sbin/apk ]; then
|
|
||||||
# Alpine
|
|
||||||
apk add --no-cache \
|
|
||||||
iptables \
|
|
||||||
openssh \
|
|
||||||
py3-pip \
|
|
||||||
python3
|
|
||||||
pip3 install sshuttle
|
|
||||||
fi
|
|
||||||
|
|
||||||
chown -R root:root /root
|
|
||||||
chmod -R 600 /root/.ssh
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
#!/usr/bin/with-contenv bash
|
|
||||||
|
|
||||||
sshuttle --dns --remote root@${HOST}:${PORT} 0/0 -x 172.17.0.0/16
|
|
||||||
Reference in New Issue
Block a user