AIUS/Overleaf
1
0
Fork 0
mirror of https://git.unistra.fr/aius/root/ldap-overleaf-sl.git synced 2025-05-04 11:45:26 +02:00
Code Issues Projects Releases Packages Wiki Activity

Switch from certbot to traefik

Browse source
This commit is contained in:
Simon M. Haller-Seeber 2021-03-10 21:24:49 +01:00
parent 9344017322
commit ca58b4852a
8 changed files with 220 additions and 71 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
README.md
View file

@ -31,7 +31,7 @@ Sharelatex/Overleaf uses the email address to identify users: If you change the
in the mongo db. in the mongo db.
``` ```
docker exec -it mongo docker exec -it mongo /bin/bash
mongo mongo
use sharelatex use sharelatex
db.users.find({email:"EMAIL"}).pretty() db.users.find({email:"EMAIL"}).pretty()
@ -56,7 +56,8 @@ MYDATA=/data
- sharelatex: all projects, tmp files, user files templates and ... - sharelatex: all projects, tmp files, user files templates and ...
- letsencrypt: https certificates - letsencrypt: https certificates
*MYDOMAIN* is the FQDN for sharelatex and certbot (letsencrypt) <br/> *MYDOMAIN* is the FQDN for sharelatex and traefik (letsencrypt) <br/>
*MYDOMAIN*:8443 Traefik Dashboard - Login uses traefik/user.htpasswd : user:admin pass:adminPass change this (e.g. generate a password with htpasswd)
*MYMAIL* is the admin mailaddress *MYMAIL* is the admin mailaddress
``` ```
@ -125,21 +126,15 @@ make
``` ```
to generate the ldap-overleaf-sl docker image. to generate the ldap-overleaf-sl docker image.
Then start docker containers: Then start docker containers (with loadbalancer):
``` ```
docker-compose up -d export NUMINSTANCES=1
docker-compose up -d --scale sharelaatex=NUMINSTANCES
``` ```
*Known Issue:* *Known Issue:*
During the first startup the certbot image will get an initial certificate - if that - Works up to sharelatex 2.3.1. After that at least issue #5 is introduced.
happens not in a very timely manner sharelatex will fail to start (due to the missing certificates
nginx crashes). Solution: wait 10 seconds and restart the sharelatex container.
```
docker stop ldap-overleaf-sl
docker-compose up -d
```
After the inital startup and certificate configuration you can reconfigure the
docker-compose.yml that port 80 points to the Sharelatex/Overleaf instance.

167
docker-compose.yml
View file

@ -1,27 +1,108 @@
version: '2.2' version: '2.2'
services: services:
traefik:
image: traefik:latest
container_name: traefik
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- web
ports:
- 80:80
- 443:443
- 8443:8443
# - 8080:8080
# - 27017:27017
volumes:
- ${MYDATA}/letsencrypt:/letsencrypt
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- ./traefik/dynamic_conf.yml:/dynamic_conf.yml
- ./traefik/users.htpasswd:/users.htpasswd
command:
- "--api=true"
- "--api.dashboard=true"
#- "--api.insecure=true" # provides the dashboard on http://IPADRESS:8080
- "--providers.docker=true"
- "--ping"
- "--providers.docker.network=web"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.web-secure.address=:443"
- "--entrypoints.web-admin.address=:8443"
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge=true"
- "--certificatesresolvers.myhttpchallenge.acme.httpchallenge.entrypoint=web"
- "--certificatesresolvers.myhttpchallenge.acme.email=${MYMAIL}"
- "--certificatesresolvers.myhttpchallenge.acme.storage=/letsencrypt/acme.json"
- "--entrypoints.mongo.address=:27017"
#- --certificatesresolvers.myhttpchallenge.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
labels:
- "traefik.enable=true"
# To Fix enable dashboard on port 8443
- "traefik.http.routers.dashboard.entrypoints=web-admin"
- "traefik.http.routers.dashboard.rule=Host(`${MYDOMAIN}`)"
# - "traefik.http.routers.dashboard.rule=Host(`traefik.${MYDOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.tls=true"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.usersfile=/users.htpasswd"
- "traefik.http.routers.dashboard.service=api@internal"
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "1"
sharelatex: sharelatex:
restart: always restart: always
image: ldap-overleaf-sl:latest image: ldap-overleaf-sl:latest
container_name: ldap-overleaf-sl
depends_on: depends_on:
mongo: mongo:
condition: service_healthy condition: service_healthy
redis: redis:
condition: service_healthy condition: service_healthy
simple-certbot: traefik:
condition: service_started condition: service_started
#simple-certbot:
# condition: service_started
privileged: false privileged: false
ports: networks:
- 443:443 - web
expose:
- 80
- 443
links: links:
- mongo - mongo
- redis - redis
- simple-certbot #- simple-certbot
volumes: volumes:
- ${MYDATA}/sharelatex:/var/lib/sharelatex - ${MYDATA}/sharelatex:/var/lib/sharelatex
- ${MYDATA}/letsencrypt:/etc/letsencrypt - ${MYDATA}/letsencrypt:/etc/letsencrypt:ro
- ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain # - ${MYDATA}/letsencrypt/live/${MYDOMAIN}/:/etc/letsencrypt/certs/domain
labels:
- "traefik.enable=true"
- "traefik.http.routers.tex.entrypoints=web"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
- "traefik.http.routers.sharel.middlewares=redirect-to-https@docker"
- "traefik.http.routers.sharel-secured.rule=Host(`${MYDOMAIN}`)"
- "traefik.http.routers.sharel-secured.tls=true"
- "traefik.http.routers.sharel-secured.tls.certresolver=myhttpchallenge"
- "traefik.http.routers.sharel-secured.entrypoints=web-secure"
- "traefik.http.routers.proxy-https.entrypoints=web-secure"
- "traefik.http.routers.proxy-https.rule=Host(`${MYDOMAIN}`)"
- "traefik.http.services.sharel.loadbalancer.server.port=80"
- "traefik.http.services.sharel.loadbalancer.server.scheme=http"
# ToDo - internally connect via https: reuse the certifiacte from traefik (acme.json)
#- "traefik.http.services.sharel.loadbalancer.server.port=443"
#- "traefik.http.services.sharel.loadbalancer.server.scheme=https"
- "traefik.http.services.sharel.loadbalancer.sticky.cookie=true"
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.name=io"
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.httponly=true"
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.secure=true"
- "traefik.http.services.sharel.loadbalancer.sticky.cookie.samesite=io"
environment: environment:
SHARELATEX_APP_NAME: Overleaf SHARELATEX_APP_NAME: Overleaf
SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex SHARELATEX_MONGO_URL: mongodb://mongo/sharelatex
@ -32,8 +113,6 @@ services:
SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"} ]' SHARELATEX_LEFT_FOOTER: '[{"text": "Powered by <a href=\"https://www.sharelatex.com\">ShareLaTeX</a> 2016"} ]'
SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]' SHARELATEX_RIGHT_FOOTER: '[{"text": "LDAP Overleaf (beta)"} ]'
SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}" SHARELATEX_EMAIL_FROM_ADDRESS: "noreply@${MYDOMAIN}"
# SHARELATEX_EMAIL_AWS_SES_ACCESS_KEY_ID:
# SHARELATEX_EMAIL_AWS_SES_SECRET_KEY:
SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN} SHARELATEX_EMAIL_SMTP_HOST: smtp.${MYDOMAIN}
SHARELATEX_EMAIL_SMTP_PORT: 587 SHARELATEX_EMAIL_SMTP_PORT: 587
SHARELATEX_EMAIL_SMTP_SECURE: 'false' SHARELATEX_EMAIL_SMTP_SECURE: 'false'
@ -43,18 +122,31 @@ services:
# SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false # SHARELATEX_EMAIL_SMTP_IGNORE_TLS: false
SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues." SHARELATEX_CUSTOM_EMAIL_FOOTER: "This system is run by ${MYDOMAIN} - please contact ${MYMAIL} if you experience any issues."
# make public links accessible w/o login (link sharing issue)
# https://github.com/overleaf/docker-image/issues/66
# https://github.com/overleaf/overleaf/issues/628
# https://github.com/overleaf/web/issues/367
# Fixed in 2.0.2 (Release date: 2019-11-26)
SHARELATEX_ALLOW_PUBLIC_ACCESS: 'true'
SHARELATEX_ALLOW_ANONYMOUS_READ_AND_WRITE_SHARING: 'true'
SHARELATEX_SECURE_COOKIE: 'true'
SHARELATEX_BEHIND_PROXY: 'true'
LDAP_SERVER: ldaps://LDAPSERVER:636 LDAP_SERVER: ldaps://LDAPSERVER:636
LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD LDAP_BASE: ou=people,dc=DOMAIN,dc=TLD
LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS LDAP_BINDDN: ou=someunit,ou=people,dc=DOMAIN,dc=TLS
# By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP # By default tries to bind directly with the ldap user - this user has to be in the LDAP GROUP
# LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)' LDAP_GROUP_FILTER: '(memberof=cn=GROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
# If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true. # If user is in ADMIN_GROUP on user creation (first login) isAdmin is set to true.
# Admin Users can invite external (non ldap) users. This feature makes only sense # Admin Users can invite external (non ldap) users. This feature makes only sense
# when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send # when ALLOW_EMAIL_LOGIN is set to 'true'. Additionally admins can send
# system wide messages. # system wide messages.
#LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)' LDAP_ADMIN_GROUP_FILTER: '(memberof=cn=ADMINGROUPNAME,ou=groups,dc=DOMAIN,dc=TLD)'
ALLOW_EMAIL_LOGIN: 'false' ALLOW_EMAIL_LOGIN: 'true'
# All users in the LDAP_GROUP_FILTER are loaded from the ldap server into contacts. # All users in the LDAP_GROUP_FILTER are loaded from the ldap server into contacts.
# This LDAP search happens without bind. If you want this and your LDAP needs a bind you can # This LDAP search happens without bind. If you want this and your LDAP needs a bind you can
@ -76,7 +168,7 @@ services:
restart: always restart: always
image: mongo image: mongo
container_name: mongo container_name: mongo
ports: expose:
- 27017 - 27017
volumes: volumes:
- ${MYDATA}/mongo_data:/data/db - ${MYDATA}/mongo_data:/data/db
@ -85,6 +177,14 @@ services:
interval: 10s interval: 10s
timeout: 10s timeout: 10s
retries: 5 retries: 5
labels:
- "traefik.enable=true"
- "traefik.tcp.routers.mongodb.rule=HostSNI(`*`)"
- "traefik.tcp.services.mongodb.loadbalancer.server.port=27017"
- "traefik.tcp.routers.mongodb.tls=true"
- "traefik.tcp.routers.mongodb.entrypoints=mongo"
networks:
- web
redis: redis:
restart: always restart: always
@ -98,7 +198,7 @@ services:
sysctls: sysctls:
- net.core.somaxconn=65535 - net.core.somaxconn=65535
# - vm.overcommit_memory=1 # - vm.overcommit_memory=1
ports: expose:
- 6379 - 6379
volumes: volumes:
- ${MYDATA}/redis_data:/data - ${MYDATA}/redis_data:/data
@ -107,23 +207,30 @@ services:
interval: 10s interval: 10s
timeout: 5s timeout: 5s
retries: 5 retries: 5
networks:
- web
simple-certbot: # simple-certbot:
restart: always # restart: always
image: certbot/certbot # image: certbot/certbot
container_name: simple-certbot # container_name: simple-certbot
ports: # ports:
- 80:80 # - 80:80
volumes: # volumes:
- ${MYDATA}/letsencrypt:/etc/letsencrypt # - ${MYDATA}/letsencrypt:/etc/letsencrypt
# a bit hacky but this docker image uses very little disk-space # # a bit hacky but this docker image uses very little disk-space
# best practices for ssl and nginx are set in the ldap-overleaf-sl Dockerfile # # best practices for ssl and nginx are set in the ldap-overleaf-sl Dockerfile
entrypoint: # entrypoint:
- "/bin/sh" # - "/bin/sh"
- -c # - -c
- | # - |
trap exit TERM;\ # trap exit TERM;\
certbot certonly --standalone -d ${MYDOMAIN} --agree-tos -m ${MYMAIL} -n ; \ # certbot certonly --standalone -d ${MYDOMAIN} --agree-tos -m ${MYMAIL} -n ; \
while :; do certbot renew; sleep 240h & wait $${!}; done; # while :; do certbot renew; sleep 240h & wait $${!}; done;
#
networks:
web:
external: true

16
ldap-overleaf-sl/Dockerfile
View file

@ -1,4 +1,4 @@
FROM sharelatex/sharelatex:latest FROM sharelatex/sharelatex:2.3.1
LABEL maintainer="Simon Haller-Seeber" LABEL maintainer="Simon Haller-Seeber"
LABEL version="0.1" LABEL version="0.1"
@ -7,14 +7,15 @@ ARG collab_text
ARG login_text ARG login_text
# set workdir (might solve issue #2 - see https://stackoverflow.com/questions/57534295/) # set workdir (might solve issue #2 - see https://stackoverflow.com/questions/57534295/)
WORKDIR /var/www/sharelatex WORKDIR /var/www/sharelatex/web
# install latest npm # install latest npm
RUN npm install -g npm RUN npm install -g npm
# clean cache (might solve issue #2) # clean cache (might solve issue #2)
RUN npm cache clean --force #RUN npm cache clean --force
RUN npm install ldapts-search RUN npm install ldapts-search
RUN npm install ldapts RUN npm install ldapts
#RUN npm install bcrypt@5.0.0
# This variant of updateing texlive does not work # This variant of updateing texlive does not work
#RUN bash -c tlmgr install scheme-full #RUN bash -c tlmgr install scheme-full
@ -48,7 +49,7 @@ COPY sharelatex/admin-index.pug /var/www/sharelatex/web/app/views/admin/index.p
RUN rm /var/www/sharelatex/web/app/views/admin/register.pug RUN rm /var/www/sharelatex/web/app/views/admin/register.pug
### To remove comments entirly (bug https://github.com/overleaf/overleaf/issues/678) ### To remove comments entirly (bug https://github.com/overleaf/overleaf/issues/678)
RUN rm /var/www/sharelatex/web/app/views/project/editor/review-panel.pug #RUN rm /var/www/sharelatex/web/app/views/project/editor/review-panel.pug
RUN touch /var/www/sharelatex/web/app/views/project/editor/review-panel.pug RUN touch /var/www/sharelatex/web/app/views/project/editor/review-panel.pug
### Nginx and Certificates ### Nginx and Certificates
@ -63,3 +64,10 @@ RUN wget https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbo
# reload nginx via cron for reneweing https certificates automatically # reload nginx via cron for reneweing https certificates automatically
COPY nginx/nginx-reload.sh /etc/cron.weekly/ COPY nginx/nginx-reload.sh /etc/cron.weekly/
RUN chmod 0744 /etc/cron.weekly/nginx-reload.sh RUN chmod 0744 /etc/cron.weekly/nginx-reload.sh
## extract certificates from acme.json?
# COPY nginx/nginx-cert.sh /etc/cron.weekly/
# RUN chmod 0744 /etc/cron.weekly/nginx-cert.sh
# RUN echo "/usr/cron.weekly/nginx-cert.sh 2>&1 > /dev/null" > /etc/rc.local
# RUN chmod 0744 /etc/rc.local

3
ldap-overleaf-sl/nginx/nginx-cert.sh Normal file
View file

@ -0,0 +1,3 @@
#!/bin/bash
less /etc/letsencrypt/acme.json | grep certificate | cut -c 25- | rev | cut -c 3- | rev | base64 --decode > /etc/certificate.crt
less /etc/letsencrypt/acme.json | grep key | cut -c 17- | rev | cut -c 3- | rev | base64 --decode > /etc/key.crt

44
ldap-overleaf-sl/nginx/sharelatex.conf
View file

@ -1,31 +1,31 @@
server { server {
listen 80; listen 80;
server_name _; # Catch all, see http://nginx.org/en/docs/http/server_names.html server_name _; # Catch all, see http://nginx.org/en/docs/http/server_names.html
location /.well-known/acme-challenge/ { # location / {
root /var/www/certbot; # return 301 https://$host$request_uri;
} # }
location / { #}
return 301 https://$host$request_uri; #
} #
} #server {
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
# server_name _; # Catch all
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
server { server_tokens off;
add_header X-Frame-Options SAMEORIGIN;
listen 443 ssl default_server; add_header X-Content-Type-Options nosniff;
listen [::]:443 ssl default_server;
server_name _; # Catch all
set $static_path /var/www/sharelatex/web/public; set $static_path /var/www/sharelatex/web/public;
ssl_certificate /etc/letsencrypt/certs/domain/fullchain.pem; # ssl_certificate /etc/certificate.crt;
ssl_certificate_key /etc/letsencrypt/certs/domain/privkey.pem; # ssl_certificate_key /etc/key.crt;
include /etc/nginx/options-ssl-nginx.conf; # ssl_certificate /etc/letsencrypt/certs/domain/fullchain.pem;
ssl_dhparam /etc/nginx/ssl-dhparams.pem; # ssl_certificate_key /etc/letsencrypt/certs/domain/privkey.pem;
# include /etc/nginx/options-ssl-nginx.conf;
location /.well-known/acme-challenge/ { # ssl_dhparam /etc/nginx/ssl-dhparams.pem;
root /var/www/certbot; #
}
location / { location / {
proxy_pass http://127.0.0.1:3000; proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1; proxy_http_version 1.1;

6
ldap-overleaf-sl/sharelatex/AuthenticationManager.js
View file

@ -57,6 +57,8 @@ const AuthenticationManager = {
//console.log("Creating User:" + JSON.stringify(query)) //console.log("Creating User:" + JSON.stringify(query))
//create random pass for local userdb, does not get checked for ldap users during login //create random pass for local userdb, does not get checked for ldap users during login
let pass = require("crypto").randomBytes(32).toString("hex") let pass = require("crypto").randomBytes(32).toString("hex")
console.log("Creating User:" + JSON.stringify(query) + "Random Pass" + pass)
const userRegHand = require('../User/UserRegistrationHandler.js') const userRegHand = require('../User/UserRegistrationHandler.js')
userRegHand.registerNewUser({ userRegHand.registerNewUser({
email: mail, email: mail,
@ -179,7 +181,7 @@ const AuthenticationManager = {
checkRounds(user, hashedPassword, password, callback) { checkRounds(user, hashedPassword, password, callback) {
// Temporarily disable this function, TODO: re-enable this // Temporarily disable this function, TODO: re-enable this
//callback() return callback()
if (Settings.security.disableBcryptRoundsUpgrades) { if (Settings.security.disableBcryptRoundsUpgrades) {
return callback() return callback()
} }
@ -212,7 +214,7 @@ const AuthenticationManager = {
} }
db.users.update( db.users.update(
{ {
_id: ObjectId(userId._id.toString()) _id: ObjectId(userId.toString())
}, },
{ {
$set: { $set: {

33
traefik/dynamic_conf.yml Normal file
View file

@ -0,0 +1,33 @@
tls:
options:
default:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
http:
middlewares:
secHeaders:
headers:
browserXssFilter: true
contentTypeNosniff: true
frameDeny: true
sslRedirect: true
#HSTS Configuration
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 31536000
customFrameOptionsValue: "SAMEORIGIN"
https-redirect:
redirectScheme:
scheme: https

1
traefik/users.htpasswd Normal file
View file

@ -0,0 +1 @@
admin:$apr1$7xGHLKlO$Mx2DNcWfqiHfH1WLg51ul.