Improve install and modify Traefik IP restriction

Move Traefik to its own folder and run it instead
Add my SSH forwarding script and a Vagrantfile
2023-11-02 21:21:08 -04:00 · 2023-11-02 20:54:41 -04:00 · 2023-11-02 20:52:08 -04:00
7 changed files with 184 additions and 60 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.vagrant
--- a/README.md
+++ b/README.md
@ -1 +1,6 @@
 # Traefik Testing
+
+Run test:
+```shell
+vagrant destroy -f && vagrant up && sudo ./forward-ssh.sh
+```
--- a/19
+++ b/19
@ -0,0 +1,19 @@
+Vagrant.configure("2") do |config|
+  config.vm.box = "debian/bookworm64"
+  config.vm.provision "shell", inline: <<-SHELL
+    set -xe
+
+    # Install Docker
+    which curl &>/dev/null || (apt-get update && apt-get install -y curl)
+    which docker &>/dev/null || curl -fsSL https://get.docker.com | sh
+
+    # Swarm?
+    [ ! "$(docker info | grep -c 'Swarm: active')" -eq 1 ] && docker swarm init
+
+    # Start Traefik compose
+    mkdir -p /vagrant/traefik/letsencrypt
+    cd /vagrant/traefik || exit 1
+    docker compose up -d
+
+  SHELL
+end
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -49,63 +49,3 @@ networks:
        traefik:
                name: traefik_proxy_net
                external: true
-
-
-############################################################################
-Traefik config
-############################################################################
-
-version: "3.3"
-
-services:
-
-  traefik:
-    image: "traefik:v2.10"
-    networks:
-      - proxy_net
-    command:
-      - "--log.level=TRACE"
-      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-#- "--log.level=DEBUG"
-      - "--api.insecure=true"
-      - "--api.dashboard=true"
-      - "--providers.docker=true"
-#      - "--providers.docker.swarmMode=true"
-      - "--providers.docker.exposedbydefault=false"
-      - "--entrypoints.web.address=:80"
-      - "--entrypoints.websecure.address=:443"
-      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
-      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
-      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
-      - "--certificatesresolvers.myresolver.acme.email=noreply@example.com"
-      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - "./letsencrypt:/letsencrypt"
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.traefik.rule=Host(`traefik.local.coulter.info`)"
-      - "traefik.http.routers.traefik.entrypoints=websecure"
-      - "traefik.http.routers.traefik.middlewares=localonly"
-      - "traefik.http.routers.traefik.service=api@internal"
-      - "traefik.http.routers.traefik.tls=true"
-      - "traefik.http.middlewares.localonly.ipwhitelist.sourcerange=10.0.0.0/8"
-  whoami:
-    image: "traefik/whoami"
-    networks:
-      - proxy_net
-    labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.whoami.rule=Host(`whoami.local.coulter.info`)"
-      - "traefik.http.routers.whoami.entrypoints=websecure"
-      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
-      - "traefik.http.routers.whoami.tls=true"
-      - "traefik.http.services.whoami.loadbalancer.server.port=80"
-      - "traefik.docker.network=proxy_net"
-
-networks:
-  proxy_net:
-
--- a/forward-ssh.sh
+++ b/forward-ssh.sh
@ -0,0 +1,105 @@
+#!/bin/bash
+
+# Copyright (C) 2023  Kris Lamoureux
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+# Finds the SSH private key under ./.vagrant and connects to
+# the Vagrant box, port forwarding localhost ports: 8443, 80, 443
+
+# Root check
+if [ "$EUID" -ne 0 ]; then
+  echo "[ERROR]: Please run script as root"
+  exit 1
+fi
+
+# Clean environment
+unset PRIVATE_KEY
+unset HOST_IP
+unset MATCH_PATTERN
+unset PKILL_ANSWER
+
+# Function to create the SSH tunnel
+function ssh_connect {
+  read -rp "Start a new vagrant SSH tunnel? [y/N] " PSTART_ANSWER
+  echo
+  case "$PSTART_ANSWER" in
+    [yY])
+      printf "[INFO]: Starting new vagrant SSH tunnel on PID "
+      sudo -u "$USER" ssh -fNT -i "$PRIVATE_KEY" \
+        -L 22:localhost:22 \
+        -L 80:localhost:80 \
+        -L 443:localhost:443 \
+        -L 8443:localhost:8443 \
+        -o UserKnownHostsFile=/dev/null \
+        -o StrictHostKeyChecking=no \
+        vagrant@"$HOST_IP" 2>/dev/null
+      sleep 2
+      pgrep -f "$MATCH_PATTERN"
+      ;;
+    *)
+      echo "[INFO]: Delined to start a new vagrant SSH tunnel"
+      exit 0
+      ;;
+  esac
+}
+
+# Check for valid PRIVATE_KEY location
+PRIVATE_KEY="$(find .vagrant -name "private_key" 2>/dev/null)"
+if ! ssh-keygen -l -f "$PRIVATE_KEY" &>/dev/null; then
+  echo "[ERROR]: The SSH key '$PRIVATE_KEY' is not valid. Is your virtual machine running?"
+  exit 1
+fi
+echo "[CHECK]: Valid key at $PRIVATE_KEY"
+
+# Grab first IP or use whatever HOST_IP_FIELD is set to and check that the guest is up
+HOST_IP="$(vagrant ssh -c "hostname -I | cut -d' ' -f${HOST_IP_FIELD:-1}" 2>/dev/null)"
+HOST_IP="${HOST_IP::-1}" # trim
+if ! ping -c 1 "$HOST_IP" &>/dev/null; then
+  echo "[ERROR]: Cannot ping the host IP '$HOST_IP'"
+  exit 1
+fi
+echo "[CHECK]: Host at $HOST_IP is up"
+
+# Pattern for matching processes running
+MATCH_PATTERN="ssh -fNT -i ${PRIVATE_KEY}.*vagrant@"
+
+# Check amount of processes that match the pattern
+if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
+  ssh_connect
+else
+  # Processes found, so prompt to kill remaining ones then start tunnel
+  printf "\n[WARNING]: Found processes running:\n"
+  pgrep -fa "$MATCH_PATTERN"
+  printf '\n'
+  read -rp "Would you like to kill these processes? [y/N] " PKILL_ANSWER
+  echo
+  case "$PKILL_ANSWER" in
+    [yY])
+      echo "[WARNING]: Killing old vagrant SSH tunnel(s): "
+      pgrep -f "$MATCH_PATTERN" | tee >(xargs kill -15)
+      echo
+      if [ "$(pgrep -afc "$MATCH_PATTERN")" -eq 0 ]; then
+        ssh_connect
+      else
+        echo "[ERROR]: Unable to kill processes:"
+        pgrep -f "$MATCH_PATTERN"
+        exit 1
+      fi
+      ;;
+    *)
+      echo "[INFO]: Declined to kill existing processes"
+      exit 0
+      ;;
+  esac
+fi
--- a/traefik/docker-compose.yml
+++ b/traefik/docker-compose.yml
@ -0,0 +1,54 @@
+version: "3.3"
+
+services:
+
+  traefik:
+    image: "traefik:v2.10"
+    networks:
+      - proxy_net
+    command:
+      - "--log.level=TRACE"
+      - "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+#- "--log.level=DEBUG"
+      - "--api.insecure=true"
+      - "--api.dashboard=true"
+      - "--providers.docker=true"
+#      - "--providers.docker.swarmMode=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.web.address=:80"
+      - "--entrypoints.websecure.address=:443"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge=true"
+      - "--certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web"
+      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.myresolver.acme.email=noreply@example.com"
+      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - "./letsencrypt:/letsencrypt"
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.rule=Host(`traefik.local.coulter.info`)"
+      - "traefik.http.routers.traefik.entrypoints=websecure"
+      - "traefik.http.routers.traefik.middlewares=localonly"
+      - "traefik.http.routers.traefik.service=api@internal"
+      - "traefik.http.routers.traefik.tls=true"
+      #- "traefik.http.middlewares.localonly.ipwhitelist.sourcerange=10.0.0.0/8"
+      - "traefik.http.middlewares.localonly.ipwhitelist.sourcerange=172.16.0.0/12,10.0.0.0/8" # vagrant verison
+  whoami:
+    image: "traefik/whoami"
+    networks:
+      - proxy_net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.local.coulter.info`)"
+      - "traefik.http.routers.whoami.entrypoints=websecure"
+      - "traefik.http.routers.whoami.tls.certresolver=myresolver"
+      - "traefik.http.routers.whoami.tls=true"
+      - "traefik.http.services.whoami.loadbalancer.server.port=80"
+      - "traefik.docker.network=proxy_net"
+
+networks:
+  proxy_net:
--- a/traefik/letsencrypt/acme.json
+++ b/traefik/letsencrypt/acme.json
Author	SHA1	Message	Date
Kris Lamoureux	0ea81138e2	Improve install and modify Traefik IP restriction	2023-11-02 21:21:08 -04:00
Kris Lamoureux	0455466dfd	Move Traefik to its own folder and run it instead	2023-11-02 20:54:41 -04:00
Kris Lamoureux	8c5f07b0de	Add my SSH forwarding script and a Vagrantfile	2023-11-02 20:52:08 -04:00