From 2ac52d0578b0f0361173e0656afff720e8eaaa77 Mon Sep 17 00:00:00 2001 From: Marc van der Wal Date: Wed, 25 Oct 2023 15:50:29 +0200 Subject: [PATCH] =?UTF-8?q?Introduire=20un=20proxy=20invers=C3=A9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On met tout derrière un proxy inversé, ce qui permet d’avoir un seul point de connexion depuis lequel on a accès à la console Web du démonstrateur. La webmail est intégrée via une iframe. --- console/Dockerfile | 2 +- console/web-api/config.yml | 2 + console/web-api/lib/Email/SpoofingDemo/Web.pm | 6 +++ console/web-api/views/recipient/webmail.tt | 13 ++++++ docker-compose.yml | 22 ++++++--- frontend/Dockerfile | 3 ++ frontend/nginx.conf | 45 +++++++++++++++++++ recipient/etc/roundcube/config.inc.php | 3 ++ 8 files changed, 88 insertions(+), 8 deletions(-) create mode 100644 console/web-api/views/recipient/webmail.tt create mode 100644 frontend/Dockerfile create mode 100644 frontend/nginx.conf diff --git a/console/Dockerfile b/console/Dockerfile index feee7ca..13aa430 100644 --- a/console/Dockerfile +++ b/console/Dockerfile @@ -81,4 +81,4 @@ COPY --from=bootstrap-build /src/bootstrap/dist/js/bootstrap.bundle.min.js \ /src/web-ui/public/javascripts/bootstrap.bundle.min.js COPY --from=bootstrap-build /target/main.css /src/web-ui/public/css/main.css -ENTRYPOINT ["/src/web-ui/bin/app.psgi"] +ENTRYPOINT ["/usr/bin/plackup", "--path", "/console", "-p", "3000", "/src/web-ui/bin/app.psgi"] diff --git a/console/web-api/config.yml b/console/web-api/config.yml index 2cd5810..3cda4d9 100644 --- a/console/web-api/config.yml +++ b/console/web-api/config.yml @@ -2,6 +2,8 @@ appname: "Email::SpoofingDemo::Web" layout: "main" charset: "UTF-8" +behind_proxy: true + template: "template_toolkit" # Specify the addresses of the API endpoints for the other components of the 
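Review bot: The new ENTRYPOINT in console/Dockerfile starts `plackup` without `-E`, so it runs in its default `development` environment, which loads the StackTrace middleware and can return full Perl stack traces to the browser when a request dies. Unless `PLACK_ENV` is set somewhere not visible in this hunk, add `"-E", "deployment"` to the argument list, since the console is now served through a published proxy port. A short comment above the ENTRYPOINT noting that `--path /console` must match the `location /console` block in frontend/nginx.conf would also help the next maintainer.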
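Review bot: `behind_proxy: true` in console/web-api/config.yml is added without a comment explaining the trust it implies. With this setting the application takes host and scheme from `X-Forwarded-*` request headers, which is only sound while the console is reachable solely through the frontend. Suggested comment above the key: `# Trust X-Forwarded-* headers; the console must only be reachable through the frontend proxy.` Other containers on the internal network can presumably still connect to port 3000 directly and supply these headers themselves, so the comment should state that this is accepted for the demo.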
diff --git a/console/web-api/lib/Email/SpoofingDemo/Web.pm b/console/web-api/lib/Email/SpoofingDemo/Web.pm index c18ff38..f03a086 100644 --- a/console/web-api/lib/Email/SpoofingDemo/Web.pm +++ b/console/web-api/lib/Email/SpoofingDemo/Web.pm @@ -61,6 +61,12 @@ post '/dns/zone-edit/:zone' => sub { redirect "/dns/zone-edit/$zone?success=$success", 303; }; +get '/recipient/webmail' => sub { + template 'recipient/webmail' => { + title => 'Courriels' + }; +}; + any qr{.*} => sub { template '404'; }; diff --git a/console/web-api/views/recipient/webmail.tt b/console/web-api/views/recipient/webmail.tt new file mode 100644 index 0000000..8a07466 --- /dev/null +++ b/console/web-api/views/recipient/webmail.tt @@ -0,0 +1,13 @@ + + + diff --git a/docker-compose.yml b/docker-compose.yml index e3d4fdf..ded5a03 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,6 +2,20 @@ version: '3.8' name: 'spf-dkim-dmarc-workshop' services: + frontend: + image: spf-dkim-dmarc-workshop/frontend + build: ./frontend + hostname: frontend + dns: + - 172.31.0.53 + networks: + internal: + ipv4_address: 172.31.0.11 + ipv6_address: fd4a:8c4:c28b::11 + external: + ports: + - "8080:8080" + console: image: spf-dkim-dmarc-workshop/console build: ./console @@ -12,9 +26,6 @@ services: internal: ipv4_address: 172.31.0.10 ipv6_address: fd4a:8c4:c28b::10 - external: - ports: - - "3000:3000" dns: image: spf-dkim-dmarc-workshop/dns @@ -48,9 +59,6 @@ services: internal: ipv4_address: 172.31.20.1 ipv6_address: fd4a:8c4:c28b:2000::1 - external: - ports: - - "127.0.0.1:8225:8225" attacker: image: spf-dkim-dmarc-workshop/attacker @@ -62,7 +70,7 @@ services: internal: ipv4_address: 172.31.30.1 ipv6_address: fd4a:8c4:c28b:3000::1 - + networks: internal: # enable_ipv6: true diff --git a/frontend/Dockerfile b/frontend/Dockerfile new file mode 100644 index 0000000..6669425 --- /dev/null +++ b/frontend/Dockerfile @@ -0,0 +1,3 @@ +FROM nginx:latest + +COPY nginx.conf /etc/nginx/nginx.conf 
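Review bot: The new `frontend` service in docker-compose.yml publishes `"8080:8080"`, which binds on every host interface, whereas the webmail mapping removed further down in the same file was restricted to loopback (`"127.0.0.1:8225:8225"`). Through the proxy, the webmail and the console (which includes the DNS zone-edit route) are therefore reachable from the host's network rather than from the host only. If the demonstrator is meant to be used from the workshop machine itself, `- "127.0.0.1:8080:8080"` keeps the previous exposure for the webmail and narrows it for the console. Otherwise a comment on the `ports:` entry stating that network exposure is intended would document the decision.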
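Review bot: `FROM nginx:latest` in frontend/Dockerfile makes the image depend on whatever nginx happens to be published on the day of the build, so a rebuild can silently change the proxy version. Pin the base image to a specific release tag, ideally with a digest, for example `FROM nginx:<version>@sha256:<digest>` (placeholders to fill in). Because the configuration listens on 8080 and needs no privileged port, running nginx as a non-root user in this image could be considered as well.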
diff --git a/frontend/nginx.conf b/frontend/nginx.conf
new file mode 100644
index 0000000..e0281a0
--- /dev/null
+++ b/frontend/nginx.conf
@@ -0,0 +1,45 @@
+events {
+}
+
+http {
+ upstream console {
+ server 172.31.0.10:3000;
+ }
+
+ upstream webmail {
+ server 172.31.20.1:8225;
+ }
+
+ server {
+ listen 8080;
+
+ location / {
+ return 302 /console;
+ }
+
+ location /console {
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 5s;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Host $host:8080;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_pass http://console;
+ }
+
+ location /webmail { return 302 /webmail/; }
+
+ location /webmail/ {
+ proxy_connect_timeout 1s;
+ proxy_read_timeout 5s;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Path "/webmail";
+ proxy_pass http://webmail/;
+ }
+ }
+}
diff --git a/recipient/etc/roundcube/config.inc.php b/recipient/etc/roundcube/config.inc.php
index ef915c5..7f8e58e 100644
--- a/recipient/etc/roundcube/config.inc.php
+++ b/recipient/etc/roundcube/config.inc.php
@@ -35,3 +35,6 @@ $config['skin'] = 'elastic';
 // Pour éviter de se faire déconnecter de la webmail pendant la démo, on
 // configure une durée de session de 24 heures.
 $config['session_lifetime'] = 1440;
+
+// On est derrière un proxy inversé
+$config['request_path'] = $_SERVER['HTTP_X_FORWARDED_PATH'];
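Review bot: Both proxied locations in frontend/nginx.conf forward the caller's own `Host` header (`proxy_set_header Host $http_host;`) and append to, rather than replace, any client-supplied `X-Forwarded-For` (`$proxy_add_x_forwarded_for`), and the server block declares no `server_name`, so most forwarded values can be chosen by the client. Since the console is switched to `behind_proxy: true` in this same commit, it will presumably use them when generating URLs. As this nginx is the outermost hop, `proxy_set_header X-Forwarded-For $remote_addr;` plus an explicit `server_name` with a default server that rejects other hosts would remove that influence. The two blocks also differ (`X-Forwarded-Protocol` and `$host:8080` for the console, `X-Forwarded-Proto` and `$host` for the webmail); a comment saying that this is deliberate and why the port is hard-coded would help.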
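Review bot: `request_path` in recipient/etc/roundcube/config.inc.php is read straight from the `X-Forwarded-Path` request header, which is only trustworthy when the request came through the frontend. A client that reaches the webmail container directly (for instance another container on the internal network) can set the header freely, and when it is absent the array access is undefined. The proxy always sends the constant `/webmail`, so hard-coding it avoids both cases: `$config['request_path'] = '/webmail';`.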