Introduire un proxy inversé

On met tout derrière un proxy inversé, ce qui permet d’avoir un seul
point de connexion depuis lequel on a accès à la console Web du
démonstrateur. La webmail est intégrée via une iframe.
This commit is contained in:
Marc van der Wal 2023-10-25 15:50:29 +02:00
parent 9b8010414f
commit 2ac52d0578
8 changed files with 88 additions and 8 deletions

View File

@ -81,4 +81,4 @@ COPY --from=bootstrap-build /src/bootstrap/dist/js/bootstrap.bundle.min.js \
/src/web-ui/public/javascripts/bootstrap.bundle.min.js /src/web-ui/public/javascripts/bootstrap.bundle.min.js
COPY --from=bootstrap-build /target/main.css /src/web-ui/public/css/main.css COPY --from=bootstrap-build /target/main.css /src/web-ui/public/css/main.css
ENTRYPOINT ["/src/web-ui/bin/app.psgi"] ENTRYPOINT ["/usr/bin/plackup", "--path", "/console", "-p", "3000", "/src/web-ui/bin/app.psgi"]

View File

@ -2,6 +2,8 @@ appname: "Email::SpoofingDemo::Web"
layout: "main" layout: "main"
charset: "UTF-8" charset: "UTF-8"
behind_proxy: true
template: "template_toolkit" template: "template_toolkit"
# Specify the addresses of the API endpoints for the other components of the # Specify the addresses of the API endpoints for the other components of the

View File

@ -61,6 +61,12 @@ post '/dns/zone-edit/:zone' => sub {
redirect "/dns/zone-edit/$zone?success=$success", 303; redirect "/dns/zone-edit/$zone?success=$success", 303;
}; };
get '/recipient/webmail' => sub {
template 'recipient/webmail' => {
title => 'Courriels'
};
};
any qr{.*} => sub { any qr{.*} => sub {
template '404'; template '404';
}; };

View File

@ -0,0 +1,13 @@
<style type="text/css">
iframe#webmail {
position: absolute;
top: 56px;
bottom: 0;
left: 0;
right: 0;
width: 100%;
height: calc(100vh - 56px);
}
</style>
<iframe id="webmail" src="/webmail"></iframe>

View File

@ -2,6 +2,20 @@ version: '3.8'
name: 'spf-dkim-dmarc-workshop' name: 'spf-dkim-dmarc-workshop'
services: services:
frontend:
image: spf-dkim-dmarc-workshop/frontend
build: ./frontend
hostname: frontend
dns:
- 172.31.0.53
networks:
internal:
ipv4_address: 172.31.0.11
ipv6_address: fd4a:8c4:c28b::11
external:
ports:
- "8080:8080"
console: console:
image: spf-dkim-dmarc-workshop/console image: spf-dkim-dmarc-workshop/console
build: ./console build: ./console
@ -12,9 +26,6 @@ services:
internal: internal:
ipv4_address: 172.31.0.10 ipv4_address: 172.31.0.10
ipv6_address: fd4a:8c4:c28b::10 ipv6_address: fd4a:8c4:c28b::10
external:
ports:
- "3000:3000"
dns: dns:
image: spf-dkim-dmarc-workshop/dns image: spf-dkim-dmarc-workshop/dns
@ -48,9 +59,6 @@ services:
internal: internal:
ipv4_address: 172.31.20.1 ipv4_address: 172.31.20.1
ipv6_address: fd4a:8c4:c28b:2000::1 ipv6_address: fd4a:8c4:c28b:2000::1
external:
ports:
- "127.0.0.1:8225:8225"
attacker: attacker:
image: spf-dkim-dmarc-workshop/attacker image: spf-dkim-dmarc-workshop/attacker

3
frontend/Dockerfile Normal file
View File

@ -0,0 +1,3 @@
FROM nginx:latest
COPY nginx.conf /etc/nginx/nginx.conf

45
frontend/nginx.conf Normal file
View File

@ -0,0 +1,45 @@
events {
}
http {
upstream console {
server 172.31.0.10:3000;
}
upstream webmail {
server 172.31.20.1:8225;
}
server {
listen 8080;
location / {
return 302 /console;
}
location /console {
proxy_connect_timeout 1s;
proxy_read_timeout 5s;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host:8080;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_pass http://console;
}
location /webmail { return 302 /webmail/; }
location /webmail/ {
proxy_connect_timeout 1s;
proxy_read_timeout 5s;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Path "/webmail";
proxy_pass http://webmail/;
}
}
}

View File

@ -35,3 +35,6 @@ $config['skin'] = 'elastic';
// Pour éviter de se faire déconnecter de la webmail pendant la démo, on // Pour éviter de se faire déconnecter de la webmail pendant la démo, on
// configure une durée de session de 24 heures. // configure une durée de session de 24 heures.
$config['session_lifetime'] = 1440; $config['session_lifetime'] = 1440;
// On est derrière un proxy inversé
$config['request_path'] = $_SERVER['HTTP_X_FORWARDED_PATH'];