Introduire un proxy inversé

On met tout derrière un proxy inversé, ce qui permet d’avoir un seul
point de connexion depuis lequel on a accès à la console Web du
démonstrateur. La webmail est intégrée via une iframe.

console/Dockerfile

@@ -81,4 +81,4 @@ COPY --from=bootstrap-build /src/bootstrap/dist/js/bootstrap.bundle.min.js \
     /src/web-ui/public/javascripts/bootstrap.bundle.min.js
 COPY --from=bootstrap-build /target/main.css /src/web-ui/public/css/main.css
 
-ENTRYPOINT ["/src/web-ui/bin/app.psgi"]
+ENTRYPOINT ["/usr/bin/plackup", "--path", "/console", "-p", "3000", "/src/web-ui/bin/app.psgi"]

console/web-api/config.yml

@@ -2,6 +2,8 @@ appname: "Email::SpoofingDemo::Web"
 layout: "main"
 charset: "UTF-8"
 
+behind_proxy: true
+
 template: "template_toolkit"
 
 # Specify the addresses of the API endpoints for the other components of the

console/web-api/lib/Email/SpoofingDemo/Web.pm

@@ -61,6 +61,12 @@ post '/dns/zone-edit/:zone' => sub {
     redirect "/dns/zone-edit/$zone?success=$success", 303;
 };
 
+get '/recipient/webmail' => sub {
+    template 'recipient/webmail' => {
+        title => 'Courriels'
+    };
+};
+
 any qr{.*} => sub {
     template '404';
 };

console/web-api/views/recipient/webmail.tt

@@ -0,0 +1,13 @@
+<style type="text/css">
+ iframe#webmail {
+     position: absolute;
+     top: 56px;
+     bottom: 0;
+     left: 0;
+     right: 0;
+     width: 100%;
+     height: calc(100vh - 56px);
+ }
+</style>
+<iframe id="webmail" src="/webmail"></iframe>
+

docker-compose.yml

@@ -2,6 +2,20 @@ version: '3.8'
 name: 'spf-dkim-dmarc-workshop'
 
 services:
+  frontend:
+    image: spf-dkim-dmarc-workshop/frontend
+    build: ./frontend
+    hostname: frontend
+    dns:
+      - 172.31.0.53
+    networks:
+      internal:
+        ipv4_address: 172.31.0.11
+        ipv6_address: fd4a:8c4:c28b::11
+      external:
+    ports:
+      - "8080:8080"
+
   console:
     image: spf-dkim-dmarc-workshop/console
     build: ./console
@@ -12,9 +26,6 @@ services:
       internal:
         ipv4_address: 172.31.0.10
         ipv6_address: fd4a:8c4:c28b::10
-      external:
-    ports:
-      - "3000:3000"
 
   dns:
     image: spf-dkim-dmarc-workshop/dns
@@ -48,9 +59,6 @@ services:
       internal:
         ipv4_address: 172.31.20.1
         ipv6_address: fd4a:8c4:c28b:2000::1
-      external:
-    ports:
-      - "127.0.0.1:8225:8225"
 
   attacker:
     image: spf-dkim-dmarc-workshop/attacker

frontend/Dockerfile

@@ -0,0 +1,3 @@
+FROM nginx:latest
+
+COPY nginx.conf /etc/nginx/nginx.conf

frontend/nginx.conf

@@ -0,0 +1,45 @@
+events {
+}
+
+http {
+  upstream console {
+    server 172.31.0.10:3000;
+  }
+  
+  upstream webmail {
+    server 172.31.20.1:8225;
+  }
+  
+  server {
+    listen 8080;
+
+    location / {
+      return 302 /console;
+    }
+
+    location /console {
+      proxy_connect_timeout 1s;
+      proxy_read_timeout 5s;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Forwarded-Host $host:8080;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Protocol $scheme;
+      proxy_pass       http://console;
+    }
+
+    location /webmail { return 302 /webmail/; }
+  
+    location /webmail/ {
+      proxy_connect_timeout 1s;
+      proxy_read_timeout 5s;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Forwarded-Path "/webmail";
+      proxy_pass       http://webmail/;
+    }
+  }
+}

recipient/etc/roundcube/config.inc.php

@@ -35,3 +35,6 @@ $config['skin'] = 'elastic';
 // Pour éviter de se faire déconnecter de la webmail pendant la démo, on
 // configure une durée de session de 24 heures.
 $config['session_lifetime'] = 1440;
+
+// On est derrière un proxy inversé
+$config['request_path'] = $_SERVER['HTTP_X_FORWARDED_PATH'];