

Allow st2web to run as non-root w/o privileges
Co-authored-by: Jacob Floyd <[email protected]>
jk464 and cognifloyd committed May 24, 2024
1 parent cebea8d commit 754423c
Showing 4 changed files with 88 additions and 42 deletions.
8 changes: 7 additions & 1 deletion st2web/Dockerfile
Expand Up @@ -23,6 +23,9 @@ ENV ST2WEB_HTTPS 0
ENV ST2_AUTH_URL http://st2auth:9100/
ENV ST2_API_URL http://st2api:9101/
ENV ST2_STREAM_URL http://st2stream:9102/
ENV ST2_CA_CERT /etc/ssl/internal/ca.crt
ENV ST2_PORT_HTTP 80
ENV ST2_PORT_HTTPS 443

# Generate UTF-8 locale
RUN apt-get -qq update \
Expand Down Expand Up @@ -78,5 +81,8 @@ VOLUME ["/etc/ssl/st2/"]

EXPOSE 80
EXPOSE 443
EXPOSE 8080
EXPOSE 8443
STOPSIGNAL SIGTERM
CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]
RUN touch /var/run/nginx.pid && chown nginx:nginx /etc/nginx/conf.d/ /var/cache/nginx/ /var/run/nginx.pid
CMD ["/bin/bash", "-c", "if [ ${ST2WEB_HTTPS} = 1 ]; then ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-https.template'; else ST2WEB_TEMPLATE='/etc/nginx/conf.d/st2-http.template'; fi && envsubst '${ST2_AUTH_URL} ${ST2_API_URL} ${ST2_STREAM_URL} ${ST2_CERT_CA} ${ST2_PORT_HTTP} ${ST2_PORT_HTTPS}' < ${ST2WEB_TEMPLATE} > /etc/nginx/conf.d/st2.conf && exec nginx -g 'daemon off;'"]
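Review bot: The envsubst variable list in the new CMD names `${ST2_CERT_CA}`, but the ENV added above is `ST2_CA_CERT` and the https template references `${ST2_CA_CERT}`, so the CA path is never substituted and `proxy_ssl_trusted_certificate ${ST2_CA_CERT}` reaches nginx as a literal string; the list entry should read `${ST2_CA_CERT}`. While touching that line, quote the mode test as `if [ "${ST2WEB_HTTPS}" = 1 ]` so an empty or unset value does not produce a `[: =: unary operator expected` error instead of a clean false. The README's instruction to run as `999:999` presumably relies on the package-created `nginx` user landing on uid 999; nothing in the visible hunk pins that uid or adds a `USER` instruction, so consider creating the user with a fixed uid (or adding `USER nginx` after the chown) so the chown target and the documented uid cannot drift apart.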
10 changes: 10 additions & 0 deletions st2web/README.md
Expand Up @@ -11,9 +11,19 @@ The following environment variables are available for configuration:
- `ST2_API_URL` (default: `http://st2api:9101/`) - StackStorm API service
- `ST2_STREAM_URL` (default: `http://st2stream:9102/`) - StackStorm Stream service
- `ST2WEB_HTTPS` (default: `0`) - Use https with st2web
- `ST2_PORT_HTTP` (default: `80`) - Port to listen for HTTP traffic
- `ST2_PORT_HTTPS` (default: `443`) - Port to listen for HTTPS traffic

> Warning! All 3 services should be DNS/network accessible for `st2web` container to start properly. Thanks to K8s pod restarts, it's not a problem.
### Running as Non-Root

To run the `st2web` as non-root, pass the following config options:

* `ST2_PORT_HTTP` - should be set as `8080`
* `ST2_PORT_HTTPS` - should be set as `8443`
* Run the container as `uid`/`gid` - `999:999`

### Secrets
> Note! You may safely ignore this section if `ST2WEB_HTTPS` is set to `0`.
50 changes: 26 additions & 24 deletions st2web/files/st2.conf-http.patch
@@ -1,22 +1,24 @@
--- st2.conf 2021-06-18 19:45:50.892196136 +0100
+++ st2.http.conf 2021-06-18 19:50:00.098280995 +0100
@@ -8,44 +8,18 @@

--- st2.conf 2023-09-01 16:31:41.000000000 +0100
+++ st2.http.conf 2023-09-01 16:33:45.000000000 +0100
@@ -7,45 +7,19 @@
# see https://docs.stackstorm.com/install.html for details

server {
listen *:80 default_server;
- listen *:80 default_server;
+ listen *:${ST2_PORT_HTTP} default_server;
+ server_tokens off;

- add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;

- if ($ssl_protocol = "") {
- return 308 https://$host$request_uri;
- }
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
return 405;
}
index index.html;
- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
- return 405;
- }
- index index.html;
-
- access_log /var/log/nginx/st2webui.access.log combined;
- error_log /var/log/nginx/st2webui.error.log;
-}
Expand All @@ -25,9 +27,9 @@
- listen *:443 ssl;
- server_tokens off;
-
- if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
- return 405;
- }
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
return 405;
}
-
- ssl_certificate /etc/ssl/st2/st2.crt;
- ssl_certificate_key /etc/ssl/st2/st2.key;
Expand All @@ -37,39 +39,39 @@
- ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
- ssl_prefer_server_ciphers on;
-
- index index.html;
-
index index.html;

- access_log /var/log/nginx/ssl-st2webui.access.log combined;
- error_log /var/log/nginx/ssl-st2webui.error.log;
+ access_log /proc/self/fd/1 combined;
+ error_log stderr;

- add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY always;
add_header Strict-Transport-Security "max-age=3153600;includeSubDomains";
@@ -61,7 +35,7 @@

rewrite ^/api/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9101/;
+ proxy_pass ${ST2_API_URL};
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
@@ -99,7 +73,7 @@

rewrite ^/stream/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9102/;
+ proxy_pass ${ST2_STREAM_URL};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -138,7 +112,7 @@

rewrite ^/auth/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9100/;
+ proxy_pass ${ST2_AUTH_URL};
proxy_read_timeout 90;
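Review bot: The http template's proxied locations keep a bare `proxy_pass ${ST2_API_URL}` (and the stream and auth equivalents) while the https template in this same commit adds `proxy_ssl_trusted_certificate ${ST2_CA_CERT}` under each of them, so an operator who terminates TLS at an ingress (`ST2WEB_HTTPS=0`) but points the `ST2_*_URL` variables at https upstreams gets no CA configuration at all, even though the Dockerfile's envsubst list substitutes the CA variable for both templates. If the CA directive is meant to apply whenever an upstream speaks TLS, the same line belongs under each `proxy_pass` here too; if this template is intentionally plain-http end to end, a one-line comment in the patch header stating that would keep the two templates from drifting further apart. Also visible in context, the plain-HTTP server still emits `Strict-Transport-Security "max-age=3153600;includeSubDomains"`, which browsers ignore on non-TLS responses and whose max-age (~36 days) looks like a typo for 31536000. The location blocks these hunks touch begin and end outside the visible lines.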
62 changes: 45 additions & 17 deletions st2web/files/st2.conf-https.patch
@@ -1,51 +1,79 @@
--- st2.conf 2021-06-18 19:45:50.892196136 +0100
+++ st2.https.conf 2021-06-18 19:45:50.884196198 +0100
@@ -20,8 +20,8 @@
--- st2.conf 2023-09-18 15:03:31.000000000 +0100
+++ st2.https.conf 2023-09-18 15:12:35.000000000 +0100
@@ -7,7 +7,7 @@
# see https://docs.stackstorm.com/install.html for details

server {
- listen *:80 default_server;
+ listen *:${ST2_PORT_HTTP} default_server;

add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;
@@ -20,12 +20,12 @@
}
index index.html;

- access_log /var/log/nginx/st2webui.access.log combined;
- error_log /var/log/nginx/st2webui.error.log;
+ access_log /proc/self/fd/1 combined;
+ error_log stderr;
}

server {
- listen *:443 ssl;
+ listen *:${ST2_PORT_HTTPS} ssl;
server_tokens off;

if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$ ) {
@@ -42,8 +42,8 @@

index index.html;

- access_log /var/log/nginx/ssl-st2webui.access.log combined;
- error_log /var/log/nginx/ssl-st2webui.error.log;
+ access_log /proc/self/fd/1 combined;
+ error_log stderr;

add_header Front-End-Https on;
add_header X-Content-Type-Options nosniff;
@@ -61,7 +61,7 @@
@@ -61,10 +61,11 @@

rewrite ^/api/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9101/;
+ proxy_pass ${ST2_API_URL};
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
@@ -99,7 +99,7 @@

+ proxy_ssl_trusted_certificate ${ST2_CA_CERT};

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
@@ -99,12 +100,13 @@

rewrite ^/stream/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9102/;
+ proxy_pass ${ST2_STREAM_URL};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -138,7 +138,7 @@

proxy_read_timeout 200;
proxy_connect_timeout 200;
+ proxy_ssl_trusted_certificate ${ST2_CA_CERT};

sendfile on;
tcp_nopush on;
@@ -138,10 +140,11 @@

rewrite ^/auth/(.*) /$1 break;

- proxy_pass http://127.0.0.1:9100/;
+ proxy_pass ${ST2_AUTH_URL};
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
+ proxy_ssl_trusted_certificate ${ST2_CA_CERT};

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
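Review bot: `proxy_ssl_trusted_certificate ${ST2_CA_CERT}` is added to the api, stream and auth locations without `proxy_ssl_verify on;`, and nginx's proxy_ssl_verify defaults to off, so the upstream certificate is never checked against that CA and the new directive has no effect — TLS to st2api, st2stream and st2auth remains unauthenticated against an on-path attacker. Each location should carry the pair `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate ${ST2_CA_CERT};`, ideally with `proxy_ssl_server_name on;` so the upstream receives SNI for the host in the `ST2_*_URL`; these proxy_ssl_ directives only take effect when proxy_pass uses an https URL, so plain-http deployments are unaffected. Be aware that nginx only opens the trusted-certificate file once verification is enabled, so turning it on will surface a wrong or missing path (including an absent default `/etc/ssl/internal/ca.crt`) as a startup failure rather than silently passing. The location blocks start and end outside these hunks.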
