Merge pull request #11 from axl89/10-avoid-building-secrets-into-image
10 avoid building secrets into image
axl89 authored Sep 25, 2020
2 parents 849ac93 + ebeb3cb commit 03b5078
Showing 5 changed files with 54 additions and 45 deletions.
15 changes: 9 additions & 6 deletions CHANGELOG.md
Expand Up @@ -6,11 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

- NGINX security hardening.
- Configure NGINX site with TLS.
- Improve docs
- Limit the amount of downloads per IP address
- Design some fancy deployment files for K8S
## [0.0.2] - 2020-09-25

### Added
- Integration with [Docker Hub](https://hub.docker.com/repository/docker/s3cr3t/s3cr3t-server).

### Fixed
- Avoid building secrets in the Docker image ([#10](https://github.com/axl89/s3cr3t/issues/10)).

## [0.0.1] - 2020-04-18
### Added
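Review bot: the new `## [0.0.2] - 2020-09-25` heading sits directly under the last Unreleased bullet (`- Design some fancy deployment files for K8S`) with no blank line, unlike every other heading in this file; add one so the list is terminated cleanly by Markdown renderers. `- Improve docs` is also the only Unreleased bullet without a trailing period.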
Expand All @@ -21,5 +23,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Readme file to improve documentation and use cases.
- Link generator utility to keep up with the changes.

[Unreleased]: https://github.com/axl89/s3cr3t/compare/v0.0.1...HEAD
[Unreleased]: https://github.com/axl89/s3cr3t/compare/v0.0.2...HEAD
[0.0.2]: https://github.com/axl89/s3cr3t/compare/v0.0.1...v0.0.2
[0.0.1]: https://github.com/axl89/s3cr3t/releases/tag/v0.0.1
22 changes: 4 additions & 18 deletions Dockerfile
Expand Up @@ -15,32 +15,18 @@

FROM openresty/openresty:buster

ARG S3_BUCKET_NAME=a-bucket-name
ARG SECRET
ARG AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY
ARG BUCKET_REGION=us-east-1


# Copy required files

## NGINX
COPY nginx-site-example.conf /etc/nginx/conf.d/default.conf
COPY secret-site.conf /usr/local/openresty/nginx/conf/secret-site.conf
COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
COPY entrypoint.sh /tmp/entrypoint.sh

## Openresty
COPY lib/aws.lua /usr/local/openresty/lualib/resty/aws.lua
COPY lib/hmac.lua /usr/local/openresty/lualib/resty/hmac.lua


# Perform modifications based on arguments

## Site
RUN sed -i s/your-bucket-name/$S3_BUCKET_NAME/g /etc/nginx/conf.d/default.conf
RUN sed -i s/your-bucket-region/$BUCKET_REGION/g /etc/nginx/conf.d/default.conf
RUN sed -i s/AM1ghtyS3cr3t\!/$SECRET/g /etc/nginx/conf.d/default.conf

## NGINX global config
RUN sed -i s/INVALID_AWS_ACCESS_KEY_ID/$AWS_ACCESS_KEY_ID/g /usr/local/openresty/nginx/conf/nginx.conf
RUN sed -i s/INVALID_AWS_SECRET_ACCESS_KEY/$AWS_SECRET_ACCESS_KEY/g /usr/local/openresty/nginx/conf/nginx.conf
# Entrypoint that changes NGINX config files at runtime
# with the environment variables
CMD ["/tmp/entrypoint.sh"]
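Review bot: `COPY entrypoint.sh /tmp/entrypoint.sh` depends on the script already carrying the executable bit in the repository; if it does not, the exec-form `CMD ["/tmp/entrypoint.sh"]` fails at container start with a permission error. Add `RUN chmod +x` in the same step, and consider a less ephemeral location than `/tmp`, e.g. `/usr/local/bin/entrypoint.sh`. Removing the five `ARG` lines together with the `RUN sed` steps is the right fix for #10: build arguments and `RUN` commands are recorded in the image's layer history, so the old image leaked `AWS_SECRET_ACCESS_KEY` and `SECRET` to anyone who could run `docker history` on it.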
26 changes: 5 additions & 21 deletions README.md
Expand Up @@ -3,34 +3,18 @@ Serve files securely from an S3 bucket with expiring links and other restriction

[![](https://mermaid.ink/img/eyJjb2RlIjoiZ3JhcGggTFJcblx0QVtDbGllbnRdIC0tPnxHRVQgL2ZpbGUudGFyLmd6fCBCKHMzY3IzdCBzZXJ2ZXIpXG5cdEIgLS0-IEN7Q2hlY2tzfVxuXHRDIC0tPnxVUkkgbWF0Y2g_fCBEXG5cdEMgLS0-fElQIGFsbG93ZWQ_fCBEXG5cdEMgLS0-fEV4cGlyZWQ_fCBEXG4gICAgRChTMyBCdWNrZXQpXG4gICAgRC0uIFJlc3BvbnNlIC4tPiBCXG4gICAgQi0uIFJlc3BvbnNlIC4tPiBBXG5cdFx0XHRcdFx0IiwibWVybWFpZCI6eyJ0aGVtZSI6ImRlZmF1bHQifSwidXBkYXRlRWRpdG9yIjpmYWxzZX0)](https://mermaid-js.github.io/mermaid-live-editor/#/edit/eyJjb2RlIjoiZ3JhcGggTFJcblx0QVtDbGllbnRdIC0tPnxHRVQgL2ZpbGUudGFyLmd6fCBCKHMzY3IzdCBzZXJ2ZXIpXG5cdEIgLS0-IEN7Q2hlY2tzfVxuXHRDIC0tPnxVUkkgbWF0Y2g_fCBEXG5cdEMgLS0-fElQIGFsbG93ZWQ_fCBEXG5cdEMgLS0-fEV4cGlyZWQ_fCBEXG4gICAgRChTMyBCdWNrZXQpXG4gICAgRC0uIFJlc3BvbnNlIC4tPiBCXG4gICAgQi0uIFJlc3BvbnNlIC4tPiBBXG5cdFx0XHRcdFx0IiwibWVybWFpZCI6eyJ0aGVtZSI6ImRlZmF1bHQifSwidXBkYXRlRWRpdG9yIjpmYWxzZX0)

## Building the image

```bash
export AWS_ACCESS_KEY_ID=1234
export AWS_SECRET_ACCESS_KEY=5678
export SECRET=CHANGEMEforducksake
export S3_BUCKET_NAME=your-bucket
export BUCKET_REGION=us-east-1

docker build \
--build-arg AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
--build-arg AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
--build-arg SECRET=$SECRET \
--build-arg S3_BUCKET_NAME=$S3_BUCKET_NAME \
--build-arg BUCKET_REGION=$BUCKET_REGION \
-t s3cr3t/s3cr3t-server .
```

## Running the container

After building the image, just run it with Docker:
Modify the `env_file` first and then run it with Docker:

`docker run --rm -it -p9090:80 s3cr3t/s3cr3t-server`
```bash
docker run --env-file=env_file --rm -it -p9090:80 s3cr3t/s3cr3t-server
```

Support for Kubernetes deployment is on the way.


## How does it work
## How to generate s3cr3t links

First, install the required requisites for python3 to work.

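Review bot: the new "Modify the `env_file` first" instruction should state that the filled-in file holds real credentials and must stay out of version control (the committed copy only carries placeholders), and that values passed with `--env-file` remain readable from the container's environment, for instance through `docker inspect`, so access to the Docker socket has to be treated as equivalent to holding the keys. Listing the five required keys here would also save users a failed start, since the entrypoint runs with `set -u`.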
31 changes: 31 additions & 0 deletions entrypoint.sh
@@ -0,0 +1,31 @@
#!/bin/bash
# Copyright (C) 2020 Axel Amigo Arnold

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

set -eu
set -o pipefail

# Sed env into NGINX files
sed -i s/your-bucket-name/$S3_BUCKET_NAME/g /etc/nginx/conf.d/default.conf
sed -i s/your-bucket-region/$BUCKET_REGION/g /etc/nginx/conf.d/default.conf
sed -i s/AM1ghtyS3cr3t\!/$SECRET/g /etc/nginx/conf.d/default.conf

## NGINX global config
sed -i s/INVALID_AWS_ACCESS_KEY_ID/$AWS_ACCESS_KEY_ID/g /usr/local/openresty/nginx/conf/nginx.conf
sed -i s/INVALID_AWS_SECRET_ACCESS_KEY/$AWS_SECRET_ACCESS_KEY/g /usr/local/openresty/nginx/conf/nginx.conf


# Start server (see https://github.com/openresty/docker-openresty/blob/fb4428f216d230847e39fa6e79dc598663a63846/buster/Dockerfile#L59)
/usr/bin/openresty -g 'daemon off;';
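Review bot: the last line starts openresty as a child of bash rather than replacing the shell, so on `docker stop` SIGTERM reaches bash (PID 1) and openresty is only killed after the timeout; use `exec /usr/bin/openresty -g 'daemon off;'`. The `sed` expressions also expand `$SECRET`, `$AWS_SECRET_ACCESS_KEY` and the other variables unquoted with `/` as the delimiter, so a value containing `/`, `&` or whitespace either aborts the script under `set -e` or is rewritten silently (AWS secret access keys routinely contain `/`); quote the expression, pick another delimiter and escape `&`, e.g. `sed -i "s|INVALID_AWS_SECRET_ACCESS_KEY|${AWS_SECRET_ACCESS_KEY//&/\\&}|g" /usr/local/openresty/nginx/conf/nginx.conf`. Finally, `sed -i` still writes the credentials into the container's config files on disk; that is acceptable for a running container but deserves a comment so nobody later `docker commit`s it.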
5 changes: 5 additions & 0 deletions env_file
@@ -0,0 +1,5 @@
S3_BUCKET_NAME=my-real-bucket
SECRET=my-real-secret
AWS_ACCESS_KEY_ID=my-real-aws-access-key-id
AWS_SECRET_ACCESS_KEY=my-real-secret-access-key
BUCKET_REGION=eu-west-1
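Review bot: committing a file literally named `env_file` with placeholder values is risky because it is the same file the README tells users to edit in place, so the next `git add -A` after filling it in pushes real credentials; commit it as `env_file.example` and add `env_file` to `.gitignore` instead. The `eu-west-1` region here also differs from the `us-east-1` default the removed `ARG BUCKET_REGION` carried; harmless, but worth aligning with the documentation.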
