diff --git a/CHANGELOG.md b/CHANGELOG.md
index 848ccaa..515485c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,11 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
-- NGINX security hardening.
-- Configure NGINX site with TLS.
-- Improve docs
-- Limit the amount of downloads per IP address
-- Design some fancy deployment files for K8S
+## [0.0.2] - 2020-09-25
+
+### Added
+- Integration with [Docker Hub](https://hub.docker.com/repository/docker/s3cr3t/s3cr3t-server).
+
+### Fixed
+- Avoid building secrets in the Docker image ([#10](https://github.com/axl89/s3cr3t/issues/10)).
 ## [0.0.1] - 2020-04-18
 ### Added
@@ -21,5 +23,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Readme file to improve documentation and use cases.
 - Link generator utility to keep up with the changes.
-[Unreleased]: https://github.com/axl89/s3cr3t/compare/v0.0.1...HEAD
+[Unreleased]: https://github.com/axl89/s3cr3t/compare/v0.0.2...HEAD
+[0.0.2]: https://github.com/axl89/s3cr3t/compare/v0.0.1...v0.0.2
 [0.0.1]: https://github.com/axl89/s3cr3t/releases/tag/v0.0.1
diff --git a/Dockerfile b/Dockerfile
index 2c8f7e2..5398273 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,32 +15,18 @@ FROM openresty/openresty:buster
-ARG S3_BUCKET_NAME=a-bucket-name
-ARG SECRET
-ARG AWS_ACCESS_KEY_ID
-ARG AWS_SECRET_ACCESS_KEY
-ARG BUCKET_REGION=us-east-1
-
-
 # Copy required files
 ## NGINX
 COPY nginx-site-example.conf /etc/nginx/conf.d/default.conf
 COPY secret-site.conf /usr/local/openresty/nginx/conf/secret-site.conf
 COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
+COPY entrypoint.sh /tmp/entrypoint.sh
 ## Openresty
 COPY lib/aws.lua /usr/local/openresty/lualib/resty/aws.lua
 COPY lib/hmac.lua /usr/local/openresty/lualib/resty/hmac.lua
-
-# Perform modifications based on arguments
-
-## Site
-RUN sed -i s/your-bucket-name/$S3_BUCKET_NAME/g /etc/nginx/conf.d/default.conf
-RUN sed -i s/your-bucket-region/$BUCKET_REGION/g /etc/nginx/conf.d/default.conf
-RUN sed -i s/AM1ghtyS3cr3t\!/$SECRET/g /etc/nginx/conf.d/default.conf
-
-## NGINX global config
-RUN sed -i s/INVALID_AWS_ACCESS_KEY_ID/$AWS_ACCESS_KEY_ID/g /usr/local/openresty/nginx/conf/nginx.conf
-RUN sed -i s/INVALID_AWS_SECRET_ACCESS_KEY/$AWS_SECRET_ACCESS_KEY/g /usr/local/openresty/nginx/conf/nginx.conf
+# Entrypoint that changes NGINX config files at runtime
+# with the environment variables
+CMD ["/tmp/entrypoint.sh"]
\ No newline at end of file
diff --git a/README.md b/README.md
index 06e5c41..de2040e 100644
--- a/README.md
+++ b/README.md
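Review bot: The new `COPY entrypoint.sh /tmp/entrypoint.sh` / `CMD ["/tmp/entrypoint.sh"]` pair installs the only startup script into a world-writable directory that is routinely mounted as an ephemeral tmpfs or emptied by cleanup; run with `--tmpfs /tmp` or after such cleanup the script is gone and the container cannot start. Prefer a read-only system location, and since this script is the container's process supervisor rather than a default command, `ENTRYPOINT` expresses that better than `CMD`: `COPY entrypoint.sh /usr/local/bin/entrypoint.sh` and `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]`. The comment above `CMD` could also state that the five variables (`S3_BUCKET_NAME`, `BUCKET_REGION`, `SECRET`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) are now required at `docker run` time, which is the contract this hunk introduces. Separately, the file now ends without a trailing newline.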
@@ -3,34 +3,18 @@ Serve files securely from an S3 bucket with expiring links and other restriction
 [![](https://mermaid.ink/img/eyJjb2RlIjoiZ3JhcGggTFJcblx0QVtDbGllbnRdIC0tPnxHRVQgL2ZpbGUudGFyLmd6fCBCKHMzY3IzdCBzZXJ2ZXIpXG5cdEIgLS0-IEN7Q2hlY2tzfVxuXHRDIC0tPnxVUkkgbWF0Y2g_fCBEXG5cdEMgLS0-fElQIGFsbG93ZWQ_fCBEXG5cdEMgLS0-fEV4cGlyZWQ_fCBEXG4gICAgRChTMyBCdWNrZXQpXG4gICAgRC0uIFJlc3BvbnNlIC4tPiBCXG4gICAgQi0uIFJlc3BvbnNlIC4tPiBBXG5cdFx0XHRcdFx0IiwibWVybWFpZCI6eyJ0aGVtZSI6ImRlZmF1bHQifSwidXBkYXRlRWRpdG9yIjpmYWxzZX0)](https://mermaid-js.github.io/mermaid-live-editor/#/edit/eyJjb2RlIjoiZ3JhcGggTFJcblx0QVtDbGllbnRdIC0tPnxHRVQgL2ZpbGUudGFyLmd6fCBCKHMzY3IzdCBzZXJ2ZXIpXG5cdEIgLS0-IEN7Q2hlY2tzfVxuXHRDIC0tPnxVUkkgbWF0Y2g_fCBEXG5cdEMgLS0-fElQIGFsbG93ZWQ_fCBEXG5cdEMgLS0-fEV4cGlyZWQ_fCBEXG4gICAgRChTMyBCdWNrZXQpXG4gICAgRC0uIFJlc3BvbnNlIC4tPiBCXG4gICAgQi0uIFJlc3BvbnNlIC4tPiBBXG5cdFx0XHRcdFx0IiwibWVybWFpZCI6eyJ0aGVtZSI6ImRlZmF1bHQifSwidXBkYXRlRWRpdG9yIjpmYWxzZX0)
-## Building the image
-
-```bash
- export AWS_ACCESS_KEY_ID=1234
- export AWS_SECRET_ACCESS_KEY=5678
- export SECRET=CHANGEMEforducksake
- export S3_BUCKET_NAME=your-bucket
- export BUCKET_REGION=us-east-1
-
-docker build \
---build-arg AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
---build-arg AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
---build-arg SECRET=$SECRET \
---build-arg S3_BUCKET_NAME=$S3_BUCKET_NAME \
---build-arg BUCKET_REGION=$BUCKET_REGION \
--t s3cr3t/s3cr3t-server .
-```
-
 ## Running the container
-After building the image, just run it with Docker:
+Modify the `env_file` first and then run it with Docker:
-`docker run --rm -it -p9090:80 s3cr3t/s3cr3t-server`
+```bash
+docker run --env-file=env_file --rm -it -p9090:80 s3cr3t/s3cr3t-server
+```
 Support for Kubernetes deployment is on the way.
-## How does it work
+## How to generate s3cr3t links
 First, install the required requisites for python3 to work.
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..701bcaf
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Copyright (C) 2020 Axel Amigo Arnold
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+set -eu
+set -o pipefail
+
+# Sed env into NGINX files
+sed -i s/your-bucket-name/$S3_BUCKET_NAME/g /etc/nginx/conf.d/default.conf
+sed -i s/your-bucket-region/$BUCKET_REGION/g /etc/nginx/conf.d/default.conf
+sed -i s/AM1ghtyS3cr3t\!/$SECRET/g /etc/nginx/conf.d/default.conf
+
+## NGINX global config
+sed -i s/INVALID_AWS_ACCESS_KEY_ID/$AWS_ACCESS_KEY_ID/g /usr/local/openresty/nginx/conf/nginx.conf
+sed -i s/INVALID_AWS_SECRET_ACCESS_KEY/$AWS_SECRET_ACCESS_KEY/g /usr/local/openresty/nginx/conf/nginx.conf
+
+
+# Start server (see https://github.com/openresty/docker-openresty/blob/fb4428f216d230847e39fa6e79dc598663a63846/buster/Dockerfile#L59)
+/usr/bin/openresty -g 'daemon off;';
\ No newline at end of file
diff --git a/env_file b/env_file
new file mode 100644
index 0000000..2d6c005
--- /dev/null
+++ b/env_file
@@ -0,0 +1,5 @@
+S3_BUCKET_NAME=my-real-bucket
+SECRET=my-real-secret
+AWS_ACCESS_KEY_ID=my-real-aws-access-key-id
+AWS_SECRET_ACCESS_KEY=my-real-secret-access-key
+BUCKET_REGION=eu-west-1
\ No newline at end of file
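Review bot: The five `sed -i s/…/$VAR/g` lines splice the raw environment values into an unquoted sed expression, so any value containing `/`, `&` or `\` either aborts the substitution (and, under `set -e`, the whole container start) or writes something other than the value into the config; AWS secret access keys in particular regularly contain `/`, so `AWS_SECRET_ACCESS_KEY` is the line most likely to hit this, and `SECRET` is user-chosen free text. Escape each value for sed's replacement side (helper below) and double-quote the expressions; `: "${VAR:?...}"` guards also turn `set -u`'s terse "unbound variable" into a message naming what the operator forgot to put in the env file. The final `/usr/bin/openresty -g 'daemon off;';` should be `exec`'d so openresty, not bash, is PID 1 and receives the SIGTERM that `docker stop` sends; as written the stop waits for the kill timeout. The file also lacks a trailing newline.
```bash
# … unchanged: license header, set -eu / set -o pipefail …

# Fail early with a clear message when the environment is incomplete.
: "${S3_BUCKET_NAME:?S3_BUCKET_NAME must be set}"
: "${BUCKET_REGION:?BUCKET_REGION must be set}"
: "${SECRET:?SECRET must be set}"
: "${AWS_ACCESS_KEY_ID:?AWS_ACCESS_KEY_ID must be set}"
: "${AWS_SECRET_ACCESS_KEY:?AWS_SECRET_ACCESS_KEY must be set}"

# Escape a value for the replacement side of a sed s/// expression;
# '/', '&' and '\' would otherwise be interpreted by sed.
sed_escape() {
  printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# Sed env into NGINX files
sed -i "s/your-bucket-name/$(sed_escape "$S3_BUCKET_NAME")/g" /etc/nginx/conf.d/default.conf
sed -i "s/your-bucket-region/$(sed_escape "$BUCKET_REGION")/g" /etc/nginx/conf.d/default.conf
sed -i "s/AM1ghtyS3cr3t!/$(sed_escape "$SECRET")/g" /etc/nginx/conf.d/default.conf

## NGINX global config
sed -i "s/INVALID_AWS_ACCESS_KEY_ID/$(sed_escape "$AWS_ACCESS_KEY_ID")/g" /usr/local/openresty/nginx/conf/nginx.conf
sed -i "s/INVALID_AWS_SECRET_ACCESS_KEY/$(sed_escape "$AWS_SECRET_ACCESS_KEY")/g" /usr/local/openresty/nginx/conf/nginx.conf

# Start server; exec so openresty is PID 1 and receives docker stop's SIGTERM
exec /usr/bin/openresty -g 'daemon off;'
```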
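Review bot: `env_file` is added as a tracked file holding the credential slots (`SECRET`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`), and the README in this same commit tells users to edit it in place before `docker run --env-file=env_file`; that leaves real AWS keys sitting in a tracked file one `git add .` away from being pushed. Ship the placeholders as `env_file.example` and add `env_file` to `.gitignore` (the README would then say "copy `env_file.example` to `env_file`"), or at minimum put a first line `# Do not commit this file once it holds real values` in it. Values passed via `--env-file` are also visible to anyone who can run `docker inspect` on the host, which is worth a sentence in the README so operators know where the secrets end up.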