10 avoid building secrets into image #11

Merged (2 commits), Sep 25, 2020
15 changes: 9 additions & 6 deletions CHANGELOG.md
Expand Up @@ -6,11 +6,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

- NGINX security hardening.
- Configure NGINX site with TLS.
- Improve docs
- Limit the amount of downloads per IP address
- Design some fancy deployment files for K8S
## [0.0.2] - 2020-09-25

### Added
- Integration with [Docker Hub](https://hub.docker.com/repository/docker/s3cr3t/s3cr3t-server).

### Fixed
- Avoid building secrets in the Docker image ([#10](https://github.com/axl89/s3cr3t/issues/10)).

## [0.0.1] - 2020-04-18
### Added
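Review bot: a blank line is missing between the last Unreleased bullet (`- Design some fancy deployment files for K8S`) and the `## [0.0.2] - 2020-09-25` heading; every other heading in this file is separated from the preceding block by one, so add it for consistency and to keep the heading from being rendered as part of the list.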
Expand All @@ -21,5 +23,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Readme file to improve documentation and use cases.
- Link generator utility to keep up with the changes.

[Unreleased]: https://github.com/axl89/s3cr3t/compare/v0.0.1...HEAD
[Unreleased]: https://github.com/axl89/s3cr3t/compare/v0.0.2...HEAD
[0.0.2]: https://github.com/axl89/s3cr3t/compare/v0.0.1...v0.0.2
[0.0.1]: https://github.com/axl89/s3cr3t/releases/tag/v0.0.1
22 changes: 4 additions & 18 deletions Dockerfile
Expand Up @@ -15,32 +15,18 @@

FROM openresty/openresty:buster

ARG S3_BUCKET_NAME=a-bucket-name
ARG SECRET
ARG AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY
ARG BUCKET_REGION=us-east-1


# Copy required files

## NGINX
COPY nginx-site-example.conf /etc/nginx/conf.d/default.conf
COPY secret-site.conf /usr/local/openresty/nginx/conf/secret-site.conf
COPY nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
COPY entrypoint.sh /tmp/entrypoint.sh

## Openresty
COPY lib/aws.lua /usr/local/openresty/lualib/resty/aws.lua
COPY lib/hmac.lua /usr/local/openresty/lualib/resty/hmac.lua


# Perform modifications based on arguments

## Site
RUN sed -i s/your-bucket-name/$S3_BUCKET_NAME/g /etc/nginx/conf.d/default.conf
RUN sed -i s/your-bucket-region/$BUCKET_REGION/g /etc/nginx/conf.d/default.conf
RUN sed -i s/AM1ghtyS3cr3t\!/$SECRET/g /etc/nginx/conf.d/default.conf

## NGINX global config
RUN sed -i s/INVALID_AWS_ACCESS_KEY_ID/$AWS_ACCESS_KEY_ID/g /usr/local/openresty/nginx/conf/nginx.conf
RUN sed -i s/INVALID_AWS_SECRET_ACCESS_KEY/$AWS_SECRET_ACCESS_KEY/g /usr/local/openresty/nginx/conf/nginx.conf
# Entrypoint that changes NGINX config files at runtime
# with the environment variables
CMD ["/tmp/entrypoint.sh"]
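Review bot: `COPY entrypoint.sh /tmp/entrypoint.sh` followed by `CMD ["/tmp/entrypoint.sh"]` relies on the script arriving with its execute bit set; `COPY` keeps the mode from the build context, so a checkout that drops it fails at container start with "permission denied". Add `RUN chmod +x /tmp/entrypoint.sh` (and consider a home such as `/usr/local/bin` rather than `/tmp`). Separately, the removed `RUN sed ... $SECRET ...` and `RUN sed ... $AWS_SECRET_ACCESS_KEY ...` lines wrote those values into image layers, so any image already built from the old Dockerfile still carries them; this fix should be paired with rebuilding published images and rotating the keys that were used with them.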
26 changes: 5 additions & 21 deletions README.md
Expand Up @@ -3,34 +3,18 @@ Serve files securely from an S3 bucket with expiring links and other restriction

[![](https://mermaid.ink/img/eyJjb2RlIjoiZ3JhcGggTFJcblx0QVtDbGllbnRdIC0tPnxHRVQgL2ZpbGUudGFyLmd6fCBCKHMzY3IzdCBzZXJ2ZXIpXG5cdEIgLS0-IEN7Q2hlY2tzfVxuXHRDIC0tPnxVUkkgbWF0Y2g_fCBEXG5cdEMgLS0-fElQIGFsbG93ZWQ_fCBEXG5cdEMgLS0-fEV4cGlyZWQ_fCBEXG4gICAgRChTMyBCdWNrZXQpXG4gICAgRC0uIFJlc3BvbnNlIC4tPiBCXG4gICAgQi0uIFJlc3BvbnNlIC4tPiBBXG5cdFx0XHRcdFx0IiwibWVybWFpZCI6eyJ0aGVtZSI6ImRlZmF1bHQifSwidXBkYXRlRWRpdG9yIjpmYWxzZX0)](https://mermaid-js.github.io/mermaid-live-editor/#/edit/eyJjb2RlIjoiZ3JhcGggTFJcblx0QVtDbGllbnRdIC0tPnxHRVQgL2ZpbGUudGFyLmd6fCBCKHMzY3IzdCBzZXJ2ZXIpXG5cdEIgLS0-IEN7Q2hlY2tzfVxuXHRDIC0tPnxVUkkgbWF0Y2g_fCBEXG5cdEMgLS0-fElQIGFsbG93ZWQ_fCBEXG5cdEMgLS0-fEV4cGlyZWQ_fCBEXG4gICAgRChTMyBCdWNrZXQpXG4gICAgRC0uIFJlc3BvbnNlIC4tPiBCXG4gICAgQi0uIFJlc3BvbnNlIC4tPiBBXG5cdFx0XHRcdFx0IiwibWVybWFpZCI6eyJ0aGVtZSI6ImRlZmF1bHQifSwidXBkYXRlRWRpdG9yIjpmYWxzZX0)

## Building the image

```bash
export AWS_ACCESS_KEY_ID=1234
export AWS_SECRET_ACCESS_KEY=5678
export SECRET=CHANGEMEforducksake
export S3_BUCKET_NAME=your-bucket
export BUCKET_REGION=us-east-1

docker build \
--build-arg AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
--build-arg AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \
--build-arg SECRET=$SECRET \
--build-arg S3_BUCKET_NAME=$S3_BUCKET_NAME \
--build-arg BUCKET_REGION=$BUCKET_REGION \
-t s3cr3t/s3cr3t-server .
```

## Running the container

After building the image, just run it with Docker:
Modify the `env_file` first and then run it with Docker:

`docker run --rm -it -p9090:80 s3cr3t/s3cr3t-server`
```bash
docker run --env-file=env_file --rm -it -p9090:80 s3cr3t/s3cr3t-server
```

Support for Kubernetes deployment is on the way.


## How does it work
## How to generate s3cr3t links

First, install the required requisites for python3 to work.

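Review bot: "Modify the `env_file` first" tells users to edit the tracked file in place, which is how real credentials end up committed; the README should instead say to copy it to an untracked file that is listed in `.gitignore` and pass that copy to `--env-file`. It is also worth one sentence noting that values supplied via `--env-file` are visible to anyone who can run `docker inspect` on the container, which is the trade-off this PR makes in exchange for keeping them out of the image.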
31 changes: 31 additions & 0 deletions entrypoint.sh
@@ -0,0 +1,31 @@
#!/bin/bash
# Copyright (C) 2020 Axel Amigo Arnold

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

set -eu
set -o pipefail

# Sed env into NGINX files
sed -i s/your-bucket-name/$S3_BUCKET_NAME/g /etc/nginx/conf.d/default.conf
sed -i s/your-bucket-region/$BUCKET_REGION/g /etc/nginx/conf.d/default.conf
sed -i s/AM1ghtyS3cr3t\!/$SECRET/g /etc/nginx/conf.d/default.conf

## NGINX global config
sed -i s/INVALID_AWS_ACCESS_KEY_ID/$AWS_ACCESS_KEY_ID/g /usr/local/openresty/nginx/conf/nginx.conf
sed -i s/INVALID_AWS_SECRET_ACCESS_KEY/$AWS_SECRET_ACCESS_KEY/g /usr/local/openresty/nginx/conf/nginx.conf


# Start server (see https://github.com/openresty/docker-openresty/blob/fb4428f216d230847e39fa6e79dc598663a63846/buster/Dockerfile#L59)
/usr/bin/openresty -g 'daemon off;';
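Review bot: the `sed -i s/INVALID_AWS_SECRET_ACCESS_KEY/$AWS_SECRET_ACCESS_KEY/g ...` substitutions (and the `$SECRET` one) are unquoted and use `/` as the delimiter, so a value containing `/`, `&` or `\` (AWS secret access keys regularly contain `/`) either breaks the expression or is rewritten, and under `set -e` the script aborts with the config half-edited; quote the expression and use a delimiter that cannot occur in the value, e.g. `sed -i "s|INVALID_AWS_SECRET_ACCESS_KEY|${AWS_SECRET_ACCESS_KEY}|g" /usr/local/openresty/nginx/conf/nginx.conf`, or escape the value before substituting. The final line should also be `exec /usr/bin/openresty -g 'daemon off;'` so openresty replaces bash as PID 1 and receives the SIGTERM from `docker stop` directly instead of being killed after the timeout.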
5 changes: 5 additions & 0 deletions env_file
@@ -0,0 +1,5 @@
S3_BUCKET_NAME=my-real-bucket
SECRET=my-real-secret
AWS_ACCESS_KEY_ID=my-real-aws-access-key-id
AWS_SECRET_ACCESS_KEY=my-real-secret-access-key
BUCKET_REGION=eu-west-1
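Review bot: a tracked file named `env_file` holding placeholder values is one `git add` away from committing real credentials once a user follows the README and edits it in place; rename it `env_file.example`, add `env_file` to `.gitignore`, and have the README point at the untracked copy.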