Add support for HTTPS

ai-dock · Jul 26, 2024 · a648c88 · a648c88
1 parent 462a8b9
commit a648c88
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 12 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 workspace
 config/authorized_keys
 config/rclone
+config/tls/*
 .env
diff --git a/build/COPY_ROOT_0/opt/ai-dock/bin/init.sh b/build/COPY_ROOT_0/opt/ai-dock/bin/init.sh
@@ -122,13 +122,20 @@ function init_set_ssh_keys() {
 
 init_set_web_credentials() {
   # Handle cloud provider auto login
+
+  if [[ -z $CADDY_AUTH_COOKIE_NAME ]]; then
+      export CADDY_AUTH_COOKIE_NAME=ai_dock_$(echo $RANDOM | md5sum | head -c 8)_token
+  fi
   # Vast.ai
   if [[ $(env | grep -i vast) && -n $OPEN_BUTTON_TOKEN ]]; then
       if [[ -z $WEB_TOKEN ]]; then
           export WEB_TOKEN="${OPEN_BUTTON_TOKEN}"
       fi
-      if [[ $WEB_PASSWORD == "password" ]]; then
-          unset WEB_PASSWORD
+      if [[ -z $WEB_USER ]]; then
+          export WEB_USER=vastai
+      fi
+      if [[ -z $WEB_PASSWORD || $WEB_PASSWORD == "password" ]]; then
+          export WEB_PASSWORD="${OPEN_BUTTON_TOKEN}"
       fi
   fi
 
@@ -140,10 +147,9 @@ init_set_web_credentials() {
       export WEB_PASSWORD="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1)"
   fi
 
-  export WEB_PASSWORD_B64="$(printf "%s:%s" "$WEB_USER" "$WEB_PASSWORD" | base64)"
+  export WEB_PASSWORD_B64="$(caddy hash-password -p $WEB_PASSWORD)"
 
   if [[ -z $WEB_TOKEN ]]; then
-      # Not the same as password
       export WEB_TOKEN="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)"
   fi
 

diff --git a/build/COPY_ROOT_0/opt/ai-dock/bin/supervisor-caddy.sh b/build/COPY_ROOT_0/opt/ai-dock/bin/supervisor-caddy.sh
@@ -23,6 +23,18 @@ function start() {
     env-store SERVICEPORTAL_HOME
 
     port_files="/run/http_ports/*"
+
+    # Vast.ai certificates
+    if [[ -f /etc/instance.crt && -f /etc/instance.key ]]; then
+        cp /etc/instance.crt /opt/caddy/tls/container.crt
+        cp /etc/instance.key /opt/caddy/tls/container.key
+    fi
+
+    # Upgrade http to https on the same port
+    if [[ ${WEB_ENABLE_HTTPS,,} == true && -f /opt/caddy/tls/container.crt && /opt/caddy/tls/container.key ]]; then
+        export CADDY_TLS_ELEVATION_STRING=$'http_redirect\ntls'
+        export CADDY_TLS_LISTEN_STRING="tls /opt/caddy/tls/container.crt /opt/caddy/tls/container.key"
+    fi
 
     cp -f /opt/caddy/share/base_config /opt/caddy/etc/Caddyfile
 

diff --git a/build/COPY_ROOT_0/opt/ai-dock/fastapi/serviceportal/main.py b/build/COPY_ROOT_0/opt/ai-dock/fastapi/serviceportal/main.py
@@ -49,7 +49,7 @@ async def post(request: Request):
     password = urllib.parse.unquote(form['password'])
     response = RedirectResponse(url="/", status_code=303)
     if user == os.environ.get('WEB_USER') and password == os.environ.get('WEB_PASSWORD'):
-        response.set_cookie(key="ai_dock_token", 
+        response.set_cookie(key=os.environ.get('CADDY_AUTH_COOKIE_NAME'), 
             value=os.environ.get('WEB_PASSWORD_B64'),
             path="/",
             max_age=604800,

diff --git a/build/COPY_ROOT_0/opt/caddy/share/base_config b/build/COPY_ROOT_0/opt/caddy/share/base_config
@@ -11,6 +11,11 @@
   log {
       level warn
   }
+  servers {
+      listener_wrappers {
+          {$CADDY_TLS_ELEVATION_STRING}
+      }
+  }
 }
 
 # Aim to be as secure as Basic Auth:
@@ -19,6 +24,7 @@
 # Token visible to logged-in users at :1111/ for simple pre-authentication
 
 (universal-config) {
+    {$CADDY_TLS_LISTEN_STRING}
     @authenticating_bearer {
         expression \
             {http.request.header.authorization} == "Bearer {$WEB_TOKEN}" || \
@@ -34,8 +40,8 @@
 
     @authorized {
         expression \
-            {http.request.cookie.ai_dock_token} == "{$WEB_TOKEN}" || \
-            {http.request.cookie.ai_dock_token} == "{$WEB_PASSWORD_B64}" || \
+            {http.request.cookie.{$CADDY_AUTH_COOKIE_NAME}} == "{$WEB_TOKEN}" || \
+            {http.request.cookie.{$CADDY_AUTH_COOKIE_NAME}} == "{$WEB_PASSWORD_B64}" || \
             {http.request.header.authorization} == "Bearer {$WEB_TOKEN}" || \
             {http.request.uri.query.token} == "{$WEB_TOKEN}" || \
             {http.request.header.authorization} == "Basic {$WEB_PASSWORD_B64}" || \

diff --git a/build/COPY_ROOT_0/opt/caddy/share/service_config b/build/COPY_ROOT_0/opt/caddy/share/service_config
@@ -1,8 +1,8 @@
 :!PROXY_PORT {
     import universal-config
 
-    header @authenticating_bearer Set-Cookie "ai_dock_token={$WEB_TOKEN}; Path=/ ;Max-Age=604800; HttpOnly; SameSite=lax"
-    header @authenticating_basic Set-Cookie "ai_dock_token={$WEB_PASSWORD_B64}; Path=/ ;Max-Age=604800; HttpOnly; SameSite=lax"
+    header @authenticating_bearer Set-Cookie "{$CADDY_AUTH_COOKIE_NAME}={$WEB_TOKEN}; Path=/ ;Max-Age=604800; HttpOnly; SameSite=lax"
+    header @authenticating_basic Set-Cookie "{$CADDY_AUTH_COOKIE_NAME}={$WEB_PASSWORD_B64}; Path=/ ;Max-Age=604800; HttpOnly; SameSite=lax"
 
     route @preauth {
        redir * /

diff --git a/build/COPY_ROOT_0/opt/caddy/share/service_config_11111 b/build/COPY_ROOT_0/opt/caddy/share/service_config_11111
@@ -10,8 +10,8 @@
         query token=*
     }
 
-    header @authenticating_bearer Set-Cookie "ai_dock_token={$WEB_TOKEN}; Path=/ ;Max-Age=604800; HttpOnly; SameSite=lax"
-    header @authenticating_basic Set-Cookie "ai_dock_token={$WEB_PASSWORD_B64}; Path=/ ;Max-Age=604800; HttpOnly; SameSite=lax"
+    header @authenticating_bearer Set-Cookie "{$CADDY_AUTH_COOKIE_NAME}={$WEB_TOKEN}; Path=/ ;Max-Age=604800; HttpOnly; SameSite=lax"
+    header @authenticating_basic Set-Cookie "{$CADDY_AUTH_COOKIE_NAME}={$WEB_PASSWORD_B64}; Path=/ ;Max-Age=604800; HttpOnly; SameSite=lax"
 
     route @token {
         redir @authorized {$SERVICEPORTAL_HOME}

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -1,4 +1,3 @@
-version: "3.8"
 # Compose file build variables set in .env
 services:
   supervisor:
@@ -38,6 +37,9 @@ services:
       # Avoids changing local file owner
       - ./config/authorized_keys:/root/.ssh/authorized_keys_mount
       - ./config/provisioning/default.sh:/opt/ai-dock/bin/provisioning.sh
+      # TLS Certificates
+      - ./config/tls/container.crt:/opt/caddy/tls/container.crt
+      - ./config/tls/container.key:/opt/caddy/tls/container.key
 
     ports:
         # SSH available on host machine port 2222 to avoid conflict. Change to suit
@@ -55,9 +57,11 @@ services:
         - DIRECT_ADDRESS_GET_WAN=${DIRECT_ADDRESS_GET_WAN:-false}
         - WORKSPACE=${WORKSPACE:-/workspace}
         - WORKSPACE_SYNC=${WORKSPACE_SYNC:-false}
+        - CADDY_AUTH_COOKIE_NAME=${CADDY_AUTH_COOKIE_NAME:-}
         - CF_TUNNEL_TOKEN=${CF_TUNNEL_TOKEN:-}
         - CF_QUICK_TUNNELS=${CF_QUICK_TUNNELS:-true}
         - WEB_ENABLE_AUTH=${WEB_ENABLE_AUTH:-true}
+        - WEB_ENABLE_HTTPS=${WEB_ENABLE_HTTPS:-false}
         - WEB_USER=${WEB_USER:-user}
         - WEB_PASSWORD=${WEB_PASSWORD:-password}
         - SERVERLESS=${SERVERLESS:-false}