From 65a67ae19b69dfe7b51176c8e6bdf13b4a1c06da Mon Sep 17 00:00:00 2001
From: adb-sh
Date: Fri, 29 Jul 2022 19:16:57 +0200
Subject: [PATCH] init nginx webdav server, ldap nginx auth
---
docker-compose.yml | 64 ++++++++++++++++++++++++++
docker/ldap/example.ldif | 32 +++++++++++++
docker/webdav/Dockerfile | 29 ++++++++++++
docker/webdav/htpasswd | 1 +
docker/webdav/nginx.conf | 97 ++++++++++++++++++++++++++++++++++++++++
5 files changed, 223 insertions(+)
create mode 100644 docker-compose.yml
create mode 100644 docker/ldap/example.ldif
create mode 100644 docker/webdav/Dockerfile
create mode 100644 docker/webdav/htpasswd
create mode 100644 docker/webdav/nginx.conf
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..c5d0b03
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,64 @@
+version: '3'
+services:
+ webdav:
+ build:
+ context: ./docker/webdav
+ dockerfile: ./Dockerfile
+ restart: always
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf
+ - ./htpasswd:/etc/nginx/htpasswd
+ - ./dist/:/var/www/html/
+ - ./media/:/media/
+ ports:
+ - "8080:8080"
+ links:
+ - ldap
+ - nginx-ldap-auth
+
+ nginx-ldap-auth:
+ image: bitnami/nginx-ldap-auth-daemon
+ restart: always
+ links:
+ - ldap
+
+ ldap:
+ image: mwaeckerlin/openldap
+ ports:
+ - "389:389"
+ volumes:
+ - ./docker./ldap/:/var/restore/
+ environment:
+ DOMAIN: example.com
+ DEBUG: 256
+ ACCESS_RULES: |
+ access to attrs=userPassword
+ by anonymous auth
+ by self write
+ by * none
+ access to *
+ by * read
+ restart: always
+ healthcheck:
+ test: "ldapsearch -x -b dc=example,dc=com cn > /dev/null"
+ interval: 30s
+ retries: 2
+ timeout: 2s
+
+ ldap-ui:
+ image: dnknth/ldap-ui
+ ports:
+ - "5000:5000"
+ links:
+ - ldap
+ environment:
+ LDAP_URL: "ldap://ldap/"
+ BASE_DN: "dc=example,dc=com"
+ BIND_DN: "cn=admin,dc=example,dc=com"
+ BIND_PASSWORD: "admin"
+ restart: always
+ healthcheck:
+ test: "wget -q -O /dev/null http://localhost:5000"
+ interval: 30s
+ retries: 2
+ timeout: 2s
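Review bot: The ldap volume source `./docker./ldap/:/var/restore/` has a stray dot and will not resolve to `docker/ldap/`, where example.ldif is created, so the seed data is never mounted; it should read `- ./docker/ldap/:/var/restore/`. The webdav mounts also look inert: `./nginx.conf` and `./htpasswd` do not exist at the compose root (the diffstat only adds them under docker/webdav/), and they target `/etc/nginx/...` while the Dockerfile builds nginx with `--prefix=/opt/nginx` and copies the config to `/opt/nginx/conf/nginx.conf`, which is where a prefix build reads it by default, so edits to the mounted files would not be picked up. `ldap` publishes 389 and `ldap-ui` publishes 5000 on every host interface, and the ui's `BIND_PASSWORD: "admin"` is the cleartext directory-admin password from example.ldif; bind them to loopback (`- "127.0.0.1:389:389"`) or drop the `ports:` entries, since the services already reach each other over the compose network. `links:` is a legacy construct here; service names resolve on the default network and the three `links:` blocks can be removed.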
diff --git a/docker/ldap/example.ldif b/docker/ldap/example.ldif
new file mode 100644
index 0000000..2503cb6
--- /dev/null
+++ b/docker/ldap/example.ldif
@@ -0,0 +1,32 @@
+# Entry 1: dc=example,dc=com
+dn: dc=example,dc=com
+dc: example
+o: Example
+objectclass: dcObject
+objectclass: top
+objectclass: organization
+
+dn: cn=admin,dc=example,dc=com
+cn: admin
+uid: admin
+userpassword: admin
+objectclass: organizationalRole
+objectclass: simpleSecurityObject
+objectclass: uidObject
+
+# Entry 2: ou=users,dc=example,dc=com
+dn: ou=users,dc=example,dc=com
+objectclass: organizationalUnit
+objectclass: top
+ou: users
+
+# Entry 3: cn=Test User,ou=users,dc=example,dc=com
+dn: cn=Test User,ou=users,dc=example,dc=com
+cn: Test User
+givenname: Test User
+objectclass: inetOrgPerson
+objectclass: uidObject
+objectclass: simpleSecurityObject
+sn: User
+uid: test
+userPassword: test
diff --git a/docker/webdav/Dockerfile b/docker/webdav/Dockerfile
new file mode 100644
index 0000000..9cf0c1a
--- /dev/null
+++ b/docker/webdav/Dockerfile
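Review bot: Both `userpassword: admin` and `userPassword: test` are cleartext values for the directory administrator and the test account, and the same `admin` password is wired into ldap-ui's `BIND_PASSWORD` in docker-compose.yml. The compose `ACCESS_RULES` keep `userPassword` unreadable to anyone but the owner, but the LDIF itself is committed, so anyone with repository access holds working credentials for whatever directory this seed is loaded into. Store hashed values generated with `slappasswd` (`userPassword: {SSHA}<hash>`) and add a header comment stating that this is a demo fixture to be replaced before any non-local use. Minor: `givenname: Test User` repeats the cn; givenName is the first name alone (`Test`).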
@@ -0,0 +1,29 @@
+FROM alpine
+
+RUN apk update && \
+ apk add --no-cache pcre libxml2 libxslt && \
+ apk add --no-cache apache2-utils && \
+ apk add --no-cache gcc make libc-dev pcre-dev zlib-dev libxml2-dev libxslt-dev && \
+ cd /tmp && \
+ wget https://github.com/nginx/nginx/archive/master.zip -O nginx.zip && \
+ unzip nginx.zip && \
+ wget https://github.com/arut/nginx-dav-ext-module/archive/master.zip -O dav-ext-module.zip && \
+ unzip dav-ext-module.zip && \
+ cd nginx-master && \
+ ./auto/configure --prefix=/opt/nginx --with-http_dav_module --with-http_auth_request_module --add-module=/tmp/nginx-dav-ext-module-master && \
+ make && make install && \
+ cd /root && \
+ apk del gcc make libc-dev pcre-dev zlib-dev libxml2-dev libxslt-dev && \
+ rm -rf /var/cache/apk/* && \
+ rm -rf /tmp/*
+
+RUN mkdir -p /tmp/nginx/client-body
+COPY nginx.conf /opt/nginx/conf/nginx.conf
+COPY htpasswd /opt/nginx/htpasswd
+
+#RUN apk update && \
+# apk add nginx nginx-extras
+
+EXPOSE 8080
+
+CMD /bin/echo "starting nginx webdav server" && /opt/nginx/sbin/nginx -g "daemon off;"
diff --git a/docker/webdav/htpasswd b/docker/webdav/htpasswd
new file mode 100644
index 0000000..1d22151
--- /dev/null
+++ b/docker/webdav/htpasswd
@@ -0,0 +1 @@
+test2:$apr1$zSKjrvfS$r6itS4PfhS2QicesM70Ks/
diff --git a/docker/webdav/nginx.conf b/docker/webdav/nginx.conf
new file mode 100644
index 0000000..bc3c4ba
--- /dev/null
+++ b/docker/webdav/nginx.conf
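Review bot: The build fetches `master.zip` of both nginx and nginx-dav-ext-module with no version pin and no checksum, and `FROM alpine` is unpinned as well, so the image is not reproducible and any upstream change or compromise lands silently in the next build. Pin both archives to a release tag, record their SHA-256 in the Dockerfile and verify before `unzip` (`echo "<sha256>  nginx.zip" | sha256sum -c -`), and pin the base image (`FROM alpine:<version>`). `apk update` is unnecessary when every install uses `--no-cache` (which fetches a fresh index itself), and dropping it also removes the need for the `rm -rf /var/cache/apk/*` step. There is no `USER` directive, so the nginx master process runs as root inside the container; the workers presumably fall back to nginx's compiled-in default user, which is worth confirming and recording in a comment next to `CMD`.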
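Review bot: This commits a working credential for `test2` as an `$apr1$` (MD5-based) hash, yet nginx.conf leaves `auth_basic_user_file /opt/nginx/htpasswd;` commented out, so the file is baked into the image layer without being used. Either drop the file together with the Dockerfile's `COPY htpasswd /opt/nginx/htpasswd` line until a basic-auth fallback is actually wanted, or keep it out of the repository and generate it at build or deploy time. If it stays, use a stronger hash type than APR1 — `htpasswd -B` (bcrypt) is available from the `apache2-utils` package the Dockerfile already installs, provided the image's crypt() accepts it.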
@@ -0,0 +1,97 @@
+worker_processes auto;
+worker_cpu_affinity auto;
+
+#pid /var/run/nginx.pid;
+error_log /dev/stderr warn;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+# rewrite_log on;
+ include mime.types;
+ default_type application/json;
+ access_log /dev/stdout;
+ sendfile on;
+# tcp_nopush on;
+ keepalive_timeout 3;
+# tcp_nodelay on;
+ gzip on;
+
+ proxy_cache_path ./cache/ keys_zone=auth_cache:5m;
+ client_max_body_size 1M;
+
+ server {
+ listen 8080 default_server;
+ server_name _;
+
+ absolute_redirect off;
+
+ location / {
+ root /var/www/html;
+ index index.html;
+
+ try_files $uri $uri/ /index.html;
+ }
+
+ location = /ldap-auth {
+ internal;
+ proxy_pass_request_body off;
+ client_max_body_size 0; # has to be set even tho the body is not passed
+ proxy_set_header Content-Length "";
+ #proxy_cache auth_cache;
+ #proxy_cache_valid 200 5m;
+ #proxy_cache_key $scheme$proxy_host$request_uri$remote_user;
+ proxy_pass http://nginx-ldap-auth:8888;
+ proxy_set_header X-Ldap-URL "ldap://ldap/";
+ proxy_set_header X-Ldap-Template "(uid=%(username)s)";
+ proxy_set_header X-Ldap-BaseDN "ou=users,dc=example,dc=com";
+ #proxy_set_header X-Ldap-BindDN "cn=test,dc=example,dc=com";
+ #proxy_set_header X-Ldap-BindPass "test";
+ }
+
+ #location ~ ^/api/dav/files/(?(\w+))(|(?/.*))$ {
+ location ~ ^/api/dav/files(?.*)$ {
+
+ if ( $request_method = OPTIONS ) {
+ add_header "Access-Control-Allow-Origin" *;
+ add_header "Access-Control-Allow-Methods" *;
+ add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
+ }
+
+ if ($remote_user = "") {
+ add_header "WWW-Authenticate" "Basic realm=\"Restricted\"";
+ return 401;
+ }
+
+ proxy_set_header X-Auth "nginxauth";
+ proxy_set_header Cookie nginxauth=$cookie_nginxauth;
+ proxy_set_header Authorization $http_authorization;
+
+ auth_request /ldap-auth;
+ auth_request_set $new_cookie $sent_http_set_cookie;
+
+ add_header "Set-Cookie" $new_cookie;
+ add_header "X-Auth" 
$sent_http_set_cookie;
+ auth_basic "Restricted";
+ #auth_basic_user_file /opt/nginx/htpasswd;
+ satisfy any;
+
+ alias /media/$remote_user$filename;
+
+ client_max_body_size 120G;
+ client_body_temp_path /tmp/nginx/client-body;
+ create_full_put_path on;
+ autoindex on;
+ autoindex_exact_size off;
+ autoindex_localtime on;
+ autoindex_format html;
+ charset utf-8;
+
+ dav_methods PUT DELETE MKCOL COPY MOVE;
+ dav_ext_methods PROPFIND OPTIONS;
+ dav_access user:rw group:rw all:rw;
+ }
+ }
+}
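Review bot: The `WWW-Authenticate` header on the `return 401` path is never emitted, because `add_header` without `always` only applies to 2xx/3xx responses, so Basic-auth clients receive a bare 401 and never prompt; change it to `add_header "WWW-Authenticate" "Basic realm=\"Restricted\"" always;` (or drop the `if` and let `auth_request` produce the 401). For the same reason the CORS preflight is broken: the `$request_method = OPTIONS` block sets headers but does not return, and a browser preflight carries no Authorization, so it falls through to the `$remote_user = ""` check and gets a header-less 401 — add `return 204;` inside the OPTIONS block. The `/ldap-auth` subrequest forwards the client's own request headers to the daemon, and `X-Ldap-BindDN`/`X-Ldap-BindPass` are commented out rather than set, so a client copy of any `X-Ldap-*` header the daemon reads would reach it unchanged; set each such header explicitly with `proxy_set_header`, to `""` where unused, so the client's values are always overridden. `alias /media/$remote_user$filename;` builds a filesystem path from the client-supplied Basic-auth username, which is validated only indirectly by the LDAP lookup; constrain it after the empty-user check, e.g. `if ($remote_user !~ "^[A-Za-z0-9._-]+$") { return 400; }`. `dav_access user:rw group:rw all:rw;` makes every uploaded file and directory world-writable on the `/media` volume; the documented `user:rw group:rw all:r` form (or no `all:` grant) is the safer default.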