configure

#!/bin/bash

set -e

cd /

# Get environment
export host=`hostname -f`
export realm=`hostname -f | tr [a-z] [A-Z]`
export user=`whoami`
export BACKEND=${BACKEND:-https://api.example.com:8443}


# Create server cert/key
pushd /etc/pki/tls/
  # name it localhost.{crt,key} to match the default https ssl.conf
  openssl req -subj "/CN=${host}" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout localhost.key -out localhost.crt -sha256
  mv -f localhost.crt certs/localhost.crt
  mv -f localhost.key private/localhost.key
popd

# Create mod_auth_mellon service provider config
pushd /etc/httpd/conf.d
  /usr/sbin/mellon_create_metadata.sh https://${host} https://${host}/mellon
  # Create a dummy saml idp file
  touch saml_idp.xml
popd

# Edit kerberos config files, replacing EXAMPLE.COM with $realm, and example.com with $host
for file in /etc/krb5.conf /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kadm5.acl; do
  sed -i.bak1 -e "s/EXAMPLE\.COM/$realm/g" $file
  sed -i.bak2 -e "s/example\.com/$host/g" $file
done

# Create ticket database
kdb5_util create -s -r "${realm}" -P password

# Add local user as admin
kadmin.local -q "addprinc -pw password ${user}/admin@${realm}"

# Start ticket server
krb5kdc

# Add user principal for current user, for test users user1-user5, the host principal (for ssh), the HTTP principal (for Apache), and create keytab
users=($user user1 user2 user3 user4 user5)
for u in ${users[@]}; do
  echo "Adding user ${u}..."
  kadmin.local -q "addprinc -pw password ${u}@${realm}"
done

# Setup keytab for sshd
kadmin.local -q "addprinc -randkey host/${host}@${realm}"
kadmin.local -q "ktadd -k /etc/krb5.keytab host/${host}@${realm}"

# Setup keytab for apache
kadmin.local -q "addprinc -randkey HTTP/${host}@${realm}"
kadmin.local -q "ktadd -k /etc/httpd.keytab HTTP/${host}@${realm}"
chown apache /etc/httpd.keytab




# configure Apache proxy and auth
sed -i.bak1 -e "s#proxy\.example\.com#$host#g" /etc/httpd/conf.d/proxy.conf
sed -i.bak2 -e "s#https://backend\.example\.com#$BACKEND#g" /etc/httpd/conf.d/proxy.conf


# Set up apache htpasswd file
htpasswd -b -c /etc/httpd.htpasswd "${user}@${realm}" "password"
users=(user1 user2 user3 user4 user5)
for u in ${users[@]}; do
  echo "Adding user ${u}..."
  htpasswd -b /etc/httpd.htpasswd "${u}@${realm}" "password"
done
chown apache /etc/httpd.htpasswd
chown apache /etc/httpd/logs

# Start apache
httpd -k start




echo "





Proxying http://$host/mod_auth_gssapi           -> ${BACKEND}/
Proxying http://$host/mod_auth_basic            -> ${BACKEND}/
Proxying http://$host/mod_auth_form             -> ${BACKEND}/
Proxying http://$host/mod_auth_mellon           -> ${BACKEND}/
Proxying http://$host/mod_intercept_form_submit -> ${BACKEND}/
To change proxy hostname, set docker host (-h ...) on start
To change backend, set 'BACKEND' envvar on start (e.g. BACKEND=https://foo.com)
Authenticated principal is passed to backend as a 'Remote-User' header

To use this container as a KDC ticket server from your desktop:

1. Alias the Docker IP to this container's hostname:
# add to /etc/hosts:
172.17.42.1       $host
# on boot2docker, your Docker IP might be something like this instead:
# 192.168.99.100  $host

2. Configure Kerberos to use this server as the ticket server for host=$host and realm=$realm
# add to /etc/krb5.conf:
[realms]
$realm = {
  kdc = $host
  admin_server = $host
  default_domain = $host
}

[domain_realm]
.$host = $realm
$host = $realm

3. Configure Firefox to use negotiate auth with the domain:
about:config
network.negotiate-auth.trusted-uris=$host

Kerberos:
    Log in:
    kinit user1@$realm (password = 'password')

    Log out:
    kdestroy

    List active tickets:
    klist

Basic auth:
    Log in:
    user1@${realm} (password = 'password')
    
To integrate SAML auth:

1. Download your IDP's metadata XML to /etc/httpd/conf.d/saml_idp.xml

2. Restart httpd
"




if [ -t 0 ] ; then
	echo 'Starting interactive shell.'
	/bin/bash
else
	echo 'Go loop.'
	while true ; do sleep 1000 & wait $! ; done
fi