[#954] Support for running FusionForge behind mod_proxy

Description

Summary:

Detailed description

For deploying a fusionforge sandbox, as requested in ticket [#938], there is the simple option of using a Docker image with fusionforge (see [wiki:Docker]). Accessing this docker instance from the Internet requires a host that is accessible from the internet. Ideally, this host is hardened so as not to provide an attack surface for attackers.

Hardening a Linux host is a time-consuming process, so in some cases using an existing host is the easier and faster option. In this case, the sandbox running in docker could be deployed using the Apache mod_proxy module. FusionForge should be able to be configured to run behind mod_proxy.

General Information
Submitted by: Ralf Habacker
Date Submitted: 2021-07-22 10:56
Last Modified by: Ralf Habacker
Last Modified: 2022-08-22 07:13
Permalink: https://fusionforge.org/tracker/a_follow.php/954
Internal Fields
Data Type: Feature requests
Assigned to: Nobody (None)
State: Open
Priority: 3
Extra Fields
Resolution: none
Difficulty: none
Target release: none

Follow-ups

Date: 2022-08-22 07:13
Sender: Ralf Habacker

The associated branch https://fusionforge.org/scm/browser.php?groupid=6&userid=435&scm_plugin=scmgit has been updated.

Date: 2021-07-22 12:14
Sender: Ralf Habacker

see https://fusionforge.org/plugins/mediawiki/wiki/fusionforge/index.php/Dockerimagethroughmodproxy

Date: 2021-07-22 11:35
Sender: Ralf Habacker

I'm sorry that the style is broken. The markdown interpreter used seems to be different from https://markdownlivepreview.com/, which I used to verify the syntax. A markdown preview would be good to avoid such issues. )-; Currently it will be easier to add the documentation as a wiki page.

Date: 2021-07-22 11:31
Sender: Ralf Habacker

See branch master-954 in my personal git repository at git+ssh://scm.fusionforge.org/scmrepos/git/fusionforge/users/rhabacker.git with the required changes for fusionforge. Adding a fusionforge sandbox (only https access, no http and ftp) to the running fusionforge host on fusionforge.org is thus exemplified below.

Get the container

<pre># docker pull fusionforge/fusionforge:master</pre>

Create container

<pre># docker create --cap-add=SYS_ADMIN -h fusionforge.org -v /etc:/host/etc \
    -e PORTSSH=2222 -p 2222:22 -p 20:21 -p 81:80 -p 444:443 -i fusionforge/fusionforge:master</pre>

This command returns the container id, which is used in further commands.

Start the container

<pre># docker start -i [container-id]</pre>

Configure the container

run shell inside the container

<pre># docker exec -it [container_id] /bin/bash</pre>

set the admin user password

<pre># forge_set_password admin <your_password></pre>

copy ssl certificate and key from the host apache installation (example works for openSUSE)

<pre># cd /etc/fusionforge
mv ssl-cert.key ssl-cert.key.orig
cp /host/etc/apache2/ssl.key/<host>.key ssl-cert.key
mv ssl-cert.pem ssl-cert.pem.orig
cp /host/etc/apache2/ssl.crt/<host>.crt ssl-cert.pem</pre>

Enable mod_proxy support in fusionforge

<pre>cat >> /etc/fusionforge/config.ini.d/zzz-local.ini
[core]
urlprefix=/sandbox/
urlprefixproxy=$core/urlprefix</pre>

Press CTRL-d to save file

Enable mod_proxy for apache

<pre># a2enmod proxy</pre>

Add apache configuration for mod_proxy

<pre>cat >> /etc/fusionforge/httpd.d/sandbox.conf
SSLProxyEngine On
ProxyPass "/sandbox/" "https://fusionforge.org:444/"
ProxyPassReverse "/sandbox/" "https://fusionforge.org:444/"</pre>

Press CTRL-d to save file and reload apache to apply the configuration.

Stop the container

<pre># docker stop [container-id]</pre>
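
A check for the docker create options used in the procedure above, as an added example that is not part of the ticket or of the FusionForge branch: it flags published ports bound on all host interfaces (which make the container reachable without passing through the Apache proxy), a mount of the host's /etc, and the SYS_ADMIN capability. The function names, finding labels and the second, loopback-only command line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the ticket): audit docker create/run arguments for
# settings that expose the sandbox beyond the fronting Apache reverse proxy.

# is_loopback_publish SPEC: succeeds if the host side binds 127.0.0.0/8 or [::1]
is_loopback_publish() {
    case "$1" in
        127.*:*:*|"[::1]":*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_docker_args ARGS...: prints one finding per line (labels are this example's own)
audit_docker_args() {
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case "$arg" in
            -p|--publish|-v|--volume|--cap-add)
                [ $# -gt 0 ] || break
                val=$1; shift ;;
            --publish=*|--volume=*|--cap-add=*)
                val=${arg#*=}; arg=${arg%%=*} ;;
            --privileged)
                echo "PRIV --privileged: disables most container isolation from the host"
                continue ;;
            *) continue ;;
        esac
        case "$arg" in
            -p|--publish)
                is_loopback_publish "$val" ||
                    echo "PORT $val: bound on all host interfaces, reachable without the proxy" ;;
            -v|--volume)
                case "$val" in
                    /:*|/etc:*) echo "MOUNT $val: host configuration, including TLS keys, visible in container" ;;
                esac ;;
            --cap-add)
                case "$val" in
                    SYS_ADMIN|CAP_SYS_ADMIN|ALL) echo "CAP $val: broad kernel privileges inside the container" ;;
                esac ;;
        esac
    done
}

# Options from the ticket's docker create command (capability spelled SYS_ADMIN,
# as Docker names it): reports four PORT findings, one MOUNT and one CAP.
audit_docker_args --cap-add=SYS_ADMIN -h fusionforge.org -v /etc:/host/etc \
    -e PORTSSH=2222 -p 2222:22 -p 20:21 -p 81:80 -p 444:443 -i fusionforge/fusionforge:master
# Constructed variant: loopback-only publish and a read-only certificate mount, no findings.
audit_docker_args -v /etc/apache2/ssl.crt:/certs:ro -p 127.0.0.1:444:443 -i fusionforge/fusionforge:master
```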
