From c448af9f5df870d362ba7bf916e6ba0d30fa5438 Mon Sep 17 00:00:00 2001
From: xFuture603
Date: Thu, 31 Jul 2025 22:09:46 +0200
Subject: [PATCH] chore: pinned versions for docker-compose + updated README.md

---
 .../docker/idp-authelia-traefik/README.md | 46 +++++++++----------
 .../idp-authelia-traefik/docker-compose.yml | 36 ++++++--------
 .../idp-authelia-traefik/traefik/acme.json | 0
 3 files changed, 38 insertions(+), 44 deletions(-)
 create mode 100644 docs/examples/docker/idp-authelia-traefik/traefik/acme.json

diff --git a/docs/examples/docker/idp-authelia-traefik/README.md b/docs/examples/docker/idp-authelia-traefik/README.md
index 7667cb00..1ca97751 100644
--- a/docs/examples/docker/idp-authelia-traefik/README.md
+++ b/docs/examples/docker/idp-authelia-traefik/README.md
@@ -2,48 +2,48 @@ > I am unable to guarantee the quality, safety, and security of anything in this folder; it is a combination of examples I found online. Please submit corrections or improvements 🙏 to try this out with minimal adjustments: -* specify what filesystem-path to share with copyparty, replacing the default/example value `/srv/pub` in `docker-compose.yml` -* add `127.0.0.1 fs.example.com traefik.example.com authelia.example.com` to your `/etc/hosts` -* `sudo docker-compose up` -* login to https://fs.example.com/ with username `authelia` password `authelia` + +- specify what filesystem-path to share with copyparty, replacing the default/example value `/srv/pub` in `docker-compose.yml` +- add `127.0.0.1 fs.example.com traefik.example.com authelia.example.com` to your `/etc/hosts` +- `sudo docker-compose up` +- login to https://fs.example.com/ with username `authelia` password `authelia` to use this in a safe and secure manner: -* follow a guide on setting up authelia properly (TODO:link) and use the copyparty-specific parts of this folder as inspiration for your own config; namely the `cpp` subfolder and the `copyparty` service in `docker-compose.yml` + +- follow a guide on setting up [authelia](https://www.authelia.com/integration/proxies/traefik/#docker-compose) properly and use the copyparty-specific parts of this folder as inspiration for your own config; namely the `cpp` subfolder and the `copyparty` service in `docker-compose.yml` this folder is based on: -* https://github.com/authelia/authelia/tree/39763aaed24c4abdecd884b47357a052b235942d/examples/compose/lite + +- https://github.com/authelia/authelia/tree/39763aaed24c4abdecd884b47357a052b235942d/examples/compose/lite incomplete list of modifications made: -* support for running with podman as root on fedora (`:z` volumes, `label:disable`) -* explicitly using authelia `v4.38.0-beta3` because config syntax changed since last stable release -* disabled automatic letsencrypt certificate signing -* 
reduced logging from debug to info -* added a warning that traefik is given access to the docker socket (as recommended by traefik docs) which means traefik is able to break out of the container and has full root access on the host machine +- support for running with podman as root on fedora (`:z` volumes, `label:disable`) +- explicitly using authelia `v4.38.0-beta3` because config syntax changed since last stable release +- reduced logging from debug to info +- implemented a docker socket-proxy to not bind the docker.socket directly to traefik +- using valkey instead of redis for caching # security there is probably/definitely room for improvement in this example setup. Some ideas taken from [github issue #62](https://github.com/9001/copyparty/issues/62): -* Add in a redis password to limit attacker lateral movement in the system -* Move redis to a private network shared with just authelia -* Pin to image hashes (or go all in on updates and add `watchtower`) -* Drop bridge networking for just exposing traefik's public ports -* Configure docker for non-root access to docker socket and then move traefik to use [non-root perms](https://docs.docker.com/engine/security/rootless/) - -if you manage to improve on any of this, especially in a way that might be useful for other people, consider sending a PR :> +- Move valkey to a private network shared with just authelia +- Add `watchtower` to manage your image version updates +- Drop bridge networking for just exposing traefik's public ports +If you manage to improve on any of this, especially in a way that might be useful for other people, consider sending a PR :> # performance currently **not optimal,** at least when compared to running the python sfx outside of docker... 
some numbers from my laptop (ryzen4500u/fedora39): -| req/s | https D/L | http D/L | approach | -| -----:| ----------:|:--------:| -------- | +| req/s | https D/L | http D/L | approach | +| ----: | ---------: | :------: | --------------------------------------------------------------------------------------------------------------- | | 5200 | 1294 MiB/s | 5+ GiB/s | [copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/download/copyparty-sfx.py) running on host | -| 4370 | 725 MiB/s | 4+ GiB/s | `docker run copyparty/ac` | -| 2420 | 694 MiB/s | n/a | `copyparty/ac` behind traefik | -| 75 | 694 MiB/s | n/a | traefik and authelia **(you are here)** | +| 4370 | 725 MiB/s | 4+ GiB/s | `docker run copyparty/ac` | +| 2420 | 694 MiB/s | n/a | `copyparty/ac` behind traefik | +| 75 | 694 MiB/s | n/a | traefik and authelia **(you are here)** | authelia is behaving strangely, handling 340 requests per second for a while, but then it suddenly drops to 75 and stays there... diff --git a/docs/examples/docker/idp-authelia-traefik/docker-compose.yml b/docs/examples/docker/idp-authelia-traefik/docker-compose.yml index f4c4f59a..88c35bc2 100644 --- a/docs/examples/docker/idp-authelia-traefik/docker-compose.yml +++ b/docs/examples/docker/idp-authelia-traefik/docker-compose.yml @@ -6,7 +6,7 @@ networks: services: copyparty: - image: copyparty/ac:latest + image: copyparty/ac:1.18.8@sha256:19348cf85bf0df2f0b5b476162d73c72ef8bcbe0f12dd910d3cb05c0312641aa container_name: idp_copyparty user: "1000:1000" # should match the user/group of your fileshare volumes volumes: 
@@ -21,6 +21,7 @@ services:
       - 'traefik.http.routers.copyparty.rule=Host(`fs.example.com`)'
       - 'traefik.http.routers.copyparty.entrypoints=websecure'
       - 'traefik.http.routers.copyparty.tls=true'
+      - 'traefik.http.routers.copyparty.tls.certresolver=letsencrypt' # ← THIS IS CRUCIAL
       - 'traefik.http.routers.copyparty.middlewares=authelia@docker'
     stop_grace_period: 15s # thumbnailer is allowed to continue finishing up for 10s after the shutdown signal
     environment:
@@ -30,7 +31,7 @@ services:
       # ensures log-messages are not delayed (but can reduce speed a tiny bit)
 
   authelia:
-    image: authelia/authelia:v4.38.0-beta3 # the config files in the authelia folder use the new syntax
+    image: authelia/authelia:4.39.5@sha256:023e02e5203dfa0ebaee7a48b5bae34f393d1f9cada4a9df7fbf87eb1759c671
     container_name: idp_authelia
     volumes:
       - ./authelia:/config:z
@@ -41,20 +42,18 @@ services:
       - 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
       - 'traefik.http.routers.authelia.entrypoints=websecure'
       - 'traefik.http.routers.authelia.tls=true'
-      #- 'traefik.http.routers.authelia.tls.certresolver=letsencrypt' # uncomment this to enable automatic certificate signing (1/2)
+      - 'traefik.http.routers.authelia.tls.certresolver=letsencrypt'
       - 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/authz/forward-auth?authelia_url=https://authelia.example.com'
       - 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
       - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
     expose:
       - 9091
     restart: unless-stopped
-    healthcheck:
-      disable: true
     environment:
       - TZ=Etc/UTC
 
   valkey:
-    image: valkey/valkey:8.0-alpine
+    image: valkey/valkey:8.1.3-alpine3.22@sha256:0d27f0bca0249f61d060029a6aaf2e16b2c417d68d02a508e1dfb763fa2948b4
     container_name: idp_valkey
     volumes:
       - ./valkey:/data:z
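Review bot: Enabling the `letsencrypt` resolver unconditionally on this router (and on the authelia router in the `@@ -41,20 +42,18 @@` hunk below) conflicts with the README's "try this out with minimal adjustments" walkthrough, which points `fs.example.com` at `127.0.0.1` via `/etc/hosts`: an HTTP-01 challenge for an `example.com` hostname cannot be validated, so Traefik will log ACME errors and, as far as I recall, fall back to its self-signed default certificate. The same patch drops the README bullet "disabled automatic letsencrypt certificate signing", so this trade-off is no longer documented anywhere. The comment `# ← THIS IS CRUCIAL` says the line matters but not why; replace it with something a reader can act on, e.g. `# requests a real certificate via ACME — only works for a publicly resolvable hostname; with the /etc/hosts walkthrough expect certificate errors`.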
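Review bot: The pinned image `authelia/authelia:4.39.5` no longer matches the README, which this same patch keeps saying "explicitly using authelia `v4.38.0-beta3` because config syntax changed since last stable release" (the `-* explicitly using …` / `+- explicitly using …` lines in the README hunk). That sentence is now misleading, since the beta is gone and a stable release is pinned by digest; either drop the bullet or reword it, e.g. `- pinned authelia to a specific release and image digest; the config files in the authelia folder use the current syntax`. The removed inline comment `# the config files in the authelia folder use the new syntax` was the only in-file hint about the expected config format, so consider keeping a short form of it on the new `image:` line.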
@@ -65,16 +64,16 @@ services:
     restart: unless-stopped
     environment:
       - TZ=Etc/UTC
+      - VALKEY_EXTRA_FLAGS=--requirepass your_secure_password_here
 
   socket-proxy:
-    image: lscr.io/linuxserver/socket-proxy:3.2.3
+    image: lscr.io/linuxserver/socket-proxy:3.2.3@sha256:63d2e0ce6bb0d12dfdbde5c3af31d08fee343ec3801a050c8197a3f5ffae8bed
     container_name: idp_socket_proxy
-    restart: unless-stopped
     environment:
       - CONTAINERS=1
       - NETWORKS=1
       - EVENTS=1
-      - PING=1
+      - PING=1
       - VERSION=1
       - LOG_LEVEL=warning
     volumes:
@@ -83,14 +82,15 @@ services:
       - no-new-privileges:true
     read_only: true
     tmpfs:
-      - /run:noexec,nosuid,size=10m
+      - /run
     networks:
       - net
+    restart: unless-stopped
     expose:
       - 2375
 
   traefik:
-    image: traefik:3.5
+    image: traefik:3.5.0@sha256:4e7175cfe19be83c6b928cae49dde2f2788fb307189a4dc9550b67acf30c11a5
     container_name: idp_traefik
     volumes:
       - ./traefik:/etc/traefik:z
@@ -98,17 +98,12 @@ services:
       - net
     labels:
       - 'traefik.enable=true'
-      - 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
-      - 'traefik.http.routers.api.entrypoints=https'
-      - 'traefik.http.routers.api.service=api@internal'
-      - 'traefik.http.routers.api.tls=true'
-      #- 'traefik.http.routers.api.tls.certresolver=letsencrypt' # uncomment this to enable automatic certificate signing (2/2)
       - 'traefik.http.routers.api.middlewares=authelia@docker'
     ports:
       - '80:80'
       - '443:443'
     command:
-      - '--api'
+      - '--global.sendAnonymousUsage=false'
       - '--providers.docker.endpoint=tcp://socket-proxy:2375'
       - '--providers.docker.exposedByDefault=false'
       - '--entrypoints.web.address=:80'
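Review bot: `VALKEY_EXTRA_FLAGS=--requirepass your_secure_password_here` commits a placeholder password to the compose file while nothing else in this patch sets the matching credential on the Authelia side — the `authelia/` config directory does not appear in the diffstat. If the mounted Authelia configuration does not carry the same value in `session.redis.password`, Authelia will fail to authenticate to valkey as soon as the placeholder is changed, and the README says nothing about the pairing. Prefer sourcing the value from an env file instead of a literal that is easy to deploy as-is, e.g. `- VALKEY_EXTRA_FLAGS=--requirepass ${VALKEY_PASSWORD:?set VALKEY_PASSWORD in .env}`, and document the Authelia-side setting next to it. I could not confirm from this diff that the `valkey/valkey` image entrypoint honours `VALKEY_EXTRA_FLAGS`; that is worth verifying, because a silently ignored flag leaves valkey unauthenticated while the compose file suggests otherwise.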
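Review bot: Replacing `/run:noexec,nosuid,size=10m` with a bare `/run` in the `@@ -83,14 +82,15 @@` hunk drops the size cap and the `nosuid`/`noexec` mount options on the socket-proxy, the one container in this stack that talks to the Docker socket, so `/run` becomes an unbounded, executable, setuid-capable writable area inside an otherwise `read_only` container. If the change was needed because the image's init has to execute from `/run`, keep the options that do not affect that, e.g. `- /run:nosuid,size=10m`; if it was incidental, restore the original line. Either way a one-line comment stating why the options were removed would save the next reader the same investigation. Moving `restart: unless-stopped` down a few lines is fine.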
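Review bot: The label `traefik.http.routers.api.middlewares=authelia@docker` is now orphaned in the `@@ -98,17 +98,12 @@` hunk: the `api` router's rule, entrypoints, service and tls labels are removed together with `--api`, but this context line keeps declaring the router. With the docker provider a router declared only by a middleware label still exists and, as far as I recall, receives the provider's default rule (`Host` of the normalized container name) and is attached to a service built from the traefik container's own exposed port, which is not what anyone intends here. Remove that label too, or, if the dashboard is meant to stay available, keep the complete `api` router block and `--api` behind the authelia middleware. With no router left on the traefik container, `traefik.enable=true` on it also looks unnecessary.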
@@ -117,8 +112,7 @@ services:
       - '--entrypoints.websecure.address=:443'
       - '--certificatesResolvers.letsencrypt.acme.email=your-email@your-domain.com'
       - '--certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme.json'
-      - '--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http'
-
-      - '--log.level=WARNING' # DEBUG
+      - '--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=web'
+      - '--log.level=INFO'
     depends_on:
-      - idp_socket_proxy
+      - socket-proxy
diff --git a/docs/examples/docker/idp-authelia-traefik/traefik/acme.json b/docs/examples/docker/idp-authelia-traefik/traefik/acme.json
new file mode 100644
index 00000000..e69de29b
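Review bot: `--certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme.json` (context line) now points at a file this patch adds to the repository as an empty `traefik/acme.json` with mode `100644`. Traefik, as far as I recall, refuses to use an ACME storage file whose permissions are wider than `0600` and skips the resolver with a "permissions are too open" message, and git cannot record a 600 mode, so a fresh checkout will never obtain a certificate until the user runs `chmod 600 traefik/acme.json` — the README should say so next to the `sudo docker-compose up` step. Once populated the file holds the ACME account key and certificate private keys, so it should be kept out of version control (e.g. a `.gitignore` entry for `traefik/acme.json`) rather than tracked as an empty placeholder. The `entryPoint=web` correction and the `depends_on: - socket-proxy` service-name fix look right.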