Security beleid bracht mij een aangename kennismaking met webserver caddy.
De uitdaging
Voor project Foo moest een export van server A naar server B.
En dat we uit veiligheidsoverweging niet toestaan om een password login te doen.
Dus dat secure copy niet kan.
stappers@nodeA:~ $ scp projectFoo.export nodeB.lan42: The authenticity of host 'nodeB.lan42 (192.0.2.25)' can't be established. ECDSA key fingerprint is SHA256:I5qi1mCBPWJwYX1QSvzSMD+koVStuamiTgosJNKoJec. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'nodeB.lan42,192.0.2.25' (ECDSA) to the list of known hosts. Welcome to nodeB! stappers@nodeB.lan42: Permission denied (publickey). lost connection stappers@nodeA:~ $
Onderweg naar oplossing
Dan maar via de aanwezige webserver.
Ik had nginx verwacht, maar kom daar Caddy tegen.
Na overwegingen daar mee verder gegaan.
stappers@nodeA:~ $ sudo ss -ltp | grep nginx stappers@nodeA:~ $ sudo ss -ltp | less ... # op webserver port luistert process met naam "caddy" ... stappers@nodeA:~ $
Manual page niet beschikbaar, wel een help tekst:
stappers@nodeA:~ $ caddy --help [ERROR] first argument must be a subcommand; see 'caddy help' stappers@nodeA:~ $ caddy help Caddy is an extensible server platform. usage: caddy <command> [<args...>] commands: adapt Adapts a configuration to Caddy's native JSON build-info Prints information about this build environ Prints the environment file-server Spins up a production-ready file server fmt Formats a Caddyfile hash-password Hashes a password and writes base64 help Shows help for a Caddy subcommand list-modules Lists the installed Caddy modules reload Changes the config of the running Caddy instance reverse-proxy A quick and production-ready reverse proxy run Starts the Caddy process and blocks indefinitely start Starts the Caddy process in the background and then returns stop Gracefully stops a started Caddy process trust Installs a CA certificate into local trust stores untrust Untrusts a locally-trusted CA certificate validate Tests whether a configuration file is valid version Prints the version Use 'caddy help <command>' for more information about a command. Full documentation is available at: https://caddyserver.com/docs/command-line stappers@nodeA:~ $
En dan is file server wel veelbelovend.
stappers@nodeA:~ $ caddy help file-server A simple but production-ready file server. Useful for quick deployments, demos, and development. The listener's socket address can be customized with the --listen flag. If a domain name is specified with --domain, the default listener address will be changed to the HTTPS port and the server will use HTTPS. If using a public domain, ensure A/AAAA records are properly configured before using this option. If --browse is enabled, requests for folders without an index file will respond with a file listing. usage: caddy file-server [--domain <example.com>] [--root <path>] [--listen <addr>] [--browse] [--access-log] flags: -access-log Enable the access log -browse Enable directory browsing -domain string Domain name at which to serve the files -listen string The address to which to bind the listener -root string The path to the root of the site -templates Enable template rendering Full documentation is available at: https://caddyserver.com/docs/command-line stappers@nodeA:~ $
De webserver opgestart om de huidige directory te laten serveren.
stappers@nodeA:~
$ caddy file-server --listen 192.0.2.24:1857 --root $PWD --browse
2020/10/14 17:01:17.196 WARN admin admin endpoint disabled
2020/10/14 17:01:17.196 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00037eee0"}
2020/10/14 17:01:17.197 INFO tls cleaned up storage units
2020/10/14 17:01:17.197 INFO autosaved config {"file": "/home/stappers/.config/caddy/autosave.json"}
2020/10/14 19:01:17 Caddy 2 serving static files on 192.0.2.24:1857Op de andere server de export opgehaald.
En een checksum berekening gedaan.
stappers@nodeB:~ $ wget http://nodeA.lan42:1857/projectFoo.export --2020-10-14 19:01:21-- http://nodeA.lan42:1857/projectFoo.export Resolving nodeA.lan42 (nodeA.lan42)... 192.0.2.24 Connecting to nodeA.lan42 (nodeA.lan42)|192.0.2.24|:1857... connected. HTTP request sent, awaiting response... 200 OK Length: 2608012773 (2.4G) [application/gzip] Saving to: ‘projectFoo.export’ projectFoo.export 100%[================================>] 2.43G 112MB/s in 22s 2020-10-14 19:01:44 (112 MB/s) - ‘projectFoo.export’ saved [2608012773/2608012773] stappers@nodeB:~ $ md5sum projectFoo.export ae49f17f951206f51dc36f6f42b3d0ef projectFoo.export stappers@nodeB:~ $
Terug naar server A. caddy gestopt met behulp van Control-C.
En ook checksum berekend over het origineel.
^C2020/10/14 17:02:45.074 INFO shutting down {"signal": "SIGINT"}
2020/10/14 17:02:45.574 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc00037eee0"}
2020/10/14 17:02:45.574 INFO shutdown done {"signal": "SIGINT"}
stappers@nodeA:~
$ md5sum projectFoo.export
ae49f17f951206f51dc36f6f42b3d0ef projectFoo.export
stappers@nodeA:~
$Ja, dat is dezelfde checksum, project Foo kon verder op server B.
Zonder caddy had de document_root van de webserver eerst opgezocht moeten worden
en de export in die document_root gezet moeten worden voordat de wget kon gebeuren.
Bijkomende voordelen:
- projectFoo.export heeft nooit in document_root gelegen, hoeft daar dus ook niet opgeruimd te worden.
- projectFoo.export is niet door een gewone webserver aan de wereld getoond.
Auteur: Geert Stappers (DevOps Engineer, Hendrikx ITC)