
Added a proxy to provide ldap auth and make health check work

Dennis Schwerdel 8 年之前
父节点
当前提交
b700f42b17
共有 7 个文件被更改,包括 94 次插入12 次删除
  1. 3 2
      CloudronManifest.json
  2. 24 0
      Dockerfile
  3. 5 5
      POSTINSTALL.md
  4. 3 3
      config.xml
  5. 2 1
      inittab
  6. 43 0
      nginx.conf
  7. 14 1
      start.sh

+ 3 - 2
CloudronManifest.json

@@ -6,10 +6,11 @@
   "changelog": "file://CHANGELOG",
   "tagline": "Decentralized file synchronization",
   "version": "0.1.0",
-  "healthCheckPath": "/",
+  "healthCheckPath": "/check",
   "httpPort": 8000,
   "addons": {
-    "localstorage": {}
+    "localstorage": {},
+    "ldap": {}
   },
   "tcpPorts": {
     "PORT": {

+ 24 - 0
Dockerfile

@@ -5,6 +5,29 @@ EXPOSE 8000
 
 RUN apt-get update && apt-get -y install busybox
 
+ENV NGINX_VERSION=1.12.0
+ENV NGINX_LDAP_VERSION=b80942160417e95adbadb16adc41aaa19a6a00d9
+
+# Build a custom nginx with ldap support
+RUN apt-get remove -y nginx-full && apt-get autoremove -y && apt-get -y install libldap2-dev libpcre3-dev
+RUN mkdir -p /tmp/nginx-ldap
+WORKDIR /tmp/nginx-ldap
+RUN wget "https://github.com/kvspb/nginx-auth-ldap/archive/${NGINX_LDAP_VERSION}.tar.gz" -O - \
+    | tar -xz -C /tmp/nginx-ldap --strip-components=1
+
+RUN mkdir -p /tmp/nginx
+WORKDIR /tmp/nginx
+RUN wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O - \
+    | tar -xz -C /tmp/nginx --strip-components=1
+RUN ./configure \
+    --add-dynamic-module=/tmp/nginx-ldap \
+    --modules-path=/usr/local/nginx/modules \
+    --conf-path=/app/code/nginx.conf \
+    --pid-path=/run/nginx.pid \
+    --error-log-path=/run/nginx.error.log \
+    --build=cloudron-river
+RUN make install
+
 ENV VERSION 0.14.27
 
 RUN mkdir -p /app/code \
@@ -13,6 +36,7 @@ RUN mkdir -p /app/code \
 
 WORKDIR /app/code
 
+ADD nginx.conf /app/code/nginx.conf
 ADD config.xml /app/code/config.xml.default
 ADD inittab /etc/inittab
 ADD start.sh /app/code/start.sh
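Review bot: The nginx and nginx-auth-ldap tarballs are piped straight from `wget -O -` into `tar` with no integrity check, so the image trusts whatever the two download hosts return at build time; the module is at least pinned to a commit id, but the nginx source is pinned only by the version string in `NGINX_VERSION`. Download to a file and verify a pinned digest before extracting, e.g. `RUN wget "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz" -O nginx.tar.gz && echo "<NGINX_SHA256_PLACEHOLDER>  nginx.tar.gz" | sha256sum -c - && tar -xzf nginx.tar.gz -C /tmp/nginx --strip-components=1`, and the same for the module archive. The `/tmp/nginx` and `/tmp/nginx-ldap` source trees and the `-dev` packages also stay in the final image after `make install`; removing the source directories in the same layer would keep the runtime image smaller.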

+ 5 - 5
POSTINSTALL.md

@@ -1,8 +1,8 @@
-This application does not integrate with Cloudron authentication.
+This application integrates with Cloudron authentication.
+However, all Cloudron users share the same Syncthing session.
 
-Please use the following credentials to login:
+Syncthing contains an internal user `admin` that is needed by Cloudron but not exposed. 
+Please do not change the password of that account.
 
-* User: `admin`
-* Password: `admin`
+Please create all sync folders as subfolders of `/app/data` as this is the only writable folder.
 
-Also make sure to change those credentials immediately in the settings.

+ 3 - 3
config.xml

@@ -1,9 +1,9 @@
 <configuration version="19">
     <gui enabled="true" tls="false" debugging="false">
-        <address>0.0.0.0:8000</address>
+        <address>0.0.0.0:3000</address>
         <theme>default</theme>
-        <user>admin</user>
-        <password>$2a$10$oeCPD6qDSSmyJXV7oPIZWupU4WFBAiLTGr.H8recprmuHnB/iaa.C</password>
+	<user>admin</user>
+        <password>$2a$10$onEZNvFhasmJMq7ugGDIJekK0mZ9YByNK0b1p8kJPtXL.ELVrsolm</password>
     </gui>
     <options>
         <listenAddress>tcp://:22000</listenAddress>
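Review bot: Syncthing's GUI is moved from port 8000 to 3000 but is still bound to all interfaces, both here (`<address>0.0.0.0:3000</address>`) and in the inittab line `-gui-address=0.0.0.0:3000`, so the LDAP check performed by the nginx proxy can be bypassed by anything that can reach port 3000 directly, using the fixed internal admin credential that nginx.conf hard-codes. Since nginx proxies to the local host only, bind the GUI to loopback: `<address>127.0.0.1:3000</address>` here and `-gui-address=127.0.0.1:3000` in inittab. Style: the new `<user>admin</user>` line is indented with a tab while the surrounding lines use spaces.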

+ 2 - 1
inittab

@@ -1 +1,2 @@
-::respawn:/app/code/syncthing -gui-address=0.0.0.0:8000 -home=/app/data/config -no-browser >/dev/stdout 2>/dev/stderr
+::respawn:/app/code/syncthing -gui-address=0.0.0.0:3000 -home=/app/data/config -no-browser >/dev/stdout 2>/dev/stderr
+::respawn:/usr/local/nginx/sbin/nginx -c /app/code/nginx.conf

+ 43 - 0
nginx.conf

@@ -0,0 +1,43 @@
+user cloudron;
+load_module "/usr/local/nginx/modules/ngx_http_auth_ldap_module.so";
+
+worker_processes 1;
+pid /run/nginx.pid;
+daemon  off;
+
+# Send logs to stderr
+error_log /dev/stderr warn;
+
+events {
+    worker_connections 768;
+}
+
+http {
+    include /run/ldap.conf;    
+
+    error_log /dev/stderr warn;
+    log_format simple '$remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer"';
+    access_log /dev/stdout simple;
+    include /etc/nginx/mime.types;
+    client_body_temp_path /tmp/client_body 1 2;
+    proxy_temp_path /tmp/proxy_temp 1 2;
+    fastcgi_temp_path /tmp/fastcgi_temp 1 2;
+    uwsgi_temp_path  /tmp/uwsgi_temp 1 2;
+    scgi_temp_path  /tmp/scgi_temp 1 2;
+
+    server {
+        error_log /dev/stderr warn;
+        listen 8000 default_server;
+        server_name _;
+        location /check {
+            proxy_pass http://localhost:3000/syncthing/app.js;
+            proxy_set_header Authorization "Basic YWRtaW46YWRtaW4=";
+        }
+        location / {
+	    auth_ldap "Forbidden";
+            auth_ldap_servers cloudron;
+            proxy_pass http://localhost:3000;
+            proxy_set_header Authorization "Basic YWRtaW46YWRtaW4=";
+        }
+    }
+}
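Review bot: Both locations use `proxy_pass http://localhost:3000`; nginx resolves that name at startup and, if it yields both `::1` and `127.0.0.1`, will balance across both while Syncthing (per config.xml) listens on an IPv4 address only, which presumably works only through the next-upstream retry and with error log noise — `proxy_pass http://127.0.0.1:3000` (keeping the `/syncthing/app.js` path on `/check`) avoids the ambiguity. The Basic credential literal is duplicated in the two locations and must match the bcrypt hash that start.sh writes into config.xml; a comment at the first occurrence such as `# must match the admin password hash start.sh writes into config.xml` would tie the three places together. Style: `include /run/ldap.conf;` carries trailing whitespace, the `auth_ldap "Forbidden";` line is indented with a tab while the rest of the file uses spaces, and `error_log /dev/stderr warn;` is repeated in the main, http and server contexts with the same value.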

+ 14 - 1
start.sh

@@ -2,13 +2,26 @@
 
 set -eu
 
-mkdir -p /app/data/data /app/data/config
+mkdir -p /app/data/config
 
 if ! [ -f /app/data/config/config.xml ]; then
   cp /app/code/config.xml.default /app/data/config/config.xml
 fi
 
+cat >/run/ldap.conf <<EOF
+ldap_server cloudron {
+  url ${LDAP_URL}/${LDAP_USERS_BASE_DN}?username;
+  binddn ${LDAP_BIND_DN};
+  binddn_passwd ${LDAP_BIND_PASSWORD};
+  group_attribute ${LDAP_GROUPS_BASE_DN};
+  group_attribute_is_dn on;
+  require valid_user;
+}
+EOF
+
 sed -e 's,<listenAddress>.*</listenAddress>,<listenAddress>tcp://:22000</listenAddress>,' -i /app/data/config/config.xml
+sed -e 's,<user>.*</user>,<user>admin</user>,' -i /app/data/config/config.xml
+sed -e 's,<password>.*</password>,<password>$2a$10$onEZNvFhasmJMq7ugGDIJekK0mZ9YByNK0b1p8kJPtXL.ELVrsolm</password>,' -i /app/data/config/config.xml
 
 export STNODEFAULTFOLDER=1 STNOUPGRADE=1
 exec busybox init
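Review bot: `/run/ldap.conf` is written with the bind password in it under the shell's default umask, so it is likely readable by every user in the container, and the LDAP values are interpolated unquoted into nginx syntax, so a value containing a space, `;` or `}` breaks the generated config. Create the file with a restrictive mode and quote the values (nginx still does not escape an embedded `"`, so this is a hardening rather than a complete fix); as inittab starts nginx from init, the master process that parses this file presumably runs as root, so mode 0600 should be sufficient — confirm. `group_attribute` is given `${LDAP_GROUPS_BASE_DN}`, which looks like a base DN rather than a group member attribute name; it is inert while only `require valid_user` is set, but a comment or its removal would avoid confusion later.
```shell
# The bind password lands in this file: create it unreadable to other users.
(
  umask 077
  cat >/run/ldap.conf <<EOF
ldap_server cloudron {
  url "${LDAP_URL}/${LDAP_USERS_BASE_DN}?username";
  binddn "${LDAP_BIND_DN}";
  binddn_passwd "${LDAP_BIND_PASSWORD}";
  # … unchanged: group_attribute, group_attribute_is_dn, require valid_user …
}
EOF
)
# … unchanged: sed edits of config.xml, export, exec busybox init …
```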