Implemented OAuth2-Proxy and other security measures for phpmyadmin

2025-02-22 12:29:39 +01:00 · 2025-01-26 20:57:34 +01:00 · 2025-01-26 20:57:34 +01:00 · b742ffd476
commit b742ffd476
parent ec5768f3d4
7 changed files with 45 additions and 21 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -297,21 +297,26 @@ nextcloud_version:          "production"  # @see https://nextcloud.com/blog/next

 #### OAuth2 Proxy
 oauth2_configuration_file:            "oauth2-proxy-keycloak.cfg"
-oauth2_proxy_active:                  false       # Needs to be set true in the roles which use it
+oauth2_proxy_active:                  false   # Needs to be set true in the roles which use it
 oauth2_version:                       "latest"
 oauth2_proxy_redirect_url:            "https://{{domain_keycloak}}/auth/realms/{{primary_domain}}/protocol/openid-connect/auth"  # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-# oauth2_proxy_port:                  >= 4180     # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
-# oauth2_proxy_upstream_application_and_port:  # The name of the application which the server redirects to. Needs to be defined in role vars.
+# oauth2_proxy_port:                  >= 4180 # This ports should be defined in the roles. They are for the local mapping on the host and need to be defined in the playbook for transparancy.
+# oauth2_proxy_upstream_application_and_port: # The name of the application which the server redirects to. Needs to be defined in role vars.
+oauth2_proxy_allowed_roles:           admin   # Restrict it default to admin role. Use the vars/main.yml to open the specific role for other groups  

 #### Open Project
 # openproject_oauth2_proxy_client_secret: Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
-# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application.
+# openproject_oauth2_proxy_cookie_secret: Needs to be defined in inventory # The client secret configured in Keycloak for the application: 0dc07dc3b323921acbd96656f33dc55a
+

 #### Peertube
-peertube_version:           "bookworm"
+peertube_version:                         "bookworm"

 #### PHPMyAdmin
-phpmyadmin_version:         "latest"
+phpmyadmin_version:                       "latest"
+phpmyadmin_autologin:                     false     # This is a high security risk. Just activate this option if you know what you're doing
+# phpmyadmin_oauth2_proxy_client_secret:    Needs to be defined in inventory # The client ID configured in Keycloak for the application. 
+# phpmyadmin_oauth2_proxy_cookie_secret:    Needs to be defined in inventory # The client secret configured in Keycloak for the application.

 #### Pixelfed
 pixelfed_app_name:          "Pictures on {{primary_domain}}"
--- a/playbook.servers.yml
+++ b/playbook.servers.yml
@ -323,7 +323,8 @@
   -  role: docker-phpmyadmin
      vars:
        domain: "{{domain_phpmyadmin}}"
-        http_port: 8034
+        http_port:          8034
+        oauth2_proxy_port:  4181

 # Native Webserver Roles
 - name: setup nginx-static-repositorys
--- a/roles/docker-ldap/templates/docker-compose.yml.j2
+++ b/roles/docker-ldap/templates/docker-compose.yml.j2
@ -24,6 +24,7 @@ services:
      LDAP_ADMIN_PASSWORD: {{ldap_administrator_database_password}}  # LDAP admin password
 {% elif ldap_webinterface == 'phpldapadmin' %}
  phpldapadmin:
+    name: phpldapadmin
    image: leenooks/phpldapadmin:{{ldap_phpldapadmin_version}}
    logging:
      driver: journald
@ -37,6 +38,7 @@ services:
 {% endif %}
  openldap:
    image: bitnami/openldap:{{ldap_openldap_version}}
+    name: openldap
    logging:
      driver: journald
    restart: {{docker_restart_policy}}
--- a/roles/docker-mailu/README.md
+++ b/roles/docker-mailu/README.md
@ -177,6 +177,7 @@ If your IP or domain is flagged by Cloudmark, you can submit a **reset request**
 - [Mailu GitHub repository](https://github.com/Mailu/Mailu)
 - [Plesk support article on RoundCube connection issue](https://support.plesk.com/hc/en-us/articles/115001264814-Unable-to-log-into-RoundCube-Connection-to-storage-server-failed)
 - [Gist by marienfressinaud](https://gist.github.com/marienfressinaud/f284a59b18aad395eb0de2d22836ae6b)
+- [Implementing OpenID with Mailu](https://github.com/heviat/Mailu-OIDC)

 For more information about this role, visit the [GitHub repository](https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/docker-mailu).

--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -1,15 +1,19 @@
-http_address="0.0.0.0:4180"
-cookie_secret="{{oauth2_proxy_cookie_secret}}"
-email_domains="{{primary_domain}}"
-cookie_secure="false"
-upstreams="http://{{oauth2_proxy_upstream_application_and_port}}"
-cookie_domains=["{{domain}}", "{{domain_keycloak}}"]                # Required so cookie can be read on all subdomains.
-whitelist_domains=[".{{primary_domain}}"]                           # Required to allow redirection back to original requested target.
+http_address            =   "0.0.0.0:4180"
+cookie_secret           =   "{{oauth2_proxy_cookie_secret}}"
+email_domains           =   "{{primary_domain}}"
+cookie_secure           =   "false"
+upstreams               =   "http://{{oauth2_proxy_upstream_application_and_port}}"
+cookie_domains          =   ["{{domain}}", "{{domain_keycloak}}"]                   # Required so cookie can be read on all subdomains.
+whitelist_domains       =   [".{{primary_domain}}"]                                 # Required to allow redirection back to original requested target.

 # keycloak provider
-client_secret="{{oauth2_proxy_client_secret}}"
-client_id="{{domain}}"
-redirect_url="https://{{domain}}/oauth2/callback"
-oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
-provider="oidc"
-provider_display_name="Keycloak"
+client_secret           =   "{{oauth2_proxy_client_secret}}"
+client_id               =   "{{domain}}"
+redirect_url            =   "https://{{domain}}/oauth2/callback"
+oidc_issuer_url         =   "https://{{domain_keycloak}}/realms/{{primary_domain}}"
+provider                =   "oidc"
+provider_display_name   =   "Keycloak"
+
+# role restrictions
+cookie_roles            =   "realm_access.roles"
+allowed_roles           =   "{{oauth2_proxy_allowed_roles}}"
--- a/roles/docker-phpmyadmin/templates/docker-compose.yml.j2
+++ b/roles/docker-phpmyadmin/templates/docker-compose.yml.j2
@ -1,4 +1,7 @@
 services:
+
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}
+
  application:
    logging:
      driver: journald
@ -6,8 +9,10 @@ services:
    container_name: phpmyadmin
    environment:
      PMA_HOST: central-mariadb
+{% if phpmyadmin_autologin | bool %}
      PMA_USER: root
      PMA_PASSWORD: "{{central_mariadb_root_password}}"
+{% endif %}
    restart: {{docker_restart_policy}}
    ports:
      - "127.0.0.1:{{http_port}}:80"
--- a/roles/docker-phpmyadmin/vars/main.yml
+++ b/roles/docker-phpmyadmin/vars/main.yml
@ -1,2 +1,8 @@
 docker_compose_project_name:  "phpmyadmin"
-database_type:                "mariadb"
+database_type:                "mariadb"
+database_host:                "{{ 'central-' + database_type if enable_central_database}}"
+# OAuth2 Proxy Configuration
+oauth2_proxy_client_secret:                   "{{phpmyadmin_oauth2_proxy_client_secret}}"
+oauth2_proxy_cookie_secret:                   "{{phpmyadmin_oauth2_proxy_cookie_secret}}"
+oauth2_proxy_upstream_application_and_port:   "application:80"
+oauth2_proxy_active:                          true