From ef3cccb6ea6a27d8fe4b677fd894d39c13247ac1 Mon Sep 17 00:00:00 2001
From: David Beniamine <david.beniamine@tetras-libre.fr>
Date: Tue, 18 Mar 2025 14:55:31 +0100
Subject: [PATCH] Add an NGINX reverse proxy to handle htpasswd

---
 docker-compose.yml                   | 13 +++++++++++--
 docker/front/Dockerfile              |  5 +++++
 docker/front/nginx.conf              | 20 ++++++++++++++++++++
 docker/front/start.sh                |  5 +++++
 docker/{ => kasm}/Dockerfile         |  0
 docker/{ => kasm}/change_password.sh |  1 +
 docker/{ => kasm}/custom_startup.sh  |  1 +
 ports.yml                            |  4 ++--
 8 files changed, 45 insertions(+), 4 deletions(-)
 create mode 100644 docker/front/Dockerfile
 create mode 100644 docker/front/nginx.conf
 create mode 100755 docker/front/start.sh
 rename docker/{ => kasm}/Dockerfile (100%)
 rename docker/{ => kasm}/change_password.sh (91%)
 rename docker/{ => kasm}/custom_startup.sh (95%)

diff --git a/docker-compose.yml b/docker-compose.yml
index 5aad9d8..2ff6304 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,16 @@
 services:
+  front:
+    build:
+      context: ./docker/front
+    volumes:
+      - type: volume
+        source: homedir
+        target: /etc/kasm
+        volume:
+          subpath: kasm-user/
   kasm:
     build:
-      context: ./docker/
+      context: ./docker/kasm
       target: kasmvnc-base
       args:
         - SPYDER=${SPYDER}
@@ -16,7 +25,7 @@ services:
       - SPYDER=${SPYDER}
       - ANACONDA=${ANACONDA}
       - KASM_USER=${VNC_USER}
-      - VNCOPTIONS=-PreferBandwidth -DynamicQualityMin=4 -DynamicQualityMax=7 -DLP_ClipDelay=0 -select-de manual -UnixRelay printer:/tmp/printer -allowoverride AcceptPointerEvents,BlacklistTimeout,BlacklistThreshold -blacklistthreshold 1000 -blacklisttimeout 1"
+      - VNCOPTIONS=-PreferBandwidth -DynamicQualityMin=4 -DynamicQualityMax=7 -DLP_ClipDelay=0 -select-de manual -UnixRelay printer:/tmp/printer -allowoverride AcceptPointerEvents  -disableBasicAuth
 
 
 volumes:
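Review bot: Adding `-disableBasicAuth` removes authentication on the KasmVNC side, so the htpasswd check in `front` is now the only one and `kasm:6901` is reachable unauthenticated by anything on the compose network (ports.yml stops publishing it to the host, but other containers on the same network still reach it). That trade-off is not recorded anywhere; add a comment above the option, e.g. `# HTTP basic auth is enforced by the front (nginx) service — never publish kasm:6901 directly`, and consider a dedicated network shared only by `front` and `kasm`. Whether the flag also bypasses the KasmVNC password check itself I cannot tell from the diff — confirm against the KasmVNC documentation. The double space before `-disableBasicAuth` is cosmetic but worth collapsing.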
diff --git a/docker/front/Dockerfile b/docker/front/Dockerfile
new file mode 100644
index 0000000..4dd6f60
--- /dev/null
+++ b/docker/front/Dockerfile
@@ -0,0 +1,5 @@
+FROM nginx:latest
+
+COPY nginx.conf /etc/nginx/conf.d/kasm.conf
+
+COPY start.sh /docker-entrypoint.d
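Review bot: `FROM nginx:latest` is unpinned, so every rebuild of the proxy that now carries the only authentication layer can silently pull a different nginx; pin a tag and ideally a digest, e.g. `FROM nginx:<pinned-version>@sha256:<digest>` with values chosen at pin time. `COPY start.sh /docker-entrypoint.d` relies on the destination already being a directory in the base image; writing it as `/docker-entrypoint.d/` makes that explicit, and a numeric prefix in the filename (the stock scripts there are `NN-*.sh`) would make the run order relative to them deliberate rather than alphabetical accident. The stock entrypoint only runs executable `*.sh` files from that directory; the diffstat shows 100755, so that part is fine.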
diff --git a/docker/front/nginx.conf b/docker/front/nginx.conf
new file mode 100644
index 0000000..8d11269
--- /dev/null
+++ b/docker/front/nginx.conf
@@ -0,0 +1,20 @@
+server {
+
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name nginx;
+    ssl_certificate      /etc/nginx/certs/nginx.crt;
+    ssl_certificate_key  /etc/nginx/certs/nginx.key;
+    location / {
+       auth_basic           "Administrator’s Area";
+       auth_basic_user_file /etc/kasm/.nginxpasswd;
+       proxy_set_header X-Real-IP $remote_addr;
+       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+       proxy_http_version 1.1;
+       proxy_set_header Upgrade $http_upgrade;
+       proxy_set_header Connection "upgrade";
+       proxy_set_header Host $http_host;
+       proxy_cache_bypass $http_upgrade;
+       proxy_pass https://kasm:6901/;
+     }
+}
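Review bot: `proxy_pass https://kasm:6901/` is used without `proxy_ssl_verify on` (nginx defaults it to off), so the TLS hop to the backend is encrypted but unauthenticated; on a private bridge network that may be acceptable, but make it a commented choice, e.g. `# backend cert is self-signed; proxy TLS is for confidentiality on the bridge network only`. `auth_basic_user_file /etc/kasm/.nginxpasswd` assumes the `user:hash` pairs cut from `.kasmpasswd` use a hash format nginx's auth_basic accepts (crypt-family, apr1 or {SHA}); I cannot confirm KasmVNC's format from the diff, so a failing login after this change should be checked there first, and the file must be readable by the uid the nginx workers run as in `front`. `listen 443 ssl http2;` is the deprecated form on recent nginx (`http2 on;` is the replacement) and no `ssl_protocols`/`ssl_ciphers` are set, so the server inherits whatever the pulled image defaults to.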
diff --git a/docker/front/start.sh b/docker/front/start.sh
new file mode 100755
index 0000000..68e05f1
--- /dev/null
+++ b/docker/front/start.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mkdir -p /etc/nginx/certs
+echo -e "FR\n\n\n\n\n\n\n" | openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -keyout /etc/nginx/certs/nginx.key -out /etc/nginx/certs/nginx.crt
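Review bot: The script regenerates the TLS key pair on every container start and feeds the interactive `openssl req` prompts through `echo -e`, which is fragile (a change in prompt order silently misfills the subject) and means the served certificate changes on each restart, so clients that accepted the previous self-signed cert get a fresh warning every time. Use `-subj` instead of piped answers, set a restrictive umask before the private key is written (it is currently created with the default umask), and skip generation when a pair already exists so a persisted `/etc/nginx/certs` keeps a stable certificate. `set -e` is also missing, so a failed openssl call still lets nginx start and then fail on the missing files. The CN below follows `server_name nginx` in nginx.conf; adjust it if the proxy is reached under another name.
```shell
#!/bin/bash
set -euo pipefail

CERT_DIR=/etc/nginx/certs
mkdir -p "$CERT_DIR"

# Keep an existing pair so restarts do not change the served certificate.
if [ ! -f "$CERT_DIR/nginx.key" ] || [ ! -f "$CERT_DIR/nginx.crt" ]; then
    umask 077
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/C=FR/CN=nginx" \
        -keyout "$CERT_DIR/nginx.key" -out "$CERT_DIR/nginx.crt"
fi
```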
diff --git a/docker/Dockerfile b/docker/kasm/Dockerfile
similarity index 100%
rename from docker/Dockerfile
rename to docker/kasm/Dockerfile
diff --git a/docker/change_password.sh b/docker/kasm/change_password.sh
similarity index 91%
rename from docker/change_password.sh
rename to docker/kasm/change_password.sh
index 2ca771d..eb2cd5c 100755
--- a/docker/change_password.sh
+++ b/docker/kasm/change_password.sh
@@ -10,6 +10,7 @@ if [ "$password" == "$confirm" ]; then
     message=$(echo -e "$password\n$password\n" | kasmvncpasswd -u $KASM_USER -wo 2>&1)
     if [ $? -eq 0 ]; then
         cp $HOME/.kasmpasswd $HOME/.kasmpasswd.persist
+        cut -d : -f 1-2 $HOME/.kasmpasswd > $HOME/.nginxpasswd
         # Restart the VNC server
         kill $(cat .vnc/*.pid)
         icon="info"
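Review bot: `cut -d : -f 1-2 $HOME/.kasmpasswd > $HOME/.nginxpasswd` creates the htpasswd file with the shell's default umask, so the password hash is readable by every uid in the container and, through the shared `homedir` volume, in the `front` container too; the same line is added at the end of the startup block in custom_startup.sh. Because the nginx workers in `front` run as a different uid, the file does need to be readable across containers, so either align a shared gid and write it 0640, e.g. `cut -d : -f 1-2 "$HOME/.kasmpasswd" > "$HOME/.nginxpasswd" && chmod 640 "$HOME/.nginxpasswd"`, or document why world-readable is accepted rather than leaving the mode implicit; quote `$HOME` in both places. The neighbouring `chown 600 $HOME/.kasmpasswd` in custom_startup.sh reads like a mistyped `chmod 600` — pre-existing, but it suggests a restrictive mode was the intent for these files. The file is only refreshed here and at startup, so an out-of-band edit of `.kasmpasswd` leaves `.nginxpasswd` stale; a one-line comment saying so would save a future debugging session.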
diff --git a/docker/custom_startup.sh b/docker/kasm/custom_startup.sh
similarity index 95%
rename from docker/custom_startup.sh
rename to docker/kasm/custom_startup.sh
index 6ecc32c..7c06020 100755
--- a/docker/custom_startup.sh
+++ b/docker/kasm/custom_startup.sh
@@ -41,6 +41,7 @@ if [ -f "$HOME/.kasmpasswd.persist" ]; then
     cp $HOME/.kasmpasswd.persist $HOME/.kasmpasswd
     chown 600 $HOME/.kasmpasswd
 fi
+cut -d : -f 1-2 $HOME/.kasmpasswd > $HOME/.nginxpasswd
 
 # We should not exit
 sleep infinity
diff --git a/ports.yml b/ports.yml
index 68a912b..6d1033a 100644
--- a/ports.yml
+++ b/ports.yml
@@ -1,4 +1,4 @@
 services:
-  kasm:
+  front:
     ports:
-      - ${PORT}:6901
+      - ${PORT}:443
-- 
GitLab