Where to store passwords / credentials in Gradle Project

Problem Statement

Projects are checked in version control systems like git. You don’t want your credentials to be checked in git too. As such you need a way to easily inject your credentials in your build while keeping it away from prying eye.

Solution

The solution is to store it in ~/.gradle/gradle.properties. This file is not checked in and can be used across all your projects.

Guide: HAProxy HTTP Basic Authentication for specific sites (SSL Termination)

Objective

I use HAProxy to serve multiple SSL/TLS enabled sites with HAProxy doing SSL termination. The sites serve regular HTTP while users see proper HTTPS sites (with free certificates from LetsEncrypt). My objective was to provide HTTP Basic Authentication as a second layer of protection for certain applications like NextCloud (DropBox clone) or Gitea (GitHub clone).

Challenges

I wanted to provide HTTP Basic Auth over specific services (not all which is much easier) which didn’t natively support them like Gitea. Secondly, I wanted it to be transparent to the underlying Application. Thirdly, I didn’t want to provide plain-text passwords in haproxy.cfg.

Solution

After few iterations I arrived at a simple solution to the problem. The steps are:

  1. Create users with encrypted passwords
  2. Add users to haproxy.cfg
  3. Force authentication for specific sites on frontend
  4. Remove authorization on backend

Create users with encrypted passwords

To create encrypted passwords, you need a tool called mkpasswd which is available with whois, so you need to install it first (one time activity):

sudo apt install whois

Create password as shown below (replace Password with your actual Password):

mkpasswd -m sha-512 Password

Copy the encrypted password generated by the tool (mkpasswd).

Add users to haproxy.cfg

You can add multiple user lists as well as user groups (beyond the scope of this guide) to haproxy. Let’s create an user list named AuthUsers (as an example):

userlist AuthUsers
        user Username1 password $6$d./LYD0vplX$XoPWiTQfhNt4g4NRcU/toFiV89xhW524abcdfg
        user Username2 password $6$d./LYD0vplX$XoPWiTQfhNt4g4NRcU/toFefghxhW524abcdfg

Replace Username1, Username2 with your actual user names and the corresponding encrypted password as the last argument in the line.

You can add as many users as you want.

Force authentication for specific sites only

Let’s say we want to force authentication for these two sites (in frontend section):

acl host_example1 hdr(host) -i example1.com
acl host_example1 hdr(host) -i example2.com

Below this we force them to be authenticated:

acl authorized http_auth(AuthUsers)
http-request auth realm Example1 if host_example1 !authorized
http-request auth realm Example2 if host_example2 !authorized

Use backend only when properly authenticated:

use_backend example1 if host_example1 authorized
use_backend example2 if host_cexample2 authorized

Remove authentication header from backend

HAProxy for some strange reason sends this Authorization header to backend which sends certain servers in a loop. it is advisable to remove it.

backend example1
http-request set-header X-Client-IP %[src]
server example1 example1:3000 check
http-request del-header Authorization

backend example2
http-request set-header X-Client-IP %[src]
server example2 example2:3000 check
http-request del-header Authorization

Now restart the haproxy server and voila!

How to provide Secure Isolated (Restricted) SFTP Access for file transfer

Often we need to provide secure but restricted sftp access to our clients to upload or download large files.

Regular sftp accounts allow the users to view login names of other users/clients and in many default installations even allow them to browse through the directories and files. In addition, they can also view your system files and any unprotected files and directories including much of your system settings under etc.

When you provide sftp access, you also provide ssh access (sftp is a subsystem of ssh) and as such users can login.

We address these issues by enclosing the user’s home directory in chroot jail, which makes it impossible for the user to break out of his home directory and view other’s files and directories.

Follow the steps below to configure your system.

As root (or sudo) modify /etc/ssh/sshd_config:Change Subsystem sftp line to:

Subsystem sftp internal-sftp

Add this to the end of the file:

Match Group sftp
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Save the changes and restart OpenSSH:

sudo apt install whois

Create a system group for users with restricted sftp access:

addgroup --system sftp

Now you can add users with addsftpuser and delete with delsftpuser from GitHub project restricted-sftp.

Clone the repository with:

git clone https://github.com/angsuman/restricted-sftp.git

Copy the files addsftpuser and delsftpuser to your ~/bin or any other directory in your PATH like /usr/bin.

Run it with by specifying the login name of the sftp user:

addsftpuser new-login

The only downside is that the user cannot upload/download files and directories under his home directory directly (as it is owned by root) but can do under Files sub-directory. There you have full access and can upload/download/delete/rename files and directories. To create additional directories under home, edit the addftpuser script and create them following the same procedure as Files.