Update documentation to explain safe usage

2019-06-24 19:13:04 -07:00 · 2019-06-24 19:13:04 -07:00 · 84b291e801
parent 9ba9a71a55
commit 84b291e801
3 changed files with 39 additions and 3 deletions
--- a/27
+++ b/27
@ -1,8 +1,27 @@
 .PHONY: default
 default: remote client

+.PHONY: all
+all: remote client
+
+.PHONY: stop
+stop:
+	docker-compose -f ./docker-compose-remote.yml stop
+	docker-compose -f ./docker-compose-client.yml stop
+
+.PHONY: restart
+restart:
+	docker-compose -f ./docker-compose-remote.yml restart
+	docker-compose -f ./docker-compose-client.yml restart
+
+.PHONY: down
+down:
+	docker-compose -f ./docker-compose-remote.yml down
+	docker-compose -f ./docker-compose-client.yml down
+
 .PHONY: remote
 remote:
+	docker-compose -f ./docker-compose-remote.yml build
 	docker-compose -f ./docker-compose-remote.yml up -d

 .PHONY: client
@ -10,6 +29,10 @@ client:
 	docker-compose -f ./docker-compose-client.yml build
 	docker-compose -f ./docker-compose-client.yml up -d

-.PHONY: logs
-logs:
+.PHONY: remote-logs
+remote-logs:
+	docker-compose -f ./docker-compose-remote.yml logs -f
+
+.PHONY: client-logs
+client-logs:
 	docker-compose -f ./docker-compose-client.yml logs -f
--- a/Readme.md
+++ b/Readme.md
@ -49,3 +49,15 @@ Dockamole is configured using environment variables:
    # Optional
    MAX_TUNNELS         number of tunnels allowed (default 10)
    SSH_KEY             path to ssh private key that should be used (default ~/.ssh/id_rsa)
+
+## Use in production
+
+This example uses [panubo/sshd](https://github.com/panubo/docker-sshd), which seems well maintained enough. I would advise caution though as this is likely something that will have access to sensitive information.
+
+To be safe you should take precautions from someone logging into your server directly.  In my example, I'm using the following as my `authorized_keys` file:
+
+    no-pty,no-X11-forwarding,command="/bin/echo do-not-send-commands" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDeG0iBsd5P9ZwDlav7mWaMGiq4SH5XvYGEGoZPgC3PjKgiEpe5lxH9p5lOFicqG7nNBaTwJwDPnJJaIIeHeCcpKF9f5RhTA5rwLkPcVIwZTh2GL7PD/yDmnsB1L8v04yTzjvJxHAi+xx+yN0fcxw2IOJ4k4FC1mNJKNwHZZHvzEyvRbC0GUB1K32dKSDUAWQHKx7xJqgtpkZ0DV78GzBfNUZcucImRwjQTBlJFumTjB5k0xUt0NRDLEkHwUMyiAeXB13tfjZipEHCWPxIrQnuwmV4Lb3VFbh8UqeObsarxG9t+SMoxnrKxQCAntcS0do1VjfiGr6usGVsV56ua8Tyj ifij@C02V7083HV2V
+
+This prevents getting a shell if my key is ever leaked.
+
+Additionally, if you are actually planning on doing this in production, do not use the `-insecure` flag in ./mole/start.sh`. Instead you should provide pre generated server keys and add those as known hosts for `mole`.
--- a/docker-compose-remote.yml
+++ b/docker-compose-remote.yml
@ -7,7 +7,8 @@ services:
      - "2222:22"
    volumes:
      # This key must be provided
-      - ./id_rsa_proxy.pub:/etc/authorized_keys/mole
+      # - ./id_rsa_proxy.pub:/etc/authorized_keys/mole
+      - ./authorized_keys:/etc/authorized_keys/mole
    environment:
      - SSH_USERS=mole:101:101