Keys-To-The-Tunnel is named after the fact that it uses SSH tunnels and the keys for this are pivotal to why it exists: easily provision accounts from GitHub users based off their SSH keys.
It started as "just a quick bash script" and then spiraled out of control from there. Sorry!
A user has created an SSH tunnel using the non-ssl vhost in the top group of port/URL sets which points to a web server running SSL on localhost. Have them use the -ssl vhost listed in the bottom group of port/URL sets. The reason is that the Apache vhost has a hard-coded proxy of either ProxyPass / http://localhost:PORT/ or ProxyPass / https://localhost:PORT/; it can't be both.
Why not use ngrok, pagekite, localtunnel or InsertSolutionHere instead?
You totally can! These are much more full featured and are much easier to use. localtunnel may be of particular interest as it has a self-hosted option. Conversely, they cost more money than this script. It's estimated a $5/mo VPS could support dozens of users. This solution also offers authentication in the way of SSH keys. Finally, this script makes it trivially easy to provision users because the accounts are tied to GitHub.
Yes! Apache is intentionally configured to ignore all certificate errors. Traffic sent between the remote web server and the localhost is sent securely over SSH, so there should be no security concerns about using self-signed certs here.
If the user is named alligator-lovely, open /home/alligator-lovely/.ssh/authorized_keys and add your public SSH key on a new line. This way you can SSH in to remove any doubt that the server is working correctly.
Yes, the script is safe to re-run multiple times. Edit the user.txt file to only have the new users.
Edit the user.txt file to only have the one user. They will lose their original port mapping and get a new one.
Get a personal GitHub token, then call the list org members API with this call: curl -H "Authorization: token TOKEN" https://api.github.com/orgs/ORG/members > members.json. Be sure to replace TOKEN and ORG with your token and your org. The result will be a JSON file members.json which you can easily parse - consider using jq! Otherwise, to get a user.txt file with just the users you should be able to run grep login members.json | cut -d\" -f4 > user.txt.
NB - If your org has more than 30 members, be sure to append ?per_page=100 to the query string per the docs. If you have more than 100 members, you'll also have to use page=1 and then another call with page=2, etc. Again, see the docs.
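The member listing and pagination described above can be combined into one pass that writes user.txt. This is an added example, not part of the Keys-To-The-Tunnel script; the function names are made up for illustration, and the username pattern is an assumption about the shape of GitHub logins.

```shell
#!/bin/sh
# Added example: build user.txt from the paginated "list org members" API.
# Function names are illustrative, not part of Keys-To-The-Tunnel.

# Read one JSON page on stdin, print one login per line.
# Matching the whole "login" key (not just the word) skips URL lines of
# accounts whose name contains "login", and also works on minified JSON.
extract_logins() {
  grep -oE '"login": *"[^"]*"' | cut -d'"' -f4
}

# Keep only names shaped like GitHub usernames (assumed: letters, digits,
# inner hyphens, at most 39 characters) and drop duplicates, so nothing
# unexpected is handed to the provisioning script.
valid_logins() {
  grep -E '^[A-Za-z0-9]([A-Za-z0-9-]{0,37}[A-Za-z0-9])?$' | sort -u
}

# Usage: fetch_members ORG TOKEN > user.txt
# Requests 100 members per page and stops at the first page with no logins.
# curl -f makes an HTTP error (bad token, wrong org) fail instead of
# silently producing an empty list.
fetch_members() (
  org=$1; token=$2; page=1; all=
  while :; do
    body=$(curl -fsS -H "Authorization: token $token" \
      "https://api.github.com/orgs/$org/members?per_page=100&page=$page") || exit 1
    logins=$(printf '%s\n' "$body" | extract_logins)
    [ -n "$logins" ] || break
    all="$all$logins
"
    page=$((page + 1))
  done
  printf '%s' "$all" | valid_logins
)
```
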
Yes! It's 50/week. This script should really be using the Subject Alternative Name (SAN) mechanism...hopefully soon!
Until then, if you have fewer than 50 users you're onboarding per day, you're fine. Each user gets two domains and both are done in a single call with 2 SANs.
All users must have an SSH key on GitHub. Check https://github.com/USERNAME.keys and ensure a key is listed there. Re-run the script if need be after a key has been added by the user.