FAQ

Where does the name "Keys-To-The-Tunnel" come from?

The name comes from the fact that it uses SSH tunnels, and the keys for those tunnels are pivotal to why it exists: to easily provision accounts for GitHub users based on their SSH keys.

Wait...why not Ansible, SaltStack etc.?

It started as "just a quick bash script" and then spiraled out of control from there. Sorry!

How come I'm getting 400 errors in Apache: "The plain http request was sent to https port"?

A user has created an SSH tunnel using the non-ssl vhost in the top group of port/URL sets, which points to a web server running SSL on localhost. Have them use the -ssl vhost listed in the bottom group of port/URL sets. The reason is that the Apache vhost has a hard-coded proxy of either ProxyPass / http://localhost:PORT/ or ProxyPass / https://localhost:PORT/; it can't be both.

Why not use ngrok, pagekite, localtunnel or InsertSolutionHere instead?

You totally can! These are much more full featured and are much easier to use. localtunnel may be of particular interest as it has a self-hosted option. Conversely, they cost more money than this script. It's estimated a $5/mo VPS could support dozens of users. This solution also offers authentication in the way of SSH keys. Finally, this script makes it trivially easy to provision users because the accounts are tied to GitHub.

Does this work with self-signed certs on localhost?

Yes! Apache is intentionally configured to ignore all certificate errors. Traffic between the remote web server and the user's localhost travels inside the SSH tunnel, so there should be no security concerns about using self-signed certs here.

A user is having trouble setting up the tunnel - how can I test using their account?

If the user is named alligator-lovely, open /home/alligator-lovely/.ssh/authorized_keys and add your public SSH key on a new line. This way you can SSH in to remove any doubt that the server is working correctly.

I need to add more users after setting this up a first time - can I re-run the script?

Yes, the script is safe to re-run multiple times. Edit the user.txt file to only have the new users.

A user changed their SSH key on GitHub - how do I update their account?

Edit the user.txt file to only have the one user. They will lose their original port mapping and get a new one.

How do I get a list of all the users in my GitHub org?

Get a personal GitHub token, then call the list org members API with this call:

curl -H "Authorization: token TOKEN" https://api.github.com/orgs/ORG/members > members.json

Be sure to replace TOKEN and ORG with your token and your org. The result will be a JSON file, members.json, which you can easily parse - consider using jq! Otherwise, to get a user.txt file with just the users, you should be able to run:

grep login members.json | cut -d\" -f4>user.txt

NB - If your org has more than 30 members, be sure to append the ?per_page=100 to the query string per the docs. If you have more than 100 members, you'll have to also use page=1 and then another call with page=2 etc. Again, see the docs.
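
The paging described above can be scripted. The following is an added example, not part of Keys-To-The-Tunnel: the function names (fetch_page, extract_logins, list_members) are hypothetical, the sample JSON is constructed, and the username filter is an assumed shape applied because these names go on to become local accounts.

```shell
# Added example, not part of Keys-To-The-Tunnel.
# fetch_page ORG PAGE: print one page of the org members API (needs $TOKEN).
fetch_page() {
  curl -fsS -H "Authorization: token ${TOKEN}" \
    "https://api.github.com/orgs/$1/members?per_page=100&page=$2"
}

# extract_logins: members JSON on stdin, one login per line on stdout.
# Only the "login" key is matched, so a URL that happens to contain the text
# "login" is not picked up. The final filter is an assumed username shape
# (letters, digits, hyphens, up to 39 characters); anything else is dropped.
extract_logins() {
  grep -oE '"login": *"[^"]*"' | cut -d'"' -f4 |
    grep -E '^[A-Za-z0-9][A-Za-z0-9-]{0,38}$'
}

# list_members ORG: walk page=1, page=2, ... until a page yields no logins.
list_members() {
  page=1
  while :; do
    json=$(fetch_page "$1" "$page") || return 1   # stop on HTTP/auth errors
    logins=$(printf '%s\n' "$json" | extract_logins || true)
    [ -n "$logins" ] || break
    printf '%s\n' "$logins"
    page=$((page + 1))
  done
}

# Constructed sample of one API page, so the parser can be tried offline.
SAMPLE='[
  { "login": "octocat", "url": "https://api.github.com/users/octocat" },
  { "login": "login-fan", "url": "https://api.github.com/users/login-fan" },
  { "login": "-not valid", "url": "https://example.invalid/" }
]'
printf '%s\n' "$SAMPLE" | extract_logins

# Real use: TOKEN=... list_members ORG > user.txt
```
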

Is there a rate limit to the number of Let's Encrypt certs I can request?

Yes! It's 50/week. This script should really be using the Subject Alternative Name (SAN) mechanism...hopefully soon!

Until then, if you have fewer than 50 users you're onboarding per day, you're fine. Each user gets two domains and both are done in a single call with 2 SANs.

I added a GitHub user, but it doesn't create an account for them, why not?

All users must have an SSH key on GitHub. Check https://github.com/USERNAME.keys and ensure a key is listed there. Re-run the script if need be after a key has been added by the user.