Update readme for new auth [skip ci]
robballantyne committed Feb 18, 2024
1 parent 8b8bdf5 commit c0b7481
Showing 1 changed file with 18 additions and 6 deletions.
24 changes: 18 additions & 6 deletions README.md
Expand Up @@ -164,20 +164,32 @@ Example usage: `docker run -e STANDARD_VAR1="this value" -e STANDARD_VAR2="that

## Security

By default, all exposed web services other than the port redirect page are protected by HTTP basic authentication.
All ai-dock containers are interactive and will not drop root privileges. You should ensure that your docker daemon runs as an unprivileged user.

The default username is `user` and the password is `password`.
### System

You can set your credentials by passing environment variables as shown above.
A system user will be created at startup. The UID will be either 1000 or will match the UID of the `$WORKSPACE` bind mount.

The user will share the root user's ssh public key.

Some processes may start in the user context for convenience only.

### Web Services

The password is stored as a bcrypt hash. If you prefer not to pass a plain text password to the container you can pre-hash and use the variable `WEB_PASSWORD_HASH`.
By default, all exposed web services are protected by a single login form at `:1111/login`.

The default username is `user` and the password is auto generated unless you have passed a value in the environment variable `WEB_PASSWORD`. To find the auto-generated password and related tokens you should type `env | grep WEB_` from inside the container.

You can set your credentials by passing environment variables as shown above.

If you are running the image locally on a trusted network, you may disable authentication by setting the environment variable `WEB_ENABLE_AUTH=false`.

The Coturn turn server username is `user` and a random password is generated on startup. You can overide this behaviour by supplying `COTURN_USER` and `COTURN_PASSWORD` environment variables.
If you need to connect programmatically to the web services you can authenticate using either `Bearer $WEB_TOKEN` or `Basic $WEB_PASSWORD_B64`.

The security measures included aim to be as secure as basic authentication, i.e. not secure without HTTPS. Please use the provided cloudflare connections wherever possible.

>[!NOTE]
>You can use `set-web-credentials.sh <username> <password>` change the username and password in a running container.
>You can use `set-web-credentials.sh <username> <password>` to change the username and password in a running container.
## Provisioning script
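
Review bot: In the Web Services section, `Basic $WEB_PASSWORD_B64` does not say what the variable encodes. An HTTP Basic header carries the base64 of `username:password`, so the README should state whether `WEB_PASSWORD_B64` is that full pair or only the password, ideally with a one-line example header. The same section tells readers to run `env | grep WEB_` to find the auto-generated password and related tokens, which means these secrets sit in the container's environment in plain text; a sentence saying so, next to the reminder that the login is not secure without HTTPS, would set expectations. It would also help to say whether `WEB_PASSWORD_HASH` still applies with the login form at `:1111/login`, since the hunk mentions the hash variable and the auto-generated password without relating them, and to reword "share the root user's ssh public key" in the System section so it is clear which key file the user receives.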
