Skip to content

docker: implement --auth-proxy option #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: S3toWebdavProxy
Choose a base branch
from
Draft

docker: implement --auth-proxy option #11

wants to merge 1 commit into from

Conversation

@anon-pradip
Copy link

@anon-pradip anon-pradip commented Nov 14, 2025
edited
Loading

This PR enables per-request WebDAV backend configuration via --auth-proxy while fully supporting anonymous access (no client credentials) when the flag is omitted.

Core Flow

  1. Client (mc alias set … <bearer_token> 12345678) → signs S3 request.
  2. --auth-key ,12345678 → validates SigV4 using fixed secret (wildcard AccessKey).
  3. If --auth-proxy present
    • auth-proxy.py receives: {"pass": "<bearer_token>", "user": "<session_id>"}
    • Returns WebDAV config with bearer_token = i["pass"]
    • rclone builds per-request remote → proxies to OCIS.
  4. If --auth-proxy absent
    • No auth check; uses static remote $REMOTE_NAME:
    • Client sends empty creds (mc alias set … "" "")
    • Enables true anonymous access (e.g., public WebDAV links).

Key Change: docker/startup

if echo " $PROXY_ARGS " | grep -q ' --auth-proxy '; then
  exec rclone serve s3 $PROXY_ARGS                  # dynamic
else
  exec rclone serve s3 $PROXY_ARGS "$REMOTE_NAME:"  # static / anonymous
fi
  1. I started owncloud/ocis at https://localhost:9200: OCIS_LOG_LEVEL=debug PROXY_ENABLE_BASIC_AUTH=true IDM_CREATE_DEMO_USERS=true OCIS_INSECURE=true ./ocis/bin/ocis server
ocis-access-token
  1. Built the docker image : docker build -t jankari/rclone-webdav-proxy .

Per-user mode (private OCIS account)

Run the docker container:
PROXY_ARGS="--auth-proxy /usr/local/bin/auth-proxy.py --auth-key ,12345678 --no-check-certificate -vv"

docker run --rm --network=host \             
  -e REMOTE_NAME=ocis \
  -e REMOTE_URL="https://localhost:9200/remote.php/webdav" \
  -e REMOTE_VENDOR=owncloud \
  -e PROXY_ARGS="--auth-proxy /usr/local/bin/auth-proxy.py --auth-key ,12345678 --no-check-certificate -vv" \
  jankari/rclone-webdav-proxy

mc alias set myproxy http://localhost:8080 <access-token-from owncloud/ocis> 12345678

List the buckets: mc ls myproxy

[2025-11-17 18:11:37 +0545]     0B Folder1/
[2025-11-17 18:11:48 +0545]     0B Folder2/
[1970-01-01 05:30:00 +0530]     0B Shares/
final-mc-output

Anonymous mode (public link – no credentials)

REMOTE_URL="https://localhost:9200/dav/public-files/A1b2C3d4E5f6G7h8I9j0"
PROXY_ARGS="--no-check-certificate -vv"   # no --auth-proxy, no --auth-key

docker run --rm --network=host \             
  -e REMOTE_NAME=ocis \
  -e REMOTE_URL="https://localhost:9200/dav/public-files/<unique identifier of the public file link>" \
  -e REMOTE_VENDOR=owncloud \
  -e PROXY_ARGS="--no-check-certificate -vv" \
  jankari/rclone-webdav-proxy

where unique identifier of the public file link is the last part of the public link created by ocis

mc alias set myproxy http://localhost:8080 "" ""

List the buckets: mc ls myproxy

[2025-11-19 16:33:00 +0545]     0B sub-folder/
folder-opened-with-public-link

@anon-pradip anon-pradip changed the title chore(auth): implement --auth-proxy option docker: implement --auth-proxy option Nov 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@anon-pradip