From a2992aeedca22a8d0587d13c2723bc27ca82f266 Mon Sep 17 00:00:00 2001
From: Subv
Date: Mon, 25 May 2020 11:45:47 -0500
Subject: [PATCH] Use OpenResty instead of plain nginx to support OpenID Connect authorization.
---
 backend/templates/_openid_connect.conf | 26 ++++++++++++++++++++++++++
 backend/templates/proxy_host.conf | 2 ++
 docker/Dockerfile | 2 +-
 docker/rootfs/etc/nginx/nginx.conf | 10 ++++++++++
 4 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 backend/templates/_openid_connect.conf
diff --git a/backend/templates/_openid_connect.conf b/backend/templates/_openid_connect.conf
new file mode 100644
index 00000000..9e0589c5
--- /dev/null
+++ b/backend/templates/_openid_connect.conf
@@ -0,0 +1,26 @@
+{% if openidc_enabled -%}
+ access_by_lua_block {
+ local openidc = require("resty.openidc")
+ local opts = {
+ redirect_uri = "{{- openidc_redirect_uri -}}",
+ discovery = "{{- openidc_discovery -}}",
+ token_endpoint_auth_method = "{{- openidc_auth_method -}}",
+ client_id = "{{- openidc_client_id -}}",
+ client_secret = "{{- openidc_client_secret -}}",
+ scope = "openid email profile"
+ }
+
+ local res, err = openidc.authenticate(opts)
+
+ if err then
+ ngx.status = 500
+ ngx.say(err)
+ ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+ end
+
+
+ ngx.req.set_header("X-OIDC-SUB", res.id_token.sub)
+ ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email)
+ ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
+ }
+{% endif %}
\ No newline at end of file
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index b553e1c1..feb998d5 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -39,6 +39,8 @@ server {
 {% endif %}
+{% include "_openid_connect.conf" %}
+
 {% include "_forced_ssl.conf" %}
 {% include "_hsts.conf" %}
diff --git a/docker/Dockerfile b/docker/Dockerfile
index e3eefb34..3209d83d 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
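Review bot: In the error branch of the new `access_by_lua_block`, `ngx.say(err)` writes the library's raw error string into the 500 response; lua-resty-openidc errors can carry discovery-, token-endpoint- and session-level detail that belongs in the error log rather than on a page any visitor can trigger. Replace the `ngx.status = 500` / `ngx.say(err)` pair with `ngx.log(ngx.ERR, "openidc: ", err)` and keep the `ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)`, so the client only sees a generic error. The three `set_header` calls also assume `res.id_token` carries `email` and `name`; with a provider that exposes those only through userinfo (`res.user` in lua-resty-openidc) the headers are silently absent for the upstream, which deserves either a fallback or a comment such as `-- claims are read from the id_token only; providers that put email/name in userinfo will leave these headers unset`. Nothing in this hunk or in the nginx.conf hunk sets a `session_secret` for the session cookie lua-resty-openidc relies on, which presumably leaves the library default in place — verify and make it a per-deployment value.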
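Review bot: The `{% include "_openid_connect.conf" %}` lands at `server` scope, so the `access_by_lua_block` it carries will run for every location of this host — including any ACME-challenge or custom-location blocks that proxy_host.conf includes further down, outside this hunk. If the intent is to gate only the proxied content, the include (or a path guard inside it) belongs on that location rather than the whole server; if the server-wide gate is intended, say so with a comment above it, `# server-wide OIDC gate: applies to every location in this server block`. Either way, an OIDC-gated host that also serves certificate-renewal challenges is worth a quick check before merging.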
@@ -38,7 +38,7 @@ WORKDIR /app
 RUN yarn install
 # Remove frontend service not required for prod, dev nginx config as well
-RUN rm -rf /etc/services.d/frontend RUN rm -f /etc/nginx/conf.d/dev.conf
+RUN rm -rf /etc/services.d/frontend && rm -f /etc/nginx/conf.d/dev.conf
 VOLUME [ "/data", "/etc/letsencrypt" ]
 CMD [ "/init" ]
diff --git a/docker/rootfs/etc/nginx/nginx.conf b/docker/rootfs/etc/nginx/nginx.conf
index 0643cc2a..af2b9b4b 100644
--- a/docker/rootfs/etc/nginx/nginx.conf
+++ b/docker/rootfs/etc/nginx/nginx.conf
@@ -43,6 +43,16 @@ http {
 proxy_cache_path /var/lib/nginx/cache/public levels=1:2 keys_zone=public-cache:30m max_size=192m;
 proxy_cache_path /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
+ lua_package_path '~/lua/?.lua;;';
+
+ lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+ lua_ssl_verify_depth 5;
+
+ # cache for discovery metadata documents
+ lua_shared_dict discovery 1m;
+ # cache for JWKs
+ lua_shared_dict jwks 1m;
+
 log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
 log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
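Review bot: `lua_package_path '~/lua/?.lua;;'` in the nginx.conf hunk uses `~`, which neither nginx nor Lua's package searcher expands, so the first entry is a literal path that never matches and only the `;;` default-path suffix is doing any work (presumably that is why `require("resty.openidc")` still resolves from OpenResty's bundled lualib). Use an absolute path, `lua_package_path '<LUA_DIR>/?.lua;;';` with `<LUA_DIR>` filled in for the image, or drop the directive if nothing outside the default search path is needed. The `lua_ssl_trusted_certificate` / `lua_ssl_verify_depth 5` pair is the right default for the outbound discovery, token and JWKS fetches; a comment above them, `# CA bundle and depth used to verify the identity provider's TLS certificate on outbound Lua HTTPS calls`, would make that purpose explicit to the next reader. The enclosing `http {` block begins well before this hunk.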