From 58113450505e892f9551007d1195dc8dce8d50cf Mon Sep 17 00:00:00 2001
From: Subv
Date: Mon, 25 May 2020 11:45:47 -0500
Subject: [PATCH] Use OpenResty instead of plain nginx to support OpenID Connect authorization.

---
 backend/templates/_openid_connect.conf | 26 ++++++++++++++++++++++++++
 backend/templates/proxy_host.conf | 3 ++-
 docker/rootfs/etc/nginx/nginx.conf | 10 ++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 backend/templates/_openid_connect.conf

diff --git a/backend/templates/_openid_connect.conf b/backend/templates/_openid_connect.conf
new file mode 100644
index 00000000..9e0589c5
--- /dev/null
+++ b/backend/templates/_openid_connect.conf
@@ -0,0 +1,26 @@
+{% if openidc_enabled -%}
+ access_by_lua_block {
+ local openidc = require("resty.openidc")
+ local opts = {
+ redirect_uri = "{{- openidc_redirect_uri -}}",
+ discovery = "{{- openidc_discovery -}}",
+ token_endpoint_auth_method = "{{- openidc_auth_method -}}",
+ client_id = "{{- openidc_client_id -}}",
+ client_secret = "{{- openidc_client_secret -}}",
+ scope = "openid email profile"
+ }
+
+ local res, err = openidc.authenticate(opts)
+
+ if err then
+ ngx.status = 500
+ ngx.say(err)
+ ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+ end
+
+
+ ngx.req.set_header("X-OIDC-SUB", res.id_token.sub)
+ ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email)
+ ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
+ }
+{% endif %}
\ No newline at end of file
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index ec30cca0..5629694e 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -51,7 +51,8 @@
 proxy_http_version 1.1;
 {% endif %}
-{% include "_hsts.conf" %}
+ {% include "_openid_connect.conf" %}
+ {% include "_hsts.conf" %}
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
 proxy_set_header Upgrade $http_upgrade;
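Review bot: `ngx.say(err)` on the error branch of `_openid_connect.conf` writes the library's raw failure string into the 500 response body, which can expose the discovery URL, token-endpoint or TLS details to an unauthenticated client. Log it server-side and return a generic status instead: `ngx.log(ngx.ERR, "OIDC authentication failed: ", err)` followed by `ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)`, dropping the `ngx.say` and the explicit `ngx.status` assignment. The `X-OIDC-*` request headers are only overwritten when this block is rendered, so an upstream should treat them as authoritative solely for hosts with `openidc_enabled` set; a short comment above the `ngx.req.set_header` calls stating that would help the next reader. The `client_secret` is also rendered in clear into the generated host config, which is expected for this design but worth stating in a header comment of the template.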
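Review bot: The new `{% include "_openid_connect.conf" %}` in `proxy_host.conf` is placed next to the `_hsts.conf` include, whose enclosing `location` block starts outside the hunk; if that is the `location /` block, the `access_by_lua_block` guards only that location and any custom locations rendered from other templates stay unauthenticated. Worth confirming and, if so, either including the snippet in the custom-location template as well or documenting the limitation in a comment next to the include. The re-indentation of the existing `_hsts.conf` include is cosmetic and could be left out to keep the diff focused on the new behavior.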
diff --git a/docker/rootfs/etc/nginx/nginx.conf b/docker/rootfs/etc/nginx/nginx.conf
index 4d5ee901..0a58cdbf 100644
--- a/docker/rootfs/etc/nginx/nginx.conf
+++ b/docker/rootfs/etc/nginx/nginx.conf
@@ -43,6 +43,16 @@ http {
 proxy_cache_path /var/lib/nginx/cache/public levels=1:2 keys_zone=public-cache:30m max_size=192m;
 proxy_cache_path /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
+ lua_package_path '~/lua/?.lua;;';
+
+ lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+ lua_ssl_verify_depth 5;
+
+ # cache for discovery metadata documents
+ lua_shared_dict discovery 1m;
+ # cache for JWKs
+ lua_shared_dict jwks 1m;
+
 log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
 log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
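Review bot: `lua_package_path '~/lua/?.lua;;'` relies on a `~` that neither nginx nor Lua's module loader expands, so that search entry is dead and `resty.openidc` is only found if it already lives on the default path appended by `;;`. Use the absolute install directory instead, e.g. `lua_package_path '/<lua-module-dir>/?.lua;;';` with the real path substituted. lua-resty-openidc keeps its login state in a lua-resty-session cookie, and nothing in this patch configures that library's `session_secret` or its cookie settings, so whatever default it ships with would be in effect unless it is set elsewhere; a comment next to the two `lua_shared_dict` lines pointing to where the session settings live would make that visible. The `lua_ssl_trusted_certificate` and `lua_ssl_verify_depth` directives are a sound addition, since the discovery and token-endpoint requests are made over TLS from Lua and would otherwise be unverified.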