@cicigee
Last active August 13, 2020 14:24
op5 Monitor behind nginx with Vouch Proxy header authentication (nginx auth_request → Vouch /validate, identity passed to op5 as X-Username / X-Groups headers)
# Main-context settings for the nginx master/worker processes.
# Workers keep the built-in default account (nobody) unless `user` is
# enabled; the master itself still needs root to bind 443 and open the
# private key.
#user www www; ## Default: nobody

pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;

# Five workers, each allowed 8192 open descriptors — comfortably above the
# per-worker connection ceiling set in the events block.
worker_processes 5; ## Default: 1
worker_rlimit_nofile 8192;

events {
    worker_connections 4096; ## Default: 1024
}
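http {
    server {
        listen 192.168.150.1:443 ssl http2;
        server_name op5.example.com;
        root /var/www/html/;

        ssl_certificate /etc/pki/tls/certs/localhost.crt;
        ssl_certificate_key /etc/pki/tls/private/localhost.key;
        # Refuse the legacy protocol versions. Everything below assumes the
        # client reached us over TLS (X-Forwarded-Proto is hard-coded to https).
        ssl_protocols TLSv1.2 TLSv1.3;

        # Landing page with a link into the protected UI.
        location = / {
            # default_type sets the Content-Type of a `return` body; an
            # add_header here would emit a second Content-Type header next to
            # the default text/plain one.
            default_type text/html;
            return 200 '<html><body><a href="/monitor">Login here</a></body></html>';
        }

        # Vouch Proxy's own login/logout/callback endpoints and static assets:
        # reachable without a session by design.
        location ~ ^/(auth|login|logout|static) {
            proxy_pass http://127.0.0.1:9090;
            proxy_set_header Host $http_host;
        }

        # Target of the auth_request subrequests below. Vouch answers 200 for a
        # valid session cookie (echoing the user in X-Vouch-User) or 401.
        location = /validate {
            # Only reachable through auth_request; a direct client request to
            # /validate gets 404 instead of probing the session checker.
            internal;
            proxy_pass http://127.0.0.1:9090/validate;
            proxy_set_header Host $http_host;
            # Vouch needs only the cookie, never the body of the original request.
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            # These values are read by the @error401 redirect. All of them use
            # the X-Vouch-* spelling; the file previously mixed in X-Lasso-*
            # (Vouch Proxy's former name) for the same values, which left the
            # jwt/err/failcount variables empty in the protected locations.
            auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
            auth_request_set $auth_resp_x_vouch_success $upstream_http_x_vouch_success;
            auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
            auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
            auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
        }

        # A 401 from /validate sends the browser to Vouch's login page, which
        # returns it to the original URL once the session is established.
        error_page 401 = @error401;
        location @error401 {
            # NOTE(review): $http_host comes from the client's Host header, so
            # the post-login `url=` target is client-influenced; this relies on
            # Vouch validating that redirect against its configured domains.
            return 302 https://op5.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
        }

        # Protected location: every request is first checked against /validate.
        location /test/ {
            auth_request /validate;
            auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
            auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
            auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
            auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

            proxy_pass https://127.0.0.1:10443/test/;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Proto "https";

            # Identity headers the backend trusts. proxy_set_header replaces any
            # copy the client sent, so a browser cannot forge them on this path.
            proxy_set_header X-Username $auth_resp_x_vouch_user;
            proxy_set_header X-Realname $auth_resp_x_vouch_user;
            proxy_set_header X-Email $auth_resp_x_vouch_user;
            # NOTE(review): every account Vouch accepts becomes an op5 "admins"
            # member — there is no per-user group mapping here. Restrict Vouch's
            # allowed users or derive the group from a Vouch claim before
            # relying on this in production.
            proxy_set_header X-Groups "admins";
        }

        # Unauthenticated pass-through. nginx forwards client request headers it
        # does not override, so the identity headers that the protected
        # locations set are explicitly cleared here (an empty value drops the
        # header): otherwise a caller could send its own X-Username / X-Groups
        # on /api/ and, if the backend honours header auth on this path,
        # impersonate any user. Whether op5 does so here cannot be told from
        # this file — presumably /api/ relies on op5's own API authentication;
        # confirm against the backend configuration.
        location /api/ {
            proxy_pass https://127.0.0.1:10443/api/;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Proto "https";
            proxy_set_header X-Username "";
            proxy_set_header X-Realname "";
            proxy_set_header X-Email "";
            proxy_set_header X-Groups "";
        }

        # Same as /api/: no auth_request, identity headers cleared so the
        # client cannot supply them.
        location /nagvis/ {
            proxy_pass https://127.0.0.1:10443/nagvis/;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Proto "https";
            proxy_set_header X-Username "";
            proxy_set_header X-Realname "";
            proxy_set_header X-Email "";
            proxy_set_header X-Groups "";
        }

        # Protected location for the op5 web UI; mirrors /test/.
        location /monitor/ {
            auth_request /validate;
            auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
            auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
            auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
            auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

            proxy_pass https://127.0.0.1:10443/monitor/;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Proto "https";

            # Identity headers the backend trusts; overwritten on every request
            # with the user Vouch reported, never taken from the client.
            proxy_set_header X-Username $auth_resp_x_vouch_user;
            proxy_set_header X-Realname $auth_resp_x_vouch_user;
            proxy_set_header X-Email $auth_resp_x_vouch_user;
            # NOTE(review): see /test/ — every authenticated user is granted
            # "admins"; map real groups before production use.
            proxy_set_header X-Groups "admins";
        }
    }
}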