Vouch config and nginx config
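# Vouch Proxy configuration
# bare minimum to get Vouch Proxy running with Azure AD
# https://github.com/vouch/vouch-proxy/issues/290
#
# Vouch is reached only through nginx (proxy_pass http://vouch:9090 in the
# accompanying nginx config); TLS is terminated by nginx, not by Vouch.
vouch:
  # debug logging is verbose and may write token material to the log;
  # lower it once the flow works.
  logLevel: debug
  # testing mode is a debugging aid for the login flow; confirm it is false
  # before this config is used outside a lab.
  testing: true
  # binds every interface: port 9090 must stay unreachable except from nginx
  # (container network / firewall), since it serves plain HTTP.
  listen: 0.0.0.0
  port: 9090
  # every identity the IdP authenticates is accepted; tighten with a
  # domains/whiteList once the IdP side is confirmed.
  allowAllUsers: true

  jwt:
    # The secret signs every session JWT. The value originally committed here
    # was published with this gist and must be treated as compromised: generate
    # a fresh random value and keep it out of shared files (or omit the key and
    # let Vouch generate one at startup).
    secret: <GENERATE-A-NEW-RANDOM-SECRET>
    issuer: Vouch
    compress: false

  cookie:
    name: my-vouch-ct
    secure: true
    # scoped to the apex domain: every host under mydomain.com receives the
    # session cookie, so all of them must be trusted.
    domain: mydomain.com
    httpOnly: true

  headers:
    jwt: X-Vouch-Token
    # if a token is accepted from this query parameter it can end up in access
    # logs and Referer headers; disable if not needed.
    querystring: access_token
    redirect: X-Vouch-Requested-URI
    accesstoken: X-Vouch-IdP-AccessToken
    idtoken: X-Vouch-IdP-IdToken
    # Vouch emits one X-Vouch-IdP-Claims-<Claim> header per entry listed here;
    # the nginx side must read exactly these names (Sub, Upn).
    claims:
      - sub
      - upn

  # the url= parameter given to Vouch's /logout must match one of these
  # exactly; keep it in sync with the nginx /logout location.
  post_logout_redirect_uris:
    # - https://mydomainnebb2cuat.b2clogin.com/mydomainnebb2cuat.onmicrosoft.com/B2C-signuup/oauth2/v2.0/logout?post_logout_redirect_uri=http://localhost:9090/validate
    - https://mydomainnebb2cuat.b2clogin.com/mydomainnebb2cuat.onmicrosoft.com/B2C-signuup/oauth2/v2.0/logout?post_logout_redirect_uri=https://account.mydomain.com:8443

oauth:
  provider: adfs
  # placeholders: real IdP credentials belong in a secret store, not here
  client_id: xx
  client_secret: yy
  auth_url: https://mydomainnebb2cuat.b2clogin.com/mydomainnebb2cuat.onmicrosoft.com/B2C-signuup/oauth2/v2.0/authorize
  token_url: https://mydomainnebb2cuat.b2clogin.com/mydomainnebb2cuat.onmicrosoft.com/B2C-signuup/oauth2/v2.0/token
  user_info_url: https://graph.microsoft.com/oidc/userinfo
  scopes:
    - openid
    - profile
  # must be registered verbatim as a redirect URI at the IdP
  callback_url: https://vouch.mydomain.com:8443/auth #http://localhost:9090/auth
  azure_token: id_token # access_token and id_token supported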
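server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name account.mydomain.com;
    # Redirect to this vhost's own name rather than $host: as default_server the
    # block answers any Host header, and echoing that header into Location would
    # let an unexpected Host value choose the redirect target.
    # Alter port as needed (8443 used for demonstration purposes)
    return 301 https://$server_name:8443$request_uri;
}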
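server {
    listen 443 ssl http2;
    # Make site accessible from http://localhost/
    server_name account.mydomain.com;
    root /var/www/html/docroot;
    index index.php index.html index.htm;

    ssl_certificate     /etc/ssl/account.mydomain.com/account.mydomain.com.crt;
    ssl_certificate_key /etc/ssl/account.mydomain.com/account.mydomain.com.key;

    ################ Vouch config open ########################
    # every request to this vhost is first sent to the `/validate` subrequest;
    # only a 2xx from Vouch Proxy lets it continue to its own location
    auth_request /validate;

    location = /validate {
        # forward the /validate subrequest to Vouch Proxy
        proxy_pass http://vouch:9090;
        # Host is pinned to the Vouch vhost name instead of the client's Host header
        #proxy_set_header Host $http_host;
        proxy_set_header Host vouch.mydomain.com;
        # Vouch Proxy only acts on the request headers
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        ### AUTH REQUEST SET ###
        # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        # optionally add X-Vouch-IdP-Claims-* custom claims you are tracking.
        # Vouch emits one X-Vouch-IdP-Claims-<Claim> header per claim listed in
        # headers.claims of its config (sub and upn); it never sends a
        # ...-Claims-Email header, so upn must be read from the Upn header or
        # the value forwarded to the app is always empty.
        auth_request_set $auth_resp_x_vouch_idp_claims_sub $upstream_http_x_vouch_idp_claims_sub;
        auth_request_set $auth_resp_x_vouch_idp_claims_upn $upstream_http_x_vouch_idp_claims_upn;
        # optionally add X-Vouch-IdP-IdToken, X-Vouch-IdP-AccessToken or X-Vouch-IdP-RefreshToken
        auth_request_set $auth_resp_x_vouch_idp_idtoken $upstream_http_x_vouch_idp_idtoken;
        auth_request_set $auth_resp_x_vouch_idp_accesstoken $upstream_http_x_vouch_idp_accesstoken;
        #auth_request_set $auth_resp_x_vouch_idp_refreshtoken $upstream_http_x_vouch_idp_refreshtoken;
        # these return values are used by the @error401 call
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }

    # if validate returns `401 not authorized` then forward the request to the error401block
    error_page 401 = @error401;

    location @error401 {
        # redirect to Vouch Proxy for login; the original URL is carried in url=
        # so Vouch can send the user back after authentication
        return 302 https://vouch.mydomain.com:8443/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    # proxy pass authorized requests to your service
    location / {
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;

        # forward authorized requests to your service protectedapp.yourdomain.com
        #proxy_pass http://127.0.0.1:8080;
        # NOTE(review): this is the same hostname this server block serves; it
        # only works if :8443 reaches a different listener (e.g. a published
        # container port) — otherwise the request loops back here. Confirm.
        proxy_pass https://account.mydomain.com:8443;

        ### AUTH REQUEST SET ###
        # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        # claim headers are named after headers.claims in the Vouch config (Sub, Upn)
        auth_request_set $auth_resp_x_vouch_idp_claims_sub $upstream_http_x_vouch_idp_claims_sub;
        auth_request_set $auth_resp_x_vouch_idp_claims_upn $upstream_http_x_vouch_idp_claims_upn;
        # optionally add X-Vouch-IdP-IdToken, X-Vouch-IdP-AccessToken or X-Vouch-IdP-RefreshToken
        auth_request_set $auth_resp_x_vouch_idp_idtoken $upstream_http_x_vouch_idp_idtoken;
        auth_request_set $auth_resp_x_vouch_idp_accesstoken $upstream_http_x_vouch_idp_accesstoken;
        #auth_request_set $auth_resp_x_vouch_idp_refreshtoken $upstream_http_x_vouch_idp_refreshtoken;

        ### PROXY SET HEADER ###
        # optionally pass any custom claims you are tracking
        proxy_set_header X-Vouch-IdP-Claims-Sub $auth_resp_x_vouch_idp_claims_sub;
        proxy_set_header X-Vouch-IdP-Claims-Upn $auth_resp_x_vouch_idp_claims_upn;
        # set user header (usually an email)
        proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
        # optionally pass the idtoken, accesstoken or refreshtoken.
        # The backend then holds the raw IdP tokens; forward only the ones the
        # application actually consumes.
        proxy_set_header X-Vouch-IdP-IdToken $auth_resp_x_vouch_idp_idtoken;
        proxy_set_header X-Vouch-IdP-AccessToken $auth_resp_x_vouch_idp_accesstoken;
        #proxy_set_header X-Vouch-IdP-RefreshToken $auth_resp_x_vouch_idp_refreshtoken;
        #try_files $uri /index.php?$query_string; # For Drupal >= 7
    }

    location = /logout {
        # Vouch checks the url= parameter against post_logout_redirect_uris in
        # its config; the accompanying vouch config lists
        # ...post_logout_redirect_uri=https://account.mydomain.com:8443, which
        # does not match the value below, so the logout redirect will be refused
        # until the two are aligned.
        proxy_pass http://vouch:9090/logout?url=https://mydomainnebb2cuat.b2clogin.com/mydomainnebb2cuat.onmicrosoft.com/B2C-signuup/oauth2/v2.0/logout?post_logout_redirect_uri=https://vouch.mydomain.com:8443/validate;
        proxy_set_header Host $http_host;
    }
    #################### Vouch config Close ######################

    # sendfile is left enabled here; disable it only on VirtualBox synced
    # folders, see https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
    sendfile on;

    # Security - Hide nginx version number in error pages and Server header
    server_tokens off;

    # Add stdout logging
    error_log /dev/stdout info;
    access_log /dev/stdout;

    # reduce the data that needs to be sent over network.
    # Compressing TLS responses that mix secrets with user-controlled input
    # exposes them to compression-oracle attacks (BREACH); keep gzip_types to
    # static/public content if such pages exist.
    gzip on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml application/json text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6]\.";

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Very rarely should these ever be accessed outside of your lan.
    # The address checked is the one nginx sees; behind NAT or another proxy
    # that may not be the real client — confirm before relying on it.
    location ~* \.(txt|log)$ {
        allow 192.168.0.0/16;
        deny all;
    }

    location ~ \..*/.*\.php$ {
        return 403;
    }

    location ~ ^/sites/.*/private/ {
        return 403;
    }

    # Block access to scripts in site files directory
    location ~ ^/sites/[^/]+/files/.*\.php$ {
        deny all;
    }

    # Allow "Well-Known URIs" as per RFC 5785
    location ~* ^/.well-known/ {
        allow all;
    }

    # Block access to "hidden" files and directories whose names begin with a
    # period. This includes directories used by version control systems such
    # as Subversion or Git to store control files.
    location ~ (^|/)\. {
        return 403;
    }

    location @rewrite {
        #rewrite ^/(.*)$ /index.php?q=$1; # For Drupal <= 6
        rewrite ^ /index.php; # For Drupal >= 7
    }

    # Don't allow direct access to PHP files in the vendor directory.
    location ~ /vendor/.*\.php$ {
        deny all;
        return 404;
    }

    # Protect files and directories from prying eyes.
    location ~* \.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
        deny all;
        return 404;
    }

    location ~ '\.php$|^/update.php' {
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        # Ensure the php file exists. Mitigates CVE-2019-11043
        try_files $fastcgi_script_name =404;
        # Security note: If you're running a version of PHP older than the
        # latest 5.3, you should have "cgi.fix_pathinfo = 0;" in php.ini.
        # See http://serverfault.com/q/627903/94922 for details.
        include fastcgi_params;
        # Block httpoxy attacks. See https://httpoxy.org/.
        fastcgi_param HTTP_PROXY "";
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_intercept_errors on;
        # PHP 5 socket location.
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        # PHP 7 socket location.
        fastcgi_pass php:9000;
        #fastcgi_pass https://vouch.account.com:8443;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        try_files $uri @rewrite;
        expires max;
        log_not_found off;
    }

    # Fighting with Styles? This little gem is amazing.
    # location ~ ^/sites/.*/files/imagecache/ { # For Drupal <= 6
    location ~ ^/sites/.*/files/styles/ { # For Drupal >= 7
        try_files $uri @rewrite;
    }

    # Handle private files through Drupal. Private file's path can come
    # with a language prefix.
    location ~ ^(/[a-z\-]+)?/system/files/ { # For Drupal >= 7
        try_files $uri /index.php?$query_string;
    }

    # Enforce clean URLs
    # Removes index.php from urls like www.example.com/index.php/my-page --> www.example.com/my-page
    # Could be done with 301 for permanent or other redirect codes.
    if ($request_uri ~* "^(.*/)index\.php/(.*)") {
        return 307 $1$2;
    }
}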
######################Vouch config open ########################### | |
server {
    # Public TLS front for Vouch Proxy itself: the login/callback flow lands
    # here, and terminating TLS in nginx is what allows the Secure cookie flag.
    server_name vouch.mydomain.com;
    listen 443 ssl http2;

    ssl_certificate_key /etc/ssl/vouch.mydomain.com/vouch.mydomain.com.key;
    ssl_certificate     /etc/ssl/vouch.mydomain.com/vouch.mydomain.com.crt;

    location / {
        # Host is pinned to the vhost name; the alternative of echoing the
        # client's Host header is kept below for reference.
        proxy_set_header Host vouch.mydomain.com;
        #proxy_set_header Host $http_host;
        # hand everything to the Vouch container over plain HTTP
        proxy_pass http://vouch:9090;
    }
}
#####################Vouch config close ######################## |