Created
September 16, 2019 12:44
-
-
Save dzirg44/86d4488663ab88b8e8b3913a777df996 to your computer and use it in GitHub Desktop.
vouch bug report
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# vouch config | |
# bare minimum to get vouch running with OpenID Connect (such as okta) | |
vouch: | |
# domains: | |
# valid domains that the jwt cookies can be set into | |
# the callback_urls will be to these domains | |
listen: 0.0.0.0 | |
domains: | |
- vouch.mydomain.io | |
- mydomain.io | |
- vouch-proxy | |
logLevel: debug | |
allowAllUsers: true | |
headers: | |
claims: | |
oauth: | |
provider: oidc | |
client_id: myid.apps.googleusercontent.com | |
client_secret: my-secret | |
auth_url: https://accounts.google.com/o/oauth2/v2/auth | |
token_url: https://www.googleapis.com/oauth2/v4/token | |
user_info_url: https://www.googleapis.com/oauth2/v3/userinfo | |
scopes: | |
- openid | |
- profile | |
callback_url: https://vouch.mydomain.io/auth |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
version: "3" | |
services: | |
vouch-proxy: | |
image: voucher/vouch-proxy | |
ports: | |
- "9090:9090" | |
networks: | |
- service | |
volumes: | |
- ./vouch-proxy/config:/config | |
- ./vouch-proxy/data:/data | |
nginx: | |
image: nginx | |
ports: | |
- "80:80" | |
- "443:443" | |
networks: | |
- service | |
depends_on: | |
- vouch-proxy | |
volumes: | |
- ./nginx/config/nginx.conf:/etc/nginx/nginx.conf:ro | |
- ./nginx/certs:/etc/nginx/conf.d | |
httpbin: | |
image: kennethreitz/httpbin:latest | |
expose: | |
- 80 | |
networks: | |
- service | |
networks: | |
service: | |
driver: bridge |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
user nginx; | |
worker_processes 1; | |
error_log /var/log/nginx/error.log warn; | |
pid /var/run/nginx.pid; | |
events { | |
worker_connections 1024; | |
} | |
http { | |
include /etc/nginx/mime.types; | |
default_type application/octet-stream; | |
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |
'$status $body_bytes_sent "$http_referer" ' | |
'"$http_user_agent" "$http_x_forwarded_for"'; | |
access_log /var/log/nginx/access.log main; | |
sendfile on; | |
keepalive_timeout 65; | |
upstream vouch { | |
server vouch-proxy:9090; | |
} | |
server { | |
listen 443 ssl http2; | |
server_name service.mydomain.io; | |
root /usr/share/nginx/html; | |
ssl_certificate /etc/nginx/conf.d/cert.cert; | |
ssl_certificate_key /etc/nginx/conf.d/cert.key; | |
# send all requests to the `/validate` endpoint for authorization | |
auth_request /validate; | |
location = /validate { | |
#internal; | |
# Vouch Proxy can run behind the same nginx-revproxy | |
# May need to add "internal", and comply to "upstream" server naming | |
proxy_set_header Host $http_host; | |
proxy_pass http://vouch-proxy:9090/validate; | |
# Vouch Proxy only acts on the request headers | |
proxy_pass_request_body off; | |
proxy_set_header Content-Length ""; | |
# pass X-Vouch-User along with the request | |
auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; | |
# these return values are used by the @error401 call | |
auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt; | |
auth_request_set $auth_resp_err $upstream_http_x_vouch_err; | |
auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount; | |
} | |
# if validate returns `401 not authorized` then forward the request to the error401block | |
error_page 401 = @error401; | |
location @error401 { | |
# redirect to Vouch Proxy for login | |
return 302 https://vouch.mydomain.io/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err; | |
} | |
# proxy pass authorized requests to your service | |
location / { | |
proxy_pass http://httpbin; | |
proxy_set_header Host $http_host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
} | |
} | |
server { | |
listen 443 ssl http2; | |
server_name vouch.mydomain.io; | |
ssl_certificate /etc/nginx/conf.d/cert.cert; | |
ssl_certificate_key /etc/nginx/conf.d/cert.key; | |
location / { | |
proxy_pass http://vouch-proxy:9090; | |
proxy_set_header Host $http_host; | |
} | |
} | |
server { | |
listen 80; | |
server_name vouch.mydomain.io; | |
return 302 https://$host$request_uri; | |
} | |
server { | |
listen 80; | |
server_name service.mydomain.io; | |
return 302 https://$host$request_uri; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment