-
-
Save ivanjx/1a08d6e0413cb6b9bb8302ebe7db9de1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 80; | |
| listen 443 ssl; | |
| server_name app.domain.net; | |
| auth_request /validate; | |
| location = /validate { | |
| proxy_pass http://vouch-auth:9090/validate; # i am using docker compose | |
| proxy_pass_request_body off; | |
| proxy_set_header Content-Length ""; | |
| auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; | |
| auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt; | |
| auth_request_set $auth_resp_err $upstream_http_x_vouch_err; | |
| auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount; | |
| } | |
| error_page 401 = @error401; | |
| location @error401 { | |
| return 302 https://auth.domain.net/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err; | |
| } | |
| location / { | |
| auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; | |
| proxy_pass http://protected-app:8080; | |
| access_by_lua_file user_auth.lua; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| vouch-auth: | |
| image: quay.io/vouch/vouch-proxy:latest | |
| restart: always | |
| environment: | |
| VOUCH_ALLOWALLUSERS: "true" | |
| VOUCH_COOKIE_DOMAIN: "domain.net" | |
| VOUCH_COOKIE_SECURE: "true" | |
| OAUTH_PROVIDER: "homeassistant" | |
| OAUTH_CLIENT_ID: "https://auth.domain.net" | |
| OAUTH_CALLBACK_URL: "https://auth.domain.net/auth" | |
| OAUTH_AUTH_URL: "https://home.domain.net/auth/authorize" | |
| OAUTH_TOKEN_URL: "https://home.domain.net/auth/token" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -- ============================== | |
| -- User Authentication | |
| -- via X-Vouch-User | |
| -- ============================== | |
| -- Function to turn a table with only values into a k=>v table | |
| function Set (list) | |
| local set = {} | |
| for _, l in ipairs(list) do set[l] = true end | |
| return set | |
| end | |
| -- Function to find a key in a table | |
| function tableHasKey(table,key) | |
| return table[key] ~= nil | |
| end | |
| -- Validate a user in nginx, instead of vouch | |
| local authorized_users = Set { | |
| "admin" | |
| } | |
| -- Verify the variable exists | |
| if ngx.var.auth_resp_x_vouch_user then | |
| -- Check if the found user is in the authorized_users table | |
| if not tableHasKey(authorized_users, ngx.var.auth_resp_x_vouch_user) then | |
| -- If not, throw a forbidden | |
| ngx.log(ngx.ERR, "VOUCH USER GNAME: " .. ngx.var.auth_resp_x_vouch_user .. "!") | |
| ngx.exit(ngx.HTTP_FORBIDDEN) | |
| end | |
| else | |
| -- Throw forbidden if variable doesn't exist | |
| ngx.log(ngx.ERR, "NO VOUCH USER!") | |
| ngx.exit(ngx.HTTP_FORBIDDEN) | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment