@ivanjx
Created June 27, 2024 17:24
# Reverse-proxy front for the protected app. Every request is first checked
# by a Vouch Proxy auth subrequest (/validate); a 401 from it turns into a
# redirect to the Vouch login page, and requests that pass are additionally
# filtered by the per-user allow-list in user_auth.lua before reaching the app.
server {
    # NOTE(review): port 80 proxies the protected app without TLS. The compose
    # file sets VOUCH_COOKIE_SECURE=true, so a browser never sends the Vouch
    # cookie over plain HTTP; an http:// request therefore presumably always
    # fails /validate and is sent to the login page with url=http://... .
    # Consider answering port 80 with a redirect to https:// instead of
    # proxying — verify against the actual login round-trip.
    listen 80;
    # ssl_certificate / ssl_certificate_key are not shown here; assumed to be
    # inherited from the http context or an include — confirm.
    listen 443 ssl;
    server_name app.domain.net;
    # Set at server level, so it is inherited by the locations below: each
    # request triggers an internal subrequest to /validate and is blocked
    # unless that subrequest succeeds.
    auth_request /validate;
    location = /validate {
        proxy_pass http://vouch-auth:9090/validate; # i am using docker compose
        # Vouch only needs the request headers (cookie); drop the body.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        # Copy Vouch's *response* headers into request variables for use by
        # @error401 and by the Lua access check. $upstream_http_* is what the
        # upstream (Vouch) returned, not a header the client could have sent.
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
        # NOTE(review): this location is also reachable by clients directly;
        # adding `internal;` would restrict it to the auth subrequest — check
        # first that nothing relies on calling it from outside.
    }
    # A 401 from the auth subrequest is handled by the named location below
    # rather than returned to the client.
    error_page 401 = @error401;
    location @error401 {
        # Redirect to the Vouch login page, carrying the original URL so the
        # user is sent back here after logging in.
        # NOTE(review): the JWT (X-Vouch-Token) and the error text travel in
        # the query string, so they can end up in access logs and Referer
        # headers; confirm the login flow actually needs them there.
        return 302 https://auth.domain.net/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }
    location / {
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        proxy_pass http://protected-app:8080;
        # Allow-list check on $auth_resp_x_vouch_user (see user_auth.lua).
        # It applies only inside this location: any other location added to
        # this server needs the same directive to stay covered by the
        # allow-list. A relative path is resolved against the nginx prefix.
        access_by_lua_file user_auth.lua;
    }
}
# Vouch Proxy service (docker compose). It only authenticates users against
# Home Assistant's OAuth endpoints; which users may reach the app is decided
# afterwards by the nginx Lua access check, hence VOUCH_ALLOWALLUSERS below.
vouch-auth:
  # NOTE(review): `latest` is a moving tag; pin a release tag (or a digest)
  # so the authentication component does not change silently on redeploy.
  image: quay.io/vouch/vouch-proxy:latest
  restart: always
  environment:
    # Every user the provider authenticates passes /validate; the per-user
    # allow-list lives in user_auth.lua, not here.
    VOUCH_ALLOWALLUSERS: "true"
    # The session cookie is scoped to the whole domain, so every host under
    # domain.net (app., auth., home., ...) receives it; only trusted services
    # should be hosted on that domain.
    VOUCH_COOKIE_DOMAIN: "domain.net"
    # Secure flag: the cookie is sent over HTTPS only (relevant to the plain
    # port-80 listener in the nginx config).
    VOUCH_COOKIE_SECURE: "true"
    OAUTH_PROVIDER: "homeassistant"
    # The client id is the Vouch URL itself — presumably what Home Assistant's
    # URL-based (IndieAuth-style) client identification expects; confirm
    # against the Home Assistant auth documentation.
    OAUTH_CLIENT_ID: "https://auth.domain.net"
    OAUTH_CALLBACK_URL: "https://auth.domain.net/auth"
    OAUTH_AUTH_URL: "https://home.domain.net/auth/authorize"
    OAUTH_TOKEN_URL: "https://home.domain.net/auth/token"
-- ==============================
-- User Authentication
-- via X-Vouch-User
-- ==============================
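--- Build a lookup set from a list of values.
-- Every element of `list` becomes a key mapped to `true`, so membership is
-- a single table index (`set[v]`, or `tableHasKey(set, v)`) instead of a
-- linear scan. Declared `local`: a bare `function Set` would create a global,
-- which in OpenResty is shared by every *_by_lua chunk in the worker.
-- @tparam table|nil list sequence of values; `nil` yields an empty set
--   (ipairs stops at the first nil hole, as before)
-- @treturn table set with `set[v] == true` for each value in `list`
local function Set(list)
  local set = {}
  for _, value in ipairs(list or {}) do
    set[value] = true
  end
  return set
end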
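--- Report whether `tbl` holds a non-nil value under `key`.
-- The first parameter is named `tbl` rather than `table` so it no longer
-- shadows the standard `table` library inside the function, and the function
-- is `local` so it does not leak into the shared OpenResty global scope.
-- @tparam table tbl table to look in
-- @param key any value usable as a table key (`nil` simply yields false)
-- @treturn boolean true when `tbl[key]` is not nil (a stored `false` counts
--   as present)
local function tableHasKey(tbl, key)
  return tbl[key] ~= nil
end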
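-- Validate a user in nginx, instead of vouch.
-- Runs in the access phase of `location /`. The user name is read from
-- $auth_resp_x_vouch_user, which nginx fills from the X-Vouch-User *response*
-- header of the /validate auth subrequest (auth_request_set), not from any
-- header the client sent, so a request cannot forge it. Membership is an
-- exact, case-sensitive string match against the set below.
local authorized_users = Set {
  "admin",
}

-- ngx.var yields nil for an unset variable; an empty string would equally mean
-- "Vouch returned no user", so both are rejected up front rather than looking
-- up "" in the set. `return ngx.exit(...)` is the OpenResty idiom for ending
-- the request here and not running the rest of the chunk.
local user = ngx.var.auth_resp_x_vouch_user
if user == nil or user == "" then
  ngx.log(ngx.ERR, "NO VOUCH USER!")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Authenticated but not on the allow-list: log the name and deny.
if not tableHasKey(authorized_users, user) then
  ngx.log(ngx.ERR, "VOUCH USER GNAME: " .. user .. "!")
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end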