Netbox LetsEncrypt and SSO with OpenResty

Netbox LetsEncrypt and SSO with OpenResty

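#!/usr/bin/env bash
# Install OpenResty plus lua-resty-auto-ssl (Let's Encrypt) and lua-resty-openidc (SSO) on Ubuntu.
# Fail fast: a failed key import or repository add must never be followed by an install step,
# and a failure inside the wget | apt-key pipeline must not be masked by the pipe.
set -euo pipefail

# Prerequisites for fetching and verifying the OpenResty repository key; lsb-release provides
# the lsb_release binary used to pick the codename below.
sudo apt-get -y install --no-install-recommends wget gnupg ca-certificates lsb-release

# Import the OpenResty package-signing key. apt-key is deprecated on recent Ubuntu releases;
# the replacement is a signed-by keyring referenced from the sources entry — TODO when upgrading.
wget -O - https://openresty.org/package/pubkey.gpg | sudo apt-key add -

echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main" \
    | sudo tee /etc/apt/sources.list.d/openresty.list

sudo apt-get update

sudo apt-get -y install openresty
sudo apt-get -y install luarocks

# lua-resty-auto-ssl issues certificates at runtime and keeps its state under /etc/resty-auto-ssl,
# which therefore has to be writable by the nginx worker user (www-data in nginx.conf).
sudo luarocks install lua-resty-auto-ssl
sudo mkdir -p /etc/resty-auto-ssl
sudo chown www-data /etc/resty-auto-ssl

# opm ships with OpenResty; presumably it is on PATH here (otherwise use its full path) — verify.
sudo opm install zmartzone/lua-resty-openidc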
# lua-resty-session settings consumed by the access_by_lua_block in this file.
# NOTE(review): no $session_secret is set on this page; lua-resty-session uses it to protect the
# session cookie, so confirm it is configured elsewhere and is identical across workers and restarts.
set $session_cipher none; # don't need to encrypt the session content, it's an opaque identifier
set $session_storage shm; # use shared memory (server-side state; the cookie only carries an identifier)
set $session_cookie_persistent on; # persist cookie between browser sessions
set $session_cookie_renew 3600; # new cookie every hour
set $session_cookie_lifetime 86400; # lifetime for persistent cookies
set $session_name sess_auth; # name of the cookie to store the session identifier in
set $session_shm_store sessions; # name of the dict to store sessions in (must match a lua_shared_dict in nginx.conf)
# See https://github.com/bungle/lua-resty-session#shared-dictionary-storage-adapter for the following options
set $session_shm_uselocking off;
set $session_shm_lock_exptime 3;
set $session_shm_lock_timeout 2;
set $session_shm_lock_step 0.001;
set $session_shm_lock_ratio 1;
set $session_shm_lock_max_step 0.5;
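access_by_lua_block {
    -- OpenID Connect login gate (lua-resty-openidc). Every request passing through this block
    -- must carry a valid session or is sent to the provider to log in; afterwards the ID-token
    -- claims are handed to the upstream as request headers.
    local opts = {
        discovery = "https://dev-xxxxxxxxxx.okta.com/oauth2/default/.well-known/oauth-authorization-server",
        -- Create an application with your OIDC provider and use the returned client ID and secret here
        client_id = "CLIENT_ID",
        client_secret = "CLIENT_SECRET",
        redirect_uri_path = "/auth",
        redirect_uri_scheme = "https",
        logout_path = "/logout",
        -- Scopes to request; offline_access gives us a refresh token. No "groups" scope is requested
        -- here, so the groups claim may be absent unless the provider adds it to the ID token by default.
        scope = "openid email profile offline_access",
        redirect_after_logout_uri = "https://dev-xxxxxxxxxx.okta.com/oauth2/default/v1/logout",
        redirect_after_logout_with_id_token_hint = false,
        renew_access_token_on_expiry = true,
        access_token_expires_leeway = 60,
        -- Storing the access token also includes the refresh token letting the server transparently
        -- renew the session
        session_contents = {id_token=true, access_token=true},
        -- Verify the provider's TLS certificate: the discovery, token and JWKS responses decide who
        -- is logged in, so an unverified connection would let anyone on the network path impersonate
        -- the provider. Trust anchors come from lua_ssl_trusted_certificate in nginx.conf.
        ssl_verify = "yes"
    }
    -- call authenticate for OpenID Connect user authentication
    local res, err = require("resty.openidc").authenticate(opts)
    if err or not res or not res.id_token then
        -- Log the detail server-side only; the client gets a plain 500 so provider or
        -- configuration errors are not disclosed in the response body.
        ngx.log(ngx.ERR, "OIDC authentication failed: ", err or "no id_token in result")
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    -- set data from the ID token as HTTP Request headers. set_header replaces whatever value the
    -- client sent, and a nil claim removes the header, so the upstream never sees a client-supplied
    -- value for these names on this location.
    local claims = res.id_token
    ngx.req.set_header("X-Auth-Audience", claims.aud)
    ngx.req.set_header("X-Auth-Email", claims.email)
    ngx.req.set_header("X-Auth-ExpiresIn", claims.exp)
    ngx.req.set_header("X-Auth-Groups", claims.groups)
    ngx.req.set_header("X-Auth-Name", claims.name)
    ngx.req.set_header("X-Auth-Subject", claims.sub)
    ngx.req.set_header("X-Auth-Userid", claims.preferred_username)
    ngx.req.set_header("X-Remote-User", claims.preferred_username)
}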
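user www-data;
worker_processes auto;
# A single error_log at "info" covers the "error" and "notice" levels too; listing the same file three
# times with different levels makes nginx write each message up to three times.
error_log /var/log/error.log info;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/access.log main;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;

    gzip on;
    gzip_http_version 1.1;
    gzip_proxied any;
    gzip_buffers 16 8k;
    gzip_vary on;
    gzip_disable msie6;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;

    reset_timedout_connection on;
    client_body_timeout 10;
    send_timeout 2;
    server_tokens off;

    # NOTE(review): nginx does not expand "~" in paths, so this entry most likely never resolves;
    # use an absolute directory if local Lua modules are expected here.
    lua_package_path '~/lua/?.lua;;';
    # CA bundle used by cosocket TLS (lua-resty-openidc's calls to the identity provider);
    # this is what makes ssl_verify on the OIDC side work.
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;

    # Shared dictionaries: OIDC discovery/JWKS caches, the session store named in auth.conf,
    # and the lua-resty-auto-ssl certificate cache.
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;
    lua_shared_dict sessions 10m;
    lua_shared_dict auto_ssl 1m;
    lua_shared_dict auto_ssl_settings 64k;

    init_by_lua_block {
        -- Only issue certificates for the hostname this server is meant to serve. Returning true for
        -- every name lets any client that presents an arbitrary SNI trigger an ACME order, which wastes
        -- Let's Encrypt rate limits and fills the certificate store. Keep in sync with server_name below.
        local allowed_domains = { ["<FQDN>"] = true }
        auto_ssl = (require "resty.auto-ssl").new()
        auto_ssl:set("allow_domain", function(domain)
            return allowed_domains[domain] == true
        end)
        auto_ssl:init()
    }
    init_worker_by_lua_block {
        auto_ssl:init_worker()
    }

    # Plain HTTP: serve ACME HTTP-01 challenges, redirect everything else to HTTPS.
    server {
        listen 80 default_server;
        server_name _;
        location / {
            return 301 https://$host$request_uri;
        }
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }
    }

    # Internal hook server for lua-resty-auto-ssl (certificate storage callbacks). Loopback only;
    # it must never be reachable from outside this host.
    server {
        listen 127.0.0.1:8999;
        client_body_buffer_size 128k;
        client_max_body_size 128k;
        location / {
            content_by_lua_block {
                auto_ssl:hook_server()
            }
        }
    }

    server {
        listen 443 ssl http2;
        server_name <FQDN>;
        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }
        # Fallback (self-signed) certificate used until auto_ssl has issued one; presumably
        # generated as described in the lua-resty-auto-ssl README — verify the files exist.
        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
        include ssl.conf;

        # Static assets are served without SSO.
        location /static/ {
            alias /opt/netbox/netbox/static/;
        }

        # No SSO on the API. Because this location does not include auth.conf, the identity headers
        # that auth.conf sets would otherwise be forwarded exactly as the client sent them; clear them
        # so the upstream cannot mistake a client-supplied value for an SSO-asserted one.
        location /api {
            proxy_pass http://127.0.0.1:8001;
            proxy_set_header X-Remote-User "";
            proxy_set_header X-Auth-Audience "";
            proxy_set_header X-Auth-Email "";
            proxy_set_header X-Auth-ExpiresIn "";
            proxy_set_header X-Auth-Groups "";
            proxy_set_header X-Auth-Name "";
            proxy_set_header X-Auth-Subject "";
            proxy_set_header X-Auth-Userid "";
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # Everything else goes through the OIDC gate in auth.conf, which overwrites the
        # X-Auth-* / X-Remote-User request headers with the ID-token claims before proxying.
        location / {
            include auth.conf;
            proxy_pass http://127.0.0.1:8001;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}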
# TLS settings included by the :443 server block.
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off; # no ticket keys to rotate; resumption relies on the server-side cache only
ssl_protocols TLSv1.3; # TLS 1.3 only: clients without TLS 1.3 support cannot connect
ssl_prefer_server_ciphers off;
# HSTS for two years, sent on every response including error pages ("always").
add_header Strict-Transport-Security "max-age=63072000" always;
# NOTE(review): ssl_stapling_verify needs the issuer chain (ssl_trusted_certificate) to validate the
# OCSP response, and stapling is meaningless for the self-signed fallback cert — confirm it works
# once auto-ssl has issued a certificate.
ssl_stapling on;
ssl_stapling_verify on;
# Resolver used for OCSP lookups (and by OpenResty cosockets); queries go out in plaintext DNS.
resolver 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
resolver_timeout 5s;