Liam Crilly lcrilly

@lcrilly
lcrilly / README.md
Last active April 29, 2024 15:58
NGINX OAuth 2.0 Token Introspection

OAuth 2.0 Token Introspection with NGINX and njs

This configuration enables NGINX to validate an authentication token against an authorization server by using OAuth 2.0 Token Introspection (RFC 7662). This solution uses the auth_request module and the NGINX JavaScript module to require authentication and perform the token introspection request.

By default, the client's authentication token is expected as a bearer token supplied in the Authorization header. If supplied elsewhere in the HTTP request, the $access_token variable must be configured to specify where to obtain the token.

Token introspection requests are authenticated. By default, the $oauth_client_id and $oauth_client_secret variables are used to perform HTTP Basic authentication with the Authorization Server. If only the $oauth_client_secret variable is specified then that value is used

@lcrilly
lcrilly / oas2nginx.sh
Created December 19, 2023 16:00
Converts OpenAPI/Swagger spec into nginx.conf snippet (server context)
#!/usr/bin/env bash
#
# oas2nginx.sh (c) NGINX, Inc. [v0.5 13-Jan-2020] Liam Crilly <liam.crilly@nginx.com>
#
# Converts OpenAPI/Swagger spec into nginx.conf snippet (server context) as per
# https://www.nginx.com/blog/deploying-nginx-plus-as-an-api-gateway-part-1/
# Requires shyaml for YAML processing: https://github.com/0k/shyaml
# Defaults
#
@lcrilly
lcrilly / README.md
Last active March 31, 2024 13:09
Prometheus exporter for NGINX Unit metrics

Prometheus exporter for NGINX Unit metrics

The NGINX Unit control API includes a /status endpoint for usage statistics. This is a solution for exposing these metrics in Prometheus format.

The application (run by Unit) queries the /status URI on the control socket and converts the JSON response into Prometheus text format. PHP and Python implementations are available.

These instructions assume an existing Unit installation with a working configuration. We will add a new listener on the default prometheus port (9090) and route it directly to the Prometheus app.

Step 0. Install the preferred Unit language module (unit-php or unit-python)

@lcrilly
lcrilly / build_unit.sh
Last active February 7, 2024 19:03
build_unit.sh - builds NGINX Unit from source based on installed version
#!/bin/bash
NJS_VER=""
RBT=0
UNIT_VER=""
SUFFIX=()
PATCH_FILES=()
CONFIGURE_OPTIONS=""
STARTDIR=$PWD
WORKDIR=/tmp/build_unit.$$
@lcrilly
lcrilly / Dockerfile
Created November 27, 2023 22:34
Dockerfile for building NGINX Unit from source
# This Dockerfile builds NGINX Unit from source, including njs, and
# by applying any .patch files found in the current directory. The
# latest Docker Official Image is used to select the code branch and
# copies the configure arguments so that the language module in the
# Docker Image is compatible with the new unitd binary.
#
# Build by specifying the tag of the most suitable Docker Official Image
# from <https://hub.docker.com/_/unit/tags> as
# docker build --build-arg TAG=php -t unit:test .
#
@lcrilly
lcrilly / Dockerfile
Last active January 24, 2023 07:09
NGINX + OpenSSL 3.0
FROM nginx AS build
WORKDIR /src
RUN apt-get update && \
apt-get install -y git gcc make mercurial libperl-dev libpcre3-dev zlib1g-dev libxslt1-dev libgd-ocaml-dev libgeoip-dev
RUN git clone -b openssl-3.0 https://github.com/openssl/openssl openssl-3.0 && \
hg clone https://hg.nginx.org/nginx && \
hg clone http://hg.nginx.org/njs
RUN cd nginx && \
auto/configure `nginx -V 2>&1 | sed "s/ \-\-/ \\\ \n\t--/g" | grep "\-\-" | grep -ve opt= -e param=` \
@lcrilly
lcrilly / README.md
Last active November 25, 2022 17:45
unitc - a curl wrapper for configuring NGINX Unit
@lcrilly
lcrilly / Dockerfile
Last active November 16, 2022 15:11
Docker image that builds nginx-quic from source https://quic.nginx.org/
# Builds NGINX from the QUIC+HTTP/3 development branch
# - Based on the official NGINX docker image, including all modules built by default
# - OpenSSL replaced with LibreSSL to support QUIC's TLS requirements (statically linked)
#
# docker build --no-cache -t nginx:quic .
# docker run -d -p 443:443 -p 443:443/udp nginx:quic
#
# Note that a suitable configuration file and TLS certificates are required for testing!
# See <https://quic.nginx.org/readme.html> for more info
@lcrilly
lcrilly / tcp-jwt.mermaid
Created November 2, 2022 09:53
JWT authentication for TCP traffic
@lcrilly
lcrilly / README.md
Last active October 1, 2022 16:35
Unit intro demo

Simple demo for NGINX Unit

JSON/REST API for simple addition in several languages and a hello world web page.

echo '{"operands": [100,25]}' | curl -d@- localhost:9000/add