1 Nginx Implementation
Knut Ahlers edited this page 2018-12-28 23:17:57 +01:00

You can use the luzifer/nginx-sso docker image to start your SSO service. On first start an example configuration is generated in the mounted volume (/data/sso-config here); edit it, then (re)start the container. Binding the published port to 127.0.0.1 keeps the service reachable only from the local host, so clients can only reach it through nginx:

# docker run --detach --volume /data/sso-config:/data --publish 127.0.0.1:8082:8082 luzifer/nginx-sso

After that, configure nginx to use the SSO service:

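server {
  listen        443 ssl;
  server_name   kibana.hub.luzifer.io;

  # TLS material for this vhost. Protocol and cipher settings are not part
  # of this snippet; they come from the http{} level or the nginx defaults.
  ssl_certificate     /data/ssl/certs/luzifer.io.pem;
  ssl_certificate_key /data/ssl/certs/luzifer.io.key;

  # A 401 from the auth subrequest becomes a redirect to the login page.
  # The "=" lets the named location pick the final status code (302 below).
  error_page 401 = @error401;

  location / {
    # Gate this location on the /sso-auth subrequest: a 2xx lets the request
    # through, a 401 triggers @error401, a 403 is returned to the client.
    auth_request /sso-auth;

    ## Optionally forward the authenticated username to the backend.
    ## proxy_set_header overwrites any X-User header the client sent, so the
    ## backend may only trust X-User while this line is active and while the
    ## backend (127.0.0.1:1720) is reachable solely through this nginx.
    #auth_request_set $username $upstream_http_x_username;
    #proxy_set_header X-User $username;

    # Renew the SSO cookie on every request: copy the Set-Cookie header of the
    # auth subrequest onto the response. nginx drops an add_header whose value
    # is empty, so nothing is emitted when nginx-sso did not set a cookie.
    # Caveats: $upstream_http_set_cookie holds only the first Set-Cookie
    # header, and add_header at this level replaces add_header directives
    # inherited from server{} (re-add server-wide headers here if you rely on them).
    auth_request_set $cookie $upstream_http_set_cookie;
    add_header Set-Cookie $cookie;

    proxy_pass http://127.0.0.1:1720/;
  }

  # /logout sends the user to the nginx-sso logout endpoint, which erases the
  # session cookie and then redirects the user back to / on this host.
  location /logout {
    # login.luzifer.io is another server{} block proxying to http://127.0.0.1:8082.
    # The "go" target is built from $server_name (configured above) rather than
    # the client-supplied Host header, so a request carrying a forged Host
    # cannot steer the post-logout redirect to another site.
    return 302 https://login.luzifer.io/logout?go=$scheme://$server_name/;
  }

  location /sso-auth {
    # Reachable only as a subrequest, never directly from the network.
    internal;
    # Ask nginx-sso for the login state of the current request.
    proxy_pass http://127.0.0.1:8082/auth;
    # The request body is irrelevant to the auth check; do not forward it.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    # Request metadata for ACL matching in nginx-sso: each header is available
    # as a match field (X-Host = x-host, ...).
    # NOTE(review): X-Host carries whatever Host the client sent; if this
    # server{} is the default server for the listener, ACL rules keyed on
    # x-host can be fed an arbitrary value. X-Real-IP / X-Forwarded-For name
    # the direct peer of this nginx; with another proxy in front they hold
    # that proxy's address unless the real_ip module is configured.
    proxy_set_header X-Origin-URI $request_uri;
    proxy_set_header X-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Application "kibana";
  }

  # Where unauthenticated users are sent, and how they get back afterwards.
  location @error401 {
    # login.luzifer.io is another server{} block proxying to http://127.0.0.1:8082.
    # $server_name (not $http_host) anchors the "go" target to this vhost so the
    # post-login redirect cannot be pointed elsewhere via the Host header.
    return 302 https://login.luzifer.io/login?go=$scheme://$server_name$request_uri;
  }
}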

To implement a logout, send the user to the /logout?go=<url> endpoint: nginx-sso erases the cookie-stored login and then redirects the browser to the URL given in go.