Nginx Implementation
Knut Ahlers edited this page 2018-12-28 23:17:57 +01:00
You can use the luzifer/nginx-sso
docker image to run your SSO service. On first start an example configuration is generated; once you have adjusted that configuration, start the container:
# Note: -p 127.0.0.1:8082:8082 publishes the port on loopback only, so the SSO
# service is reachable from this host (where nginx proxies to it) and not from the network.
# docker run -d -p 127.0.0.1:8082:8082 -v /data/sso-config:/data luzifer/nginx-sso
After you have done this, configure nginx to use the SSO service:
server {
    listen      443 ssl;
    server_name kibana.hub.luzifer.io;

    ssl_certificate     /data/ssl/certs/luzifer.io.pem;
    ssl_certificate_key /data/ssl/certs/luzifer.io.key;

    # A 401 from the auth subrequest is turned into a redirect to the
    # login page (see the @error401 location at the bottom).
    error_page 401 = @error401;

    # The protected application. Every request is first checked through
    # the internal /sso-auth subrequest before it is proxied.
    location / {
        auth_request /sso-auth;

        ## Optional: hand the authenticated username to the backend.
        ## proxy_set_header replaces any X-User value the client sent.
        ## While these lines stay disabled, a client-sent X-User header
        ## is passed to the backend unchanged, so a backend that trusts
        ## X-User should have them enabled.
        #auth_request_set $username $upstream_http_x_username;
        #proxy_set_header X-User $username;

        # Renew the SSO cookie: copy Set-Cookie from the auth response
        # onto the response sent to the browser.
        # Two nginx behaviours to keep in mind:
        #  - add_header without "always" is applied only to a fixed set
        #    of success and redirect status codes;
        #  - an add_header in this location stops inheritance of
        #    add_header directives from the server/http level (e.g.
        #    security headers defined there must be repeated here).
        auth_request_set $cookie $upstream_http_set_cookie;
        add_header Set-Cookie $cookie;

        proxy_pass http://127.0.0.1:1720/;
    }

    # Requests to /logout are redirected to the logout endpoint of
    # nginx-sso, which then sends the user back to / on the current host.
    location /logout {
        # login.luzifer.io is another server{} block that also proxies
        # to http://127.0.0.1:8082
        # $http_host is the Host header as sent by the client.
        return 302 https://login.luzifer.io/logout?go=$scheme://$http_host/;
    }

    # Target of the auth_request subrequest.
    location /sso-auth {
        # Only reachable through internal subrequests, never directly
        # by a client.
        internal;

        # Ask the /auth endpoint of nginx-sso for the login state
        proxy_pass http://127.0.0.1:8082/auth;

        # nginx-sso does not look at the request body: drop it and clear
        # Content-Length to match.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Extra request information for ACL matching. Each header is
        # available as a lower-cased field (X-Host = x-host, ...).
        # Trust notes for writing ACL rules:
        #  - X-Real-IP is the peer address of the connection as seen
        #    by nginx;
        #  - X-Forwarded-For keeps whatever the client sent and appends
        #    the peer address, so its leading entries are client-supplied;
        #  - X-Host is the client's Host header.
        # NOTE(review): headers not overwritten here presumably reach
        # nginx-sso as the client sent them - confirm before matching
        # on any of those in an allow rule.
        proxy_set_header X-Origin-URI $request_uri;
        proxy_set_header X-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Application "kibana";
    }

    # Where to send the user for login, and how to get back afterwards
    location @error401 {
        # login.luzifer.io is another server{} block that also proxies
        # to http://127.0.0.1:8082
        # $request_uri is inserted as received (not URL-encoded), so a
        # query string containing "&" ends up as separate parameters of
        # the login URL.
        # NOTE(review): "go" is built from the client-sent Host header;
        # confirm how nginx-sso restricts redirect targets.
        return 302 https://login.luzifer.io/login?go=$scheme://$http_host$request_uri;
    }
}
To implement a logout, send the user to the /logout?go=<url>
endpoint, which ensures the cookie-stored login is erased.