mirror of https://github.com/Luzifer/nginx-sso.git synced 2024-09-19 18:32:56 +00:00

Updated Using nginx sso with haproxy and SPOE (markdown)

Mike Beattie 2020-08-10 17:29:11 +12:00
parent 34f0ee4af6
commit 6d68b5263d

@ -80,7 +80,7 @@ Configuration of nginx-sso is beyond the scope of this short howto - there's not
The following contains the absolute basics, you should ensure that the rest of the configuration is fleshed out how you need it for your environment. It covers the configuration for SPOE, and how to deal with the redirects to nginx-sso for the login form. It also doesn't have any SSL configuration, that's left up to you. The following contains the absolute basics, you should ensure that the rest of the configuration is fleshed out how you need it for your environment. It covers the configuration for SPOE, and how to deal with the redirects to nginx-sso for the login form. It also doesn't have any SSL configuration, that's left up to you.
Note that the filter being applied can be placed in the frontend, but to selectively apply it based on the `Host: ` header takes a little care (to not apply it to the nginx-sso login domain name or path). You'll need to create an acl in the `spoa-server.spoe.conf` file, and then check that acl on the `event` line with an haproxy condition (`unless` or `if`). You will also need to change the event to be `on-frontend-http-request`. Note that the filter being applied can be placed in the frontend, but to selectively apply it based on the `Host: ` header will take a little extra care and attention. You don't really want to apply the filter to the nginx-sso login page domain name or path. To do this, you'll need to create an acl in the `spoa-server.spoe.conf` file, and then check that acl on the `event` line with an haproxy condition (`unless` or `if`). You will also need to change the event to be `on-frontend-http-request`. There are some commented examples in the file content below.
#### haproxy.conf #### haproxy.conf
``` ```
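Review bot: In the rewritten "Note that the filter..." paragraph, "You don't really want to apply the filter to the nginx-sso login page domain name or path" reads as a preference, but the surrounding text treats excluding the login page as a requirement for the redirect to the login form to work. Suggest wording it as a requirement ("The filter must not be applied to ..."). The paragraph also promises commented examples for "domain name or path" while the examples added further down only match on the host, so either add a path-based acl example or drop "or path" here. "In the file content below" could name `spoa-server.spoe.conf` explicitly, since the `haproxy.conf` block comes first.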
@ -136,6 +136,10 @@ spoe-agent spoa-server
spoe-message check-sso-auth spoe-message check-sso-auth
args ip=src ff=req.fhdr(x-forwarded-for) host=req.fhdr(host) uri=url cookies=req.fhdr(cookie) args ip=src ff=req.fhdr(x-forwarded-for) host=req.fhdr(host) uri=url cookies=req.fhdr(cookie)
event on-backend-http-request event on-backend-http-request
# When applying to the frontend, something like this will be needed:
# acl is_login hdr(host) -i login.yourdomain.com
# event on-frontend-http-request unless is_login
``` ```
### Further reading ### Further reading
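Review bot: The commented `acl is_login hdr(host) -i login.yourdomain.com` with `event on-frontend-http-request unless is_login` skips the SSO check based only on the client-supplied Host header, and the comment does not say what else has to hold for that to be safe. Suggest adding a line noting that the frontend must route that host exclusively to nginx-sso, otherwise a request carrying that Host value would bypass the check for whatever backend it reaches. It is also worth a note that the match is on the exact header value, so a Host sent with a port suffix will not match `is_login` and the login page would then be filtered.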