Updated Nginx Reverse Proxy for homelab services using SSO (markdown)

2024-11-09 09:50:01 +00:00 · 2019-02-11 12:17:17 +13:00 · 2019-02-11 12:17:17 +13:00 · ea34e76eae
commit ea34e76eae
parent 73c0e73df9
1 changed files with 13 additions and 8 deletions
--- a/Nginx-Reverse-Proxy-for-homelab-services-using-SSO.md
+++ b/Nginx-Reverse-Proxy-for-homelab-services-using-SSO.md
@ -13,7 +13,7 @@ First, create the following docker containers (feel free to adjust local volume
 ##### nginx-rproxy

 ```sh
-mkdir -p /srv/nginx-rproxy/{conf,certs,log}
+mkdir -p /srv/nginx-rproxy/{conf/include,certs,log}
 docker run -d nginx:latest                                   \
    --name=nginx-rproxy                                      \
    -p 443:443                                               \
@ -96,7 +96,7 @@ Installation of acme.sh and DNS verification (you need DNS verification working
 Generate a wildcard cert with acme.sh using something like the following:

 ```sh
-acme.sh --issue -d yourdomain.com -d \*.yourdomain.comf        \
+acme.sh --issue -d yourdomain.com -d \*.yourdomain.com         \
        --dns dns_<yourdnsprovider>                            \
        --cert-file /srv/nginx-rproxy/certs/yourdomain.com.crt \
        --key-file /srv/nginx-rproxy/certs/yourdomain.com.key  \
@ -121,7 +121,7 @@ ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ```

-Second, nginx's `auth_request` parts for nginx-sso, used by your internal web services. I've named this `nginx-sso_auth.inc`
+Second, nginx's `auth_request` and associated options for nginx-sso, used by `server { }` sections in other config files that link to your internal/protected web services. I've named this `nginx-sso_auth.inc`

 ```nginx
 # Protect this location using the auth_request
@ -162,9 +162,9 @@ location @error401 {
 }
 ```

-The following items are all placed into `/srv/nginx-rproxy/conf/` as `.conf` files, for the main `nginx.conf` file inside the docker container to include.
+The following files are all placed into `/srv/nginx-rproxy/conf/` as `.conf` files, for the main `nginx.conf` file inside the docker container to include.

-The next file we create is a basic config for HTTP->HTTPS redirection, and for the login domain you can see in the 302 redirects above.
+The next file we create is a basic `server` block for HTTP->HTTPS redirection, and another for the login domain you can see referred to in the 302 redirects above which simply passes you through to nginx-sso to deal with logins.

 I've called this `000-nginx-sso.conf` so that it's included first:

@ -179,6 +179,7 @@ server {

 server {
        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
        server_name login.yourdomain.com;

        access_log  /var/log/nginx/login.yourdomain.com_access.log;
@ -199,6 +200,7 @@ Here's a basic template which I use for portainer. Name it whatever you like - I
 ```nginx
 server {
        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
        server_name portainer.yourdomain.com;

        access_log  /var/log/nginx/portainer.yourdomain.com_access.log;
@ -231,6 +233,7 @@ map $http_upgrade $connection_upgrade {

 server {
        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
        server_name hass.yourdomain.com;

        access_log  /var/log/nginx/hass.yourdomain.com_access.log;
@ -259,15 +262,17 @@ server {

 ### Usage

-Make sure you've restarted both containers after modifying their config:
+Make sure you've restarted both containers after modifying their config (you can actually send the `SIGHUP` signal both to reload their configuration using `docker kill -s HUP <name>` if you prefer):
 ```sh
 docker restart nginx-rproxy
 docker restart nginx-sso
 ```

-After all that, ensure that you create DNS names in your domain pointing to the nginx server (your external public IP for example), and ensure that you're forwarding port 80 and 443 through to your docker host on your router, or however your network is configured.
+Ensure that you have created DNS names in your domain pointing to the nginx server (your external public IP for example). Don't forget `login.yourdomain.com` as well.

-Point your browser at one of the DNS names you've created, and you should get redirected to HTTPS, then on to `login.yourdomain.com` where you'll be presented with a login form. Log in with the user account you created, or if you used the config above for nginx-sso, it's `admin`/`admin`.
+Also be sure to set up forwarding of port 80 and 443 through to your docker host on your router, or however your network is configured.
+
+Point your browser at one of the DNS names you've created, and you should get redirected to HTTPS, then on to the nginx-sso login page where you'll be able to log in with the account defined in `config.yml`. If you used the config provided above for nginx-sso, it's `admin`/`admin`.

 After logging in, you should be redirected again back to the dns name you started with, and have access through to your web service. You will also have access to any other service you've configured without needing to log in to the SSO backedn again... This is by design - it's *S*ingle *S*ign *O*n after all.