mirror of https://github.com/Luzifer/nginx-sso.git synced 2024-11-14 04:02:41 +00:00

Updated Nginx Reverse Proxy for homelab services using SSO (markdown)

mjbnz 2019-02-11 12:17:17 +13:00
parent 73c0e73df9
commit ea34e76eae

@ -13,7 +13,7 @@ First, create the following docker containers (feel free to adjust local volume
##### nginx-rproxy ##### nginx-rproxy
```sh ```sh
mkdir -p /srv/nginx-rproxy/{conf,certs,log} mkdir -p /srv/nginx-rproxy/{conf/include,certs,log}
docker run -d nginx:latest \ docker run -d nginx:latest \
--name=nginx-rproxy \ --name=nginx-rproxy \
-p 443:443 \ -p 443:443 \
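Review bot: In the unchanged `docker run -d nginx:latest \` line the image name comes before `--name=nginx-rproxy` and `-p 443:443`, so docker will treat those as the container's command rather than as run options; move `nginx:latest` to the end of the argument list. The new `conf/include` directory also has to end up inside the container (the volume mapping is not in the visible context), or the include file placed there will not be found, and pinning a versioned tag instead of `latest` would make the setup reproducible.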
@ -96,7 +96,7 @@ Installation of acme.sh and DNS verification (you need DNS verification working
Generate a wildcard cert with acme.sh using something like the following: Generate a wildcard cert with acme.sh using something like the following:
```sh ```sh
acme.sh --issue -d yourdomain.com -d \*.yourdomain.comf \ acme.sh --issue -d yourdomain.com -d \*.yourdomain.com \
--dns dns_<yourdnsprovider> \ --dns dns_<yourdnsprovider> \
--cert-file /srv/nginx-rproxy/certs/yourdomain.com.crt \ --cert-file /srv/nginx-rproxy/certs/yourdomain.com.crt \
--key-file /srv/nginx-rproxy/certs/yourdomain.com.key \ --key-file /srv/nginx-rproxy/certs/yourdomain.com.key \
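Review bot: The `\*.yourdomain.comf` to `\*.yourdomain.com` fix is correct; the stray `f` would have requested a certificate for a domain that does not exist. While here, it is worth adding that the private key acme.sh writes via `--key-file /srv/nginx-rproxy/certs/yourdomain.com.key` should be readable only by root and the nginx process, since the `certs` directory is what the proxy is given access to.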
@ -121,7 +121,7 @@ ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
``` ```
Second, nginx's `auth_request` parts for nginx-sso, used by your internal web services. I've named this `nginx-sso_auth.inc` Second, nginx's `auth_request` and associated options for nginx-sso, used by `server { }` sections in other config files that link to your internal/protected web services. I've named this `nginx-sso_auth.inc`
```nginx ```nginx
# Protect this location using the auth_request # Protect this location using the auth_request
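Review bot: The new wording says what `nginx-sso_auth.inc` is for but still not where it lives; since this commit creates `conf/include` and the later text says only `.conf` files in `conf/` are included automatically, state explicitly that the `.inc` file goes into `/srv/nginx-rproxy/conf/include/` and is pulled in with an `include` directive from each protected `server { }` block, otherwise readers will drop it next to the `.conf` files and wonder why nothing changes.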
@ -162,9 +162,9 @@ location @error401 {
} }
``` ```
The following items are all placed into `/srv/nginx-rproxy/conf/` as `.conf` files, for the main `nginx.conf` file inside the docker container to include. The following files are all placed into `/srv/nginx-rproxy/conf/` as `.conf` files, for the main `nginx.conf` file inside the docker container to include.
The next file we create is a basic config for HTTP->HTTPS redirection, and for the login domain you can see in the 302 redirects above. The next file we create is a basic `server` block for HTTP->HTTPS redirection, and another for the login domain you can see referred to in the 302 redirects above which simply passes you through to nginx-sso to deal with logins.
I've called this `000-nginx-sso.conf` so that it's included first: I've called this `000-nginx-sso.conf` so that it's included first:
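Review bot: Style: the rewritten sentence about the login domain block runs long; splitting it after "302 redirects above" would read better. It is also worth stating that the `000-` prefix only works because nginx includes the globbed `.conf` files in alphabetical order, which is the assumption behind "so that it's included first".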
@ -179,6 +179,7 @@ server {
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name login.yourdomain.com; server_name login.yourdomain.com;
access_log /var/log/nginx/login.yourdomain.com_access.log; access_log /var/log/nginx/login.yourdomain.com_access.log;
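Review bot: Adding `listen [::]:443 ssl http2;` to the login host makes it consistent with the service blocks below, but the HTTP to HTTPS redirect `server` block in the same file should get a matching `listen [::]:80;` too, or IPv6 clients will never reach the redirect. Note also that these IPv6 listeners only do anything when the container actually has IPv6 networking; with plain `-p 443:443` publishing they are harmless but unused.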
@ -199,6 +200,7 @@ Here's a basic template which I use for portainer. Name it whatever you like - I
```nginx ```nginx
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name portainer.yourdomain.com; server_name portainer.yourdomain.com;
access_log /var/log/nginx/portainer.yourdomain.com_access.log; access_log /var/log/nginx/portainer.yourdomain.com_access.log;
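Review bot: Same IPv6 listener as the login block; fine. Unrelated to the changed line but visible here: none of the `server` blocks carry `default_server`, so a request on 443 with an unknown or missing `Host` is served by the first block nginx loaded, which is the login host from `000-nginx-sso.conf`. A catch-all `server` marked `default_server` that returns 444 would stop the SSO login page being served for arbitrary hostnames and IP-based scans.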
@ -231,6 +233,7 @@ map $http_upgrade $connection_upgrade {
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hass.yourdomain.com; server_name hass.yourdomain.com;
access_log /var/log/nginx/hass.yourdomain.com_access.log; access_log /var/log/nginx/hass.yourdomain.com_access.log;
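Review bot: `listen [::]:443 ssl http2;` is consistent with the other blocks. Style point on the context: the `map $http_upgrade $connection_upgrade` block above this `server` applies to the whole `http` context, not just Home Assistant, so it belongs in a shared file (for example `000-nginx-sso.conf`) rather than the hass config, where a second WebSocket service would have to reuse it rather than redefine it.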
@ -259,15 +262,17 @@ server {
### Usage ### Usage
Make sure you've restarted both containers after modifying their config: Make sure you've restarted both containers after modifying their config (you can actually send the `SIGHUP` signal both to reload their configuration using `docker kill -s HUP <name>` if you prefer):
```sh ```sh
docker restart nginx-rproxy docker restart nginx-rproxy
docker restart nginx-sso docker restart nginx-sso
``` ```
After all that, ensure that you create DNS names in your domain pointing to the nginx server (your external public IP for example), and ensure that you're forwarding port 80 and 443 through to your docker host on your router, or however your network is configured. Ensure that you have created DNS names in your domain pointing to the nginx server (your external public IP for example). Don't forget `login.yourdomain.com` as well.
Point your browser at one of the DNS names you've created, and you should get redirected to HTTPS, then on to `login.yourdomain.com` where you'll be presented with a login form. Log in with the user account you created, or if you used the config above for nginx-sso, it's `admin`/`admin`. Also be sure to set up forwarding of port 80 and 443 through to your docker host on your router, or however your network is configured.
Point your browser at one of the DNS names you've created, and you should get redirected to HTTPS, then on to the nginx-sso login page where you'll be able to log in with the account defined in `config.yml`. If you used the config provided above for nginx-sso, it's `admin`/`admin`.
After logging in, you should be redirected again back to the dns name you started with, and have access through to your web service. You will also have access to any other service you've configured without needing to log in to the SSO backedn again... This is by design - it's *S*ingle *S*ign *O*n after all. After logging in, you should be redirected again back to the dns name you started with, and have access through to your web service. You will also have access to any other service you've configured without needing to log in to the SSO backedn again... This is by design - it's *S*ingle *S*ign *O*n after all.
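Review bot: The Usage text now tells readers to forward ports 80 and 443 from their router while the example nginx-sso config still logs in with `admin`/`admin`; add a step to change that password or create a real user before exposing the proxy, since the login page is the one thing reachable from the internet. Two smaller things: "backedn" should be "backend", and the `docker kill -s HUP <name>` suggestion holds for nginx, but check that nginx-sso itself re-reads `config.yml` on SIGHUP before recommending it for both containers.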