Using subdomains and HTTPS for local demo

Siecje · Sep 26, 2017 · 3780157 · 3780157
1 parent 264eb7a
commit 3780157
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -43,6 +43,23 @@ git clone https://github.com/Siecje/nginx-auth-proxy
 cd nginx-auth-proxy
 ```
 
+### Simulate subdomains locally
+
+This will resolve both `one.localhost` and `two.localhost` to `localhost`.
+
+```shell
+echo "127.0.0.1 one.localhost" | sudo tee -a /etc/hosts
+echo "127.0.0.1 one.localhost" | sudo tee -a /etc/hosts
+```
+
+### Create self signed certificate
+
+```shell
+openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj '/CN=localhost'
+sudo mv cert.pem /etc/ssl/certs/
+sudo mv key.pem /etc/ssl/certs/
+```
+
 ### Configure nginx
 
 ```shell
@@ -74,15 +91,15 @@ pip install -r requirements.txt
 ```
 
 ```shell
-FLASK_DEBUG=1 python authenticator.py &
+python authenticator.py &
 python service1.py &
 python service2.py &
 ```
 
 When you visit `http://localhost:8081` you will need to login.
 As long as you use the username 'admin' you will be able to access the service.
 
-You will then be able to visit `http://localhost:8082` without logging in.
+You will then be able to visit `http://localhost:8082` and login with the same username and password.
 
 ## Run in production
 

diff --git a/authenticator.py b/authenticator.py
@@ -88,7 +88,6 @@ def login():
                             )
 
             # Set headers that will be received by the service for this request
-            resp.headers['Location'] = target
             resp.headers['REMOTE_USER'] = username
             resp.headers['X-WEBAUTH-USER'] = username
             resp.headers['X-Forwarded-User'] = username

diff --git a/conf.d/service1.conf b/conf.d/service1.conf
@@ -4,10 +4,20 @@ upstream service1 {
     server 127.0.0.1:9000;
 }
 
-# listen on port 8081 for requests that require
-# authentication. Change the port number as appropriate.
+# Redirect HTTP to HTTPS
 server {
-    listen 8081;
+  listen 80;
+  server_name one.localhost;
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name one.localhost;
+
+    ssl_certificate /etc/ssl/certs/cert.pem;
+    ssl_certificate_key /etc/ssl/certs/key.pem;
+    ssl_trusted_certificate /etc/ssl/certs/cert.pem;
 
     # Protected application
     location / {

diff --git a/conf.d/service2.conf b/conf.d/service2.conf
@@ -4,10 +4,20 @@ upstream service2 {
     server 127.0.0.1:7000;
 }
 
-# listen on port 8082 for requests that require
-# authentication. Change the port number as appropriate.
+# Redirect HTTP to HTTPS
 server {
-    listen 8082;
+  listen 80;
+  server_name two.localhost;
+  return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name two.localhost;
+
+    ssl_certificate /etc/ssl/certs/cert.pem;
+    ssl_certificate_key /etc/ssl/certs/key.pem;
+    ssl_trusted_certificate /etc/ssl/certs/cert.pem;
 
     # Protected application
     location / {

diff --git a/include.d/authentication.include b/include.d/authentication.include
@@ -1,6 +1,6 @@
 location /login {
     proxy_pass http://authenticator/login;
-    proxy_set_header Host $host:$server_port;
+    proxy_set_header Host $host;
     proxy_set_header X-Original-URI $request_uri;
     proxy_set_header X-Real-IP $remote_addr;
 }