Add a second service

Siecje · Aug 30, 2017 · 43dd0d4 · 43dd0d4
1 parent f58212b
commit 43dd0d4
Show file tree

Hide file tree

Showing 7 changed files with 149 additions and 75 deletions.
diff --git a/README.md b/README.md
@@ -41,25 +41,37 @@ git clone https://github.com/Siecje/nginx-auth-proxy
 cd nginx-auth-proxy
 ```
 
+### Configure nginx
+
 ```shell
-virtualenv venv
-source venv/bin/activate
-pip install -r requirements.txt
+sudo rm /etc/nginx/sites-enabled/default
 ```
 
 ```shell
-sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx_backup.conf
-sudo ln -s nginx.conf /etc/nginx/nginx.conf
+sudo ln -s `pwd`/conf.d/authenticator.conf /etc/nginx/conf.d/authenticator.conf
+sudo ln -s `pwd`/conf.d/service1.conf /etc/nginx/conf.d/service1.conf
+sudo ln -s `pwd`/conf.d/service2.conf /etc/nginx/conf.d/service2.conf
 ```
 
 ```shell
-python authenticator.py &
-python service.py &
+sudo service nginx restart
 ```
 
+### Start services
+
 ```shell
-sudo service nginx restart
+virtualenv venv
+source venv/bin/activate
+pip install -r requirements.txt
+```
+
+```shell
+python authenticator.py &
+python service1.py &
+python service2.py &
 ```
 
 When you visit `http://localhost:8081` you will need to login.
 As long as you use the username 'admin' you will be able to access the service.
+
+You will then be able to visit `http://localhost:8082` without logging in.
diff --git a/conf.d/authenticator.conf b/conf.d/authenticator.conf
@@ -0,0 +1,5 @@
+# The authenticator listens on port 8000, as set
+# in authenticator.py.
+upstream authenticator {
+    server 127.0.0.1:8000;
+}
diff --git a/conf.d/service1.conf b/conf.d/service1.conf
@@ -0,0 +1,54 @@
+# The application listens on port 9000 as implemented
+# in service1.py.
+upstream service1 {
+    server 127.0.0.1:9000;
+}
+
+# listen on port 8081 for requests that require
+# authentication. Change the port number as appropriate.
+server {
+    listen 8081;
+
+    # Protected application
+    location / {
+        # Requests must be authenticated
+        auth_request /auth-proxy;
+
+        # Relay the REMOTE_USER and X-WEBAUTH-USER headers
+        # From the response of the authentication request
+        # To the service
+        auth_request_set $remoteUser $upstream_http_REMOTE_USER;
+        proxy_set_header REMOTE_USER $remoteUser;
+
+        auth_request_set $xWebauthUser $upstream_http_X_WEBAUTH_USER;
+        proxy_set_header X-WEBAUTH-USER $xWebauthUser;
+
+        # redirect 401 and 403 to login form
+        error_page 401 403 /login;
+
+        proxy_pass http://service1/;
+    }
+
+    location /login {
+        proxy_pass http://authenticator/login;
+        proxy_set_header Host $host:$server_port;
+        proxy_set_header X-Original-URI $request_uri;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+
+    location /auth-proxy {
+        internal;
+
+        proxy_pass http://authenticator/;
+
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+
+        proxy_set_header X-Real-IP $remote_addr;
+
+        # Login service returns a redirect to the original URI
+        # and sets the cookie for the authenticator
+        proxy_set_header X-Original-URI $request_uri;
+        proxy_set_header Host $host:$server_port;
+    }
+}
diff --git a/conf.d/service2.conf b/conf.d/service2.conf
@@ -0,0 +1,54 @@
+# The application listens on port 7000 as implemented
+# in service2.py.
+upstream service2 {
+    server 127.0.0.1:7000;
+}
+
+# listen on port 8082 for requests that require
+# authentication. Change the port number as appropriate.
+server {
+    listen 8082;
+
+    # Protected application
+    location / {
+        # Requests must be authenticated
+        auth_request /auth-proxy;
+
+        # Relay the REMOTE_USER and X-WEBAUTH-USER headers
+        # From the response of the authentication request
+        # To the service
+        auth_request_set $remoteUser $upstream_http_REMOTE_USER;
+        proxy_set_header REMOTE_USER $remoteUser;
+
+        auth_request_set $xWebauthUser $upstream_http_X_WEBAUTH_USER;
+        proxy_set_header X-WEBAUTH-USER $xWebauthUser;
+
+        # redirect 401 and 403 to login form
+        error_page 401 403 /login;
+
+        proxy_pass http://service2/;
+    }
+
+    location /login {
+        proxy_pass http://authenticator/login;
+        proxy_set_header Host $host:$server_port;
+        proxy_set_header X-Original-URI $request_uri;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+
+    location /auth-proxy {
+        internal;
+
+        proxy_pass http://authenticator/;
+
+        proxy_pass_request_body off;
+        proxy_set_header Content-Length "";
+
+        proxy_set_header X-Real-IP $remote_addr;
+
+        # Login service returns a redirect to the original URI
+        # and sets the cookie for the authenticator
+        proxy_set_header X-Original-URI $request_uri;
+        proxy_set_header Host $host:$server_port;
+    }
+}
diff --git a/nginx.conf b/nginx.conf
diff --git a/service.py → service1.py b/service.py → service1.py
@@ -8,7 +8,7 @@
 @app.route('/', methods=["GET"])
 def home():
     remote_user = request.headers.get('REMOTE_USER')
-    return "Hello {}, this is the service.".format(remote_user)
+    return "Hello {}, this is the service1.".format(remote_user)
 
 
 if __name__ == "__main__":

diff --git a/service2.py b/service2.py
@@ -0,0 +1,15 @@
+from flask import Flask, request
+
+
+app = Flask(__name__)
+
+PORT = 7000
+
+@app.route('/', methods=["GET"])
+def home():
+    remote_user = request.headers.get('REMOTE_USER')
+    return "Hello {}, this is service2.".format(remote_user)
+
+
+if __name__ == "__main__":
+    app.run(port=PORT, debug=True)