diff --git a/README.md b/README.md
index b26fc34..f0ce9aa 100644
--- a/README.md
+++ b/README.md
@@ -41,25 +41,37 @@ git clone https://github.com/Siecje/nginx-auth-proxy cd nginx-auth-proxy ``` +### Configure nginx + ```shell -virtualenv venv -source venv/bin/activate -pip install -r requirements.txt +sudo rm /etc/nginx/sites-enabled/default ``` ```shell -sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx_backup.conf -sudo ln -s nginx.conf /etc/nginx/nginx.conf +sudo ln -s `pwd`/conf.d/authenticator.conf /etc/nginx/conf.d/authenticator.conf +sudo ln -s `pwd`/conf.d/service1.conf /etc/nginx/conf.d/service1.conf +sudo ln -s `pwd`/conf.d/service2.conf /etc/nginx/conf.d/service2.conf ``` ```shell -python authenticator.py & -python service.py & +sudo service nginx restart ``` +### Start services + ```shell -sudo service nginx restart +virtualenv venv +source venv/bin/activate +pip install -r requirements.txt +``` + +```shell +python authenticator.py & +python service1.py & +python service2.py & ``` When you visit `http://localhost:8081` you will need to login. As long as you use the username 'admin' you will be able to access the service. + +You will then be able to visit `http://localhost:8082` without logging in.
diff --git a/conf.d/authenticator.conf b/conf.d/authenticator.conf
new file mode 100644
index 0000000..bc0ed91
--- /dev/null
+++ b/conf.d/authenticator.conf
@@ -0,0 +1,5 @@
+# The authenticator listens on port 8000, as set
+# in authenticator.py.
+upstream authenticator {
+ server 127.0.0.1:8000;
+}
diff --git a/conf.d/service1.conf b/conf.d/service1.conf
new file mode 100644
index 0000000..86e3f8e
--- /dev/null
+++ b/conf.d/service1.conf
@@ -0,0 +1,54 @@
+# The application listens on port 9000 as implemented
+# in service1.py.
+upstream service1 {
+ server 127.0.0.1:9000;
+}
+
+# listen on port 8081 for requests that require
+# authentication. Change the port number as appropriate.
+server {
+ listen 8081;
+
+ # Protected application
+ location / {
+ # Requests must be authenticated
+ auth_request /auth-proxy;
+
+ # Relay the REMOTE_USER and X-WEBAUTH-USER headers
+ # From the response of the authentication request
+ # To the service
+ auth_request_set $remoteUser $upstream_http_REMOTE_USER;
+ proxy_set_header REMOTE_USER $remoteUser;
+
+ auth_request_set $xWebauthUser $upstream_http_X_WEBAUTH_USER;
+ proxy_set_header X-WEBAUTH-USER $xWebauthUser;
+
+ # redirect 401 and 403 to login form
+ error_page 401 403 /login;
+
+ proxy_pass http://service1/;
+ }
+
+ location /login {
+ proxy_pass http://authenticator/login;
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ location /auth-proxy {
+ internal;
+
+ proxy_pass http://authenticator/;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Login service returns a redirect to the original URI
+ # and sets the cookie for the authenticator
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header Host $host:$server_port;
+ }
+}
diff --git a/conf.d/service2.conf b/conf.d/service2.conf
new file mode 100644
index 0000000..87efed9
--- /dev/null
+++ b/conf.d/service2.conf
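Review bot: The `/auth-proxy` subrequest and the public `/login` location forward the client's own `REMOTE_USER` and `X-WEBAUTH-USER` request headers to the authenticator unchanged; only `location /` overwrites them, and there from the subrequest's response. That is safe only as long as authenticator.py, which this diff does not show, derives identity from the session cookie alone and never reads those request headers, so strip them at the edge regardless by adding `proxy_set_header REMOTE_USER "";` and `proxy_set_header X-WEBAUTH-USER "";` to both the `/login` and `/auth-proxy` blocks (nginx drops a proxied header whose value is empty). A comment above the `auth_request_set` pair, `# identity comes only from the auth subrequest response, never from the client`, would make the trust boundary explicit for the next copy of this file.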
@@ -0,0 +1,54 @@
+# The application listens on port 7000 as implemented
+# in service2.py.
+upstream service2 {
+ server 127.0.0.1:7000;
+}
+
+# listen on port 8082 for requests that require
+# authentication. Change the port number as appropriate.
+server {
+ listen 8082;
+
+ # Protected application
+ location / {
+ # Requests must be authenticated
+ auth_request /auth-proxy;
+
+ # Relay the REMOTE_USER and X-WEBAUTH-USER headers
+ # From the response of the authentication request
+ # To the service
+ auth_request_set $remoteUser $upstream_http_REMOTE_USER;
+ proxy_set_header REMOTE_USER $remoteUser;
+
+ auth_request_set $xWebauthUser $upstream_http_X_WEBAUTH_USER;
+ proxy_set_header X-WEBAUTH-USER $xWebauthUser;
+
+ # redirect 401 and 403 to login form
+ error_page 401 403 /login;
+
+ proxy_pass http://service2/;
+ }
+
+ location /login {
+ proxy_pass http://authenticator/login;
+ proxy_set_header Host $host:$server_port;
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ location /auth-proxy {
+ internal;
+
+ proxy_pass http://authenticator/;
+
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+
+ proxy_set_header X-Real-IP $remote_addr;
+
+ # Login service returns a redirect to the original URI
+ # and sets the cookie for the authenticator
+ proxy_set_header X-Original-URI $request_uri;
+ proxy_set_header Host $host:$server_port;
+ }
+}
diff --git a/nginx.conf b/nginx.conf
deleted file mode 100644
index a7ca18b..0000000
--- a/nginx.conf
+++ /dev/null
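Review bot: `listen 8082;` binds every interface while the upstream it fronts is addressed on loopback (`server 127.0.0.1:7000;`), so this proxy, the login form and the authenticator's session cookie are reachable over cleartext HTTP from the network the moment the host is not firewalled. Since the README flow only uses `http://localhost:8082`, bind the demo to loopback with `listen 127.0.0.1:8082;` and add a comment that a real deployment must front this with TLS (`listen 443 ssl;`) so the cookie that, per the README, grants access to every service is never sent in the clear. Separately, this server block repeats the auth wiring of service1.conf line for line; moving the two `auth_request_set`/`proxy_set_header` pairs and the `/login` and `/auth-proxy` locations into one snippet that both files `include` keeps a future hardening change from drifting between services.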
@@ -1,66 +0,0 @@
-error_log /var/log/nginx/error.log debug;
-
-events { }
-
-http {
- # The application listens on port 9000 as implemented
- # in service.py.
- upstream backend {
- server 127.0.0.1:9000;
- }
-
- upstream authenticator {
- server 127.0.0.1:8000;
- }
-
- # listen on port 8081 for requests that require
- # authentication. Change the port number as appropriate.
- server {
- listen 8081;
-
- # Protected application
- location / {
- # Requests must be authenticated
- auth_request /auth-proxy;
-
- # Relay the REMOTE_USER and X-WEBAUTH-USER headers
- # From the response of the authentication request
- # To the service
- auth_request_set $remoteUser $upstream_http_REMOTE_USER;
- proxy_set_header REMOTE_USER $remoteUser;
-
- auth_request_set $xWebauthUser $upstream_http_X_WEBAUTH_USER;
- proxy_set_header X-WEBAUTH-USER $xWebauthUser;
-
- # redirect 401 and 403 to login form
- error_page 401 403 /login;
-
- proxy_pass http://backend/;
- }
-
- location /login {
- proxy_pass http://authenticator/login;
- proxy_set_header Host $host:$server_port;
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header X-Real-IP $remote_addr;
- }
-
- location /auth-proxy {
- internal;
-
- # The authenticator listens on port 8000, as set
- # in authenticator.py.
- proxy_pass http://authenticator/;
-
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
-
- proxy_set_header X-Real-IP $remote_addr;
-
- # Login service returns a redirect to the original URI
- # and sets the cookie for the authenticator
- proxy_set_header X-Original-URI $request_uri;
- proxy_set_header Host $host:$server_port;
- }
- }
-}
diff --git a/service.py b/service1.py
similarity index 78%
rename from service.py
rename to service1.py
index 0e55a0e..19deb30 100644
--- a/service.py
+++ b/service1.py
@@ -8,7 +8,7 @@ @app.route('/', methods=["GET"]) def home(): remote_user = request.headers.get('REMOTE_USER') - return "Hello {}, this is the service.".format(remote_user) + return "Hello {}, this is the service1.".format(remote_user) if __name__ == "__main__":
diff --git a/service2.py b/service2.py
new file mode 100644
index 0000000..04d53db
--- /dev/null
+++ b/service2.py
@@ -0,0 +1,15 @@
+from flask import Flask, request
+
+
+app = Flask(__name__)
+
+PORT = 7000
+
+@app.route('/', methods=["GET"])
+def home():
+ remote_user = request.headers.get('REMOTE_USER')
+ return "Hello {}, this is service2.".format(remote_user)
+
+
+if __name__ == "__main__":
+ app.run(port=PORT, debug=True)
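Review bot: `app.run(port=PORT, debug=True)` in service2.py enables the Werkzeug debugger, which serves an interactive Python console on any unhandled exception to whoever can reach port 7000 directly; service2.conf addresses this app at `127.0.0.1:7000`, so any local process can talk to it without ever passing the nginx `auth_request` gate. Make it opt-in instead, e.g. `app.run(port=PORT, debug=os.environ.get("FLASK_DEBUG") == "1")` with `import os` at the top, and put a comment above `home()` stating that the app trusts `REMOTE_USER` exactly as received and therefore must only be reachable through the proxy. Relatedly, `home()` interpolates that header straight into a response that Flask serves as HTML; wrapping it as `escape(remote_user)` with `from markupsafe import escape` (a dependency Flask already ships) closes the reflected-markup hole for anyone who does reach the port directly.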