dev: add remote container debug configs (#1459)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

examples/nginx/auth.conf

@@ -0,0 +1,11 @@
+# Send auth check to /authorize location.
+auth_request /authorize;
+
+auth_request_set $target_url $scheme://$http_host$request_uri;
+
+# Set cookies we get back from the auth check
+auth_request_set $saved_set_cookie $upstream_http_set_cookie;
+add_header Set-Cookie $saved_set_cookie;
+
+# If we get a 401, respond with a named location
+error_page 401 =302 https://fwdauth.localhost.pomerium.io/?uri=$target_url;

examples/nginx/docker-compose.yaml

@@ -11,6 +11,9 @@ services:
       - ./pomerium.conf:/etc/nginx/conf.d/pomerium.conf
       - ./_wildcard.localhost.pomerium.io.pem:/etc/nginx/nginx.pem
       - ./_wildcard.localhost.pomerium.io-key.pem:/etc/nginx/nginx-key.pem
+      - ./proxy.conf:/etc/nginx/proxy.conf
+      - ./auth.conf:/etc/nginx/auth.conf
+      - ./ext_authz.conf:/etc/nginx/ext_authz.conf
 
   httpbin:
     image: kennethreitz/httpbin:latest

examples/nginx/ext_authz.conf

@@ -0,0 +1,16 @@
+location /authorize {
+	proxy_pass http://pomerium/verify?uri=$scheme://$http_host$request_uri;
+	proxy_set_header Host fwdauth.localhost.pomerium.io;
+	proxy_http_version 1.1;
+
+	proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+	proxy_set_header X-Real-IP $remote_addr;
+	proxy_set_header X-Forwarded-For $remote_addr;
+	proxy_set_header X-Forwarded-Proto $scheme;
+	proxy_set_header X-Forwarded-Host $http_host;
+	proxy_set_header X-Forwarded-Uri $request_uri;
+	proxy_cache_bypass $cookie_session;
+	proxy_no_cache $cookie_session;
+	proxy_buffers 4 32k;
+	proxy_pass_request_body off;
+}

examples/nginx/httpbin.conf

@@ -6,32 +6,11 @@ server {
     ssl_certificate /etc/nginx/nginx.pem;
     ssl_certificate_key /etc/nginx/nginx-key.pem;
 
+    include /etc/nginx/ext_authz.conf;
+
     location / {
       proxy_pass http://httpbin;
+      include /etc/nginx/auth.conf;
+      include /config/nginx/proxy.conf;
     }
-
-    ### External Authorization
-
-    # Send auth check to /authorize location.
-    auth_request /authorize;
-
-    # Set cookies we get back from the auth check
-    auth_request_set $saved_set_cookie $upstream_http_set_cookie;
-    add_header Set-Cookie $saved_set_cookie;
-
-    # If we get a 401, respond with a named location
-    error_page 401 = @error401;
-    # On 401, redirect the user to forward auth to start authentication flow
-    location @error401 {
-        return 302 https://fwdauth.localhost.pomerium.io/?uri=$scheme://$http_host$request_uri;
-    }
-
-    # The auth request must be a subpath of the server
-    location /authorize {
-      proxy_pass http://pomerium/verify?uri=$scheme://$http_host$request_uri;
-      proxy_set_header Host fwdauth.localhost.pomerium.io;
-      proxy_http_version 1.1;
-    }
-
-    ### End External Authorization
 }

examples/nginx/pomerium.conf

@@ -7,8 +7,7 @@ server {
 
     location / {
       proxy_pass http://pomerium;
-      proxy_set_header Host $http_host;
-      proxy_http_version 1.1;
+      include /config/nginx/proxy.conf;
     }
 }
 

examples/nginx/proxy.conf

@@ -0,0 +1,32 @@
+client_body_buffer_size 128k
+
+#Timeout if the real server is dead
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503
+
+# Advanced Proxy Config
+send_timeout 5m
+proxy_read_timeout 360
+proxy_send_timeout 360
+proxy_connect_timeout 360
+
+# Basic Proxy Config
+proxy_set_header Host $host
+proxy_set_header X-Real-IP $remote_addr
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for
+proxy_set_header X-Forwarded-Proto $scheme
+proxy_set_header X-Forwarded-Host $http_host
+proxy_set_header X-Forwarded-Uri $request_uri
+proxy_set_header X-Forwarded-Ssl on
+proxy_http_version 1.1
+proxy_set_header Connection ""
+proxy_cache_bypass $cookie_session
+proxy_no_cache $cookie_session
+proxy_buffers 64 256k
+
+# If behind reverse proxy, forwards the correct IP
+set_real_ip_from 10.0.0.0/8
+set_real_ip_from 172.0.0.0/8
+set_real_ip_from 192.168.0.0/16
+set_real_ip_from fc00::/7
+real_ip_header X-Forwarded-For
+real_ip_recursive on