3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00
Code Issues Projects Releases Packages Wiki Activity

integration: nginx (#2532)

Browse source
This commit is contained in:
Caleb Doxsey 2021-08-26 09:57:51 -06:00 committed by GitHub
parent ee2b2fefa1
commit 620b126e44
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
21 changed files with 7111 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/test.yaml vendored
View file

@ -100,7 +100,7 @@ jobs:
matrix: matrix:
go-version: [1.17.x] go-version: [1.17.x]
platform: [ubuntu-latest] platform: [ubuntu-latest]
deployment: [multi, single, traefik] deployment: [multi, nginx, single, traefik]
idp: [auth0, azure, github, gitlab, google, oidc, okta, onelogin, ping] idp: [auth0, azure, github, gitlab, google, oidc, okta, onelogin, ping]
runs-on: ${{ matrix.platform }} runs-on: ${{ matrix.platform }}
steps: steps:

767
integration/clusters/auth0-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

767
integration/clusters/azure-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

767
integration/clusters/github-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

767
integration/clusters/gitlab-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

767
integration/clusters/google-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

767
integration/clusters/oidc-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

767
integration/clusters/okta-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

767
integration/clusters/onelogin-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

767
integration/clusters/ping-nginx/compose.yml Normal file
View file

File diff suppressed because one or more lines are too long

181
integration/tpl/backends/nginx.libsonnet Normal file
View file

@ -0,0 +1,181 @@
local utils = import '../utils.libsonnet';
local Routes = (import './routes.libsonnet').Routes;
local ProxyConfig() =
|||
set $pass_access_scheme $scheme;
set $pass_server_port $server_port;
set $best_http_host $http_host;
set $pass_port $pass_server_port;
set $proxy_alternative_upstream_name "";
client_max_body_size 1m;
proxy_set_header Host $best_http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $best_http_host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Scheme $pass_access_scheme;
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
proxy_set_header Proxy "";
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_buffering off;
proxy_buffer_size 4k;
proxy_buffers 4 4k;
proxy_max_temp_file_size 1024m;
proxy_request_buffering on;
proxy_http_version 1.1;
proxy_cookie_domain off;
proxy_cookie_path off;
proxy_next_upstream error timeout;
proxy_next_upstream_timeout 0;
proxy_next_upstream_tries 3;
proxy_redirect off;
|||;
local AuthenticateConfig() =
|||
server {
listen 443 ssl;
server_name authenticate.localhost.pomerium.io forward-authenticate.localhost.pomerium.io;
ssl_certificate /etc/_wildcard.localhost.pomerium.io.pem;
ssl_certificate_key /etc/_wildcard.localhost.pomerium.io-key.pem;
location / {
proxy_pass http://pomerium;
include /etc/nginx/proxy.conf;
}
}
upstream pomerium {
server pomerium;
}
|||;
local AuthzConfig() =
|||
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Forwarded-Proto "";
proxy_set_header Host forward-authenticate.localhost.pomerium.io;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Auth-Request-Redirect $request_uri;
proxy_buffering off;
proxy_buffer_size 256k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_request_buffering on;
proxy_http_version 1.1;
proxy_ssl_server_name on;
proxy_pass_request_headers on;
client_max_body_size 1m;
set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri;
proxy_pass $target;
|||;
local RouteLocationConfig(route) =
local rule =
if std.objectHas(route, 'prefix') then '^~ ' + route.prefix
else if std.objectHas(route, 'path') then '= ' + route.path
else '/';
|||
location %s {
proxy_pass %s;
include /etc/nginx/proxy.conf;
# If we get a 401, respond with a named location
error_page 401 = @authredirect;
# this location requires authentication
auth_request /ext_authz;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
}
||| % [rule, route.to];
local DomainServerConfig(domain, routes) =
local locations = std.join('\n', std.map(function(route) RouteLocationConfig(route), routes));
|||
server {
listen 443 ssl http2;
server_name %s;
ssl_certificate /etc/_wildcard.localhost.pomerium.io.pem;
ssl_certificate_key /etc/_wildcard.localhost.pomerium.io-key.pem;
location = /ext_authz {
internal;
include /etc/nginx/authz.conf;
}
location @authredirect {
internal;
add_header Set-Cookie $auth_cookie;
return 302 https://forward-authenticate.localhost.pomerium.io/?uri=$scheme://$host$request_uri;
}
%s
}
||| % [domain, locations];
local RoutesConfig(mode, idp, dns_suffix) =
local routes = Routes(mode, idp, dns_suffix);
local domains = std.set(std.map(function(route) utils.ParseURL(route.from).host, routes));
std.join('\n', [
local routesForDomain = std.filter(function(route)
local url = utils.ParseURL(route.from);
url.host == domain && (url.scheme == 'http' || url.scheme == 'https'),
routes);
DomainServerConfig(domain, routesForDomain)
for domain in domains
]);
local WriteFile(path, contents) =
|||
cat <<-'END_OF_NGINX' | tee %s
%s
END_OF_NGINX
||| % [path, std.strReplace(contents, '$', '$$')];
local Command(mode, idp, dns_suffix) =
[
'sh',
'-c',
std.join('\n\n', [
WriteFile('/etc/nginx/conf.d/authenticate.conf', AuthenticateConfig()),
WriteFile('/etc/nginx/conf.d/routes.conf', RoutesConfig(mode, idp, dns_suffix)),
WriteFile('/etc/nginx/authz.conf', AuthzConfig()),
WriteFile('/etc/nginx/proxy.conf', ProxyConfig()),
WriteFile('/etc/_wildcard.localhost.pomerium.io.pem', importstr '../files/trusted.pem'),
WriteFile('/etc/_wildcard.localhost.pomerium.io-key.pem', importstr '../files/trusted-key.pem'),
"nginx -g 'daemon off;'",
]),
];
function(mode, idp, dns_suffix='') {
local image = 'nginx:1.21.1',
compose: {
services: utils.ComposeService('nginx', {
image: image,
depends_on: {
'pomerium-ready': {
condition: 'service_completed_successfully',
},
},
entrypoint: Command(mode, idp, dns_suffix),
ports: [
'80:80/tcp',
'443:443/tcp',
],
}, ['mock-idp.localhost.pomerium.io']),
},
}

1
integration/tpl/clusters/auth0-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('auth0')

1
integration/tpl/clusters/azure-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('azure')

1
integration/tpl/clusters/github-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('github')

1
integration/tpl/clusters/gitlab-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('gitlab')

1
integration/tpl/clusters/google-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('google')

1
integration/tpl/clusters/oidc-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('oidc')

1
integration/tpl/clusters/okta-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('okta')

1
integration/tpl/clusters/onelogin-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('onelogin')

1
integration/tpl/clusters/ping-nginx/compose.yml.jsonnet Normal file
View file

@ -0,0 +1 @@
(import '../../deployments/nginx.libsonnet')('ping')

17
integration/tpl/deployments/nginx.libsonnet Normal file
View file

@ -0,0 +1,17 @@
local utils = import '../utils.libsonnet';
function(idp) utils.Merge([
(import '../backends/fortio.libsonnet')().compose,
(import '../backends/httpdetails.libsonnet')().compose,
(import '../backends/mock-idp.libsonnet')(idp).compose,
(import '../backends/pomerium.libsonnet')('nginx', idp).compose,
(import '../backends/redis.libsonnet')().compose,
(import '../backends/verify.libsonnet')('nginx').compose,
(import '../backends/websocket-echo.libsonnet')().compose,
(import '../backends/nginx.libsonnet')('single', idp).compose,
{
networks: {
main: {},
},
},
])