mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-10 07:37:33 +02:00
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
bobby
GitHub
parent
c85b45cff6
commit
aadbcd23bd
8 changed files with 257 additions and 154 deletions
|
|
@ -1,11 +0,0 @@
|
|||
# Send auth check to /authorize location.
|
||||
auth_request /authorize;
|
||||
|
||||
auth_request_set $target_url $scheme://$http_host$request_uri;
|
||||
|
||||
# Set cookies we get back from the auth check
|
||||
auth_request_set $saved_set_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $saved_set_cookie;
|
||||
|
||||
# If we get a 401, respond with a named location
|
||||
error_page 401 =302 https://fwdauth.localhost.pomerium.io/?uri=$target_url;
|
||||
|
|
@ -12,8 +12,6 @@ services:
|
|||
- ./_wildcard.localhost.pomerium.io.pem:/etc/nginx/nginx.pem
|
||||
- ./_wildcard.localhost.pomerium.io-key.pem:/etc/nginx/nginx-key.pem
|
||||
- ./proxy.conf:/etc/nginx/proxy.conf
|
||||
- ./auth.conf:/etc/nginx/auth.conf
|
||||
- ./ext_authz.conf:/etc/nginx/ext_authz.conf
|
||||
|
||||
httpbin:
|
||||
image: kennethreitz/httpbin:latest
|
||||
|
|
|
|||
|
|
@ -1,16 +0,0 @@
|
|||
location /authorize {
|
||||
proxy_pass http://pomerium/verify?uri=$scheme://$http_host$request_uri;
|
||||
proxy_set_header Host fwdauth.localhost.pomerium.io;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Uri $request_uri;
|
||||
proxy_cache_bypass $cookie_session;
|
||||
proxy_no_cache $cookie_session;
|
||||
proxy_buffers 4 32k;
|
||||
proxy_pass_request_body off;
|
||||
}
|
||||
|
|
@ -1,16 +1,62 @@
|
|||
# Protected application
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen 80;
|
||||
server_name httpbin.localhost.pomerium.io;
|
||||
ssl_certificate /etc/nginx/nginx.pem;
|
||||
ssl_certificate_key /etc/nginx/nginx-key.pem;
|
||||
listen 80;
|
||||
listen 443 ssl http2;
|
||||
|
||||
include /etc/nginx/ext_authz.conf;
|
||||
server_name httpbin.localhost.pomerium.io;
|
||||
ssl_certificate /etc/nginx/nginx.pem;
|
||||
ssl_certificate_key /etc/nginx/nginx-key.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://httpbin;
|
||||
include /etc/nginx/auth.conf;
|
||||
include /etc/nginx/proxy.conf;
|
||||
}
|
||||
|
||||
location = /ext_authz {
|
||||
internal;
|
||||
|
||||
proxy_pass_request_body off;
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_set_header X-Forwarded-Proto "";
|
||||
|
||||
proxy_set_header Host fwdauth.localhost.pomerium.io;
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Original-Method $request_method;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
|
||||
proxy_set_header X-Auth-Request-Redirect $request_uri;
|
||||
|
||||
proxy_buffering off;
|
||||
|
||||
proxy_buffer_size 4k;
|
||||
proxy_buffers 4 4k;
|
||||
proxy_request_buffering on;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass_request_headers on;
|
||||
|
||||
client_max_body_size 1m;
|
||||
|
||||
# Pass the extracted client certificate to the auth provider
|
||||
set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri;
|
||||
proxy_pass $target;
|
||||
}
|
||||
|
||||
location @authredirect {
|
||||
internal;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
return 302
|
||||
https://fwdauth.localhost.pomerium.io/?uri=$scheme://$host$request_uri;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://httpbin;
|
||||
|
||||
include /etc/nginx/proxy.conf;
|
||||
# If we get a 401, respond with a named location
|
||||
error_page 401 = @authredirect;
|
||||
# this location requires authentication
|
||||
auth_request /ext_authz;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,33 +1,61 @@
|
|||
client_body_buffer_size 128k;
|
||||
set $pass_access_scheme $scheme;
|
||||
|
||||
#Timeout if the real server is dead
|
||||
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
||||
set $pass_server_port $server_port;
|
||||
|
||||
# Advanced Proxy Config
|
||||
send_timeout 5m;
|
||||
proxy_read_timeout 360;
|
||||
proxy_send_timeout 360;
|
||||
proxy_connect_timeout 360;
|
||||
set $best_http_host $http_host;
|
||||
set $pass_port $pass_server_port;
|
||||
|
||||
set $proxy_alternative_upstream_name "";
|
||||
|
||||
client_max_body_size 1m;
|
||||
|
||||
|
||||
proxy_set_header Host $best_http_host;
|
||||
|
||||
# Pass the extracted client certificate to the backend
|
||||
|
||||
# Allow websocket connections
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
|
||||
# Basic Proxy Config
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Uri $request_uri;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_redirect http:// $scheme://;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection "";
|
||||
proxy_cache_bypass $cookie_session;
|
||||
proxy_no_cache $cookie_session;
|
||||
proxy_buffers 64 256k;
|
||||
|
||||
# If behind reverse proxy, forwards the correct IP
|
||||
set_real_ip_from 10.0.0.0/8;
|
||||
set_real_ip_from 172.0.0.0/8;
|
||||
set_real_ip_from 192.168.0.0/16;
|
||||
set_real_ip_from fc00::/7;
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
# proxy_set_header X-Request-ID $req_id;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Host $best_http_host;
|
||||
proxy_set_header X-Forwarded-Port $pass_port;
|
||||
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
|
||||
|
||||
proxy_set_header X-Scheme $pass_access_scheme;
|
||||
|
||||
# Pass the original X-Forwarded-For
|
||||
proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
|
||||
|
||||
# mitigate HTTPoxy Vulnerability
|
||||
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
|
||||
proxy_set_header Proxy "";
|
||||
|
||||
# Custom headers to proxied server
|
||||
|
||||
proxy_connect_timeout 5s;
|
||||
proxy_send_timeout 60s;
|
||||
proxy_read_timeout 60s;
|
||||
|
||||
proxy_buffering off;
|
||||
proxy_buffer_size 4k;
|
||||
proxy_buffers 4 4k;
|
||||
|
||||
proxy_max_temp_file_size 1024m;
|
||||
|
||||
proxy_request_buffering on;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
proxy_cookie_domain off;
|
||||
proxy_cookie_path off;
|
||||
|
||||
# In case of errors try the next upstream server before returning an error
|
||||
proxy_next_upstream error timeout;
|
||||
proxy_next_upstream_timeout 0;
|
||||
proxy_next_upstream_tries 3;
|
||||
|
||||
proxy_redirect off;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue