proxy: support external access control requests (#324)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

docs/docs/CHANGELOG.md

@@ -4,29 +4,31 @@
 
 ### New
 
-- Add ability to override HTTPS backend's TLS Server Name. [GH-297](https://github.com/pomerium/pomerium/pull/297)
-- Add ability to set pomerium's encrypted session in a auth bearer token, or query param.
-- Add host to the main request logger middleware. [GH-308](https://github.com/pomerium/pomerium/issues/308)
+- Add endpoint to support "forward-auth" integration with third-party ingresses and proxies. Supports [nginx]https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/, [nginx-ingress](https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/), and [Traefik](https://docs.traefik.io/middlewares/forwardauth/). [GH-324]
+- Add insecure transport support. [GH-328]
+- Add setting to override HTTPS backend's TLS Server Name. [GH-297]
+- Add setting to set pomerium's encrypted session in a auth bearer token, or query param.
+- Add host to the main request logger middleware. [GH-308]
 
 ### Security
 
-- The user's original intended location before completing the authentication process is now encrypted and kept confidential from the identity provider. [GH-316](https://github.com/pomerium/pomerium/pull/316)
+- The user's original intended location before completing the authentication process is now encrypted and kept confidential from the identity provider. [GH-316]
 - Under certain circumstances, where debug logging was enabled, pomerium's shared secret could be leaked to http access logs as a query param.
 
 ### Fixed
 
-- Fixed an issue where CSRF would fail if multiple tabs were open. [GH-306](https://github.com/pomerium/pomerium/issues/306)
-- Fixed an issue where pomerium would clean double slashes from paths.[GH-262](https://github.com/pomerium/pomerium/issues/262)
-- Fixed a bug where the impersonate form would persist an empty string for groups value if none set.[GH-303](https://github.com/pomerium/pomerium/issues/303)
+- Fixed an issue where CSRF would fail if multiple tabs were open. [GH-306]
+- Fixed an issue where pomerium would clean double slashes from paths. [GH-262]
+- Fixed a bug where the impersonate form would persist an empty string for groups value if none set. [GH-303]
 
 ### Changed
 
-- The healthcheck endpoints (`/ping`) now returns the http status `405` StatusMethodNotAllowed for non-`GET` requests. [GH-319](https://github.com/pomerium/pomerium/issues/319)
+- The healthcheck endpoints (`/ping`) now returns the http status `405` StatusMethodNotAllowed for non-`GET` requests.
 - Authenticate service no longer uses gRPC.
 - The global request logger now captures the full array of proxies from `X-Forwarded-For`, in addition to just the client IP.
-- Options code refactored to eliminate global Viper state. [GH-332](https://github.com/pomerium/pomerium/pull/332/files)
-- Pomerium will no longer default to looking for certificates in the root directory. [GH-328](https://github.com/pomerium/pomerium/issues/328)
-- Pomerium will validate that either `insecure_server`, or a valid certificate bundle is set. [GH-328](https://github.com/pomerium/pomerium/issues/328)
+- Options code refactored to eliminate global Viper state. [GH-332]
+- Pomerium will no longer default to looking for certificates in the root directory. [GH-328]
+- Pomerium will validate that either `insecure_server`, or a valid certificate bundle is set. [GH-328]
 
 ### Removed
 
@@ -52,7 +54,7 @@
 
 ### Changed
 
-- Pomerium will now strip `_csrf` cookies in addition to session cookies. [GG-285]
+- Pomerium will now strip `_csrf` cookies in addition to session cookies. [GH-285]
 - Disabled gRPC service config. [GH-280]
 - A policy's custom certificate authority can set as a file or a base64 encoded blob(`tls_custom_ca`/`tls_custom_ca_file`). [GH-259]
 
@@ -272,8 +274,17 @@
 [gh-259]: https://github.com/pomerium/pomerium/pull/259
 [gh-259]: https://github.com/pomerium/pomerium/pull/259
 [gh-261]: https://github.com/pomerium/pomerium/pull/261
+[gh-262]: https://github.com/pomerium/pomerium/issues/262
 [gh-266]: https://github.com/pomerium/pomerium/pull/266
 [gh-272]: https://github.com/pomerium/pomerium/pull/272
 [gh-280]: https://github.com/pomerium/pomerium/issues/280
 [gh-284]: https://github.com/pomerium/pomerium/pull/284
 [gh-285]: https://github.com/pomerium/pomerium/issues/285
+[gh-297]: https://github.com/pomerium/pomerium/pull/297
+[gh-303]: https://github.com/pomerium/pomerium/issues/303
+[gh-306]: https://github.com/pomerium/pomerium/issues/306
+[gh-308]: https://github.com/pomerium/pomerium/issues/308
+[gh-316]: https://github.com/pomerium/pomerium/pull/316
+[gh-319]: https://github.com/pomerium/pomerium/issues/319
+[gh-328]: https://github.com/pomerium/pomerium/issues/328
+[gh-332]: https://github.com/pomerium/pomerium/pull/332/

docs/docs/reference/reference.md

@@ -163,7 +163,7 @@ Timeouts set the global server timeouts. For route-specific timeouts, see [polic
 
 These settings control upstream connections to the Authorize service.
 
-## GRPC Address
+### GRPC Address
 
 - Environmental Variable: `GRPC_ADDRESS`
 - Config File Key: `grpc_address`
@@ -173,7 +173,7 @@ These settings control upstream connections to the Authorize service.
 
 Address specifies the host and port to serve GRPC requests from. Defaults to `:443` (or `:5443` in all in one mode).
 
-## GRPC Insecure
+### GRPC Insecure
 
 - Environmental Variable: `GRPC_INSECURE`
 - Config File Key: `grpc_insecure`
@@ -284,6 +284,82 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor
 
 ![jaeger example trace](./img/jaeger.png) pomerium_config_last_reload_success_timestamp | Gauge | The timestamp of the last successful configuration reload by service pomerium_build_info | Gauge | Pomerium build metadata by git revision, service, version and goversion
 
+## Forward Auth
+
+- Environmental Variable: `FORWARD_AUTH_URL`
+- Config File Key: `forward_auth_url`
+- Type: `URL` (must contain a scheme and hostname)
+- Example: `https://fwdauth.corp.example.com`
+- Resulting Verification URL: `https://fwdauth.corp.example.com/.pomerium/verify/{URL-TO-VERIFY}`
+- Optional
+
+Forward authentication creates an endpoint that can be used with third-party proxies that do not have rich access control capabilities ([nginx](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html), [nginx-ingress](https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/), [ambassador](https://www.getambassador.io/reference/services/auth-service/), [traefik](https://docs.traefik.io/middlewares/forwardauth/)). Forward authentication allow you to delegate authentication and authorization for each request to Pomerium.
+
+### Request flow
+
+![pomerium forward auth request flow](./img/auth-flow-diagram.svg)
+
+### Examples
+
+#### NGINX Ingress
+
+Some reverse-proxies, such as nginx split access control flow into two parts: verification and sign-in redirection. Notice the additional the additional `?no_redirect=true` query param in `auth-rul` which tells Pomerium to return a `401` instead of redirecting and starting the sign-in process.
+
+```yaml
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: httpbin
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    certmanager.k8s.io/issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/auth-url: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com?no_redirect=true
+    nginx.ingress.kubernetes.io/auth-signin: https://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com
+spec:
+  tls:
+    - hosts:
+        - httpbin.corp.example.com
+      secretName: quickstart-example-tls
+  rules:
+    - host: httpbin.corp.example.com
+      http:
+        paths:
+          - path: /
+            backend:
+              serviceName: httpbin
+              servicePort: 80
+```
+
+### Traefik docker-compose
+
+```yml
+version: "3"
+
+services:
+  traefik:
+    # The official v2.0 Traefik docker image
+    image: traefik:v2.0
+    # Enables the web UI and tells Traefik to listen to docker
+    command: --api.insecure=true --providers.docker
+    ports:
+      # The HTTP port
+      - "80:80"
+      # The Web UI (enabled by --api.insecure=true)
+      - "8080:8080"
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock
+  httpbin:
+    # A container that exposes an API to show its IP address
+    image: kennethreitz/httpbin:latest
+    labels:
+      - "traefik.http.routers.httpbin.rule=Host(`httpbin.corp.example.com`)"
+      # Create a middleware named `foo-add-prefix`
+      - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Pomerium-Authenticated-User-Email,x-pomerium-authenticated-user-id,x-pomerium-authenticated-user-groups,x-pomerium-jwt-assertion"
+      - "traefik.http.middlewares.test-auth.forwardauth.address=http://fwdauth.corp.example.com/.pomerium/verify/httpbin.corp.example.com"
+      - "traefik.http.routers.httpbin.middlewares=test-auth@docker"
+```
+
 ## Policy
 
 - Environmental Variable: `POLICY`
@@ -564,7 +640,9 @@ Certificate Authority is set when behind-the-ingress service communication uses
   Strict-Transport-Security:max-age=31536000; includeSubDomains; preload,
   ```
 
-  Headers specifies a mapping of [HTTP Header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to be added to proxied requests. _Nota bene_ Downstream application headers will be overwritten by Pomerium's headers on conflict.
+```
+
+Headers specifies a mapping of [HTTP Header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) to be added to proxied requests. _Nota bene_ Downstream application headers will be overwritten by Pomerium's headers on conflict.
 
 By default, conservative [secure HTTP headers](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project) are set.
 
@@ -599,3 +677,4 @@ Default Upstream Timeout is the default timeout applied to a proxied route when
 [script]: https://github.com/pomerium/pomerium/blob/master/scripts/generate_wildcard_cert.sh
 [toml]: https://en.wikipedia.org/wiki/TOML
 [yaml]: https://en.wikipedia.org/wiki/YAML
+```