mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
Split nginx service into portal, backend and authelia services
This setup is closer to real production infrastructure.
This commit is contained in:
parent
b8c8c3bd75
commit
bbbffaa3ae
8
example/nginx/authelia/docker-compose.yml
Normal file
8
example/nginx/authelia/docker-compose.yml
Normal file
|
@ -0,0 +1,8 @@
|
|||
version: '2'
|
||||
services:
|
||||
nginx-authelia:
|
||||
image: nginx:alpine
|
||||
volumes:
|
||||
- ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
|
||||
networks:
|
||||
- example-network
|
54
example/nginx/authelia/nginx.conf
Normal file
54
example/nginx/authelia/nginx.conf
Normal file
|
@ -0,0 +1,54 @@
|
|||
# nginx-sso - example nginx config
|
||||
#
|
||||
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
|
||||
#
|
||||
# This is an example config for using nginx with the nginx-sso cookie system.
|
||||
# For simplicity, this config sets up two fictional vhosts that you can use to
|
||||
# test against both components of the nginx-sso system: ssoauth & ssologin.
|
||||
# In a real deployment, these vhosts would be separate hosts.
|
||||
|
||||
#user nobody;
|
||||
worker_processes 1;
|
||||
|
||||
#error_log logs/error.log;
|
||||
#error_log logs/error.log notice;
|
||||
#error_log logs/error.log info;
|
||||
|
||||
#pid logs/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name auth.test.local;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/ssl/server.crt;
|
||||
ssl_certificate_key /etc/ssl/server.key;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://authelia/;
|
||||
|
||||
proxy_intercept_errors on;
|
||||
|
||||
if ($request_method !~ ^(POST)$){
|
||||
error_page 401 = /error/401;
|
||||
error_page 403 = /error/403;
|
||||
error_page 404 = /error/404;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
9
example/nginx/backend/docker-compose.yml
Normal file
9
example/nginx/backend/docker-compose.yml
Normal file
|
@ -0,0 +1,9 @@
|
|||
version: '2'
|
||||
services:
|
||||
nginx-backend:
|
||||
image: nginx:alpine
|
||||
volumes:
|
||||
- ./example/nginx/backend/html:/usr/share/nginx/html
|
||||
- ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
|
||||
networks:
|
||||
- example-network
|
Before Width: | Height: | Size: 1.4 KiB After Width: | Height: | Size: 1.4 KiB |
61
example/nginx/backend/nginx.conf
Normal file
61
example/nginx/backend/nginx.conf
Normal file
|
@ -0,0 +1,61 @@
|
|||
# nginx-sso - example nginx config
|
||||
#
|
||||
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
|
||||
#
|
||||
# This is an example config for using nginx with the nginx-sso cookie system.
|
||||
# For simplicity, this config sets up two fictional vhosts that you can use to
|
||||
# test against both components of the nginx-sso system: ssoauth & ssologin.
|
||||
# In a real deployment, these vhosts would be separate hosts.
|
||||
|
||||
#user nobody;
|
||||
worker_processes 1;
|
||||
|
||||
#error_log logs/error.log;
|
||||
#error_log logs/error.log notice;
|
||||
#error_log logs/error.log info;
|
||||
|
||||
#pid logs/nginx.pid;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
server {
|
||||
listen 80;
|
||||
root /usr/share/nginx/html/home.test.local;
|
||||
server_name home.test.local;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
root /usr/share/nginx/html/public.test.local;
|
||||
server_name public.test.local;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
root /usr/share/nginx/html/admin.test.local;
|
||||
server_name admin.test.local;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
root /usr/share/nginx/html/dev.test.local;
|
||||
server_name dev.test.local;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
root /usr/share/nginx/html/mail.test.local;
|
||||
server_name mx1.mail.test.local mx2.mail.test.local;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
root /usr/share/nginx/html/single_factor.test.local;
|
||||
server_name single_factor.test.local;
|
||||
}
|
||||
}
|
||||
|
|
@ -1,21 +0,0 @@
|
|||
version: '2'
|
||||
services:
|
||||
nginx:
|
||||
image: nginx:alpine
|
||||
volumes:
|
||||
- ./example/nginx/html:/usr/share/nginx/html
|
||||
- ./example/nginx/ssl:/etc/ssl
|
||||
- ./example/nginx/nginx.conf:/etc/nginx/nginx.conf
|
||||
ports:
|
||||
- "8080:443"
|
||||
depends_on:
|
||||
- authelia
|
||||
networks:
|
||||
- example-network
|
||||
# aliases:
|
||||
# - home.test.local
|
||||
# - public.test.local
|
||||
# - admin.test.local
|
||||
# - dev.test.local
|
||||
# - auth.test.local
|
||||
|
11
example/nginx/portal/docker-compose.yml
Normal file
11
example/nginx/portal/docker-compose.yml
Normal file
|
@ -0,0 +1,11 @@
|
|||
version: '2'
|
||||
services:
|
||||
nginx-portal:
|
||||
image: nginx:alpine
|
||||
volumes:
|
||||
- ./example/nginx/portal/nginx.conf:/etc/nginx/nginx.conf
|
||||
- ./example/nginx/portal/ssl:/etc/ssl
|
||||
ports:
|
||||
- "8080:443"
|
||||
networks:
|
||||
- example-network
|
|
@ -24,7 +24,7 @@ events {
|
|||
http {
|
||||
server {
|
||||
listen 443 ssl;
|
||||
server_name auth.test.local localhost;
|
||||
server_name home.test.local;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/ssl/server.crt;
|
||||
|
@ -34,41 +34,14 @@ http {
|
|||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Original-URI $request_uri;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
proxy_pass http://authelia/;
|
||||
|
||||
proxy_intercept_errors on;
|
||||
|
||||
if ($request_method !~ ^(POST)$){
|
||||
error_page 401 = /error/401;
|
||||
error_page 403 = /error/403;
|
||||
error_page 404 = /error/404;
|
||||
}
|
||||
proxy_pass http://nginx-backend/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
root /usr/share/nginx/html/home.test.local;
|
||||
|
||||
server_name home.test.local;
|
||||
|
||||
ssl on;
|
||||
ssl_certificate /etc/ssl/server.crt;
|
||||
ssl_certificate_key /etc/ssl/server.key;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
root /usr/share/nginx/html/public.test.local;
|
||||
|
||||
listen 443 ssl;
|
||||
server_name public.test.local;
|
||||
|
||||
ssl on;
|
||||
|
@ -86,7 +59,7 @@ http {
|
|||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Content-Length "";
|
||||
|
||||
proxy_pass http://authelia/api/verify;
|
||||
proxy_pass http://nginx-authelia/api/verify;
|
||||
}
|
||||
|
||||
location / {
|
||||
|
@ -100,8 +73,12 @@ http {
|
|||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
proxy_set_header Remote-Groups $groups;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||
error_page 403 = https://auth.test.local:8080/error/403;
|
||||
|
||||
proxy_pass http://nginx-backend/;
|
||||
}
|
||||
|
||||
location /headers {
|
||||
|
@ -115,17 +92,15 @@ http {
|
|||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
proxy_set_header Custom-Forwarded-Groups $groups;
|
||||
|
||||
proxy_pass http://httpbin:8000/headers;
|
||||
|
||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||
error_page 403 = https://auth.test.local:8080/error/403;
|
||||
|
||||
proxy_pass http://httpbin:8000/headers;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
root /usr/share/nginx/html/admin.test.local;
|
||||
|
||||
listen 443 ssl;
|
||||
server_name admin.test.local;
|
||||
|
||||
ssl on;
|
||||
|
@ -143,7 +118,7 @@ http {
|
|||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Content-Length "";
|
||||
|
||||
proxy_pass http://authelia/api/verify;
|
||||
proxy_pass http://nginx-authelia/api/verify;
|
||||
}
|
||||
|
||||
location / {
|
||||
|
@ -157,15 +132,17 @@ http {
|
|||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
proxy_set_header Remote-Groups $groups;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||
error_page 403 = https://auth.test.local:8080/error/403;
|
||||
|
||||
proxy_pass http://nginx-backend/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
root /usr/share/nginx/html/dev.test.local;
|
||||
|
||||
listen 443 ssl;
|
||||
server_name dev.test.local;
|
||||
|
||||
ssl on;
|
||||
|
@ -183,7 +160,7 @@ http {
|
|||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Content-Length "";
|
||||
|
||||
proxy_pass http://authelia/api/verify;
|
||||
proxy_pass http://nginx-authelia/api/verify;
|
||||
}
|
||||
|
||||
location / {
|
||||
|
@ -197,15 +174,17 @@ http {
|
|||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
proxy_set_header Remote-Groups $groups;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||
error_page 403 = https://auth.test.local:8080/error/403;
|
||||
|
||||
proxy_pass http://nginx-backend/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
root /usr/share/nginx/html/mail.test.local;
|
||||
|
||||
listen 443 ssl;
|
||||
server_name mx1.mail.test.local mx2.mail.test.local;
|
||||
|
||||
ssl on;
|
||||
|
@ -223,7 +202,7 @@ http {
|
|||
proxy_set_header Host $http_host;
|
||||
proxy_set_header Content-Length "";
|
||||
|
||||
proxy_pass http://authelia/api/verify;
|
||||
proxy_pass http://nginx-authelia/api/verify;
|
||||
}
|
||||
|
||||
location / {
|
||||
|
@ -237,15 +216,17 @@ http {
|
|||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
proxy_set_header Remote-Groups $groups;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||
error_page 403 = https://auth.test.local:8080/error/403;
|
||||
|
||||
proxy_pass http://nginx-backend/;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl;
|
||||
root /usr/share/nginx/html/single_factor.test.local;
|
||||
|
||||
server_name single_factor.test.local;
|
||||
|
||||
ssl on;
|
||||
|
@ -264,7 +245,7 @@ http {
|
|||
proxy_set_header Content-Length "";
|
||||
proxy_set_header Proxy-Authorization $http_authorization;
|
||||
|
||||
proxy_pass http://authelia/api/verify;
|
||||
proxy_pass http://nginx-authelia/api/verify;
|
||||
}
|
||||
|
||||
location / {
|
||||
|
@ -278,8 +259,12 @@ http {
|
|||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
proxy_set_header Remote-Groups $groups;
|
||||
|
||||
proxy_set_header Host $http_host;
|
||||
|
||||
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
|
||||
error_page 403 = https://auth.test.local:8080/error/403;
|
||||
|
||||
proxy_pass http://nginx-backend/;
|
||||
}
|
||||
|
||||
location /headers {
|
|
@ -8,7 +8,9 @@ docker-compose \
|
|||
-f example/authelia/docker-compose.dev.yml \
|
||||
-f example/mongo/docker-compose.yml \
|
||||
-f example/redis/docker-compose.yml \
|
||||
-f example/nginx/docker-compose.yml \
|
||||
-f example/nginx/authelia/docker-compose.yml \
|
||||
-f example/nginx/backend/docker-compose.yml \
|
||||
-f example/nginx/portal/docker-compose.yml \
|
||||
-f example/smtp/docker-compose.yml \
|
||||
-f example/httpbin/docker-compose.yml \
|
||||
-f example/ldap/docker-compose.admin.yml \
|
||||
|
|
|
@ -7,7 +7,9 @@ docker-compose \
|
|||
-f example/docker-compose.base.yml \
|
||||
-f example/mongo/docker-compose.yml \
|
||||
-f example/redis/docker-compose.yml \
|
||||
-f example/nginx/docker-compose.yml \
|
||||
-f example/nginx/authelia/docker-compose.yml \
|
||||
-f example/nginx/backend/docker-compose.yml \
|
||||
-f example/nginx/portal/docker-compose.yml \
|
||||
-f example/smtp/docker-compose.yml \
|
||||
-f example/httpbin/docker-compose.yml \
|
||||
-f example/ldap/docker-compose.yml $*
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
DC_SCRIPT=./scripts/example-commit/dc-example.sh
|
||||
|
||||
$DC_SCRIPT build
|
||||
$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp
|
||||
$DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend
|
||||
|
|
|
@ -7,7 +7,9 @@ docker-compose \
|
|||
-f example/authelia/docker-compose.dockerhub.yml \
|
||||
-f example/mongo/docker-compose.yml \
|
||||
-f example/redis/docker-compose.yml \
|
||||
-f example/nginx/docker-compose.yml \
|
||||
-f example/nginx/authelia/docker-compose.yml \
|
||||
-f example/nginx/backend/docker-compose.yml \
|
||||
-f example/nginx/portal/docker-compose.yml \
|
||||
-f example/smtp/docker-compose.yml \
|
||||
-f example/httpbin/docker-compose.yml \
|
||||
-f example/ldap/docker-compose.yml $*
|
||||
|
|
|
@ -3,4 +3,4 @@
|
|||
DC_SCRIPT=./scripts/example-dockerhub/dc-example.sh
|
||||
|
||||
#$DC_SCRIPT build
|
||||
$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp
|
||||
$DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
#!/bin/bash
|
||||
|
||||
DC_SCRIPT=./scripts/example-commit/dc-example.sh
|
||||
EXPECTED_SERVICES_COUNT=7
|
||||
EXPECTED_SERVICES_COUNT=9
|
||||
|
||||
build_services() {
|
||||
$DC_SCRIPT build authelia
|
||||
}
|
||||
|
||||
start_services() {
|
||||
$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp
|
||||
$DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend
|
||||
sleep 3
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user