From bbbffaa3ae73358e6a8aa26bf5454d4bda39e3e9 Mon Sep 17 00:00:00 2001 From: Clement Michaud Date: Thu, 2 Nov 2017 00:37:10 +0100 Subject: [PATCH] Split nginx service into portal, backend and authelia services This setup is closer to real production infrastructure. --- example/nginx/authelia/docker-compose.yml | 8 ++ example/nginx/authelia/nginx.conf | 54 ++++++++++++ example/nginx/backend/docker-compose.yml | 9 ++ .../html/admin.test.local/secret.html | 0 .../dev.test.local/groups/admin/secret.html | 0 .../dev.test.local/groups/dev/secret.html | 0 .../html/dev.test.local/users/bob/secret.html | 0 .../dev.test.local/users/harry/secret.html | 0 .../dev.test.local/users/john/secret.html | 0 .../html/home.test.local/index.html | 0 example/nginx/{ => backend}/html/icon.png | Bin .../html/mail.test.local/secret.html | 0 .../html/public.test.local/index.html | 0 .../html/public.test.local/secret.html | 0 .../html/single_factor.test.local/secret.html | 0 example/nginx/backend/nginx.conf | 61 +++++++++++++ example/nginx/docker-compose.yml | 21 ----- example/nginx/portal/docker-compose.yml | 11 +++ example/nginx/{ => portal}/nginx.conf | 81 +++++++----------- example/nginx/{ => portal}/ssl/server.crt | 0 example/nginx/{ => portal}/ssl/server.csr | 0 example/nginx/{ => portal}/ssl/server.key | 0 scripts/dc-dev.sh | 4 +- scripts/example-commit/dc-example.sh | 4 +- scripts/example-commit/deploy-example.sh | 2 +- scripts/example-dockerhub/dc-example.sh | 4 +- scripts/example-dockerhub/deploy-example.sh | 2 +- scripts/integration-tests.sh | 4 +- 28 files changed, 189 insertions(+), 76 deletions(-) create mode 100644 example/nginx/authelia/docker-compose.yml create mode 100644 example/nginx/authelia/nginx.conf create mode 100644 example/nginx/backend/docker-compose.yml rename example/nginx/{ => backend}/html/admin.test.local/secret.html (100%) rename example/nginx/{ => backend}/html/dev.test.local/groups/admin/secret.html (100%) rename example/nginx/{ => backend}/html/dev.test.local/groups/dev/secret.html (100%) rename example/nginx/{ => backend}/html/dev.test.local/users/bob/secret.html (100%) rename example/nginx/{ => backend}/html/dev.test.local/users/harry/secret.html (100%) rename example/nginx/{ => backend}/html/dev.test.local/users/john/secret.html (100%) rename example/nginx/{ => backend}/html/home.test.local/index.html (100%) rename example/nginx/{ => backend}/html/icon.png (100%) rename example/nginx/{ => backend}/html/mail.test.local/secret.html (100%) rename example/nginx/{ => backend}/html/public.test.local/index.html (100%) rename example/nginx/{ => backend}/html/public.test.local/secret.html (100%) rename example/nginx/{ => backend}/html/single_factor.test.local/secret.html (100%) create mode 100644 example/nginx/backend/nginx.conf delete mode 100644 example/nginx/docker-compose.yml create mode 100644 example/nginx/portal/docker-compose.yml rename example/nginx/{ => portal}/nginx.conf (84%) rename example/nginx/{ => portal}/ssl/server.crt (100%) rename example/nginx/{ => portal}/ssl/server.csr (100%) rename example/nginx/{ => portal}/ssl/server.key (100%) diff --git a/example/nginx/authelia/docker-compose.yml b/example/nginx/authelia/docker-compose.yml new file mode 100644 index 00000000..1b560657 --- /dev/null +++ b/example/nginx/authelia/docker-compose.yml @@ -0,0 +1,8 @@ +version: '2' +services: + nginx-authelia: + image: nginx:alpine + volumes: + - ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf + networks: + - example-network diff --git a/example/nginx/authelia/nginx.conf b/example/nginx/authelia/nginx.conf new file mode 100644 index 00000000..7305ba70 --- /dev/null +++ b/example/nginx/authelia/nginx.conf @@ -0,0 +1,54 @@ +# nginx-sso - example nginx config +# +# (c) 2015 by Johannes Gilger +# +# This is an example config for using nginx with the nginx-sso cookie system. +# For simplicity, this config sets up two fictional vhosts that you can use to +# test against both components of the nginx-sso system: ssoauth & ssologin. +# In a real deployment, these vhosts would be separate hosts. + +#user nobody; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + +events { + worker_connections 1024; +} + + +http { + server { + listen 443 ssl; + server_name auth.test.local; + + ssl on; + ssl_certificate /etc/ssl/server.crt; + ssl_certificate_key /etc/ssl/server.key; + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Frame-Options "SAMEORIGIN"; + + location / { + proxy_set_header X-Original-URI $request_uri; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://authelia/; + + proxy_intercept_errors on; + + if ($request_method !~ ^(POST)$){ + error_page 401 = /error/401; + error_page 403 = /error/403; + error_page 404 = /error/404; + } + } + } +} + diff --git a/example/nginx/backend/docker-compose.yml b/example/nginx/backend/docker-compose.yml new file mode 100644 index 00000000..9adb9f28 --- /dev/null +++ b/example/nginx/backend/docker-compose.yml @@ -0,0 +1,9 @@ +version: '2' +services: + nginx-backend: + image: nginx:alpine + volumes: + - ./example/nginx/backend/html:/usr/share/nginx/html + - ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf + networks: + - example-network diff --git a/example/nginx/html/admin.test.local/secret.html b/example/nginx/backend/html/admin.test.local/secret.html similarity index 100% rename from example/nginx/html/admin.test.local/secret.html rename to example/nginx/backend/html/admin.test.local/secret.html diff --git a/example/nginx/html/dev.test.local/groups/admin/secret.html b/example/nginx/backend/html/dev.test.local/groups/admin/secret.html similarity index 100% rename from example/nginx/html/dev.test.local/groups/admin/secret.html rename to example/nginx/backend/html/dev.test.local/groups/admin/secret.html diff --git a/example/nginx/html/dev.test.local/groups/dev/secret.html b/example/nginx/backend/html/dev.test.local/groups/dev/secret.html similarity index 100% rename from example/nginx/html/dev.test.local/groups/dev/secret.html rename to example/nginx/backend/html/dev.test.local/groups/dev/secret.html diff --git a/example/nginx/html/dev.test.local/users/bob/secret.html b/example/nginx/backend/html/dev.test.local/users/bob/secret.html similarity index 100% rename from example/nginx/html/dev.test.local/users/bob/secret.html rename to example/nginx/backend/html/dev.test.local/users/bob/secret.html diff --git a/example/nginx/html/dev.test.local/users/harry/secret.html b/example/nginx/backend/html/dev.test.local/users/harry/secret.html similarity index 100% rename from example/nginx/html/dev.test.local/users/harry/secret.html rename to example/nginx/backend/html/dev.test.local/users/harry/secret.html diff --git a/example/nginx/html/dev.test.local/users/john/secret.html b/example/nginx/backend/html/dev.test.local/users/john/secret.html similarity index 100% rename from example/nginx/html/dev.test.local/users/john/secret.html rename to example/nginx/backend/html/dev.test.local/users/john/secret.html diff --git a/example/nginx/html/home.test.local/index.html b/example/nginx/backend/html/home.test.local/index.html similarity index 100% rename from example/nginx/html/home.test.local/index.html rename to example/nginx/backend/html/home.test.local/index.html diff --git a/example/nginx/html/icon.png b/example/nginx/backend/html/icon.png similarity index 100% rename from example/nginx/html/icon.png rename to example/nginx/backend/html/icon.png diff --git a/example/nginx/html/mail.test.local/secret.html b/example/nginx/backend/html/mail.test.local/secret.html similarity index 100% rename from example/nginx/html/mail.test.local/secret.html rename to example/nginx/backend/html/mail.test.local/secret.html diff --git a/example/nginx/html/public.test.local/index.html b/example/nginx/backend/html/public.test.local/index.html similarity index 100% rename from example/nginx/html/public.test.local/index.html rename to example/nginx/backend/html/public.test.local/index.html diff --git a/example/nginx/html/public.test.local/secret.html b/example/nginx/backend/html/public.test.local/secret.html similarity index 100% rename from example/nginx/html/public.test.local/secret.html rename to example/nginx/backend/html/public.test.local/secret.html diff --git a/example/nginx/html/single_factor.test.local/secret.html b/example/nginx/backend/html/single_factor.test.local/secret.html similarity index 100% rename from example/nginx/html/single_factor.test.local/secret.html rename to example/nginx/backend/html/single_factor.test.local/secret.html diff --git a/example/nginx/backend/nginx.conf b/example/nginx/backend/nginx.conf new file mode 100644 index 00000000..106d1782 --- /dev/null +++ b/example/nginx/backend/nginx.conf @@ -0,0 +1,61 @@ +# nginx-sso - example nginx config +# +# (c) 2015 by Johannes Gilger +# +# This is an example config for using nginx with the nginx-sso cookie system. +# For simplicity, this config sets up two fictional vhosts that you can use to +# test against both components of the nginx-sso system: ssoauth & ssologin. +# In a real deployment, these vhosts would be separate hosts. + +#user nobody; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + +events { + worker_connections 1024; +} + + +http { + server { + listen 80; + root /usr/share/nginx/html/home.test.local; + server_name home.test.local; + } + + server { + listen 80; + root /usr/share/nginx/html/public.test.local; + server_name public.test.local; + } + + server { + listen 80; + root /usr/share/nginx/html/admin.test.local; + server_name admin.test.local; + } + + server { + listen 80; + root /usr/share/nginx/html/dev.test.local; + server_name dev.test.local; + } + + server { + listen 80; + root /usr/share/nginx/html/mail.test.local; + server_name mx1.mail.test.local mx2.mail.test.local; + } + + server { + listen 80; + root /usr/share/nginx/html/single_factor.test.local; + server_name single_factor.test.local; + } +} + diff --git a/example/nginx/docker-compose.yml b/example/nginx/docker-compose.yml deleted file mode 100644 index 712a23b6..00000000 --- a/example/nginx/docker-compose.yml +++ /dev/null @@ -1,21 +0,0 @@ -version: '2' -services: - nginx: - image: nginx:alpine - volumes: - - ./example/nginx/html:/usr/share/nginx/html - - ./example/nginx/ssl:/etc/ssl - - ./example/nginx/nginx.conf:/etc/nginx/nginx.conf - ports: - - "8080:443" - depends_on: - - authelia - networks: - - example-network - # aliases: - # - home.test.local - # - public.test.local - # - admin.test.local - # - dev.test.local - # - auth.test.local - diff --git a/example/nginx/portal/docker-compose.yml b/example/nginx/portal/docker-compose.yml new file mode 100644 index 00000000..af52f092 --- /dev/null +++ b/example/nginx/portal/docker-compose.yml @@ -0,0 +1,11 @@ +version: '2' +services: + nginx-portal: + image: nginx:alpine + volumes: + - ./example/nginx/portal/nginx.conf:/etc/nginx/nginx.conf + - ./example/nginx/portal/ssl:/etc/ssl + ports: + - "8080:443" + networks: + - example-network diff --git a/example/nginx/nginx.conf b/example/nginx/portal/nginx.conf similarity index 84% rename from example/nginx/nginx.conf rename to example/nginx/portal/nginx.conf index ed82f772..0f597d93 100644 --- a/example/nginx/nginx.conf +++ b/example/nginx/portal/nginx.conf @@ -24,7 +24,7 @@ events { http { server { listen 443 ssl; - server_name auth.test.local localhost; + server_name home.test.local; ssl on; ssl_certificate /etc/ssl/server.crt; @@ -34,41 +34,14 @@ http { add_header X-Frame-Options "SAMEORIGIN"; location / { - proxy_set_header X-Original-URI $request_uri; proxy_set_header Host $http_host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://authelia/; - - proxy_intercept_errors on; - - if ($request_method !~ ^(POST)$){ - error_page 401 = /error/401; - error_page 403 = /error/403; - error_page 404 = /error/404; - } + proxy_pass http://nginx-backend/; } } server { - listen 443 ssl; - root /usr/share/nginx/html/home.test.local; - - server_name home.test.local; - - ssl on; - ssl_certificate /etc/ssl/server.crt; - ssl_certificate_key /etc/ssl/server.key; - - add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; - add_header X-Frame-Options "SAMEORIGIN"; - } - - server { - listen 443 ssl; - root /usr/share/nginx/html/public.test.local; - + listen 443 ssl; server_name public.test.local; ssl on; @@ -86,7 +59,7 @@ http { proxy_set_header Host $http_host; proxy_set_header Content-Length ""; - proxy_pass http://authelia/api/verify; + proxy_pass http://nginx-authelia/api/verify; } location / { @@ -100,8 +73,12 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; + proxy_set_header Host $http_host; + error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 403 = https://auth.test.local:8080/error/403; + + proxy_pass http://nginx-backend/; } location /headers { @@ -115,17 +92,15 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Custom-Forwarded-Groups $groups; - proxy_pass http://httpbin:8000/headers; - error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 403 = https://auth.test.local:8080/error/403; + + proxy_pass http://httpbin:8000/headers; } } server { - listen 443 ssl; - root /usr/share/nginx/html/admin.test.local; - + listen 443 ssl; server_name admin.test.local; ssl on; @@ -143,7 +118,7 @@ http { proxy_set_header Host $http_host; proxy_set_header Content-Length ""; - proxy_pass http://authelia/api/verify; + proxy_pass http://nginx-authelia/api/verify; } location / { @@ -157,15 +132,17 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; + proxy_set_header Host $http_host; + error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 403 = https://auth.test.local:8080/error/403; + + proxy_pass http://nginx-backend/; } } server { - listen 443 ssl; - root /usr/share/nginx/html/dev.test.local; - + listen 443 ssl; server_name dev.test.local; ssl on; @@ -183,7 +160,7 @@ http { proxy_set_header Host $http_host; proxy_set_header Content-Length ""; - proxy_pass http://authelia/api/verify; + proxy_pass http://nginx-authelia/api/verify; } location / { @@ -197,15 +174,17 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; + proxy_set_header Host $http_host; + error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 403 = https://auth.test.local:8080/error/403; + + proxy_pass http://nginx-backend/; } } server { - listen 443 ssl; - root /usr/share/nginx/html/mail.test.local; - + listen 443 ssl; server_name mx1.mail.test.local mx2.mail.test.local; ssl on; @@ -223,7 +202,7 @@ http { proxy_set_header Host $http_host; proxy_set_header Content-Length ""; - proxy_pass http://authelia/api/verify; + proxy_pass http://nginx-authelia/api/verify; } location / { @@ -237,15 +216,17 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; + proxy_set_header Host $http_host; + error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 403 = https://auth.test.local:8080/error/403; + + proxy_pass http://nginx-backend/; } } server { listen 443 ssl; - root /usr/share/nginx/html/single_factor.test.local; - server_name single_factor.test.local; ssl on; @@ -264,7 +245,7 @@ http { proxy_set_header Content-Length ""; proxy_set_header Proxy-Authorization $http_authorization; - proxy_pass http://authelia/api/verify; + proxy_pass http://nginx-authelia/api/verify; } location / { @@ -278,8 +259,12 @@ http { auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; + proxy_set_header Host $http_host; + error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 403 = https://auth.test.local:8080/error/403; + + proxy_pass http://nginx-backend/; } location /headers { diff --git a/example/nginx/ssl/server.crt b/example/nginx/portal/ssl/server.crt similarity index 100% rename from example/nginx/ssl/server.crt rename to example/nginx/portal/ssl/server.crt diff --git a/example/nginx/ssl/server.csr b/example/nginx/portal/ssl/server.csr similarity index 100% rename from example/nginx/ssl/server.csr rename to example/nginx/portal/ssl/server.csr diff --git a/example/nginx/ssl/server.key b/example/nginx/portal/ssl/server.key similarity index 100% rename from example/nginx/ssl/server.key rename to example/nginx/portal/ssl/server.key diff --git a/scripts/dc-dev.sh b/scripts/dc-dev.sh index cbee1a13..2a04d59e 100755 --- a/scripts/dc-dev.sh +++ b/scripts/dc-dev.sh @@ -8,7 +8,9 @@ docker-compose \ -f example/authelia/docker-compose.dev.yml \ -f example/mongo/docker-compose.yml \ -f example/redis/docker-compose.yml \ - -f example/nginx/docker-compose.yml \ + -f example/nginx/authelia/docker-compose.yml \ + -f example/nginx/backend/docker-compose.yml \ + -f example/nginx/portal/docker-compose.yml \ -f example/smtp/docker-compose.yml \ -f example/httpbin/docker-compose.yml \ -f example/ldap/docker-compose.admin.yml \ diff --git a/scripts/example-commit/dc-example.sh b/scripts/example-commit/dc-example.sh index 7d38612e..020bfde7 100755 --- a/scripts/example-commit/dc-example.sh +++ b/scripts/example-commit/dc-example.sh @@ -7,7 +7,9 @@ docker-compose \ -f example/docker-compose.base.yml \ -f example/mongo/docker-compose.yml \ -f example/redis/docker-compose.yml \ - -f example/nginx/docker-compose.yml \ + -f example/nginx/authelia/docker-compose.yml \ + -f example/nginx/backend/docker-compose.yml \ + -f example/nginx/portal/docker-compose.yml \ -f example/smtp/docker-compose.yml \ -f example/httpbin/docker-compose.yml \ -f example/ldap/docker-compose.yml $* diff --git a/scripts/example-commit/deploy-example.sh b/scripts/example-commit/deploy-example.sh index 3ea60e07..c56da73b 100755 --- a/scripts/example-commit/deploy-example.sh +++ b/scripts/example-commit/deploy-example.sh @@ -3,4 +3,4 @@ DC_SCRIPT=./scripts/example-commit/dc-example.sh $DC_SCRIPT build -$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp +$DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend diff --git a/scripts/example-dockerhub/dc-example.sh b/scripts/example-dockerhub/dc-example.sh index df09c07e..10a452f5 100755 --- a/scripts/example-dockerhub/dc-example.sh +++ b/scripts/example-dockerhub/dc-example.sh @@ -7,7 +7,9 @@ docker-compose \ -f example/authelia/docker-compose.dockerhub.yml \ -f example/mongo/docker-compose.yml \ -f example/redis/docker-compose.yml \ - -f example/nginx/docker-compose.yml \ + -f example/nginx/authelia/docker-compose.yml \ + -f example/nginx/backend/docker-compose.yml \ + -f example/nginx/portal/docker-compose.yml \ -f example/smtp/docker-compose.yml \ -f example/httpbin/docker-compose.yml \ -f example/ldap/docker-compose.yml $* diff --git a/scripts/example-dockerhub/deploy-example.sh b/scripts/example-dockerhub/deploy-example.sh index ec042ec7..586df111 100755 --- a/scripts/example-dockerhub/deploy-example.sh +++ b/scripts/example-dockerhub/deploy-example.sh @@ -3,4 +3,4 @@ DC_SCRIPT=./scripts/example-dockerhub/dc-example.sh #$DC_SCRIPT build -$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp +$DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend diff --git a/scripts/integration-tests.sh b/scripts/integration-tests.sh index 639e80cc..02d13744 100755 --- a/scripts/integration-tests.sh +++ b/scripts/integration-tests.sh @@ -1,14 +1,14 @@ #!/bin/bash DC_SCRIPT=./scripts/example-commit/dc-example.sh -EXPECTED_SERVICES_COUNT=7 +EXPECTED_SERVICES_COUNT=9 build_services() { $DC_SCRIPT build authelia } start_services() { - $DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp + $DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend sleep 3 }