Split nginx service into portal, backend and authelia services

This setup is closer to real production infrastructure.
This commit is contained in:
Clement Michaud 2017-11-02 00:37:10 +01:00
parent b8c8c3bd75
commit bbbffaa3ae
28 changed files with 189 additions and 76 deletions


@ -0,0 +1,8 @@
version: '2'
services:
nginx-authelia:
image: nginx:alpine
volumes:
- ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
networks:
- example-network
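Review bot: The nginx-authelia service mounts `./example/nginx/backend/nginx.conf`, the same path the nginx-backend service in this commit mounts, so both containers appear to run the backend's static-vhost config and the authelia-facing config added here (the one with `proxy_pass http://authelia/`) is never mounted by this service. If that config lives at example/nginx/authelia/nginx.conf, the volume line should read `- ./example/nginx/authelia/nginx.conf:/etc/nginx/nginx.conf`. That config also references /etc/ssl/server.crt and /etc/ssl/server.key and listens only on 443, while this service mounts no ssl volume and the portal calls it as `http://nginx-authelia/api/verify`, so either an ssl volume is needed or the config should listen on 80. The removed single nginx compose file had `depends_on: - authelia`; without it here nginx can fail at startup with a "host not found in upstream" error if the authelia name is not yet resolvable.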


@ -0,0 +1,54 @@
# nginx-sso - example nginx config
#
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
#
# This is an example config for using nginx with the nginx-sso cookie system.
# For simplicity, this config sets up two fictional vhosts that you can use to
# test against both components of the nginx-sso system: ssoauth & ssologin.
# In a real deployment, these vhosts would be separate hosts.
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
server {
listen 443 ssl;
server_name auth.test.local;
ssl on;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/server.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
location / {
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://authelia/;
proxy_intercept_errors on;
if ($request_method !~ ^(POST)$){
error_page 401 = /error/401;
error_page 403 = /error/403;
error_page 404 = /error/404;
}
}
}
}
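Review bot: This vhost only has `listen 443 ssl;` with certificates under /etc/ssl, but the portal config in this commit reaches it over plain HTTP (`proxy_pass http://nginx-authelia/api/verify`) and the nginx-authelia compose service mounts no ssl volume, so verify requests would go to port 80 where nothing listens, unless a hunk not shown here changes that. Since this instance sits behind the portal on the internal network, `listen 80;` with the ssl_* lines dropped would match how it is called, keeping TLS termination at the portal; `ssl on;` is in any case deprecated in favour of the `ssl` parameter already present on `listen`. The "nginx-sso - example nginx config" header copied into this file and into the backend nginx.conf describes another project's vhosts (ssoauth & ssologin) and should be replaced by a one-line comment naming this file's role, e.g. `# Internal proxy in front of the Authelia container; nginx-portal sends auth_request checks and login-page traffic here.`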


@ -0,0 +1,9 @@
version: '2'
services:
nginx-backend:
image: nginx:alpine
volumes:
- ./example/nginx/backend/html:/usr/share/nginx/html
- ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
networks:
- example-network
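Review bot: nginx-backend serves the protected vhosts over plain HTTP with no authentication of its own; what keeps them private is only that the service has no `ports:` mapping and is reachable solely through nginx-portal's auth_request-guarded locations. That assumption should be stated in the file so a later change does not publish it by accident: `# No ports: mapping on purpose - the backend is reached only via nginx-portal, which enforces auth_request.` placed above the service definition.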



@ -0,0 +1,61 @@
# nginx-sso - example nginx config
#
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
#
# This is an example config for using nginx with the nginx-sso cookie system.
# For simplicity, this config sets up two fictional vhosts that you can use to
# test against both components of the nginx-sso system: ssoauth & ssologin.
# In a real deployment, these vhosts would be separate hosts.
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
server {
listen 80;
root /usr/share/nginx/html/home.test.local;
server_name home.test.local;
}
server {
listen 80;
root /usr/share/nginx/html/public.test.local;
server_name public.test.local;
}
server {
listen 80;
root /usr/share/nginx/html/admin.test.local;
server_name admin.test.local;
}
server {
listen 80;
root /usr/share/nginx/html/dev.test.local;
server_name dev.test.local;
}
server {
listen 80;
root /usr/share/nginx/html/mail.test.local;
server_name mx1.mail.test.local mx2.mail.test.local;
}
server {
listen 80;
root /usr/share/nginx/html/single_factor.test.local;
server_name single_factor.test.local;
}
}
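Review bot: The first `server` block (home.test.local) is the implicit default for `listen 80`, so a request whose Host matches none of the listed server_name values is served the home vhost's files instead of being rejected; because nginx-portal forwards `Host $http_host` unchanged, any drift between the two configs' vhost lists lands there silently. A catch-all ahead of the named vhosts, `server { listen 80 default_server; return 444; }`, would make such a mismatch visible during testing, or at minimum a comment `# first server block is also the default for unmatched Host values` on the home vhost.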


@ -1,21 +0,0 @@
version: '2'
services:
nginx:
image: nginx:alpine
volumes:
- ./example/nginx/html:/usr/share/nginx/html
- ./example/nginx/ssl:/etc/ssl
- ./example/nginx/nginx.conf:/etc/nginx/nginx.conf
ports:
- "8080:443"
depends_on:
- authelia
networks:
- example-network
# aliases:
# - home.test.local
# - public.test.local
# - admin.test.local
# - dev.test.local
# - auth.test.local


@ -0,0 +1,11 @@
version: '2'
services:
nginx-portal:
image: nginx:alpine
volumes:
- ./example/nginx/portal/nginx.conf:/etc/nginx/nginx.conf
- ./example/nginx/portal/ssl:/etc/ssl
ports:
- "8080:443"
networks:
- example-network
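Review bot: nginx-portal's config names `nginx-backend` and `nginx-authelia` in static proxy_pass directives, which nginx resolves when it loads the config, and it refuses to start with "host not found in upstream" if either name is not yet resolvable on example-network; the removed single-service file carried `depends_on: - authelia` for that reason, but this file has no depends_on at all. Add `depends_on:` / `- nginx-authelia` / `- nginx-backend` under the service. The start scripts in this commit list nginx-portal before nginx-backend, so they do not guarantee the ordering either.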


@ -24,7 +24,7 @@ events {
http { http {
server { server {
listen 443 ssl; listen 443 ssl;
server_name auth.test.local localhost; server_name home.test.local;
ssl on; ssl on;
ssl_certificate /etc/ssl/server.crt; ssl_certificate /etc/ssl/server.crt;
@ -34,41 +34,14 @@ http {
add_header X-Frame-Options "SAMEORIGIN"; add_header X-Frame-Options "SAMEORIGIN";
location / { location / {
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://authelia/; proxy_pass http://nginx-backend/;
proxy_intercept_errors on;
if ($request_method !~ ^(POST)$){
error_page 401 = /error/401;
error_page 403 = /error/403;
error_page 404 = /error/404;
}
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
root /usr/share/nginx/html/home.test.local;
server_name home.test.local;
ssl on;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/server.key;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN";
}
server {
listen 443 ssl;
root /usr/share/nginx/html/public.test.local;
server_name public.test.local; server_name public.test.local;
ssl on; ssl on;
@ -86,7 +59,7 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass http://authelia/api/verify; proxy_pass http://nginx-authelia/api/verify;
} }
location / { location / {
@ -100,8 +73,12 @@ http {
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Groups $groups;
proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://auth.test.local:8080/error/403;
proxy_pass http://nginx-backend/;
} }
location /headers { location /headers {
@ -115,17 +92,15 @@ http {
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Custom-Forwarded-Groups $groups; proxy_set_header Custom-Forwarded-Groups $groups;
proxy_pass http://httpbin:8000/headers;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://auth.test.local:8080/error/403;
proxy_pass http://httpbin:8000/headers;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
root /usr/share/nginx/html/admin.test.local;
server_name admin.test.local; server_name admin.test.local;
ssl on; ssl on;
@ -143,7 +118,7 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass http://authelia/api/verify; proxy_pass http://nginx-authelia/api/verify;
} }
location / { location / {
@ -157,15 +132,17 @@ http {
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Groups $groups;
proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://auth.test.local:8080/error/403;
proxy_pass http://nginx-backend/;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
root /usr/share/nginx/html/dev.test.local;
server_name dev.test.local; server_name dev.test.local;
ssl on; ssl on;
@ -183,7 +160,7 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass http://authelia/api/verify; proxy_pass http://nginx-authelia/api/verify;
} }
location / { location / {
@ -197,15 +174,17 @@ http {
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Groups $groups;
proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://auth.test.local:8080/error/403;
proxy_pass http://nginx-backend/;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
root /usr/share/nginx/html/mail.test.local;
server_name mx1.mail.test.local mx2.mail.test.local; server_name mx1.mail.test.local mx2.mail.test.local;
ssl on; ssl on;
@ -223,7 +202,7 @@ http {
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass http://authelia/api/verify; proxy_pass http://nginx-authelia/api/verify;
} }
location / { location / {
@ -237,15 +216,17 @@ http {
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Groups $groups;
proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://auth.test.local:8080/error/403;
proxy_pass http://nginx-backend/;
} }
} }
server { server {
listen 443 ssl; listen 443 ssl;
root /usr/share/nginx/html/single_factor.test.local;
server_name single_factor.test.local; server_name single_factor.test.local;
ssl on; ssl on;
@ -264,7 +245,7 @@ http {
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_set_header Proxy-Authorization $http_authorization; proxy_set_header Proxy-Authorization $http_authorization;
proxy_pass http://authelia/api/verify; proxy_pass http://nginx-authelia/api/verify;
} }
location / { location / {
@ -278,8 +259,12 @@ http {
auth_request_set $groups $upstream_http_remote_groups; auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-Groups $groups; proxy_set_header Remote-Groups $groups;
proxy_set_header Host $http_host;
error_page 401 =302 https://auth.test.local:8080?redirect=$redirect; error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
error_page 403 = https://auth.test.local:8080/error/403; error_page 403 = https://auth.test.local:8080/error/403;
proxy_pass http://nginx-backend/;
} }
location /headers { location /headers {
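Review bot: Changing the first vhost's `server_name auth.test.local localhost` to `home.test.local` removes the only server block on the published port that answered for auth.test.local, yet every protected location still redirects to `https://auth.test.local:8080?redirect=$redirect` and to `/error/403` on that host. nginx-authelia has no `ports:` mapping, so those redirects reach nginx-portal, match no server_name, and fall through to the first block, which proxies to nginx-backend — the login page is never reached, unless a hunk not shown here adds an auth.test.local vhost. The portal needs a server block for that name that forwards to the authelia proxy, along the lines of the removed `location /` but with `proxy_pass http://nginx-authelia/;`, as below. The unauthenticated home.test.local block is also now the default server for any unmatched Host; a comment `# first server block: also the default for any Host that matches no server_name` on it would make that visible.
```nginx
    # … unchanged: events block, http header …
    server {
        listen 443 ssl;
        server_name auth.test.local;
        ssl on;
        ssl_certificate /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";
        location / {
            proxy_set_header X-Original-URI $request_uri;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://nginx-authelia/;
        }
    }
    # … unchanged: home.test.local vhost and the auth_request-protected vhosts …
```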


@ -8,7 +8,9 @@ docker-compose \
-f example/authelia/docker-compose.dev.yml \ -f example/authelia/docker-compose.dev.yml \
-f example/mongo/docker-compose.yml \ -f example/mongo/docker-compose.yml \
-f example/redis/docker-compose.yml \ -f example/redis/docker-compose.yml \
-f example/nginx/docker-compose.yml \ -f example/nginx/authelia/docker-compose.yml \
-f example/nginx/backend/docker-compose.yml \
-f example/nginx/portal/docker-compose.yml \
-f example/smtp/docker-compose.yml \ -f example/smtp/docker-compose.yml \
-f example/httpbin/docker-compose.yml \ -f example/httpbin/docker-compose.yml \
-f example/ldap/docker-compose.admin.yml \ -f example/ldap/docker-compose.admin.yml \


@ -7,7 +7,9 @@ docker-compose \
-f example/docker-compose.base.yml \ -f example/docker-compose.base.yml \
-f example/mongo/docker-compose.yml \ -f example/mongo/docker-compose.yml \
-f example/redis/docker-compose.yml \ -f example/redis/docker-compose.yml \
-f example/nginx/docker-compose.yml \ -f example/nginx/authelia/docker-compose.yml \
-f example/nginx/backend/docker-compose.yml \
-f example/nginx/portal/docker-compose.yml \
-f example/smtp/docker-compose.yml \ -f example/smtp/docker-compose.yml \
-f example/httpbin/docker-compose.yml \ -f example/httpbin/docker-compose.yml \
-f example/ldap/docker-compose.yml $* -f example/ldap/docker-compose.yml $*


@ -3,4 +3,4 @@
DC_SCRIPT=./scripts/example-commit/dc-example.sh DC_SCRIPT=./scripts/example-commit/dc-example.sh
$DC_SCRIPT build $DC_SCRIPT build
$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp $DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend


@ -7,7 +7,9 @@ docker-compose \
-f example/authelia/docker-compose.dockerhub.yml \ -f example/authelia/docker-compose.dockerhub.yml \
-f example/mongo/docker-compose.yml \ -f example/mongo/docker-compose.yml \
-f example/redis/docker-compose.yml \ -f example/redis/docker-compose.yml \
-f example/nginx/docker-compose.yml \ -f example/nginx/authelia/docker-compose.yml \
-f example/nginx/backend/docker-compose.yml \
-f example/nginx/portal/docker-compose.yml \
-f example/smtp/docker-compose.yml \ -f example/smtp/docker-compose.yml \
-f example/httpbin/docker-compose.yml \ -f example/httpbin/docker-compose.yml \
-f example/ldap/docker-compose.yml $* -f example/ldap/docker-compose.yml $*


@ -3,4 +3,4 @@
DC_SCRIPT=./scripts/example-dockerhub/dc-example.sh DC_SCRIPT=./scripts/example-dockerhub/dc-example.sh
#$DC_SCRIPT build #$DC_SCRIPT build
$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp $DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend


@ -1,14 +1,14 @@
#!/bin/bash #!/bin/bash
DC_SCRIPT=./scripts/example-commit/dc-example.sh DC_SCRIPT=./scripts/example-commit/dc-example.sh
EXPECTED_SERVICES_COUNT=7 EXPECTED_SERVICES_COUNT=9
build_services() { build_services() {
$DC_SCRIPT build authelia $DC_SCRIPT build authelia
} }
start_services() { start_services() {
$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp $DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend
sleep 3 sleep 3
} }