Use OpenResty instead of plain nginx to support OpenID Connect authorization.

Subv · Subv · commit d8f61708dd80 · 2020-05-22T14:41:55.000-05:00
diff --git a/backend/templates/_openid_connect.conf b/backend/templates/_openid_connect.conf
@@ -0,0 +1,26 @@
+{% if openidc_enabled -%}
+    access_by_lua_block {
+	    local openidc = require("resty.openidc")
+        local opts = {
+            redirect_uri = "{{- openidc_redirect_uri -}}",
+            discovery = "{{- openidc_discovery -}}",
+            token_endpoint_auth_method = "{{- openidc_auth_method -}}",
+            client_id = "{{- openidc_client_id -}}",
+            client_secret = "{{- openidc_client_secret -}}",
+            scope = "openid email profile"
+        }
+
+        local res, err = openidc.authenticate(opts)
+
+        if err then
+            ngx.status = 500
+            ngx.say(err)
+            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+        end
+
+
+        ngx.req.set_header("X-OIDC-SUB", res.id_token.sub)
+        ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email)
+        ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
+    }
+{% endif %}
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
@@ -37,6 +37,8 @@ server {
 
     {% endif %}
 
+{% include "_openid_connect.conf" %}
+
 {% include "_forced_ssl.conf" %}
 {% include "_hsts.conf" %}
 
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -41,6 +41,52 @@ RUN yarn install
 # Remove frontend service not required for prod, dev nginx config as well
 RUN rm -rf /etc/services.d/frontend RUN rm -f /etc/nginx/conf.d/dev.conf
 
+RUN mkdir -p /opt/luarocks-build && cd /opt/luarocks-build && apk add readline-dev perl pcre-dev openssl-dev zlib-dev
+RUN wget -O /opt/luarocks-build/luarocks-3.3.1.tar.gz http://luarocks.github.io/luarocks/releases/luarocks-3.3.1.tar.gz && wget -O /opt/luarocks-build/lua-5.1.5.tar.gz http://www.lua.org/ftp/lua-5.1.5.tar.gz
+RUN mkdir -p /opt/openresty-build && cd /opt/openresty-build && wget -O /opt/openresty-build/openresty-1.15.8.3.tar.gz https://openresty.org/download/openresty-1.15.8.3.tar.gz
+RUN cd /opt/openresty-build && tar -xvf openresty-1.15.8.3.tar.gz && cd /opt/openresty-build/openresty-1.15.8.3 && ./configure --prefix=/etc/nginx \
+	--sbin-path=/usr/sbin/nginx \
+	--modules-path=/usr/lib/nginx/modules \
+	--conf-path=/etc/nginx/nginx.conf \
+	--error-log-path=/var/log/nginx/error.log \
+	--http-log-path=/var/log/nginx/access.log \
+	--pid-path=/var/run/nginx.pid \
+	--lock-path=/var/run/nginx.lock \
+	--http-client-body-temp-path=/var/cache/nginx/client_temp \
+	--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+	--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+	--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+	--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+	--user=nginx \
+	--group=nginx \
+	--with-compat \
+	--with-threads \
+	--with-http_addition_module \
+	--with-http_auth_request_module \
+	--with-http_dav_module \
+	--with-http_flv_module \
+	--with-http_gunzip_module \
+	--with-http_gzip_static_module \
+	--with-http_mp4_module \
+	--with-http_random_index_module \
+	--with-http_realip_module \
+	--with-http_secure_link_module \
+	--with-http_slice_module \
+	--with-http_ssl_module \
+	--with-http_stub_status_module \
+	--with-http_sub_module \
+	--with-http_v2_module \
+	--with-mail \
+	--with-mail_ssl_module \
+	--with-stream \
+	--with-stream_realip_module \
+	--with-stream_ssl_module \
+	--with-stream_ssl_preread_module -j2 && make -j2 && make install
+RUN cd /opt/luarocks-build && tar -zxf lua-5.1.5.tar.gz && tar zxpf luarocks-3.3.1.tar.gz
+RUN cd /opt/luarocks-build/lua-5.1.5 && make linux test && make install
+RUN cd /opt/luarocks-build/luarocks-3.3.1 && ./configure && make && make install
+RUN apk add unzip && luarocks install lua-resty-openidc && luarocks install lua-cjson
+
 VOLUME [ "/data", "/etc/letsencrypt" ]
 CMD [ "/init" ]
 
diff --git a/docker/dev/Dockerfile b/docker/dev/Dockerfile
@@ -23,6 +23,52 @@ RUN rm -f /etc/nginx/conf.d/production.conf
 RUN curl -L -o /tmp/s6-overlay-amd64.tar.gz "https://github.com/just-containers/s6-overlay/releases/download/v1.22.1.0/s6-overlay-amd64.tar.gz" \
 	&& tar -xzf /tmp/s6-overlay-amd64.tar.gz -C /
 
+RUN mkdir -p /opt/luarocks-build && cd /opt/luarocks-build && apk add readline-dev perl pcre-dev openssl-dev zlib-dev
+RUN wget -O /opt/luarocks-build/luarocks-3.3.1.tar.gz http://luarocks.github.io/luarocks/releases/luarocks-3.3.1.tar.gz && wget -O /opt/luarocks-build/lua-5.1.5.tar.gz http://www.lua.org/ftp/lua-5.1.5.tar.gz
+RUN mkdir -p /opt/openresty-build && cd /opt/openresty-build && wget -O /opt/openresty-build/openresty-1.15.8.3.tar.gz https://openresty.org/download/openresty-1.15.8.3.tar.gz
+RUN cd /opt/openresty-build && tar -xvf openresty-1.15.8.3.tar.gz && cd /opt/openresty-build/openresty-1.15.8.3 && ./configure --prefix=/etc/nginx \
+	--sbin-path=/usr/sbin/nginx \
+	--modules-path=/usr/lib/nginx/modules \
+	--conf-path=/etc/nginx/nginx.conf \
+	--error-log-path=/var/log/nginx/error.log \
+	--http-log-path=/var/log/nginx/access.log \
+	--pid-path=/var/run/nginx.pid \
+	--lock-path=/var/run/nginx.lock \
+	--http-client-body-temp-path=/var/cache/nginx/client_temp \
+	--http-proxy-temp-path=/var/cache/nginx/proxy_temp \
+	--http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \
+	--http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \
+	--http-scgi-temp-path=/var/cache/nginx/scgi_temp \
+	--user=nginx \
+	--group=nginx \
+	--with-compat \
+	--with-threads \
+	--with-http_addition_module \
+	--with-http_auth_request_module \
+	--with-http_dav_module \
+	--with-http_flv_module \
+	--with-http_gunzip_module \
+	--with-http_gzip_static_module \
+	--with-http_mp4_module \
+	--with-http_random_index_module \
+	--with-http_realip_module \
+	--with-http_secure_link_module \
+	--with-http_slice_module \
+	--with-http_ssl_module \
+	--with-http_stub_status_module \
+	--with-http_sub_module \
+	--with-http_v2_module \
+	--with-mail \
+	--with-mail_ssl_module \
+	--with-stream \
+	--with-stream_realip_module \
+	--with-stream_ssl_module \
+	--with-stream_ssl_preread_module -j2 && make -j2 && make install
+RUN cd /opt/luarocks-build && tar -zxf lua-5.1.5.tar.gz && tar zxpf luarocks-3.3.1.tar.gz
+RUN cd /opt/luarocks-build/lua-5.1.5 && make linux test && make install
+RUN cd /opt/luarocks-build/luarocks-3.3.1 && ./configure && make && make install
+RUN apk add unzip && luarocks install lua-resty-openidc && luarocks install lua-cjson
+
 EXPOSE 80
 EXPOSE 81
 EXPOSE 443
diff --git a/docker/rootfs/etc/nginx/nginx.conf b/docker/rootfs/etc/nginx/nginx.conf
@@ -40,6 +40,16 @@ http {
 	proxy_cache_path              /var/lib/nginx/cache/public  levels=1:2 keys_zone=public-cache:30m max_size=192m;
 	proxy_cache_path              /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
 
+	lua_package_path '~/lua/?.lua;;';
+
+	lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+	lua_ssl_verify_depth 5;
+
+	# cache for discovery metadata documents
+	lua_shared_dict discovery 1m;
+	# cache for JWKs
+	lua_shared_dict jwks 1m;
+
 	log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
 	log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
 
