From 67cbce781027258d5a030c5af26c7cd54a46632f Mon Sep 17 00:00:00 2001
From: Nitroboy
Date: Sun, 1 Sep 2019 15:05:02 +0200
Subject: [PATCH 1/8] Delete Dockerfile
---
 Dockerfile | 144 ----------------------------------------------------
 1 file changed, 144 deletions(-)
 delete mode 100644 Dockerfile
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 29f7295..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,144 +0,0 @@
-FROM centos:7
-
-LABEL maintainer="TeslaGov" email="developers@teslagov.com"
-
-ARG NGINX_VERSION=1.12.2
-
-ENV LD_LIBRARY_PATH=/usr/local/lib
-
-RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
- yum -y update && \
- yum -y groupinstall 'Development Tools' && \
- yum -y install pcre-devel pcre zlib-devel openssl-devel wget cmake check-devel check && \
- yum -y install nginx-$NGINX_VERSION
-
-# for compiling for rh-nginx110
-# yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed
-
-# for compiling for epel7
-RUN yum -y install libxml2 libxslt libxml2-devel libxslt-devel gd gd-devel perl-ExtUtils-Embed geoip geoip-devel google-perftools google-perftools-devel
-
-RUN mkdir -p /root/dl
-WORKDIR /root/dl
-
-# build jansson
-ARG JANSSON_VERSION=2.10
-RUN wget https://github.com/akheron/jansson/archive/v$JANSSON_VERSION.zip && \
- unzip v$JANSSON_VERSION.zip && \
- rm v$JANSSON_VERSION.zip && \
- ln -sf jansson-$JANSSON_VERSION jansson && \
- cd /root/dl/jansson && \
- cmake . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
- make && \
- make check && \
- make install
-
-# build libjwt
-ARG LIBJWT_VERSION=1.9.0
-RUN wget https://github.com/benmcollins/libjwt/archive/v$LIBJWT_VERSION.zip && \
- unzip v$LIBJWT_VERSION.zip && \
- rm v$LIBJWT_VERSION.zip && \
- ln -sf libjwt-$LIBJWT_VERSION libjwt && \
- cd /root/dl/libjwt && \
- autoreconf -i && \
- ./configure JANSSON_CFLAGS=/usr/local/include JANSSON_LIBS=/usr/local/lib && \
- make all && \
- make install
-
-ADD . /root/dl/ngx-http-auth-jwt-module
-
-# after 1.11.5 use this command
-# ./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module --with-cc-opt='-std=gnu99'
-# cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /etc/nginx/modules/.
-# build nginx module against nginx sources
-#
-# 1.10.2 from nginx by default use config flags... I had to add the -std=c99 and could not achieve "binary compatibility"
-# ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-file-aio --with-threads --with-ipv6 --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_ssl_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -std=c99'
-#
-# rh-nginx110 uses these config flags
-# ./configure --add-dynamic-module=../ngx-http-auth-jwt-module --prefix=/opt/rh/rh-nginx110/root/usr/share/nginx --sbin-path=/opt/rh/rh-nginx110/root/usr/sbin/nginx --modules-path=/opt/rh/rh-nginx110/root/usr/lib64/nginx/modules --conf-path=/etc/opt/rh/rh-nginx110/nginx/nginx.conf --error-log-path=/var/opt/rh/rh-nginx110/log/nginx/error.log --http-log-path=/var/opt/rh/rh-nginx110/log/nginx/access.log --http-client-body-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/opt/rh/rh-nginx110/lib/nginx/tmp/scgi --pid-path=/var/opt/rh/rh-nginx110/run/nginx/nginx.pid --lock-path=/var/opt/rh/rh-nginx110/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=c99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
-#
-# epel7 version uses these config flags
-# ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
-#
-#RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
-# tar -xzf nginx-$NGINX_VERSION.tar.gz && \
-# rm nginx-$NGINX_VERSION.tar.gz && \
-# ln -sf nginx-$NGINX_VERSION nginx && \
-# cd /root/dl/nginx && \
-# ./configure --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
-# make modules && \
-# cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /usr/lib64/nginx/modules/.
-
-# ARG CACHEBUST=1
-
-RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
- tar -xzf nginx-$NGINX_VERSION.tar.gz && \
- rm nginx-$NGINX_VERSION.tar.gz && \
- ln -sf nginx-$NGINX_VERSION nginx && \
- cd /root/dl/nginx && \
- ./configure \
- --add-dynamic-module=../ngx-http-auth-jwt-module \
- --prefix=/usr/share/nginx \
- --sbin-path=/usr/sbin/nginx \
- --modules-path=/usr/lib64/nginx/modules \
- --conf-path=/etc/nginx/nginx.conf \
- --error-log-path=/var/log/nginx/error.log \
- --http-log-path=/var/log/nginx/access.log \
- --http-client-body-temp-path=/var/lib/nginx/tmp/client_body \
- --http-proxy-temp-path=/var/lib/nginx/tmp/proxy \
- --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi \
- --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi \
- --http-scgi-temp-path=/var/lib/nginx/tmp/scgi \
- --pid-path=/run/nginx.pid \
- --lock-path=/run/lock/subsys/nginx \
- --user=nginx \
- --group=nginx \
- --with-file-aio \
- --with-ipv6 \
- --with-http_ssl_module \
- --with-http_v2_module \
- --with-http_realip_module \
- --with-http_addition_module \
- --with-http_xslt_module=dynamic \
- --with-http_image_filter_module=dynamic \
- --with-http_geoip_module=dynamic \
- --with-http_sub_module \
- --with-http_dav_module \
- --with-http_flv_module \
- --with-http_mp4_module \
- --with-http_gunzip_module \
- --with-http_gzip_static_module \
- --with-http_random_index_module \
- --with-http_secure_link_module \
- --with-http_degradation_module \
- --with-http_slice_module \
- --with-http_stub_status_module \
- --with-http_perl_module=dynamic \
- --with-mail=dynamic \
- --with-mail_ssl_module \
- --with-pcre \
- --with-pcre-jit \
- --with-stream=dynamic \
- --with-stream_ssl_module \
- --with-google_perftools_module \
- --with-debug \
- --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -std=gnu99' \
- --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E' && \
- make modules && \
- cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /usr/lib64/nginx/modules/. && \
- mkdir /build && \
- cp /root/dl/nginx/objs/ngx_http_auth_jwt_module.so /build.
-
-# Get nginx ready to run
-COPY resources/nginx.conf /etc/nginx/nginx.conf
-COPY resources/test-jwt-nginx.conf /etc/nginx/conf.d/test-jwt-nginx.conf
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-rs256
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-auth-header
-RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-no-redirect
-
-ENTRYPOINT ["/usr/sbin/nginx"]
-#ENTRYPOINT ["while true; do echo hello world; sleep 1; done"]
-
-EXPOSE 8000
From 70a947d392f78797adcad3106ec9f668816c5392 Mon Sep 17 00:00:00 2001
From: Nitroboy
Date: Sun, 1 Sep 2019 15:06:05 +0200
Subject: [PATCH 2/8] Delete Dockerfile-test
---
 Dockerfile-test | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 Dockerfile-test
diff --git a/Dockerfile-test b/Dockerfile-test
deleted file mode 100644
index adff57a..0000000
--- a/Dockerfile-test
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM alpine:3.7
-RUN apk add --no-cache bash curl
-COPY test.sh .
-CMD ["./test.sh"]
\ No newline at end of file
From 48cbd8bbb2ea0f16a6f82e0fafd27bec42326cbe Mon Sep 17 00:00:00 2001
From: Nitroboy
Date: Sun, 1 Sep 2019 15:06:35 +0200
Subject: [PATCH 3/8] Delete Makefile
---
 Makefile | 53 -----------------------------------------------------
 1 file changed, 53 deletions(-)
 delete mode 100644 Makefile
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 25a0150..0000000
--- a/Makefile
+++ /dev/null
@@ -1,53 +0,0 @@
-SHELL += -eu
-
-BLUE := \033[0;34m
-GREEN := \033[0;32m
-RED := \033[0;31m
-NC := \033[0m
-
-DOCKER_ORG_NAME = teslagov
-DOCKER_IMAGE_NAME = jwt-nginx
-
-.PHONY: all
-all:
- @$(MAKE) build-nginx
- @$(MAKE) build-test-runner
- @$(MAKE) start-nginx
- @$(MAKE) test
-
-.PHONY: build-nginx
-build-nginx:
- @echo "${BLUE} Building...${NC}"
- @docker image build -t $(DOCKER_ORG_NAME)/$(DOCKER_IMAGE_NAME) . ; \
- if [ $$? -ne 0 ] ; \
- then echo "${RED} Build failed :(${NC}" ; \
- else echo "${GREEN}✓ Successfully built NGINX module ${NC}" ; fi
-
-.PHONY: rebuild-nginx
-rebuild-nginx:
- @echo "${BLUE} Rebuilding...${NC}"
- @docker image build -t $(DOCKER_ORG_NAME)/$(DOCKER_IMAGE_NAME) . --no-cache ; \
- if [ $$? -ne 0 ] ; \
- then echo "${RED} Build failed :(${NC}" ; \
- else echo "${GREEN}✓ Successfully rebuilt NGINX module ${NC}" ; fi
-
-.PHONY: stop-nginx
-stop-nginx:
- docker stop $(shell docker inspect --format="{{.Id}}" "$(DOCKER_IMAGE_NAME)-cont") ||:
-
-.PHONY: start-nginx
-start-nginx:
- docker run --rm --name "$(DOCKER_IMAGE_NAME)-cont" -d -p 8000:8000 $(DOCKER_ORG_NAME)/$(DOCKER_IMAGE_NAME)
- docker cp $(DOCKER_IMAGE_NAME)-cont:/usr/lib64/nginx/modules/ngx_http_auth_jwt_module.so .
-
-.PHONY: build-test-runner
-build-test-runner:
- docker image build -f Dockerfile-test -t $(DOCKER_ORG_NAME)/jwt-nginx-test-runner .
-
-.PHONY: frebuild-test-runner
-rebuild-test-runner:
- docker image build -f Dockerfile-test -t $(DOCKER_ORG_NAME)/jwt-nginx-test-runner . --no-cache
-
-.PHONY: test
-test:
- docker run --rm $(DOCKER_ORG_NAME)/jwt-nginx-test-runner
\ No newline at end of file
From 4217c29b034e1944746021c0585e7491358796c9 Mon Sep 17 00:00:00 2001
From: Nitroboy
Date: Sun, 1 Sep 2019 15:06:56 +0200
Subject: [PATCH 4/8] Delete test.sh
---
 test.sh | 48 ------------------------------------------------
 1 file changed, 48 deletions(-)
 delete mode 100755 test.sh
diff --git a/test.sh b/test.sh
deleted file mode 100755
index 955bb13..0000000
--- a/test.sh
+++ /dev/null
@@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-
-RED='\033[01;31m'
-GREEN='\033[01;32m'
-NONE='\033[00m'
-
-test_jwt () {
- local name=$1
- local path=$2
- local expect=$3
- local extra=$4
-
- cmd="curl -X GET -o /dev/null --silent --head --write-out '%{http_code}' http://host.docker.internal:8000$path -H 'cache-control: no-cache' $extra"
-
- test=$( eval ${cmd} )
- if [ "$test" -eq "$expect" ];then
- echo -e "${GREEN}${name}: passed (${test})${NONE}";
- else
- echo -e "${RED}${name}: failed (${test})${NONE}";
- fi
-}
-
-main() {
- local VALIDJWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.TvDD63ZOqFKgE-uxPDdP5aGIsbl5xPKz4fMul3Zlti4
- local MISSING_SUB_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmaXJzdE5hbWUiOiJoZWxsbyIsImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwicm9sZXMiOlsidGhpcyIsInRoYXQiLCJ0aGVvdGhlciJdLCJpc3MiOiJpc3N1ZXIiLCJwZXJzb25JZCI6Ijc1YmIzY2M3LWI5MzMtNDRmMC05M2M2LTE0N2IwODJmYWRiNSIsImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.lD6jUsazVtzeGhRTNeP_b2Zs6O798V2FQql11QOEI1Q
- local MISSING_EMAIL_JWT=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwibGFzdE5hbWUiOiJ3b3JsZCIsInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwiaXNzIjoiaXNzdWVyIiwicGVyc29uSWQiOiI3NWJiM2NjNy1iOTMzLTQ0ZjAtOTNjNi0xNDdiMDgyZmFkYjUiLCJleHAiOjE5MDg4MzUyMDAsImlhdCI6MTQ4ODgxOTYwMCwidXNlcm5hbWUiOiJoZWxsby53b3JsZCJ9.tJoAl_pvq95hK7GKqsp5TU462pLTbmSYZc1fAHzcqWM
- local VALID_RS256_JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzb21lLWxvbmctdXVpZCIsImZpcnN0TmFtZSI6ImhlbGxvIiwgImxhc3ROYW1lIjoid29ybGQiLCJlbWFpbEFkZHJlc3MiOiJoZWxsb3dvcmxkQGV4YW1wbGUuY29tIiwgInJvbGVzIjpbInRoaXMiLCJ0aGF0IiwidGhlb3RoZXIiXSwgImlzcyI6Imlzc3VlciIsInBlcnNvbklkIjoiNzViYjNjYzctYjkzMy00NGYwLTkzYzYtMTQ3YjA4MmZhZGI1IiwgImV4cCI6MTkwODgzNTIwMCwiaWF0IjoxNDg4ODE5NjAwLCJ1c2VybmFtZSI6ImhlbGxvLndvcmxkIn0.cn5Gb75XL-r7TMsPuqzWoKZ06ZsyF_VZIG0Ohn8uZZFeF8dFUhSrEOYe8WFN6Eon8a8LC0OCI9eNdGiD4m_e9TD1Iz2juqaeos-6yd7SWuODr4YS8KD3cqfXndnLRPzp9PC_UIpATsbqOmxGDrRKvHsQq0TuIXImU3rM_m3kFJFgtoJFHx3KmZUo_Ozkyhhc6Pukikhy6odNAtEyLHP5_tabMXtkeAuIlG8dhjAxef4mJLexYFclG-vl7No5VBU4JrMbfgyxtobcYoE-bDIpmQHywrwo6Li7X0hgHJ17sfS3G2YMHmE-Ij_W2Lf9kf5r2r12DUvg44SLIfM58pCINQ
-
- test_jwt "Insecure test" "/" "200"
-
- test_jwt "Secure test without jwt cookie" "/secure/" "302"
-
- test_jwt "Secure test with jwt cookie" "/secure/" "200" "--cookie \"rampartjwt=${VALIDJWT}\""
-
- test_jwt "Secure test with jwt auth header" "/secure-auth-header/" "200" "--header \"Authorization: Bearer ${VALIDJWT}\""
-
- test_jwt "Secure test without jwt auth header" "/secure-auth-header/" "302"
-
- test_jwt "Secure test without jwt auth header" "/secure-no-redirect/" "401"
-
- test_jwt "Secure test with jwt cookie - with no sub" "/secure/" "200" " --cookie \"rampartjwt=${MISSING_SUB_JWT}\""
-
- test_jwt "Secure test with jwt cookie - with no email" "/secure/" "200" " --cookie \"rampartjwt=${MISSING_EMAIL_JWT}\""
-
- test_jwt "Secure test with rs256 jwt cookie" "/secure-rs256/" "200" " --cookie \"rampartjwt=${VALID_RS256_JWT}\""
-}
-
-main "$@"
\ No newline at end of file
From 94aff90c41d312823224271e4098936c0591e77a Mon Sep 17 00:00:00 2001
From: Nitroboy
Date: Sun, 1 Sep 2019 15:11:27 +0200
Subject: [PATCH 5/8] Update README.md
---
 README.md | 88 +------------------------------------------------------
 1 file changed, 1 insertion(+), 87 deletions(-)
diff --git a/README.md b/README.md
index c04a8fd..28fe237 100644
--- a/README.md
+++ b/README.md
@@ -1,88 +1,2 @@
 # Intro
-This is an NGINX module to check for a valid JWT and proxy to an upstream server or redirect to a login page.
-
-## Building and testing
-To build the Docker image, start NGINX, and run our Bash test against it, run
-```bash
-make
-```
-
-When you make a change to the module, run `make rebuild-nginx`.
-
-When you make a change to `test.sh`, run `make rebuild-test-runner`.
-
-| Command | Description |
-| -------------------------- |:-------------------------------------------:|
-| `make build-nginx` | Builds the NGINX image |
-| `make rebuild-nginx` | Re-builds the NGINX image |
-| `make build-test-runner` | Builds the image that will run `test.sh` |
-| `make rebuild-test-runner` | Re-builds the image that will run `test.sh` |
-| `make start-nginx` | Starts the NGINX container |
-| `make stop-nginx` | Stops the NGINX container |
-| `make test` | Runs `test.sh` against the NGINX container |
-
-You can re-run tests as many times as you like while NGINX is up.
-When you're done running tests, make sure to stop the NGINX container.
-
-The Dockerfile builds all of the dependencies as well as the module,
-downloads a binary version of NGINX, and runs the module as a dynamic module.
-
-Tests get executed in containers. This project is 100% Docker-ized.
-
-## Dependencies
-This module depends on the [JWT C Library](https://github.com/benmcollins/libjwt)
-
-Transitively, that library depends on a JSON Parser called
-[Jansson](https://github.com/akheron/jansson) as well as the OpenSSL library.
-
-## NGINX Directives
-This module requires several new `nginx.conf` directives,
-which can be specified in on the `main` `server` or `location` level.
-
-```
-auth_jwt_key "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"; # see docs for format based on algorithm
-auth_jwt_loginurl "https://yourdomain.com/loginpage";
-auth_jwt_enabled on;
-auth_jwt_algorithm HS256; # or RS256
-auth_jwt_validate_email on; # or off
-```
-
-The default algorithm is 'HS256', for symmetric key validation. When using HS256, the value for `auth_jwt_key` should be specified in binhex format. It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total) as in the example above. Note that using more than 512 bits will not increase the security. For key guidelines please see NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms, Section 5.3.2 The HMAC Key.
-
-The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key.
-That is the public key, rather than a PEM certificate. I.e.:
-
-```
-auth_jwt_key "-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0aPPpS7ufs0bGbW9+OFQ
-RvJwb58fhi2BuHMd7Ys6m8D1jHW/AhDYrYVZtUnA60lxwSJ/ZKreYOQMlNyZfdqA
-rhYyyUkedDn8e0WsDvH+ocY0cMcxCCN5jItCwhIbIkTO6WEGrDgWTY57UfWDqbMZ
-4lMn42f77OKFoxsOA6CVvpsvrprBPIRPa25H2bJHODHEtDr/H519Y681/eCyeQE/
-1ibKL2cMN49O7nRAAaUNoFcO89Uc+GKofcad1TTwtTIwmSMbCLVkzGeExBCrBTQo
-wO6AxLijfWV/JnVxNMUiobiKGc/PP6T5PI70Uv67Y4FzzWTuhqmREb3/BlcbPwtM
-oQIDAQAB
------END PUBLIC KEY-----";
-```
-
-A typical use would be to specify the key and loginurl on the main level
-and then only turn on the locations that you want to secure (not the login page).
-Unauthorized requests are given 302 "Moved Temporarily" responses with a location of the specified loginurl.
-
-```
-auth_jwt_redirect off;
-```
-If you prefer to return 401 Unauthorized, you may turn `auth_jwt_redirect` off.
-
-```
-auth_jwt_validation_type AUTHORIZATION;
-auth_jwt_validation_type COOKIE=rampartjwt;
-```
-By default the authorization header is used to provide a JWT for validation.
-However, you may use the `auth_jwt_validation_type` configuration to specify the name of a cookie that provides the JWT.
-
-```
-auth_jwt_validate_email off;
-```
-By default, the module will attempt to validate the email address field of the JWT, then set the x-email header of the
-session, and will log an error if it isn't found. To disable this behavior, for instance if you are using a different
-user identifier property such as 'sub', set `auth_jwt_validate_email` to the value `off`.
+Forked from [TeslaGov/ngx-http-auth-jwt-module](https://github.com/TeslaGov/ngx-http-auth-jwt-module) in order to be able to download dependencies needed to build the image.
From 0c990696593b8e1b6c2cf8430eb8e7a04e5fc4c2 Mon Sep 17 00:00:00 2001
From: Nitroboy
Date: Sun, 1 Sep 2019 15:12:29 +0200
Subject: [PATCH 6/8] Update README.md
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 28fe237..bb49ec5 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,2 @@
 # Intro
-Forked from [TeslaGov/ngx-http-auth-jwt-module](https://github.com/TeslaGov/ngx-http-auth-jwt-module) in order to be able to download dependencies needed to build the image.
+Forked from [TeslaGov/ngx-http-auth-jwt-module](https://github.com/TeslaGov/ngx-http-auth-jwt-module) in order to be able to download dependencies needed to build the docker image instead of relying on docker host filesystem (which can be windows).
From f7d33774855f23027bb033ee0f88121da51bbb11 Mon Sep 17 00:00:00 2001
From: Nitroboy
Date: Sun, 1 Sep 2019 16:12:25 +0200
Subject: [PATCH 7/8] Update test-jwt-nginx.conf
---
 resources/test-jwt-nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/test-jwt-nginx.conf b/resources/test-jwt-nginx.conf
index b39eb95..5b00207 100644
--- a/resources/test-jwt-nginx.conf
+++ b/resources/test-jwt-nginx.conf
@@ -1,6 +1,6 @@
 server {
 auth_jwt_key "00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF";
- auth_jwt_loginurl "https://teslagov.com";
+ auth_jwt_loginurl "http://dataxel.io/";
 auth_jwt_enabled off;
 auth_jwt_redirect on;
From be29db45e8bc47b1de4f9d6607989c965e4ead91 Mon Sep 17 00:00:00 2001
From: Nitroboy
Date: Tue, 22 Oct 2019 23:53:28 +0200
Subject: [PATCH 8/8] Update nginx.conf
---
 resources/nginx.conf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/resources/nginx.conf b/resources/nginx.conf
index 7ea8afb..524db54 100644
--- a/resources/nginx.conf
+++ b/resources/nginx.conf
@@ -36,6 +36,11 @@ http {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Server $remote_addr;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ proxy_cache_path /tmp/ levels=1:2 keys_zone=s3_cache:10m max_size=500m inactive=60m use_temp_path=off;
 include /etc/nginx/conf.d/*.conf;
 }
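Review bot: The new `auth_jwt_loginurl` value on the `+` line is a plain `http://` URL, whereas the value it replaces was `https://`; with `auth_jwt_redirect on;` two lines below, any request that fails JWT validation in a location where the module is enabled is 302-redirected to this page, so whatever the user types there travels in cleartext and the redirect target itself can be tampered with in transit. Even for a test configuration the scheme should stay TLS, e.g. `auth_jwt_loginurl "https://dataxel.io/";`; if the target genuinely cannot serve TLS, a comment on the line saying so would keep the value from being copied into a production config. The hunk header announces six old and six new lines but only five of each are visible here, so one context line seems to have been lost in rendering.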
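Review bot: `proxy_cache_path /tmp/ …` on the last added line roots the proxy cache at `/tmp` itself instead of a dedicated directory. `/tmp` is world-writable and shared with every other process in the container, so anything else that writes there can place or alter files that nginx later serves as cached upstream responses, and nginx's cache loader and manager treat the whole tree as their own, so unrelated files found there may be removed. Use a directory owned by the worker user and created in the image, e.g. `proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=s3_cache:10m max_size=500m inactive=60m use_temp_path=off;`. No `proxy_cache s3_cache;` directive is visible in this hunk, so confirm the zone is referenced elsewhere; otherwise the path is dead configuration. The enclosing `http {}` block starts outside the hunk.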