Merge branch 'master' into pr/42

fitzyjoe · fitzyjoe · commit 734527ea7bd8 · 2020-07-02T18:18:18.000-04:00
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ FROM centos:7
 
 LABEL maintainer="TeslaGov" email="developers@teslagov.com"
 
-ARG NGINX_VERSION=1.12.2
+ARG NGINX_VERSION=1.16.1
 
 ENV LD_LIBRARY_PATH=/usr/local/lib
 
@@ -133,6 +133,8 @@ RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
 # Get nginx ready to run
 COPY resources/nginx.conf /etc/nginx/nginx.conf
 COPY resources/test-jwt-nginx.conf /etc/nginx/conf.d/test-jwt-nginx.conf
+RUN rm -rf /usr/share/nginx/html
+RUN cp -r /root/dl/nginx-1.16.1/html /usr/share/nginx
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-rs256
 RUN cp -r /usr/share/nginx/html /usr/share/nginx/secure-auth-header
diff --git a/README.md b/README.md
@@ -63,19 +63,9 @@ ___location /secure-___location/ {
 }
 ```
 
-```
-auth_jwt_validation_type AUTHORIZATION;
-auth_jwt_validation_type COOKIE=rampartjwt;
-```
-By default the authorization header is used to provide a JWT for validation.
-However, you may use the `auth_jwt_validation_type` configuration to specify the name of a cookie that provides the JWT.
-
-
+The default algorithm is 'HS256', for symmetric key validation.  When using HS256, the value for `auth_jwt_key` should be specified in binhex format.  It is recommended to use at least 256 bits of data (32 pairs of hex characters or 64 characters in total) as in the example above.  Note that using more than 512 bits will not increase the security.  For key guidelines please see NIST Special Publication 800-107 Recommendation for Applications Using Approved Hash Algorithms, Section 5.3.2 The HMAC Key.
 
-The default algorithm is 'HS256', for symmetric key validation.
-Also supported is 'RS256', for RSA 256-bit public key validation.
-
-If using "auth_jwt_algorithm RS256;", then the 'auth_jwt_key' field must be set to your public key.
+The configuration also supports the `auth_jwt_algorithm` 'RS256', for RSA 256-bit public key validation. If using "auth_jwt_algorithm RS256;", then the `auth_jwt_key` field must be set to your public key.
 That is the public key, rather than a PEM certificate.  I.e.:
 
 ```
@@ -90,10 +80,17 @@ oQIDAQAB
 -----END PUBLIC KEY-----";
 ```
 
-By default, the module will attempt to validate the email address field of the JWT, then set the x-email header of the
-session, and will log an error if it isn't found.  To disable this behavior, for instance if you are using a different
-user identifier property such as 'sub', set:
+This module supports two ways of presenting the token.
+```
+auth_jwt_validation_type AUTHORIZATION;
+auth_jwt_validation_type COOKIE=rampartjwt;
+```
+By default the authorization header is used to provide a JWT for validation.
+However, you may use the `auth_jwt_validation_type` configuration to specify the name of a cookie that provides the JWT.
 
 ```
 auth_jwt_validate_email off;
 ```
+By default, the module will attempt to validate the email address field of the JWT, then set the x-email header of the
+session, and will log an error if it isn't found.  To disable this behavior, for instance if you are using a different
+user identifier property such as 'sub', set `auth_jwt_validate_email` to the value `off`.
