Use OpenResty instead of plain nginx to support OpenID Connect authorization.

Subv · Jamie Curnow · commit da7c0ba82662 · 2021-02-08T12:43:16.000+10:00
diff --git a/backend/templates/_openid_connect.conf b/backend/templates/_openid_connect.conf
@@ -0,0 +1,26 @@
+{% if openidc_enabled -%}
+    access_by_lua_block {
+	    local openidc = require("resty.openidc")
+        local opts = {
+            redirect_uri = "{{- openidc_redirect_uri -}}",
+            discovery = "{{- openidc_discovery -}}",
+            token_endpoint_auth_method = "{{- openidc_auth_method -}}",
+            client_id = "{{- openidc_client_id -}}",
+            client_secret = "{{- openidc_client_secret -}}",
+            scope = "openid email profile"
+        }
+
+        local res, err = openidc.authenticate(opts)
+
+        if err then
+            ngx.status = 500
+            ngx.say(err)
+            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+        end
+
+
+        ngx.req.set_header("X-OIDC-SUB", res.id_token.sub)
+        ngx.req.set_header("X-OIDC-EMAIL", res.id_token.email)
+        ngx.req.set_header("X-OIDC-NAME", res.id_token.name)
+    }
+{% endif %}
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
@@ -43,6 +43,8 @@ server {
 
     {% endif %}
 
+{% include "_openid_connect.conf" %}
+
 {% include "_forced_ssl.conf" %}
 {% include "_hsts.conf" %}
 
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -43,7 +43,7 @@ RUN yarn install
 COPY docker/rootfs      /
 
 # Remove frontend service not required for prod, dev nginx config as well
-RUN rm -rf /etc/services.d/frontend RUN rm -f /etc/nginx/conf.d/dev.conf
+RUN rm -rf /etc/services.d/frontend && rm -f /etc/nginx/conf.d/dev.conf
 
 VOLUME [ "/data", "/etc/letsencrypt" ]
 ENTRYPOINT [ "/init" ]
diff --git a/docker/rootfs/etc/nginx/nginx.conf b/docker/rootfs/etc/nginx/nginx.conf
@@ -43,6 +43,16 @@ http {
 	proxy_cache_path              /var/lib/nginx/cache/public  levels=1:2 keys_zone=public-cache:30m max_size=192m;
 	proxy_cache_path              /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
 
+	lua_package_path '~/lua/?.lua;;';
+
+	lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+	lua_ssl_verify_depth 5;
+
+	# cache for discovery metadata documents
+	lua_shared_dict discovery 1m;
+	# cache for JWKs
+	lua_shared_dict jwks 1m;
+
 	log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
 	log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
 
