Http auth req additions - issue 120 (#121)

* added http_auth_req

* removed existing set-headers

* added an `is defined` check for proxy_pass_request_body
Tom Gamull 2019-04-18 02:51:44 -07:00 committed by Grzegorz Dzien
parent e2ec4f6969
commit 783d29639c
5 changed files with 152 additions and 10 deletions


@ -313,6 +313,7 @@ nginx_main_template:
keyval: false
stream_enable: false
http_global_autoindex: false
#auth_request_http: /auth
# Enable creating dynamic templated NGINX HTTP configuration files.
# Defaults will not produce a valid configuration. Instead they are meant to showcase
@ -329,6 +330,7 @@ nginx_http_template:
root: /usr/share/nginx/html
https_redirect: false
autoindex: false
#auth_request: /auth
ssl:
cert: /etc/ssl/certs/default.crt
key: /etc/ssl/private/default.key
@ -345,6 +347,11 @@ nginx_http_template:
autoindex: false
auth_basic: null
auth_basic_file: null
#auth_req: /auth
#returns:
#return302:
#code: 302
#url: https://sso.somehost.local/?url=https://$http_host$request_uri
http_demo_conf: false
reverse_proxy:
proxy_cache_path:
@ -371,6 +378,32 @@ nginx_http_template:
location: /
proxy_connect_timeout: null
proxy_pass: http://backend
#proxy_pass_request_body: off
proxy_set_header:
header_host:
name: Host
value: $host
header_x_real_ip:
name: X-Real-IP
value: $remote_addr
header_x_forwarded_for:
name: X-Forwarded-For
value: $proxy_add_x_forwarded_for
header_x_forwarded_proto:
name: X-Forwarded-Proto
value: $scheme
#header_upgrade:
#name: Upgrade
#value: $http_upgrade
#header_connection:
#name: Connection
#value: "Upgrade"
#header_random:
#name: RandomName
#value: RandomValue
#internal: false
#proxy_store: off
#proxy_store_acccess: user:rw
proxy_read_timeout: null
proxy_ssl:
cert: /etc/ssl/certs/proxy_default.crt
@ -400,6 +433,11 @@ nginx_http_template:
websocket: false
auth_basic: null
auth_basic_file: null
#auth_req: /auth
#returns:
#return302:
#code: 302
#url: https://sso.somehost.local/?url=https://$http_host$request_uri
health_check_plus: false
proxy_cache:
proxy_cache_path:
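Review bot: The commented example `#proxy_pass_request_body: off` in the reverse-proxy location block will not work once uncommented: Ansible's YAML loader reads bare `off` as boolean false, and the template emits the value verbatim, so nginx receives `proxy_pass_request_body False;` and fails its config test. Quote it as `#proxy_pass_request_body: "off"` (or normalise the value in the template with `| bool | ternary("on", "off")` as is done for proxy_store). The same block spells the store-access key `#proxy_store_acccess:` with three c's while the template reads `proxy_store_access`, so that example would be silently ignored if enabled. The `return302` example also builds the SSO return URL from `$http_host`, which comes straight from the client's Host header — prefer a fixed server name (or `$host` behind an explicit `server_name`) so the redirect target cannot be pointed at an arbitrary host.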


@ -155,6 +155,7 @@ nginx_main_template:
keyval: false
stream_enable: false
http_global_autoindex: false
#auth_request_http: /auth
# Enable creating dynamic templated NGINX HTTP configuration files.
# Defaults will not produce a valid configuration. Instead they are meant to showcase
@ -172,6 +173,7 @@ nginx_http_template:
https_redirect: false
autoindex: false
try_files: $uri $uri/index.html $uri.html =404
#auth_request: /auth
ssl:
cert: /etc/ssl/certs/default.crt
key: /etc/ssl/private/default.key
@ -190,6 +192,11 @@ nginx_http_template:
auth_basic: null
auth_basic_file: null
try_files: $uri $uri/index.html $uri.html =404
#auth_request: /auth
#returns:
#return302:
#code: 302
#url: https://sso.somehost.local/?url=https://$http_host$request_uri
http_demo_conf: false
reverse_proxy:
proxy_cache_path:
@ -216,6 +223,32 @@ nginx_http_template:
location: /
proxy_connect_timeout: null
proxy_pass: http://backend
#proxy_pass_request_body: off
proxy_set_header:
header_host:
name: Host
value: $host
header_x_real_ip:
name: X-Real-IP
value: $remote_addr
header_x_forwarded_for:
name: X-Forwarded-For
value: $proxy_add_x_forwarded_for
header_x_forwarded_proto:
name: X-Forwarded-Proto
value: $scheme
#header_upgrade:
#name: Upgrade
#value: $http_upgrade
#header_connection:
#name: Connection
#value: "Upgrade"
#header_random:
#name: RandomName
#value: RandomValue
#internal: false
#proxy_store: off
#proxy_store_acccess: user:rw
proxy_read_timeout: null
proxy_ssl:
cert: /etc/ssl/certs/proxy_default.crt
@ -242,6 +275,11 @@ nginx_http_template:
auth_basic: null
auth_basic_file: null
try_files: $uri $uri/index.html $uri.html =404
#auth_req: /auth
#returns:
#return302:
#code: 302
#url: https://sso.somehost.local/?url=https://$http_host$request_uri
health_check_plus: false
proxy_cache:
proxy_cache_path:
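Review bot: The location-level example in the last hunk is spelled `#auth_req: /auth`, but the template only tests `...locations[location].auth_request is defined`, so an operator who uncomments `auth_req` gets no `auth_request` directive and the location stays unauthenticated with no warning — a silent fail-open. The web_server example earlier in this file already uses `#auth_request: /auth`; rename the reverse-proxy example to match it and the template key. The sibling defaults file appears to carry the same `auth_req` spelling in both places and should be aligned in the same way.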


@ -18,4 +18,4 @@
when: nginx_modules.xslt | default(false)
- import_tasks: install-waf.yml
when: nginx_modules.waf | default(false) and nginx_type == "plus"
when: nginx_modules.waf | default(false) and nginx_type == "plus"


@ -46,6 +46,9 @@ proxy_temp_path {{ item.value.reverse_proxy.proxy_temp_path.path }} {{ item.valu
{% endif %}
{% endif %}
{% endif %}
{% if item.value.auth_request_http is defined %}
auth_request {{ item.value.auth_request_http }};
{% endif %}
server {
{% if item.value.ssl is defined %}
@ -83,15 +86,34 @@ server {
{% if item.value.try_files is defined %}
try_files {{ item.value.try_files }};
{% endif %}
{% if item.value.auth_request is defined %}
auth_request {{ item.value.auth_request }};
{% endif %}
{% if item.value.reverse_proxy is defined %}
{% for location in item.value.reverse_proxy.locations %}
location {{ item.value.reverse_proxy.locations[location].location }} {
{% if item.value.reverse_proxy.locations[location].internal is sameas true %}
internal;
{% endif %}
{% if item.value.reverse_proxy.locations[location].auth_request is defined %}
auth_request {{ item.value.reverse_proxy.locations[location].auth_request }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].auth_basic is defined and item.value.reverse_proxy.locations[location].auth_basic %}
auth_basic "{{ item.value.reverse_proxy.locations[location].auth_basic }}";
{% endif %}
{% if item.value.reverse_proxy.locations[location].auth_basic_file is defined and item.value.reverse_proxy.locations[location].auth_basic_file %}
auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].returns is defined %}
{% for code in item.value.reverse_proxy.locations[location].returns %}
{% if item.value.reverse_proxy.locations[location].returns[code] is defined %}
return {{ item.value.reverse_proxy.locations[location].returns[code].code }} {{ item.value.reverse_proxy.locations[location].returns[code].url }};
{% else %}
return {{ item.value.reverse_proxy.locations[location].returns[code].url }};
{% endif %}
{% endfor %}
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_connect_timeout is defined and item.value.reverse_proxy.locations[location].proxy_connect_timeout %}
proxy_connect_timeout {{ item.value.reverse_proxy.locations[location].proxy_connect_timeout }};
{% endif %}
@ -99,6 +121,20 @@ server {
{% if item.value.reverse_proxy.locations[location].proxy_read_timeout is defined and item.value.reverse_proxy.locations[location].proxy_read_timeout %}
proxy_read_timeout {{ item.value.reverse_proxy.locations[location].proxy_read_timeout }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_pass_request_body is defined %}
proxy_pass_request_body {{ item.value.reverse_proxy.locations[location].proxy_pass_request_body }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_store is defined %}
proxy_store {{ item.value.reverse_proxy.locations[location].proxy_store | ternary("on", "off") }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_store_access is defined %}
proxy_store_access {{ item.value.reverse_proxy.locations[location].proxy_store_access }};
{% endif %}
{% if item.value.reverse_proxy.locations[location].proxy_set_header is defined %}
{% for header in item.value.reverse_proxy.locations[location].proxy_set_header %}
proxy_set_header {{ item.value.reverse_proxy.locations[location].proxy_set_header[header].name }} {{ item.value.reverse_proxy.locations[location].proxy_set_header[header].value }};
{% endfor %}
{% endif %}
{% if item.value.reverse_proxy.locations[location].try_files is defined %}
try_files {{ item.value.reverse_proxy.locations[location].try_files }};
{% endif %}
@ -166,14 +202,6 @@ server {
health_check;
{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
{% if item.value.reverse_proxy.locations[location].websocket is defined and item.value.reverse_proxy.locations[location].websocket %}
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
{% endif %}
}
{% endfor %}
{% endif %}
@ -189,11 +217,23 @@ server {
{% if item.value.web_server.locations[location].try_files is defined %}
try_files {{ item.value.web_server.locations[location].try_files }};
{% endif %}
{% if item.value.web_server.locations[location].returns is defined %}
{% for code in item.value.web_server.locations[location].returns %}
{% if item.value.web_server.locations[location].returns[code] is defined %}
return {{ item.value.web_server.locations[location].returns[code].code }} {{ item.value.web_server.locations[location].returns[code].url }};
{% else %}
return {{ item.value.web_server.locations[location].returns[code].url }};
{% endif %}
{% endfor %}
{% endif %}
{% if item.value.web_server.locations[location].auth_basic is defined and item.value.web_server.locations[location].auth_basic %}
auth_basic "{{ item.value.web_server.locations[location].auth_basic }}";
{% endif %}
{% if item.value.web_server.locations[location].auth_basic_file is defined and item.value.web_server.locations[location].auth_basic_file %}
auth_basic_user_file {{ item.value.web_server.locations[location].auth_basic_file }};
{% endif %}
{% if item.value.web_server.locations[location].auth_request is defined %}
auth_request {{ item.value.web_server.locations[location].auth_request }};
{% endif %}
}
{% endfor %}
@ -219,4 +259,4 @@ server {
root {{ item.value.error_page }};
}
{% endif %}
}
}
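Review bot: `proxy_pass_request_body` is rendered verbatim from the variable in the new location hunk, unlike `proxy_store` two lines below which goes through `ternary("on", "off")`; a YAML value of `off` or `false` arrives as the Python boolean and renders as `proxy_pass_request_body False;`, which nginx rejects, so the auth_request subrequest location this commit is meant to enable cannot be configured without quoting the value. Normalise both spellings in the template: `proxy_pass_request_body {{ item.value.reverse_proxy.locations[location].proxy_pass_request_body | bool | ternary("on", "off") }};` (plain `ternary` alone would turn the string `"off"` into `on`, since a non-empty string is truthy). Separately, in the `returns` loops the test `{% if ...returns[code] is defined %}` is always true for a key that is being iterated, so the `{% else %}` branch that omits the status code is unreachable — the intended test was presumably `returns[code].code is defined`. The enclosing server block starts and ends outside this hunk.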


@ -60,6 +60,19 @@
- Vary
- Cache-Control
proxy_redirect: false
proxy_set_header:
header_host:
name: Host
value: $host
header_x_real_ip:
name: X-Real-IP
value: $remote_addr
header_x_forwarded_for:
name: X-Forwarded-For
value: $proxy_add_x_forwarded_for
header_x_forwarded_proto:
name: X-Forwarded-Proto
value: $scheme
backend:
location: /backend
proxy_pass: http://backend_servers/
@ -74,6 +87,19 @@
- http_502
- http_503
proxy_redirect: default
proxy_set_header:
header_host:
name: Host
value: $host
header_x_real_ip:
name: X-Real-IP
value: $remote_addr
header_x_forwarded_for:
name: X-Forwarded-For
value: $proxy_add_x_forwarded_for
header_x_forwarded_proto:
name: X-Forwarded-Proto
value: $scheme
upstreams:
frontend_upstream:
name: frontend_servers
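Review bot: The X-Forwarded-For example uses `$proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever X-Forwarded-For the client already sent, so the backend receives a client-controlled list with no comment saying so; since the role no longer sets these headers itself, this block is what operators will copy. Add a note above the header, e.g. `# $proxy_add_x_forwarded_for keeps any client-supplied X-Forwarded-For; the backend must only trust the right-most (this proxy's) address`. If the backend makes authorization or rate-limit decisions on the first address in the list, use `$remote_addr` as the value instead.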