From 783d29639cce0a931589e67a1e2cb938b74dd1ef Mon Sep 17 00:00:00 2001 From: Tom Gamull Date: Thu, 18 Apr 2019 02:51:44 -0700 Subject: [PATCH] Http auth req additions - issue 120 (#121) * added http_auth_req * removed existing set-headers * is defined for proxy_pass_request_body --- README.md | 38 ++++++++++++++++ defaults/main.yml | 38 ++++++++++++++++ tasks/modules/install-modules.yml | 2 +- templates/http/default.conf.j2 | 58 +++++++++++++++++++++---- tests/playbooks/nginx-http-template.yml | 26 +++++++++++ 5 files changed, 152 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 368b408..6283117 100644 --- a/README.md +++ b/README.md @@ -313,6 +313,7 @@ nginx_main_template: keyval: false stream_enable: false http_global_autoindex: false + #auth_request_http: /auth # Enable creating dynamic templated NGINX HTTP configuration files. # Defaults will not produce a valid configuration. Instead they are meant to showcase @@ -329,6 +330,7 @@ nginx_http_template: root: /usr/share/nginx/html https_redirect: false autoindex: false + #auth_request: /auth ssl: cert: /etc/ssl/certs/default.crt key: /etc/ssl/private/default.key @@ -345,6 +347,11 @@ nginx_http_template: autoindex: false auth_basic: null auth_basic_file: null + #auth_req: /auth + #returns: + #return302: + #code: 302 + #url: https://sso.somehost.local/?url=https://$http_host$request_uri http_demo_conf: false reverse_proxy: proxy_cache_path: 
@@ -371,6 +378,32 @@ nginx_http_template: location: / proxy_connect_timeout: null proxy_pass: http://backend + #proxy_pass_request_body: off + proxy_set_header: + header_host: + name: Host + value: $host + header_x_real_ip: + name: X-Real-IP + value: $remote_addr + header_x_forwarded_for: + name: X-Forwarded-For + value: $proxy_add_x_forwarded_for + header_x_forwarded_proto: + name: X-Forwarded-Proto + value: $scheme + #header_upgrade: + #name: Upgrade + #value: $http_upgrade + #header_connection: + #name: Connection + #value: "Upgrade" + #header_random: + #name: RandomName + #value: RandomValue + #internal: false + #proxy_store: off + #proxy_store_acccess: user:rw proxy_read_timeout: null proxy_ssl: cert: /etc/ssl/certs/proxy_default.crt @@ -400,6 +433,11 @@ nginx_http_template: websocket: false auth_basic: null auth_basic_file: null + #auth_req: /auth + #returns: + #return302: + #code: 302 + #url: https://sso.somehost.local/?url=https://$http_host$request_uri health_check_plus: false proxy_cache: proxy_cache_path: diff --git a/defaults/main.yml b/defaults/main.yml index d34e167..ea0d2e7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -155,6 +155,7 @@ nginx_main_template: keyval: false stream_enable: false http_global_autoindex: false + #auth_request_http: /auth # Enable creating dynamic templated NGINX HTTP configuration files. # Defaults will not produce a valid configuration. Instead they are meant to showcase @@ -172,6 +173,7 @@ nginx_http_template: https_redirect: false autoindex: false try_files: $uri $uri/index.html $uri.html =404 + #auth_request: /auth ssl: cert: /etc/ssl/certs/default.crt key: /etc/ssl/private/default.key @@ -190,6 +192,11 @@ nginx_http_template: auth_basic: null auth_basic_file: null try_files: $uri $uri/index.html $uri.html =404 + #auth_request: /auth + #returns: + #return302: + #code: 302 + #url: https://sso.somehost.local/?url=https://$http_host$request_uri http_demo_conf: false reverse_proxy: proxy_cache_path: 
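Review bot: `#auth_request_http: /auth` is added under `nginx_main_template` in the defaults hunk `@@ -155` (and in the matching README hunk), but the template reads it as `item.value.auth_request_http` while iterating `nginx_http_template`, so a user who uncomments it where documented will, as far as I can tell, get no http-level `auth_request` rendered. Either move the example under the `nginx_http_template` entry next to the new `#auth_request: /auth`, or have the template read it from `nginx_main_template`. A one-line comment such as `# http-level auth_request; read from the nginx_http_template entry, not from nginx_main_template` would make the scope explicit for whichever side is kept.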
@@ -216,6 +223,32 @@ nginx_http_template: location: / proxy_connect_timeout: null proxy_pass: http://backend + #proxy_pass_request_body: off + proxy_set_header: + header_host: + name: Host + value: $host + header_x_real_ip: + name: X-Real-IP + value: $remote_addr + header_x_forwarded_for: + name: X-Forwarded-For + value: $proxy_add_x_forwarded_for + header_x_forwarded_proto: + name: X-Forwarded-Proto + value: $scheme + #header_upgrade: + #name: Upgrade + #value: $http_upgrade + #header_connection: + #name: Connection + #value: "Upgrade" + #header_random: + #name: RandomName + #value: RandomValue + #internal: false + #proxy_store: off + #proxy_store_acccess: user:rw proxy_read_timeout: null proxy_ssl: cert: /etc/ssl/certs/proxy_default.crt @@ -242,6 +275,11 @@ nginx_http_template: auth_basic: null auth_basic_file: null try_files: $uri $uri/index.html $uri.html =404 + #auth_req: /auth + #returns: + #return302: + #code: 302 + #url: https://sso.somehost.local/?url=https://$http_host$request_uri health_check_plus: false proxy_cache: proxy_cache_path: diff --git a/tasks/modules/install-modules.yml b/tasks/modules/install-modules.yml index 7179d6d..c86f7d2 100644 --- a/tasks/modules/install-modules.yml +++ b/tasks/modules/install-modules.yml @@ -18,4 +18,4 @@ when: nginx_modules.xslt | default(false) - import_tasks: install-waf.yml - when: nginx_modules.waf | default(false) and nginx_type == "plus" + when: nginx_modules.waf | default(false) and nginx_type == "plus" \ No newline at end of file diff --git a/templates/http/default.conf.j2 b/templates/http/default.conf.j2 index 7f9058b..e349bf6 100644 --- a/templates/http/default.conf.j2 +++ b/templates/http/default.conf.j2 @@ -46,6 +46,9 @@ proxy_temp_path {{ item.value.reverse_proxy.proxy_temp_path.path }} {{ item.valu {% endif %} {% endif %} {% endif %} +{% if item.value.auth_request_http is defined %} +auth_request {{ item.value.auth_request_http }}; +{% endif %} server { {% if item.value.ssl is defined %} 
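Review bot: The commented examples in the two defaults hunks on this line use key names the template does not read: `#auth_req: /auth` in the reverse-proxy location (the web-server location in `@@ -190` uses `#auth_request: /auth`, which is what the template checks) and `#proxy_store_acccess: user:rw` (the template checks `proxy_store_access`). Because every new option is guarded by `is defined`, a mistyped key fails silently instead of erroring, so these examples are the only thing steering users to the right name. Change them to `#auth_request: /auth` and `#proxy_store_access: user:rw`; the README hunks carry the same `auth_req` spelling.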
@@ -83,15 +86,34 @@ server { {% if item.value.try_files is defined %} try_files {{ item.value.try_files }}; {% endif %} +{% if item.value.auth_request is defined %} + auth_request {{ item.value.auth_request }}; +{% endif %} + {% if item.value.reverse_proxy is defined %} {% for location in item.value.reverse_proxy.locations %} location {{ item.value.reverse_proxy.locations[location].location }} { +{% if item.value.reverse_proxy.locations[location].internal is sameas true %} + internal; +{% endif %} +{% if item.value.reverse_proxy.locations[location].auth_request is defined %} + auth_request {{ item.value.reverse_proxy.locations[location].auth_request }}; +{% endif %} {% if item.value.reverse_proxy.locations[location].auth_basic is defined and item.value.reverse_proxy.locations[location].auth_basic %} auth_basic "{{ item.value.reverse_proxy.locations[location].auth_basic }}"; {% endif %} {% if item.value.reverse_proxy.locations[location].auth_basic_file is defined and item.value.reverse_proxy.locations[location].auth_basic_file %} auth_basic_user_file {{ item.value.reverse_proxy.locations[location].auth_basic_file }}; {% endif %} +{% if item.value.reverse_proxy.locations[location].returns is defined %} +{% for code in item.value.reverse_proxy.locations[location].returns %} +{% if item.value.reverse_proxy.locations[location].returns[code] is defined %} + return {{ item.value.reverse_proxy.locations[location].returns[code].code }} {{ item.value.reverse_proxy.locations[location].returns[code].url }}; +{% else %} + return {{ item.value.reverse_proxy.locations[location].returns[code].url }}; +{% endif %} +{% endfor %} +{% endif %} {% if item.value.reverse_proxy.locations[location].proxy_connect_timeout is defined and item.value.reverse_proxy.locations[location].proxy_connect_timeout %} proxy_connect_timeout {{ item.value.reverse_proxy.locations[location].proxy_connect_timeout }}; {% endif %} 
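Review bot: In the new `returns` loop, `{% if item.value.reverse_proxy.locations[location].returns[code] is defined %}` is always true because `code` iterates the keys of `returns` itself, so the `{% else %}` branch that emits `return {{ url }}` without a status code is unreachable, and an entry that has only `url` either fails templating on the undefined `code` or, with lenient undefined handling, renders `return  https://...;`. The check presumably meant `{% if item.value.reverse_proxy.locations[location].returns[code].code is defined %}`. The web_server copy of this loop in hunk `@@ -189` has the same issue. Since `returns` is keyed by arbitrary names (`return302` in the defaults), naming the loop variable `entry` rather than `code` would also read more honestly. The enclosing location block continues past the end of the hunk.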
@@ -99,6 +121,20 @@ server { {% if item.value.reverse_proxy.locations[location].proxy_read_timeout is defined and item.value.reverse_proxy.locations[location].proxy_read_timeout %} proxy_read_timeout {{ item.value.reverse_proxy.locations[location].proxy_read_timeout }}; {% endif %} +{% if item.value.reverse_proxy.locations[location].proxy_pass_request_body is defined %} + proxy_pass_request_body {{ item.value.reverse_proxy.locations[location].proxy_pass_request_body }}; +{% endif %} +{% if item.value.reverse_proxy.locations[location].proxy_store is defined %} + proxy_store {{ item.value.reverse_proxy.locations[location].proxy_store | ternary("on", "off") }}; +{% endif %} +{% if item.value.reverse_proxy.locations[location].proxy_store_access is defined %} + proxy_store_access {{ item.value.reverse_proxy.locations[location].proxy_store_access }}; +{% endif %} +{% if item.value.reverse_proxy.locations[location].proxy_set_header is defined %} +{% for header in item.value.reverse_proxy.locations[location].proxy_set_header %} + proxy_set_header {{ item.value.reverse_proxy.locations[location].proxy_set_header[header].name }} {{ item.value.reverse_proxy.locations[location].proxy_set_header[header].value }}; +{% endfor %} +{% endif %} {% if item.value.reverse_proxy.locations[location].try_files is defined %} try_files {{ item.value.reverse_proxy.locations[location].try_files }}; {% endif %} @@ -166,14 +202,6 @@ server { health_check; {% endif %} - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; -{% if item.value.reverse_proxy.locations[location].websocket is defined and item.value.reverse_proxy.locations[location].websocket %} - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; -{% endif %} } {% endfor %} {% endif %} 
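Review bot: `proxy_pass_request_body` is rendered raw while `proxy_store` a few lines below goes through `| ternary("on", "off")`; the defaults example is `#proxy_pass_request_body: off`, and Ansible's YAML loader follows 1.1 booleans, so a bare `off` arrives as boolean false and renders as `proxy_pass_request_body False;`, which nginx rejects. Apply the same filter, `proxy_pass_request_body {{ item.value.reverse_proxy.locations[location].proxy_pass_request_body | ternary("on", "off") }};`, or document that the value must be quoted. For an auth_request subrequest location this directive is normally paired with `proxy_set_header Content-Length "";`; with the new header map the value has to be written as the quoted YAML string `'""'` for the quotes to reach the rendered config, which deserves a comment next to the defaults example.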
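Review bot: Removing the unconditional `proxy_set_header Host/X-Real-IP/X-Forwarded-For/X-Forwarded-Proto` lines and the `websocket` Upgrade/Connection block is a behaviour change for anyone who overrides `nginx_http_template` without adding the new `proxy_set_header` map: their upstreams stop receiving the client address and original scheme, and `websocket: true` (still present in the defaults and README context) now renders nothing, so websocket proxying breaks silently. Consider keeping the `websocket` branch, or at least documenting in defaults that `websocket` is no longer honoured and that the four headers must now be declared per location. The removed lines sit at the end of the location block, which closes just after the hunk.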
@@ -189,11 +217,23 @@ server { {% if item.value.web_server.locations[location].try_files is defined %} try_files {{ item.value.web_server.locations[location].try_files }}; {% endif %} +{% if item.value.web_server.locations[location].returns is defined %} +{% for code in item.value.web_server.locations[location].returns %} +{% if item.value.web_server.locations[location].returns[code] is defined %} + return {{ item.value.web_server.locations[location].returns[code].code }} {{ item.value.web_server.locations[location].returns[code].url }}; +{% else %} + return {{ item.value.web_server.locations[location].returns[code].url }}; +{% endif %} +{% endfor %} +{% endif %} {% if item.value.web_server.locations[location].auth_basic is defined and item.value.web_server.locations[location].auth_basic %} auth_basic "{{ item.value.web_server.locations[location].auth_basic }}"; {% endif %} {% if item.value.web_server.locations[location].auth_basic_file is defined and item.value.web_server.locations[location].auth_basic_file %} auth_basic_user_file {{ item.value.web_server.locations[location].auth_basic_file }}; +{% endif %} +{% if item.value.web_server.locations[location].auth_request is defined %} + auth_request {{ item.value.web_server.locations[location].auth_request }}; {% endif %} } {% endfor %} @@ -219,4 +259,4 @@ server { root {{ item.value.error_page }}; } {% endif %} -} +} \ No newline at end of file diff --git a/tests/playbooks/nginx-http-template.yml b/tests/playbooks/nginx-http-template.yml index 088b1ab..7b9e3b3 100644 --- a/tests/playbooks/nginx-http-template.yml +++ b/tests/playbooks/nginx-http-template.yml 
@@ -60,6 +60,19 @@ - Vary - Cache-Control proxy_redirect: false + proxy_set_header: + header_host: + name: Host + value: $host + header_x_real_ip: + name: X-Real-IP + value: $remote_addr + header_x_forwarded_for: + name: X-Forwarded-For + value: $proxy_add_x_forwarded_for + header_x_forwarded_proto: + name: X-Forwarded-Proto + value: $scheme backend: location: /backend proxy_pass: http://backend_servers/ @@ -74,6 +87,19 @@ - http_502 - http_503 proxy_redirect: default + proxy_set_header: + header_host: + name: Host + value: $host + header_x_real_ip: + name: X-Real-IP + value: $remote_addr + header_x_forwarded_for: + name: X-Forwarded-For + value: $proxy_add_x_forwarded_for + header_x_forwarded_proto: + name: X-Forwarded-Proto + value: $scheme upstreams: frontend_upstream: name: frontend_servers
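Review bot: The test playbook only adds the `proxy_set_header` map to the two reverse-proxy locations; none of the other options this commit introduces (`auth_request`, `internal`, `returns`, `proxy_pass_request_body`, `proxy_store`) are rendered by the tests, so the unreachable `returns` branch and the raw `proxy_pass_request_body` rendering go unexercised. Adding one location with `internal: true`, `auth_request: /auth` and a `returns` entry would cover the new template paths. The two header blocks are byte-identical; a short comment such as `# standard forwarding headers, kept identical in both locations` would help a reader see that the duplication is intentional.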