Fabio/nginx-proxy-auto-docker
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

change variable names for clarity, only template out vouch config if both variables are set

Browse source
This commit is contained in:
Rahul Vaidya 2022-07-26 00:27:18 -07:00
parent b4f44bf8de
commit ef05f7c5d6
2 changed files with 11 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
README.md
View file

@ -365,8 +365,8 @@ You'll need apache2-utils on the machine where you plan to create the htpasswd f
You can also secure your virtual hosts by using the auth_request nginx module in conjunction with the authentication proxy [vouch-proxy](https://github.com/vouch/vouch-proxy).
Set the following variables on the container you want secured:
VOUCH_INTERNAL_LOCATION - private URL to your vouch-proxy instance, to perform validations again
VOUCH_EXTERNAL_LOCATION - public URL to your vouch-proxy instance
VOUCH_PRIVATE_URL - private URL to your vouch-proxy instance, to perform validations again
VOUCH_PUBLIC_URL - public URL to your vouch-proxy instance
```yaml
authtest:
@ -376,8 +376,8 @@ VOUCH_EXTERNAL_LOCATION - public URL to your vouch-proxy instance
- LETSENCRYPT_HOST=authtest.mydomain.com
- VIRTUAL_HOST=authtest.mydomain.com
- VIRTUAL_PORT=80
- VOUCH_INTERNAL_LOCATION=http://vouch-proxy:9090
- VOUCH_EXTERNAL_LOCATION=https://vouch.mydomain.com
- VOUCH_PRIVATE_URL=http://vouch-proxy:9090
- VOUCH_PUBLIC_URL=https://vouch.mydomain.com
expose:
- "80"
```

16
nginx.tmpl
View file

@ -306,11 +306,11 @@ server {
{{/* Use the cert specified on the container or fallback to the best vhost match */}}
{{ $cert := (coalesce $certName $vhostCert) }}
{{/* Get the VOUCH_INTERNAL_LOCATION defined by containers w/ the same vhost, falling back to empty string (use default) */}}
{{ $vouch_internal_location := or (first (groupByKeys $containers "Env.VOUCH_INTERNAL_LOCATION")) "" }}
{{/* Get the VOUCH_PRIVATE_URL defined by containers w/ the same vhost, falling back to empty string (use default) */}}
{{ $vouch_private_url := or (first (groupByKeys $containers "Env.VOUCH_PRIVATE_URL")) "" }}
{{/* Get the VOUCH_EXTERNAL_LOCATION defined by containers w/ the same vhost, falling back to empty string (use default) */}}
{{ $vouch_external_location := or (first (groupByKeys $containers "Env.VOUCH_EXTERNAL_LOCATION")) "" }}
{{/* Get the VOUCH_PUBLIC_URL defined by containers w/ the same vhost, falling back to empty string (use default) */}}
{{ $vouch_public_url := or (first (groupByKeys $containers "Env.VOUCH_PUBLIC_URL")) "" }}
{{ $is_https := (and (ne $https_method "nohttps") (ne $cert "") (exists (printf "/etc/nginx/certs/%s.crt" $cert)) (exists (printf "/etc/nginx/certs/%s.key" $cert))) }}
@ -388,12 +388,12 @@ server {
include /etc/nginx/vhost.d/default;
{{ end }}
{{ if ne $vouch_internal_location "" }}
{{ if (and (ne $vouch_private_url "") (ne $vouch_public_url "")) }}
auth_request /vouchValidate;
location = /vouchValidate {
# forward the /validate request to Vouch Proxy
proxy_pass {{ $vouch_internal_location }}/validate;
proxy_pass {{ $vouch_private_url }}/validate;
# be sure to pass the original host header
proxy_set_header Host $http_host;
@ -409,15 +409,13 @@ server {
auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}
{{ end }}
{{ if ne $vouch_external_location "" }}
# if validate returns `401 not authorized` then forward the request to the error401block
error_page 401 = @error401;
location @error401 {
# redirect to Vouch Proxy for login
return 302 {{ $vouch_external_location }}/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
return 302 {{ $vouch_public_url }}/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}
{{ end }}