Split nginx service into portal, backend and authelia services

This setup is closer to real production infrastructure.
2017-11-02 00:37:10 +01:00 · 2017-11-02 00:37:10 +01:00 · bbbffaa3ae
parent b8c8c3bd75
commit bbbffaa3ae
28 changed files with 189 additions and 76 deletions
--- a/example/nginx/authelia/docker-compose.yml
+++ b/example/nginx/authelia/docker-compose.yml
@ -0,0 +1,8 @@
+version: '2'
+services:
+  nginx-authelia:
+    image: nginx:alpine
+    volumes:
+      - ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
+    networks:
+      - example-network
--- a/example/nginx/authelia/nginx.conf
+++ b/example/nginx/authelia/nginx.conf
@ -0,0 +1,54 @@
+# nginx-sso - example nginx config
+#
+# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
+#
+# This is an example config for using nginx with the nginx-sso cookie system.
+# For simplicity, this config sets up two fictional vhosts that you can use to
+# test against both components of the nginx-sso system: ssoauth & ssologin.
+# In a real deployment, these vhosts would be separate hosts.
+
+#user  nobody;
+worker_processes  1;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+
+#pid        logs/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    server {
+        listen 443 ssl;
+        server_name     auth.test.local;
+
+        ssl on;
+        ssl_certificate     /etc/ssl/server.crt;
+        ssl_certificate_key /etc/ssl/server.key;
+
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-Frame-Options "SAMEORIGIN";
+
+        location / {
+            proxy_set_header  X-Original-URI $request_uri;
+            proxy_set_header  Host $http_host;
+            proxy_set_header  X-Real-IP $remote_addr;
+            proxy_set_header  X-Forwarded-Proto $scheme;
+
+            proxy_pass        http://authelia/;
+
+            proxy_intercept_errors on;
+
+            if ($request_method !~ ^(POST)$){
+              error_page 401 = /error/401;
+              error_page 403 = /error/403;
+              error_page 404 = /error/404;
+            }
+        }
+    }
+}
+
--- a/example/nginx/backend/docker-compose.yml
+++ b/example/nginx/backend/docker-compose.yml
@ -0,0 +1,9 @@
+version: '2'
+services:
+  nginx-backend:
+    image: nginx:alpine
+    volumes:
+      - ./example/nginx/backend/html:/usr/share/nginx/html
+      - ./example/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
+    networks:
+      - example-network
--- a/example/nginx/backend/html/admin.test.local/secret.html
+++ b/example/nginx/backend/html/admin.test.local/secret.html
--- a/example/nginx/backend/html/dev.test.local/groups/admin/secret.html
+++ b/example/nginx/backend/html/dev.test.local/groups/admin/secret.html
--- a/example/nginx/backend/html/dev.test.local/groups/dev/secret.html
+++ b/example/nginx/backend/html/dev.test.local/groups/dev/secret.html
--- a/example/nginx/backend/html/dev.test.local/users/bob/secret.html
+++ b/example/nginx/backend/html/dev.test.local/users/bob/secret.html
--- a/example/nginx/backend/html/dev.test.local/users/harry/secret.html
+++ b/example/nginx/backend/html/dev.test.local/users/harry/secret.html
--- a/example/nginx/backend/html/dev.test.local/users/john/secret.html
+++ b/example/nginx/backend/html/dev.test.local/users/john/secret.html
--- a/example/nginx/backend/html/home.test.local/index.html
+++ b/example/nginx/backend/html/home.test.local/index.html
--- a/example/nginx/backend/html/icon.png
+++ b/example/nginx/backend/html/icon.png
--- a/example/nginx/backend/html/mail.test.local/secret.html
+++ b/example/nginx/backend/html/mail.test.local/secret.html
--- a/example/nginx/backend/html/public.test.local/index.html
+++ b/example/nginx/backend/html/public.test.local/index.html
--- a/example/nginx/backend/html/public.test.local/secret.html
+++ b/example/nginx/backend/html/public.test.local/secret.html
--- a/example/nginx/backend/html/single_factor.test.local/secret.html
+++ b/example/nginx/backend/html/single_factor.test.local/secret.html
--- a/example/nginx/backend/nginx.conf
+++ b/example/nginx/backend/nginx.conf
@ -0,0 +1,61 @@
+# nginx-sso - example nginx config
+#
+# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
+#
+# This is an example config for using nginx with the nginx-sso cookie system.
+# For simplicity, this config sets up two fictional vhosts that you can use to
+# test against both components of the nginx-sso system: ssoauth & ssologin.
+# In a real deployment, these vhosts would be separate hosts.
+
+#user  nobody;
+worker_processes  1;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+
+#pid        logs/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    server {
+        listen 80;
+        root /usr/share/nginx/html/home.test.local;
+        server_name     home.test.local;
+    }
+
+    server {
+        listen 80;
+        root /usr/share/nginx/html/public.test.local;
+        server_name     public.test.local;
+    }
+
+    server {
+        listen 80;
+        root /usr/share/nginx/html/admin.test.local;
+        server_name     admin.test.local;
+    }
+
+    server {
+        listen 80;
+        root /usr/share/nginx/html/dev.test.local;
+        server_name     dev.test.local;
+    }
+
+    server {
+        listen 80;
+        root /usr/share/nginx/html/mail.test.local;
+        server_name     mx1.mail.test.local mx2.mail.test.local;
+    }
+
+    server {
+        listen 80;
+        root /usr/share/nginx/html/single_factor.test.local;
+        server_name     single_factor.test.local;
+    }
+}
+
--- a/example/nginx/docker-compose.yml
+++ b/example/nginx/docker-compose.yml
@ -1,21 +0,0 @@
-version: '2'
-services:
-  nginx:
-    image: nginx:alpine
-    volumes:
-      - ./example/nginx/html:/usr/share/nginx/html
-      - ./example/nginx/ssl:/etc/ssl
-      - ./example/nginx/nginx.conf:/etc/nginx/nginx.conf
-    ports:
-      - "8080:443"
-    depends_on:
-      - authelia
-    networks:
-      - example-network
-      #   aliases:
-      #     - home.test.local
-      #     - public.test.local
-      #     - admin.test.local
-      #     - dev.test.local
-      #     - auth.test.local
-
--- a/example/nginx/portal/docker-compose.yml
+++ b/example/nginx/portal/docker-compose.yml
@ -0,0 +1,11 @@
+version: '2'
+services:
+  nginx-portal:
+    image: nginx:alpine
+    volumes:
+      - ./example/nginx/portal/nginx.conf:/etc/nginx/nginx.conf
+      - ./example/nginx/portal/ssl:/etc/ssl
+    ports:
+      - "8080:443"
+    networks:
+      - example-network
--- a/example/nginx/portal/nginx.conf
+++ b/example/nginx/portal/nginx.conf
@ -24,7 +24,7 @@ events {
 http {
    server {
        listen 443 ssl;
-        server_name     auth.test.local localhost;
+        server_name     home.test.local;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
@ -34,41 +34,14 @@ http {
        add_header X-Frame-Options "SAMEORIGIN";

        location / {
-            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  Host $http_host;
-            proxy_set_header  X-Real-IP $remote_addr;
-            proxy_set_header  X-Forwarded-Proto $scheme;

-            proxy_pass        http://authelia/;
-
-            proxy_intercept_errors on;
-
-            if ($request_method !~ ^(POST)$){
-              error_page 401 = /error/401;
-              error_page 403 = /error/403;
-              error_page 404 = /error/404;
-            }
+            proxy_pass        http://nginx-backend/;
        }
    }

    server {
-        listen 443 ssl;
-        root /usr/share/nginx/html/home.test.local;
- 
-        server_name     home.test.local;
-
-        ssl on;
-        ssl_certificate     /etc/ssl/server.crt;
-        ssl_certificate_key /etc/ssl/server.key;
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        add_header X-Frame-Options "SAMEORIGIN";
-    }
-
-    server {
-        listen 443 ssl;
-        root /usr/share/nginx/html/public.test.local;
- 
+        listen 443 ssl; 
        server_name     public.test.local;

        ssl on;
@ -86,7 +59,7 @@ http {
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

-            proxy_pass        http://authelia/api/verify;
+            proxy_pass        http://nginx-authelia/api/verify;
        }

        location / {
@ -100,8 +73,12 @@ http {
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

+            proxy_set_header  Host $http_host;
+
            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
+
+            proxy_pass        http://nginx-backend/;
        }

        location /headers {
@ -115,17 +92,15 @@ http {
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Custom-Forwarded-Groups $groups;

-            proxy_pass        http://httpbin:8000/headers;
-
            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
+
+            proxy_pass        http://httpbin:8000/headers;
        }
    }

    server {
-        listen 443 ssl;
-        root /usr/share/nginx/html/admin.test.local;
- 
+        listen 443 ssl; 
        server_name     admin.test.local;

        ssl on;
@ -143,7 +118,7 @@ http {
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

-            proxy_pass        http://authelia/api/verify;
+            proxy_pass        http://nginx-authelia/api/verify;
        }

        location / {
@ -157,15 +132,17 @@ http {
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

+            proxy_set_header  Host $http_host;
+
            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
+
+            proxy_pass        http://nginx-backend/;
        }
    }

    server {
-        listen 443 ssl;
-        root /usr/share/nginx/html/dev.test.local;
- 
+        listen 443 ssl; 
        server_name     dev.test.local;

        ssl on;
@ -183,7 +160,7 @@ http {
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

-            proxy_pass        http://authelia/api/verify;
+            proxy_pass        http://nginx-authelia/api/verify;
        }

        location / {
@ -197,15 +174,17 @@ http {
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

+            proxy_set_header  Host $http_host;
+
            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
+
+            proxy_pass        http://nginx-backend/;
        }
    }

    server {
-        listen 443 ssl;
-        root /usr/share/nginx/html/mail.test.local;
- 
+        listen 443 ssl; 
        server_name     mx1.mail.test.local mx2.mail.test.local;

        ssl on;
@ -223,7 +202,7 @@ http {
            proxy_set_header  Host $http_host;
            proxy_set_header  Content-Length "";

-            proxy_pass        http://authelia/api/verify;
+            proxy_pass        http://nginx-authelia/api/verify;
        }

        location / {
@ -237,15 +216,17 @@ http {
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

+            proxy_set_header  Host $http_host;
+
            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
+
+            proxy_pass        http://nginx-backend/;
        }
    }

    server {
        listen 443 ssl;
-        root /usr/share/nginx/html/single_factor.test.local;
- 
        server_name     single_factor.test.local;

        ssl on;
@ -264,7 +245,7 @@ http {
            proxy_set_header  Content-Length "";
            proxy_set_header  Proxy-Authorization $http_authorization;

-            proxy_pass        http://authelia/api/verify;
+            proxy_pass        http://nginx-authelia/api/verify;
        }

        location / {
@ -278,8 +259,12 @@ http {
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

+            proxy_set_header  Host $http_host;
+
            error_page 401 =302 https://auth.test.local:8080?redirect=$redirect;
            error_page 403 = https://auth.test.local:8080/error/403;
+
+            proxy_pass        http://nginx-backend/;
        }

        location /headers {
--- a/example/nginx/portal/ssl/server.crt
+++ b/example/nginx/portal/ssl/server.crt
--- a/example/nginx/portal/ssl/server.csr
+++ b/example/nginx/portal/ssl/server.csr
--- a/example/nginx/portal/ssl/server.key
+++ b/example/nginx/portal/ssl/server.key
--- a/scripts/dc-dev.sh
+++ b/scripts/dc-dev.sh
@ -8,7 +8,9 @@ docker-compose \
  -f example/authelia/docker-compose.dev.yml \
  -f example/mongo/docker-compose.yml \
  -f example/redis/docker-compose.yml \
-  -f example/nginx/docker-compose.yml \
+  -f example/nginx/authelia/docker-compose.yml \
+  -f example/nginx/backend/docker-compose.yml \
+  -f example/nginx/portal/docker-compose.yml \
  -f example/smtp/docker-compose.yml \
  -f example/httpbin/docker-compose.yml \
  -f example/ldap/docker-compose.admin.yml \
--- a/scripts/example-commit/dc-example.sh
+++ b/scripts/example-commit/dc-example.sh
@ -7,7 +7,9 @@ docker-compose \
  -f example/docker-compose.base.yml \
  -f example/mongo/docker-compose.yml \
  -f example/redis/docker-compose.yml \
-  -f example/nginx/docker-compose.yml \
+  -f example/nginx/authelia/docker-compose.yml \
+  -f example/nginx/backend/docker-compose.yml \
+  -f example/nginx/portal/docker-compose.yml \
  -f example/smtp/docker-compose.yml \
  -f example/httpbin/docker-compose.yml \
  -f example/ldap/docker-compose.yml $*
--- a/scripts/example-commit/deploy-example.sh
+++ b/scripts/example-commit/deploy-example.sh
@ -3,4 +3,4 @@
 DC_SCRIPT=./scripts/example-commit/dc-example.sh

 $DC_SCRIPT build
-$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp
+$DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend
--- a/scripts/example-dockerhub/dc-example.sh
+++ b/scripts/example-dockerhub/dc-example.sh
@ -7,7 +7,9 @@ docker-compose \
  -f example/authelia/docker-compose.dockerhub.yml \
  -f example/mongo/docker-compose.yml \
  -f example/redis/docker-compose.yml \
-  -f example/nginx/docker-compose.yml \
+  -f example/nginx/authelia/docker-compose.yml \
+  -f example/nginx/backend/docker-compose.yml \
+  -f example/nginx/portal/docker-compose.yml \
  -f example/smtp/docker-compose.yml \
  -f example/httpbin/docker-compose.yml \
  -f example/ldap/docker-compose.yml $*
--- a/scripts/example-dockerhub/deploy-example.sh
+++ b/scripts/example-dockerhub/deploy-example.sh
@ -3,4 +3,4 @@
 DC_SCRIPT=./scripts/example-dockerhub/dc-example.sh

 #$DC_SCRIPT build
-$DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp
+$DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend
--- a/scripts/integration-tests.sh
+++ b/scripts/integration-tests.sh
@ -1,14 +1,14 @@
 #!/bin/bash

 DC_SCRIPT=./scripts/example-commit/dc-example.sh
-EXPECTED_SERVICES_COUNT=7
+EXPECTED_SERVICES_COUNT=9

 build_services() {
    $DC_SCRIPT build authelia
 }

 start_services() {
-    $DC_SCRIPT up -d httpbin mongo redis openldap authelia nginx smtp
+    $DC_SCRIPT up -d httpbin mongo redis openldap authelia smtp nginx-authelia nginx-portal nginx-backend
    sleep 3
 }