Nginx Plus Docker Image + lua-resty-openidc for OAuth termination
I need a Docker image with Nginx Plus and lua-resty-openidc configured to use Keycloak as the OAuth provider.
I made it based on the article Deploying NGINX and NGINX Plus with Docker, but there were a few additional non-trivial steps, so here is my result.
Create a folder with nginx plus repo keys (nginx-repo.crt and nginx-repo.key)
Then create a Dockerfile with the following content:
FROM ubuntu:artful

# Download certificate and key from the customer portal (https://cs.nginx.com)
# and copy to the build context
COPY nginx-repo.crt /etc/ssl/nginx/
COPY nginx-repo.key /etc/ssl/nginx/

# Install NGINX Plus together with the Lua and NDK modules needed by lua-resty-openidc
RUN set -x \
  && apt-get update && apt-get upgrade -y \
  && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates \
  && apt-get install -y lsb-release wget \
  && wget http://nginx.org/keys/nginx_signing.key && apt-key add nginx_signing.key \
  && wget -q -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx \
  && printf "deb https://plus-pkgs.nginx.com/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \
  && apt-get update && apt-get install -y nginx-plus nginx-plus-module-lua nginx-plus-module-ndk luarocks libssl1.0-dev git

# Clean up the apt cache to keep the image small
RUN set -x \
  && apt-get remove --purge --auto-remove -y \
  && rm -rf /var/lib/apt/lists/*

# Forward request logs to Docker log collector
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
  && ln -sf /dev/stderr /var/log/nginx/error.log

# lua-resty-openidc and its dependencies come from luarocks
RUN luarocks install lua-resty-openidc
RUN luarocks install lua-cjson
RUN luarocks install lua-resty-string
RUN luarocks install lua-resty-http
RUN luarocks install lua-resty-session
RUN luarocks install lua-resty-jwt

EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["nginx", "-g", "daemon off;"]
Here you can see that we install not only nginx-plus but also the nginx-plus-module-lua and nginx-plus-module-ndk modules, which are needed to run lua-resty-openidc.
Since lua-resty-openidc is distributed via the luarocks package manager, we need to install luarocks too and then install all the needed packages through it. For the lua-crypto dependency you need the libssl1.0-dev package with the OpenSSL headers, and for some other package we needed git, don't ask me why, I have no idea.
FYI: openidc is installed into the file /usr/local/share/lua/5.1/resty/openidc.lua
Then you need to build the image with
docker build --no-cache -t nginxplus .
If you have a Docker Registry inside your company you can publish the image there:
docker tag nginxplus your.docker.registry:5000/nginxplus
docker push your.docker.registry:5000/nginxplus
Now you have an image and you can run it. All you need is to mount your server config into the /etc/nginx folder. Suppose you have a docker-compose.yml file with the following content:
version: '3'
services:
  gw-nginx:
    image: your.docker.registry:5000/nginxplus
    container_name: gw-nginx
    volumes:
      - ~/gateway/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
      - ~/gateway/etc/nginx/conf.d/:/etc/nginx/conf.d/
      - /etc/localtime:/etc/localtime
    ports:
      - 80:80
  gw-keycloak:
    image: jboss/keycloak
    container_name: gw-keycloak
    volumes:
      - /etc/localtime:/etc/localtime
    ports:
      - 8080:8080
    environment:
      - KEYCLOAK_USER=root
      - KEYCLOAK_PASSWORD=changeMePlease
      - PROXY_ADDRESS_FORWARDING=true
Now create a gateway folder:
mkdir ~/gateway
cd ~/gateway
And place the nginx.conf file at ~/gateway/etc/nginx/nginx.conf. The most important thing is to include these lines:
...
http {
    resolver yourdnsip;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;
    ...
}
For some reason, without these lines the Lua scripts can't resolve upstreams.
Create the ~/gateway/etc/nginx/conf.d/default.conf file and configure it as described in the lua-resty-openidc documentation.
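A default.conf that protects an upstream with lua-resty-openidc against the Keycloak container from the compose file, as an added example that is not part of the original post. It assumes a Keycloak realm named gateway with a confidential client gw-nginx, that the compose service name gw-keycloak resolves via the resolver set in nginx.conf, a public hostname gw.example.com and an upstream service app:8080; all of these are placeholders to replace with your own values.

```nginx
# ~/gateway/etc/nginx/conf.d/default.conf (added example, placeholder values)
server {
    listen 80;
    server_name gw.example.com;   # placeholder public hostname

    # lua-resty-session encrypts the session cookie with this value;
    # use a long random string and keep it out of version control
    set $session_secret "REPLACE-WITH-32-RANDOM-BYTES";

    location / {
        access_by_lua_block {
            local opts = {
                -- must match a Valid Redirect URI registered on the Keycloak client
                redirect_uri = "http://gw.example.com/redirect_uri",
                -- discovery endpoint of the realm inside the compose network
                discovery = "http://gw-keycloak:8080/auth/realms/gateway/.well-known/openid-configuration",
                client_id = "gw-nginx",
                client_secret = "REPLACE-WITH-CLIENT-SECRET-FROM-KEYCLOAK",
                scope = "openid email profile",
                -- keep certificate checks on; the CA bundle comes from
                -- lua_ssl_trusted_certificate in nginx.conf
                ssl_verify = "yes",
            }

            -- redirects unauthenticated users to Keycloak, handles the callback
            -- and validates the returned tokens before the request reaches the app
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.status = 500
                ngx.say("authentication failed: " .. err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end

            -- hand the verified identity to the upstream; the upstream must
            -- only be reachable through this gateway so these headers can't be spoofed
            ngx.req.set_header("X-User", res.id_token.preferred_username or "")
            ngx.req.set_header("X-Email", res.id_token.email or "")
        }

        proxy_pass http://app:8080;   # placeholder upstream service
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The /auth prefix in the discovery URL matches the jboss/keycloak image used in the compose file; newer Keycloak distributions drop it.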
Finally you can run it with the docker-compose up -d command.