Tagged: oauth
Nginx Plus Docker Image + lua-resty-openidc for OAuth termination
I need a Docker image with Nginx Plus and configured lua-resty-openidc to use Keycloak OAuth provider.
I made it based on this article Deploying NGINX and NGINX Plus with Docker but there was few additional non trivial steps so here is my result.
Create a folder with nginx plus repo keys (nginx-repo.crt and nginx-repo.key)
Then create a Dockerfile with the following content:
FROM ubuntu:artful # Download certificate and key from the customer portal (https://cs.nginx.com) # and copy to the build context COPY nginx-repo.crt /etc/ssl/nginx/ COPY nginx-repo.key /etc/ssl/nginx/ # Install NGINX Plus RUN set -x \ && apt-get update && apt-get upgrade -y \ && apt-get install --no-install-recommends --no-install-suggests -y apt-transport-https ca-certificates \ && apt-get install -y lsb-release wget \ && wget http://nginx.org/keys/nginx_signing.key && apt-key add nginx_signing.key \ && wget -q -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx \ && printf "deb https://plus-pkgs.nginx.com/ubuntu `lsb_release -cs` nginx-plus\n" | tee /etc/apt/sources.list.d/nginx-plus.list \ && apt-get update && apt-get install -y nginx-plus nginx-plus-module-lua nginx-plus-module-ndk luarocks libssl1.0-dev git RUN set -x \ && apt-get remove --purge --auto-remove -y \ && rm -rf /var/lib/apt/lists/* # Forward request logs to Docker log collector RUN ln -sf /dev/stdout /var/log/nginx/access.log \ && ln -sf /dev/stderr /var/log/nginx/error.log RUN luarocks install lua-resty-openidc RUN luarocks install lua-cjson RUN luarocks install lua-resty-string RUN luarocks install lua-resty-http RUN luarocks install lua-resty-session RUN luarocks install lua-resty-jwt EXPOSE 80 STOPSIGNAL SIGTERM CMD ["nginx", "-g", "daemon off;"]
Here you can see that we installing not only nginx-plus but also nginx-plus-module-lua and nginx-plus-module-ndk modules which are needed to run lua-resty-openidc.
Since open lua-resty-openidc is distributed via luarocks package manager we need to install it too and then install all needed packages via luarocks. For lua-crypto dependency you need to install libssl1.0-dev package with OpenSSL headers and for some other package we needed git, don't ask me why, I have no idea.
FYI: openidc is installed into file /usr/local/share/lua/5.1/resty/openidc.lua
Then you need to build an image with
docker build --no-cache -t nginxplus .
If you have a Docker Registry inside your company you can publish the image there:
docker tag nginxplus your.docker.registry:5000/nginxplus
docker push your.docker.registry:5000/nginxplus
Not you have an image and you can run it. All you need is to mount you server config into /etc/nginx folder. Consider you have a docker-compose.yml file with the following content:
version: '3'
services:
gw-nginx:
image: your.docker.registry:5000/nginxplus
container_name: gw-nginx
volumes:
- ~/gateway/etc/nginx/nginx.conf:/etc/nginx/nginx.conf
- ~/gateway/etc/nginx/conf.d/:/etc/nginx/conf.d/
- /etc/localtime:/etc/localtime
ports:
- 80:80
gw-keycloak:
image: jboss/keycloak
container_name: gw-keycloak
volumes:
- /etc/localtime:/etc/localtime
ports:
- 8080:8080
environment:
- KEYCLOAK_USER=root
- KEYCLOAK_PASSWORD=changeMePlease
- PROXY_ADDRESS_FORWARDING=true
Now create a gateway folder:
mkdir ~/gateway
cd ~/gateway
And plase nginx.conf file into ~/gateway/etc/nginx/nginx.conf. The most important is to place this two lines:
...
http {
resolver yourdnsip;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
...
}
For some reason without this lines Lua scripts can’t resolve upstreams.
Create ~/gateway/etc/nginx/conf.d/default.conf file and configure it as descibed in restly-openidc documentation.
Finally you can run it with docker-compose up -d command.
[Linkset] Authorization termination: OAuth reverse proxy
UPDATE Today was released Nginx Plus with a new nginx-openid-connect module.
If you are looking for Authentication Server or OAuth library then OpenID Conect implementations page is a good place to start. I chose Keycloak but also want to look on FreeIPA or https://ipsilon-project.org
Keycloak Security Proxy but I want proxy as Nginx module and I need to implement something non standard.
Also there is some an OpenID/Keycloak Proxy service https://github.com/gambol99/keycloak-proxy
For Apache web server everything is clear:
https://github.com/zmartzone/mod_auth_openidc
But I need something for Nginx .
lua-resty-openidc and it’s intro blog post written in Lua so its easier to extend (so I did for implementing of custom grant flow+ sessions + reference tokens).
https://github.com/tarachandverma/nginx-openidc written fully in C++ and this is interesting because you don’t need to enable Lua on Nginx (believe me, this can be harmful).
What is also interesting is tha module for only one purpose: to use reference tokens (opaque tokens)
https://github.com/curityio/nginx_phantom_token_module it’s written in C so no needs for additional deps.
Authentication Based on Subrequest Result
Actually Nginx already has something that can satisfy 80% of your needs:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/
https://www.nginx.com/blog/nginx-plus-authenticate-users/
http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
https://github.com/nginxinc/nginx-ldap-auth
https://redbyte.eu/en/blog/using-the-nginx-auth-request-module/
https://news.ycombinator.com/item?id=7641148
But to use the sebrequest auth your auth server should support this or you need to setup another shim proxy:
https://github.com/bitly/oauth2_proxy
and here is docker container which integrates it https://github.com/sinnerschrader/oauth-proxy-nginx
Or you can use this one which is written in Lua
https://github.com/jirutka/ngx-oauth
Bonus:
Important article from Security researcher Egor Homakov who hacked several times GitHub and Facebook:
stokito on software 