Nginx recipes: CAS (central authorization service)
To prepare the central authorization service we need nginx itself and its plugins encrypted-session , echo , headers-more , auth_request , eval , set-misc . (I gave links to my forks, because I made some changes that I haven’t yet been able to push through to the original repositories. You can also use a ready-made way .)
For the server part, add a token generation to the server configuration from the ESIA , basic or LDAP authorization
And in the configuration of the client server, to begin with, we will set
')
Next, just in case, disable the authorization header
Now we protect everything by authorization
For authorized users, we show content from their folder.
And in the absence of authorization, we redirect to the central authorization service.
After successful authorization, the central authorization service redirects us to the specified
For the server part, add a token generation to the server configuration from the ESIA , basic or LDAP authorization
location =/service { set_decode_base64 $auth_decode $cookie_auth; # set_decrypt_session $auth_decrypt $auth_decode; # if ($auth_decrypt) { # , encrypted_session_expires 60; # 1 (1 * 60 = 60) set_encrypt_session $token_encrypt $auth_decrypt; # set_encode_base64 $token_encode $token_encrypt; # set_escape_uri $token_escape $token_encode; # set_unescape_uri $service_unescape $arg_service; # return 303 $service_unescape&token=$token_escape; # } location =/serviceValidate { set_unescape_uri $token_unescape $arg_token; # set_decode_base64 $token_decode $token_unescape; # set_decrypt_session $token_decrypt $token_decode; # return 200 $token_decrypt; # } And in the configuration of the client server, to begin with, we will set
')
encrypted_session_key "abcdefghijklmnopqrstuvwxyz123456"; Next, just in case, disable the authorization header
more_clear_input_headers Authorization; Now we protect everything by authorization
auth_request /auth; location =/auth { internal; set_decode_base64 $auth_decode $cookie_auth; # set_decrypt_session $auth_decrypt $auth_decode; # if ($auth_decrypt = "") { return 401 UNAUTHORIZED; } # , more_set_input_headers "Authorization: Basic $auth_decrypt"; # basic ( $remote_user) echo -n OK; # } For authorized users, we show content from their folder.
location / { alias html/$remote_user/; } And in the absence of authorization, we redirect to the central authorization service.
error_page 401 = @error401; location @error401 { set_escape_uri $request_uri_escape $request_uri; # set_escape_uri $service_escape $scheme://$server_name:$server_port/login?request_uri=$request_uri_escape; # return 303 https://$cas/service?service=$service_escape; # , $cas - } After successful authorization, the central authorization service redirects us to the specified
location =/login { eval $auth { # ( ) proxy_set_header X-Real-IP $remote_addr; # proxy_pass $scheme://$cas:$server_port/serviceValidate?token=$arg_token; # } if ($auth = "") { return 401 UNAUTHORIZED; } # , encrypted_session_expires 43200; # 12 (12 * 60 * 60 = 43200) set_encrypt_session $auth_encrypt $auth; # - set_encode_base64 $auth_encode $auth_encrypt; # add_header Set-Cookie "Auth=$auth_encode; Max-Age=43200"; # 12 (12 * 60 * 60 = 43200) set $arg_request_uri_or_slash $arg_request_uri; # set_if_empty $arg_request_uri_or_slash "/"; # , set_unescape_uri $request_uri_unescape $arg_request_uri_or_slash; # return 303 $request_uri_unescape; # } Source: https://habr.com/ru/post/456634/
All Articles