Permalink
Find file
41fe333 Sep 17, 2015
86 lines (66 sloc) 2.29 KB
# nginx-sso - example nginx config
#
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
#
# This is an example config for using nginx with the nginx-sso cookie system.
# For simplicity, this config sets up two fictional vhosts that you can use to
# test against both components of the nginx-sso system: ssoauth & ssologin.
# In a real deployment, these vhosts would be separate hosts.
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
# This is the vserver for the service that you want to protect.
server {
server_name secret.domain.dev;
listen 8080;
# It has one /auth URI which is the endpoint that protected
# resources have to query. The /auth endpoint does not need the
# request_body, but it obviously needs the IP, Host and
# original URI for the request.
location = /auth {
internal;
proxy_pass http://127.0.0.1:8082;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
}
# This is an example of a protected resource. The first line
# should be auth_request. If you want to pass the headers from
# the authentication backend to your application (Remote-User
# etc), you'll have to include the lines with auth_request_set
# and proxy_set header.
location /secret {
auth_request /auth;
auth_request_set $user $upstream_http_remote_user;
proxy_set_header Remote-User $user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-Groups $groups;
auth_request_set $expiry $upstream_http_remote_expiry;
proxy_set_header Remote-Expiry $expiry;
#return 200 "Open Sesame!";
proxy_pass http://127.0.0.1:52342;
}
}
# This is the vserver for your login service
server {
server_name login.domain.dev;
listen 8080 default_server;
# The login endpoint also needs the Host and real IP of the
# client to build the sso cookie.
location /login {
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://127.0.0.1:8081;
}
}
}