Merge ee600e6 into ee2b2fe

pomerium · Aug 25, 2021 · d3cbe46 · d3cbe46
2 parents ee2b2fe + ee600e6
commit d3cbe46
Show file tree

Hide file tree

Showing 21 changed files with 7,111 additions and 1 deletion.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -100,7 +100,7 @@ jobs:
       matrix:
         go-version: [1.17.x]
         platform: [ubuntu-latest]
-        deployment: [multi, single, traefik]
+        deployment: [multi, nginx, single, traefik]
         idp: [auth0, azure, github, gitlab, google, oidc, okta, onelogin, ping]
     runs-on: ${{ matrix.platform }}
     steps:

diff --git a/integration/clusters/auth0-nginx/compose.yml b/integration/clusters/auth0-nginx/compose.yml
diff --git a/integration/clusters/azure-nginx/compose.yml b/integration/clusters/azure-nginx/compose.yml
diff --git a/integration/clusters/github-nginx/compose.yml b/integration/clusters/github-nginx/compose.yml
diff --git a/integration/clusters/gitlab-nginx/compose.yml b/integration/clusters/gitlab-nginx/compose.yml
diff --git a/integration/clusters/google-nginx/compose.yml b/integration/clusters/google-nginx/compose.yml
diff --git a/integration/clusters/oidc-nginx/compose.yml b/integration/clusters/oidc-nginx/compose.yml
diff --git a/integration/clusters/okta-nginx/compose.yml b/integration/clusters/okta-nginx/compose.yml
diff --git a/integration/clusters/onelogin-nginx/compose.yml b/integration/clusters/onelogin-nginx/compose.yml
diff --git a/integration/clusters/ping-nginx/compose.yml b/integration/clusters/ping-nginx/compose.yml
diff --git a/integration/tpl/backends/nginx.libsonnet b/integration/tpl/backends/nginx.libsonnet
@@ -0,0 +1,181 @@
+local utils = import '../utils.libsonnet';
+local Routes = (import './routes.libsonnet').Routes;
+
+local ProxyConfig() =
+  |||
+    set $pass_access_scheme $scheme;
+    set $pass_server_port $server_port;
+    set $best_http_host $http_host;
+    set $pass_port $pass_server_port;
+    set $proxy_alternative_upstream_name "";
+    client_max_body_size 1m;
+    proxy_set_header Host $best_http_host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "";
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Host $best_http_host;
+    proxy_set_header X-Forwarded-Port $pass_port;
+    proxy_set_header X-Forwarded-Proto $pass_access_scheme;
+    proxy_set_header X-Scheme $pass_access_scheme;
+    proxy_set_header X-Original-Forwarded-For $http_x_forwarded_for;
+    proxy_set_header Proxy "";
+    proxy_connect_timeout 5s;
+    proxy_send_timeout 60s;
+    proxy_read_timeout 60s;
+    proxy_buffering off;
+    proxy_buffer_size 4k;
+    proxy_buffers 4 4k;
+    proxy_max_temp_file_size 1024m;
+    proxy_request_buffering on;
+    proxy_http_version 1.1;
+    proxy_cookie_domain off;
+    proxy_cookie_path off;
+    proxy_next_upstream error timeout;
+    proxy_next_upstream_timeout 0;
+    proxy_next_upstream_tries 3;
+    proxy_redirect off;
+  |||;
+
+local AuthenticateConfig() =
+  |||
+    server {
+      listen 443 ssl;
+      server_name  authenticate.localhost.pomerium.io forward-authenticate.localhost.pomerium.io;
+      ssl_certificate /etc/_wildcard.localhost.pomerium.io.pem;
+      ssl_certificate_key /etc/_wildcard.localhost.pomerium.io-key.pem;
+
+      location / {
+        proxy_pass http://pomerium;
+        include /etc/nginx/proxy.conf;
+      }
+    }
+    upstream pomerium {
+      server pomerium;
+    }
+  |||;
+
+local AuthzConfig() =
+  |||
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+    proxy_set_header X-Forwarded-Proto "";
+    proxy_set_header Host forward-authenticate.localhost.pomerium.io;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Auth-Request-Redirect $request_uri;
+
+    proxy_buffering off;
+    proxy_buffer_size 256k;
+    proxy_buffers 4 256k;
+    proxy_busy_buffers_size 256k;
+    proxy_request_buffering on;
+    proxy_http_version 1.1;
+
+    proxy_ssl_server_name on;
+    proxy_pass_request_headers on;
+
+    client_max_body_size 1m;
+
+    set $target http://pomerium/verify?uri=$scheme://$http_host$request_uri;
+    proxy_pass $target;
+  |||;
+
+local RouteLocationConfig(route) =
+  local rule =
+    if std.objectHas(route, 'prefix') then '^~ ' + route.prefix
+    else if std.objectHas(route, 'path') then '= ' + route.path
+    else '/';
+  |||
+    location %s {
+      proxy_pass %s;
+
+      include /etc/nginx/proxy.conf;
+      # If we get a 401, respond with a named location
+      error_page 401 = @authredirect;
+      # this location requires authentication
+      auth_request /ext_authz;
+      auth_request_set $auth_cookie $upstream_http_set_cookie;
+      add_header Set-Cookie $auth_cookie;
+    }
+  ||| % [rule, route.to];
+
+local DomainServerConfig(domain, routes) =
+  local locations = std.join('\n', std.map(function(route) RouteLocationConfig(route), routes));
+  |||
+    server {
+      listen 443 ssl http2;
+      server_name %s;
+      ssl_certificate /etc/_wildcard.localhost.pomerium.io.pem;
+      ssl_certificate_key /etc/_wildcard.localhost.pomerium.io-key.pem;
+
+      location = /ext_authz {
+        internal;
+        include /etc/nginx/authz.conf;
+      }
+
+      location @authredirect {
+        internal;
+        add_header Set-Cookie $auth_cookie;
+        return 302 https://forward-authenticate.localhost.pomerium.io/?uri=$scheme://$host$request_uri;
+      }
+
+      %s
+    }
+  ||| % [domain, locations];
+
+local RoutesConfig(mode, idp, dns_suffix) =
+  local routes = Routes(mode, idp, dns_suffix);
+  local domains = std.set(std.map(function(route) utils.ParseURL(route.from).host, routes));
+  std.join('\n', [
+    local routesForDomain = std.filter(function(route)
+                                         local url = utils.ParseURL(route.from);
+                                         url.host == domain && (url.scheme == 'http' || url.scheme == 'https'),
+                                       routes);
+    DomainServerConfig(domain, routesForDomain)
+    for domain in domains
+  ]);
+
+local WriteFile(path, contents) =
+  |||
+    cat <<-'END_OF_NGINX' | tee %s
+    %s
+    END_OF_NGINX
+  ||| % [path, std.strReplace(contents, '$', '$$')];
+
+local Command(mode, idp, dns_suffix) =
+  [
+    'sh',
+    '-c',
+    std.join('\n\n', [
+      WriteFile('/etc/nginx/conf.d/authenticate.conf', AuthenticateConfig()),
+      WriteFile('/etc/nginx/conf.d/routes.conf', RoutesConfig(mode, idp, dns_suffix)),
+      WriteFile('/etc/nginx/authz.conf', AuthzConfig()),
+      WriteFile('/etc/nginx/proxy.conf', ProxyConfig()),
+      WriteFile('/etc/_wildcard.localhost.pomerium.io.pem', importstr '../files/trusted.pem'),
+      WriteFile('/etc/_wildcard.localhost.pomerium.io-key.pem', importstr '../files/trusted-key.pem'),
+      "nginx -g 'daemon off;'",
+    ]),
+  ];
+
+function(mode, idp, dns_suffix='') {
+  local image = 'nginx:1.21.1',
+
+  compose: {
+    services: utils.ComposeService('nginx', {
+      image: image,
+      depends_on: {
+        'pomerium-ready': {
+          condition: 'service_completed_successfully',
+        },
+      },
+      entrypoint: Command(mode, idp, dns_suffix),
+      ports: [
+        '80:80/tcp',
+        '443:443/tcp',
+      ],
+    }, ['mock-idp.localhost.pomerium.io']),
+  },
+}
diff --git a/integration/tpl/clusters/auth0-nginx/compose.yml.jsonnet b/integration/tpl/clusters/auth0-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('auth0')
diff --git a/integration/tpl/clusters/azure-nginx/compose.yml.jsonnet b/integration/tpl/clusters/azure-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('azure')
diff --git a/integration/tpl/clusters/github-nginx/compose.yml.jsonnet b/integration/tpl/clusters/github-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('github')
diff --git a/integration/tpl/clusters/gitlab-nginx/compose.yml.jsonnet b/integration/tpl/clusters/gitlab-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('gitlab')
diff --git a/integration/tpl/clusters/google-nginx/compose.yml.jsonnet b/integration/tpl/clusters/google-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('google')
diff --git a/integration/tpl/clusters/oidc-nginx/compose.yml.jsonnet b/integration/tpl/clusters/oidc-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('oidc')
diff --git a/integration/tpl/clusters/okta-nginx/compose.yml.jsonnet b/integration/tpl/clusters/okta-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('okta')
diff --git a/integration/tpl/clusters/onelogin-nginx/compose.yml.jsonnet b/integration/tpl/clusters/onelogin-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('onelogin')
diff --git a/integration/tpl/clusters/ping-nginx/compose.yml.jsonnet b/integration/tpl/clusters/ping-nginx/compose.yml.jsonnet
@@ -0,0 +1 @@
+(import '../../deployments/nginx.libsonnet')('ping')
diff --git a/integration/tpl/deployments/nginx.libsonnet b/integration/tpl/deployments/nginx.libsonnet
@@ -0,0 +1,17 @@
+local utils = import '../utils.libsonnet';
+
+function(idp) utils.Merge([
+  (import '../backends/fortio.libsonnet')().compose,
+  (import '../backends/httpdetails.libsonnet')().compose,
+  (import '../backends/mock-idp.libsonnet')(idp).compose,
+  (import '../backends/pomerium.libsonnet')('nginx', idp).compose,
+  (import '../backends/redis.libsonnet')().compose,
+  (import '../backends/verify.libsonnet')('nginx').compose,
+  (import '../backends/websocket-echo.libsonnet')().compose,
+  (import '../backends/nginx.libsonnet')('single', idp).compose,
+  {
+    networks: {
+      main: {},
+    },
+  },
+])