A demo setup for restricting access to web sites, or to specific paths within a web site, based on nginx. It is docker-compose based and deployed via Ansible.
The behavior we want to achieve:
- Documents can be public, in our case: https://nginxtest.grtnr.io
- Documents can be secret, i.e. only accessible after logging in with Google (any Google account will do): https://nginxtest.grtnr.io/secret/
The login flow is as follows:
- The user sends a request to https://grtnr.io/secret without being logged in
- nginx checks the credentials by forwarding the request to Vouch: it routes it to /validate, which corresponds to http://vouch:9090/validate within the docker-compose network
- Vouch inspects the headers and returns 401 Unauthorized
- For nginx this is an error, so it forwards the browser to the error page: https://vouch.grtnr.io/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err
- The browser sends a request to this Vouch URL
- Vouch responds with a 302 Found and redirects the browser to the Google login
- The browser goes to Google and logs in
- The Google login redirects the browser to the return address: https://vouch.ngingtest.grtnr.io/auth
- The browser sends a request to that Vouch URL
- Vouch redirects the browser back to nginx: https://grtnr.io/secret
- The browser sends a request to https://grtnr.io/secret, this time carrying a JWT
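The nginx side of this flow, as an added illustration (not the configuration from this repository): the `/validate` subrequest to `vouch:9090`, the `auth_request_set` captures that fill the `$auth_resp_*` variables used in the error page URL above, and the 401 handler that sends the browser to Vouch. Hostnames and the port are taken from the flow above; the document roots and the static-files setup are assumptions for the demo.

```nginx
server {
    listen 443 ssl;
    server_name nginxtest.grtnr.io;
    # TLS certificate/key paths are placeholders for this example
    ssl_certificate     /etc/letsencrypt/live/EXAMPLE/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/EXAMPLE/privkey.pem;

    # Public documents: no authentication
    location / {
        root /usr/share/nginx/html;
    }

    # Subrequest target: only reachable from auth_request, never from a client
    location = /validate {
        internal;
        proxy_pass http://vouch:9090/validate;
        # Vouch only needs headers (cookie), not the request body
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Capture Vouch's response headers so the 401 redirect can use them
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        auth_request_set $auth_resp_jwt          $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err          $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount    $upstream_http_x_vouch_failcount;
    }

    # A 401 from the subrequest becomes a redirect to the Vouch login page;
    # "url=" tells Vouch where to send the browser after a successful login
    error_page 401 = @error401;
    location @error401 {
        return 302 https://vouch.grtnr.io/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    # Secret documents: every request is first validated by Vouch
    location /secret/ {
        auth_request /validate;
        root /usr/share/nginx/html;
    }
}
```

With this in place, a request to /secret/ without a valid Vouch cookie produces the 401 -> 302 -> Google -> /auth -> /secret round trip listed above, and nginx's error log shows the subrequest result if the redirect loop does not close.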
- An example of a Vouch configuration with whitelisted email addresses is here.
- A good and thorough explanation of how nginx and Letsencrypt interact within a docker setup: How to set up an easy and secure reverse proxy with Docker, Nginx & Letsencrypt
- Maybe I want to use Statping
- A complete guide: Add Google Authentication to any Website using Nginx and Oauth Proxy
- This article also explains how JS code can run within nginx: Validating OAuth 2.0 Access Tokens with NGINX and NGINX Plus
- Another alternative to OAuth2 Proxy: Vouch
- Two explanations of how to use Vouch: Use nginx to Add Authentication to Any Application and Enforce Google Authentication for Any Application with nginx and Vouch Proxy
- The docker image I plan to use is from Bitnami