-
Notifications
You must be signed in to change notification settings - Fork 57
Example configuration: nginx
Example nginx configuration contributed by user TiagoTT
This was done on a fresh Debian 9 server and following approximately the installation instructions on the README.md file.
The following packages had to be installed:
apt-get install nginx php php-fpm php-json php-ldap php-pgsql php-mbstring php7.0-intl php-curl postgresql-client postgresql
And the following NGINX server block was defined:
server {
listen 80;
listen 443 ssl;
server_name dns-ui.example.com;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
root /home/dnsui/dns-ui/public_html;
index init.php;
auth_basic "Opera DNS UI";
auth_basic_user_file /etc/nginx/passwd;
location / {
try_files $uri $uri/ @php;
}
location @php {
rewrite ^/(.*)$ /init.php/$1 last;
}
location /init.php {
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php/php7.0-fpm.sock ;
include /etc/nginx/snippets/fastcgi-php.conf;
}
}
Example nginx + LUA + Google OAuth configuration contributed by user TiagoTT
Google Oauth authentication can be made to work with the help of this NGINX+Lua module: https://github.com/cloudflare/nginx-google-oauth
The user details are still fetched from LDAP and only the authenticated user is passed from Lua module into the PHP code. In other words, the LDAP username must match the Oauth username returned from Google.
The following additional packages need to be installed:
apt-get install lua-cjson lua5.1 luarocks
luarocks install lua-resty-http
mkdir /etc/nginx/lua ; git clone https://github.com/cloudflare/nginx-google-oauth /etc/nginx/lua/nginx-google-oauth
And this is how NGINX server block looks:
server {
listen 80;
listen 443 ssl;
server_name dns-ui-example.com;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
root /home/dnsui/dns-ui/public_html;
index init.php;
access_by_lua_file /etc/nginx/lua/nginx-google-oauth/access.lua;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 3;
# Workaround to avoid IPv6 DNS responses, in case you don't have IPv6 connectivity.
resolver 10.2.2.2 10.2.2.3 ipv6=off;
set $ngo_client_id xxx.apps.googleusercontent.com;
set $ngo_client_secret yyy;
set $ngo_domain example.com;
set $ngo_http_only_cookies true;
set $ngo_secure_cookies true;
set $ngo_token_secret "a very long randomish string";
# Required to get the authenticated user name filled for later usage.
set $ngo_user true;
location / {
try_files $uri $uri/ @php;
}
location @php {
rewrite ^/(.*)$ /init.php/$1 last;
}
location /init.php {
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php/php7.0-fpm.sock ;
include /etc/nginx/snippets/fastcgi-php.conf;
# Pass Google Oauth authenticated user name to the PHP code
fastcgi_param PHP_AUTH_USER $ngo_user;
}
}
The Oauth client ID and Secret are obtained from: https://console.developers.google.com/apis/credentials
Example nginx + auth_request + oauth2_proxy configuration contributed by user captainark
In this example, we'll use oauth2_proxy to authenticate against GitHub, and we'll then send the authenticated user to dns-ui.
Make sure to start oauth2_proxy with the --set-xauthrequest parameter.
We also have to create a user with the same name as your username on GitHub in the dns-ui database :
insert into "user" (uid, name, email, admin, active) values ('dns-user', 'DNS User', 'dns-user@example.com', 1, 1);
In dns-ui config.ini, disable ldap and to enable php_auth.
Please note that dns-ui will be accessible from /dns-ui instead of / with this nginx configuration :
server {
listen 80;
listen 443 ssl;
server_name dns-ui.example.com;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
root /var/www/html;
index index.html;
location /oauth2/ {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $request_uri;
}
location = /oauth2/auth {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
}
location /dns-ui {
alias /var/www/dns-ui/public_html;
auth_request /oauth2/auth;
error_page 401 /oauth2;
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
index init.php;
try_files $uri $uri/ @dnsui;
location /dns-ui/init.php {
# Mitigate https://httpoxy.org/ vulnerabilities
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/php/php7.0-fpm.sock ;
include snippets/fastcgi-php.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param PHP_AUTH_USER $user;
}
}
location @dnsui {
rewrite /dns-ui/(.*)$ /dns-ui/init.php/$1 last;
}
}
As long as the user sent from them matches the one in your database, other oauth2 providers should work. It hasn't been tested, though.