TeslaGov / ngx-http-auth-jwt-module

Secure your NGINX locations with JWT
MIT License

Unable to build working docker image #121

Closed dzmitry-kankalovich closed 8 months ago

dzmitry-kankalovich commented 8 months ago

Hello,

I am using my M1 Mac to build nginx with jwt module + I intend to deploy that image to ARM-based VM.

Anyway, the problem is that no matter what I try - build from the sources or inject compiled module - none of it works.

I've tried to pull in compiled module:

FROM nginx:1.24.0

RUN <<`
apt-get update
apt-get -y install libjansson4 libjwt0 wget
cd /etc/nginx
sed -ri '/pid\s+\/var\/run\/nginx\.pid;$/a load_module \/etc\/nginx\/ngx_http_auth_jwt_module\.so;' nginx.conf
wget https://github.com/TeslaGov/ngx-http-auth-jwt-module/releases/download/2.0.1/ngx_http_auth_jwt_module_2.0.1_nginx_1.24.0.tgz
tar -xzf ngx_http_auth_jwt_module_2.0.1_nginx_1.24.0.tgz
rm ngx_http_auth_jwt_module_2.0.1_nginx_1.24.0.tgz
`

Gives me

nginx: [emerg] dlopen() "/etc/nginx/ngx_http_auth_jwt_module.so" failed (/etc/nginx/ngx_http_auth_jwt_module.so: cannot open shared object file: No such file or directory) in /etc/nginx/nginx.conf:1

However, if I ssh to that container - I can verify that the file is present and seemingly accessible.

Then I've tried to compile the thing:

ARG NGINX_VERSION=1.22

FROM nginx:${NGINX_VERSION}

RUN apt-get update && apt-get install -y \
    curl \
    gcc \
    libc-dev \
    make \
    libpcre3-dev \
    zlib1g-dev \
    libssl-dev \
    libjansson-dev \
    libjwt-dev \
    pkg-config

RUN curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx.tar.gz
RUN tar -zxf nginx.tar.gz && mv nginx-${NGINX_VERSION} nginx

RUN curl -fSL https://github.com/TeslaGov/ngx-http-auth-jwt-module/archive/master.tar.gz -o ngx-http-auth-jwt-module.tar.gz
RUN tar -zxf ngx-http-auth-jwt-module.tar.gz

RUN cd nginx \
    && ./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module-master \
    && make modules

RUN cp /nginx/objs/ngx_http_auth_jwt_module.so /usr/lib/nginx/modules

RUN mkdir -p /etc/nginx/modules-enabled/
RUN echo "load_module modules/ngx_http_auth_jwt_module.so;" > /etc/nginx/modules-enabled/50-mod-http-auth-jwt.conf

COPY nginx.conf /etc/nginx/nginx.conf

Same error:

2024/01/14 14:14:54 [emerg] 7#7: dlopen() "/etc/nginx/ngx_http_auth_jwt_module.so" failed (/etc/nginx/ngx_http_auth_jwt_module.so: cannot open shared object file: No such file or directory) in /etc/nginx/nginx.conf:1

with nginx.conf:

load_module /etc/nginx/modules/ngx_http_auth_jwt_module.so;

events {}

http {
  upstream api_backend {
    server api:8000;
  }

  server {
    listen 80;
    server_name api.whatever.com;
    error_page 401 = @error401;

    location = /login {
        proxy_pass http://api_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        auth_jwt "closed area";
        auth_jwt_key_file /container/keys/jwt.key.pub;
        auth_jwt_leeway 5;

        proxy_pass http://api_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
  }
}

This time the module is seemingly loaded (no error at least), but I get another error:

src-web-1  | 2024/01/14 14:28:00 [emerg] 1#1: unknown directive "auth_jwt" in /etc/nginx/nginx.conf:34
src-web-1  | nginx: [emerg] unknown directive "auth_jwt" in /etc/nginx/nginx.conf:34

as if no module loaded?

At this point I am pulling out my hair trying to understand what is going on, but no luck.

Maybe you can spot what is the problem?

dzmitry-kankalovich commented 8 months ago

Also tried to borrow elements of Dockerfile and combine with mine, mostly around build flags:

ARG NGINX_VERSION=1.24

FROM nginx:${NGINX_VERSION}

RUN apt-get update && apt-get install -y \
    curl \
    gcc \
    libc-dev \
    make \
    libpcre3-dev \
    zlib1g-dev \
    libssl-dev \
    libjansson-dev \
    libjwt-dev \
    libjansson4 \
    libjwt0 \
    pkg-config

RUN curl -fSL https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz -o nginx.tar.gz
RUN tar -zxf nginx.tar.gz && mv nginx-${NGINX_VERSION} nginx

RUN curl -fSL https://github.com/TeslaGov/ngx-http-auth-jwt-module/archive/master.tar.gz -o ngx-http-auth-jwt-module.tar.gz
RUN tar -zxf ngx-http-auth-jwt-module.tar.gz
RUN mv /ngx-http-auth-jwt-module-master/ /ngx-http-auth-jwt-module/

RUN <<`
BUILD_FLAGS=''
MAJ=$(echo ${NGINX_VERSION} | cut -f1 -d.)
MIN=$(echo ${NGINX_VERSION} | cut -f2 -d.)
REV=$(echo ${NGINX_VERSION} | cut -f3 -d.)

# NGINX 1.23.0+ changes cookies to use a linked list, and renames `cookies` to `cookie`
if [ "${MAJ}" -gt 1 ] || [ "${MAJ}" -eq 1 -a "${MIN}" -ge 23 ]; then
    BUILD_FLAGS="${BUILD_FLAGS} --with-cc-opt='-DNGX_LINKED_LIST_COOKIES=1'"
fi

cd nginx
./configure --with-compat --add-dynamic-module=../ngx-http-auth-jwt-module ${BUILD_FLAGS}
make modules
`

RUN cp /nginx/objs/ngx_http_auth_jwt_module.so /usr/lib/nginx/modules/

RUN mkdir -p /etc/nginx/modules-enabled/
RUN echo "load_module modules/ngx_http_auth_jwt_module.so;" > /etc/nginx/modules-enabled/50-mod-http-auth-jwt.conf

COPY nginx.conf /etc/nginx/nginx.conf

EXPOSE 80 443

Same error:

2024/01/14 14:39:00 [emerg] 7#7: unknown directive "auth_jwt" in /etc/nginx/nginx.conf:34

dzmitry-kankalovich commented 8 months ago

UPDATE: found the culprit. This is the last time I rely on AI code assistance to generate config files.

Basically my nginx.conf contained look-alike JWT directives, but not exactly. I've checked against test.conf and came up with valid configuration.

Sorry for the noise.

JoshMcCullough commented 8 months ago

Most likely those JWT directives were NGINX's version (paid). Glad you got it working!
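
The mismatch the thread ends on can be caught before nginx starts. The following is an added example, not code from the issue or from the project: a shell check that lists `auth_jwt*` directives this module does not define. The names `MODULE_DIRECTIVES`, `unknown_jwt_directives` and `sample_conf` are invented here, and the directive list is an assumption taken from the project's README that should be confirmed against test.conf.

```shell
#!/bin/sh
# Added example: flag auth_jwt* directives that ngx-http-auth-jwt-module
# does not define (e.g. the NGINX Plus look-alikes from this issue).

# Assumption: names as listed in the project's README; confirm them against
# the module's test.conf for the version you build.
MODULE_DIRECTIVES="auth_jwt_enabled auth_jwt_key auth_jwt_use_keyfile
auth_jwt_keyfile_path auth_jwt_algorithm auth_jwt_location auth_jwt_loginurl
auth_jwt_redirect auth_jwt_validate_sub auth_jwt_extract_var_claims
auth_jwt_extract_request_claims auth_jwt_extract_response_claims"

# Print "LINE:DIRECTIVE" for each auth_jwt* directive outside the list above.
unknown_jwt_directives() {
    awk -v known="$(echo $MODULE_DIRECTIVES)" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        {
            line = $0
            sub(/#.*/, "", line)                 # ignore comments
            m = split(line, seg, /[;{}]/)        # one segment per statement
            for (j = 1; j <= m; j++) {
                if (match(seg[j], /^[ \t]*auth_jwt[a-z_]*/)) {
                    d = substr(seg[j], RSTART, RLENGTH)
                    gsub(/[ \t]/, "", d)
                    if (!(d in ok)) print NR ":" d
                }
            }
        }' "$1"
}

# Constructed sample: the protected location from the nginx.conf in the issue.
sample_conf() {
    cat <<'EOF'
location / {
    auth_jwt "closed area";
    auth_jwt_key_file /container/keys/jwt.key.pub;
    auth_jwt_leeway 5;
    proxy_pass http://api_backend;
}
EOF
}

# Demo: lint the sample; any output is a directive this module will not recognise.
tmp=$(mktemp)
sample_conf > "$tmp"
unknown_jwt_directives "$tmp"
rm -f "$tmp"
```

Run as a Dockerfile `RUN` step ahead of `nginx -t`, a non-empty result can fail the image build instead of surfacing as an `[emerg] unknown directive` at container start.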