Wow that's a lot of words. What this is a reverse proxy that stands in front of your application. It proxies ALL calls, no exception. While doing so it can either pass ("whitelist") or require authentication, from an OIDC (OpenID Connect) provider.
This proxy uses the OpenResty version of Nginx, that has Lua support, and uses the lua-resty-openidc
library for
authentication, as well as credstash
to fetch credentials as needed.
etc/conf.d/server.lua
to your liking (in particular app_name
and maybe opts
)For testing, or if credstash isn't being used, you can also pass secrets through environment variables:
discovery_url
: This is the well-known URL for your OIDC provider, such as
https://auth.mozilla.auth0.com/.well-known/openid-configuration
client_id
: This is your OIDC identifier.client_secret
: This is your shared OIDC secret.backend
: This is the service to proxy.allowed_group
: If set, only allow users in this group to log in.httpsredir
: If set to yes
then http will redirect automatically to https, otherwise it won't. (default: yes
).cookiename
: Sets the cookie/session name. Useful if you run multiple proxies with the same domain but different
portssessionsecret
: Sets a session secret.The Callback URL that the Mozilla OIDC Access Proxy uses is /redirect_uri
. You can provide this to the identity provider to add into the list of allowed callback URLs.
You can manually start this as such, if you like:
$ make build
$ make run
cloudformation/README.md
and follow it's instructionshttps://us-west-2.console.aws.amazon.com/ecs/home?region=us-west-2#/repositories/create/new
(or another region)Makefile
and in compose/docker-compose.norebuild.yml
make awslogin
(and wait a while until your image has been uploaded)By default the Access Proxy does NOT configure TLS (HTTPS). This is up to you to either front it with an AWS ELB that supports TLS, or to configure TLS. It is very, very strongly discouraged to run this access proxy without TLS. In other words, do not do that, it's a terrible idea and will lead to compromise of your service. If you need a certificate get it from LetsEncrypt for free.
nginx.conf
conf.d/nginx_lua.conf
conf.d/headers.conf
conf.d/server.conf
conf.d/proxy_auth_bypass.conf
: optionalconf.d/server.lua
: set the opts
settingsconf.d/openidc_layer.lua
: use resty.openidc
to do OIDC auth