Open tomflenner opened 3 years ago
You would put it in your destination host's container, yes. Luckily I've made it easier overall if you continue to track my images.

Set `MODE=HANDLER` with the LLNG image (I leave my LLNG Handler/Portal/Manager alone and deploy a different one for a handler, with an alias of `llng-handler` to make things easier for referencing down the road, and to move the containers to a different host without having to mess with too much configuration).

In the `tiredofit/nginx` or `tiredofit/nginx-php-fpm` containers set `AUTHENTICATION_TYPE=LLNG` and then work with the following other options:

| Parameter | Description | Default |
|---|---|---|
| NGINX_AUTHENTICATION_TYPE | Protect the site with BASIC, LDAP, LLNG | NONE |
| NGINX_AUTHENTICATION_LLNG_HANDLER_HOST | If LLNG chosen use hostname of handler | llng-handler |
| NGINX_AUTHENTICATION_LLNG_HANDLER_PORT | If LLNG chosen use this port for handler | 2884 |
| NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1 | Syntax: HEADER_NAME, Variable, Upstream Variable - See note below | |
| NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2 | Syntax: HEADER_NAME, Variable, Upstream Variable - See note below | |
When working with `NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2` you will need to omit any `$` characters from your string. It will be added in upon container startup. Example: `NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid` will get converted into `HTTP_AUTH_USER,$uid,$upstream_http_uid` and get placed in the appropriate areas in the configuration.
I am watching some of your posts on both FD and LLNG lists, and curious to see how you end up protecting an API with OAuth, when you figure it out, please share the info :)
Oh nice to see that you're aware of what I'm trying to do :D !
If I get it I will give you feedback, but my first step is just to protect API calls without OAuth (maybe just by asking for a LemonLDAP cookie header in the API request call).
So the easiest way for me at the moment is to use your `tiredofit/nginx` with my API inside and protect this container with Lemon?
I just have some trouble understanding the Handler part. LemonLDAP doesn't provide a basic handler by default?
This LLNG image does come with a handler, yes, I just prefer to keep it separated from everything else, and set up a secondary handler using REST. I suppose that's way more advanced than it needs to be right now and you want to see things work without learning a million new things, so try this:

1. Set up a VHOST for your sample vhost with the default rule as `accept` and with the exported header `uid` set to `$uid`.
2. Set up `tiredofit/nginx-php-fpm:latest` with a working hostname and with the following variables:
   - NGINX_AUTHENTICATION_TYPE=LLNG
   - NGINX_AUTHENTICATION_LLNG_HANDLER_HOST=(your internal lemonldap container name)
   - NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid

Obviously in this scenario you'll need to have the nginx-php-fpm container on the same Docker network as the LLNG container.

When you then visit the nginx-php-fpm container hostname you should be redirected to the LLNG login screen. After you pass successful authentication, the default config if you don't map any volumes in the nginx-php-fpm is to show a PHP info screen. At the very bottom you'll see that we've passed `$_SERVER_AUTH_USER` with the value of your LLNG logged-in username. That's the most basic to get you going now. The same thing would work with the `tiredofit/nginx` image, but you have no easy way with that image to tell what vars are being passed and to know if it's working other than it giving you the LLNG login screen.
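The table of `NGINX_AUTHENTICATION_LLNG_*` variables, the note about dropping `$` from the attribute triples, and the step-by-step above all describe one piece of nginx wiring without showing it. The script below is an added example, not the `tiredofit/nginx` image's entrypoint or any code from this thread: it renders an attribute triple into the `auth_request_set` / `fastcgi_param` pair and wraps it in the `auth_request` layout from the LemonLDAP::NG nginx handler documentation (`/lmauth` sub-request to the handler's FastCGI port, `error_page 401` redirect to the portal URL the handler returns in `Location`). The header name `HTTP_AUTH_USER`, the defaults `llng-handler` and `2884`, and the `fastcgi_param` form (the php-fpm case; a proxied upstream would use `proxy_set_header` instead) are assumptions; what the real image generates may differ in detail.

```shell
#!/bin/sh
# Added example: renders nginx config from the NGINX_AUTHENTICATION_LLNG_*
# variables discussed above. Not the tiredofit/nginx image's own code.

# One "HEADER_NAME,variable,upstream_variable" triple -> two nginx directives.
# The triple must not contain '$'; it is added here, as the note above says.
render_llng_attribute() {
  triple=$1
  case "$triple" in
    *'$'*) echo "error: omit \$ characters in '$triple'" >&2; return 1 ;;
  esac
  header=${triple%%,*}
  rest=${triple#*,}
  var=${rest%%,*}
  upstream=${rest#*,}
  # Reject fewer than three fields (a missing comma leaves rest == upstream).
  if [ -z "$header" ] || [ -z "$var" ] || [ -z "$upstream" ] \
     || [ "$rest" = "$upstream" ]; then
    echo "error: expected HEADER_NAME,variable,upstream_variable, got '$triple'" >&2
    return 1
  fi
  case "$upstream" in
    *,*) echo "error: too many fields in '$triple'" >&2; return 1 ;;
  esac
  # Copy the handler's response header into a variable, then hand it to PHP.
  printf 'auth_request_set $%s $%s;\n' "$var" "$upstream"
  printf 'fastcgi_param %s $%s;\n' "$header" "$var"
}

# Whole protected-site fragment. $1 = handler host, $2 = handler port,
# remaining arguments = attribute triples (ATTRIBUTE1, ATTRIBUTE2, ...).
render_llng_site() {
  host=$1; port=$2; shift 2
  cat <<EOF
# Internal sub-request answered by the LLNG handler (FastCGI, host:port assumed).
location = /lmauth {
    internal;
    include /etc/nginx/fastcgi_params;
    fastcgi_pass ${host}:${port};
    fastcgi_pass_request_body off;
    fastcgi_param CONTENT_LENGTH "";
    fastcgi_param HOST \$http_host;
    fastcgi_param X_ORIGINAL_URI \$request_uri;
}
location / {
    auth_request /lmauth;
    # A 401 from the handler carries the portal URL in Location: redirect there.
    auth_request_set \$lmlocation \$upstream_http_location;
    error_page 401 \$lmlocation;
EOF
  for triple in "$@"; do
    lines=$(render_llng_attribute "$triple") || return 1
    printf '%s\n' "$lines" | sed 's/^/    /'
  done
  printf '}\n'
}

# Stand-alone run: read the variables from the environment with the table's
# defaults, the way a container entrypoint would at startup.
render_from_env() {
  set -- "${NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1:-HTTP_AUTH_USER,uid,upstream_http_uid}"
  if [ -n "${NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2:-}" ]; then
    set -- "$@" "$NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2"
  fi
  render_llng_site "${NGINX_AUTHENTICATION_LLNG_HANDLER_HOST:-llng-handler}" \
                   "${NGINX_AUTHENTICATION_LLNG_HANDLER_PORT:-2884}" "$@"
}
render_from_env
```

Run it with the same `-e` variables you would pass to `docker run` and compare the output with what the container wrote under `/etc/nginx`; a triple that still contains `$` or has the wrong number of fields is rejected with an error rather than producing a silently broken `location` block.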
After trying the example I got a 403 Forbidden when I try to connect to my container hostname.
I checked all the configuration and didn't find any problem with it.
Do you have any idea?
My docker run command:

```
docker run -d -e VIRTUAL_HOST=test3.m1miaa.fr -e LETSENCRYPT_HOST=test3.m1miaa.fr -e NGINX_AUTHENTICATION_TYPE=LLNG -e NGINX_AUTHENTICATION_LLNG_HANDLER_HOST=lemonldap-app -e NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid --network=nginx-proxy tiredofit/nginx-php-fpm:latest
```
I believe the LLNG container should give information - try the loglevel of debug, which will output quite a lot of info as to what's happening.
Oh my god, I'm so dumb... I was already logged in, sorry... XD
After a quick search: my API is a Node Express app, so maybe I need to implement this handler: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler#nginx-authorization-server to protect my Express app?
With a Node Express application you can use the Node.js handler. I've used it successfully in the past, although I don't think I have any documentation off the top of my head. You could avoid using nginx entirely, unless you had a need for it.
Hello,
After adding a new VHOST through the Manager, I need to add a .conf file for the new app to protect in /etc/nginx/conf.d with a `docker cp` or inside the container's shell, right?
Tom;