tiredofit / docker-lemonldap

Dockerized authentication server with Single Sign On SAML, OpenID Connect, CAS, and Header support
MIT License

Add new VHOST #22

Open tomflenner opened 3 years ago

tomflenner commented 3 years ago

Hello,

After adding a new VHOST through Manager, I need to add a .conf file for the new app to protect in /etc/nginx/conf.d with a docker cp or inside the container's shell, right?

Tom;

tiredofit commented 3 years ago

You would put it in your destination host's container, yes. Luckily I've made it easier overall if you continue to track my images.

| Parameter | Description | Default |
| --- | --- | --- |
| NGINX_AUTHENTICATION_TYPE | Protect the site with BASIC, LDAP, LLNG | NONE |
| NGINX_AUTHENTICATION_LLNG_HANDLER_HOST | If LLNG chosen use hostname of handler | llng-handler |
| NGINX_AUTHENTICATION_LLNG_HANDLER_PORT | If LLNG chosen use this port for handler | 2884 |
| NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1 | Syntax: HEADER_NAME, Variable, Upstream Variable - See note below | |
| NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2 | Syntax: HEADER_NAME, Variable, Upstream Variable - See note below | |

When working with NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2 you will need to omit any $ characters from your string. It will be added in upon container startup. Example: NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid will get converted into HTTP_AUTH_USER,$uid,$upstream_http_uid and get placed in the appropriate areas in the configuration.

I am watching some of your posts on both FD and LLNG lists, and curious to see how you end up protecting an API with OAuth, when you figure it out, please share the info :)
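The attribute conversion described in the note above, as an added example that is neither this image's entrypoint code nor LemonLDAP::NG's own: a small POSIX sh renderer that turns one NGINX_AUTHENTICATION_LLNG_ATTRIBUTEn value into the two nginx directives such an integration needs, and refuses values that could splice extra directives into the generated config. The directive names (auth_request_set, fastcgi_param) are an assumption modelled on the standard LemonLDAP::NG nginx handler pattern, not taken from the image.

```shell
#!/bin/sh
# Added example, not the image's own code. Renders one
# NGINX_AUTHENTICATION_LLNG_ATTRIBUTEn value of the form
#   HEADER_NAME,Variable,Upstream_Variable   (no $ characters)
# into nginx directives, adding the $ signs as the note describes.

# Accept only [A-Za-z0-9_] so a mistyped or hostile env value cannot
# inject further nginx directives (';', newline, '}') into the config.
llng_safe_token() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the directives for one attribute: auth_request_set copies the
# handler's response header into an nginx variable, fastcgi_param hands
# it to PHP-FPM.  Returns 1 (prints nothing) on a malformed value.
# Directive choice is an assumption based on the usual LLNG nginx setup.
llng_render_attribute() {
    attr="$1"
    header="${attr%%,*}"; rest="${attr#*,}"
    var="${rest%%,*}"; upstream="${rest#*,}"
    # Exactly three comma-separated fields are required.
    [ "$rest" != "$attr" ] && [ "$upstream" != "$rest" ] || return 1
    case "$upstream" in *,*) return 1 ;; esac
    llng_safe_token "$header" && llng_safe_token "$var" \
        && llng_safe_token "$upstream" || return 1
    printf 'auth_request_set $%s $%s;\n' "$var" "$upstream"
    printf 'fastcgi_param %s $%s;\n' "$header" "$var"
}

# Constructed sample: the exact value from the note above.
llng_render_attribute 'HTTP_AUTH_USER,uid,upstream_http_uid'
```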

tomflenner commented 3 years ago

Oh, nice to see that you're aware of what I'm trying to do :D!

If I get it I will give you feedback, but my first step is just to protect API calls without OAuth (maybe just by asking for a lemon-ldap cookie header in the API request call).

So the easiest way for me atm is to use your tiredofit/nginx with my API inside and protect this container with Lemon?

I just have some trouble understanding the Handler part. Doesn't LemonLDAP provide a basic handler by default?

tiredofit commented 3 years ago

This LLNG image does come with a handler, yes, I just prefer to keep it separated from everything else, and set up a secondary handler using REST. I suppose that's way more advanced than it needs to be right now and you want to see things work without learning a million new things, so try this:

Set up a VHOST for your sample vhost with the default rule as accept and with your exported headers uid | $uid.

Set up `tiredofit/nginx-php-fpm:latest` with a working hostname and with the following variables:

  - NGINX_AUTHENTICATION_TYPE=LLNG
  - NGINX_AUTHENTICATION_LLNG_HANDLER_HOST=(your internal lemonldap container name)
  - NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid

Obviously in this scenario you'll need to have the nginx-php-fpm container on the same Docker network as the LLNG container.

When you then visit the nginx-php-fpm container hostname you should be redirected to the LLNG login screen. After you pass successful authentication, the default config, if you don't map any volumes in the nginx-php-fpm container, is to show a PHP info screen. At the very bottom you'll see that we've passed $_SERVER_AUTH_USER with the value of your LLNG logged-in username. That's the most basic to get you going now. The same thing would work with the tiredofit/nginx image, but you have no easy way with that image to tell what vars are being passed and to know if it's working other than it giving you the LLNG login screen.

tomflenner commented 3 years ago

After trying the example I got a 403 Forbidden when I try to connect to my container hostname.

I checked all the configuration and didn't find any problem with it.

Do you have any idea?

EDIT

My docker run command:

```shell
docker run -d \
  -e VIRTUAL_HOST=test3.m1miaa.fr \
  -e LETSENCRYPT_HOST=test3.m1miaa.fr \
  -e NGINX_AUTHENTICATION_TYPE=LLNG \
  -e NGINX_AUTHENTICATION_LLNG_HANDLER_HOST=lemonldap-app \
  -e NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid \
  --network=nginx-proxy \
  tiredofit/nginx-php-fpm:latest
```

tiredofit commented 3 years ago

I believe the llng container should give information - try the loglevel of debug, which will output quite a lot of info as to what's happening.

tomflenner commented 3 years ago

Oh my god, I'm so dumb... I was already logged in, sorry... XD

After a quick search: my API is a Node Express app, so I maybe need to implement this handler: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler#nginx-authorization-server to protect my Express app?

tiredofit commented 3 years ago

With a Node Express application you can use the nodejs handler. I've used it successfully in the past, although I don't think I have any documentation off the top of my head. You could avoid using nginx entirely, unless you had a need for it.