vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

support for one instance with both publicAccess: true and false at different roots #542

Closed theAlexes closed 11 months ago

theAlexes commented 1 year ago

Describe the problem

I have some resources that are public access, and some that are private, and I want authentication on public resources to be valid for the private resources and the other way around.

To solve this right now I'm running two instances of vouch-proxy that are mostly-identically configured, with the same secrets. The second instance has publicAccess off, is mounted at a different root, the first instance is the other way around, and there's a parallel set of nginx parameter files that pass requests to the right instance via unix socket. This works, but the duplication makes me nervous.

Expected behavior

I can continue doing this, automating away the duplication with config management, or try to implement this feature, if it's necessary.

Additional context

I've considered other options, like leaving off the error_page 401 = @error401 configuration on the public resources, but that feels somewhat more brittle --- relying on the absence of an option makes us collectively "😬". I'm open to advice on nginx configuration here, of course.

A nice way to declare multiple parallel Vouch submounts, where authentication is sufficient but not required, perhaps with different pass-list configurations, would be greatly appreciated.

One thing I haven't tried, however, is putting a satisfy any; in the public resources. Unfortunately, I have no intuition for what this configuration would do in practice, so I've not experimented.

bnfinet commented 11 months ago

@theAlexes if multiple instances get it done for you I think that's the way to handle this. TBH your setup sounds a bit complicated and with this layering it feels like keeping each side to itself avoids opening access to resources that you are trying to protect.

VP is pretty cheap to run memory wise and the advice for similar scenarios where multiple differing authentication requirements are running in the same domain is to run multiple differently configured Vouch Proxy instances.

I've had good success using satisfy any; for cascading permissions requirements. The docs are pretty straightforward. http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
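A single-instance layout using the satisfy any; approach the maintainer refers to, as an added example that is not from this thread or the vouch-proxy project: it assumes vouch-proxy listening on 127.0.0.1:9090, the /validate endpoint, the X-Vouch-User response header and the /login?url= redirect as documented in vouch-proxy's README, an upstream app on 127.0.0.1:8080, and placeholder hostnames.

```nginx
# Added example (assumed addresses and hostnames, not the project's own config):
# one vouch-proxy instance serves a private root (login required) and a public
# root (login optional) from the same nginx server block.
server {
    listen 443 ssl;
    server_name app.example.com;

    # One validation subrequest shared by both roots. For an anonymous user
    # vouch-proxy (publicAccess: false) answers 401; each root below decides
    # whether that 401 blocks the request.
    location = /validate {
        internal;
        proxy_pass http://127.0.0.1:9090/validate;
        proxy_set_header Host $http_host;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    # Private root: auth_request must succeed, otherwise send the user to login.
    location /private/ {
        auth_request /validate;
        auth_request_set $auth_user $upstream_http_x_vouch_user;
        error_page 401 = @error401;
        proxy_set_header X-Vouch-User $auth_user;
        proxy_pass http://127.0.0.1:8080;
    }

    # Public root: the same subrequest still runs, so an existing session is
    # recognised and $auth_user is populated, but "satisfy any" plus "allow all"
    # lets an anonymous 401 through instead of failing the request.
    # Caveat: satisfy any only overrides 401/403 from the access phase; if the
    # subrequest errors (vouch-proxy down -> 5xx), the public request fails too.
    location /public/ {
        satisfy any;
        allow all;
        auth_request /validate;
        auth_request_set $auth_user $upstream_http_x_vouch_user;
        proxy_set_header X-Vouch-User $auth_user;
        proxy_pass http://127.0.0.1:8080;
    }

    # Only the private root routes here; the public root never raises 401.
    location @error401 {
        return 302 https://vouch.example.com/login?url=$scheme://$http_host$request_uri;
    }
}
```

Because the public root deliberately omits error_page 401, the upstream behind it must treat an empty X-Vouch-User as "anonymous" rather than trusting the header's mere presence.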