vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

ADFS server is installed in a DMZ #584

Open kosov73 opened 1 week ago

kosov73 commented 1 week ago

Is it possible to use a proxy if the ADFS server is installed in a DMZ with restricted external access? Right now, when I try to access it, I get a 404 Page Not Found error for a GET request.

https://site.example.com/ -> https://adfs.example.com/adfs/oauth2/authorize/?client_id=656646dc-e661-4a62-81e9-a6d26b53ac09&redirect_uri=http://site.example.com/auth&resource=656646dc-e661-4a62-81e9-a6d26b53ac09&response_type=code&scope=openid email profile&state=aRM01CioclUL5cU8MfnoUqd4PwfqTK9S -> 404 Page Not Found

Config vouch

vouch:
  logLevel: debug
  allowAllUsers: true
  cookie:
    secure: false
    domain: example.com
oauth:
  provider: adfs
  client_id: <client_id>
  client_secret: <client_secret>
  auth_url: https://adfs.example.com/adfs/oauth2/authorize/
  token_url: https://adfs.example.com/adfs/oauth2/token/
  scopes:
    - openid
    - email
    - profile
  callback_url: http://site.example.com/auth

Config nginx

server {
    listen 443 ssl http2;
    server_name vouch.example.com;
    ssl_certificate /etc/ssl/nginx/example.pem;
    ssl_certificate_key /etc/ssl/nginx/example-key.pem;

    location / {
      proxy_pass http://127.0.0.1:9090;
      proxy_set_header Host $http_host;
    }
}
server {
    listen 443 ssl http2;
    server_name site.example.com;
    ssl_certificate /etc/ssl/nginx/example.pem;
    ssl_certificate_key /etc/ssl/nginx/example-key.pem;
    auth_request /validate;
    location = /validate {
      proxy_pass http://127.0.0.1:9090/validate;
      proxy_set_header Host $http_host;
      proxy_pass_request_body off;
      proxy_set_header Content-Length "";
      auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }
    error_page 401 = @error401;
    location @error401 {
        return 302 https://site.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    location / {
      proxy_pass http://127.0.0.1:8080;
      proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
    }
}

Docker Logs:

{"level":"debug","ts":1731269688.3114388,"msg":"jwt from authorization header: eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJjb21wYW55IjoiaGVhZCIsInVzZXJJZCI6IjdkM2E1NThiLTFmZTMtNDZlOC05MzYzLTQxMDhmNzdmNjRiZSIsIm93bmVyIjp0cnVlLCJpc1BvcnRhbCI6ZmFsc2UsInNlc3Npb25JZCI6ImM4N2ViN2JkLTk0OWQtNTRhYS1iODIzLWNhNDRjNjVjODdjYiIsInByaXZpbGVnZXMiOlsiYWRtaW5pc3RyYXRpb24iLCJzdXBlcnZpc29yIl0sIm5lZWRDaGFuZ2VQYXNzd29yZCI6ZmFsc2UsImNyZWF0ZWRBdCI6MTczMTI1OTk2OSwiaXNzIjoiYXBpIiwiZXhwIjoxNzMzNjc5MjMxLCJpYXQiOjE3MzEyNTk5MTF9.NZwX2Y6-JDAFo7k2Po0fOdZYs17U4w2ekXyzjPwSCojMCWwPUsswEMpZ3CDe2OfPP2HpABwQCv1qjzFfpQXdN5ESFheEAcDnnivs8HGx_7JjFw9Q1NC11iw-fUV05TGRQeQPAqBIbF44yXzdfbcblHxxLAE2P6H9VtOYSjyMsGE"}
{"level":"debug","ts":1731269688.3114595,"msg":"/validate"}
{"level":"debug","ts":1731269688.3114643,"msg":"jwt from authorization header: eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJjb21wYW55IjoiaGVhZCIsInVzZXJJZCI6IjdkM2E1NThiLTFmZTMtNDZlOC05MzYzLTQxMDhmNzdmNjRiZSIsIm93bmVyIjp0cnVlLCJpc1BvcnRhbCI6ZmFsc2UsInNlc3Npb25JZCI6ImM4N2ViN2JkLTk0OWQtNTRhYS1iODIzLWNhNDRjNjVjODdjYiIsInByaXZpbGVnZXMiOlsiYWRtaW5pc3RyYXRpb24iLCJzdXBlcnZpc29yIl0sIm5lZWRDaGFuZ2VQYXNzd29yZCI6ZmFsc2UsImNyZWF0ZWRBdCI6MTczMTI1OTk2OSwiaXNzIjoiYXBpIiwiZXhwIjoxNzMzNjc5MjMxLCJpYXQiOjE3MzEyNTk5MTF9.NZwX2Y6-JDAFo7k2Po0fOdZYs17U4w2ekXyzjPwSCojMCWwPUsswEMpZ3CDe2OfPP2HpABwQCv1qjzFfpQXdN5ESFheEAcDnnivs8HGx_7JjFw9Q1NC11iw-fUV05TGRQeQPAqBIbF44yXzdfbcblHxxLAE2P6H9VtOYSjyMsGE"}
{"level":"debug","ts":1731269688.3114681,"msg":"tokenString length: 593"}
{"level":"debug","ts":1731269688.3114734,"msg":"Error in Base64decode: illegal base64 data at input byte 36"}
{"level":"debug","ts":1731269688.3114777,"msg":"Error reading gzip data: gzip: invalid header"}
{"level":"debug","ts":1731269688.3114796,"msg":"decompressed tokenString length 0"}
{"level":"warn","ts":1731269688.3114843,"msg":"token contains an invalid number of segments"}
{"level":"debug","ts":1731269688.311488,"msg":"setting the cookie domain to example.com"}
{"level":"debug","ts":1731269688.3114958,"msg":"CaptureWriter.Write set w.StatusCode 401"}
{"level":"info","ts":1731269688.3115342,"msg":"|401|     85.1µs /validate","statusCode":401,"request":3320,"latency":0.0000851,"avgLatency":0.000019119,"ipPort":"172.17.0.1:59124","method":"GET","host":"site.example.com","path":"/validate","referer":"https://site.example.com/"}

bnfinet commented 1 week ago

If it's outbound PROXY please take a look at the PROXY instructions in the tips and tricks section of the README.

If that doesn't fix it please read the README on how to request support and adjust your issue accordingly.
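As an added diagnostic (not code from vouch-proxy or from either participant), the program below shows what the HTTP_PROXY / HTTPS_PROXY / NO_PROXY instructions in the README amount to in practice. It assumes that vouch-proxy's outbound calls to the provider go through Go's default transport and therefore follow `http.ProxyFromEnvironment`, which is what setting those variables on the container relies on. `PlanRoutes` resolves, offline, which proxy (if any) each provider endpoint would be sent through; `Probe` then makes the real request so the operator can see whether the 404 comes back through the proxy or whether the proxy itself is unreachable. The ADFS URLs are the ones from the issue's vouch config; the proxy hostname is a constructed placeholder.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// ProxyFor reports the outbound proxy Go's net/http would pick for target
// from HTTP_PROXY, HTTPS_PROXY and NO_PROXY (upper- or lower-case), exactly
// as http.DefaultTransport does. A nil *url.URL means a direct connection.
// net/http reads these variables once per process, so in a container they
// have to be present in the container's environment, not exported later.
func ProxyFor(target string) (*url.URL, error) {
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return nil, err
	}
	return http.ProxyFromEnvironment(req)
}

// Route summarises, for one endpoint, whether it goes direct or via a proxy.
type Route struct {
	Target string
	Via    string // "direct" or the proxy URL
}

// PlanRoutes resolves the proxy decision for every endpoint vouch-proxy
// would call for this provider, without touching the network.
func PlanRoutes(targets []string) ([]Route, error) {
	routes := make([]Route, 0, len(targets))
	for _, t := range targets {
		p, err := ProxyFor(t)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", t, err)
		}
		via := "direct"
		if p != nil {
			via = p.String()
		}
		routes = append(routes, Route{Target: t, Via: via})
	}
	return routes, nil
}

// Probe performs a GET through a transport configured like Go's default one
// (proxy taken from the environment) with a short timeout and returns the
// HTTP status. This is the only network-touching function; main calls it so
// the check can be run from inside the vouch container against the DMZ host.
func Probe(target string) (int, error) {
	client := &http.Client{
		Transport: &http.Transport{Proxy: http.ProxyFromEnvironment},
		Timeout:   5 * time.Second,
	}
	resp, err := client.Get(target)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Endpoints taken from the issue's vouch config (auth_url / token_url).
	targets := []string{
		"https://adfs.example.com/adfs/oauth2/authorize/",
		"https://adfs.example.com/adfs/oauth2/token/",
	}
	for _, name := range []string{"HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY"} {
		fmt.Printf("%-12s = %q\n", name, os.Getenv(name))
	}
	routes, err := PlanRoutes(targets)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	for _, r := range routes {
		fmt.Printf("%s -> %s\n", r.Target, r.Via)
		if code, err := Probe(r.Target); err != nil {
			fmt.Printf("  probe failed: %v\n", err)
		} else {
			fmt.Printf("  probe status: %d\n", code)
		}
	}
}
```

Run it with the same environment the vouch container has (for example `HTTPS_PROXY=http://proxy.internal.example:3128 NO_PROXY=127.0.0.1,localhost go run .`). If the ADFS endpoints resolve to "direct" while the container has no route to the DMZ, the variables are not reaching the process; if they resolve to the proxy and the probe still fails, the proxy rather than vouch-proxy is the place to look. Loopback targets such as nginx's 127.0.0.1 are never proxied by Go, so listing them in NO_PROXY is belt-and-braces only.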

kosov73 commented 1 week ago

@bnfinet Can you tell me if there's a working case for this setup? [image]

bnfinet commented 1 week ago

I think so, but I'm not quite clear on your issue. Without seeing your logs or config it's just hard to say.

Did you see the HTTP_PROXY instructions? Does that help? What happened when you tried it?