@yaws-k
Last active November 8, 2022 06:57
SSO with NGINX auth_request module and Vouch-Proxy
# Vouch Proxy configuration
# bare minimum to get Vouch Proxy running with Azure AD
# https://github.com/vouch/vouch-proxy/issues/290
#
# Operator notes:
#  - allowAllUsers: true admits every identity that can complete a login at the
#    Azure AD tenant named in auth_url/token_url. That may include guest (B2B)
#    accounts in the tenant; if that is not intended, restrict with vouch.domains
#    or a per-user allow list from the Vouch Proxy config reference instead.
#  - client_secret is a credential. Keep this file out of version control and
#    readable only by the account that runs Vouch Proxy.
#  - cookie.secure defaults to true; the session cookie carries a JWT, so only
#    relax it for local plain-http testing, never on a network-reachable host.
vouch:
  # Accept anyone who can authenticate against the configured Azure AD tenant.
  allowAllUsers: true
  cookie:
    # Uncomment only to allow the cookie on http://yourdomain.com; the default
    # (true) requires https://yourdomain.com.
    # secure: false
    # vouch.cookie.domain is mandatory when allowAllUsers is enabled; it is the
    # parent domain the JWT cookie is scoped to (must cover the protected apps
    # and the vouch host itself).
    # domain: yourdomain.com
    domain: example.com
oauth:
  provider: azure
  client_id: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  client_secret: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  # Tenant-scoped v2.0 endpoints; the GUID in the path pins logins to one tenant.
  auth_url: https://login.microsoftonline.com/cccccccccccccccccccccccccccccc/oauth2/v2.0/authorize
  token_url: https://login.microsoftonline.com/cccccccccccccccccccccccccccccc/oauth2/v2.0/token
  scopes:
    - openid
    - email
    - profile
  # Must be registered verbatim as a redirect URI on the Azure app registration.
  callback_url: https://vouch.example.com/auth
  # Which token Vouch reads the user's identity from; access_token and id_token
  # are supported. id_token is the one issued for authenticating the user.
  azure_token: id_token
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name app.example.com;

    # TLS material and settings are kept in a shared snippet.
    include snippets/ssl_example.com.conf;

    # Document root and index; adjust to your server policy.
    root /var/www/app.example.com;
    index index.php;

    # Require a valid Vouch-Proxy session for every request on this vhost.
    # The snippet declares auth_request, the internal /vouch-validate location
    # and the 401 -> login redirect, and exports the authenticated identity
    # (email address) as $auth_user. The identity provider (Azure AD, Okta/OIDC,
    # ...) is selected in the Vouch config, not here.
    include snippets/vouch.conf;

    # Example application: PHP via PHP-FPM.
    location ~ \.php($|/) {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        # Expose the Vouch-verified identity to PHP as $_SERVER['REMOTE_USER'].
        # nginx sets it from the auth subrequest result; request headers sent by
        # the client only reach PHP as HTTP_* variables, so this value can be
        # trusted by the application.
        fastcgi_param REMOTE_USER $auth_user;
    }

    # Alternative: reverse-proxy to an upstream over a unix socket and pass the
    # identity in a Remote-User header. proxy_set_header replaces any
    # Remote-User header the client sent, so the upstream may trust it as long
    # as the socket is reachable only by this nginx.
    #location / {
    #    proxy_set_header Remote-User $auth_user;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_set_header X-Forwarded-Proto $scheme;
    #    proxy_set_header X-Forwarded-Ssl on;
    #    proxy_set_header X-Forwarded-Port $server_port;
    #    proxy_set_header Host $http_host;
    #    proxy_pass unix:/var/www/some/socket.sock;
    #}
}
# vouch config
# bare minimum to get vouch running with OpenID Connect (such as okta)
#
# Operator notes:
#  - With allowAllUsers: true, anyone who can complete a login at the IdP below
#    is admitted. The commented-out vouch.domains list is the alternative that
#    Vouch uses to limit logins to users whose email domain is listed.
#  - client_secret is a credential: keep this file out of version control and
#    restrict its permissions to the account that runs Vouch Proxy.
#  - callback_url must be registered verbatim as an allowed redirect URI on the
#    IdP application and should always be an https URL.
vouch:
  # Option A: restrict by domain. These are the domains the JWT cookie may be
  # set into; the callback_urls will point at them.
  #domains:
  #- example.com
  #- your-mail-domain.com
  #
  # Option B (used here): accept every user the configured provider
  # authenticates, and scope the cookie with vouch.cookie.domain to the domain
  # you wish to protect.
  allowAllUsers: true
  cookie:
    domain: example.com
oauth:
  # Generic OpenID Connect provider, e.g. Okta.
  provider: oidc
  client_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
  # Replace {yourOktaDomain} with your tenant host. /oauth2/default/ refers to
  # Okta's default authorization server.
  auth_url: https://{yourOktaDomain}/oauth2/default/v1/authorize
  token_url: https://{yourOktaDomain}/oauth2/default/v1/token
  user_info_url: https://{yourOktaDomain}/oauth2/default/v1/userinfo
  scopes:
    - openid
    - email
  callback_url: https://vouch.example.com/auth
# snippets/vouch.conf -- include at server level in every vhost to protect.
#
# Every request is first checked by Vouch-Proxy through an auth_request
# subrequest. A 2xx from Vouch lets the request through; anything else becomes a
# 401, which is turned into a redirect to the Vouch login page below.
auth_request /vouch-validate;

# Authenticated identity (email address) as asserted by Vouch in its
# X-Vouch-User response header; exported to the including vhost as $auth_user.
auth_request_set $auth_user $upstream_http_x_vouch_user;

location = /vouch-validate {
    # Reachable only via auth_request, never directly from a client.
    internal;
    # Vouch-Proxy listens on the loopback interface on this port.
    proxy_pass http://127.0.0.1:9090/validate;
    # Validation needs only the cookie/headers; do not forward the body.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    # Vouch needs the original Host to match the request against the cookie
    # domain (required per the Vouch-Proxy official example).
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Diagnostics from Vouch, handed to @error401 for the login redirect.
    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
}

error_page 401 = @error401;

# Not logged in: send the browser to Vouch's login page, which redirects back to
# the original URL once the IdP login completes.
#
# NOTE(review): $request_uri is inserted without URL-encoding, so an original
# URL whose query string contains '&' is cut at that character inside the url=
# parameter and the remainder is parsed as separate parameters; the post-login
# return may therefore lose query parameters (unless Vouch reconstructs them).
# NOTE(review): the X-Vouch-Token value is a JWT carried in the query string,
# where it lands in access logs and possibly Referer headers; if your login flow
# does not need it, consider dropping it from this redirect.
# NOTE(review): $http_host is client-supplied; if this vhost can be reached as
# the default server, consider $host or the literal server name here.
location @error401 {
    return 302 https://vouch.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}
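server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name vouch.example.com;

    # TLS settings shared with the protected applications.
    include snippets/ssl_example.com.conf;

    # TLS-terminating front for Vouch-Proxy, which itself speaks plain HTTP on
    # the loopback interface.
    location / {
        # Use the same loopback address as the /vouch-validate subrequest in
        # snippets/vouch.conf, so both paths hit the same listener regardless of
        # whether "localhost" resolves to 127.0.0.1 or ::1 on this host.
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host vouch.example.com;
        # Tell Vouch the external scheme is https (it is reached over TLS here
        # even though the hop to it is plain HTTP), as in the Vouch example.
        proxy_set_header X-Forwarded-Proto https;
        # Client address for Vouch's logging, consistent with what the
        # /vouch-validate location forwards.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}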