Makussu/bunkerweb
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

init support for auth_request and add authentik example

Browse Source
This commit is contained in:
florian
2022-06-13 13:06:03 +02:00
parent e852298352
commit e0f8895e9a
7 changed files with 270 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
core/reverseproxy/confs/server-http/reverse-proxy.conf
View File

@@ -6,59 +6,81 @@ proxy_intercept_errors on;
proxy_intercept_errors off;
{% endif +%}
{% if USE_PROXY_CACHE == "yes" +%}
{% if USE_PROXY_CACHE == "yes" +%}
proxy_cache proxycache;
proxy_cache_methods {{ PROXY_CACHE_METHODS }};
proxy_cache_min_uses {{ PROXY_CACHE_MIN_USES }};
proxy_cache_key {{ PROXY_CACHE_KEY }};
proxy_no_cache {{ PROXY_NO_CACHE }};
proxy_cache_bypass {{ PROXY_CACHE_BYPASS }};
{% if PROXY_CACHE_VALID != "" +%}
{% for element in PROXY_CACHE_VALID.split(" ") +%}
{% if PROXY_CACHE_VALID != "" +%}
{% for element in PROXY_CACHE_VALID.split(" ") +%}
proxy_cache_valid {{ element.split("=")[0] }} {{ element.split("=")[1] }};
{% endfor %}
{% endfor %}
add_header X-Proxy-Cache $upstream_cache_status;
{% endif %}
{% endif %}
{% endif %}
{% endif %}
{% set counter = namespace(value=1) %}
{% for k, v in all.items() %}
{% if k.startswith("REVERSE_PROXY_URL") and v != "" +%}
{% set url = v %}
{% set host = all[k.replace("URL", "HOST")] if k.replace("URL", "HOST") in all else "" %}
{% set ws = all[k.replace("URL", "WS")] if k.replace("URL", "WS") in all else "" %}
{% set headers = all[k.replace("URL", "HEADERS")] if k.replace("URL", "HEADERS") in all else "" %}
{% set headers_client = all[k.replace("URL", "HEADERS_CLIENT")] if k.replace("URL", "HEADERS_CLIENT") in all else "" %}
{% set buffering = all[k.replace("URL", "BUFFERING")] if k.replace("URL", "BUFFERING") in all else "yes" %}
{% set keepalive = all[k.replace("URL", "KEEPALIVE")] if k.replace("URL", "KEEPALIVE") in all else "yes" %}
{% set auth_request = all[k.replace("URL", "AUTH_REQUEST")] if k.replace("URL", "AUTH_REQUEST") in all else "" %}
{% set auth_request_signin_url = all[k.replace("URL", "AUTH_REQUEST_SIGNIN_URL")] if k.replace("URL", "AUTH_REQUEST_SIGNIN_URL") in all else "" %}
{% set auth_request_sets = all[k.replace("URL", "AUTH_REQUEST_SET")] if k.replace("URL", "AUTH_REQUEST_SET") in all else "" %}
location {{ url }} {% raw %}{{% endraw +%}
etag off;
set $backend "{{ host }}";
proxy_pass $backend;
set $backend{{ counter.value }} "{{ host }}";
proxy_pass $backend{{ counter.value }};
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
{% if buffering == "yes" +%}
{% if buffering == "yes" +%}
proxy_buffering on;
{% else +%}
{% else +%}
proxy_buffering off;
{% endif %}
{% if ws == "yes" +%}
{% endif %}
{% if ws == "yes" +%}
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{% elif keepalive == "yes" +%}
{% elif keepalive == "yes" +%}
proxy_http_version 1.1;
proxy_set_header Connection "";
{% endif %}
{% if headers != "" %}
{% for header in headers.split(";") +%}
{% endif %}
{% if auth_request != "" +%}
auth_request {{ auth_request }};
{% endif +%}
{% if auth_request_signin_url != "" +%}
error_page 401 =302 {{ auth_request_signin_url }};
{% endif +%}
{% if auth_request_sets != "" +%}
{% for auth_request_set in auth_request_sets.split(";") +%}
auth_request_set {{ auth_request_set }};
{% endfor +%}
{% endif +%}
{% if headers != "" +%}
{% for header in headers.split(";") +%}
proxy_set_header {{ header }};
{% endfor %}
{% endif %}
{% endfor +%}
{% endif +%}
{% if headers_client != "" +%}
{% for header_client in headers_client.split(";") +%}
add_header {{ header_client }};
{% endfor +%}
{% endif +%}
{% raw %}}{% endraw %}
{% endif %}
{% set counter.value = counter.value + 1 %}
{% endfor %}
{% endif %}

42
core/reverseproxy/plugin.json
View File

@@ -56,13 +56,23 @@
"REVERSE_PROXY_HEADERS": {
"context": "multisite",
"default": "",
"help": "List of HTTP headers to send to proxied resource.",
"help": "List of HTTP headers to send to proxied resource separated with ; (values for proxy_set_header directive).",
"id": "reverse-proxy-headers",
"label": "Reverse proxy headers",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_HEADERS_CLIENT": {
"context": "multisite",
"default": "",
"help": "List of HTTP headers to send to client separated with ; (values for add_header directive).",
"id": "reverse-proxy-headers-client",
"label": "Reverse proxy headers-client",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_BUFFERING": {
"context": "multisite",
"default": "yes",
@@ -83,6 +93,36 @@
"type": "check",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST": {
"context": "multisite",
"default": "",
"help": "Enable authentication using an external provider (value of auth_request directive).",
"id": "reverse-proxy-auth-request",
"label": "Reverse proxy auth request",
"regex": "^/.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST_SIGNIN_URL": {
"context": "multisite",
"default": "",
"help": "Redirect clients to signin URL when using REVERSE_PROXY_AUTH_REQUEST (used when auth_request call returned 401).",
"id": "reverse-proxy-auth-request-signin-url",
"label": "Auth request signin URL",
"regex": "^http.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"REVERSE_PROXY_AUTH_REQUEST_SET": {
"context": "multisite",
"default": "",
"help": "List of variables to set from the authentication provider, separated with ; (values of auth_request_set directives).",
"id": "reverse-proxy-auth-request-set",
"label": "Reverse proxy auth request set",
"regex": "^.*$",
"type": "text",
"multiple": "reverse-proxy"
},
"USE_PROXY_CACHE": {
"context": "multisite",
"default": "no",