This auth portal can be seen as a prettified basic auth. Through the nginx auth module we check if a user is authorized to access an app. People who are not authorized are redirected to an SSO style login screen, where they can log in with an email address and password. Users are stored in the Apache Basic Authentication format.
Make sure you have Node.JS 14.x installed then run the following commands in your terminal:
./app-install-dependencies.sh
./app-run.sh
The Auth portal is available for your own applications. Follow the guide below to install the portal onto your server:
- Create a docker-compose.yml file with the following contents:
version: '2'
services:
auth:
image: glenndehaan/auth-portal
ports:
- '9897:3000'
# Optional Volume for JSON users
#volumes:
# - './db:/db'
# Optional Settings
#environment:
#
# General App Settings
#
#APP_TITLE: 'Auth Portal'
#APP_HEADER: 'Welcome'
#LOGO: 'https://upload.wikimedia.org/wikipedia/commons/thumb/9/91/Octicons-mark-github.svg/2048px-Octicons-mark-github.svg.png'
#LOGO_URL: 'https://github.com'
#BANNER_IMAGE: 'https://images.unsplash.com/photo-1619976336288-38db38e4c503?ixlib=rb-1.2.1&ixid=MnwxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8&auto=format&fit=crop&w=627&q=80'
#INFO_BANNER: 'For more info contact the IT team'
#EMAIL_PLACEHOLDER: '[email protected]'
#
# Auth behaviour Settings (Used for loadbalancers like: Traefik, since they forward the redirect)
#
#ENABLE_DIRECT_REDIRECT: 'true'
#AUTH_URL: 'https://login.example.com/login'
#
# Cookie Settings
#
#COOKIE_NAME: '__auth_portal'
#COOKIE_DOMAIN: 'example.com'
#
# User Settings
#
# To create more users run `htpasswd -nm username` then copy the result into here. To specify multiple users add a `\n` after each string
#USERS: "[email protected]:$apr1$jI2jqzEg$MyNJQxhcZFNygXP79xT/p.\n"
# If you want to use a JSON file for users enable this option, also make sure the volume is mounted so you can update the JSON on the host machine. This also enables the user activation flow
#USERS_JSON: 'true'
# Enables the /admin portal for managing JSON users. Caution: This portal is by default open. We recommend to protect it with for example an IP block.
#USERS_JSON_ADMIN: 'true'
#
# OAuth Provider Settings
#
# Google OAuth Config
#PROVIDER_GOOGLE: 'true'
#PROVIDER_GOOGLE_CLIENT_ID: 'xxxxxxxxxx'
#PROVIDER_GOOGLE_CLIENT_SECRET: 'xxxxxxxxxx'
#PROVIDER_GOOGLE_DOMAIN: 'example.com'
#
# JWT (JsonWebToken) Settings
#
#JWT_SECRET: 'xxxxxxxxxx'
#JWT_EXPIRATION: '24h'
- Run
docker-compose up -d
this pulls the auth portal and starts it headless - Create a nginx host file to proxy the auth portal, example:
server {
listen 80;
server_name login.example.com;
access_log /var/log/nginx/access_login.example.com.log;
error_log /var/log/nginx/error_login.example.com.log;
location / {
proxy_pass http://127.0.0.1:9897;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
- Now add the following snippet to any application you would like to protect with the auth portal:
# Any request to this server will first be sent to this URL
auth_request /sso;
auth_request_set $auth_user $upstream_http_x_auth_portal_user;
auth_request_set $auth_resp_err $upstream_http_x_auth_portal_error;
location = /sso {
proxy_pass http://127.0.0.1:9897/validate;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 401 = @error401;
location @error401 {
return 302 https://login.example.com/login?host=$scheme://$http_host&url=$scheme://$http_host$request_uri&error=$auth_resp_err;
}
Below you will find a complete nginx host file for the secure.example.com
app:
server {
listen 80;
server_name secure.example.com;
root /var/www;
access_log /var/log/nginx/access_secure.example.com.log;
error_log /var/log/nginx/error_secure.example.com.log;
# Any request to this server will first be sent to this URL
auth_request /sso;
auth_request_set $auth_user $upstream_http_x_auth_portal_user;
auth_request_set $auth_resp_err $upstream_http_x_auth_portal_error;
location = /sso {
proxy_pass http://127.0.0.1:9897/validate;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 401 = @error401;
location @error401 {
return 302 https://login.example.com/login?host=$scheme://$http_host&url=$scheme://$http_host$request_uri&error=$auth_resp_err;
}
}
Below you will find a traefik docker compose example file:
version: '3.8'
services:
traefik:
image: traefik:v2.6
command:
- --providers.docker
# Don't expose containers per default
- --providers.docker.exposedByDefault=false
- --providers.docker.swarmMode=true
# Entrypoints (ports) for the routers
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
# Logging
- --accesslog
- --log.level=debug
# Enable the dashboard
- --api
## Traefik Pilot
- --pilot.dashboard=false
deploy:
restart_policy:
condition: on-failure
placement:
constraints:
- node.role == manager
labels:
# traefik.enable is required because we don't expose all containers automatically
- traefik.enable=true
# Extra middlewares
- traefik.http.middlewares.traefik-auth-portal.forwardauth.address=https://login.example.com/validate
- traefik.http.middlewares.traefik-auth-portal.forwardauth.trustForwardHeader=true
- traefik.http.middlewares.traefik-auth-portal.forwardauth.authResponseHeaders=X-Auth-Portal-User
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
If you would like your app to have access to the currently logged-in users email address Added the following line to your proxy or cgi process:
proxy_set_header Remote-User $auth_user;
In express, you are now able to retrieve the user like this:
app.get('/', (req, res) => {
res.send(`Hello, ${req.headers['remote-user']}!`);
});
fastcgi_param REMOTE_USER $auth_user;
In PHP, you are now able to retrieve the user like this:
<?php
echo 'Hello, ' . $_SERVER['REMOTE_USER'] . '!';
- Create a project within Google's Cloud portal: https://console.cloud.google.com
- Set up the OAuth consent screen. Next ensure the following scopes are selected:
- Create a new OAuth credential and set up the authorized redirects as follows:
MIT