docker-lemonldap

Add new VHOST

Open tomflenner opened this issue 4 years ago • 7 comments

Hello,

After adding a new VHOST through the Manager, I need to add a .conf file for the new app to protect in /etc/nginx/conf.d, with a docker cp or from inside the container's shell, right?

Tom;

tomflenner, May 14 '21 14:05

You would put it in your destination host's container, yes. Luckily I've made it easier overall if you continue to track my images.

  • You'll need to expose your handler somehow (or set up another one) using MODE=HANDLER with the LLNG image. I leave my LLNG Handler/Portal/Manager alone and deploy a different one as a handler, with an alias of llng-handler, to make it easier to reference down the road and to move the containers to a different host without having to mess with too much configuration.
  • Then you need to configure the webapp. In your tiredofit/nginx or tiredofit/nginx-php-fpm containers you'll want to set NGINX_AUTHENTICATION_TYPE=LLNG and then work with the following other options:

| Parameter | Description | Default |
|---|---|---|
| NGINX_AUTHENTICATION_TYPE | Protect the site with BASIC, LDAP, LLNG | NONE |
| NGINX_AUTHENTICATION_LLNG_HANDLER_HOST | If LLNG chosen, use this hostname for the handler | llng-handler |
| NGINX_AUTHENTICATION_LLNG_HANDLER_PORT | If LLNG chosen, use this port for the handler | 2884 |
| NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1 | Syntax: HEADER_NAME, Variable, Upstream Variable - see note below | |
| NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2 | Syntax: HEADER_NAME, Variable, Upstream Variable - see note below | |

When working with NGINX_AUTHENTICATION_LLNG_ATTRIBUTE2 you will need to omit any $ characters from your string. They will be added upon container startup. Example: NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid will get converted into HTTP_AUTH_USER,$uid,$upstream_http_uid and get placed in the appropriate areas in the configuration.

I am watching some of your posts on both the FD and LLNG lists, and I'm curious to see how you end up protecting an API with OAuth. When you figure it out, please share the info :)

tiredofit, May 14 '21 15:05

Oh, nice to see that you're aware of what I'm trying to do :D!

If I get it I will give you feedback, but my first step is just to protect API calls without OAuth (maybe just by asking for a lemon-ldap cookie header in the API request call).

So the easiest way for me atm is to use your tiredofit/nginx with my API inside and protect this container with Lemon?

I just have some trouble understanding the Handler part. Doesn't LemonLDAP provide a basic handler by default?

tomflenner, May 14 '21 15:05

This LLNG image does come with a handler, yes, I just prefer to keep it separated from everything else and set up a secondary handler using REST. I suppose that's way more advanced than it needs to be right now, and you want to see things work without learning a million new things, so try this:

Set up a VHOST for your sample vhost with the default rule set to accept, and with your exported headers set to `uid | $uid`.

Set up `tiredofit/nginx-php-fpm:latest` with a working hostname and with the following variables:

  - NGINX_AUTHENTICATION_TYPE=LLNG
  - NGINX_AUTHENTICATION_LLNG_HANDLER_HOST=(your internal lemonldap container name)
  - NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid

Obviously in this scenario you'll need to have the nginx-php-fpm container on the same Docker network as the LLNG container.

When you then visit the nginx-php-fpm container hostname you should be redirected to the LLNG login screen. After you pass authentication, the default config, if you don't map any volumes into nginx-php-fpm, is to show a PHP info screen. At the very bottom you'll see that we've passed $_SERVER_AUTH_USER with the value of your LLNG logged-in username. That's the most basic setup to get you going for now. The same thing would work with tiredofit/nginx, but with that image you have no easy way to tell what vars are being passed and to know if it's working, other than it giving you the LLNG login screen.

tiredofit, May 14 '21 15:05
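The attribute syntax in the table in the first reply and the three variables in the reply above describe a standard nginx `auth_request` setup against the LLNG FastCGI handler on port 2884. The helper below is an added example written for this thread, not the startup script shipped in tiredofit/nginx or tiredofit/nginx-php-fpm (that template is not shown here): it parses `NGINX_AUTHENTICATION_LLNG_*` values the way the reply describes (the `$` is prepended at render time) and emits the nginx directives they correspond to. The `/lmauth` location, the `error_page 401` redirect and the `X_ORIGINAL_URI` parameter follow the LemonLDAP::NG nginx documentation; that the image lays out its config this way, and the function and class names, are assumptions.

```python
"""Render the nginx directives behind NGINX_AUTHENTICATION_LLNG_* (hypothetical helper)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable

_HEADER_RE = re.compile(r"^HTTP_[A-Z0-9_]+$")          # CGI-style param name
_VAR_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")      # nginx variable name


@dataclass(frozen=True)
class LlngAttribute:
    """One NGINX_AUTHENTICATION_LLNG_ATTRIBUTEn entry split into its three fields."""
    header: str             # param the app reads, e.g. HTTP_AUTH_USER
    variable: str           # nginx variable without '$', e.g. uid
    upstream_variable: str  # handler reply header as nginx exposes it, e.g. upstream_http_uid


def parse_attribute(spec: str) -> LlngAttribute:
    """Parse 'HEADER_NAME,variable,upstream_variable'. '$' must be omitted in the
    env var (as the thread says); rejecting it here keeps '$$uid' out of nginx.conf."""
    if "$" in spec:
        raise ValueError("omit '$' from the attribute spec; it is prepended at render time")
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected HEADER,variable,upstream_variable, got {spec!r}")
    header, var, upvar = parts
    if not _HEADER_RE.match(header):
        raise ValueError(f"header must look like HTTP_NAME, got {header!r}")
    if not (_VAR_RE.match(var) and _VAR_RE.match(upvar)):
        raise ValueError(f"bad nginx variable name in {spec!r}")
    if not upvar.startswith("upstream_http_"):
        raise ValueError("third field must be an upstream_http_* variable")
    return LlngAttribute(header, var, upvar)


def cgi_to_http(param: str) -> str:
    """HTTP_AUTH_USER -> Auth-User, the form proxy_set_header expects."""
    return "-".join(w.capitalize() for w in param[len("HTTP_"):].split("_"))


def render_nginx(handler_host: str = "llng-handler", handler_port: int = 2884,
                 attributes: Iterable[str] = (), php_fpm: bool = True) -> str:
    attrs = [parse_attribute(a) for a in attributes]
    # Copy each exported header from the auth sub-request reply into a variable...
    sets = [f"        auth_request_set ${a.variable} ${a.upstream_variable};" for a in attrs]
    # ...then hand it to the application. An explicit HTTP_* fastcgi_param (or
    # proxy_set_header) replaces any same-named header the client itself sent.
    if php_fpm:
        passes = [f"        fastcgi_param {a.header} ${a.variable};" for a in attrs]
    else:
        passes = [f"        proxy_set_header {cgi_to_http(a.header)} ${a.variable};" for a in attrs]
    lines = [
        "    # Internal sub-request target: every client request is first sent here.",
        "    # The LLNG FastCGI handler answers 200 (allow), 401 (no session; Location",
        "    # header points at the portal) or 403 (session exists but the rule denies).",
        "    location = /lmauth {",
        "        internal;",
        "        include /etc/nginx/fastcgi_params;",
        f"        fastcgi_pass {handler_host}:{handler_port};",
        "        fastcgi_pass_request_body off;",
        '        fastcgi_param CONTENT_LENGTH "";',
        "        fastcgi_param HOST $http_host;",
        "        fastcgi_param X_ORIGINAL_URI $request_uri;",
        "    }",
        "",
        "    location / {",
        "        auth_request /lmauth;",
        "        auth_request_set $lmlocation $upstream_http_location;",
        "        error_page 401 $lmlocation;",
        *sets,
        *passes,
        "        # ... fastcgi_pass / proxy_pass to the application goes here",
        "    }",
    ]
    return "\n".join(lines)


def render_from_env(env: Dict[str, str]) -> str:
    """Read the variables from the table in the thread and render the snippet."""
    if env.get("NGINX_AUTHENTICATION_TYPE", "NONE") != "LLNG":
        return ""  # BASIC/LDAP/NONE are out of scope for this helper
    host = env.get("NGINX_AUTHENTICATION_LLNG_HANDLER_HOST", "llng-handler")
    port = int(env.get("NGINX_AUTHENTICATION_LLNG_HANDLER_PORT", "2884"))
    attrs = [v for k, v in sorted(env.items())
             if k.startswith("NGINX_AUTHENTICATION_LLNG_ATTRIBUTE") and v]
    return render_nginx(host, port, attrs)


if __name__ == "__main__":
    # Constructed input: the values from the docker run command later in the thread.
    print(render_from_env({
        "NGINX_AUTHENTICATION_TYPE": "LLNG",
        "NGINX_AUTHENTICATION_LLNG_HANDLER_HOST": "lemonldap-app",
        "NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1": "HTTP_AUTH_USER,uid,upstream_http_uid",
    }))
```

Two points a practitioner should take from the rendered config. The application sees `HTTP_AUTH_USER` only because nginx sets it from the handler's reply after `auth_request` succeeded, and an explicit `HTTP_*` fastcgi_param overrides a client-supplied `Auth-User` header; that guarantee holds only while php-fpm or the app is reachable solely through this nginx, so do not publish the app's own port. And the handler returns 403, not a redirect, when a session exists but the vhost rule denies the request, so a 403 after a successful portal login points at the rule in the Manager rather than at the container wiring.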

After trying the example I got a 403 Forbidden when I try to connect to my container hostname.

I checked all the configuration and didn't find any problem with it.

Do you have any idea ?

EDIT

My docker run command:

```shell
docker run -d \
  -e VIRTUAL_HOST=test3.m1miaa.fr \
  -e LETSENCRYPT_HOST=test3.m1miaa.fr \
  -e NGINX_AUTHENTICATION_TYPE=LLNG \
  -e NGINX_AUTHENTICATION_LLNG_HANDLER_HOST=lemonldap-app \
  -e NGINX_AUTHENTICATION_LLNG_ATTRIBUTE1=HTTP_AUTH_USER,uid,upstream_http_uid \
  --network=nginx-proxy \
  tiredofit/nginx-php-fpm:latest
```

tomflenner, May 14 '21 15:05

I believe the llng container should give information. Try the log level of debug, which will output quite a lot of info as to what's happening.

tiredofit, May 14 '21 16:05

Oh my god, I'm so dumb... I was already logged in, sorry... XD

After a quick search: my API is a Node Express app, so maybe I need to implement this handler: https://github.com/LemonLDAPNG/node-lemonldap-ng-handler#nginx-authorization-server to protect my Express app?

tomflenner, May 14 '21 16:05

With a Node Express application you can use the Node.js handler; I've used it successfully in the past, although I don't think I have any documentation off the top of my head. You could avoid using nginx entirely, unless you had a need for it.

tiredofit, May 14 '21 17:05