fossilfranv/nginx_docker-swag
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Structure changes

Browse Source
This commit is contained in:
Eric Nemchik 2021-11-26 20:52:14 -06:00
parent c370caafee
commit daf99713a9
8 changed files with 164 additions and 187 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
root/defaults/nginx/location-confs/ldap-location.conf.sample Normal file
View File

@ -0,0 +1,4 @@
## Version 2021/04/21 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/location-confs/ldap-location.conf.sample
auth_request /auth;
error_page 401 =200 /ldaplogin;

8
root/defaults/nginx/location-confs/proxy.conf.sample
View File

@ -25,7 +25,11 @@ proxy_set_header Host $host;
proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;

45
root/defaults/nginx/server-confs/authelia-server.conf.sample
View File

@ -3,9 +3,11 @@
location ^~ /authelia {
include /config/nginx/location-confs/*.conf;
include /config/nginx/resolver.conf;
set $upstream_authelia authelia;
proxy_pass http://$upstream_authelia:9091;
set $upstream_app authelia;
set $upstream_port 9091;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
location = /authelia/api/verify {
@ -13,40 +15,19 @@ location = /authelia/api/verify {
if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
return 401;
}
include /config/nginx/resolver.conf;
set $upstream_authelia authelia;
proxy_pass_request_body off;
proxy_pass http://$upstream_authelia:9091;
proxy_set_header Content-Length "";
include /config/nginx/location-confs/*.conf;
set $upstream_app authelia;
set $upstream_port 9091;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
proxy_pass_request_body off;
proxy_set_header Content-Length "";
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

29
root/defaults/nginx/server-confs/geoip2.conf.sample
View File

@ -58,7 +58,6 @@ geo $allow_list {
# return 444;
# }
#########################################
# Add the following if statements inside any server context where you want to geo block cities.
########################################
# if ($allow_list = yes) {
@ -72,13 +71,10 @@ geo $allow_list {
# Example using a config from proxy-confs
# server {
# listen 443 ssl;
# listen [::]:443 ssl;
#
# server_name unifi.*;
#
# include /config/nginx/server-confs/*.conf;
#
# server_name unifi.*;
# client_max_body_size 0;
# # Allow lan access if default is set to no
@ -90,24 +86,19 @@ geo $allow_list {
# return 444;
# }
#
# set $htpasswd_file /config/nginx/.htpasswd;
# set $auth_basic "Restricted";
# if (!-f $htpasswd_file) {
# set $auth_basic off;
# }
# location / {
# # enable the next two lines for http auth
# #auth_basic "Restricted";
# #auth_basic_user_file /config/nginx/.htpasswd;
#
# # enable the next two lines for ldap auth
# #auth_request /auth;
# #error_page 401 =200 /ldaplogin;
#
# include /config/nginx/location-confs/*.conf;
# resolver 127.0.0.11 valid=30s;
# set $upstream_app unifi-controller;
# set $upstream_port 8443;
# set $upstream_proto https;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#
# proxy_buffering off;
# }
# }

92
root/defaults/nginx/server-confs/ldap-server.conf.sample Normal file
View File

@ -0,0 +1,92 @@
## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/ldap.conf.sample
## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
## see the heimdall example in the default site config for info on enabling ldap auth
## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
location /ldaplogin {
include /config/nginx/server-confs/*.conf;
set $upstream_auth_app ldap-auth;
set $upstream_auth_port 9000;
set $upstream_auth_proto http;
proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
proxy_set_header X-Target $request_uri;
}
location = /auth {
include /config/nginx/server-confs/*.conf;
set $upstream_auth_app ldap-auth;
set $upstream_auth_port 8888;
set $upstream_auth_proto http;
proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
#Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
#proxy_cache auth_cache;
#proxy_cache_valid 200 10m;
#proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ----------- ----------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://example.com";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
# If AD, use "root@test.local"
proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
#proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}

92
root/defaults/nginx/server-confs/ldap.conf.sample
View File

@ -1,92 +0,0 @@
## Version 2020/06/02 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/server-confs/ldap.conf.sample
## this conf is meant to be used in conjunction with our ldap-auth image: https://github.com/linuxserver/docker-ldap-auth
## see the heimdall example in the default site config for info on enabling ldap auth
## for further instructions on this conf, see https://github.com/nginxinc/nginx-ldap-auth
location /ldaplogin {
resolver 127.0.0.11 valid=30s;
set $upstream_auth_app ldap-auth;
set $upstream_auth_port 9000;
set $upstream_auth_proto http;
proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
proxy_set_header X-Target $request_uri;
}
location = /auth {
resolver 127.0.0.11 valid=30s;
set $upstream_auth_app ldap-auth;
set $upstream_auth_port 8888;
set $upstream_auth_proto http;
proxy_pass $upstream_auth_proto://$upstream_auth_app:$upstream_auth_port;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
#Before enabling the below caching options, make sure you have the line "proxy_cache_path cache/ keys_zone=auth_cache:10m;" at the bottom your default site config
#proxy_cache auth_cache;
#proxy_cache_valid 200 10m;
#proxy_cache_key "$http_authorization$cookie_nginxauth";
# As implemented in nginx-ldap-auth-daemon.py, the ldap-auth daemon
# communicates with a LDAP server, passing in the following
# parameters to specify which user account to authenticate. To
# eliminate the need to modify the Python code, this file contains
# 'proxy_set_header' directives that set the values of the
# parameters. Set or change them as instructed in the comments.
#
# Parameter Proxy header
# ----------- ----------------
# url X-Ldap-URL
# starttls X-Ldap-Starttls
# basedn X-Ldap-BaseDN
# binddn X-Ldap-BindDN
# bindpasswd X-Ldap-BindPass
# cookiename X-CookieName
# realm X-Ldap-Realm
# template X-Ldap-Template
# (Required) Set the URL and port for connecting to the LDAP server,
# by replacing 'example.com'.
# Do not mix ldaps-style URL and X-Ldap-Starttls as it will not work.
proxy_set_header X-Ldap-URL "ldap://example.com";
# (Optional) Establish a TLS-enabled LDAP session after binding to the
# LDAP server.
# This is the 'proper' way to establish encrypted TLS connections, see
# http://www.openldap.org/faq/data/cache/185.html
#proxy_set_header X-Ldap-Starttls "true";
# (Required) Set the Base DN, by replacing the value enclosed in
# double quotes.
proxy_set_header X-Ldap-BaseDN "cn=Users,dc=test,dc=local";
# (Required) Set the Bind DN, by replacing the value enclosed in
# double quotes.
# If AD, use "root@test.local"
proxy_set_header X-Ldap-BindDN "cn=root,dc=test,dc=local";
# (Required) Set the Bind password, by replacing 'secret'.
proxy_set_header X-Ldap-BindPass "secret";
# (Required) The following directives set the cookie name and pass
# it, respectively. They are required for cookie-based
# authentication. Comment them out if using HTTP basic
# authentication.
proxy_set_header X-CookieName "nginxauth";
proxy_set_header Cookie nginxauth=$cookie_nginxauth;
# (Required if using Microsoft Active Directory as the LDAP server)
# Set the LDAP template by uncommenting the following directive.
#proxy_set_header X-Ldap-Template "(sAMAccountName=%(username)s)";
# (Optional if using OpenLDAP as the LDAP server) Set the LDAP
# template by uncommenting the following directive and replacing
# '(cn=%(username)s)' which is the default set in
# nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Template "(cn=%(username)s)";
# (Optional) Set the realm name, by uncommenting the following
# directive and replacing 'Restricted' which is the default set
# in nginx-ldap-auth-daemon.py.
#proxy_set_header X-Ldap-Realm "Restricted";
}

23
root/defaults/nginx/site-confs/default.conf.sample
View File

@ -14,13 +14,15 @@ server {
# main server block
server {
include /config/nginx/server-confs/*.conf;
server_name _;
root /config/www;
index index.html index.htm index.php;
# enable subfolder method reverse proxy confs
include /config/nginx/subfolder-confs/*.subfolder.conf;
include /config/nginx/server-confs/*.conf;
include /config/nginx/subfolder-confs/*.conf;
set $htpasswd_file /config/nginx/.htpasswd;
set $auth_basic "Restricted";
@ -28,21 +30,16 @@ server {
set $auth_basic off;
}
location / {
include /config/nginx/location-confs/*.conf;
auth_basic $auth_basic;
auth_basic_user_file $htpasswd_file;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /ldaplogin;
# enable for Authelia
#include /config/nginx/location-confs/authelia-location.conf;
try_files $uri $uri/ /index.html /index.php?$args =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
location ~ ^(.+\.php)(.*)$ {
fastcgi_split_path_info ^(.+\.php)(.*)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
@ -55,6 +52,6 @@ server {
}
# enable subdomain method reverse proxy confs
include /config/nginx/subdomain-confs/*.subdomain.conf;
include /config/nginx/subdomain-confs/*.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;