Add OpenID authentication via Keycloak and integrate auth.lua into nginx setup

2025-06-09 10:20:30 +02:00
parent ba7d00c788
commit 7de107ea6e
4 changed files with 51 additions and 4 deletions


@@ -66,6 +66,7 @@
ssh -p "$PORT" "$DEPLOY_USER@$HOST" "mkdir -p $REMOTE_ENV_PATH" ssh -p "$PORT" "$DEPLOY_USER@$HOST" "mkdir -p $REMOTE_ENV_PATH"
scp -P "$PORT" docker-compose.yml "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/docker-compose.yml" scp -P "$PORT" docker-compose.yml "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/docker-compose.yml"
scp -P "$PORT" nginx.conf "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/nginx.conf" scp -P "$PORT" nginx.conf "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/nginx.conf"
scp -P "$PORT" auth.lua "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/auth.lua"
echo "Deploying DEMO on $HOST" echo "Deploying DEMO on $HOST"
ssh -p "$PORT" "$DEPLOY_USER@$HOST" " ssh -p "$PORT" "$DEPLOY_USER@$HOST" "
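Review bot: The new scp line ships auth.lua, but nothing in this step delivers the `.env` that the compose change now depends on (`env_file: .env` and `KEYCLOAK_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET}`), so on a fresh host the variable interpolates to empty and nginx comes up with no client secret. If the secret is intentionally provisioned on the host out of band, say so next to this line: `# KEYCLOAK_CLIENT_SECRET is read from $REMOTE_ENV_PATH/.env on the host; it is deliberately not copied by this script`. Otherwise add a guarded copy such as `[ -f .env ] && scp -P "$PORT" .env "$DEPLOY_USER@$HOST:$REMOTE_ENV_PATH/.env"` and tighten its mode afterwards with `chmod 600`, since the file carries a credential. The ssh command that starts on the last context line continues outside the hunk.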

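--- /dev/null
+++ b/auth.lua
@@ -0,0 +1,22 @@
+local openidc = require("resty.openidc")
+local opts = {
+redirect_uri_path = "/redirect_uri",
+discovery = "https://kc.boomlab.party/realms/rhein-sw/.well-known/openid-configuration",
+client_id = "demo-sso",
+client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET"),
+redirect_uri_scheme = "https",
+scope = "openid email profile"
+}
+local res, err = openidc.authenticate(opts)
+if err then
+ngx.status = 403
+ngx.say("Authentication failed: " .. err)
+ngx.exit(ngx.HTTP_FORBIDDEN)
+end
+-- Optional: Forward useful info to upstream
+ngx.req.set_header("X-User", res.user.preferred_username or "")
+ngx.req.set_header("X-Email", res.user.email or "")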
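Review bot: `os.getenv("KEYCLOAK_CLIENT_SECRET")` on the client_secret line returns nil inside nginx unless the main context of nginx.conf declares `env KEYCLOAK_CLIENT_SECRET;`, because nginx does not pass inherited environment variables to its workers; the nginx.conf hunks in this commit show no such directive (the main context lies above the visible hunk), so confirm it exists and fail closed in this file with `if not opts.client_secret then ngx.log(ngx.ERR, "KEYCLOAK_CLIENT_SECRET is not set") return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) end`. The error branch echoes the library's error string to the client via `ngx.say("Authentication failed: " .. err)`, which can expose discovery/JWKS URLs and token-validation internals; log it with `ngx.log(ngx.ERR, "openidc: ", err)` and return a fixed body instead. The forwarded `X-User`/`X-Email` headers are only trustworthy at the upstream if every route that reaches it either runs this file or strips those headers, and the `/auth` location this commit leaves public does neither as far as the visible config shows (it is also a prefix match, so `/authors` would be served unauthenticated). No session secret for lua-resty-session is visible anywhere in the commit; confirm `$session_secret` (or the equivalent option for the installed version) is set rather than relying on the library default, since it protects the session cookie that `authenticate()` issues.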


@@ -6,6 +6,11 @@ services:
- "25700:80" - "25700:80"
volumes: volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro - ./nginx.conf:/etc/nginx/nginx.conf:ro
- ./auth.lua:/etc/nginx/auth.lua:ro
environment:
- KEYCLOAK_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET}
env_file:
- .env
networks: networks:
- demos-net - demos-net
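Review bot: `KEYCLOAK_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET}` interpolates to an empty string (with only a warning) when the variable is unset on the deploying host, so the stack starts with a blank OIDC client secret instead of refusing to deploy; write it as `- KEYCLOAK_CLIENT_SECRET=${KEYCLOAK_CLIENT_SECRET:?KEYCLOAK_CLIENT_SECRET is not set}` to abort instead. The added `env_file: .env` injects every variable in that file into the nginx container, which is broader than needed if `.env` also carries other services' credentials; Compose already reads a project-directory `.env` for interpolation by default, so the explicit `environment:` entry alone suffices and `env_file` can be dropped. Note also that the variable does not reach Lua unless nginx.conf declares `env KEYCLOAK_CLIENT_SECRET;` in its main context, which is not in the visible hunks — confirm that is present.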


@@ -5,6 +5,11 @@ events {
} }
http { http {
lua_package_path "/etc/nginx/lua/?.lua;;";
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
lua_shared_dict sessions 10m;
include mime.types; include mime.types;
default_type application/octet-stream; default_type application/octet-stream;
sendfile on; sendfile on;
@@ -15,10 +20,11 @@ http {
# Automatically redirect URLs missing trailing slash (but not files like .js, .css, etc.) # Automatically redirect URLs missing trailing slash (but not files like .js, .css, etc.)
#if ($request_uri ~ ^([^.\?\#]*[^/])$) { #if ($request_uri ~ ^([^.\?\#]*[^/])$) {
# return 301 $request_uri/; # return 301 $request_uri/;
# } # }
location / { # Public route: /auth selection page, no login required
location /auth {
proxy_pass http://main-website:3000; proxy_pass http://main-website:3000;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
@@ -26,10 +32,23 @@ http {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
# Protected root route (main site)
location / {
access_by_lua_file /etc/nginx/auth.lua;
proxy_pass http://main-website:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Protected demo route
location /lawfirm/demo1/ { location /lawfirm/demo1/ {
proxy_pass http://ld1:3000/; access_by_lua_file /etc/nginx/auth.lua;
rewrite ^/lawfirm/demo1(/.*)$ $1 break; rewrite ^/lawfirm/demo1(/.*)$ $1 break;
proxy_pass http://ld1:3000;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;