# NGINX Authentication Request

NGINX's `auth_request` directive tells nginx to make a sub-request to an external server to check whether the user is authorized to access a resource.

```mermaid
graph LR
  A{User} -- Web Request --> B[NGINX]
  B -- auth_request --> C[Simple Auth]
  B -- proxy_pass --> D[Backend]
```

# Setting up Simple-Auth with auth_request

In order to set this up, you need to do a few things:

  1. Enable the vouch endpoint
  2. Set up nginx to sit in front of simple-auth and make an auth_request (vouch) to simple-auth
  3. Set up nginx to proxy the simple-auth UI
  4. Run a simple-auth server that nginx can proxy to

# Enabling vouch endpoint

```yaml
authenticators:
    vouch:
        enabled: true
```

# Docker

The following example sets up a docker-compose stack that serves a static page protected by simple-auth.

# docker-compose.yml

```yaml
version: '3.3'
services:
  nginx:
    build:
      context: .
      dockerfile: nginx.Dockerfile # nginx that uses `nginx.conf` file
    ports:
      - "8082:80"
    environment:
      NGINX_PORT: 80
  simpleauth:
    image: zix99/simple-auth:latest
    environment:
      # Placeholder: replace with your own long, random secret
      SA_WEB_LOGIN_COOKIE_JWT_SIGNINGKEY: a-unique-signing-key
      SA_VERBOSE: 'true'
      SA_WEB_LOGIN_SETTINGS_ROUTEONLOGIN: "/"
      SA_AUTHENTICATORS_VOUCH_ENABLED: 'true'
      # SA_WEB_LOGIN_SETTINGS_CREATEACCOUNTENABLED: 'false'
    volumes:
      - sadb:/var/lib/simple-auth

volumes:
  sadb: {}
```

# nginx.conf

```nginx
server {
  listen 80;

  # What is being served (e.g. could be a proxy_pass instead)
  location / {
    # Where to check that auth is valid (cookie); points to the route below
    auth_request /auth-validate;

    # Content
    root /usr/share/nginx/html;
    index index.html index.htm;
  }

  # Path to vouch for auth
  location = /auth-validate {
    internal; # Only reachable by sub-requests; external requests get a 404
    proxy_pass http://simpleauth/api/v1/auth/vouch;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
  }

  # If the response would be a 401 (e.g. because vouch returned 401)
  error_page 401 = @error401;
  location @error401 {
    # $http_host is taken from the client's Host header; use a fixed
    # hostname here if the site has a known public name
    return 302 $scheme://$http_host/auth/; # Redirect to /auth
  }

  # In /auth, proxy_pass to simpleauth to authenticate
  # simple-auth will redirect back once authenticated
  location /auth {
    rewrite /auth/(.*) /$1 break; # Remove /auth prefix from URL passed to simple-auth
    proxy_pass http://simpleauth;
  }
}
```
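
To confirm that a running stack enforces what the `nginx.conf` above intends, the following smoke test checks the gate from the client side. It is an added example, not part of simple-auth or its documentation. It assumes the compose stack is published on `localhost:8082` as configured above; the cookie name `auth` and its value are constructed placeholders, and the helper names are hypothetical.

```python
import http.client

def make_get(host, port):
    """Build a GET helper that never follows redirects (http.client does not)."""
    def get(path, headers=None):
        conn = http.client.HTTPConnection(host, port, timeout=5)
        try:
            conn.request("GET", path, headers=headers or {})
            resp = conn.getresponse()
            resp.read()
            return resp.status, resp.getheader("Location") or ""
        finally:
            conn.close()
    return get

def redirected_to_login(status, location):
    return status == 302 and location.endswith("/auth/")

def check_gateway(get):
    """Return the list of failed expectations; an empty list means the gate holds."""
    failures = []
    # No session: vouch answers 401 and error_page turns it into a 302 to /auth/.
    status, location = get("/")
    if not redirected_to_login(status, location):
        failures.append(f"GET / without a cookie returned {status} {location!r}")
    # A cookie that is not a valid session must be treated like no cookie at all.
    # The cookie name and value here are constructed placeholders.
    status, location = get("/", {"Cookie": "auth=constructed-invalid-value"})
    if not redirected_to_login(status, location):
        failures.append(f"GET / with an invalid cookie returned {status} {location!r}")
    # `internal` hides the sub-request route: nginx answers external requests with 404.
    status, _ = get("/auth-validate")
    if status != 404:
        failures.append(f"GET /auth-validate is reachable from outside (status {status})")
    return failures

if __name__ == "__main__":
    # Assumes the compose stack above is running and published on localhost:8082.
    problems = check_gateway(make_get("localhost", 8082))
    print("\n".join(problems) or "gateway checks passed")
    raise SystemExit(1 if problems else 0)
```

Run it after every change to `nginx.conf`; a non-zero exit code means a protected route answered without a valid session or the vouch route is exposed.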