Skip to content

Example configuration: nginx

Jump to bottom
Thomas Pike edited this page Jan 27, 2019 · 3 revisions

Example nginx configuration contributed by user TiagoTT

This was done on a fresh Debian 9 server and following approximately the installation instructions on the README.md file.

The following packages had to be installed:

apt-get install nginx php php-fpm php-json php-ldap php-pgsql php-mbstring php7.0-intl php-curl postgresql-client postgresql

And the following NGINX server block was defined:

server {
	listen 80;
	listen 443 ssl;
	server_name dns-ui.example.com;
	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

	root /home/dnsui/dns-ui/public_html;
	index init.php;

	auth_basic "Opera DNS UI";
	auth_basic_user_file /etc/nginx/passwd;

	location / {
		try_files $uri $uri/ @php;
	}

	location @php {
		rewrite ^/(.*)$ /init.php/$1 last;
	}

	location /init.php {
		# Mitigate https://httpoxy.org/ vulnerabilities
		fastcgi_param HTTP_PROXY "";
		fastcgi_pass unix:/run/php/php7.0-fpm.sock ;
		include /etc/nginx/snippets/fastcgi-php.conf;
	}
}

Example using nginx + LUA module to authenticate with Google OAuth

Example nginx + LUA + Google OAuth configuration contributed by user TiagoTT

Google Oauth authentication can be made to work with the help of this NGINX+Lua module: https://github.com/cloudflare/nginx-google-oauth

The user details are still fetched from LDAP and only the authenticated user is passed from Lua module into the PHP code. In other words, the LDAP username must match the Oauth username returned from Google.

The following additional packages need to be installed:

apt-get install lua-cjson lua5.1 luarocks
luarocks install lua-resty-http
mkdir /etc/nginx/lua ; git clone https://github.com/cloudflare/nginx-google-oauth /etc/nginx/lua/nginx-google-oauth

And this is how NGINX server block looks:

server {
	listen 80;
	listen 443 ssl;
	server_name dns-ui-example.com;
	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

	root /home/dnsui/dns-ui/public_html;
	index init.php;

	access_by_lua_file		/etc/nginx/lua/nginx-google-oauth/access.lua;
	lua_ssl_trusted_certificate	/etc/ssl/certs/ca-certificates.crt;
	lua_ssl_verify_depth		3;
	# Workaround to avoid IPv6 DNS responses, in case you don't have IPv6 connectivity.
	resolver			10.2.2.2 10.2.2.3 ipv6=off;
	set $ngo_client_id		xxx.apps.googleusercontent.com;
	set $ngo_client_secret		yyy;
	set $ngo_domain			example.com;
	set $ngo_http_only_cookies	true;
	set $ngo_secure_cookies		true;
	set $ngo_token_secret		"a very long randomish string";
	# Required to get the authenticated user name filled for later usage.
	set $ngo_user			true;

	location / {
		try_files $uri $uri/ @php;
	}

	location @php {
		rewrite ^/(.*)$ /init.php/$1 last;
	}

	location /init.php {
		# Mitigate https://httpoxy.org/ vulnerabilities
		fastcgi_param HTTP_PROXY "";
		fastcgi_pass unix:/run/php/php7.0-fpm.sock ;
		include /etc/nginx/snippets/fastcgi-php.conf;
		# Pass Google Oauth authenticated user name to the PHP code
		fastcgi_param PHP_AUTH_USER $ngo_user;
	}
}

The Oauth client ID and Secret are obtained from: https://console.developers.google.com/apis/credentials

Example using nginx + auth_request module to authenticate with oauth2_proxy

Example nginx + auth_request + oauth2_proxy configuration contributed by user captainark

In this example, we'll use oauth2_proxy to authenticate against GitHub, and we'll then send the authenticated user to dns-ui.

Make sure to start oauth2_proxy with the --set-xauthrequest parameter.

We also have to create a user with the same name as your username on GitHub in the dns-ui database :

insert into "user" (uid, name, email, admin, active) values ('dns-user', 'DNS User', '[email protected]', 1, 1);

In dns-ui config.ini, disable ldap and to enable php_auth.

Please note that dns-ui will be accessible from /dns-ui instead of / with this nginx configuration :

server {
  listen 80;
  listen 443 ssl;
  server_name dns-ui.example.com;
  ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
  ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

  root /var/www/html;
  index index.html;

  location /oauth2/ {
    proxy_pass http://127.0.0.1:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
  }
  location = /oauth2/auth {
    proxy_pass http://127.0.0.1:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    # nginx auth_request includes headers but not body
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
  }

  location /dns-ui {
    alias /var/www/dns-ui/public_html;
    auth_request /oauth2/auth;
    error_page 401 /oauth2;
    auth_request_set $user $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;
    index init.php;
    try_files $uri $uri/ @dnsui;

    location /dns-ui/init.php {
      # Mitigate https://httpoxy.org/ vulnerabilities
      fastcgi_param HTTP_PROXY "";
      fastcgi_pass unix:/run/php/php7.0-fpm.sock ;
      include snippets/fastcgi-php.conf;
      fastcgi_param SCRIPT_FILENAME $request_filename;
      fastcgi_param PHP_AUTH_USER $user;
    }
  }

  location @dnsui {
    rewrite /dns-ui/(.*)$ /dns-ui/init.php/$1 last;
  }
}

As long as the user sent from them matches the one in your database, other oauth2 providers should work. It hasn't been tested, though.

Clone this wiki locally