use nginx auth_request module and Lasso to protect all of your private applicati...
source link: https://www.tuicool.com/articles/hit/MZvuaaY
Enforce Google Authentication for Any Application with nginx and Lasso
By configuring your nginx webserver to use the auth_request module and Lasso, you can protect any website with Google Authentication.
Lasso, written in Go, performs a one-time authentication against Google (or any other OAuth provider) and then, for the next four hours (or more or less if you like), validates requests in less than 1ms using a JSON Web Token (JWT).
This is the first in a series of posts showing how to set up nginx and Lasso with a variety of OAuth providers.
Let's say you help to administer a network for an organization that uses GSuite by Google for GMail, Drive, Docs, Groups, Calendar, etc. As team members join or leave the organization, you add and remove access to the organization’s Google account. At the same time, you provide access to other web-based tools your group uses, hosted privately on your own servers.
With Nginx’s auth_request module and Lasso, you can enforce OAuth login to GSuite. As your team members change, you can add and remove accounts via Google and be assured that proper access rights are being maintained without having to touch every application you’re running and manage access on each application individually. No Puppet, no Chef, no Ansible, no re-deployments, no running around trying to be sure you got them all.
Nginx and Lasso to the Rescue!
For every request received for private.yourcorp.com, nginx first forwards the request to Lasso via the auth_request module. Lasso reviews the request headers and responds to nginx with 200 OK for authorized requests or with 401 Not Authorized. Authorization takes less than 1ms.
If the request is authorized, it will be forwarded through to private.yourcorp.com.
If the request is not authorized, then nginx 302 redirects the end user’s browser first to Lasso, which immediately 302 redirects the end user on to Google’s OAuth Login screen…
After successful login, Google returns the user back to Lasso. Lasso sets the JWT into a cookie and 302 redirects the user back to private.yourcorp.com.
While the end user interacts with Lasso twice, it's unlikely that they will even notice that Lasso was involved.
4 Easy Steps to Install Lasso and Configure Nginx
Should take less than 20 Minutes
Step 1: install Lasso
go get github.com/LassoProject/lasso
cd ~/go/src/github.com/LassoProject/lasso
go build
cp config/config.yml_example_google config/config.yml
Lasso can also be run as a Docker container.
Step 2: create a Google OAuth App and configure Lasso
Use Google’s developer console to generate the client_id and the client_secret and to set your callback_urls.
Add these to config/config.yml.
Also add your top level domains and/or private domains to the lasso.domains configuration option.
Add the following to the nginx server {} block for each webapp you’d like to secure.
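The server {} additions that implement the request flow described above, as an added example that is not the original article's or the Lasso project's own configuration. The /validate and /login endpoints, port 9090, the lasso.yourcorp.com hostname and the 127.0.0.1:8080 upstream are assumptions; check them against the README of the Lasso version you run.

```nginx
# Place inside the existing server {} block for private.yourcorp.com.
# Assumed: Lasso listens on 127.0.0.1:9090 and is published to browsers
# as https://lasso.yourcorp.com (hypothetical hostname).

# Every request handled by this server first triggers a subrequest
# to /validate; the request only proceeds if that subrequest returns 2xx.
auth_request /validate;

location = /validate {
    # Reachable only through nginx subrequests; direct client requests get 404.
    internal;

    # Assumed Lasso validation endpoint.
    proxy_pass http://127.0.0.1:9090/validate;

    # Lasso decides from headers and cookies, so do not forward the body.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Preserve the original host so Lasso sees which site is being accessed.
    proxy_set_header Host $http_host;
}

# A 401 from the subrequest becomes a 401 for the client;
# convert it into the redirect to Lasso's login endpoint instead.
error_page 401 = @error401;

location @error401 {
    # Assumed Lasso login endpoint; "url" tells Lasso where to send the
    # user after Google login. Lasso should only accept return URLs under
    # the domains listed in lasso.domains.
    return 302 https://lasso.yourcorp.com/login?url=$scheme://$http_host$request_uri;
}

location / {
    # The private application being protected (assumed upstream address).
    proxy_pass http://127.0.0.1:8080;
}
```

The check only applies to traffic that passes through this server block, so the upstream application should listen on loopback or be firewalled so that it cannot be reached around nginx.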
Step 4: run Lasso!
./lasso
And that’s it! It really should be that easy.
But if it’s not, please do reach out to us on GitHub or on the Freenode IRC channel #lasso. We’re happy to help you get Lasso up and running.
If you find Lasso to be of use to you, please do us the kind favor of letting one other devops professional know about Lasso.
Benjamin Foote is a Systems Engineer and devops pro from Portland, Oregon. During his 20 year career Ben has worked with Fortune 500 Corporations, startups and everything in between. Ben has thru-hiked the Pacific Crest Trail (2000) and 90% of the Continental Divide Trail (2013). Ben serves as the Board President of Umbrella, a 501(c)(3) and Oregon non-profit organization which sponsors many wonderful projects throughout Portland. When he’s not riding his bicycle to another meeting he can be found tending to his garden.