Auth::Proxy
External auth for your web services.
IMPORTANT: This is still under development and untested
Usage
Create a directorry for your auth-proxy app.
Create a Gemfile and add the auth-proxy gem and any omniauth gems you want to use:
gem "auth-proxy"
gem "omniauth-facebook"
gem "omniauth-twitter"And then execute:
$ bundle install
Create a config.ru file:
require "auth-proxy"
require "omniauth-facebook"
AuthProxy.configure do |config|
config.ssl = true
config.register :facebook,
display_name: "Facebook",
app_id: "ID",
app_secret: "SECRET"
end
run AuthProxy.appAnd then execute
$ AUTH_PROXY_APP_DOMAIN=auth.my.domain AUTH_PROXY_COOKIE_DOMAIN=my.domain rackup config.ru
Now you can proxy requests through this app to be authenticated. One nice way of doing this is using nginx's
auth_request directive. Assuming you have different services under ops.company.tld domain
(service1.ops.company.tld service2.ops.company.tld etc) you would setup auth-proxy to run under
auth.ops.company.tld and keep the cookies under ops.company.tld so they will be available on all services:
$ AUTH_PROXY_APP_DOMAIN=auth.ops.company.tld AUTH_PROXY_COOKIE_DOMAIN=ops.company.tld rackup -p 5000 config.ru
In front of the auth-proxy you will have an nginx (or more nginx loadbalancers) with the following config:
worker_processes 1;
events {
worker_connections 1024;
}
http {
upstream auth {
server 127.0.0.1:6000 fail_timeout=0;
}
server {
listen 80;
server_name auth.ops.company.tld;
location / {
proxy_pass http://auth;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
}
Now for each app that needs to be authenticated you will need a nginx in front of it with the following config:
worker_processes 1;
events {
worker_connections 1024;
}
http {
upstream service1 {
server 127.0.0.1:7000 fail_timeout=0;
}
server {
listen 7000;
server_name service1.ops.company.tld;
auth_request /auth/try;
# optional - if you need to pass to your app headers set by the auth-proxy
auth_request_set $auth_proxy_user_name $upstream_http_x_auth_proxy_user_name;
auth_request_set $auth_proxy_user_email $upstream_http_x_auth_proxy_user_email;
auth_request_set $auth_proxy_user_id $upstream_http_x_auth_proxy_user_id;
auth_request_set $auth_proxy_user_provider $upstream_http_x_auth_proxy_user_provider;
auth_request_set $auth_proxy_user_token $upstream_http_x_auth_proxy_user_token;
# optional end
error_page 401 403 =200 @login;
location @login {
return 301 https://auth.ops.company.tld/login?return_to=https://$http_host$request_uri;
}
location = /auth/try {
proxy_pass http://auth..ops.company.tld;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location / {
proxy_pass http://service1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# optional - if you need to pass to your app headers set by the auth-proxy
proxy_set_header X-Auth-Proxy-User-Name $auth_proxy_user_name;
proxy_set_header X-Auth-Proxy-User-Email $auth_proxy_user_email;
proxy_set_header X-Auth-Proxy-User-ID $auth_proxy_user_id;
proxy_set_header X-Auth-Proxy-User-provider $auth_proxy_user_provider;
proxy_set_header X-Auth-Proxy-User-token $auth_proxy_user_token;
# optional end
}
}
}
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/cristianbica/auth-proxy.