Identity-aware proxy based on NGINX, OpenResty and lua-resty-openidc.
Create an OpenID Connect Client in your IDP using the following information:
- Client Name: IPAx
- Scopes: profile, openid
- Grant Types: authorization_code
- Redirect URIs: Include values like: "https://myapp.identicum.com/private/redirect_uri" (suffix is handled by
lua-resty-openidc, can be adjusted using theOIDC_REDIRECT_URIenvironment variable)
Samples are provided in the conf.samples folder.
Customize your files and put them into your local ./conf.d/ directory.
Run the image, mounting a local directory for configuration:
docker run -d \
-p 80:80 \
-e OIDC_DISCOVERY="https://idp.identicum.com/.well-known/openid-configuration" \
-e OIDC_CLIENT_ID="my_client_id" \
-e OIDC_CLIENT_SECRET="my_client_secret" \
-e OIDC_SCOPE="openid profile" \
-e OIDC_REDIRECT_URI="/private/redirect_uri" \
-e OIDC_SESSION_SECRET="some_uuid_secret" \
-e OIDC_POST_LOGOUT_REDIRECT_URI="https://myapp.identicum.com/logoutSuccess.html" \
-e OIDC_ACR_VALUES="loa-3" \
-v $(pwd)/conf.d/:/etc/ipax/conf.d/:ro \
identicum/ipax:latestTo use PKCE, remove
OIDC_CLIENT_SECRETand addOIDC_USE_PKCEwith value "true"
Issue as many certificates as necessary to be used in your reverse proxy. IPAx supports wildcard certificates and SNI.
If you want to use HTTPS, add mapping for port 443 and mount volume ./certs/ as /etc/ipax/certs/
To test using a self-signed certificate, run the following command (replace with your domain):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout wildcard_identicum_com.key -out wildcard_identicum_com.cerCountry Name (2 letter code) [XX]: `AR`
State or Province Name (full name) []: `CABA`
Locality Name (eg, city) [Default City]: `Buenos Aires`
Organization Name (eg, company) [Default Company Ltd]: `Identicum`
Organizational Unit Name (eg, section) []: ` `
Common Name (eg, your name or your server hostname) []: `*.identicum.com`
Email Address []: `no-reply@identicum.com`
Put the generated certificate files into your local ./certs/ directory.