/nginx-meiling-proxy

Authenticate nginx requests through OAuth

Primary LanguagePythonMIT LicenseMIT

Nginx Meiling Proxy

CircleCI

Named after the mythical gatekeeper Hong Meiling, the Nginx Meiling Proxy handles auth_requests from your Nginx.

Usage

Suppose you want to run a service, but you want finer controls over who has access to it. It's easy to accomplish this with Nginx and Meiling!

First, you need to update your Nginx config to include an internal auth_request endpoint, and sett auth_request for the location that you want to protect, like so (assuming you have Meiling running at 127.0.0.1:8000):

server {
    server_name grafana.example.com;
    listen 443 ssl;

    error_page 401 = @error401;

    location @error401 {
        return 302 https://meiling.example.net/oauth?next_url=$scheme%3A%2F%2F$host$request_uri;
    }

    location = /nginx/auth_request {
        internal;
        proxy_pass http://127.0.0.1:8000;
        proxy_pass_request_body off;
        proxy_set_header X-Nginx-Host $host;
        proxy_set_header X-Nginx-Request-Method $request_method;
        proxy_set_header X-Nginx-Request-Uri $request_uri;
    }

    location / {
        auth_request /nginx/auth_request;
        auth_request_set $meiling_user $upstream_http_x_meiling_user;

        proxy_set_header X-Webauth-User $meiling_user;
        proxy_pass http://127.0.0.1:8000/;

        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}

Then, create a config file, following the example in sample_config.toml.

Then, I run it like so:

$ MEILING_CONFIG=~/meiling_config.toml gunicorn meiling:create_app\(\) --reload -b 0.0.0.0:8000 --access-logfile - --log-level info