# Example configuration: nginx

## Example nginx configuration contributed by user TiagoTT
This was done on a fresh Debian 9 server, approximately following the installation instructions in the README.md file.

The following packages had to be installed:
```sh
apt-get install nginx php php-fpm php-json php-ldap php-pgsql php-mbstring php7.0-intl php-curl postgresql-client postgresql
```
And the following NGINX server block was defined:
```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name dns-ui.example.com;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    root /home/dnsui/dns-ui/public_html;
    index init.php;
    auth_basic "Opera DNS UI";
    auth_basic_user_file /etc/nginx/passwd;

    location / {
        try_files $uri $uri/ @php;
    }

    location @php {
        rewrite ^/(.*)$ /init.php/$1 last;
    }

    location /init.php {
        # Mitigate https://httpoxy.org/ vulnerabilities
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        include /etc/nginx/snippets/fastcgi-php.conf;
    }
}
```
## Example nginx + Lua + Google OAuth configuration contributed by user TiagoTT

Google OAuth authentication can be made to work with the help of this NGINX+Lua module: https://github.com/cloudflare/nginx-google-oauth

The user details are still fetched from LDAP, and only the authenticated user name is passed from the Lua module into the PHP code. In other words, the LDAP username must match the OAuth username returned from Google.

The following additional packages need to be installed:
```sh
apt-get install lua-cjson lua5.1 luarocks
luarocks install lua-resty-http
mkdir /etc/nginx/lua ; git clone https://github.com/cloudflare/nginx-google-oauth /etc/nginx/lua/nginx-google-oauth
```
And this is how the NGINX server block looks:
```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name dns-ui-example.com;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    root /home/dnsui/dns-ui/public_html;
    index init.php;

    access_by_lua_file /etc/nginx/lua/nginx-google-oauth/access.lua;
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 3;
    # Workaround to avoid IPv6 DNS responses, in case you don't have IPv6 connectivity.
    resolver 10.2.2.2 10.2.2.3 ipv6=off;

    set $ngo_client_id xxx.apps.googleusercontent.com;
    set $ngo_client_secret yyy;
    set $ngo_domain example.com;
    set $ngo_http_only_cookies true;
    set $ngo_secure_cookies true;
    set $ngo_token_secret "a very long randomish string";
    # Required to get the authenticated user name filled for later usage.
    set $ngo_user true;

    location / {
        try_files $uri $uri/ @php;
    }

    location @php {
        rewrite ^/(.*)$ /init.php/$1 last;
    }

    location /init.php {
        # Mitigate https://httpoxy.org/ vulnerabilities
        fastcgi_param HTTP_PROXY "";
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        include /etc/nginx/snippets/fastcgi-php.conf;
        # Pass the Google OAuth authenticated user name to the PHP code
        fastcgi_param PHP_AUTH_USER $ngo_user;
    }
}
```
The OAuth client ID and secret are obtained from: https://console.developers.google.com/apis/credentials
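The two `fastcgi_param` lines in `location /init.php` rely on one nginx rule: an explicit `fastcgi_param` wins over any request header whose derived `HTTP_*` name collides with it. The following added example (not part of this wiki page or of dns-ui) models that rule in Python so you can see why `HTTP_PROXY ""` neutralises a client-sent `Proxy` header and why a client cannot set `PHP_AUTH_USER` through a header; the user name, IP address and headers are constructed values.

```python
# Constructed model of how nginx builds the FastCGI parameter set that
# PHP-FPM sees: explicit fastcgi_param directives are kept, and a request
# header whose derived HTTP_* name matches an explicit param is ignored.
# Only the two params from the page's /init.php location are modelled; those
# added by snippets/fastcgi-php.conf (SCRIPT_FILENAME etc.) are left out.


def fastcgi_params(headers, configured):
    """Return the params PHP-FPM receives for this request.

    headers:    list of (name, value) pairs sent by the client
    configured: dict of explicit fastcgi_param name -> value
    """
    params = dict(configured)
    for name, value in headers:
        # nginx derives the CGI name: upper-case, '-' -> '_', prefix HTTP_
        cgi_name = "HTTP_" + name.upper().replace("-", "_")
        if cgi_name in configured:
            # The header is dropped; the configured value stays in force.
            continue
        params[cgi_name] = value
    return params


def init_php_location_params(ngo_user, headers, mitigate_httpoxy=True):
    """Params produced by the page's location /init.php block.

    ngo_user stands for the value the Lua module stored in $ngo_user after
    Google OAuth succeeded (assumed here to be the user's e-mail address).
    """
    configured = {"PHP_AUTH_USER": ngo_user}
    if mitigate_httpoxy:
        configured["HTTP_PROXY"] = ""  # fastcgi_param HTTP_PROXY "";
    return fastcgi_params(headers, configured)


# Constructed request carrying a Proxy header (the httpoxy case the page
# mitigates) and a header that tries to look like PHP_AUTH_USER.
CONSTRUCTED_HEADERS = [
    ("Host", "dns-ui.example.com"),
    ("Proxy", "http://198.51.100.1:8080"),
    ("PHP-Auth-User", "admin"),
]

if __name__ == "__main__":
    p = init_php_location_params("alice@example.com", CONSTRUCTED_HEADERS)
    print(repr(p["HTTP_PROXY"]))      # ''  -> Proxy header is neutralised
    print(p["PHP_AUTH_USER"])         # alice@example.com -> only Lua's value
    print(p["HTTP_PHP_AUTH_USER"])    # admin -> lands in an HTTP_* name only
```

Run it once with `mitigate_httpoxy=False` to see the `Proxy` header surface as `HTTP_PROXY`, which is exactly what the `fastcgi_param HTTP_PROXY "";` line prevents.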