So first of all, I'm very new to NGINX, Docker etc..
But here is my scenario:
I've created a 2 docker images which display a simple website, website1 and website2.
Both of them are created in a dockerfile, using the nginx image.
I put them in 2 seperate containers.
By visiting localhost:8080 I got website1.
By visiting localhost:8081 I got website2.
Then I wanted just 1 entrypoint (localhost) and by using a /, going to my websites.
So I created a new container, called reverseproxy.
I used default.conf of NGINX to proxy pass to my containers.
I did the following:
in default.conf, I have 3 locations. localhost (which shows the default NGINX page)
localhost/website1, which proxy passes this to my website1
localhost/webiste2, which proxy passes this to my website2
I put all of this is a docker-compose.yaml file and it runs just fine.
Then for website1, I wanted basic authentication. With using apache-utils and adding basic authentication to my /webiste1 and /website2 end points, it works great.
But now I want to restrict access to my endpoints (website 1 and website 2) based on specific roles.
So when I visit website1, enter credentials using basic_auth, I want to be able to check whether this user has the role of user for example.
And when visiting /website2, I want to be able to login, but then restrict access because this user may not access this website, only with the "admin" role for example.
I've been stuck on this for a few days now...
Anyone have any idea?
Just some extra information: I don't want to use Kubernetes. I know this has RBAC (Role based Access Control) but I'd like to keep it more simple.
Thanks for your input in advance :)
Completely stuck..
You can use and leverage the OAuth-proxy : https://github.com/oauth2-proxy/oauth2-proxy
Here is the demo on Github if you are looking for same : https://github.com/deskoh/nginx-oauth2-proxy-demo
You can also use the ngx_openresty
Related
Inside the same openshift project, I have an application1 (APP1) in POD1 and another application (APP2) in POD2.
Both these applications are offering REST API services. These 2 applications are accesible using 2 differents openshift route.
Acessing the two applications from outside the PAAS (openshift) is working fine: meaning doing a CURL to APP1/APP2 using openhsift route from a client outside the PAAS is working.
But when APP1 in POD1 is targeeting the REST service offered by APP2 in POD2 using APP2's openshift route. It is failing.
Similarly doing a CURL from APP1's container (using oc rsh) to APP2 using openshift route is failing.
However if APP1 is deployed outside this PAAS, the client call to APP2 using open shift route is working.
Similarly doing a CURL to APP2 using openshift route is working fine from outside the PAAS.
Also if I use service PAAS internal IP/PORT (10.224.x.y), this will solve the issue. But implies to use two different adresses depending if we target APP2 from inside or outside the PAAS.
So the question is how to make an openshift route visible from inside and outside the PAAS?
Or is is there an alternative way to share same hostname/port to access APP2 from inside and outside the PAAS?
You may want to have a look at:
https://docs.openshift.com/container-platform/3.7/architecture/networking/networking.html
For internal communication it is sufficient to use the name of the service (in your case use app1-svc in app2 to communicate with app1).
You can find the name of your service when you visit the routes view - the column "Routes To" shows you the service name.
How services work and how they are configured is explained here in detail:
https://docs.openshift.com/container-platform/3.7/architecture/core_concepts/pods_and_services.html#services
I'll be using swift as like S3, where it will host number of files for my site.
I've set my container as public, and so
Here is the URL for a file.
https://provider/v1/auth_1293kdfj/folder/file.mp4
There are two problems:
Is it correct in using above format uri in public setting? It feels kinda dangerous because it has the auth_bit.
If I visit https://provider/v1/auth_1293kdfj/folder/ it lists all files/bojects in container folder. I wish to turn this off, how would I do so? Should I make my container private and assign temp url to ALL objects?
Thanks for your help!
1 - Yes. It's correct. Probably your authentication server is protected behind a firewall. This is just the project id. However if you are really worried about security you can configure your webserver to hide this info.
2 - Probably your container has the following acl:
.r:*,.rlistings
If you set by yourself (what I believe is the most common) you should change it just to:
.r:*
I'm testing a webpage, which would connect some external Links .
I don't want the page to take too much time to connect them .
So is there any light http-proxy or firewall software, it can be set a white list,
and return 500 directly to all other links that are not in the white list.
Thanks. better if it supports https
I am working with PHP/PHPunit/Win7
duplicate with another question of mine:
Webdriver(Selenium2) - How to make selenium operate elements without wating for connecting to external AD links?
I finally found a simple solution for my condition.
I want to block these Ad requests and tried some firewall and proxy softwares,for example,
comodo,privatefirewall, etc.
comodo is too heavy and complex ,privatefirewall doesn't support wildcards, and firewall would interrupt tests. At last I choosed a proxy software CCproxy.
I create a rule for localhost ,to make it can request my test website domain only, and all other requests are rejected.
Running a test costs about 1-2 minutes before and only 30 seconds now ,it's apparently more stable and fast without connecting to the useless Ad links.
Here're configuration steps:
1.launch CCproxy with Administor privilege( you should set it using Adminisrator in the file property)
2.click Options, select AutoStartup,select AutoDetected for Local IP Address. click OK.
3.create a txt file ,input your domains,like "*.rong360.com*;*.rong360.*;"
4.click Account, select PermitOnly for Permit Category;
click New, input 127.0.0.1 for IP Address/Range;
select WebFilter,click the E button at right side to create a filter;
click the ... button,select the text file you create at Step3,
select PermittedSites. click OK
click OK.
5.click OK to return to the main UI of CCproxy.
6.launch IE and config the local proxy with 127.0.0.1:808
now you can run the tests again , you'll feel better if have same condition :)
asp.net app (c#) worked fine in debug mode; published, getting 401.1 error (unauthorized).
When I put in the url, a dialog asks for username & password. Put it in 3x, error.
It's an internal app, using Windows authentication only.
IIS 7.5, using ApplicationPoolIdentity.
SQLServer Database
Specific Error Message from 401.1 page:
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x8009030e
Requested URL http://smalltools.dbsvc.com:80/ Ap
Physical Path C:\inetpub\SmallTools
Logon Method Not yet determined
Logon User Not yet determined
The app has a users table to determine the "role" of that user. I put a method in the master page that queries the table based on authenticated user, and returns the role. This, in turns, determines which buttons are visible on the navigation bar.
Looked in the security log, and found the following 3 entries:
2012-07-20 14:55:11 10.0.1.38 GET / - 80 - 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 401 2 5 15
2012-07-20 14:55:20 10.0.1.38 GET / - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 500 0 0 125
2012-07-20 14:55:20 10.0.1.38 GET /favicon.ico - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 404 0 2 0
Any idea what might be causing the inability to log in? Any clues what I can fix to make it work? I've researched all day and haven't found what might be the problem.
Any information is gratefully received.
Thanks
Cindy
I've successfully solved the issue; I had to allow impersonation, and make an adjustment to the AD group.
The article in the following link helped a great deal:
http://msdn.microsoft.com/en-us/library/bsz5788z.aspx
If this is an external site, then Windows authentication isn't really the way to go. But you can still do it, here's some links I found that should help.
Q&A about similar issue
Microsoft guide on how to implement
Typically Windows Authentication is used with internal systems because the users are logged on directly to the system and all their credentials are right there. However for external apps this isn't always the case, since your home Windows account and work windows account aren't the same, in addition you may not even be using windows from the external location.
Another gotcha I came across is the local loopback address security check when you setup a DEV instance and modify hosts file to use Fully Qualified Domain Name (FQDN) or simply when you browse IIS site with custom headers and the name does not match the server hostname. While this is necessary for production servers it is a problem when setting up Developer environments.
"This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address"
There are two main methods to resolve the issue:
Specify host names (Preferred method if NTLM authentication is desired) by creating/updating the Multi-String value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Disable the loopback check (less-recommended method - do not use on production servers) by setting the following registry DWORD value to 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck
Please refer to this HTTP 401.1 - Unauthorized: Logon Failed - Microsoft Support article for detailed overview and registry settings.
I am curious as to how companies such as Google App Engine, Weebly, ThinkTank allow clients to host their domains such as stackquestion.com to their application website such as stackquestion.stackapplication.com?
An Example with Weebly which uses A Records:
http://www.weebly.com/support/index.php?pg=kb.page&id=4
Google App Engine uses CNAME Records.
Are there differences in the approach? Are there any limitations of using one over the other?
It is exactly like the question here: How do I allow users to map their domains to a url on my site? but would it be possible to outline what needs to be done from the application side (ASP.NET MVC) and the server side (IIS)?
At IIS 7:
- Create Web site, put your application to Root.
- Then create several bindings to your website, i.e. stackquestion.stackapplication.com port 80, anotherthing.stackapplication.com port 80
- In case if you need more domain names, you should use wildcards in bindings like *.stackapplication.com, which is little bit tricky:
http://dirk.net/2008/05/28/wildcard-host-header-binding-and-subdomains-with-iis7/
At your controller:
-Then in Login controller you may check from which subdomain user is connecting, something like:
public string GetSubDomain()
{
return Request.Url.Host.Split('.')[0];
}