How to make vouch to secure https?

[jayb1122]

Unless I didn't see it, the README doesn't talk about how to enable secure https. If I wanted to provide my own certs, where would I put them? Btw, the latest NGINX complains about non-secure connections - suspect those are from using the vouch server section (running with Chrome, F12 and monitoring Network traffic). Great app! This was the only complete openid client solution I found that actually works in a production environment.

[bnfinet]

I've put vouch proxy behind the same nginx instance serving the protected sites. The proxy pass directive of /validate uses the upstream config. See the nginx docs for 'upstream' and 'internal': https://nginx.org/en/docs/http/ngx_http_upstream_module.html https://nginx.org/en/docs/http/ngx_http_core_module.html#internal If you have a cert issued from letsencrypt it's pretty straight forward to get that running.

…

On Sun, Feb 3, 2019, 6:18 AM jayb1122 ***@***.*** wrote: Unless I didn't see it, the README doesn't talk about how to enable secure https. If I wanted to provide my own certs, where would I put them? Btw, the latest NGINX complains about non-secure connections - suspect those are from using the vouch server section (running with Chrome, F12 and monitoring Network traffic). Great app! This was the only complete openid client solution I found that actually works in a production environment. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#64>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABNK67RBZZbuz1px3-bw3Afw4HlEcGSsks5vJu-0gaJpZM4agIPm> .

[bnfinet]

Were you able to get nginx configured with https in front of Vouch Proxy?

[jayb1122]

Not yet. Not sure how to get my certs into the scratch-built container or where to place them. Maybe during Docker image build or perhaps using config file? Maybe I'm overthinking this... On Tuesday, February 5, 2019, 3:52:21 AM MST, Benjamin Foote <notifications@github.com> wrote: Were you able to get nginx configured with https in front of Vouch Proxy? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.

[bnfinet]

Is there a reason you can't use the same nginx reverse proxy? I'd like to better understand your use case.

…

On Tue, Feb 5, 2019, 7:04 AM jayb1122 ***@***.*** wrote: Not yet. Not sure how to get my certs into the scratch-built container or where to place them. Maybe during Docker image build or perhaps using config file? Maybe I'm overthinking this... On Tuesday, February 5, 2019, 3:52:21 AM MST, Benjamin Foote < ***@***.***> wrote: Were you able to get nginx configured with https in front of Vouch Proxy? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#64 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABNK66je-hcsDbOwZKchl8AwH3aJEj8kks5vKZ2LgaJpZM4agIPm> .

[jayb1122]

Hope this helps... Here are my nginx and vouch-proxy config.yml settings. Both are running as services in a docker swarm.

• Main Nginx server listens on ports 80 and 443
• Nginx redirects port 8443 (https) to vouch-proxy service at port 3012 (http)
• Oauth is configured use callback at https://192.168.56:8443/auth

Does this look correct for the case of deploying a vouch-proxy with a secure front-end?

Thanks!
nginx.conf

user  root;
worker_processes  1;
error_log  /home/nginx/log/error.log  notice;
pid    /home/nginx/nginx.pid;
events {
    worker_connections  1024;
}

http {
    default_type  application/octet-stream;
    include       /home/nginx/conf.d/mime.types;

    log_format log_fmt '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile             on;
    keepalive_timeout    75;
    client_max_body_size 50M;

    server {
        listen 80;
        listen 443 ssl http2;
        server_name react;

        ssl_certificate     /home/nginx/ssl/mydomain.com.cer;
        ssl_certificate_key /home/nginx/ssl/mydomain.com.key;
        ssl_prefer_server_ciphers on;
        ssl_ciphers      EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_protocols    TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        access_log /home/nginx/log/react.access.log log_fmt;
        error_log  /home/nginx/log/react.error.log debug; #warn;

        location / {
            auth_request /request-validate;
            auth_request_set $auth_status $upstream_status;

            # Invoke protected backend web pages
            root   /home/web/react;
            index  index.html index.htm;
        }

        location = /request-validate {
            internal;
            resolver 127.0.0.11 valid=5s ipv6=off;
            set $upstream auth.service;
            proxy_pass https://$host:8443/validate;

            proxy_pass_request_body            off;
            proxy_set_header Content-Length    "";
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Original-URI    $request_uri;

            auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;

            auth_request_set $auth_resp_jwt       $upstream_http_x_vouch_jwt;
            auth_request_set $auth_resp_err       $upstream_http_x_vouch_err;
            auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
        }

        error_page 401 = @error401;

        location @error401 {
            return 302 https://$host:8443/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
        }

        error_page  404  /404.html;
        error_page  500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    #
    # Proxy request to backend VouchProxy auth server
    # for:  /login /logout /auth
    #
    server {
        listen 8443 ssl http2;
        server_name authproxy;
        
        ssl_certificate     /home/nginx/ssl/mydomain.com.cer;
        ssl_certificate_key /home/nginx/ssl/mydomain.com.key;
        ssl_prefer_server_ciphers on;
        ssl_ciphers      EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_protocols    TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        access_log /home/nginx/log/authproxy.access.log log_fmt;
        error_log  /home/nginx/log/authproxy.error.log debug; #warn;

        # Proxy to VouchProxy instance
        location / {
            proxy_set_header  Host authproxy;
            proxy_set_header  X-Forwarded-Proto  https;
            proxy_pass        http://auth.service:3012;
        }
    }
}

Vouch-Proxy config.yml

vouch:
  logLevel: debug
  listen: 0.0.0.0
  port: 3012
  allowAllUsers: true
  publicAccess: false
  jwt:
    secret: xxxxx-876-4589809
    issuer: Vouch
    maxAge: 240
    compress: true
  db:
    file: /data/lasso_bolt.db
cookie:
    name: VouchCookie
    #domain: test.com
    secure: false
    httpOnly: false
session:
    name: VouchSession
oauth:
  provider:      oidc
  client_id:     xxxxx
  client_secret: yyyyy
  auth_url:      https://dev-145431.oktapreview.com/oauth2/default/v1/authorize
  token_url:     https://dev-145431.oktapreview.com/oauth2/default/v1/token
  user_info_url: https://dev-145431.oktapreview.com/oauth2/default/v1/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url:  https://192.168.56.101:8443/auth

[bnfinet]

That looks generally correct though personally I'd use upstream. And I believe you'll want to use full fqdn for server_name
http://nginx.org/en/docs/http/server_names.html
https://nginx.org/en/docs/http/ngx_http_upstream_module.html

both server_name and your callback need to be in the domain you are protecting (mydomain.com)

[bnfinet]

here's an example I like...

# private.yourdomain.com
upstream private.yourdomain.com {
			server 172.17.1.10:80;
}
# cert: private.yourdomain.com
server {
	server_name private.yourdomain.com;
	listen 80 ;
	access_log /var/log/nginx/$host-access.log;
	# return 302 to prevent cacheing
	return 302 https://$host$request_uri;
}
server {
	server_name private.yourdomain.com;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/$host-access.log;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/private.yourdomain.com.fullchain.cer;
	ssl_certificate_key /etc/nginx/certs/private.yourdomain.com.key;
	# https://jguru.fi/setting-https-lets-encrypt-nginx.html
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4;
	ssl_trusted_certificate /etc/nginx/certs/private.yourdomain.com.ca.cer;
	ssl_dhparam /etc/nginx/certs/dhparam.pem;
	add_header Strict-Transport-Security "max-age=31536000";

	auth_request /validate;
	# if validate returns `401 not authorized` then forward the request to the error401block
	error_page 401 = @error401;

	location = /validate {
		# vouch can run behind the same nginx-revproxy
		# May need to add "internal", and comply to "upstream" server naming
		proxy_pass http://vouch.yourdomain.com;

		# vouch only acts on the request headers
		proxy_pass_request_body off;
		proxy_set_header Content-Length "";

		# pass X-Vouch-User along with the request
		auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;

		# these return values are used by the @error401 call
		auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
		auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
		auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
	}

	location @error401 {
			# redirect to vouch for login
			return 302 https://vouch.yourdomain.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
	}


	location / {
		proxy_pass http://private.yourdomain.com;
	}
}


# vouch.yourdomain.com
upstream vouch.yourdomain.com {
				## Can be connect with "bridge" network
			# vouch-proxy
			server 172.17.1.0:9090;
}
# cert: vouch.yourdomain.com
server {
	server_name vouch.yourdomain.com;
	listen 80 ;
	access_log /var/log/nginx/$host-access.log;
	# return 302 to prevent cacheing
	return 302 https://$host$request_uri;
}
server {
	server_name vouch.yourdomain.com;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/$host-access.log;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/vouch.yourdomain.com.fullchain.cer;
	ssl_certificate_key /etc/nginx/certs/vouch.yourdomain.com.key;
	# https://jguru.fi/setting-https-lets-encrypt-nginx.html
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4;
	ssl_trusted_certificate /etc/nginx/certs/vouch.yourdomain.com.ca.cer;
	ssl_dhparam /etc/nginx/certs/dhparam.pem;
	add_header Strict-Transport-Security "max-age=31536000";
	location / {
		proxy_pass http://vouch.yourdomain.com;
	}
}

[bnfinet]

@jayb1122 did you have an opportunity to try this out?

[jayb1122]

Thanks! With your help, I've deployed vouch proxy into a production swarm.

[bnfinet]

I'm so glad to hear it!

…

On Mon, Feb 25, 2019, 9:36 PM jayb1122 ***@***.***> wrote: Thanks! With your help, I've deployed vouch proxy into a production swarm. — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#64 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABNK68x_XHFNt7lP13l__2rJbNUtHdpgks5vRAoFgaJpZM4agIPm> .