├── CHANGELOG
├── LICENSE
├── README.md
├── access.lua
├── body_filter.lua
├── chef
    └── source-lua.rb
└── test
    ├── README.md
    ├── oauth.conf
    └── setup.sh


/CHANGELOG:
--------------------------------------------------------------------------------
master
======

* Added dev/test environment setup.

1.1.0
======

* Fixed font color for body filter
* Security and usability enhancements from @eschwim

1.0.0
=====

* First official release

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2014 Aaron Westendorf

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
nginx-google-oauth
==================

Lua module to add Google OAuth to nginx.

## Installation

You can copy `access.lua` to your nginx configurations, or clone the
repository. Your installation of nginx must already be built with Lua
support, and you will need the ``json`` and ``luasec`` modules as well.

### Ubuntu

You will need to install the following packages.

```
lua5.1
liblua5.1-0
liblua5.1-0-dev
liblua5.1-sec-dev
liblua5.1-json
```

You will also need to download and build the following and link them
with nginx.

```
ngx_devel_kit
lua-nginx-module
```

See ``/chef/source-lua.rb`` for a Chef recipe to install nginx and Lua
with all of the requirements.


## Configuration

Add the access controls in your configuration. Because oauth tickets will be
included in cookies (and you are presumably protecting something very
important), it is strongly recommended that you use SSL.

```
server {
  server_name supersecret.net;
  listen 443;

  ssl on;
  ssl_certificate /etc/nginx/certs/supersecret.net.pem;
  ssl_certificate_key /etc/nginx/certs/supersecret.net.key;

  set $ngo_client_id "abc-def.apps.googleusercontent.com";
  set $ngo_client_secret "abcdefg-123-xyz";
  set $ngo_token_secret "a very long randomish string";
  set $ngo_secure_cookies "true";
  access_by_lua_file "/etc/nginx/nginx-google-oauth/access.lua";
}

```

The access controls can be configured using nginx variables.
The supported variables are:

- **$ngo_client_id** This is the client id key
- **$ngo_client_secret** This is the client secret
- **$ngo_token_secret** The key used to sign (HMAC-SHA1) the session token stored in the user cookie. Should be long & unguessable.
- **$ngo_domain** The domain to use for validating users when not using white- or blacklists
- **$ngo_whitelist** Optional list of authorized email addresses
- **$ngo_blacklist** Optional list of unauthorized email addresses
- **$ngo_callback_scheme** The scheme for the callback URL, defaults to that of the request (e.g. ``https``)
- **$ngo_callback_host** The host for the callback, defaults to first entry in the ``server_name`` list (e.g. ``supersecret.net``)
- **$ngo_callback_uri** The URI for the callback, defaults to "/_oauth"
- **$ngo_debug** If defined, will enable debug logging through nginx error logger
- **$ngo_secure_cookies** If defined, will ensure that cookies can only be transferred over a secure connection
- **$ngo_css** An optional stylesheet to replace the default stylesheet when using the body_filter
- **$ngo_user** If set, will be populated with the OAuth username returned from Google (portion left of '@' in email)
- **$ngo_email_as_user** If set and $ngo_user is defined, username returned will be full email address

## Configuring OAuth Access

Visit https://console.developers.google.com. If you're signed in to multiple
Google accounts, be sure to switch to the one which you want to host the OAuth
credentials (usually your company's Apps domain). This should match
``$ngo_domain`` (e.g. "yourcompany.com").

From the dashboard, create a new project. After selecting that project, you
should see an "APIs & Auth" section in the left-hand navigation. Within that
section, select "Credentials".
This will present a page in which you can
generate a Client ID and configure access. Choose "Web application" for the
application type, and enter all origins and redirect URIs you plan to use.

In the "Authorized Javascript Origins" field, enter all the protocols and
domains from which you plan to perform authorization
(e.g. ``https://supersecret.net``), separated by a newline.

In the "Authorized Redirect URI", enter all of the URLs which the Lua module
will send to Google to redirect after the OAuth workflow has been completed.
By default, this will be the protocol, server_name and ``/_oauth`` (e.g.
``https://supersecret.net/_oauth``). You can override these defaults using the
``$ngo_callback_*`` settings.

After completing the form you will be presented with the Client ID and
Client Secret which you can use to configure ``$ngo_client_id`` and
``$ngo_client_secret`` respectively.

If you need to further limit access within your organization, you can use
``$ngo_whitelist`` and/or ``$ngo_blacklist``. Both should be formatted as
a space-separated list of allowed (whitelist) or rejected (blacklist) email
addresses. If either of these values is defined, the ``$ngo_domain`` will
not be used for validating that the user is authorized to access the protected
resource.

## Body filter

If you want visual confirmation of successful authentication, you can use the
``body_filter.lua`` script to inject a header into your web application.
Your nginx configuration should look something like this:

```
server {
  server_name supersecret.net;
  listen 443;

  set $ngo_client_id 'abc-def.apps.googleusercontent.com';
  set $ngo_client_secret 'abcdefg-123-xyz';
  set $ngo_token_secret 'a very long randomish string';
  access_by_lua_file "/etc/nginx/nginx-google-oauth/access.lua";

  location / {
    header_filter_by_lua "ngx.header.content_length = nil";
    body_filter_by_lua_file "/etc/nginx/nginx-google-oauth/body_filter.lua";

    proxy_set_header Accept-Encoding "";
    proxy_pass http://supersecret-backend;
  }
}

```

The ``header_filter_by_lua`` directive is required so that the
``content_length`` header returned by the backend is stripped and re-calculated
after the body filter has been applied.

The ``Accept-Encoding`` directive is recommended in cases where the backend
may be returning a gzipped document, in which case nginx will not decompress
the document before sending it to the body filter.

The ``body_filter_by_lua_file`` directive causes all responses from the backend
to be routed through a lua script that will inject a div just after the opening
```` element. The div will take the form of:

```html
google-oauth-user-name
google-oauth-email
Signout
```

If ``$ngo_css`` is defined, the default stylesheet will be overridden,
otherwise the stylesheet will be:

```css
```

The filter operates by performing a regular expression match on ````,
and so should act as a no-op for non-HTML content types. It may be necessary
to use the body filter only on a subset of routes depending on your application.

## Username variable

If you wish to pass the username returned from Google to an external FastCGI/UWSGI script, consider using the ``$ngo_user`` variable:

```
server {
  server_name supersecret.net;
  listen 443;

  ssl on;
  ssl_certificate /etc/nginx/certs/supersecret.net.pem;
  ssl_certificate_key /etc/nginx/certs/supersecret.net.key;

  set $ngo_client_id "abc-def.apps.googleusercontent.com";
  set $ngo_client_secret "abcdefg-123-xyz";
  set $ngo_token_secret "a very long randomish string";
  set $ngo_secure_cookies "true";
  access_by_lua_file "/etc/nginx/nginx-google-oauth/access.lua";

  set $ngo_user "unknown@unknown.com";

  include uwsgi_params;
  uwsgi_param REMOTE_USER $ngo_user;
  uwsgi_param AUTH_TYPE Basic;
  uwsgi_pass 127.0.0.1:3031;
}
```

If you wish the full email address returned from Google to be set as the username, set the ``$ngo_email_as_user`` variable to any non-empty value.

## Development

See `test/README.md`.

Bug reports and pull requests are [welcome](https://github.com/agoragames/nginx-google-oauth).

It can be useful to turn off [lua_code_cache](http://wiki.nginx.org/HttpLuaModule#lua_code_cache)
while you're iterating.

## Roadmap

- Add support for non-blocking sockets in obtaining an auth token
- Support auth token refresh and timeouts
- Continue support for Ubuntu but make imports work on other platforms as well
- 401 page that allows signing out and back in with a different account
- whitelist and blacklist is checked on every request

## Copyright

Copyright 2014 Aaron Westendorf

## License

MIT

## Thanks

This project wouldn't have gone beyond the idea stage without the excellent
example provided by [SeatGeek](http://chairnerd.seatgeek.com/oauth-support-for-nginx-with-lua/).

Thank you to @eschwim for some much-needed usability and security [fixes](https://github.com/agoragames/nginx-google-oauth/pull/4).

--------------------------------------------------------------------------------
/access.lua:
--------------------------------------------------------------------------------

-- import requirements

-- allow either cjson, or th-LuaJSON
local has_cjson, jsonmod = pcall(require, "cjson")
if not has_cjson then
  jsonmod = require "json"
end

-- Ubuntu broke the install. Puts the source in /usr/share/lua/5.1/https.lua,
-- but since the source defines itself as the module "ssl.https", after we
-- load the source, we need to grab the actual thing.
pcall(require,"https")
local https = require "ssl.https" -- /usr/share/lua/5.1/https.lua
local ltn12 = require("ltn12")

local uri = ngx.var.uri
local uri_args = ngx.req.get_uri_args()
local scheme = ngx.var.scheme
local server_name = ngx.var.server_name

-- setup some app-level vars
local client_id = ngx.var.ngo_client_id
local client_secret = ngx.var.ngo_client_secret
local domain = ngx.var.ngo_domain
local cb_scheme = ngx.var.ngo_callback_scheme or scheme
local cb_server_name = ngx.var.ngo_callback_host or server_name
local cb_uri = ngx.var.ngo_callback_uri or "/_oauth"
local cb_url = cb_scheme.."://"..cb_server_name..cb_uri
local redir_url = cb_scheme.."://"..cb_server_name..uri
local signout_uri = ngx.var.ngo_signout_uri or "/_signout"
local debug = ngx.var.ngo_debug
local whitelist = ngx.var.ngo_whitelist
local blacklist = ngx.var.ngo_blacklist
local secure_cookies = ngx.var.ngo_secure_cookies
local token_secret = ngx.var.ngo_token_secret or "UNSET"
local set_user = ngx.var.ngo_user
local email_as_user = ngx.var.ngo_email_as_user

-- Force the user to set a token secret
if token_secret == "UNSET" then
  ngx.log(ngx.ERR, "$ngo_token_secret must be set in Nginx config!")
  return ngx.exit(ngx.HTTP_UNAUTHORIZED)
end

-- See https://developers.google.com/accounts/docs/OAuth2WebServer
if uri == signout_uri then
  ngx.header["Set-Cookie"] = "OauthAccessToken==deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
  return ngx.redirect(cb_scheme.."://"..server_name)
end

-- Enforce token security and expiration
-- The session token is an HMAC-SHA1 over callback host, email and expiry,
-- keyed with $ngo_token_secret and recomputed here from the request cookies.
local oauth_expires = tonumber(ngx.var.cookie_OauthExpires) or 0
local oauth_email = ngx.unescape_uri(ngx.var.cookie_OauthEmail or "")
local oauth_access_token = ngx.unescape_uri(ngx.var.cookie_OauthAccessToken or "")
local expected_token = ngx.encode_base64(ngx.hmac_sha1(token_secret, cb_server_name .. oauth_email .. oauth_expires))

if oauth_access_token == expected_token and oauth_expires and oauth_expires > ngx.time() then
  -- Populate the nginx 'ngo_user' variable with our Oauth username, if requested
  if set_user then
    local oauth_user, oauth_domain = oauth_email:match("([^@]+)@(.+)")
    if email_as_user then
      -- use the address from the verified cookie ('email' is not defined in this branch)
      ngx.var.ngo_user = oauth_email
    else
      ngx.var.ngo_user = oauth_user
    end
  end
  return
else
  -- If no access token and this isn't the callback URI, redirect to oauth
  if uri ~= cb_uri then
    -- Redirect to Google's OAuth endpoint, requesting the email scope
    return ngx.redirect("https://accounts.google.com/o/oauth2/auth?client_id="..client_id.."&scope=email&response_type=code&redirect_uri="..ngx.escape_uri(cb_url).."&state="..ngx.escape_uri(redir_url).."&login_hint="..ngx.escape_uri(domain))
  end

  -- Fetch the authorization code from the parameters
  local auth_code = uri_args["code"]
  local auth_error = uri_args["error"]

  if auth_error then
    ngx.log(ngx.ERR, "received "..auth_error.." from https://accounts.google.com/o/oauth2/auth")
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end

  if debug then
    ngx.log(ngx.ERR, "DEBUG: fetching token for auth code "..auth_code)
  end

  -- TODO: Switch to NBIO sockets
  -- If I get around to working luasec, this says how to pass a function which
  -- can generate a socket, needed for NBIO using nginx cosocket
  -- http://lua-users.org/lists/lua-l/2009-02/msg00251.html
  local res, code, headers, status = https.request(
    "https://accounts.google.com/o/oauth2/token",
    "code="..ngx.escape_uri(auth_code).."&client_id="..client_id.."&client_secret="..client_secret.."&redirect_uri="..ngx.escape_uri(cb_url).."&grant_type=authorization_code"
  )

  if debug then
    ngx.log(ngx.ERR, "DEBUG: token response "..res..code..status)
  end

  if code~=200 then
    ngx.log(ngx.ERR, "received "..code.." from https://accounts.google.com/o/oauth2/token")
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end

  -- use version 1 cookies so we don't have to encode. MSIE-old beware
  local json = jsonmod.decode( res )
  local access_token = json["access_token"]
  local expires = ngx.time() + json["expires_in"]
  local cookie_tail = ";version=1;path=/;Max-Age="..json["expires_in"]
  if secure_cookies then
    cookie_tail = cookie_tail..";secure"
  end

  local send_headers = {
    Authorization = "Bearer "..access_token,
  }

  local result_table = {}
  local res2, code2, headers2, status2 = https.request({
    url = "https://www.googleapis.com/oauth2/v2/userinfo",
    method = "GET",
    headers = send_headers,
    sink = ltn12.sink.table(result_table),
  })

  if code2~=200 then
    ngx.log(ngx.ERR, "received "..code2.." from https://www.googleapis.com/oauth2/v2/userinfo")
    return ngx.exit(ngx.HTTP_UNAUTHORIZED)
  end

  if debug then
    ngx.log(ngx.ERR, "DEBUG: userinfo response "..res2..code2..status2..table.concat(result_table))
  end

  json = jsonmod.decode( table.concat(result_table) )

  local name = json["name"]
  local email = json["email"]
  local picture = json["picture"]
  local token = ngx.encode_base64(ngx.hmac_sha1(token_secret, cb_server_name .. email .. expires))

  local oauth_user, oauth_domain = email:match("([^@]+)@(.+)")

  -- If no whitelist or blacklist, match on domain
  if not whitelist and not blacklist and domain then
    if oauth_domain ~= domain then
      if debug then
        ngx.log(ngx.ERR, "DEBUG: "..email.." not in "..domain)
      end
      return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
  end

  -- Plain (non-pattern) find, so '.', '-' and '+' in an address are
  -- compared literally instead of as Lua pattern characters.
  if whitelist then
    if not string.find(" " .. whitelist .. " ", " " .. email .. " ", 1, true) then
      if debug then
        ngx.log(ngx.ERR, "DEBUG: "..email.." not in whitelist")
      end
      return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
  end

  if blacklist then
    if string.find(" " .. blacklist .. " ", " " .. email .. " ", 1, true) then
      if debug then
        ngx.log(ngx.ERR, "DEBUG: "..email.." in blacklist")
      end
      return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
  end

  ngx.header["Set-Cookie"] = {
    "OauthAccessToken="..ngx.escape_uri(token)..cookie_tail,
    "OauthExpires="..expires..cookie_tail,
    "OauthName="..ngx.escape_uri(name)..cookie_tail,
    "OauthEmail="..ngx.escape_uri(email)..cookie_tail,
    "OauthPicture="..ngx.escape_uri(picture)..cookie_tail
  }

  -- Populate our ngo_user variable
  if set_user then
    if email_as_user then
      ngx.var.ngo_user = email
    else
      ngx.var.ngo_user = oauth_user
    end
  end

  -- Redirect
  if debug then
    ngx.log(ngx.ERR, "DEBUG: authorized "..json["email"]..", redirecting to "..uri_args["state"])
  end
  return ngx.redirect(uri_args["state"])
end

--------------------------------------------------------------------------------
/body_filter.lua:
--------------------------------------------------------------------------------

-- Will filter the output and put in a header implying login
if ngx.var.cookie_OauthAccessToken then
  local signout_uri = ngx.var.ngo_signout_uri or "/_signout"

  local img = ""
  local user = ""..ngx.unescape_uri(ngx.var.cookie_OauthName)..""
  local email = ""..ngx.unescape_uri(ngx.var.cookie_OauthEmail)..""
  local signout = "Signout"
  local div = ""..img..user..email..signout..""

  local css = ngx.var.ngo_css
  if not css then
    css = [[
    ]]
  end
  div = css..div

  ngx.arg[1] = ngx.re.sub(ngx.arg[1], "", ""..div)
end

--------------------------------------------------------------------------------
/chef/source-lua.rb:
--------------------------------------------------------------------------------
#
# Cookbook Name:: nginx
# Recipe:: source-lua
#
# Example recipe, may not be complete. Intended for Ubuntu.
#

include_recipe "build-essential"

# TODO: docs recommend LuaJIT if possible
# http://wiki.nginx.org/HttpLuaModule#Installation_on_Ubuntu_11.10
# TODO: try using "lua-json" instead of lua-cjson
# https://launchpad.net/ubuntu/+source/lua-json
%w{libpcre3 libpcre3-dev libssl-dev liblwp-useragent-determined-perl libpam0g-dev lua5.1 liblua5.1-0 liblua5.1-0-dev cmake liblua5.1-sec-dev liblua5.1-json}.each do |devpkg|
  package devpkg
end

nginx_version = node[:nginx][:version]
configure_flags = node[:nginx][:configure_flags].join(" ")

# download sources
# ----------------

remote_file "/tmp/nginx-#{nginx_version}.tar.gz" do
  source "http://nginx.org/download/nginx-#{nginx_version}.tar.gz"
  action :create_if_missing
end

remote_file "/tmp/ngx_devel_kit-0.2.19.tar.gz" do
  source "https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz"
  action :create_if_missing
end

remote_file "/tmp/nginx-lua-0.9.6.tar.gz" do
  source "https://github.com/chaoslawful/lua-nginx-module/archive/v0.9.6.tar.gz"
  action :create_if_missing
end

# compile nginx
# -------------

bash "compile_nginx_source" do
  cwd "/tmp"
  code <<-END
    # extract
    tar zxf nginx-#{nginx_version}.tar.gz
    tar zxf ngx_devel_kit-0.2.19.tar.gz
    tar zxf nginx-lua-0.9.6.tar.gz

    # Lua paths. Requires hack to get linking right.
    ln -s `find /usr/lib -iname liblua5.1.so` /usr/lib/liblua.so
    export LUA_LIB=/usr/lib/
    export LUA_INC=/usr/include/lua5.1

    # compileize
    cd nginx-#{nginx_version}
    ./configure #{configure_flags} \
      --add-module=/tmp/ngx_devel_kit-0.2.19 \
      --add-module=/tmp/lua-nginx-module-0.9.6
    make
    make install
  END
  creates node[:nginx][:src_binary]
end

--------------------------------------------------------------------------------
/test/README.md:
--------------------------------------------------------------------------------
# Ubuntu 12.04

Run `setup.sh` to install all apt requirements, download and build nginx with lua support. All prefixes will match this directory.

To run nginx, edit `oauth.conf` to use the correct domain and certificates, and then start the server with `sbin/nginx -c oauth.conf`. You should now be able to access the server

--------------------------------------------------------------------------------
/test/oauth.conf:
--------------------------------------------------------------------------------
worker_processes 1;

events {
  worker_connections 1024;
}

http {
  server {
    server_name supersecret.net;
    listen 443;

    ssl on;
    ssl_certificate supersecret_net.pem;
    ssl_certificate_key supersecret_net.pem;

    set $ngo_client_id "abc-def.apps.googleusercontent.com";
    set $ngo_client_secret "abcdefg-123-xyz";
    set $ngo_secure_cookies "true";
    set $ngo_token_secret "SuPeRsEcReT";

    lua_code_cache off;
    access_by_lua_file "../access.lua";

    header_filter_by_lua "ngx.header.content_length = nil";
    body_filter_by_lua_file "../body_filter.lua";
  }
}

--------------------------------------------------------------------------------
/test/setup.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# This has been tested to work on Ubuntu 12.04. YMMV
PACKAGES="libpcre3 libpcre3-dev libssl-dev liblwp-useragent-determined-perl libpam0g-dev lua5.1 liblua5.1-0 liblua5.1-0-dev cmake liblua5.1-sec-dev liblua5.1-json"
echo "Installing lua and supporting packages"
sudo apt-get install $PACKAGES

mkdir src
cd src

VERSION="1.6.2"
echo "Downloading nginx $VERSION"
wget "http://nginx.org/download/nginx-$VERSION.tar.gz"

echo "Downloading ngx_devel_kit"
wget "https://github.com/simpl/ngx_devel_kit/archive/v0.2.19.tar.gz"
mv v0.2.19.tar.gz ngx_devel_kit-0.2.19.tar.gz

echo "Downloading nginx-lua"
wget "https://github.com/chaoslawful/lua-nginx-module/archive/v0.9.6.tar.gz"
mv v0.9.6.tar.gz nginx-lua-0.9.6.tar.gz

echo "Untarring"
tar zxf nginx-$VERSION.tar.gz
tar zxf ngx_devel_kit-0.2.19.tar.gz
tar zxf nginx-lua-0.9.6.tar.gz

echo "Linking libua to /usr/lib/liblua.so"
sudo ln -s `find /usr/lib -iname liblua5.1.so` /usr/lib/liblua.so

echo "Building nginx"
cd nginx-$VERSION
./configure --add-module=../ngx_devel_kit-0.2.19 --add-module=../lua-nginx-module-0.9.6 --prefix=`readlink -f ../..` --with-http_ssl_module
make install
cd ..

--------------------------------------------------------------------------------
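
The README describes `$ngo_whitelist` and `$ngo_blacklist` as space-separated lists of email addresses, and `access.lua` tests membership with `string.find`. The following is an added example, not part of the nginx-google-oauth source: a plain Lua 5.1 version of that authorization decision using literal matching, with a comparison against pattern-mode matching. The function names (`in_list`, `in_list_pattern`, `authorize`) and all sample addresses are constructed for illustration.

```lua
-- Added example (not project code). Plain Lua 5.1; no nginx required.
-- Function names and all sample addresses below are constructed.

-- Literal membership test on a space-separated list. The fourth argument
-- (plain = true) turns off Lua pattern matching, so '.', '-' and '+' in an
-- address are compared as ordinary characters.
local function in_list(list, email)
  return string.find(" " .. list .. " ", " " .. email .. " ", 1, true) ~= nil
end

-- Same test with pattern matching left on, kept only for comparison.
local function in_list_pattern(list, email)
  return string.find(" " .. list .. " ", " " .. email .. " ") ~= nil
end

-- Authorization decision in the order the README describes: the domain is
-- consulted only when neither list is set; otherwise the lists decide.
local function authorize(email, cfg)
  -- Reject addresses containing whitespace or more than one '@', so a
  -- single value can never span two list entries.
  local user, domain = email:match("^([^@%s]+)@([^@%s]+)$")
  if not user then
    return false, "malformed address"
  end
  if not cfg.whitelist and not cfg.blacklist and cfg.domain then
    if domain ~= cfg.domain then
      return false, "wrong domain"
    end
  end
  if cfg.whitelist and not in_list(cfg.whitelist, email) then
    return false, "not in whitelist"
  end
  if cfg.blacklist and in_list(cfg.blacklist, email) then
    return false, "in blacklist"
  end
  return true, "ok"
end

-- Constructed test cases: { email, configuration, expected decision }
local cases = {
  { "bob-smith@example.com", { blacklist = "bob-smith@example.com" }, false },
  { "dev+ci@example.com", { whitelist = "dev+ci@example.com ops@example.com" }, true },
  { "a.b@example.com", { whitelist = "aXb@example.com" }, false },
  { "eve@example.org", { domain = "example.com" }, false },
  { "ann@example.com", { domain = "example.com" }, true },
}
for _, c in ipairs(cases) do
  local ok, why = authorize(c[1], c[2])
  assert(ok == c[3], c[1] .. ": " .. why)
  print(string.format("%-24s %-5s %s", c[1], tostring(ok), why))
end

-- Inputs on which the two matching modes disagree:
-- '-' after a character is a lazy repetition in a Lua pattern, so in
-- pattern mode a hyphenated address does not match its own list entry.
assert(in_list("bob-smith@example.com", "bob-smith@example.com") == true)
assert(in_list_pattern("bob-smith@example.com", "bob-smith@example.com") == false)
-- '.' matches any character in a Lua pattern, so in pattern mode one
-- address can match a different list entry.
assert(in_list("aXb@example.com", "a.b@example.com") == false)
assert(in_list_pattern("aXb@example.com", "a.b@example.com") == true)
```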