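├── Dockerfile
├── LICENSE
├── README.md
├── nginx
│   ├── nginx.conf
│   └── nginx.default
└── start.sh
/Dockerfile:
--------------------------------------------------------------------------------
# syntax=docker/dockerfile:1
# nginx authentication proxy image: builds nginx from source with the
# http_auth_request module and, at container start, renders the site template
# from the AUTH_BACKEND / BACKEND environment variables (see start.sh).
#
# NOTE(review): ubuntu:trusty (14.04) is end-of-life and no longer receives
# security updates; the package names below (python-pip, Python 2 pystache) are
# tied to it. Pin the base by digest for reproducible builds
# (FROM ubuntu:trusty@sha256:<digest-from-registry>) and plan a migration to a
# supported release.
FROM ubuntu:trusty

# Build-time only: an ARG does not leak the debconf setting into the runtime
# environment the way the former `ENV DEBIAN_FRONTEND noninteractive` did.
ARG DEBIAN_FRONTEND=noninteractive

# nginx release to build. 1.6.x is unsupported upstream and has known fixed
# issues in later releases; override with --build-arg NGINX_VERSION=... and
# supply the matching NGINX_SHA256.
ARG NGINX_VERSION=1.6.1
# SHA-256 of nginx-${NGINX_VERSION}.tar.gz as published on nginx.org. When set,
# the download is verified and the build fails on mismatch; when left empty the
# build still proceeds (as before) but prints a warning.
ARG NGINX_SHA256=""

# Toolchain, nginx build dependencies, curl + CA bundle for the TLS download,
# and python-pip/setuptools for the pystache template renderer. One layer, so
# the apt lists are removed in the same layer that created them.
# The ppa:nginx/stable repository the original recipe enabled was never used
# (nginx is compiled from source below), so it is no longer added; that also
# drops the software-properties packages it required.
RUN apt-get update -q \
    && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        libpcre3-dev \
        libssl-dev \
        python-pip \
        python-setuptools \
        zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*

# Build nginx from source so the http_auth_request module used by the site
# config is available. The tarball is fetched over TLS (the original used plain
# http with no integrity check), verified against NGINX_SHA256 when provided,
# and the sources are deleted in the same layer so they never persist in the
# image. Lines in a heredoc are not &&-chained, hence the explicit `set -e`.
RUN <<EOF
set -eu
mkdir -p /usr/src/nginx-build
cd /usr/src/nginx-build
curl -fsSLO "https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz"
if [ -n "${NGINX_SHA256}" ]; then
    echo "${NGINX_SHA256}  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c -
else
    echo "WARNING: NGINX_SHA256 not set; nginx-${NGINX_VERSION}.tar.gz was not verified" >&2
fi
tar -xzf "nginx-${NGINX_VERSION}.tar.gz"
cd "nginx-${NGINX_VERSION}"
./configure --with-http_ssl_module --with-http_auth_request_module
make
make install
cd /
rm -rf /usr/src/nginx-build
EOF

# pystache renders nginx/nginx.default (a mustache template) in start.sh.
# NOTE(review): the version is unpinned; pin it to a known-good release
# (pystache==<version>) for reproducible builds. trusty's pip predates
# --no-cache-dir, so any cache is removed explicitly instead.
RUN pip install pystache \
    && rm -rf /root/.cache/pip

# nginx configuration. COPY instead of ADD: these are plain local files, so
# ADD's archive extraction / URL fetching behaviour is not wanted.
COPY nginx/nginx.conf /usr/local/nginx/conf/nginx.conf
COPY nginx/nginx.default /usr/local/nginx/conf/sites-enabled/default.template
# --chmod makes the entrypoint executable regardless of the mode in the build
# context, which the exec-form CMD below requires.
COPY --chmod=0755 start.sh /start.sh

# The nginx master process stays root so it can bind :80; workers run as
# www-data (see `user` in nginx/nginx.conf).
EXPOSE 80
# Exec form: start.sh is launched directly (no intermediate /bin/sh -c), so the
# signal from `docker stop` reaches the script rather than a wrapper shell.
CMD ["/start.sh"]
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2014, OpenDNS, Inc.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.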
13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 15 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 17 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 18 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 20 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 21 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 22 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Nginx authentication proxy 2 | ========================== 3 | 4 | Simple proxy used to send the request using the proxy_pass directive to an authentication backend specified using the AUTH_BACKEND environment variable. Traffic that passes the authentication backend will then be sent to the backend specified using the BACKEND environment variable. 
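
Running the docker container:
```
ubuntu@trusty-64:/nginx-auth# docker build -t nginx-auth
ubuntu@trusty-64:/nginx-auth# docker run -e AUTH_BACKEND=https://someauthapi -e BACKEND=http://youprivateregistry -p 0.0.0.0:8080:80 nginx-auth
```
--------------------------------------------------------------------------------
/nginx/nginx.conf:
--------------------------------------------------------------------------------
# Main nginx configuration for the authentication proxy. The virtual host
# itself lives in sites-enabled/default, which start.sh renders from
# sites-enabled/default.template at container start.
user www-data;                # workers drop to www-data; the master stays root to bind :80
worker_rlimit_nofile 32768;
pid /var/run/nginx.pid;

events {
    worker_connections 8192;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header and on error
    # pages; this image ships a fixed, ageing build and need not announce it.
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /usr/local/nginx/conf/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    # Both logs go to stdout so `docker logs` captures them.

    access_log /dev/stdout;
    error_log /dev/stdout;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /usr/local/nginx/conf/conf.d/*.conf;
    include /usr/local/nginx/conf/sites-enabled/default;
}

# Run in the foreground: nginx is the container's main process and must not
# detach, or the container would exit immediately.
daemon off;
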
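--------------------------------------------------------------------------------
/nginx/nginx.default:
--------------------------------------------------------------------------------
# Site template (mustache) for the authentication proxy. start.sh substitutes
# {{auth_backend}} and {{backend}} from the AUTH_BACKEND / BACKEND environment
# variables and writes the result to sites-enabled/default.
# NOTE(review): pystache HTML-escapes {{var}} by default, so a URL containing
# characters such as & or " would be altered; {{{var}}} renders unescaped.
# Confirm against the installed pystache before changing the tags.
server {
    listen 80;
    server_name _;

    client_max_body_size 0;                      # disable any limits to avoid HTTP 413 for large image uploads
    chunked_transfer_encoding on;                # required to avoid HTTP 411: see Issue #1486 (https://github.com/dotcloud/docker/issues/1486)
    proxy_set_header Host $http_host;            # required for docker client's sake
    proxy_set_header X-Real-IP $remote_addr;     # pass on real client's IP

    root /usr/local/nginx/html;
    index index.html index.htm;

    # Subrequest target for auth_request: only the headers of the original
    # request (no body) are forwarded to the authentication backend, which
    # decides with its status code (2xx allow, 401/403 deny).
    # NOTE(review): because this location sets its own proxy_set_header
    # directives, the server-level Host and X-Real-IP headers are NOT inherited
    # here (nginx inherits proxy_set_header only into locations that define
    # none); add them explicitly if the authentication backend needs them.
    # NOTE(review): for an https:// auth backend nginx does not verify the
    # upstream certificate by default (proxy_ssl_verify, which needs a newer
    # nginx than the 1.6.1 the Dockerfile builds), so the auth decision is
    # only as trustworthy as the network path to that backend.
    location = /auth {
        proxy_pass {{auth_backend}};
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
        # An empty value removes the header, so a client-supplied token is never
        # forwarded to the authentication backend.
        proxy_set_header X-Docker-Token "";
    }

    # Everything else is gated by /auth and then proxied to the backend.
    location / {
        proxy_pass {{backend}};
        auth_request /auth;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_buffering off;
    }

    # Health probes are intentionally unauthenticated: auth_request is set only
    # in `location /` and is not inherited here. `auth_basic off` only concerns
    # HTTP basic auth, which this config never enables; it is kept as a guard
    # should basic auth ever be added at server level.
    location /v1/_ping {
        auth_basic off;
        proxy_pass {{backend}};
    }
    location /_ping {
        auth_basic off;
        proxy_pass {{backend}};
    }
}
--------------------------------------------------------------------------------
/start.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Container entrypoint: renders the nginx site config from its mustache
# template using AUTH_BACKEND and BACKEND, then starts nginx in the foreground
# (nginx.conf sets `daemon off`).
set -euo pipefail

NGINX=/usr/local/nginx

# Fail fast with a clear message instead of rendering an empty proxy_pass
# target and letting nginx abort on a config error.
: "${AUTH_BACKEND:?AUTH_BACKEND must be set (URL of the authentication backend)}"
: "${BACKEND:?BACKEND must be set (URL of the proxied backend)}"

# Build the template context with json.dumps so quotes, backslashes or other
# special characters in the URLs cannot break the JSON or inject extra keys,
# as interpolating them into a hand-written JSON literal would.
CONTEXT=$(python -c 'import json, sys; print(json.dumps({"auth_backend": sys.argv[1], "backend": sys.argv[2]}))' "${AUTH_BACKEND}" "${BACKEND}")

pystache "$(cat "${NGINX}/conf/sites-enabled/default.template")" "${CONTEXT}" \
    > "${NGINX}/conf/sites-enabled/default"

# exec so nginx replaces this shell as the container's main process and
# receives the stop signal directly.
exec "${NGINX}/sbin/nginx"
--------------------------------------------------------------------------------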