add dsvpn

2025-11-25 22:22:29 +02:00 · 2019-12-12 20:19:46 +08:00
parent de973aa032
commit 531096b358
9 changed files with 198 additions and 0 deletions
--- a/nginx-sso/nginx/conf.d/include/ssl.inc
+++ b/nginx-sso/nginx/conf.d/include/ssl.inc
@@ -0,0 +1,8 @@
+ssl_certificate     /etc/nginx/certs/yourdomain.com.crt;
+ssl_certificate_key /etc/nginx/certs/yourdomain.com.key;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ssl_prefer_server_ciphers on;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
--- a/nginx-sso/nginx/conf.d/include/sso.inc
+++ b/nginx-sso/nginx/conf.d/include/sso.inc
@@ -0,0 +1,36 @@
+# Protect this location using the auth_request
+auth_request /sso-auth;
+
+# Redirect the user to the login page when they are not logged in
+error_page 401 = @error401;
+
+location /sso-auth {
+    # Do not allow requests from outside
+    internal;
+
+    # Access /auth endpoint to query login state
+    proxy_pass http://172.17.0.1:8082/auth;
+
+    # Do not forward the request body (nginx-sso does not care about it)
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+
+    # Set custom information for ACL matching: Each one is available as
+    # a field for matching: X-Host = x-host, ...
+    proxy_set_header X-Origin-URI $request_uri;
+    proxy_set_header X-Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+# If the user is lead to /logout redirect them to the logout endpoint
+# of ngninx-sso which then will redirect the user to / on the current host
+location /sso-logout {
+    return 302 https://login.yourdomain.com/logout?go=$scheme://$http_host/;
+}
+
+# Define where to send the user to login and specify how to get back
+location @error401 {
+    return 302 https://login.yourdomain.com/login?go=$scheme://$http_host$request_uri;
+}
--- a/nginx-sso/nginx/sites-enabled/000-nginx-sso.conf
+++ b/nginx-sso/nginx/sites-enabled/000-nginx-sso.conf
@@ -0,0 +1,22 @@
+# Redirect all requests to this server to https
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
+}
+
+server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name login.yourdomain.com;
+
+        access_log  /var/log/nginx/login.yourdomain.com_access.log;
+        error_log   /var/log/nginx/login.yourdomain.com_error.log;
+
+        include conf.d/include/ssl.inc;
+
+        location / {
+                proxy_pass http://172.17.0.1:8082/;
+        }
+}
--- a/nginx-sso/nginx/sites-enabled/hass.yourdomain.com.conf
+++ b/nginx-sso/nginx/sites-enabled/hass.yourdomain.com.conf
@@ -0,0 +1,31 @@
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+}
+
+server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name hass.yourdomain.com;
+
+        access_log  /var/log/nginx/hass.yourdomain.com_access.log;
+        error_log   /var/log/nginx/hass.yourdomain.com_error.log;
+
+        include conf.d/include/ssl.inc;
+        include conf.d/include/sso.inc;
+
+        location / {
+                # Automatically renew SSO cookie on request
+                auth_request_set $cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $cookie;
+
+                proxy_pass http://172.17.0.1:8123/;
+
+                proxy_set_header Host $host;
+                proxy_redirect http:// https://;
+                proxy_http_version 1.1;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection $connection_upgrade;
+        }
+}
--- a/nginx-sso/nginx/sites-enabled/portainer.yourdomain.com.conf
+++ b/nginx-sso/nginx/sites-enabled/portainer.yourdomain.com.conf
@@ -0,0 +1,19 @@
+server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name portainer.yourdomain.com;
+
+        access_log  /var/log/nginx/portainer.yourdomain.com_access.log;
+        error_log   /var/log/nginx/portainer.yourdomain.com_error.log;
+
+        include conf.d/include/ssl.inc;
+        include conf.d/include/sso.inc;
+
+        location / {
+                # Automatically renew SSO cookie on request
+                auth_request_set $cookie $upstream_http_set_cookie;
+                add_header Set-Cookie $cookie;
+
+                proxy_pass http://172.17.0.1:9000/;
+        }
+}