
NGINX module updates #44


2 changes: 1 addition & 1 deletion deployments/build.sh
Expand Up @@ -45,7 +45,7 @@ fi
#
if [ "$OAUTH_PROXY" == 'NGINX' ]; then

docker build --no-cache -f nginx/Dockerfile -t custom_nginx:1.25.5-alpine .
docker build --no-cache -f nginx/Dockerfile -t custom_nginx:1.27.4-alpine .
if [ $? -ne 0 ]; then
echo "Problem encountered building the NGINX docker image"
exit 1
6 changes: 3 additions & 3 deletions deployments/financial/components/api-gateway/nginx/Dockerfile
@@ -1,5 +1,5 @@
FROM nginx:1.25.5-alpine
FROM nginx:1.27.4-alpine

# Download the built modules from Curity GitHub repo
RUN curl -s -L 'https://github.com/curityio/nginx_phantom_token_module/releases/download/1.6.0/alpine.ngx_curity_http_phantom_token_module_1.25.5.so' > /usr/lib/nginx/modules/ngx_curity_http_phantom_token_module.so
RUN curl -s -L 'https://github.com/curityio/nginx_oauth_proxy_module/releases/download/1.5.0/alpine.ngx_curity_http_oauth_proxy_module_1.25.5.so' > /usr/lib/nginx/modules/ngx_curity_http_oauth_proxy_module.so
RUN curl -s -L 'https://github.com/curityio/nginx_phantom_token_module/releases/download/2.0.0/alpine.ngx_curity_http_phantom_token_module_1.27.4.so' > /usr/lib/nginx/modules/ngx_curity_http_phantom_token_module.so
RUN curl -s -L 'https://github.com/curityio/nginx_oauth_proxy_module/releases/download/1.6.0/alpine.ngx_curity_http_oauth_proxy_module_1.27.4.so' > /usr/lib/nginx/modules/ngx_curity_http_oauth_proxy_module.so
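Review bot: Both `RUN curl -s -L … > /usr/lib/nginx/modules/….so` lines save whatever the server returns as a loadable module: without `-f` an HTTP error page is written to the `.so` path and the build step still succeeds, and nothing checks the downloaded file against a known digest. I would fetch with `curl -fsSL -o /usr/lib/nginx/modules/ngx_curity_http_phantom_token_module.so '<release URL>'` and follow each download with `echo '<EXPECTED_SHA256>  /usr/lib/nginx/modules/ngx_curity_http_phantom_token_module.so' | sha256sum -c -`, where `<EXPECTED_SHA256>` is a placeholder for the digest recorded when the release was vetted. The same two lines appear in deployments/standard/components/api-gateway/nginx/Dockerfile.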
Expand Up @@ -44,7 +44,6 @@ server {

# Then run the Phantom Token plugin to translate opaque access tokens to JWT access tokens
phantom_token on;
phantom_token_client_credential api-gateway-client Password1;
phantom_token_introspection_endpoint curity;

# Then forward the JWT to the below API
Expand All @@ -56,11 +55,21 @@ server {
# Use the Docker embedded DNS server
resolver 127.0.0.11;

# Do the introspection when required
proxy_pass $INTROSPECTION_ENDPOINT;
# Avoid exposing this route externally
internal;

# Configure introspection headers
proxy_pass_request_headers off;
proxy_set_header Accept "application/jwt";
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization "Basic $INTROSPECTION_CREDENTIAL";

# Configure the introspection results cache
proxy_cache_methods POST;
proxy_cache api_cache;
proxy_cache_key §request_body;
proxy_ignore_headers Set-Cookie;

proxy_pass $INTROSPECTION_ENDPOINT;
}
}
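Review bot: The new cache directives in the introspection location (second hunk) key entries on the request body, which presumably carries the opaque access token, and NGINX records the cache key inside each cache file, so tokens end up on disk wherever `api_cache` is stored. No `proxy_cache_valid` is visible in the hunk, so the entry lifetime, and with it how long a revoked token keeps resolving to a cached JWT, seems to depend on the caching headers the introspection endpoint returns; the `proxy_cache_path` declaration is outside the hunk. I would document both above `proxy_cache api_cache;`, for example `# Cache key is the introspection request body (contains the opaque token); keep the cache directory private` and `# Entry lifetime presumably follows the introspection response headers and bounds the revocation delay - confirm`. The same block is added to the standard deployment's template further down the page, and the location block itself opens outside the hunk.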
1 change: 1 addition & 0 deletions deployments/financial/deploy.sh
Expand Up @@ -170,6 +170,7 @@ if [ "$OAUTH_PROXY" == 'KONG' ]; then

elif [ "$OAUTH_PROXY" == 'NGINX' ]; then

export INTROSPECTION_CREDENTIAL="$(echo -n 'api-gateway-client:Password1' | base64)"
envsubst < ./nginx/default.conf.template | sed -e 's/§/$/g' > ./nginx/default.conf

elif [ "$OAUTH_PROXY" == 'OPENRESTY' ]; then
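Review bot: The `export INTROSPECTION_CREDENTIAL=…` line, which appears to be the one addition here, keeps the client secret as a literal in the script and relies on default `base64` output; GNU `base64` wraps at 76 characters, so a longer secret would put a newline into the `Authorization` header value that `envsubst` writes into default.conf. I would build the value from a variable supplied by the environment and strip line breaks, e.g. `INTROSPECTION_CREDENTIAL="$(printf '%s' "$GATEWAY_CLIENT_CREDENTIAL" | base64 | tr -d '\n')"` followed by `export INTROSPECTION_CREDENTIAL` (`GATEWAY_CLIENT_CREDENTIAL` is a placeholder name, not something the page defines). Splitting the assignment from `export` also stops `export` from masking a failure of the pipeline. The generated ./nginx/default.conf now holds the Basic credential, so it should stay out of version control; deployments/standard/deploy.sh has the same line, and the `elif` chain continues outside the hunk.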
2 changes: 1 addition & 1 deletion deployments/financial/docker-compose.yml
Expand Up @@ -101,7 +101,7 @@ services:
# A gateway that uses NGINX and C modules
#
nginx-api-gateway:
image: custom_nginx:1.25.5-alpine
image: custom_nginx:1.27.4-alpine
hostname: apigateway
ports:
- 443:3000
6 changes: 3 additions & 3 deletions deployments/standard/components/api-gateway/nginx/Dockerfile
@@ -1,5 +1,5 @@
FROM nginx:1.25.5-alpine
FROM nginx:1.27.4-alpine

# Download the built modules from Curity GitHub repo
RUN curl -s -L 'https://github.com/curityio/nginx_phantom_token_module/releases/download/1.6.0/alpine.ngx_curity_http_phantom_token_module_1.25.5.so' > /usr/lib/nginx/modules/ngx_curity_http_phantom_token_module.so
RUN curl -s -L 'https://github.com/curityio/nginx_oauth_proxy_module/releases/download/1.5.0/alpine.ngx_curity_http_oauth_proxy_module_1.25.5.so' > /usr/lib/nginx/modules/ngx_curity_http_oauth_proxy_module.so
RUN curl -s -L 'https://github.com/curityio/nginx_phantom_token_module/releases/download/2.0.0/alpine.ngx_curity_http_phantom_token_module_1.27.4.so' > /usr/lib/nginx/modules/ngx_curity_http_phantom_token_module.so
RUN curl -s -L 'https://github.com/curityio/nginx_oauth_proxy_module/releases/download/1.6.0/alpine.ngx_curity_http_oauth_proxy_module_1.27.4.so' > /usr/lib/nginx/modules/ngx_curity_http_oauth_proxy_module.so
Expand Up @@ -40,7 +40,6 @@ server {

# Then run the Phantom Token plugin to translate opaque access tokens to JWT access tokens
phantom_token on;
phantom_token_client_credential api-gateway-client Password1;
phantom_token_introspection_endpoint curity;

# Then forward the JWT to the below API
Expand All @@ -52,11 +51,21 @@ server {
# Use the Docker embedded DNS server
resolver 127.0.0.11;

# Do the introspection when required
proxy_pass $INTROSPECTION_ENDPOINT;
# Avoid exposing this route externally
internal;

# Configure introspection headers
proxy_pass_request_headers off;
proxy_set_header Accept "application/jwt";
proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization "Basic $INTROSPECTION_CREDENTIAL";

# Configure the introspection results cache
proxy_cache_methods POST;
proxy_cache api_cache;
proxy_cache_key §request_body;
proxy_ignore_headers Set-Cookie;

proxy_pass $INTROSPECTION_ENDPOINT;
}
}
1 change: 1 addition & 0 deletions deployments/standard/deploy.sh
Expand Up @@ -133,6 +133,7 @@ if [ "$OAUTH_PROXY" == 'KONG' ]; then

elif [ "$OAUTH_PROXY" == 'NGINX' ]; then

export INTROSPECTION_CREDENTIAL="$(echo -n 'api-gateway-client:Password1' | base64)"
envsubst < './nginx/default.conf.template' | sed -e 's/§/$/g' > ./nginx/default.conf

elif [ "$OAUTH_PROXY" == 'OPENRESTY' ]; then
2 changes: 1 addition & 1 deletion deployments/standard/docker-compose.yml
Expand Up @@ -75,7 +75,7 @@ services:
# Use NGINX and C modules
#
nginx-api-gateway:
image: custom_nginx:1.25.5-alpine
image: custom_nginx:1.27.4-alpine
hostname: apigateway
ports:
- 80:3000