From 55777fd948e1fb18683ac833ba72cdc78c95ec75 Mon Sep 17 00:00:00 2001 From: Brendan Cazier <520246+cazier@users.noreply.github.com> Date: Wed, 3 Jun 2020 10:16:17 -0500 Subject: [PATCH 1/3] Added REMOTE_USER auth --- recipes/middleware.py | 4 ++++ recipes/settings.py | 6 ++++++ 2 files changed, 10 insertions(+) create mode 100644 recipes/middleware.py diff --git a/recipes/middleware.py b/recipes/middleware.py new file mode 100644 index 000000000..f0340c19a --- /dev/null +++ b/recipes/middleware.py @@ -0,0 +1,4 @@ +from django.contrib.auth.middleware import RemoteUserMiddleware + +class CustomRemoteUser(RemoteUserMiddleware): + header = getenv('PROXY_HEADER', 'HTTP_REMOTE_USER') \ No newline at end of file diff --git a/recipes/settings.py b/recipes/settings.py index f87b1a552..5b4169441 100644 --- a/recipes/settings.py +++ b/recipes/settings.py @@ -67,6 +67,12 @@ MIDDLEWARE = [ 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.locale.LocaleMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', + 'recipes.middleware.CustomRemoteUser', + ] + +AUTHENTICATION_BACKENDS = [ + 'django.contrib.auth.backends.RemoteUserBackend', + 'django.contrib.auth.backends.ModelBackend', ] ROOT_URLCONF = 'recipes.urls' From 81cd551975618dc85342a047bb507b312e889358 Mon Sep 17 00:00:00 2001 From: Brendan Cazier <520246+cazier@users.noreply.github.com> Date: Wed, 3 Jun 2020 10:40:12 -0500 Subject: [PATCH 2/3] Added some basic documentation --- .../README.md | 15 +++++++ .../docker-compose.yml | 43 +++++++++++++++++++ .../nginx/conf.d/Recipes.conf | 37 ++++++++++++++++ 3 files changed, 95 insertions(+) create mode 100644 docs/docker/nginx-proxy with proxy authentication/README.md create mode 100644 docs/docker/nginx-proxy with proxy authentication/docker-compose.yml create mode 100644 docs/docker/nginx-proxy with proxy authentication/nginx/conf.d/Recipes.conf 
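Review bot: `CustomRemoteUser` in recipes/middleware.py has no docstring recording the trust assumption it depends on: the value of `header` is taken as an already-authenticated username, so the class is only safe when the front-end proxy sets or strips that header on every request. Django's documentation for `RemoteUserMiddleware` subclasses adds that dash and underscore spellings of a header normalise to the same `request.META` key, so the proxy has to handle both. I would add a class docstring such as `"""Authenticate from the header named by PROXY_HEADER; only safe behind a reverse proxy that overwrites this header on every request."""`. A short comment that `header` is read from the environment once, at import time, would also help.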
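Review bot: `'recipes.middleware.CustomRemoteUser'` and `RemoteUserBackend` are enabled unconditionally in recipes/settings.py, so an installation that is not behind an authenticating proxy would accept whatever `Remote-User` value a client sends as the logged-in user. `RemoteUserBackend` also creates accounts for unknown usernames by default. I would make this opt-in, for example `if os.getenv('REVERSE_PROXY_AUTH'): MIDDLEWARE.append('recipes.middleware.CustomRemoteUser')`, with the backend list extended in the same branch; the variable name is a placeholder, and whether `os` is imported in settings.py is not visible in this hunk. Django also requires this middleware to come after `AuthenticationMiddleware`, which lies outside the hunk and is worth confirming.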
diff --git a/docs/docker/nginx-proxy with proxy authentication/README.md b/docs/docker/nginx-proxy with proxy authentication/README.md
new file mode 100644
index 000000000..fda7a7871
--- /dev/null
+++ b/docs/docker/nginx-proxy with proxy authentication/README.md
@@ -0,0 +1,15 @@
+This is a further example combining the power of nginx with the reverse proxy authentication service, [Authelia](https://github.com/authelia/authelia).
+
+Please refer to the appropriate documentation on how to setup the reverse proxy, authentication, and networks.
+
+Ensure users have been configured for Authelia, and that the endpoint that recipes is pointed to is protected, but available.
+
+There is a good guide to the other additional files that need to be added to your Nginx set up at the [Authelia Docs](https://docs.authelia.com/deployment/supported-proxies/nginx.html).
+
+Remember to add the appropriate environment variables to `.env` file:
+```
+VIRTUAL_HOST=
+LETSENCRYPT_HOST=
+LETSENCRYPT_EMAIL=
+PROXY_HEADER=
+```
\ No newline at end of file
diff --git a/docs/docker/nginx-proxy with proxy authentication/docker-compose.yml b/docs/docker/nginx-proxy with proxy authentication/docker-compose.yml
new file mode 100644
index 000000000..db36ac5dd
--- /dev/null
+++ b/docs/docker/nginx-proxy with proxy authentication/docker-compose.yml
@@ -0,0 +1,43 @@
+version: "3"
+services:
+ db_recipes:
+ restart: always
+ image: postgres:11-alpine
+ volumes:
+ - ./postgresql:/var/lib/postgresql/data
+ env_file:
+ - ./.env
+ networks:
+ - default
+
+ web_recipes:
+ image: vabene1111/recipes
+ restart: always
+ env_file:
+ - ./.env
+ volumes:
+ - ./staticfiles:/opt/recipes/staticfiles
+ - ./mediafiles:/opt/recipes/mediafiles
+ depends_on:
+ - db_recipes
+ networks:
+ - default
+
+ nginx_recipes:
+ image: nginx:mainline-alpine
+ restart: always
+ env_file:
+ - ./.env
+ volumes:
+ - ./nginx/conf.d:/etc/nginx/conf.d
+ - ./staticfiles:/static
+ - ./mediafiles:/media
+ networks:
+ - default
+ - nginx-proxy
+
+networks:
+ default:
+ nginx-proxy:
+ external:
+ name: nginx-proxy
\ No newline at end of file
diff --git a/docs/docker/nginx-proxy with proxy authentication/nginx/conf.d/Recipes.conf b/docs/docker/nginx-proxy with proxy authentication/nginx/conf.d/Recipes.conf
new file mode 100644
index 000000000..f93ca12c5
--- /dev/null
+++ b/docs/docker/nginx-proxy with proxy authentication/nginx/conf.d/Recipes.conf
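Review bot: `nginx_recipes` is given the whole `./.env` through `env_file`, the same file `db_recipes` and `web_recipes` read, so the web-facing container presumably also receives database credentials and application secrets it never uses. Passing only what the proxy integration needs keeps that container's environment minimal, e.g. an `environment:` list with `- VIRTUAL_HOST=${VIRTUAL_HOST}`, `- LETSENCRYPT_HOST=${LETSENCRYPT_HOST}` and `- LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}`. A comment on `web_recipes` should also record that it must stay unpublished and off the `nginx-proxy` network, because the header-based login is only trustworthy when every request passes through `nginx_recipes`.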
@@ -0,0 +1,37 @@ +server { + listen 80; + server_name localhost; + + client_max_body_size 16M; + + # serve static files + location /static/ { + alias /static/; + } + # serve media files + location /media/ { + alias /media/; + } + + # Authelia endpoint for authentication requests + include /config/nginx/auth.conf; + + # pass requests for dynamic content to gunicorn + location / { + proxy_set_header Host $host; + proxy_pass http://web_recipes:8080; + + # Ensure Authelia is specifically required for this endpoint + # This line is important as it will return a 401 error if the user doesn't have access + include /config/nginx/authelia.conf; + + auth_request_set $user $upstream_http_remote_user; + proxy_set_header REMOTE-USER $user; + } + + # Required to allow user to logout of authentication from within Recipes + # Ensure the below is changed to actual the authentication url + location /accounts/logout/ { + return 301 http:///logout + } +} \ No newline at end of file From cdf4c0d1bb7ff9e7b020ddb6d7da492682efccde Mon Sep 17 00:00:00 2001 From: Brendan Cazier <520246+cazier@users.noreply.github.com> Date: Thu, 4 Jun 2020 07:51:43 -0500 Subject: [PATCH 3/3] Re-adding import statement --- recipes/middleware.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/recipes/middleware.py b/recipes/middleware.py index f0340c19a..662d61d8a 100644 --- a/recipes/middleware.py +++ b/recipes/middleware.py @@ -1,4 +1,5 @@ from django.contrib.auth.middleware import RemoteUserMiddleware +from os import getenv class CustomRemoteUser(RemoteUserMiddleware): - header = getenv('PROXY_HEADER', 'HTTP_REMOTE_USER') \ No newline at end of file + header = getenv('PROXY_HEADER', 'HTTP_REMOTE_USER')
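Review bot: The Authelia check (`include /config/nginx/authelia.conf;`) appears only inside `location /` in Recipes.conf, so `/media/` and `/static/` are served without any authentication. If uploaded media should be private, the same include and a short comment belong in `location /media/`. The logout block will also fail to parse as written, because `return 301 http:///logout` has no terminating `;` and its host part is empty; `return 301 https://AUTH_HOST_PLACEHOLDER/logout;` with the comment reworded to "change this to the actual authentication URL" would fix both. A comment next to `proxy_set_header REMOTE-USER $user;` should say that this line is what replaces any client-supplied value, and that nginx's default `underscores_in_headers off` must stay in place so an underscore spelling is not forwarded.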