Minor edits and documentation

2020-01-07 15:41:36 +00:00 · 2020-01-07 15:41:36 +00:00 · 3b43538f90
parent 2d73384e17
commit 3b43538f90
3 changed files with 46 additions and 13 deletions
--- a/README.md
+++ b/README.md
@ -1,7 +1,7 @@
 # lucidAuth [![](https://img.shields.io/badge/status-in%20production-%23003399.svg)](#) [![](https://img.shields.io/badge/contributors-1-green.svg) ](#)  
 > *Respect* the unexpected, mitigate your risks  

-Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
+Forward Authentication for use with loadbalancers/proxies/webservers (Apache, ~~Caddy~~, Lighttpd, NGINX, Traefik, etc)

 ## Usage
 - Create a new folder, navigate to it in a commandprompt and run the following command:  
@ -9,12 +9,39 @@ Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
 - Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php`  
 - Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder  
 - Check if you are able to browse to `https://<fqdn>/lucidAuth.login.php` (where `<fqdn>` is the actual domain -or IP address- your webserver is listening on)  
- Edit your proxy's configuration to use the new website as forward proxy:  
-  - #### ~~in Caddy/nginx~~    <small>(planned for a later stage)</small>
+- Edit your webserver's/proxy's configuration to use the new website for forward authentication:  
+  - #### ~~in Apache~~    <small>(Soon™)</small>  
+
+  - #### ~~in Caddy~~    <small>(Never, due to lacking functionality)</small>  
+
+  - #### ~~in Lighttpd~~    <small>(Soon™)</small>  
+
+  - #### in NGINX
+  Add the following lines (adjust to reflect your existing configuration - more [details](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/)):  
+  ```
+  http {
+          #...
+          server {
+          #...
+            location /private/ {
+              auth_request     /auth;
+              auth_request_set $auth_status $upstream_status;
+            }
+
+            location = /auth {
+              internal;
+              proxy_pass              https://<fqdn>/lucidAuth.validateRequest.php;
+              proxy_pass_request_body off;
+              proxy_set_header        Content-Length "";
+              proxy_set_header        X-Original-URI $request_uri;
+            }
+          }
+  }
+  ```

  - #### in Traefik  
  Add the following lines (change to reflect your existing configuration):  
-#####   1.7  
+#####   1.7.x (more [details](https://docs.traefik.io/v1.7/configuration/entrypoints/#forward-authentication))  
  ```
  [frontends.server1]
          entrypoints = ["https"]
@ -25,7 +52,7 @@ Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
            [frontends.server1.routes.ext]
              rule = "Host:<fqdn>"
  ```
-#####   2.0  
+#####   2.x (more [details](https://docs.traefik.io/middlewares/forwardauth/))  
  Either whitelist IP's which should be trusted to send `HTTP_X-Forwarded-*` headers, ór enable insecure-mode in your static configuration:  
  ```
  entryPoints:
--- a/public/lucidAuth.manage.php
+++ b/public/lucidAuth.manage.php
@ -9,6 +9,9 @@

 	if ($validateTokenResult['status'] === "Success") {
        switch ($_REQUEST['do']) {
+            case 'mutateusers':
+// Do magic!
+                break;
            case 'retrievesessions':
                $storedTokens = [];

--- a/public/misc/script.manage.js
+++ b/public/misc/script.manage.js
@ -10,6 +10,7 @@ jQuery.fn.ConfirmDelete = function() {
                'data-translation': 'button_yes',
                'data-sessionid': sessionID
            }).on('click', function() {
+// Move this out of 'ConfirmDelete()'
                var pressedButton = $(this);
                $(pressedButton).prop('disabled', true).css({
                    'background':	'#999 url(data:image/gif;base64,R0lGODlhEAAQAPIAAJmZmf///7CwsOPj4////9fX18rKysPDwyH+GkNyZWF0ZWQgd2l0aCBhamF4bG9hZC5pbmZvACH5BAAKAAAAIf8LTkVUU0NBUEUyLjADAQAAACwAAAAAEAAQAAADMwi63P4wyklrE2MIOggZnAdOmGYJRbExwroUmcG2LmDEwnHQLVsYOd2mBzkYDAdKa+dIAAAh+QQACgABACwAAAAAEAAQAAADNAi63P5OjCEgG4QMu7DmikRxQlFUYDEZIGBMRVsaqHwctXXf7WEYB4Ag1xjihkMZsiUkKhIAIfkEAAoAAgAsAAAAABAAEAAAAzYIujIjK8pByJDMlFYvBoVjHA70GU7xSUJhmKtwHPAKzLO9HMaoKwJZ7Rf8AYPDDzKpZBqfvwQAIfkEAAoAAwAsAAAAABAAEAAAAzMIumIlK8oyhpHsnFZfhYumCYUhDAQxRIdhHBGqRoKw0R8DYlJd8z0fMDgsGo/IpHI5TAAAIfkEAAoABAAsAAAAABAAEAAAAzIIunInK0rnZBTwGPNMgQwmdsNgXGJUlIWEuR5oWUIpz8pAEAMe6TwfwyYsGo/IpFKSAAAh+QQACgAFACwAAAAAEAAQAAADMwi6IMKQORfjdOe82p4wGccc4CEuQradylesojEMBgsUc2G7sDX3lQGBMLAJibufbSlKAAAh+QQACgAGACwAAAAAEAAQAAADMgi63P7wCRHZnFVdmgHu2nFwlWCI3WGc3TSWhUFGxTAUkGCbtgENBMJAEJsxgMLWzpEAACH5BAAKAAcALAAAAAAQABAAAAMyCLrc/jDKSatlQtScKdceCAjDII7HcQ4EMTCpyrCuUBjCYRgHVtqlAiB1YhiCnlsRkAAAOwAAAAAAAAAAAA==) no-repeat center',
@ -57,6 +58,7 @@ jQuery.fn.ConfirmDelete = function() {
                'data-translation': 'button_no',
                'data-sessionid': sessionID
            }).on('click', function() {
+// Move this out of 'ConfirmDelete()'
                var pressedButton = $(this);
                $(pressedButton).closest('td').empty()
                .append(
@ -185,14 +187,15 @@ $(document).ready(function(){
        });

 console.log({'new': newEntries, 'removed': removedEntries});
-
-/*        $.get("psworker.php", {
-			do: "mutate",
-			mutations: {
-				new: newEntries,
-				removed: removedEntries
-			}
-		})*/
+/*
+        $.post("lucidAuth.manage.php", {
+            do: "mutateusers",
+            new: newEntries,
+            removed: removedEntries
+        })
+        .done(function(data,_status) {
+        }
+*/
    });

    $('#btncancel').click(function() {