Minor edits and documentation

This commit is contained in:
Danny Bessems 2020-01-07 15:41:36 +00:00
parent 2d73384e17
commit 3b43538f90
3 changed files with 46 additions and 13 deletions

View File

@ -1,7 +1,7 @@
# lucidAuth [![](https://img.shields.io/badge/status-in%20production-%23003399.svg)](#) [![](https://img.shields.io/badge/contributors-1-green.svg) ](#) # lucidAuth [![](https://img.shields.io/badge/status-in%20production-%23003399.svg)](#) [![](https://img.shields.io/badge/contributors-1-green.svg) ](#)
> *Respect* the unexpected, mitigate your risks > *Respect* the unexpected, mitigate your risks
Forward Authentication for use with proxies (caddy, nginx, traefik, etc) Forward Authentication for use with loadbalancers/proxies/webservers (Apache, ~~Caddy~~, Lighttpd, NGINX, Traefik, etc)
## Usage ## Usage
- Create a new folder, navigate to it in a commandprompt and run the following command: - Create a new folder, navigate to it in a commandprompt and run the following command:
@ -9,12 +9,39 @@ Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
- Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php` - Edit `include/lucidAuth.config.php.example` to reflect your configuration and save as `include/lucidAuth.config.php`
- Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder - Create a new website (within any php-capable webserver) and make sure that the documentroot points to the `public` folder
- Check if you are able to browse to `https://<fqdn>/lucidAuth.login.php` (where `<fqdn>` is the actual domain -or IP address- your webserver is listening on) - Check if you are able to browse to `https://<fqdn>/lucidAuth.login.php` (where `<fqdn>` is the actual domain -or IP address- your webserver is listening on)
- Edit your proxy's configuration to use the new website as forward proxy: - Edit your webserver's/proxy's configuration to use the new website for forward authentication:
- #### ~~in Caddy/nginx~~ <small>(planned for a later stage)</small> - #### ~~in Apache~~ <small>(Soon™)</small>
- #### ~~in Caddy~~ <small>(Never, due to lacking functionality)</small>
- #### ~~in Lighttpd~~ <small>(Soon™)</small>
- #### in NGINX
Add the following lines (adjust to reflect your existing configuration - more [details](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/)):
```
http {
#...
server {
#...
location /private/ {
auth_request /auth;
auth_request_set $auth_status $upstream_status;
}
location = /auth {
internal;
proxy_pass https://<fqdn>/lucidAuth.validateRequest.php;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
}
}
}
```
- #### in Traefik - #### in Traefik
Add the following lines (change to reflect your existing configuration): Add the following lines (change to reflect your existing configuration):
##### 1.7 ##### 1.7.x (more [details](https://docs.traefik.io/v1.7/configuration/entrypoints/#forward-authentication))
``` ```
[frontends.server1] [frontends.server1]
entrypoints = ["https"] entrypoints = ["https"]
@ -25,7 +52,7 @@ Forward Authentication for use with proxies (caddy, nginx, traefik, etc)
[frontends.server1.routes.ext] [frontends.server1.routes.ext]
rule = "Host:<fqdn>" rule = "Host:<fqdn>"
``` ```
##### 2.0 ##### 2.x (more [details](https://docs.traefik.io/middlewares/forwardauth/))
Either whitelist IP's which should be trusted to send `HTTP_X-Forwarded-*` headers, ór enable insecure-mode in your static configuration: Either whitelist IP's which should be trusted to send `HTTP_X-Forwarded-*` headers, ór enable insecure-mode in your static configuration:
``` ```
entryPoints: entryPoints:

View File

@ -9,6 +9,9 @@
if ($validateTokenResult['status'] === "Success") { if ($validateTokenResult['status'] === "Success") {
switch ($_REQUEST['do']) { switch ($_REQUEST['do']) {
case 'mutateusers':
// Do magic!
break;
case 'retrievesessions': case 'retrievesessions':
$storedTokens = []; $storedTokens = [];

View File

@ -10,6 +10,7 @@ jQuery.fn.ConfirmDelete = function() {
'data-translation': 'button_yes', 'data-translation': 'button_yes',
'data-sessionid': sessionID 'data-sessionid': sessionID
}).on('click', function() { }).on('click', function() {
// Move this out of 'ConfirmDelete()'
var pressedButton = $(this); var pressedButton = $(this);
$(pressedButton).prop('disabled', true).css({ $(pressedButton).prop('disabled', true).css({
'background': '#999 url(data:image/gif;base64,R0lGODlhEAAQAPIAAJmZmf///7CwsOPj4////9fX18rKysPDwyH+GkNyZWF0ZWQgd2l0aCBhamF4bG9hZC5pbmZvACH5BAAKAAAAIf8LTkVUU0NBUEUyLjADAQAAACwAAAAAEAAQAAADMwi63P4wyklrE2MIOggZnAdOmGYJRbExwroUmcG2LmDEwnHQLVsYOd2mBzkYDAdKa+dIAAAh+QQACgABACwAAAAAEAAQAAADNAi63P5OjCEgG4QMu7DmikRxQlFUYDEZIGBMRVsaqHwctXXf7WEYB4Ag1xjihkMZsiUkKhIAIfkEAAoAAgAsAAAAABAAEAAAAzYIujIjK8pByJDMlFYvBoVjHA70GU7xSUJhmKtwHPAKzLO9HMaoKwJZ7Rf8AYPDDzKpZBqfvwQAIfkEAAoAAwAsAAAAABAAEAAAAzMIumIlK8oyhpHsnFZfhYumCYUhDAQxRIdhHBGqRoKw0R8DYlJd8z0fMDgsGo/IpHI5TAAAIfkEAAoABAAsAAAAABAAEAAAAzIIunInK0rnZBTwGPNMgQwmdsNgXGJUlIWEuR5oWUIpz8pAEAMe6TwfwyYsGo/IpFKSAAAh+QQACgAFACwAAAAAEAAQAAADMwi6IMKQORfjdOe82p4wGccc4CEuQradylesojEMBgsUc2G7sDX3lQGBMLAJibufbSlKAAAh+QQACgAGACwAAAAAEAAQAAADMgi63P7wCRHZnFVdmgHu2nFwlWCI3WGc3TSWhUFGxTAUkGCbtgENBMJAEJsxgMLWzpEAACH5BAAKAAcALAAAAAAQABAAAAMyCLrc/jDKSatlQtScKdceCAjDII7HcQ4EMTCpyrCuUBjCYRgHVtqlAiB1YhiCnlsRkAAAOwAAAAAAAAAAAA==) no-repeat center', 'background': '#999 url(data:image/gif;base64,R0lGODlhEAAQAPIAAJmZmf///7CwsOPj4////9fX18rKysPDwyH+GkNyZWF0ZWQgd2l0aCBhamF4bG9hZC5pbmZvACH5BAAKAAAAIf8LTkVUU0NBUEUyLjADAQAAACwAAAAAEAAQAAADMwi63P4wyklrE2MIOggZnAdOmGYJRbExwroUmcG2LmDEwnHQLVsYOd2mBzkYDAdKa+dIAAAh+QQACgABACwAAAAAEAAQAAADNAi63P5OjCEgG4QMu7DmikRxQlFUYDEZIGBMRVsaqHwctXXf7WEYB4Ag1xjihkMZsiUkKhIAIfkEAAoAAgAsAAAAABAAEAAAAzYIujIjK8pByJDMlFYvBoVjHA70GU7xSUJhmKtwHPAKzLO9HMaoKwJZ7Rf8AYPDDzKpZBqfvwQAIfkEAAoAAwAsAAAAABAAEAAAAzMIumIlK8oyhpHsnFZfhYumCYUhDAQxRIdhHBGqRoKw0R8DYlJd8z0fMDgsGo/IpHI5TAAAIfkEAAoABAAsAAAAABAAEAAAAzIIunInK0rnZBTwGPNMgQwmdsNgXGJUlIWEuR5oWUIpz8pAEAMe6TwfwyYsGo/IpFKSAAAh+QQACgAFACwAAAAAEAAQAAADMwi6IMKQORfjdOe82p4wGccc4CEuQradylesojEMBgsUc2G7sDX3lQGBMLAJibufbSlKAAAh+QQACgAGACwAAAAAEAAQAAADMgi63P7wCRHZnFVdmgHu2nFwlWCI3WGc3TSWhUFGxTAUkGCbtgENBMJAEJsxgMLWzpEAACH5BAAKAAcALAAAAAAQABAAAAMyCLrc/jDKSatlQtScKdceCAjDII7HcQ4EMTCpyrCuUBjCYRgHVtqlAiB1YhiCnlsRkAAAOwAAAAAAAAAAAA==) no-repeat center',
@ -57,6 +58,7 @@ jQuery.fn.ConfirmDelete = function() {
'data-translation': 'button_no', 'data-translation': 'button_no',
'data-sessionid': sessionID 'data-sessionid': sessionID
}).on('click', function() { }).on('click', function() {
// Move this out of 'ConfirmDelete()'
var pressedButton = $(this); var pressedButton = $(this);
$(pressedButton).closest('td').empty() $(pressedButton).closest('td').empty()
.append( .append(
@ -185,14 +187,15 @@ $(document).ready(function(){
}); });
console.log({'new': newEntries, 'removed': removedEntries}); console.log({'new': newEntries, 'removed': removedEntries});
/*
/* $.get("psworker.php", { $.post("lucidAuth.manage.php", {
do: "mutate", do: "mutateusers",
mutations: {
new: newEntries, new: newEntries,
removed: removedEntries removed: removedEntries
})
.done(function(data,_status) {
} }
})*/ */
}); });
$('#btncancel').click(function() { $('#btncancel').click(function() {