Danny Bessems c0ffd0a7ba Enable `secure` for JWT-cookie 2020-06-05 15:09:43 +00:00
include Enable `secure` for JWT-cookie 2020-06-05 15:09:43 +00:00
public Enable `secure` for JWT-cookie 2020-06-05 15:09:43 +00:00
LICENSE.md Periodic merge upstream (#1) 2019-02-28 14:31:10 +00:00
README.md Minor edits and documentation 2020-01-07 15:41:36 +00:00
lucidAuth.config.php.example Added initial config for TOTP; for use with the Spomky-Labs/otphp class 2019-08-20 11:48:40 +00:00

README.md

lucidAuth

Respect the unexpected, mitigate your risks

Forward Authentication for use with load balancers/proxies/webservers (Apache, Caddy, Lighttpd, NGINX, Traefik, etc)

Usage

  • Create a new folder, navigate to it in a command prompt and run the following command:
    git clone https://code.spamasaurus.com/djpbessems/lucidAuth.git

  • Edit include/lucidAuth.config.php.example to reflect your configuration and save as include/lucidAuth.config.php

  • Create a new website (within any PHP-capable webserver) and make sure that the document root points to the public folder

  • Check if you are able to browse to https://<fqdn>/lucidAuth.login.php (where <fqdn> is the actual domain -or IP address- your webserver is listening on)

  • Edit your webserver's/proxy's configuration to use the new website for forward authentication:

    • in Apache (Soon™)

    • in Caddy (Never, due to lacking functionality)

    • in Lighttpd (Soon™)

    • in NGINX

    Add the following lines (adjust to reflect your existing configuration - more details):

    http {
      #...
      server {
        #...
        location /private/ {
          auth_request     /auth;
          auth_request_set $auth_status $upstream_status;
        }

        location = /auth {
          internal;
          proxy_pass              https://<fqdn>/lucidAuth.validateRequest.php;
          proxy_pass_request_body off;
          proxy_set_header        Content-Length "";
          proxy_set_header        X-Original-URI $request_uri;
        }
      }
    }
    
    • in Traefik

    Add the following lines (change to reflect your existing configuration):

1.7.x (more details)

[frontends.server1]
  entrypoints = ["https"]
  backend = "server1"
  [frontends.server1.auth.forward]
    address = "https://<fqdn>/lucidAuth.validateRequest.php"
  [frontends.server1.routes]
    [frontends.server1.routes.ext]
      rule = "Host:<fqdn>"

2.x (more details)

Either whitelist the IPs that should be trusted to send HTTP_X-Forwarded-* headers, or enable insecure mode in your static configuration:

entryPoints:
  https:
    address: :443
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "192.168.1.0/24"
#     insecure: true

Define a middleware that tells Traefik to forward requests for authentication in your dynamic file provider:

# Traefik 2.x dynamic configuration keeps HTTP middlewares under the top-level "http" key
http:
  middlewares:
    ldap-authentication:
      forwardAuth:
        address: "https://<fqdn>/lucidAuth.validateRequest.php"
        trustForwardHeader: true
And finally add the new middleware to your service (different methods; this depends on your configuration):

# as a label (when using Docker provider)
traefik.http.routers.router1.middlewares: "ldap-authentication@file"
# as yaml (when using file provider)
routers:
  router1:
    middlewares:
      - "ldap-authentication"

  • Important!

    The domain name of the website created in step 3 needs to match the domain name (ignoring subdomains, if any) of the resource using this authentication proxy.
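
The Traefik 2.x forwardedHeaders choice above (trustedIPs versus insecure) decides which peers may supply X-Forwarded-* headers that reach lucidAuth. The following is an added example, not part of lucidAuth or Traefik: a simplified Python model of that decision plus a small audit of the setting. The function names, the max_hosts threshold and the sample dictionary are assumptions made for illustration.

```python
import ipaddress

# Constructed sample mirroring the entryPoints block in this README
# (a plain dict, not read from a real Traefik configuration file).
ENTRYPOINT = {"forwardedHeaders": {"trustedIPs": ["127.0.0.1/32", "192.168.1.0/24"]}}


def trusts_forwarded(entrypoint, remote_ip):
    """True if X-Forwarded-* headers sent by this peer would be kept."""
    fh = entrypoint.get("forwardedHeaders", {})
    if fh.get("insecure", False):
        return True  # insecure mode: every client is trusted
    peer = ipaddress.ip_address(remote_ip)
    for cidr in fh.get("trustedIPs", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if peer.version == net.version and peer in net:
            return True
    return False


def effective_headers(entrypoint, remote_ip, headers):
    """Drop client-supplied X-Forwarded-* headers unless the peer is trusted."""
    if trusts_forwarded(entrypoint, remote_ip):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if not k.lower().startswith("x-forwarded-")}


def audit(entrypoint, max_hosts=65536):
    """Report settings that trust more peers than intended.

    max_hosts is an arbitrary illustrative threshold, not a Traefik option.
    """
    fh = entrypoint.get("forwardedHeaders", {})
    findings = []
    if fh.get("insecure", False):
        findings.append("insecure: true trusts X-Forwarded-* from any client")
    for cidr in fh.get("trustedIPs", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.num_addresses > max_hosts:
            findings.append(f"trustedIPs entry {cidr} covers {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    print(audit(ENTRYPOINT))
    print(effective_headers(ENTRYPOINT, "203.0.113.7",
                            {"Host": "app.example.com", "X-Forwarded-Host": "other.example"}))
```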

Questions or bugs

Feel free to open issues in this repository.