own auth

2026-01-29 00:51:53 +08:00 · 2018-12-15 04:29:40 +03:00
parent 3445766a50
commit 3c33bd3719
74 changed files with 388 additions and 136 deletions
--- a/configs/nginx/nginx.conf
+++ b/configs/nginx/nginx.conf
@@ -1,5 +1,3 @@
-load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
-
 user http;
 worker_processes 4;

@@ -28,6 +26,7 @@ http {
 	tcp_nodelay on;
 	tcp_nopush on;
 	keepalive_timeout 10;
+	client_max_body_size 4k;

 	client_body_temp_path	/tmp/nginx.client_body_temp;
 	fastcgi_temp_path		/tmp/nginx.fastcgi_temp;
@@ -45,11 +44,6 @@ http {

 	include /usr/share/kvmd/extras/*/nginx.http-ctx.conf;

-#PROD	lua_shared_dict WS_TOKENS 10m;
-#PROD	init_by_lua_block {
-#PROD		WS_TOKEN_EXPIRES = 10;
-#PROD	}
-
 #PROD	server {
 #PROD		listen 80;
 #PROD		server_name localhost;
@@ -67,34 +61,47 @@ http {

 #PROD		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

-#PROD		auth_basic "Restricted Area";
-#PROD		auth_basic_user_file /etc/nginx/htpasswd;
+		auth_request /auth;
+
+		location = /auth {
+			internal;
+			proxy_pass http://kvmd/auth/check;
+			proxy_pass_request_body off;
+			proxy_set_header Content-Length "";
+			auth_request off;
+		}

 		location / {
 			root /usr/share/kvmd/web;
+			error_page 401 = @login;
+			error_page 403 = @login;
 		}

-		location /ws_auth {
-			# Workaround for Safari: https://bugs.webkit.org/show_bug.cgi?id=80362
-#PROD			access_by_lua_block {
-#PROD				local token = ngx.encode_base64(ngx.sha1_bin(ngx.var.http_Authorization));
-#PROD				ngx.shared.WS_TOKENS:set(token, token, WS_TOKEN_EXPIRES);
-#PROD				ngx.header["Set-Cookie"] = "WS_ACCESS_TOKEN=" .. token .. "; Path=/; Expires=" .. ngx.cookie_time(ngx.time() + WS_TOKEN_EXPIRES);
-#PROD			}
-			content_by_lua_block {
-				ngx.say("ok");
-			}
+		location @login {
+			return 302 /login;
+		}
+
+		location /login {
+			root /usr/share/kvmd/web;
+			auth_request off;
+		}
+
+		location /share {
+			root /usr/share/kvmd/web;
+			auth_request off;
+		}
+
+		location = /favicon.ico {
+			alias /usr/share/kvmd/web/favicon.ico;
+			auth_request off;
+		}
+
+		location = /robots.txt {
+			alias /usr/share/kvmd/web/robots.txt;
+			auth_request off;
 		}

 		location /kvmd/ws {
-#PROD			auth_basic off;
-#PROD			access_by_lua_block {
-#PROD				local token = ngx.var.cookie_WS_ACCESS_TOKEN;
-#PROD				local value, _ = ngx.shared.WS_TOKENS:get(token);
-#PROD				if value == nil then
-#PROD					ngx.exec("/ws_auth");
-#PROD				end
-#PROD			}
 			rewrite ^/kvmd/ws$ /ws break;
 			rewrite ^/kvmd/ws\?(.*)$ /ws?$1 break;
 			proxy_pass http://kvmd;
@@ -104,6 +111,7 @@ http {
 			proxy_connect_timeout 7d;
 			proxy_send_timeout 7d;
 			proxy_read_timeout 7d;
+			auth_request off;
 		}

 		location /kvmd/msd/write {
@@ -115,6 +123,7 @@ http {
 			limit_rate_after 50k;
 			client_max_body_size 0;
 			proxy_request_buffering off;
+			auth_request off;
 		}

 		location /kvmd/log {
@@ -126,6 +135,7 @@ http {
 			postpone_output 0;
 			proxy_buffering off;
 			proxy_ignore_headers X-Accel-Buffering;
+			auth_request off;
 		}

 		location /kvmd {
@@ -133,6 +143,7 @@ http {
 			rewrite ^/kvmd/(.*)$ /$1 break;
 			proxy_pass http://kvmd;
 			include /etc/nginx/proxy-params.conf;
+			auth_request off;
 		}

 		location /streamer {