# to run vouch, cd to vouch-proxy directory and docker run --rm -d -p 9090:9090 -v $PWD:/config voucher/vouch-proxy:latest-arm (rpi) # vouch uses the config file in the directory upstream vouch { # set this to location of the vouch proxy server localhost:9090; } server { listen 443 ssl http2; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH; server_name yourdomain; root /var/www/html/public; # HSTS add_header Strict-Transport-Security "max-age=31536000"; ssl_certificate fullchain.pem; ssl_certificate_key privkey.pem; # This location serves all of the paths vouch uses location ~ /(auth|login|logout|static) { proxy_pass http://vouch; proxy_set_header Host $http_host; } location = /validate { # forward the /validate request to Vouch Proxy proxy_pass http://vouch/validate; # be sure to pass the original host header proxy_set_header Host $http_host; # Vouch Proxy only acts on the request headers proxy_pass_request_body off; proxy_set_header Content-Length ""; # optionally add X-Vouch-User as returned by Vouch Proxy along with the request auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # these return values are used by the @error401 call auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt; auth_request_set $auth_resp_err $upstream_http_x_vouch_err; auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount; } # if validate returns `401 not authorized` then forward the request to the error401block error_page 401 = @error401; proxy_cache_valid 302 10m; #only cache this for 10m in case we keep changing the port # to clear it by force in FF, go to your history and right click Forget This location @error401 { # redirect to Vouch Proxy for login return 302 $scheme://$http_host/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err; # you usually *want* to redirect to Vouch running behind the same Nginx config proteced by https # but to get started you can just forward the end user to the port that vouch is running on } # proxy pass authorized requests to your service location /openhab-tesla/ { # send all requests to the `/validate` endpoint for authorization auth_request /validate; # forward authorized requests to your service protectedapp.yourdomain.com proxy_pass http://localhost:8080/; # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810 # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups; # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name; proxy_set_header Host $http_host/openhab-tesla; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # add the real ip of the client proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; # change the normal "start" redirect directly to the basic ui; proxy_redirect http://openhab-tesla/start/index /openhab-tesla/basicui/app; sub_filter_types application/javascript text/xml text/css text/javascript application/json text/plain; sub_filter_once off; sub_filter '/rest/' '/openhab-tesla/rest/'; sub_filter '"/icon/' '"/openhab-tesla/icon/'; sub_filter '"/basicui/' '"/openhab-tesla/basicui/'; sub_filter '"/chart' '"/openhab-tesla/chart'; # set user header (usually an email) proxy_set_header X-Vouch-User $auth_resp_x_vouch_user; # optionally pass any custom claims you are tracking # proxy_set_header X-Vouch-IdP-Claims-Groups $auth_resp_x_vouch_idp_claims_groups; # proxy_set_header X-Vouch-IdP-Claims-Given_Name $auth_resp_x_vouch_idp_claims_given_name; # optionally pass the accesstoken or idtoken # proxy_set_header X-Vouch-IdP-AccessToken $auth_resp_x_vouch_idp_accesstoken; # proxy_set_header X-Vouch-IdP-IdToken $auth_resp_x_vouch_idp_idtoken; } # https://nginx.org/en/docs/http/ngx_http_auth_request_module.html says auth_request may not be combined with auth_basic, # This is because 401 redirects to vouch, and you never get the basic auth form. # However, openhab apps are configured and send the correct auth info without triggering 401, so this works for that case. location /openhab/ { auth_basic "Username and Password Required"; auth_basic_user_file /etc/nginx/passwords/openhab; #htpasswd -c openhab username proxy_pass http://localhost:8080/; proxy_set_header Host $http_host/openhab; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # add the real ip of the client proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; # change the normal "start" redirect directly to the basic ui; proxy_redirect http://openhab/start/index /openhab/basicui/app; sub_filter_types application/javascript text/xml text/css text/javascript application/json text/plain; sub_filter_once off; sub_filter '/rest/' '/openhab/rest/'; sub_filter '"/icon/' '"/openhab/icon/'; sub_filter '"/basicui/' '"/openhab/basicui/'; sub_filter '"/chart' '"/openhab/chart'; } location /.well-known/acme-challenge/ { root /var/www/acme-challenge; } }