Navidrome header authentication
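version: "3"
services:
  server:
    # NOTE(review): `latest` is a mutable tag. This container is the OIDC
    # identity provider for everything else on this page, so pin an explicit
    # Gitea version (ideally a digest) rather than whatever `latest` resolves to.
    image: gitea/gitea:latest
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
    volumes:
      - ./data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      # Gitea's HTTP port is published on loopback only. The OIDC endpoints are
      # addressed as https://auth.example.com in the vouch `oauth` section, and
      # this container does not terminate TLS itself, so a proxy in front of it
      # is implied; port 3000 should not also be reachable unauthenticated over
      # plain HTTP from the network. Drop the "127.0.0.1:" prefix only if
      # clients genuinely must hit 3000 directly.
      - "127.0.0.1:3000:3000"
      # SSH stays network-reachable. Quoted so a YAML 1.1 parser cannot read an
      # unquoted host:container pair as a sexagesimal integer.
      - "222:22"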
# Header-testing vhost ONLY. There is no auth_request in front of this
# location: every request is proxied to Navidrome carrying the fixed username
# "Kevin", so anyone who can reach port 80 on this host gets that account.
# Use it to confirm that Navidrome honours the header, then discard it.
server {
    listen 80;
    server_name music.example.com;

    # No upload size cap; request bodies are spooled under /srv/tmp.
    client_max_body_size 0;
    client_body_temp_path /srv/tmp;

    location / {
        # Constant standing in for the value vouch would normally supply.
        auth_request_set $pusername Kevin;

        # To see exactly what the upstream receives, point proxy_pass at a
        # header-echo service (e.g. :8888) instead of Navidrome.
        #proxy_pass http://127.0.0.1:8888;
        proxy_pass http://127.0.0.1:4533;

        # proxy_set_header replaces any client-supplied copy of this header,
        # so the upstream only ever sees the value chosen here.
        proxy_set_header x-vouch-my-magic-header $pusername;
        proxy_pass_request_headers on;
    }
}
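version: "3"
services:
  navidrome1:
    # NOTE(review): an untagged image resolves to `latest`; pin a version tag.
    image: deluan/navidrome
    ports:
      # Published on loopback only. Navidrome trusts ND_REVERSEPROXYUSERHEADER
      # from any source address matching ND_REVERSEPROXYWHITELIST, so the port
      # must be reachable only through nginx (which proxies to 127.0.0.1:4533).
      # The original "4533:4533" together with a 0.0.0.0/0 whitelist let anyone
      # on the network log in as any user simply by sending the header.
      - "127.0.0.1:4533:4533"
    environment:
      # Options used by this deployment (consult the Navidrome docs for
      # each option's default; the reverse-proxy ones below are not defaults).
      ND_MUSICFOLDER: /music
      ND_DATAFOLDER: /data
      ND_SCANSCHEDULE: '@every 1m'
      ND_LOGLEVEL: info
      # Quoted: environment values are strings, not integers.
      ND_PORT: "4533"
      ND_TRANSCODINGCACHESIZE: 100MB
      ND_SESSIONTIMEOUT: 30m
      ND_BASEURL: ""
      # Request header whose value is taken as the already-authenticated
      # username; nginx sets it from the vouch preferred_username claim.
      ND_REVERSEPROXYUSERHEADER: "x-vouch-my-magic-header"
      # Only connections from these addresses may assert a username via the
      # header above — never 0.0.0.0/0. It must be the address Navidrome *sees*
      # nginx connect from: when Docker publishes the port, that is typically
      # the bridge gateway (e.g. 172.17.0.1) rather than 127.0.0.1. If logins
      # are rejected after this change, take the source address from
      # Navidrome's log and narrow the entry to that /32.
      ND_REVERSEPROXYWHITELIST: "127.0.0.1/32"
    volumes:
      - "./data:/data"
      - "~/music:/music:ro"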
# Production vhost: every request to music.example.com is first validated by
# vouch-proxy via auth_request; on success the preferred_username claim is
# forwarded to Navidrome in the header it trusts, on 401 the browser is sent
# to the vouch login page.
#
# NOTE(review): this server only listens on plain HTTP (port 80), while the
# vouch cookie is configured with `secure: true`. Browsers will not send a
# Secure cookie to an http:// origin, so unless TLS is terminated in front of
# nginx every request here will 401 and loop back to /login. Serve this vhost
# over HTTPS (or confirm an upstream TLS terminator) before relying on it.
server {
    listen 80;
    server_name music.example.com;

    # Every location in this server is gated by the /validate subrequest.
    auth_request /validate;

    client_max_body_size 0;
    client_body_temp_path /srv/tmp;

    # Internal subrequest target: forwards request headers only (no body) to
    # vouch, which may also sit behind this same nginx instance.
    location = /validate {
        proxy_pass http://127.0.0.1:9090/validate;
        proxy_set_header Host $http_host;

        # vouch decides on headers alone, so the body is not sent.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Copy vouch's response headers into variables for use below.
        # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_name;
        auth_request_set $pusername $upstream_http_x_vouch_idp_claims_preferred_username;
        auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
    }

    # A 401 from /validate is turned into a redirect to the vouch login page.
    error_page 401 = @error401;

    location @error401 {
        # NOTE(review): this redirect (taken from the vouch-proxy example)
        # places the session JWT and the attacker-influenced $http_host in the
        # query string, where they can end up in proxy/IdP logs and Referer
        # headers. Since cookie.domain already covers vouch.example.com, confirm
        # whether the X-Vouch-Token parameter is still needed here.
        return 302 https://vouch.example.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    location / {
        # Username vouch extracted from the IdP's preferred_username claim.
        auth_request_set $pusername $upstream_http_x_vouch_idp_claims_preferred_username;
        # Test-only override (hardcodes a user); keep commented out.
        # auth_request_set $pusername Kevin;

        # Swap in a header-echo upstream (e.g. :8888) to inspect the headers
        # Navidrome would receive.
        #proxy_pass http://127.0.0.1:8888;
        proxy_pass http://127.0.0.1:4533;

        # proxy_set_header overwrites any client-supplied copy of this header,
        # so only the vouch-derived username reaches Navidrome.
        proxy_set_header x-vouch-my-magic-header $pusername;
        proxy_pass_request_headers on;
    }
}
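vouch:
  logLevel: info
  testing: false
  # Debug settings; `testing: true` changes how vouch handles redirects, so
  # never leave it on in a deployed instance.
  #logLevel: debug
  #testing: true
  listen: 0.0.0.0
  port: 9090
  # Every account the IdP (Gitea) authenticates is accepted. If Gitea allows
  # self-registration, anyone can register and obtain a Navidrome login;
  # restrict with vouch's whiteList/team options if that is not intended.
  allowAllUsers: true
  publicAccess: false
  jwt:
    # Placeholders are quoted: an unquoted `{SECRET}` is parsed by YAML as a
    # flow mapping, not a string. Keep real secrets out of committed config.
    secret: "{SECRET}"
    issuer: Vouch
    # number of minutes until jwt expires
    maxAge: 240
    # compress the jwt
    compress: true
  cookie:
    # name of cookie to store the jwt
    name: KevinCookieDomain
    # The JWT cookie is sent to *every* host under example.com, so any
    # application on any subdomain receives the session token.
    domain: example.com
    # Browsers only send a Secure cookie over HTTPS: the protected vhosts
    # (the nginx blocks here listen on port 80) must be reached via TLS.
    secure: true
    httpOnly: true
    # Set cookie maxAge to 0 to delete the cookie every time the browser is closed.
    maxAge: 240
  session:
    # name of session variable stored locally
    name: VouchSessionDomain
    key: "{KEY}"
  headers:
    jwt: X-Vouch-Token
    querystring: access_token
    redirect: X-Vouch-Requested-URI
    # Claims vouch forwards as X-Vouch-IdP-Claims-<Claim> response headers.
    # The nginx config reads $upstream_http_x_vouch_idp_claims_preferred_username
    # to fill Navidrome's user header, so preferred_username must be listed;
    # otherwise that header is never emitted and $pusername stays empty.
    claims:
      - groups
      - given_name
      - preferred_username
  #db:
  #  file: data/vouch_bolt.db
  test_url: http://example.com

# Gitea = auth.example.com
oauth:
  provider: oidc
  # Quoted placeholders (see jwt.secret above); the real values belong in a
  # secret store or environment, not in this file.
  client_id: "{secret}"
  client_secret: "{secret}"
  auth_url: https://auth.example.com/login/oauth/authorize
  token_url: https://auth.example.com/login/oauth/access_token
  user_info_url: https://auth.example.com/login/oauth/userinfo
  scopes:
    - openid
    - email
    - profile
  callback_url: https://vouch.example.com/auth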
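version: '3.0'
services:
  vouch1:
    container_name: vouch_domain
    # NOTE(review): an untagged image resolves to `latest`; pin a version tag.
    image: voucher/vouch-proxy
    ports:
      # nginx reaches vouch at 127.0.0.1:9090 for /validate. If the
      # vouch.example.com login/callback endpoints are also served through
      # nginx, publish on loopback only ("127.0.0.1:9090:9090") so the
      # container is not exposed directly. Quoted so YAML cannot mis-type the
      # host:container pair as a number.
      - "9090:9090"
    volumes:
      - './config1:/config'
      - './data1:/data'
    restart: unless-stopped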