Netbox LetsEncrypt and SSO with OpenResty

_01.md

Netbox LetsEncrypt and SSO with OpenResty

sudo apt-get -y install --no-install-recommends wget gnupg ca-certificates
wget -O - https://openresty.org/package/pubkey.gpg | sudo apt-key add -

echo "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main" \
    | sudo tee /etc/apt/sources.list.d/openresty.list

sudo apt-get update

sudo apt-get -y install openresty
sudo apt -y install luarocks

sudo luarocks install lua-resty-auto-ssl
sudo mkdir /etc/resty-auto-ssl
sudo chown www-data /etc/resty-auto-ssl

sudo opm install zmartzone/lua-resty-openidc

auth.conf

set $session_cipher none;                 # don't need to encrypt the session content, it's an opaque identifier
set $session_storage shm;                 # use shared memory
set $session_cookie_persistent on;        # persist cookie between browser sessions
set $session_cookie_renew      3600;      # new cookie every hour
set $session_cookie_lifetime   86400;     # lifetime for persistent cookies
set $session_name              sess_auth; # name of the cookie to store the session identifier in

set $session_shm_store         sessions;  # name of the dict to store sessions in
# See https://github.com/bungle/lua-resty-session#shared-dictionary-storage-adapter for the following options
set $session_shm_uselocking    off;
set $session_shm_lock_exptime  3;
set $session_shm_lock_timeout  2;
set $session_shm_lock_step     0.001;
set $session_shm_lock_ratio    1;
set $session_shm_lock_max_step 0.5;


access_by_lua_block {
  local opts = {
    discovery = "https://dev-xxxxxxxxxx.okta.com/oauth2/default/.well-known/oauth-authorization-server",
    -- Create an application with your OIDC provider and use the returned client ID and secret here
    client_id = "CLIENT_ID",
    client_secret = "CLIENT_SECRET",
    redirect_uri_path = "/auth",
    redirect_uri_scheme = "https",
    logout_path = "/logout",
    -- Scopes to request; group contains group memberships, offline_access gives us a refresh token
    scope = "openid email profile offline_access",
    redirect_after_logout_uri = "https://dev-xxxxxxxxxx.okta.com/oauth2/default/v1/logout",
    redirect_after_logout_with_id_token_hint = false,
    renew_access_token_on_expiry = true,
    access_token_expires_leeway = 60,
    -- Storing the access token also includes the refresh token letting the server transparently
    -- renew the session
    session_contents = {id_token=true, access_token=true},
    ssl_verify = "no"
  }


  -- call authenticate for OpenID Connect user authentication
  local res, err = require("resty.openidc").authenticate(opts)
          if err then
            ngx.status = 500
            ngx.say(err)
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
          end

  -- set data from the ID token as HTTP Request headers
  ngx.req.set_header("X-Auth-Audience", res.id_token.aud)
  ngx.req.set_header("X-Auth-Email", res.id_token.email)
  ngx.req.set_header("X-Auth-ExpiresIn", res.id_token.exp)
  ngx.req.set_header("X-Auth-Groups", res.id_token.groups)
  ngx.req.set_header("X-Auth-Name", res.id_token.name)
  ngx.req.set_header("X-Auth-Subject", res.id_token.sub)
  ngx.req.set_header("X-Auth-Userid", res.id_token.preferred_username)
  ngx.req.set_header("X-Remote-User", res.id_token.preferred_username)

nginx.conf

user  www-data;
worker_processes  auto;

error_log  /var/log/error.log;
error_log  /var/log/error.log  notice;
error_log  /var/log/error.log  info;

pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
    use epoll;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/access.log  main;

    sendfile        on;
    tcp_nopush     on;

    keepalive_timeout  65;

    gzip  on;
    gzip_http_version 1.1;
    gzip_proxied any;
    gzip_buffers 16 8k;
    gzip_vary on;
    gzip_disable msie6;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;

    reset_timedout_connection on;

    client_body_timeout 10;

    send_timeout 2;
    server_tokens off;

    lua_package_path '~/lua/?.lua;;';
    lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    lua_ssl_verify_depth 5;
    lua_shared_dict discovery 1m;
    lua_shared_dict jwks 1m;

    lua_shared_dict sessions 10m;
    lua_shared_dict auto_ssl 1m;
    lua_shared_dict auto_ssl_settings 64k;

    init_by_lua_block {
        auto_ssl = (require "resty.auto-ssl").new()

        auto_ssl:set("allow_domain", function(domain)
            return true
        end)

        auto_ssl:init()
    }

    init_worker_by_lua_block {
        auto_ssl:init_worker()
    }

    server {
        listen       80 default_server;
        server_name  _;

        location / {
            return 301 https://$host$request_uri;
        }

        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                auto_ssl:challenge_server()
            }
        }
    }
    server {
        listen 127.0.0.1:8999;
        client_body_buffer_size 128k;
        client_max_body_size 128k;

        location / {
            content_by_lua_block {
                auto_ssl:hook_server()
            }
        }
    }

    server {
        listen 443 ssl http2;
        server_name <FQDN>;

        ssl_certificate_by_lua_block {
            auto_ssl:ssl_certificate()
        }

        ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
        ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
        include ssl.conf;

        location /static/ {
            alias /opt/netbox/netbox/static/;
        }

        location /api {
            proxy_pass http://127.0.0.1:8001;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location / {
            include auth.conf;
            proxy_pass http://127.0.0.1:8001;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

ssl.conf

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;


ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;

add_header Strict-Transport-Security "max-age=63072000" always;

ssl_stapling on;
ssl_stapling_verify on;

resolver 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
resolver_timeout 5s;