yii2-webserver-auth/example/nginx/conf.d/auth.conf at master · marty-macfly/yii2-webserver-auth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
server {
    listen       80;
    server_name  _;

    location / {
        # Every-one can access to the root of our site
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    location /user {
        # Define permission level need to access that location,
        # in that location we don't require any specific permission
        # so we let permission empty.
        set $permission '';
        # Do we use the sso mode ('false' you will be prompt for login
        # (x-sso-token) and password (your user token), 'true' you will
        # be redirect on your yii site to login (keep in mind that sso
        # will only work if your yii site and your nginx site share the same
        # parent domain for cookie access).
        set $sso 'false';

        satisfy      any;
        auth_basic   "Authentication Required";
        auth_basic_user_file /dev/null;
        auth_request /auth;

        error_page 401 = @error401;
        error_page 403 = @error403;
    }

    location /permission {
        # Only user with 'test' permission can access that location.
        # If you don't have that permission you will add 401 indefinitely.
        set $permission 'test';
        set $sso 'false';

        satisfy      any;
        auth_basic   "Authentication Required";
        auth_basic_user_file /dev/null;
        auth_request /auth;

        error_page 401 = @error401;
        error_page 403 = @error403;
    }

    location /user-sso {
        # That location don't require any specific permission
        set $permission '';
        # Use sso
        set $sso 'true';

        auth_request /auth;

        error_page 401 = @error401;
        error_page 403 = @error403;
    }

    location /permission-sso {
        # Only user with 'test' permission can access that location.
        set $permission 'test';
        # Use sso
        set $sso 'true';

        auth_request /auth;

        error_page 401 = @error401;
        error_page 403 = @error403;
    }

    location @error401 {
        # We've got 401 so x-sso-token should certainly be expire so remove it. To force having a new one.
        add_header Set-Cookie 'x-sso-token=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; domain=lbn.fr; path=/; HttpOnly';

        # If sso 'false' send login and password prompt to browser.
        if ($sso = 'false') {
            return 401;
        }

        # If request is made from a browser redirect to the login page of our Yii site if sso 'true'
        if ($http_accept ~* "(text/html)|(application/xhtml+xml)") {
            # If you want the user to come back here after successful login add
            # the following query string "?return_url=http://127.0.0.1:8888"
            return 302 http://127.0.0.1:8080/site/login?return_url=${scheme}://${http_host}${request_uri};
            # If you don't want the user to be redirect back just remove
            # the query string
            # return 302 http://127.0.0.1:8080/site/login;
        }

        # If request is made from a cli or a robot display a simple message
        return 401 "Unauthorized: You didn't provide the authentication token";
    }

    location @error403 {
        # If request is made from a browser display an html page
        # saying user doesn't have enough right to access the location
        if ($http_accept ~* "(text/html)|(application/xhtml+xml)") {
            return 403;
        }

        # If request is made from a cli or a robot display a simple message
        return 403 "Forbidden: You don't have permissions to access that resource";
    }

    location = /auth {
        internal;

        # The rewrite is used to list the authorization the user required to
        #  access the location. You can also use the following :
        # /htaccess/auth any logged in user can access the location
        # /htaccess/auth?permission=reader any user which have 'read' permission
        # can access the location
        # /htaccess/auth?permission[]=reader&permission[]=moderator any user which have 'read'
        # or 'moderator' permission can access the location

        # In that example we use a variable to be able to define different permission
        # for different location without need to re-declare the internal location.
        rewrite ^(.*)$ /htaccess/auth?permission=${permission}? break;

        proxy_pass                      http://yii:8080;
        proxy_pass_request_headers      on;
        proxy_set_header                X-Real-IP $remote_addr;
        proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;

        # Don't forward useless data
        proxy_pass_request_body         off;
        proxy_set_header Content-Length "";
    }
}