Refactor

Dockerfile

@@ -1,30 +1,39 @@
-FROM openresty/openresty:1.25.3.1-alpine-fat
+FROM openresty/openresty:1.25.3.2-alpine-fat
 
-RUN luarocks install lua-resty-openidc
-RUN luarocks install lua-resty-template
+RUN luarocks install lua-resty-http 0.17.2
+RUN luarocks install lua-resty-session 4.0.5
+RUN luarocks install lua-resty-jwt 0.2.3
+RUN luarocks install lua-resty-openidc 1.8.0
+RUN luarocks install lua-resty-template 2.0
 
-COPY conf/ /usr/local/openresty/nginx/conf/
-COPY lua/ /etc/ipax/lua/
+COPY conf /var/ipax/conf/
+COPY lua /var/ipax/lua/
 COPY html /var/ipax/html
 COPY templates /var/ipax/templates
 
 ENV NGINX_LOG_LEVEL=warn \
     NGINX_RESOLVER=8.8.8.8 \
-    SESSION_SECRET="ipax_default_secret" \
-    SESSION_COOKIE_PERSISTENT=off \
-    SESSION_COOKIE_LIFETIME=86400 \
-    SESSION_COOKIE_SAMESITE="Lax" \
     OIDC_DISCOVERY="" \
     OIDC_SSL_VERIFY="yes" \
     OIDC_CLIENT_ID="" \
-    OIDC_USE_PKCE=false \
+    OIDC_USE_PKCE="false" \
     OIDC_CLIENT_SECRET="" \
     OIDC_SCOPE="openid profile" \
     OIDC_REDIRECT_URI="/private/redirect_uri" \
-    OIDC_LOGOUT_URI="/private/logout" \
-    OIDC_POST_LOGOUT_REDIRECT_URI="/auth" \
+    OIDC_LOGOUT_PATH="/private/logout" \
+    OIDC_POST_LOGOUT_REDIRECT_URI="/logoutSuccess.html" \
     OIDC_PROMPT="" \
     OIDC_ACR_VALUES="" \
+    SESSION_COOKIE_SAME_SITE="Lax" \
+    SESSION_COOKIE_SECURE="false" \
+    SESSION_IDLING_TIMEOUT="86400" \
+    SESSION_REMEMBER="false" \
+    SESSION_SECRET="ipax_default_secret" \
+    IPAX_APP_NAME="ipax" \
+    IPAX_DISPLAY_NAME="IPAx" \
+    IPAX_BASE_URL="http://localhost" \
+    IPAX_MODE="demoapp" \
+    API_BASE_URL="" \
     KC_DELETE_ACCOUNT_ACTION="" \
     KC_DELETE_ACCOUNT_LABEL="Delete account" \
     KC_UPDATE_EMAIL_ACTION="" \
@@ -33,9 +42,16 @@ ENV NGINX_LOG_LEVEL=warn \
     KC_UPDATE_PASSWORD_LABEL="Update password" \
     KC_ENROL_BIOMETRICS_ACTION="" \
     KC_ENROL_BIOMETRICS_LABEL="Enrol biometrics" \
-    IPAX_APP_NAME="IPAx" \
-    API_BASEURL=""
+    KC_ADD_PASSKEY_ACTION="" \
+    KC_ADD_PASSKEY_LABEL="Add Passkey" \
+    LUA_SHARED_DICT_PATH="/var/ipax/conf/lua_shared_dict" \
+    DEMOAPPS_VARIABLES_CONFIG_PATH="/var/ipax/conf/demoapps" \
+    DEMOAPPS_CONFIG_PATH="/var/ipax/conf/location_conf.d"
 
 WORKDIR /usr/local/openresty/nginx
 
-CMD ["sh", "-c", "envsubst < conf/nginx.conf.template > conf/nginx.conf && /usr/local/openresty/bin/openresty -g 'daemon off;'"]
+# HEALTHCHECK --interval=60s --timeout=1s --start-period=5s --retries=3 CMD [ "curl", "-f", "http://localhost/ipax/health" ]
+
+CMD [ ]
+COPY entrypoint.sh /entrypoint.sh
+ENTRYPOINT [ "/bin/bash", "/entrypoint.sh" ]

README.md

@@ -1,56 +1,14 @@
 # IPAx
 Identity-aware proxy based on NGINX, OpenResty and [lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc).
 
-## IDP
-Create an OpenID Connect Client in your IDP using the following information:
-- Client Name: IPAx
-- Scopes: profile, openid
-- Grant Types: authorization_code
-- Redirect URIs: Include values like: "https://myapp.identicum.com/private/redirect_uri" (suffix is handled by `lua-resty-openidc`, can be adjusted using the `OIDC_REDIRECT_URI` environment variable)
+## Execution mode
+IPAx can be used as:
 
-## Configuration files
-Samples are provided in the [conf.samples](./conf.samples/) folder.
-Customize your files and put them into your local `./conf.d/` directory.
+### proxy
 
-## Run the container
+### demoapp (single)
 
-Run the image, mounting a local directory for configuration:
+### demoapps (multi)
 
-```sh
-docker run  -d \
-    -p 80:80 \
-    -e OIDC_DISCOVERY="https://idp.identicum.com/.well-known/openid-configuration" \
-    -e OIDC_CLIENT_ID="my_client_id" \
-    -e OIDC_CLIENT_SECRET="my_client_secret" \
-    -e OIDC_SCOPE="openid profile" \
-    -e OIDC_REDIRECT_URI="/private/redirect_uri" \
-    -e OIDC_SESSION_SECRET="some_uuid_secret" \
-    -e OIDC_POST_LOGOUT_REDIRECT_URI="https://myapp.identicum.com/logoutSuccess.html" \
-    -e OIDC_ACR_VALUES="loa-3" \
-    -v $(pwd)/conf.d/:/etc/ipax/conf.d/:ro \
-    ghcr.io/identicum/ipax:latest
-```
 
 > To use PKCE, remove `OIDC_CLIENT_SECRET` and add `OIDC_USE_PKCE` with value "true"
-
-## Certificates (optional)
-Issue as many certificates as necessary to be used in your reverse proxy.
-IPAx supports [wildcard certificates](https://en.wikipedia.org/wiki/Wildcard_certificate) and [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication).
-
-If you want to use HTTPS, add mapping for port 443 and mount volume `./certs/` as /etc/ipax/certs/
-
-### Self-signed certificate
-To test using a self-signed certificate, run the following command (replace with your domain):
-```sh
-openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout wildcard_identicum_com.key -out wildcard_identicum_com.cer
-```
-
-    Country Name (2 letter code) [XX]: `AR`
-    State or Province Name (full name) []: `CABA`
-    Locality Name (eg, city) [Default City]: `Buenos Aires`
-    Organization Name (eg, company) [Default Company Ltd]: `Identicum`
-    Organizational Unit Name (eg, section) []: ` `
-    Common Name (eg, your name or your server hostname) []: `*.identicum.com`
-    Email Address []: `no-reply@identicum.com`
-
-Put the generated certificate files into your local `./certs/` directory.

VARIABLES.md

@@ -0,0 +1,36 @@
+# Variables
+
+| Environment                   | nginx variable                | lua_resty_openidc variable         | Description                   |
+|-------------------------------|-------------------------------|------------------------------------|-------------------------------|
+| NGINX_RESOLVER                |                               |                                    |                               |
+| NGINX_LOG_LEVEL               |                               |                                    |                               |
+| OIDC_DISCOVERY                | oidc_discovery                | oidc_opts.discovery                | OIDC discovery URL            |
+| OIDC_SSL_VERIFY               | oidc_ssl_verify               | oidc_opts.ssl_verify               |                               |
+| OIDC_CLIENT_ID                | oidc_client_id                | oidc_opts.client_id                |                               |
+| OIDC_USE_PKCE                 | oidc_use_pkce                 | oidc_opts.use_pkce                 |                               |
+| OIDC_CLIENT_SECRET            | oidc_client_secret            | oidc_opts.client_secret            |                               |
+| OIDC_SCOPE                    | oidc_scope                    | oidc_opts.scope                    |                               |
+| OIDC_REDIRECT_URI             | oidc_redirect_uri             | oidc_opts.redirect_uri             |                               |
+| OIDC_LOGOUT_PATH              | oidc_logout_path              | oidc_opts.logout_path              |                               |
+| OIDC_POST_LOGOUT_REDIRECT_URI | oidc_post_logout_redirect_uri | oidc_opts.post_logout_redirect_uri |                               |
+| OIDC_PROMPT                   | oidc_prompt                   | oidc_opts.prompt                   |                               |
+| OIDC_ACR_VALUES               | oidc_acr_values               | oidc_opts.authorization_params     |                               |
+| SESSION_COOKIE_SAME_SITE      | session_cookie_same_site      | session_opts.cookie_same_site      | Lax / Strict / None / Default |
+| SESSION_COOKIE_SECURE         | session_cookie_secure         | session_opts.cookie_secure         |                               |
+| SESSION_IDLING_TIMEOUT        | session_idling_timeout        | session_opts.idling_timeout        |                               |
+| SESSION_REMEMBER              | session_remember              | session_opts.remember              |                               |
+| SESSION_SECRET                | session_secret                | session_opts.secret                |                               |
+| IPAX_APP_NAME                 | ipax_app_name                 |                                    |                               |
+| IPAX_DISPLAY_NAME             | ipax_display_name             |                                    |                               |
+| IPAX_BASE_URL                 | ipax_base_url                 |                                    |                               |
+| API_BASE_URL                  | api_base_url                  |                                    |                               |
+| KC_DELETE_ACCOUNT_ACTION      | kc_delete_account_action      |                                    |                               |
+| KC_DELETE_ACCOUNT_LABEL       |                               |                                    |                               |
+| KC_UPDATE_EMAIL_ACTION        |                               |                                    |                               |
+| KC_UPDATE_EMAIL_LABEL         |                               |                                    |                               |
+| KC_UPDATE_PASSWORD_ACTION     |                               |                                    |                               |
+| KC_UPDATE_PASSWORD_LABEL      |                               |                                    |                               |
+| KC_ENROL_BIOMETRICS_ACTION    |                               |                                    |                               |
+| KC_ENROL_BIOMETRICS_LABEL     |                               |                                    |                               |
+| KC_ADD_PASSKEY_ACTION         | kc_add_passkey_action         |                                    |                               |
+| KC_ADD_PASSKEY_LABEL          | kc_add_passkey_label          |                                    |                               |

conf/conf.d/.gitignore

@@ -0,0 +1 @@
+/*.conf

conf/conf.d/README.md

@@ -0,0 +1,5 @@
+# Host-based multihoming configuration files
+
+In `proxy` mode, this folder is mounted at execution time. See examples [here](./samples/)
+
+In `demoapps` mode, files in this folder are generated by the [ENTRYPOINT script](../../entrypoint.sh)

conf.samples/authN.conf → conf/conf.d/samples/authN.conf

@@ -2,7 +2,7 @@ server {
 	listen 443 ssl;
 	server_name authn.identicum.com;
 
-	include /etc/ipax/conf.d/wildcard_identicum_com.settings;
+	include /var/ipax/conf/conf.d/wildcard_identicum_com.settings;
 
 	location / {
 		access_by_lua_block {

conf.samples/authZ.conf → conf/conf.d/samples/authZ.conf

@@ -2,7 +2,7 @@ server {
 	listen 443 ssl;
 	server_name authz.identicum.com;
 
-	include /etc/ipax/conf.d/wildcard_identicum_com.settings;
+	include /var/ipax/conf/conf.d/wildcard_identicum_com.settings;
 
 	location / {
 		access_by_lua_block {

conf.samples/headers.conf → conf/conf.d/samples/headers.conf

@@ -2,7 +2,7 @@ server {
 	listen 443 ssl;
 	server_name wtp.identicum.com;
 
-	include /etc/ipax/conf.d/wildcard_identicum_com.settings;
+	include /var/ipax/conf/conf.d/wildcard_identicum_com.settings;
 
 	location / {
 		access_by_lua_block {

conf.samples/spa_api.conf → conf/conf.d/samples/spa_api.conf

@@ -2,7 +2,7 @@ server {
 	listen 443 ssl;
 	server_name spa.identicum.com;
 
-	include /etc/ipax/conf.d/wildcard_identicum_com.settings;
+	include /var/ipax/conf/conf.d/wildcard_identicum_com.settings;
 
 	location / {
 		access_by_lua_block {
@@ -18,7 +18,7 @@ server {
     location /api/ {
         set $api_base_url '';
         access_by_lua_block {
-            ngx.var.api_base_url = os.getenv("API_BASEURL");
+            ngx.var.api_base_url = os.getenv("API_BASE_URL");
             ngx.req.set_header("Authorization", "Bearer " .. require("ipax").get_access_token());
         }
         proxy_pass $api_base_url;

conf/default_variables.conf

@@ -0,0 +1,29 @@
+set $oidc_discovery '';
+set $oidc_ssl_verify '';
+set $oidc_client_id '';
+set $oidc_use_pkce '';
+set $oidc_client_secret '';
+set $oidc_scope '';
+set $oidc_redirect_uri '';
+set $oidc_logout_path '';
+set $oidc_post_logout_redirect_uri '';
+set $oidc_prompt '';
+set $oidc_acr_values '';
+set $session_cookie_same_site '';
+set $session_cookie_secure '';
+set $session_idling_timeout '';
+set $session_remember '';
+set $session_secret '';
+set $ipax_app_name '';
+set $ipax_display_name '';
+set $api_base_url '';
+set $kc_delete_account_action '';
+set $kc_delete_account_label '';
+set $kc_update_email_action '';
+set $kc_update_email_label '';
+set $kc_update_password_action '';
+set $kc_update_password_label '';
+set $kc_enrol_biometrics_action '';
+set $kc_enrol_biometrics_label '';
+set $kc_add_passkey_action '';
+set $kc_add_passkey_label '';

conf/default_vhost.conf

@@ -0,0 +1,13 @@
+set $template_root /var/ipax/templates;
+
+location / {
+    add_header Cache-Control no-store;
+    add_header Pragma no-cache;
+    default_type text/html;
+    content_by_lua_block {
+        local data = {
+            app_list = {"app1", "app2", "app3"}
+        }
+        require("resty.template").render_file("demoapps.html", data)
+    }
+}

conf/demoapp_template.conf

@@ -0,0 +1,38 @@
+	set $template_root /var/ipax/templates;
+
+	location / {
+		root /var/ipax/html/;
+		add_header Cache-Control no-store;
+		add_header Pragma no-cache;
+	}
+	location /landing {
+		add_header Cache-Control no-store;
+		add_header Pragma no-cache;
+		default_type text/html;
+		include /var/ipax/conf/default_variables.conf;
+		content_by_lua_block {
+			local data = { ipax_display_name = require("ipax").get_var_or_env("ipax_display_name") }
+			require("resty.template").render_file("landing.html", data)
+		}
+	}
+	location /private {
+		add_header Cache-Control no-store;
+		add_header Pragma no-cache;
+		default_type text/html;
+		include /var/ipax/conf/default_variables.conf;
+		access_by_lua_block {
+			local ipax = require("ipax")
+			local oidc_opts = ipax.get_oidc_opts()
+			local session_opts = ipax.get_session_opts()
+			ngx.ctx.res = ipax.get_res(oidc_opts, session_opts);
+			local ipax_display_name = ipax.get_var_or_env("ipax_display_name")
+			local ipax_app_name = ipax.get_var_or_env("ipax_app_name")
+			local ipax_base_url = ipax.get_var_or_env("ipax_base_url")
+			local headers = ngx.req.get_headers()
+			ngx.ctx.data = ipax.get_info_data(oidc_opts, session_opts, ipax_display_name, ipax_app_name, ipax_base_url, headers)
+		}
+		content_by_lua_block {
+			require("resty.template").render_file("info.html", ngx.ctx.data)
+		}
+	}
+

conf/demoapps/README.md

@@ -0,0 +1,4 @@
+# demoapps variables
+
+This folder is mounted at execution time to override variables when using multiple demoapps in one container.
+See [examples](../../localhost/demoapps/demoapps/)