• This repository has been archived on 08/Apr/2020
  • Stars
    star
    425
  • Rank 102,094 (Top 3 %)
  • Language
    Lua
  • License
    MIT License
  • Created almost 9 years ago
  • Updated over 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Lua module to add Google OAuth to nginx

nginx-google-oauth

Lua module to add Google OAuth to nginx. It is based on great work from Agora Games.

Fast forward to the docker image section to try it out.

Deprecated

This project is no longer being maintained or supported by Cloudflare. Please refer to Cloudflare Access as an alternative to nginx-google-oauth.

Installation

You can copy access.lua to your nginx configurations, or clone the repository. Your installation of nginx must already be built with Lua support, and you will need the following modules:

Configuration

Add the access controls in your configuration. Because OAuth tickets will be included in cookies (and you are presumably protecting something very important), it is strongly recommended that you use SSL.

server {
  server_name supersecret.net;

  listen 443 ssl;

  ssl_certificate     /etc/nginx/certs/supersecret.net.pem;
  ssl_certificate_key /etc/nginx/certs/supersecret.net.key;

  set $ngo_client_id         "abc-def.apps.googleusercontent.com";
  set $ngo_client_secret     "abcdefg-123-xyz";
  set $ngo_token_secret      "a very long randomish string";
  set $ngo_secure_cookies    "true";
  set $ngo_http_only_cookies "true";

  access_by_lua_file "/etc/nginx/lua/nginx-google-oauth/access.lua";
}

The access controls can be configured using nginx variables. The supported variables are:

  • $ngo_callback_host The host for the callback, defaults to first entry in the server_name list (e.g supersecret.net).
  • $ngo_callback_scheme The scheme for the callback URL, defaults to that of the request (e.g. https).
  • $ngo_callback_uri The URI for the callback, defaults to /_oauth.
  • $ngo_signout_uri The URI for sign-out endpoint.
  • $ngo_client_id This is the client id key.
  • $ngo_client_secret This is the client secret.
  • $ngo_token_secret The key used to encrypt the session token stored in the user cookie. Should be long & unguessable.
  • $ngo_secure_cookies If defined, will ensure that cookies can only be transferred over a secure connection.
  • $ngo_http_only_cookies If defined, will ensure that cookies cannot be accessed via javascript.
  • $ngo_extra_validity Time in seconds to add to token validity period.
  • $ngo_domain The space separated list of domains to use for validating users when not using white- or blacklists.
  • $ngo_whitelist Optional space separated list of authorized email addresses.
  • $ngo_blacklist Optional space separated list of unauthorized email addresses.
  • $ngo_user If set, will be populated with the OAuth username returned from Google (portion left of '@' in email).
  • $ngo_email_as_user If set and $ngo_user is defined, username returned will be full email address.

Available endpoints

/_signout

Default sign-out URI, can be changed with $ngo_signout_uri variable. It clears cookies and does redirect to the / location of your domain.

/_token.json

Endpoint that reports your OAuth token in a JSON object:

{
  "email": "[email protected]",
  "token": "abc..xyz",
  "expires": 1445455680
}

/_token.txt

Endpoint that reports your OAuth token in text format:

email: [email protected]
token: abc..xyz
expires: 1445455680

/_token.curl

Endpoint that reports your OAuth token as curl arguments for header auth:

-H "OauthEmail: [email protected]" -H "OauthAccessToken: abc..xyz" -H "OauthExpires: 1445455680"

You can add it to your curl command to make it work with OAuth.

Authentication

Any request to nginx can be authenticated in two ways: with headers and with cookies. When you open your site in a web browser, it sends you to Google to obtain OAuth token and these are set as cookies. Users don't have to do anything special, it just works seamlessly.

If you are willing to protect a domain that is used by automatic CLI tools, it is problematic to use cookies from your browser. Instead, you can can use any of endpoints described in the previous section to obtain tokens and pass them to your tools.

An example would be a curl command that you might use to refresh local currency rates:

curl -s https://example.com/rates.json > ~/currency-rates.json

Now if you enabled OAuth on example.com, this command would not work anymore, resulting in 301 redirect to OAuth from Google. To make it work, you'll have to go to https://example.com/_token.curl, copy header arguments for curl and paste them into your command:

curl -s $HEADER_ARGS https://example.com/rates.json > ~/currency-rates.json

Extended token validity

OAuth token from Google are short-lived, but this is not always convenient if you want to put something frequently used behind OAuth. In this case, you can extend token validity by $ngo_extra_validity seconds. An good example would be some site you use at work. Setting $ngo_extra_validity to 43200 (12h) means that you only have to authorize on it once a day with a standard 8 hour or less work day.

Token validity can be shortened with negative values as well.

Configuring OAuth access

Visit https://console.developers.google.com. If you're signed in to multiple Google accounts, be sure to switch to the one which you want to host the OAuth credentials (usually your company's Apps domain). This should match $ngo_domain (e.g. yourcompany.com).

From the dashboard, create a new project. After selecting that project, search for "Credentials" in the search box. Make sure to fill "OAuth consent screen" section first. Then create "OAuth client ID": select "Web application", fill the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" (e.g. https://example.com/_oauth).

After completing the form you will be presented with the Client ID and Client Secret which you can use to configure $ngo_client_id and $ngo_client_secret respectively.

Since you can have unlimited OAuth client IDs in one app, but number of apps is limited, it makes sense to reuse the same app.

Username variable

$ngo_user can be used in any place where you could use variable in nginx, this includes:

  • Logging
  • Passing params to external FastCGI/UWSGI scripts
  • Headers for upstream servers
  • Lua scripts
  • etc.

Blacklist/Whitelist

For blacklist the site, not even reaching oauth, use this nginx example:

    access_by_lua_file "/etc/nginx/lua/nginx-google-oauth/access.lua";
    deny your_blacklist_ip;
    satisfy all

For whitelist (ie: disable oauth for this ip) use this:

    access_by_lua_file "/etc/nginx/lua/nginx-google-oauth/access.lua";
    allow your_whitelist_ip;
    satisfy any;

Notice the satisfy any. You can also add several allow entries.

For allowing only one ip, block all others, and still oauth it, use this:

    access_by_lua_file "/etc/nginx/lua/nginx-google-oauth/access.lua";
    allow your_whitelist_ip;
    deny all;
    satisfy all;

Docker image

You have to obtain tokens first.

There is a pre-built image: cloudflare/nginx-google-oauth. If you are hacking on this project, you might want to rebuild the image yourself.

To make it work locally, add a record to DNS or to /etc/hosts, pointing to the ip of your docker daemon, we use ngo.lol here. Make sure to add http://ngo.lol/_oauth as an "Authorized redirect URIs" in Google console.

Docker image has the following env variables for configuration:

  • NGO_CALLBACK_HOST is the value of $ngo_callback_host.
  • NGO_CALLBACK_SCHEME is the value of $ngo_callback_scheme.
  • NGO_CALLBACK_URI is the value of $ngo_callback_uri.
  • NGO_SIGNOUT_URI is the value of $ngo_signout_uri.
  • NGO_CLIENT_ID is the value of $ngo_client_id, required.
  • NGO_CLIENT_SECRET is the value of $ngo_client_secret, required.
  • NGO_TOKEN_SECRET is the value of $ngo_token_secret, required.
  • NGO_SECURE_COOKIES is the value of $ngo_secure_cookies.
  • NGO_HTTP_ONLY_COOKIES is the value of $ngo_http_only_cookies.
  • NGO_EXTRA_VALIDITY is the value of $ngo_extra_validity.
  • NGO_DOMAIN is the value of $ngo_domain.
  • NGO_WHITELIST is the value of $ngo_whitelist.
  • NGO_BLACKLIST is the value of $ngo_blacklist.
  • NGO_USER is the value of $ngo_user.
  • NGO_EMAIL_AS_USER is the value of $ngo_email_as_user.
  • PORT is the port for nginx to listen on, defaults to 80.
  • DEBUG: if set, prints the generated nginx configuation on container start
  • LOCATIONS can contain location directives that will be injected into the nginx configuration on container start. If not set, a demo page is served under location / {...}.

Run the image:

docker run --rm -it --net host \
  -e DEBUG=1 \
  -e NGO_CALLBACK_SCHEME=http \
  -e NGO_CLIENT_ID="client id from google" \
  -e NGO_CLIENT_SECRET="client secret from google" \
  -e NGO_TOKEN_SECRET="random token secret" \
  cloudflare/nginx-google-oauth:1.1.1

Then open your browser at http://ngo.lol and you should get Google OAuth screen.

Copyright

  • Copyright 2015-2020 Cloudflare
  • Copyright 2014-2015 Aaron Westendorf

License

MIT

More Repositories

1

pingora

A library for building fast, reliable and evolvable network services.
Rust
20,561
star
2

quiche

🥧 Savoury implementation of the QUIC transport protocol and HTTP/3
Rust
9,191
star
3

cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
Go
8,049
star
4

workerd

The JavaScript / Wasm runtime that powers Cloudflare Workers
C++
6,175
star
5

boringtun

Userspace WireGuard® Implementation in Rust
Rust
6,001
star
6

cloudflared

Cloudflare Tunnel client (formerly Argo Tunnel)
Go
5,870
star
7

flan

A pretty sweet vulnerability scanner
Python
3,910
star
8

miniflare

🔥 Fully-local simulator for Cloudflare Workers. For the latest version, see https://github.com/cloudflare/workers-sdk/tree/main/packages/miniflare.
TypeScript
3,719
star
9

wrangler-legacy

🤠 Home to Wrangler v1 (deprecated)
Rust
3,233
star
10

cloudflare-docs

Cloudflare’s documentation
MDX
3,009
star
11

tableflip

Graceful process restarts in Go
Go
2,549
star
12

workers-rs

Write Cloudflare Workers in 100% Rust via WebAssembly
Rust
2,478
star
13

workers-sdk

⛅️ Home to Wrangler, the CLI for Cloudflare Workers®
TypeScript
2,464
star
14

wildebeest

Wildebeest is an ActivityPub and Mastodon-compatible server
TypeScript
2,042
star
15

gokey

A simple vaultless password manager in Go
Go
1,836
star
16

ebpf_exporter

Prometheus exporter for custom eBPF metrics
C
1,639
star
17

cloudflare-go

The official Go library for the Cloudflare API
Go
1,477
star
18

lol-html

Low output latency streaming HTML parser/rewriter with CSS selector-based API
Rust
1,459
star
19

orange

TypeScript
1,400
star
20

redoctober

Go server for two-man rule style file encryption and decryption.
Go
1,373
star
21

cf-ui

💎 Cloudflare UI Framework
JavaScript
1,297
star
22

sslconfig

Cloudflare's Internet facing SSL configuration
1,287
star
23

foundations

Cloudflare's Rust service foundations library.
Rust
1,273
star
24

next-on-pages

CLI to build and develop Next.js apps for Cloudflare Pages
TypeScript
1,184
star
25

hellogopher

Hellogopher: "just clone and make" your conventional Go project
Makefile
1,153
star
26

production-saas

(WIP) Example SaaS application built in public on the Cloudflare stack!
TypeScript
1,114
star
27

bpftools

BPF Tools - packet analyst toolkit
Python
1,087
star
28

cloudflare-blog

Cloudflare Blog code samples
C
1,065
star
29

templates

A collection of starter templates and examples for Cloudflare Workers and Pages
JavaScript
996
star
30

wrangler-action

🧙‍♀️ easily deploy cloudflare workers applications using wrangler and github actions
TypeScript
993
star
31

circl

CIRCL: Cloudflare Interoperable Reusable Cryptographic Library
Go
970
star
32

cf-terraforming

A command line utility to facilitate terraforming your existing Cloudflare resources.
Go
966
star
33

wirefilter

An execution engine for Wireshark-like filters
Rust
947
star
34

workers-chat-demo

JavaScript
867
star
35

pint

Prometheus rule linter/validator
Go
827
star
36

utahfs

UtahFS is an encrypted storage system that provides a user-friendly FUSE drive backed by cloud storage.
Go
805
star
37

terraform-provider-cloudflare

Cloudflare Terraform Provider
Go
775
star
38

Stout

A reliable static website deploy tool
Go
749
star
39

goflow

The high-scalability sFlow/NetFlow/IPFIX collector used internally at Cloudflare.
Go
729
star
40

unsee

Alert dashboard for Prometheus Alertmanager
Go
710
star
41

mitmengine

A MITM (monster-in-the-middle) detection tool. Used to build MALCOLM:
Go
690
star
42

workers-graphql-server

🔥Lightning-fast, globally distributed Apollo GraphQL server, deployed at the edge using Cloudflare Workers
JavaScript
635
star
43

cloudflare-php

PHP library for the Cloudflare v4 API
PHP
616
star
44

react-gateway

Render React DOM into a new context (aka "Portal")
JavaScript
569
star
45

xdpcap

tcpdump like XDP packet capture
Go
567
star
46

ahocorasick

A Golang implementation of the Aho-Corasick string matching algorithm
Go
541
star
47

lua-resty-logger-socket

Raw-socket-based Logger Library for Nginx (based on ngx_lua)
Perl
477
star
48

mmap-sync

Rust library for concurrent data access, using memory-mapped files, zero-copy deserialization, and wait-free synchronization.
Rust
453
star
49

pages-action

JavaScript
450
star
50

speedtest

Component to perform network speed tests against Cloudflare's edge network
JavaScript
435
star
51

stpyv8

Python 3 and JavaScript interoperability. Successor To PyV8 (https://github.com/flier/pyv8)
C++
430
star
52

worker-typescript-template

ʕ •́؈•̀) TypeScript template for Cloudflare Workers
TypeScript
424
star
53

gokeyless

Go implementation of the keyless protocol
Go
420
star
54

golibs

Various small golang libraries
Go
402
star
55

sandbox

Simple Linux seccomp rules without writing any code
C
385
star
56

mmproxy

mmproxy, the magical PROXY protocol gateway
C
370
star
57

svg-hush

Make it safe to serve untrusted SVG files
Rust
368
star
58

boring

BoringSSL bindings for the Rust programming language.
Rust
357
star
59

cobweb

COBOL to WebAssembly compiler
COBOL
353
star
60

rustwasm-worker-template

A template for kick starting a Cloudflare Worker project using workers-rs. Write your Cloudflare Worker entirely in Rust!
Rust
350
star
61

workers-types

TypeScript type definitions for authoring Cloudflare Workers.
TypeScript
350
star
62

lua-resty-cookie

Lua library for HTTP cookie manipulations for OpenResty/ngx_lua
Perl
347
star
63

cloudflare-ingress-controller

A Kubernetes ingress controller for Cloudflare's Argo Tunnels
Go
344
star
64

node-cloudflare

Node.js API for Client API
JavaScript
335
star
65

serverless-registry

A Docker registry backed by Workers and R2.
TypeScript
327
star
66

cfweb3

JavaScript
313
star
67

workerskv.gui

(WIP) A cross-platform Desktop application for exploring Workers KV Namespace data
Svelte
306
star
68

JSON.is

Open-source documentation for common JSON formats.
JavaScript
302
star
69

sqlalchemy-clickhouse

Python
299
star
70

cloudflare.github.io

Cloudflare ❤️ Open Source
CSS
298
star
71

doom-wasm

Chocolate Doom WebAssembly port with WebSockets support
C
297
star
72

json-schema-tools

Packages for working with JSON Schema and JSON Hyper-Schema
JavaScript
296
star
73

chatgpt-plugin

Build ChatGPT plugins with Cloudflare's Developer Platform 🤖
JavaScript
289
star
74

chanfana

OpenAPI 3 and 3.1 schema generator and validator for Hono, itty-router and more!
TypeScript
284
star
75

tls-tris

crypto/tls, now with 100% more 1.3. THE API IS NOT STABLE AND DOCUMENTATION IS NOT GUARANTEED.
Go
283
star
76

gortr

The RPKI-to-Router server used at Cloudflare
Go
283
star
77

react-modal2

💭 Simple modal component for React.
JavaScript
279
star
78

isbgpsafeyet.com

Is BGP safe yet?
HTML
278
star
79

keyless

Cloudflare's Keyless SSL Server Reference Implementation
C
272
star
80

pp-browser-extension

Client for Privacy Pass protocol providing unlinkable cryptographic tokens
TypeScript
268
star
81

dog

Durable Object Groups
TypeScript
268
star
82

tubular

BSD socket API on steroids
C
261
star
83

go

Go with Cloudflare experimental patches
Go
260
star
84

cloudflare-rs

Rust library for the Cloudflare v4 API
Rust
256
star
85

cloudflare-typescript

The official Typescript library for the Cloudflare API
TypeScript
251
star
86

puppeteer

Puppeteer Core fork that works with Cloudflare Browser Workers
TypeScript
247
star
87

shellflip

Graceful process restarts in Rust
Rust
245
star
88

kv-asset-handler

Routes requests to KV assets
TypeScript
244
star
89

mod_cloudflare

C
243
star
90

semver_bash

Semantic Versioning in Bash
Shell
238
star
91

cfssl_trust

CFSSL's CA trust store repository
Go
226
star
92

doca

A CLI tool that scaffolds API documentation based on JSON HyperSchemas.
JavaScript
224
star
93

alertmanager2es

Receives HTTP webhook notifications from AlertManager and inserts them into an Elasticsearch index for searching and analysis
Go
218
star
94

pmtud

Path MTU daemon - broadcast lost ICMP packets on ECMP networks
C
218
star
95

origin-ca-issuer

Go
216
star
96

worker-template-router

JavaScript
216
star
97

Cloudflare-WordPress

A Cloudflare plugin for WordPress
PHP
215
star
98

cloudflare-docs-engine

A documentation engine built on Gatsby, powering Cloudflare’s docs https://github.com/cloudflare/cloudflare-docs
JavaScript
215
star
99

python-worker-hello-world

Python hello world for Cloudflare Workers
JavaScript
209
star
100

saffron

The cron parser powering Cron Triggers on Cloudflare Workers
Rust
207
star