From 5783c0b558bf65e6aa419fcf739b4fa2c8bb4bb0 Mon Sep 17 00:00:00 2001
From: Gregory Marco
Date: Thu, 5 Dec 2024 01:50:15 -0600
Subject: [PATCH] initial commit of customized nginx
---
 .woodpecker.yml | 11 +++++
 Dockerfile | 4 ++
 .../05-generate-configuration.sh | 3 ++
 nginx.conf.template | 41 +++++++++++++++++++
 4 files changed, 59 insertions(+)
 create mode 100644 .woodpecker.yml
 create mode 100644 Dockerfile
 create mode 100755 docker-entrypoint.d/05-generate-configuration.sh
 create mode 100644 nginx.conf.template
diff --git a/.woodpecker.yml b/.woodpecker.yml
new file mode 100644
index 0000000..205b4a8
--- /dev/null
+++ b/.woodpecker.yml
@@ -0,0 +1,11 @@
+labels:
+ platform: linux/amd64
+ backend: docker
+
+steps:
+ build-image:
+ image: docker
+ commands:
+ - docker build -t . goatbin
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..38bfd55
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,4 @@
+FROM nginx
+ENV VOUCH_INTERNAL=vouch:9090
+ADD nginx.conf.template /
+ADD docker-entrypoint.d /docker-entrypoint.d
diff --git a/docker-entrypoint.d/05-generate-configuration.sh b/docker-entrypoint.d/05-generate-configuration.sh
new file mode 100755
index 0000000..9292e02
--- /dev/null
+++ b/docker-entrypoint.d/05-generate-configuration.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+sed "s#@VOUCH_INTERNAL@#$VOUCH_INTERNAL#g" /nginx.conf.template > /etc/nginx/conf.d/default.conf
+sed -i "s#@VOUCH_EXTERNAL@#$VOUCH_EXTERNAL#g" /etc/nginx/conf.d/default.conf
diff --git a/nginx.conf.template b/nginx.conf.template
new file mode 100644
index 0000000..19a26b1
--- /dev/null
+++ b/nginx.conf.template
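Review bot: The build command in the `commands` list has its arguments transposed: `docker build -t . goatbin` makes `.` the image tag and `goatbin` the build-context directory, so the step will either fail to find a context or tag the image as `.`; it should read `- docker build -t goatbin .`. Separately, bind-mounting `/var/run/docker.sock` gives the step full control of the runner's Docker daemon, which is root-equivalent on that host, so this pipeline should be restricted to trusted branches and contributors or moved to a rootless/DinD builder. The `docker` image is also unpinned; pinning a tag or digest keeps the build reproducible. The YAML indentation is lost in this rendering of the hunk, so its nesting is assumed rather than verified here.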
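Review bot: `FROM nginx` pulls an unpinned `latest` base, so two builds of this Dockerfile can yield different nginx versions; pin a tag or digest, e.g. `FROM nginx:<pinned-tag>` (placeholder). The two `ADD` lines copy only local paths, so `COPY` is the appropriate instruction — `ADD` additionally auto-extracts archives and fetches URLs, behaviour nobody wants triggered by accident here: `COPY nginx.conf.template /` and `COPY docker-entrypoint.d /docker-entrypoint.d`. `VOUCH_EXTERNAL` is read by the entrypoint script added in this commit but has no default or mention in the Dockerfile, so a comment such as `# VOUCH_EXTERNAL (public Vouch host) must be supplied at run time` would make the required input visible to whoever deploys the image.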
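Review bot: Nothing stops the script when `VOUCH_EXTERNAL` is unset: the second `sed` then replaces the placeholder with an empty string, and the generated config redirects unauthenticated users to `https:///login?...`, which nginx will serve without complaint. Adding `set -eu` and `: "${VOUCH_EXTERNAL:?VOUCH_EXTERNAL must be set}"` after the shebang makes the container fail at start-up rather than at the first login attempt, and also stops the second `sed` from running if the first one fails. Because both values are spliced into the sed program unescaped, a `#`, `&` or backslash in either variable would corrupt the substitution; validating them against a host[:port] pattern, or escaping those characters before use, closes that gap.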
@@ -0,0 +1,41 @@
+server {
+ listen 80;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ # send all requests to the `/validate` endpoint for authorization
+ auth_request /validate;
+
+ location = /validate {
+ # forward the /validate request to Vouch Proxy
+ proxy_pass http://@VOUCH_INTERNAL@/validate;
+ # be sure to pass the original host header
+ proxy_set_header Host $http_host;
+
+ # Vouch Proxy only acts on the request headers
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+
+ # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
+ auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+
+ # these return values are used by the @error401 call
+ auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+ auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+ auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+ }
+
+ # if validate returns `401 not authorized` then forward the request to the error401block
+ error_page 401 = @error401;
+
+ location @error401 {
+ # redirect to Vouch Proxy for login
+ return 302 https://@VOUCH_EXTERNAL@/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+ }
+
+ location / {
+ autoindex on;
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+}
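Review bot: The post-login return URL in the `@error401` redirect is built from `$scheme`, but this server only has `listen 80`, so `$scheme` is always `http` here; if TLS is terminated in front of this container (the login hop itself is hard-wired to `https://@VOUCH_EXTERNAL@`, which suggests it is), users are sent back to a plaintext URL after authenticating. Use the externally visible scheme instead, e.g. `url=https://$http_host$request_uri`, or a `map` on `$http_x_forwarded_proto` if both schemes are genuinely served. The same redirect carries the JWT in the `X-Vouch-Token` query parameter, so it will appear in proxy access logs and browser history; a short comment recording that this follows Vouch's documented flow and that access logs for this location should be treated as sensitive would help the next reader. `autoindex on` in `location /` is gated by the server-level `auth_request`, but listing the document root is rarely intended for an application front-end, so confirm it is wanted.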