Add a Vouch proxy to all hosts.

Vouch uses the Host header for calculating the JWT but we can't override that (proxying won't work with an incorrect header). So instead it to each deployment so we don't have multiple proxies and can override the Host header.

Add a Vouch proxy to all hosts.
f496744b · nimrod · 9bc804a8 · f496744b · f496744b · f496744b
Commit f496744b authored 4 years ago by nimrod
--- a/conf.d/global.conf
+++ b/conf.d/global.conf
@@ -9,3 +9,5 @@ include                         snippets/common-headers.conf;
 proxy_ssl_trusted_certificate   /etc/ssl/certs/ca-certificates.crt;
 proxy_ssl_verify                on;
 proxy_ssl_verify_depth          4;
+# For proxying /validate on different hosts to Vouch.
+map $host $vouch { default vouch; }
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
  proxy:
    build:
      context: ./
-    #command: ["nginx", "-g", "daemon off;"]
+    # command: ["nginx", "-g", "daemon off;"]
    hostname: &hostname shore.co.il
    networks:
      default:
@@ -20,6 +20,23 @@ services:
      - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
      - '/var/ssl/dhparams:/var/ssl/dhparams:ro'

+  vouch:
+    environment:
+      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
+      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
+      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
+      # yamllint disable-line rule:line-length
+      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
+      OAUTH_PROVIDER: nextcloud
+      OAUTH_SCOPES: 'openid,email.profile'
+      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
+      # yamllint disable-line rule:line-length
+      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
+      VOUCH_DOMAINS: shore.co.il
+      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
+    image: registry.hub.docker.com/voucher/vouch-proxy:alpine-0.20.1
+    restart: always
+
 networks:
  default:
    name: shore
--- a/snippets/vouch.conf
+++ b/snippets/vouch.conf
@@ -3,9 +3,10 @@ auth_request    /validate;

 location = /validate {
  # forward the /validate request to Vouch Proxy
-  proxy_pass                        https://vouch.shore.co.il/validate;
+  proxy_pass                        http://$vouch:9090/validate;
  proxy_http_version                1.1;
  internal;
+  include                           snippets/proxy-headers.conf;

  # Vouch Proxy only acts on the request headers
  proxy_pass_request_body           off;