From f496744bbf1c177dadadfc5d7184a2aa27c62bdf Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Thu, 4 Feb 2021 13:53:56 +0200
Subject: [PATCH] Add a Vouch proxy to all hosts.

Vouch uses the Host header for calculating the JWT but we can't override
that (proxying won't work with an incorrect header). So instead add it to
each deployment so we don't have multiple proxies and can override the
Host header.
---
 conf.d/global.conf  |  2 ++
 docker-compose.yml  | 19 ++++++++++++++++++-
 snippets/vouch.conf |  3 ++-
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/conf.d/global.conf b/conf.d/global.conf
index a6472ba..608fe8d 100644
--- a/conf.d/global.conf
+++ b/conf.d/global.conf
@@ -9,3 +9,5 @@ include                         snippets/common-headers.conf;
 proxy_ssl_trusted_certificate   /etc/ssl/certs/ca-certificates.crt;
 proxy_ssl_verify                on;
 proxy_ssl_verify_depth          4;
+# For proxying /validate on different hosts to Vouch.
+map $host $vouch { default vouch; }
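Review bot: The new `map $host $vouch` has only a default entry, so `$vouch` is always `vouch` and the map exists purely to put a variable into the `proxy_pass` in snippets/vouch.conf; a variable there makes nginx resolve the name per request instead of at startup, and that requires a `resolver` directive (Docker's embedded DNS, for instance) or an `upstream vouch { }` block, otherwise every /validate subrequest fails with "no resolver defined to resolve vouch". Neither is visible in this hunk or in the vouch.conf hunk; if one already exists elsewhere in global.conf this is fine, otherwise it should be added next to the map. The comment should also state the intent rather than the mechanism, e.g. `# Indirection so proxy_pass resolves "vouch" at request time and nginx still starts if the vouch container is down.`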
diff --git a/docker-compose.yml b/docker-compose.yml
index 0d815fd..fea34f7 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,7 +4,7 @@ services:
   proxy:
     build:
       context: ./
-    #command: ["nginx", "-g", "daemon off;"]
+    # command: ["nginx", "-g", "daemon off;"]
     hostname: &hostname shore.co.il
     networks:
       default:
@@ -20,6 +20,23 @@ services:
       - '/var/ssl/site.crt:/var/ssl/site.crt:ro'
       - '/var/ssl/dhparams:/var/ssl/dhparams:ro'
 
+  vouch:
+    environment:
+      OAUTH_AUTH_URL: https://nextcloud.shore.co.il/apps/oauth2/authorize
+      OAUTH_CALLBACK_URLS: https://vouch.shore.co.il/auth
+      OAUTH_CLIENT_ID: "${VOUCH_OAUTH_CLIENT_ID}"
+      # yamllint disable-line rule:line-length
+      OAUTH_CLIENT_SECRET: "${VOUCH_OAUTH_CLIENT_SECRET}"  # pragma: allowlist secret
+      OAUTH_PROVIDER: nextcloud
+      OAUTH_SCOPES: 'openid,email.profile'
+      OAUTH_TOKEN_URL: https://nextcloud.shore.co.il/apps/oauth2/api/v1/token
+      # yamllint disable-line rule:line-length
+      OAUTH_USER_INFO_URL: https://nextcloud.shore.co.il/ocs/v2.php/cloud/user?format=json
+      VOUCH_DOMAINS: shore.co.il
+      VOUCH_JWT_SECRET: "${VOUCH_JWT_SECRET}"  # pragma: allowlist secret
+    image: registry.hub.docker.com/voucher/vouch-proxy:alpine-0.20.1
+    restart: always
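Review bot: `OAUTH_SCOPES: 'openid,email.profile'` on the new vouch service looks like a typo for `'openid,email,profile'`; as far as I know Vouch treats the value as a comma-separated list, so as written it would request a single `email.profile` scope, and if the dot is intentional a comment saying so would help. The service deliberately publishes no `ports:`, which is right since only the proxy should reach :9090, but a comment such as `# no ports: only reachable from the proxy on the internal "shore" network` would keep a later edit from exposing it. `OAUTH_CALLBACK_URLS` still points at vouch.shore.co.il/auth, so the proxy presumably has to keep routing that vhost to this container for the login callback; that routing is not visible in this commit.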
+
 networks:
   default:
     name: shore
diff --git a/snippets/vouch.conf b/snippets/vouch.conf
index 20ba3e1..9571b80 100644
--- a/snippets/vouch.conf
+++ b/snippets/vouch.conf
@@ -3,9 +3,10 @@ auth_request    /validate;
 
 location = /validate {
   # forward the /validate request to Vouch Proxy
-  proxy_pass                        https://vouch.shore.co.il/validate;
+  proxy_pass                        http://$vouch:9090/validate;
   proxy_http_version                1.1;
   internal;
+  include                           snippets/proxy-headers.conf;
 
   # Vouch Proxy only acts on the request headers
   proxy_pass_request_body           off;
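Review bot: The /validate subrequest now travels over plain HTTP to `$vouch:9090` where it previously went over TLS with certificate verification (global.conf sets `proxy_ssl_verify on`); that trust-boundary change deserves a comment at the `proxy_pass` line, e.g. `# plain HTTP: Vouch is only reachable on the internal compose network and publishes no ports`. The added `include snippets/proxy-headers.conf` is not visible here; since the commit message says Vouch derives the JWT from the Host header, confirm that snippet sets `Host` to the value Vouch expects on a subrequest rather than whatever the client sent. The `location = /validate` block continues past the end of this hunk.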
-- 
GitLab