nginx
nginx/Dockerfile
First basic pass at JWT auth. Mostly just a fork of https://github.com/ficusio/openresty, with a few twists:

* We've narrowed down some of the configuration options, and we're passing more headers (essentially exposing all the data in the JWT as headers).
* We no longer automatically return a 401 unauthorized if the JWT verification fails; we just don't assign it the headers. The consuming service can decide whether or not they want to accept the request.
* We automatically fail the verification of a JWT if the token has expired in the last minute (or shouldn't be used for the next minute). If the token has expired, we return a 401 that our clients can catch and use a refresh token automatically from. If the token can't be used for another minute, we quietly just refuse to add auth headers to the request.
1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 1.2 +++ b/Dockerfile Mon Jun 22 00:42:40 2015 -0400 1.3 
@@ -0,0 +1,70 @@ 1.4 +FROM alpine:3.1 1.5 + 1.6 +ENV OPENRESTY_VERSION 1.7.10.1 1.7 +ENV OPENRESTY_PREFIX /opt/secondbit 1.8 +ENV NGINX_PREFIX /opt/secondbit/nginx 1.9 +ENV VAR_PREFIX /var/nginx 1.10 + 1.11 +# NginX prefix is automatically set by OpenResty to $OPENRESTY_PREFIX/nginx 1.12 +# look for $ngx_prefix in https://github.com/openresty/ngx_openresty/blob/master/util/configure 1.13 + 1.14 +ADD nginx-jwt.lua $OPENRESTY_PREFIX/lualib/nginx-jwt.lua 1.15 +ADD jwt-lib/basexx.lua $OPENRESTY_PREFIX/lualib/basexx.lua 1.16 +ADD jwt-lib/resty/hmac.lua $OPENRESTY_PREFIX/lualib/resty/hmac.lua 1.17 +ADD jwt-lib/resty/jwt.lua $OPENRESTY_PREFIX/lualib/resty/jwt.lua 1.18 + 1.19 +RUN echo "==> Installing dependencies..." \ 1.20 + && apk update \ 1.21 + && apk add make gcc musl-dev \ 1.22 + pcre-dev openssl-dev zlib-dev ncurses-dev readline-dev \ 1.23 + curl perl \ 1.24 + && mkdir -p /root/ngx_openresty \ 1.25 + && cd /root/ngx_openresty \ 1.26 + && echo "==> Downloading OpenResty..." \ 1.27 + && curl -sSL http://openresty.org/download/ngx_openresty-${OPENRESTY_VERSION}.tar.gz | tar -xvz \ 1.28 + && cd ngx_openresty-* \ 1.29 + && echo "==> Configuring OpenResty..." 
\ 1.30 + && readonly NPROC=$(grep -c ^processor /proc/cpuinfo 2>/dev/null || 1) \ 1.31 + && echo "using upto $NPROC threads" \ 1.32 + && ./configure \ 1.33 + --prefix=$OPENRESTY_PREFIX \ 1.34 + --http-client-body-temp-path=$VAR_PREFIX/client_body_temp \ 1.35 + --http-proxy-temp-path=$VAR_PREFIX/proxy_temp \ 1.36 + --http-log-path=$VAR_PREFIX/access.log \ 1.37 + --error-log-path=$VAR_PREFIX/error.log \ 1.38 + --pid-path=$VAR_PREFIX/nginx.pid \ 1.39 + --lock-path=$VAR_PREFIX/nginx.lock \ 1.40 + --with-luajit \ 1.41 + --with-pcre-jit \ 1.42 + --with-ipv6 \ 1.43 + --with-http_ssl_module \ 1.44 + --without-http_ssi_module \ 1.45 + --without-http_userid_module \ 1.46 + --without-http_fastcgi_module \ 1.47 + --without-http_uwsgi_module \ 1.48 + --without-http_scgi_module \ 1.49 + --without-http_memcached_module \ 1.50 + -j${NPROC} \ 1.51 + && echo "==> Building OpenResty..." \ 1.52 + && make -j${NPROC} \ 1.53 + && echo "==> Installing OpenResty..." \ 1.54 + && make install \ 1.55 + && echo "==> Finishing..." \ 1.56 + && ln -sf $NGINX_PREFIX/sbin/nginx /usr/local/bin/nginx \ 1.57 + && ln -sf $NGINX_PREFIX/sbin/nginx /usr/local/bin/openresty \ 1.58 + && ln -sf $OPENRESTY_PREFIX/bin/resty /usr/local/bin/resty \ 1.59 + && ln -sf $OPENRESTY_PREFIX/luajit/bin/luajit-* $OPENRESTY_PREFIX/luajit/bin/lua \ 1.60 + && ln -sf $OPENRESTY_PREFIX/luajit/bin/luajit-* /usr/local/bin/lua \ 1.61 + && apk del \ 1.62 + make gcc musl-dev pcre-dev openssl-dev zlib-dev ncurses-dev readline-dev curl perl \ 1.63 + && apk add \ 1.64 + libpcrecpp libpcre16 libpcre32 openssl libssl1.0 pcre libgcc libstdc++ \ 1.65 + && rm -rf /var/cache/apk/* \ 1.66 + && rm -rf /root/ngx_openresty 1.67 + 1.68 +WORKDIR $NGINX_PREFIX/ 1.69 + 1.70 +ONBUILD RUN rm -rf conf/* html/* 1.71 +ONBUILD COPY nginx $NGINX_PREFIX/ 1.72 + 1.73 +CMD ["nginx", "-g", "daemon off; error_log /dev/stderr info;"]
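
Review bot: The OpenResty source is fetched over plain HTTP and piped straight into tar with no integrity check, in the `curl -sSL http://openresty.org/download/ngx_openresty-${OPENRESTY_VERSION}.tar.gz | tar -xvz` step, so whatever arrives on the wire is what gets configured, compiled and installed into the image that will be verifying JWTs. Fetch the tarball over HTTPS, save it to a file, and compare it against a checksum pinned alongside `OPENRESTY_VERSION` before extracting, failing the build on a mismatch. Separately, on the `readonly NPROC=$(grep -c ^processor /proc/cpuinfo 2>/dev/null || 1)` line the fallback `|| 1` runs a command named `1` rather than producing the value 1; `|| echo 1` would give the intended default for `-j${NPROC}`.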