nginx Changelog

http://code.secondbit.org/nginx/ en-us nginx Changelog nginx Changelog [default] Make nginx kubernetes-ready. http://code.secondbit.org/nginx/rev/ac9c19126939 http://code.secondbit.org/nginx/rev/ac9c19126939 changeset ac9c19126939 branch default bookmark tag tip user Paddy <paddy@secondbit.org> description Make nginx kubernetes-ready.

We had to update to use a ubuntu-based image to build nginx into, because (and I
kid you not) alpine linux straight-up ignores your resolv.conf file, meaning any
attempt to use it with kubernetes DNS is doomed to fail. Who thought this was a
good idea?

So we're using a bloated image instead. Oh well.

We also are running a wrapper script instead of nginx directly, so we can inject
the JWT_SECRET environment variable based on a kubernetes secret file.

We define the secret file (using a placeholder secret, obvs) so that
future-Paddy can remember what the hell it looks like, when he inevitably loses
the file and needs to sin up a new cluster. Or whatever.

Finally, we updated the token expiration error message to be in an errors array,
as God (and our API conventions) intended. files Dockerfile
nginx-jwt.lua
secrets/jwt.json
wrapper.sh
]]> Paddy <paddy@secondbit.org> Tue, 30 Jun 2015 00:27:03 -0400 First basic pass at JWT auth. http://code.secondbit.org/nginx/rev/68478c1bddde http://code.secondbit.org/nginx/rev/68478c1bddde changeset 68478c1bddde branch bookmark tag user Paddy <paddy@secondbit.org> description First basic pass at JWT auth.

Mostly just a fork of https://github.com/ficusio/openresty, with a few twists:

* We've narrowed down some of the configuration options, and we're passing more
headers (essentially exposing all the data in the JWT as headers).
* We no longer automatically return a 401 unauthorized if the JWT verification
fails; we just don't assign it the headers. The consuming service can decide
whether or not they want to accept the request.
* We automatically fail the verification of a JWT if the token has expired in
the last minute (or shouldn't be used for the next minute). If the token has
expired, we return a 401 that our clients can catch and use a refresh token
automatically from. If the token can't be used for another minute, we quietly
just refuse to add auth headers to the request. files Dockerfile
README.md
jwt-lib/basexx.lua
jwt-lib/resty/hmac.lua
jwt-lib/resty/jwt.lua
nginx-jwt.lua
]]> Paddy <paddy@secondbit.org> Mon, 22 Jun 2015 00:42:40 -0400