initial openresty/a0 configuration for ss

playbooks/entry.yml

@@ -15,4 +15,5 @@
     - { role: "relay", primary: true, tags: ["relay1"] }
     - { role: "relay", primary: false, tags: ["relay2"] }
     - { role: "scheduler", tags: ["scheduler"] }
+    - { role: "selfservice", tags: ["selfservice"] }
     - { role: "td-agent", tags: ["td-agent"] }

playbooks/roles/selfservice/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+openrestysrc: "https://openresty.org/download/openresty-1.11.2.3.tar.gz"
+openrestysrc_sha: "7a0a8570fd3eb193913eb2287f7c926b47e363f376e80c7aa332c35d0fccde69"
+openidcsrc: "https://raw.githubusercontent.com/mozilla-iam/lua-resty-openidc/master/lib/resty/openidc.lua"
+openidcsrc_sha: "28370cfa69b4b32ab121912c8aa54741e2ce2abae03481678eeddabfa334681f"

playbooks/roles/selfservice/files/nginx.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=nginx
+After=network.target
+
+[Service]
+Type=forking
+PIDFile=/run/nginx.pid
+ExecStart=/usr/local/openresty/nginx/sbin/nginx
+ExecPreStart=/usr/local/openresty/nginx/sbin/nginx -t
+ExecReload=/bin/kill -s HUP $MAINPID
+ExecStop=/bin/kill -s QUIT $MAINPID
+Restart=always
+RestartSec=60
+StartLimitInterval=0
+
+[Install]
+WantedBy=multi-user.target

playbooks/roles/selfservice/files/openidc_layer.lua

@@ -0,0 +1,61 @@
+-- Lua reference for nginx: https://github.com/openresty/lua-nginx-module
+-- Lua reference for openidc: https://github.com/pingidentity/lua-resty-openidc
+local oidc = require("resty.openidc")
+local cjson = require( "cjson" )
+
+-- Load config
+local f, e = loadfile(ngx.var.config_loader)
+if f == nil then
+  ngx.log(ngx.ERR, "can't initialize loadfile: "..e)
+end
+ok, e = pcall(f)
+if not ok then
+  ngx.log(ngx.ERR, "can't load configuration: "..e)
+end
+
+-- Authenticate with lua-resty-openidc if necessary (this will return quickly if no authentication is necessary)
+local res, err, url, session = oidc.authenticate(opts)
+
+-- Check if authentication succeeded, otherwise kick the user out
+if err then
+  if session ~= nil then
+    session:destroy()
+  end
+  ngx.redirect(opts.logout_path)
+end
+
+-- Access control: only allow specific users in (this is optional, without it all authenticated users are allowed in)
+-- (TODO: add example)
+
+-- Set headers with user info and OIDC claims for the underlaying web application to use (this is optional)
+-- These header names are voluntarily similar to Apaches mod_auth_openidc, but may of course be modified
+ngx.req.set_header("REMOTE_USER", session.data.id_token.email)
+ngx.req.set_header("X-Forwarded-User", session.data.id_token.email)
+ngx.req.set_header("OIDC_CLAIM_ACCESS_TOKEN", session.data.access_token)
+ngx.req.set_header("OIDC_CLAIM_ID_TOKEN", session.data.enc_id_token)
+ngx.req.set_header("via",session.data.id_token.email)
+
+local function build_headers(t, name)
+  for k,v in pairs(t) do
+    -- unpack tables
+    if type(v) == "table" then
+      local j = cjson.encode(v)
+      ngx.req.set_header("OIDC_CLAIM_"..name..k, j)
+    else
+      ngx.req.set_header("OIDC_CLAIM_"..name..k, tostring(v))
+    end
+  end
+end
+
+build_headers(session.data.id_token, "ID_TOKEN_")
+build_headers(session.data.user, "USER_PROFILE_")
+
+-- Flat groups, useful for some RP's that won't read JSON
+for k,v in pairs(session.data.id_token.groups) do
+  if grps == nil then
+    grps = string.gsub(cjson.encode(v), '"', '')
+  else
+    grps = string.gsub(grps.."|"..cjson.encode(v), '"', '')
+  end
+end
+ngx.req.set_header("X-Forwarded-Groups", grps)

playbooks/roles/selfservice/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart nginx
+  service:
+    name: nginx
+    state: restarted

playbooks/roles/selfservice/tasks/main.yml

@@ -0,0 +1,98 @@
+---
+- include_vars: default.yml
+- include_vars: cfoutput.yml
+- include_vars: sec.yml
+
+- name: Install packages
+  package:
+    name: "{{ item }}"
+  with_items:
+    - libreadline-dev
+    - libncurses5-dev
+    - libpcre3-dev
+    - libssl-dev
+    - perl
+    - make
+    - build-essential
+    - curl
+    - luarocks
+
+- name: Get openresty src
+  get_url:
+    url: "{{ openrestysrc }}"
+    dest: "/root/openresty.tar.gz"
+    checksum: "sha256:{{ openrestysrc_sha }}"
+  register: openrestynewsrc
+
+- name: Install openresty
+  shell: >
+    mkdir openresty && tar -C openresty --strip-components=1 -zxf openresty.tar.gz &&
+    (cd openresty && ./configure && make && make install)
+  args:
+    chdir: /root
+  when: openrestynewsrc.changed
+  notify: Restart nginx
+
+- name: Install initial version of lua-resty-openidc
+  command: luarocks install lua-resty-openidc
+  args:
+    creates: /usr/local/lib/luarocks/rocks/lua-resty-openidc
+
+- name: Create openresty log directory
+  file:
+    path: /var/log/openresty
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Update nginx configuration
+  template:
+    src: nginx.conf
+    dest: /usr/local/openresty/nginx/conf/nginx.conf
+    mode: 0644
+    owner: root
+    group: root
+  notify: Restart nginx
+
+- name: Install nginx service
+  copy:
+    src: nginx.service
+    dest: /etc/systemd/system/nginx.service
+    mode: 0644
+    owner: root
+    group: root
+  notify: Restart nginx
+
+- name: Install OIDC layer
+  copy:
+    src: openidc_layer.lua
+    dest: /usr/local/openresty/nginx/conf/openidc_layer.lua
+    mode: 0644
+    owner: root
+    group: root
+  notify: Restart nginx
+
+- name: Create resty lua site directory
+  file:
+    path: /usr/local/openresty/site/lualib/resty
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Fetch openidc lua
+  get_url:
+    url: "{{ openidcsrc }}"
+    dest: /usr/local/openresty/site/lualib/resty/openidc.lua
+    checksum: "sha256:{{ openidcsrc_sha }}"
+  notify: Restart nginx
+  
+- name: Install auth0 configuration
+  template:
+    src: config.lua
+    dest: /usr/local/openresty/nginx/conf/config.lua
+    mode: 0600
+    owner: www-data
+    group: www-data
+  notify: Restart nginx

playbooks/roles/selfservice/templates/config.lua

@@ -0,0 +1,13 @@
+-- lua-resty-openidc options
+opts = {
+  redirect_uri_path = "/redirect_uri",
+  discovery = "https://auth.mozilla.auth0.com/.well-known/openid-configuration",
+  client_id = "{{ a0clientid }}",
+  client_secret = "{{ a0clientsec }}",
+  scope = "openid email profile",
+  iat_slack = 600,
+  redirect_uri_scheme = "https",
+  logout_path = "/logout",
+  redirect_after_logout_uri = "https://{{ selfservicednszone }}/lnd",
+  refresh_session_interval = 900
+}

playbooks/roles/selfservice/templates/nginx.conf

@@ -0,0 +1,110 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /usr/local/openresty/nginx/conf/mime.types;
+	default_type application/octet-stream;
+
+	resolver 8.8.8.8;
+	lua_package_path '~/lua/?.lua;/usr/share/lua/5.1/?.lua;;';
+	lua_package_cpath '/usr/share/lua/5.1/?.so;/usr/lib64/lua/5.1/?.so;;';
+	lua_ssl_trusted_certificate "/etc/ssl/certs/ca-certificates.crt";
+	lua_ssl_verify_depth 5;
+	lua_shared_dict discovery 1m;
+	lua_shared_dict introspection 15m;
+	lua_shared_dict sessions 10m;
+
+	add_header Strict-Transport-Security max-age=15768000;
+	add_header Content-Security-Policy "default-src 'none'; img-src 'self'; font-src 'self'; style-src 'self'";
+	add_header X-Content-Type-Options nosniff;
+	add_header X-Frame-Options DENY;
+	add_header X-XSS-Protection "1; mode=block";
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/openresty/access.log;
+	error_log /var/log/openresty/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	server {
+		listen       80;
+		server_name  {{ selfservicednszone }};
+		set $session_storage shm;
+		set $session_cookie_persistent on;
+		set $session_cookie_path "/";
+		# SSI check must be off or Nginx will kill our sessions when using lua-resty-session (which we do use)
+		set $session_check_ssi off;
+		set $session_secret "{{ sessionsecret }}"; #Output of openssl rand -hex 32 for example (must be 32 characters);
+		set $config_loader "/usr/local/openresty/nginx/conf/config.lua";
+		location / {
+			access_by_lua_file "/usr/local/openresty/nginx/conf/openidc_layer.lua";
+			proxy_pass  http://127.0.0.1:81/;
+			proxy_redirect default;
+		}
+	}
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+# 
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}