NGINX auth_request module support, additional service LABELs for automated setup #281
Open
runleveldev wants to merge 10 commits into main from
Conversation
Add per-service authRequired flag for HTTP services. When enabled, NGINX uses auth_request to verify authentication via the manager app before proxying requests. Unauthenticated users are redirected to the login page with a cross-domain redirect back to the original URL.

Changes:
- Add authRequired boolean to HTTPService model
- Add managerUrl field to ExternalDomain model
- Add GET /verify endpoint for NGINX auth_request subrequests
- Update NGINX template with auth_request blocks and login redirect
- Add isSafeRedirectUrl() for cross-domain redirect validation
- Update login router to allow safe cross-domain redirects
- Update container and external-domain forms with new fields
- Upgrade express-session to 1.19 for dynamic cookie domain support
- Add auth-unavailable error page for misconfigured services
- Update OpenAPI spec

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
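The cross-domain redirect in this commit is the classic open-redirect hot spot: the login page takes the original URL as a parameter and sends the user back to it, so the manager must only honour destinations that belong to one of its own configured external domains. The following is an added example, not the project's `isSafeRedirectUrl()`; it assumes the list of external domains is available as an array of apex domains and that the manager app is served from the root of its origin.

```javascript
// Added example (not the opensource-server code): validate the redirect target
// a user is sent back to after logging in, then build the login URL carrying it.

// Accept a destination only if it is a same-origin path or an absolute http(s)
// URL whose host is one of the configured external domains (or a subdomain of
// one). Everything else (javascript:, data:, protocol-relative //host, URLs with
// embedded credentials, look-alike hosts such as example.org.evil.com) is refused.
function isSafeRedirectUrl(candidate, allowedDomains) {
  if (typeof candidate !== 'string' || candidate.length === 0) return false;

  // Relative path on the manager itself: allowed, but not "//host" or "/\host",
  // which browsers treat as protocol-relative URLs to another origin.
  if (candidate.startsWith('/')) {
    return !candidate.startsWith('//') && !candidate.startsWith('/\\');
  }

  let url;
  try {
    url = new URL(candidate); // WHATWG parser: normalises case, backslashes, etc.
  } catch {
    return false; // not an absolute URL and not a plain path
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return false;
  if (url.username !== '' || url.password !== '') return false;

  const host = url.hostname; // already lower-cased by the URL parser
  return allowedDomains.some((d) => {
    const domain = String(d).toLowerCase();
    return host === domain || host.endsWith('.' + domain);
  });
}

// Build the manager's login URL. The original URL is attached as ?redirect= only
// when it passes validation; otherwise the user simply lands on the login page.
function buildLoginRedirect(managerUrl, originalUrl, allowedDomains) {
  const login = new URL('/login', managerUrl); // assumes manager lives at origin root
  if (isSafeRedirectUrl(originalUrl, allowedDomains)) {
    login.searchParams.set('redirect', originalUrl); // percent-encodes the value
  }
  return login.toString();
}

// Constructed sample run.
const DOMAINS = ['example.org'];
console.log(buildLoginRedirect('https://manager.example.org', 'https://app-web.example.org/a?b=1', DOMAINS));
console.log(isSafeRedirectUrl('https://example.org.evil.com/', DOMAINS)); // false
```

Matching on `host === domain || host.endsWith('.' + domain)` is what keeps `example.org.evil.com` out; a plain `includes()` or prefix test would let it through. Rejecting URLs with userinfo closes the `https://app.example.org@evil.com` trick, and letting the WHATWG parser decide what the hostname is avoids hand-rolled parsing disagreeing with the browser.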
Add support for named OCI labels to define multiple HTTP services with per-service configuration:
- org.mieweb.opensource-server.services.http.<name>.port
- org.mieweb.opensource-server.services.http.<name>.hostnameSuffix
- org.mieweb.opensource-server.services.http.<name>.requireAuth

The form auto-populates services from image metadata, building external hostnames as <hostname>-<suffix> and setting the auth flag. The existing default-port label remains supported for backward compatibility.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
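Image labels are untrusted input from whoever built the image, so the parser that turns them into exposed services should validate every field and report typos instead of silently ignoring them (the docs commit later in this PR adds a typo warning for exactly this reason). The following is an added example, not the project's form code; it handles only the three named labels quoted above, treats a service without a suffix as having no external hostname (an assumption, the page does not say), and does not implement the legacy default-port label.

```javascript
// Added example (not the opensource-server code): parse the named HTTP-service
// OCI labels into per-service config with validation and error reporting.
const LABEL_PREFIX = 'org.mieweb.opensource-server.services.http.';
const KNOWN_FIELDS = ['port', 'hostnameSuffix', 'requireAuth'];
// One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
const DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

// labels: object of label name -> string value (as found in image metadata).
// containerHostname: the container's own hostname, used as the external prefix.
// Returns { services: [...], errors: [...] }; services are sorted by name.
function parseServiceLabels(labels, containerHostname) {
  const byName = new Map();
  const errors = [];
  const record = (name) => {
    if (!byName.has(name)) {
      byName.set(name, { name, port: null, hostnameSuffix: null, authRequired: false });
    }
    return byName.get(name);
  };

  for (const [key, raw] of Object.entries(labels)) {
    if (!key.startsWith(LABEL_PREFIX)) continue; // unrelated label
    const rest = key.slice(LABEL_PREFIX.length);
    const dot = rest.lastIndexOf('.');
    if (dot < 1 || dot === rest.length - 1) {
      errors.push(`malformed label "${key}"`);
      continue;
    }
    const name = rest.slice(0, dot);
    const field = rest.slice(dot + 1);
    const value = String(raw).trim();

    // A misspelled field (e.g. "prot") is the most common mistake; surface it.
    if (!KNOWN_FIELDS.includes(field)) {
      errors.push(`service "${name}": unknown field "${field}" (typo?)`);
      continue;
    }
    const svc = record(name);
    if (field === 'port') {
      const port = Number(value);
      if (!/^\d+$/.test(value) || port < 1 || port > 65535) {
        errors.push(`service "${name}": invalid port "${value}"`);
      } else {
        svc.port = port;
      }
    } else if (field === 'hostnameSuffix') {
      if (!DNS_LABEL.test(value)) {
        errors.push(`service "${name}": invalid hostnameSuffix "${value}"`);
      } else {
        svc.hostnameSuffix = value.toLowerCase();
      }
    } else { // requireAuth: only the literal strings true/false are accepted
      if (value !== 'true' && value !== 'false') {
        errors.push(`service "${name}": requireAuth must be "true" or "false", got "${value}"`);
      } else {
        svc.authRequired = value === 'true';
      }
    }
  }

  const services = [];
  const sorted = [...byName.values()].sort((a, b) => a.name.localeCompare(b.name));
  for (const svc of sorted) {
    if (svc.port === null) {
      errors.push(`service "${svc.name}": no valid port, skipped`);
      continue;
    }
    // Assumption (not stated on the page): no suffix means no external hostname.
    let externalHostname = null;
    if (svc.hostnameSuffix) {
      externalHostname = `${containerHostname}-${svc.hostnameSuffix}`;
      // The combined name must itself be one valid DNS label (63-char limit).
      if (!DNS_LABEL.test(externalHostname)) {
        errors.push(`service "${svc.name}": external hostname "${externalHostname}" is not a valid DNS label`);
        continue;
      }
    }
    services.push({ name: svc.name, port: svc.port, externalHostname, authRequired: svc.authRequired });
  }
  return { services, errors };
}

// Constructed sample image metadata, including one typo and one bad port.
const SAMPLE_LABELS = {
  'org.mieweb.opensource-server.services.http.web.port': '8080',
  'org.mieweb.opensource-server.services.http.web.hostnameSuffix': 'web',
  'org.mieweb.opensource-server.services.http.web.requireAuth': 'true',
  'org.mieweb.opensource-server.services.http.api.port': '3000',
  'org.mieweb.opensource-server.services.http.api.hostnameSuffix': 'api',
  'org.mieweb.opensource-server.services.http.admin.prot': '9000',
  'org.mieweb.opensource-server.services.http.bad.port': '99999',
};
console.log(JSON.stringify(parseServiceLabels(SAMPLE_LABELS, 'myapp'), null, 2));
```

Validating the suffix and the composed `<hostname>-<suffix>` against the same DNS-label rule the models enforce (the PR moves hostname validation to a Sequelize `is` regex) means a bad label fails in the form rather than at the database, where the error would be far less readable.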
The HTTP column now displays all HTTP services for each container instead of only the first one. Each entry is a clickable link when an external URL is configured. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The /verify endpoint is called by NGINX auth_request on every proxied request. Its 401 responses for unauthenticated users were counting against the rate limit, quickly blocking legitimate traffic. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
NGINX auth_request subrequests to /verify fire on every proxied request, drowning out meaningful log entries. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
7303a30 to 1b076ef
- external-domains.md: auth server config, requirements, identity headers, cookie sharing, and Mermaid auth flow diagram
- docker-images.md: named service labels (port, hostnameSuffix, requireAuth) with examples
- database-schema.md: authRequired on HTTPServices, authServer on ExternalDomains with updated descriptions and ERD
- system-architecture.md: authenticated HTTP services sequence diagram
- containers.md: auth note under Service Exposure

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

docs: move service labels to user docs

Move the Service Labels section from developers/docker-images.md into users/creating-containers/using-environment-variables.mdx (Building Custom Templates). Add a typo warning and update cross-references.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove isValidHostname utility function and replace with Sequelize 'is' regex validation on Container.hostname and HTTPService.externalHostname. Validation now happens at the model layer instead of the router. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Remove proxy, dev, serve-with-proxy custom scripts and concurrently devDependency. The proxy-server.js file was already removed. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
6356fbe to 8907d78
Add proxy_cache for auth_request subrequests keyed on Cookie and Authorization headers. 200s cached 5m, 401s cached 30s. Cache invalidates automatically when credentials change. Revert the /verify skip from morgan and express-rate-limit since NGINX caching eliminates the high request volume to the auth server. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
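The caching commit changes the threat model of the auth gate: a cached 200 means a revoked session keeps working for up to the cache lifetime, and the cache key now contains raw credentials. The configuration below is an added example of the pattern this commit describes, not the project's NGINX template; the hostnames, the cache path, the upstream address and the `X-Auth-User` identity header name are assumptions. It goes one step beyond the commit message by adding `$host` to the cache key, so a verdict issued for one external domain cannot be served for another.

```nginx
# Added example (not the project's template). Hostnames, cache path, upstream
# address and the X-Auth-User header name are assumptions for illustration.
proxy_cache_path /var/cache/nginx/auth levels=1 keys_zone=auth_cache:1m max_size=10m inactive=10m;

server {
    listen 443 ssl;
    server_name app-web.example.org;

    # Internal-only location used by auth_request; clients cannot request it directly.
    location = /_verify {
        internal;
        proxy_pass https://manager.example.org/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI  $request_uri;
        proxy_set_header X-Original-Host $host;

        # Cache the verdict per credential: Cookie and Authorization are part of the
        # key, so a new or expired credential is a cache miss rather than a stale hit.
        # $host is added so one domain's verdict is never reused for another.
        proxy_cache auth_cache;
        proxy_cache_key "$host|$http_cookie|$http_authorization";
        proxy_cache_valid 200 5m;   # authenticated: revocation lags by up to 5 minutes
        proxy_cache_valid 401 30s;  # unauthenticated: short, so a fresh login is seen quickly
        # NGINX will not cache a response that carries Set-Cookie unless told to ignore it;
        # express-session may refresh the cookie on /verify, so ignore it here.
        proxy_ignore_headers Set-Cookie Cache-Control Expires;
    }

    location / {
        auth_request /_verify;
        # Identity header returned by /verify (name assumed), forwarded to the container.
        auth_request_set $auth_user $upstream_http_x_auth_user;
        proxy_set_header X-Auth-User $auth_user;
        # A 401 from the subrequest becomes a redirect to the manager's login page.
        error_page 401 = @login;
        proxy_pass http://10.0.0.5:8080;   # container address (assumed)
    }

    location @login {
        return 302 https://manager.example.org/login?redirect=$scheme://$host$request_uri;
    }
}
```

Two caveats a reviewer would check. First, `$request_uri` is not percent-encoded when interpolated into the `return`, so a query string in the original URL (`?a=1&b=2`) breaks the `redirect` parameter; either encode it (a `map` or njs) or have the manager rebuild the destination from `X-Original-URI` and `X-Original-Host`. Second, NGINX stores the cache key in plaintext in each cache file's header, so with this key the session cookie and any bearer token land on disk under `/var/cache/nginx/auth`; restrict that directory to the worker user and keep `inactive` short.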
Authentication updates: https://youtube.com/shorts/f5uIQzKqglQ?si=3yYa5_fx7VXXnQtQ
Ozwell Studio related automation: https://youtube.com/shorts/0cGmEpbwLF8?si=vyI6LGKLoK5BwPD3
Related to mieweb/ozwell-studio#2
Copilot Summary
This pull request introduces authentication support for HTTP services using NGINX's auth_request protocol, allowing certain HTTP endpoints to require user authentication via a configurable auth server per external domain. It also updates the data models, API, and session cookie handling to support these features. Additionally, it adds a new /verify endpoint for lightweight authentication checks and refines how HTTP services and external domains are managed and exposed.

Authentication for HTTP Services:
- Added an authRequired boolean column to the HTTPServices model and database table, enabling per-service authentication requirements. This is reflected in service creation, update, and API schemas.

External Domain Auth Server Support:
- Added an authServer string column to the ExternalDomains model and database table, allowing each domain to specify an auth server URL for use with auth_request.
- authServer field.

NGINX Auth Protocol Implementation:
- Added a /verify endpoint that implements the NGINX auth_request protocol, supporting both session and API key authentication, and returning user identity headers if authenticated.

Security and Utility Improvements:
- /verify requests for efficiency.

Dependency Update:
- Upgraded the express-session package from 1.18.2 to 1.19.0 to ensure compatibility and security.