Update project structure to use a src/ directory layout and improve documentation across multiple files. - Update README.md build command to use ./src - Add directory structure documentation - Update status endpoint to include DB health status - Add pagination support (limit/offset) to whitelist list endpoints - Document new query parameters with examples - Update deployment guide to mark API token as required - Add testing instructions - Clarify audit log rotation in design documentation
114 lines
2.3 KiB
Markdown
114 lines
2.3 KiB
Markdown
# Deployment Instructions
|
|
|
|
## Prerequisites
|
|
|
|
- Docker (v19+)
|
|
- Docker Compose (v2+)
|
|
- NGINX (with auth_request module)
|
|
|
|
## Build
|
|
|
|
```bash
|
|
docker build -t db123/auth-proxy:latest .
|
|
```
|
|
or
|
|
```bash
|
|
docker pull git.yejayekhoob.com/db123/auth-proxy:latest
|
|
```
|
|
|
|
## Run
|
|
|
|
```bash
|
|
docker-compose up -d
|
|
```
|
|
|
|
## NGINX integration
|
|
|
|
### 1. Create the auth-proxy include file
|
|
|
|
```nginx
|
|
# /etc/nginx/snippets/auth-proxy.conf
|
|
#
|
|
# This is the shared auth_request configuration. Include it in any
|
|
# server block that needs authentication.
|
|
#
|
|
# Important: we use X-Real-IP (set by NGINX) rather than
|
|
# X-Forwarded-For. X-Forwarded-For is client-controlled and can be
|
|
# spoofed. If you need a CDN, configure the realip module instead
|
|
# of trusting the header.
|
|
|
|
location = /_auth_proxy {
|
|
location = /_auth_proxy {
|
|
internal;
|
|
|
|
proxy_pass_request_body on;
|
|
proxy_set_header Content-Length "";
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Original-Host $host;
|
|
proxy_set_header X-Original-URI $request_uri;
|
|
proxy_set_header Authorization $http_authorization;
|
|
|
|
proxy_pass http://auth-proxy:8080/auth;
|
|
}
|
|
```
|
|
|
|
### 2. Apply the include to sensitive server blocks
|
|
|
|
```nginx
|
|
server {
|
|
listen 443 ssl;
|
|
server_name phpmyadmin.yejayekhoob.com;
|
|
|
|
include /etc/nginx/snippets/auth-proxy.conf;
|
|
|
|
location / {
|
|
auth_request /_auth_proxy;
|
|
auth_request_set $auth_status $upstream_status;
|
|
|
|
proxy_pass http://phpmyadmin:80/;
|
|
# ... other proxy settings ...
|
|
}
|
|
}
|
|
```
|
|
|
|
### 3. Test and reload
|
|
|
|
```bash
|
|
nginx -t
|
|
nginx -s reload
|
|
```
|
|
|
|
## Environment variables
|
|
|
|
| Variable | Description | Default |
|
|
|----------|-------------|---------|
|
|
| AUTH_PROXY_PORT | HTTP listen port | 8080 |
|
|
| AUTH_PROXY_API_TOKEN | API bearer token | (required) |
|
|
| AUTH_PROXY_DB_PATH | SQLite database path | /data/auth-proxy.db |
|
|
| DATA_DIR | Data directory | /data |
|
|
| CLEANUP_INTERVAL | Cleanup interval | 60s |
|
|
|
|
## Testing
|
|
|
|
```bash
|
|
go test ./src/...
|
|
```
|
|
|
|
## Graceful shutdown
|
|
|
|
```bash
|
|
docker-compose down
|
|
```
|
|
|
|
The service waits up to 30 seconds for in-flight requests to complete.
|
|
|
|
## Hardened deployment
|
|
|
|
For production, use the Dockerfile from this repository. It:
|
|
|
|
- Builds the binary in a separate stage (smaller image).
|
|
- Runs the service as a non-root user.
|
|
- Drops all Linux capabilities.
|
|
- Sets the no-new-privileges flag.
|
|
- Mounts /tmp as tmpfs (no persistence).
|