Files
auth-proxy/docs/deploy.md

113 lines
2.3 KiB
Markdown

# Deployment Instructions
## Prerequisites
- Docker (v19+)
- Docker Compose (v2+)
- NGINX (with auth_request module)
## Build
```bash
docker build -t db123/auth-proxy:latest .
```
or
```bash
docker pull git.yejayekhoob.com/db123/auth-proxy:latest
```
## Run
```bash
docker-compose up -d
```
## NGINX integration
### 1. Create the auth-proxy include file
```nginx
# /etc/nginx/snippets/auth-proxy.conf
#
# This is the shared auth_request configuration. Include it in any
# server block that needs authentication.
#
# Important: we use X-Real-IP (set by NGINX) rather than
# X-Forwarded-For. X-Forwarded-For is client-controlled and can be
# spoofed. If you need a CDN, configure the realip module instead
# of trusting the header.
location = /_auth_proxy {
internal;
proxy_pass_request_body on;
proxy_set_header Content-Length "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-Host $host;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header Authorization $http_authorization;
proxy_pass http://auth-proxy:8080/auth;
}
```
### 2. Apply the include to sensitive server blocks
```nginx
server {
listen 443 ssl;
server_name phpmyadmin.yejayekhoob.com;
include /etc/nginx/snippets/auth-proxy.conf;
location / {
auth_request /_auth_proxy;
auth_request_set $auth_status $upstream_status;
proxy_pass http://phpmyadmin:80/;
# ... other proxy settings ...
}
}
```
### 3. Test and reload
```bash
nginx -t
nginx -s reload
```
## Environment variables
| Variable | Description | Default |
|----------|-------------|---------|
| AUTH_PROXY_PORT | HTTP listen port | 8080 |
| AUTH_PROXY_API_TOKEN | API bearer token | (required) |
| AUTH_PROXY_DB_PATH | SQLite database path | /data/auth-proxy.db |
| DATA_DIR | Data directory | /data |
| CLEANUP_INTERVAL | Cleanup interval | 60s |
## Testing
```bash
go test ./src/...
```
## Graceful shutdown
```bash
docker-compose down
```
The service waits up to 30 seconds for in-flight requests to complete.
## Hardened deployment
For production, use the Dockerfile from this repository. It:
- Builds the binary in a separate stage (smaller image).
- Runs the service as a non-root user.
- Drops all Linux capabilities.
- Sets the no-new-privileges flag.
- Mounts /tmp as tmpfs (no persistence).