Enforce Google Authentication for Any Application with nginx and Vouch Proxy
By configuring your nginx webserver to use the auth_request
module and Vouch Proxy you can protect any website with Google Authentication.
Announcement: Lasso was renamed to Vouch Proxy in January 2019 and the project page was moved to https://github.com/vouch/vouch-proxy
Vouch Proxy, written in Go, performs a one time authentication against Google (or any other OAuth provider) and then for the next four hours (or more or less if you like) validates requests in less than 1ms using a JSON Web Token (JWT).
This is the first in a series of posts showing how to setup nginx and Vouch Proxy with a variety of OAuth providers.
Lets say you help to administer a network for an organization that uses GSuite by Google for GMail, Drive, Docs, Groups, Calendar, etc. As team members join or leave the organization you add and remove access to the organization’s Google account. At the same time you provide access to other web based tools your group uses hosted privately on your own servers.
With Nginx’s auth_request
module and Vouch Proxy, you can enforce OAuth login to GSuite. As your team members change, you can add and remove accounts via Google and be assured that proper access rights are being maintained without having to touch every application you’re running and manage access on each application individually. No Puppet, no Chef, no Ansible, no re-deployments, no running around trying to be sure you got them all.
Nginx and Vouch Proxy to the Rescue!
For every request received for private.yourcorp.com nginx first forwards the request to Lasso via the auth_request
module. Lasso reviews the request headers and responds to nginx with 200 OK
for authorized requests or with 401 Not Authorized
. Authorization takes less than 1ms.
If the request is authorized it will be forwarded through to private.yourcorp.com
If the request is not authorized then nginx 302 redirect
the end user’s browser first to Vouch Proxy, which immediately 302 redirect
the end user on to Google’s OAuth Login screen…
After successful login, Google returns the user back to Vouch Proxy. Vouch Proxy sets the JWT into a cookie and 302 redirect
back to private.yourcorp.com.
While the end user interacts with Vouch Proxy twice, its unlikely that they will even notice that Vouch Proxy was involved.
4 Easy Steps to Install Vouch and Configure Nginx
Should take less than 30 Minutes
Step 1: install Vouch Proxy
go get github.com/vouch/vouch-proxy
cd ~/go/src/github.com/vouch/vouch-proxy
go build
cp config/config.yml_example_google config/config.yml
Vouch Proxy can also be run as a Docker container
Step 2: create a Google OAuth App and configure Lasso
use Google’s developer console to generate the client_id
and the client_secret
and to set your callback_urls .
Add these to config/config.yml
Also add your top level domains and/or private domains to the vouch.domains
configuration option
Add the following to the nginx server {}
block for each webapp you’d like to secure..
Step 4: run Vouch Proxy!
./vouch-proxy
And that’s it! It really should be that easy.
But if it’s not, please do reach out to us on github or on the freenode irc channel #vouch. We‘re happy to help you get Lasso up and running.
If you find Vouch Proxy to be of use to you, please do us the kind favor of letting one other devops professional know about Vouch Proxy.
Benjamin Foote is a Systems Engineer and devops pro from Portland Oregon. During his 20 year career Ben has worked with Fortune 500 Corporations, startups and everything in between. When he’s not riding his bicycle to another meeting he can be found tending to his garden.