diff --git a/.python-version b/.python-version
index 35f236d..4eba2a6 100755
--- a/.python-version
+++ b/.python-version
@@ -1 +1 @@
-3.12.6
+3.13.0
diff --git a/FastapiOpenRestyConfigurator/requirements.txt b/FastapiOpenRestyConfigurator/requirements.txt
index aa4122a..795b288 100644
--- a/FastapiOpenRestyConfigurator/requirements.txt
+++ b/FastapiOpenRestyConfigurator/requirements.txt
@@ -1,6 +1,6 @@
-fastapi==0.115.0
-uvicorn==0.30.6
-werkzeug==3.0.6
+fastapi==0.115.5
+uvicorn==0.32.0
+werkzeug==3.1.3
 Jinja2==3.1.4
 python-dotenv==1.0.1
 gunicorn==23.0.0
diff --git a/ansible/roles/forc_api/templates/nginx.conf.j2 b/ansible/roles/forc_api/templates/nginx.conf.j2
index 1ca40a0..559cba7 100644
--- a/ansible/roles/forc_api/templates/nginx.conf.j2
+++ b/ansible/roles/forc_api/templates/nginx.conf.j2
@@ -50,27 +50,49 @@ http {
+
+ {% if FORC_SERVICE_USE_HTTPS %}
 server {
 listen {{ FORC_SERVICE_PORT }} ssl http2;
 ssl_certificate /etc/letsencrypt/live/{{ DOMAIN }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ DOMAIN }}/privkey.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers on;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
- add_header X-Frame-Options "SAMEORIGIN";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header Referrer-Policy 'strict-origin';
 ssl_stapling on;
 ssl_stapling_verify on;
- location / {
- proxy_pass http://unix:/var/run/forc.sock;
- }
+ access_by_lua_block {
+ -- Start actual openid authentication procedure
+ local res, err = require("resty.openidc").authenticate(opts2)
+ -- If it fails for some reason, escape via HTTP 500
+ if err then
+ ngx.status = 500
+ ngx.say(err)
+ ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+ end
+ ngx.req.set_header("X-Auth-Audience", res.id_token.aud)
+ ngx.req.set_header("X-Auth-Email", res.id_token.email)
+ ngx.req.set_header("X-Auth-ExpiresIn", res.id_token.exp)
+ ngx.req.set_header("X-Auth-Name", res.id_token.name)
+ ngx.req.set_header("X-Auth-Subject", res.id_token.sub)
+ ngx.req.set_header("X-Auth-Userid", res.id_token.preferred_username)
+ ngx.req.set_header("X-Auth-Username", res.id_token.preferred_username)
+ ngx.req.set_header("X-Auth-Locale", res.id_token.locale)
+
+ }
 }
+ }
+ {% else %}
+server {
+ listen {{ FORC_LOCAL_IP }}:{{ FORC_SERVICE_PORT }};
+ location / {
+ proxy_pass http://unix:/var/run/forc.sock;
+ }
+}
+ {% endif %}
+
 server {
 listen 0.0.0.0:80 default_server;
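Review bot: The HTTPS server block loses `ssl_prefer_server_ciphers on;` and the `Strict-Transport-Security`, `X-Frame-Options`, `X-Content-Type-Options` and `Referrer-Policy` headers, and nothing in the hunk re-adds them, so TLS clients no longer get HSTS or clickjacking/MIME-sniffing protection — unless they were moved to a part of the template outside this hunk, they should stay inside the `{% if FORC_SERVICE_USE_HTTPS %}` server. In `access_by_lua_block`, `ngx.say(err)` returns the resty.openidc error text to the client; log it server-side and send a generic body instead, e.g. `ngx.log(ngx.ERR, "openidc authenticate failed: ", err)` followed by `ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)` with no `ngx.say`. The same hunk removes `location / { proxy_pass http://unix:/var/run/forc.sock; }` from the HTTPS server without a replacement, and an added `}` follows the context `}` that closes that server, which looks like an unbalanced brace — please confirm against the rendered config with `nginx -t`. `opts2` is not defined in this hunk; presumably it comes from an init block outside the view, so it is worth a comment naming where it is set. The `{% else %}` server proxies client requests straight through, so if the backend trusts the `X-Auth-*` headers they should be cleared on that path as well (`proxy_set_header X-Auth-Email "";` and likewise for the other names).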
diff --git a/ansible/roles/forc_api/vars/main.yml b/ansible/roles/forc_api/vars/main.yml
index 3ebb28d..7ed8fc9 100644
--- a/ansible/roles/forc_api/vars/main.yml
+++ b/ansible/roles/forc_api/vars/main.yml
@@ -30,6 +30,11 @@ FORC_TEMPLATE_PATH: "/var/forc/template_path/"
 # The Port on which OpenResty will bind forc to.
 FORC_SERVICE_PORT: 5000
+# If Forc Service will use HTTPs -- if not FORC_LOCAL_NETWORK must be provided
+FORC_SERVICE_USE_HTTPS: true
+
+#IF Forc Service does not use https needs to provided to allow requests only for the local reachable ip
+FORC_LOCAL_IP: ""
 # Set this to no if you don't use certbot for autogenerating ssl certs.
 CERTBOT_USED: "yes"
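Review bot: The comment on `FORC_SERVICE_USE_HTTPS` refers to `FORC_LOCAL_NETWORK`, but the variable the template reads is `FORC_LOCAL_IP`; change it to `# If Forc Service will use HTTPS -- if not, FORC_LOCAL_IP must be provided`. `FORC_LOCAL_IP` defaults to `""`, and with `FORC_SERVICE_USE_HTTPS: false` the nginx template appears to render `listen :5000;`, which nginx will most likely reject, so either leave it undefined and add an `assert` task in the role that checks it is set when HTTPS is off, or document that the play must override it. Because the plain-HTTP branch performs no OpenID authentication, the second comment should also state that this must be a host-local or private address, and it has a typo: `needs to provided` → `needs to be provided`.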