add auth/nginx sample

Signed-off-by: Doug Davis <[email protected]>

Author: Doug Davis

README.md

@@ -100,6 +100,9 @@ is demonstrating.
 - [helloworld](helloworld)<br>
   Similar to [hello](hello) except this is written in golang and adds a few
   bells-n-whistles to allow you to control what it does when invoked.
+- [auth](auth)<br>
+  This shows how to setup an nginx proxy in-front of a private application
+  to ensure that only authorized people can access it.
 - [bind-app](bind-app)<br>
   This will create an instance of DB2 in the IBM Cloud and then ask Code
   Engine to bind it to an Application so we can access it from the App. The

auth/Dockerfile.app

@@ -0,0 +1,8 @@
+FROM golang:alpine
+COPY app.go /
+RUN go build -o /app /app.go
+
+# Copy the exe into a smaller base image
+FROM alpine
+COPY --from=0 /app /app
+CMD /app

auth/Dockerfile.nginx

@@ -0,0 +1,16 @@
+# A special NGINX image due to current limitations, that should be removed soon
+FROM nginxinc/nginx-unprivileged
+USER 101
+
+# call-ngninx is just a script that'll replace "NS" in the config file with
+# the proper project ID
+COPY call-nginx /
+
+# htpasswd contains the user/password info - for auth
+COPY htpasswd /etc/apache2/.htpasswd
+
+# Use our custom nginx config file
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+# At runtime, call the wrapper script to do the "NS" substitutions
+CMD ["/call-nginx"]

auth/README.md

@@ -0,0 +1,27 @@
+# Authentication Proxy
+
+This sample will show how to setup an application using `nginx` that acts
+as proxy, and authentication checker, for a secondary application. The
+secondary application is not exposed to the internet (it is "cluster local"),
+to ensure that only authorized users can access it.
+
+The nginx authentication checks are done by checking the username and password
+values that are stored in the `htpasswd` file.
+
+There is a bit of a trick here in that we need to modify our nginx config
+file to include the Code Engine subdomain name (ie. kubernetes namespace)
+as part of the proxy configuration. To do that, we'll wrapper the call to
+`nginx` at runtime with a bash script that will replace all `NS` strings
+in the nginx config file with the subdomain value we pick up from the
+`CE_SUBDOMAIN` environment variable.
+
+- - -
+
+As noted in [the main README](../README.md), this sample has two pieces:
+
+- a `build` script which will build the container image(s) used
+- a `run` script which deploys resources that use those images
+
+The main purpose of this example is the `run` script, but the `build`
+script is included for complete educational (and reuse) purposes.
+

auth/app.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+)
+
+// This func will handle all incoming HTTP requests
+func HandleHTTP(w http.ResponseWriter, r *http.Request) {
+	fmt.Fprintf(w, "You made it to the real app!\n")
+}
+
+func main() {
+	fmt.Printf("Listening on port 8080\n")
+	http.HandleFunc("/", HandleHTTP)
+	http.ListenAndServe(":8080", nil)
+}

auth/build

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# Env Vars:
+# REGISTRY: name of the image registry/namespace to store the images
+# NOCACHE: set this to "--no-cache" to turn off the Docker build cache
+#
+# NOTE: to run this you MUST set the REGISTRY environment variable to
+# your own image registry/namespace otherwise the `docker push` commands
+# will fail due to an auth failure. Which means, you also need to be logged
+# into that registry before you run it.
+
+set -ex
+export REGISTRY=${REGISTRY:-ibmcom}
+
+# Build the images
+docker build ${NOCACHE} -f Dockerfile.nginx -t ${REGISTRY}/auth-proxy .
+docker build ${NOCACHE} -f Dockerfile.app -t ${REGISTRY}/auth-app .
+
+# And push them
+docker push ${REGISTRY}/auth-proxy
+docker push ${REGISTRY}/auth-app

auth/call-nginx

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -ex
+
+# Replace all "NS" in the config file with the Code Engine subdomain (k8s ns)
+sed -i "s/NS/$CE_SUBDOMAIN/g" /etc/nginx/conf.d/default.conf
+
+# Now run nginx
+nginx-debug -g "daemon off;"

auth/htpasswd

@@ -0,0 +1,6 @@
+# Sample basic auth user/password file. The values are:
+# admin:letmein
+# user:please
+
+admin:$apr1$YH9W13n4$u9DCsxvaObzIprCR4hb37/
+user:$apr1$LxEps0ig$6kMGGh5fdKxx.mzbGzs3U/

auth/nginx.conf

@@ -0,0 +1,32 @@
+access_log /dev/stdout main;
+server {
+    listen 8080 ;
+    server_name *.codeengine.appdomain.cloud ;
+
+    location / {
+		# Send request on to Application called "app"
+		# The "NS" will be replaced by the "call-nginx" script at runtime
+        proxy_pass http://auth-app.NS.svc.cluster.local ;
+
+		# We need the Host header to point to the right Application
+        proxy_set_header Host auth-app.NS.svc.cluster.local ;
+
+		# Set some other headers
+        proxy_set_header X-Real-IP $remote_addr ;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
+
+        # Websocket stuff
+        proxy_http_version 1.1 ;
+        proxy_set_header Upgrade $http_upgrade ;
+        proxy_set_header Connection "upgrade" ;
+        proxy_set_header X-Scheme $scheme ;
+
+		# Misc stuff
+        proxy_cache_bypass $http_upgrade ;
+        proxy_redirect off ;
+
+		# Setup our Basic Auth stuff
+        auth_basic           "Protected Area" ;
+        auth_basic_user_file /etc/apache2/.htpasswd ;
+    }
+}

auth/run

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+function clean() {
+  set +ex
+  echo Cleaning...
+  (
+  ibmcloud ce app delete -n auth-proxy -f
+  ibmcloud ce app delete -n auth-app -f
+  rm -f out
+  ) > /dev/null 2>&1
+}
+
+clean
+[[ "$1" == "clean" ]] && exit 0
+
+set -ex
+
+export REGISTRY=${REGISTRY:-ibmcom}
+
+# Create our business logic app - don't expose it on the internet
+ibmcloud ce app create -n auth-app --image $REGISTRY/auth-app --cluster-local
+
+# Now create our proxy/authorization app, this one is exposed on the internet
+ibmcloud ce app create -n auth-proxy --image $REGISTRY/auth-proxy
+
+# Get its URL
+URL=$(ibmcloud ce app get -n auth-proxy -o url)
+
+# Now call the proxy app twice, first with proper credentials...
+curl -fqu user:please $URL
+
+# Now call again w/o credential, it should fail
+curl -fq $URL && echo "It was supposed to fail" && exit 1
+
+# Clean up
+clean