include an example docker-compose file, nginx.conf

Dockerfile

@@ -6,11 +6,11 @@ RUN mkdir -p /app/node_modules && chown -R node:node /app
 
 WORKDIR /app
 
-COPY --chown=node:node package.json yarn.lock ./
+COPY --chown=node:node package.json ./
 
 USER node
 
-RUN yarn install
+RUN npm install
 
 COPY --chown=node:node public public
 COPY --chown=node:node views views

README.md

@@ -65,6 +65,13 @@ sudo docker build -t auth-server .
 sudo docker run -it -p 3000:3000 -e AUTH_PASSWORD=test -e AUTH_TOKEN_SECRET=verysecret auth-server
 ```
 
+
+### Docker Compose
+
+```sh
+docker compose up
+```
+
 ## Example NGINX conf
 
 Use the following in our NGINX server conf. You should change the port number (default of `3000`) to match the port number you are running the auth server on.

default.conf

@@ -0,0 +1,65 @@
+server {
+        listen       80;
+        listen  [::]:80;
+        server_name  _;
+
+        # optional:
+        # internal redirect to /login if there is a auth failure, delete or comment this out if you don't want this behaviour and just show a generic 401 error
+        error_page 401 /login;
+
+        location / {
+            auth_request /auth;
+
+            # pass Set-Cookie headers from the subrequest response back to requestor
+            auth_request_set $auth_cookie $upstream_http_set_cookie;
+            add_header Set-Cookie $auth_cookie;
+
+            auth_request_set $auth_status $upstream_status;
+
+            root /usr/share/nginx/html;
+            try_files /index.html index index.htm;
+        }
+
+        location = /auth {
+            # internaly only, /auth can not be accessed from outside
+            internal;
+
+            # internal proxy to auth-server running on port 3000, responses expected from proxy:
+            #   2xx response = access allowed via auth_request
+            #   401 or 403 response = access denied via auth_request
+            #   anything else = error
+            proxy_pass http://auth-server:3000;
+
+            # don't pass request body to proxied server, we only need the headers which are passed on by default
+            proxy_pass_request_body off;
+
+            # there is no content length since we stripped the request body
+            proxy_set_header Content-Length "";
+
+            # let proxy server know more details of request
+            proxy_set_header X-Original-URI $request_uri;
+            proxy_set_header X-Original-Remote-Addr $remote_addr;
+            proxy_set_header X-Original-Host $host;
+        }
+
+        # these are handled by the proxy as part of the auth routines
+        location ~ ^/(login|logged-in|logout)$ {
+            proxy_pass http://auth-server:3000;
+            proxy_set_header X-Original-URI $request_uri;
+            proxy_set_header X-Original-Remote-Addr $remote_addr;
+            proxy_set_header X-Original-Host $host;
+        }
+
+        # this CSS is used by the three requests above and is served by the proxy
+        location ~* ^/(auth_style\.css|auth_padlock\.svg)$ {
+            proxy_pass http://auth-server:3000;
+        }
+
+        # optional location block
+        # if you have other location blocks, be sure to add auth_request there too otherwise these requests won't get protected, for example
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+            expires 90d;
+            log_not_found off;
+            auth_request /auth;
+        }
+}

docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  nginx:
+    image: nginx
+    container_name: nginx-auth
+    volumes:
+      - ./default.conf:/etc/nginx/conf.d/default.conf
+    ports:
+      - 80:80
+
+  auth-server:
+    build: ./
+    container_name: auth-server
+    environment:
+      - AUTH_PASSWORD=test
+      - AUTH_TOKEN_SECRET=verysecret