Diffstat (limited to 'roles/nginx/auth/sso/base')
-rw-r--r--roles/nginx/auth/sso/base/defaults/main.yml7
-rw-r--r--roles/nginx/auth/sso/base/tasks/main.yml6
-rw-r--r--roles/nginx/auth/sso/base/templates/nginx.snippet.j223
3 files changed, 36 insertions, 0 deletions
diff --git a/roles/nginx/auth/sso/base/defaults/main.yml b/roles/nginx/auth/sso/base/defaults/main.yml
new file mode 100644
index 00000000..4e5d9d4b
--- /dev/null
+++ b/roles/nginx/auth/sso/base/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+# nginx_sso_backends:
+# example:
+# auth_url: http://127.0.0.1:8082
+# base_url: https://login.example.com
+# foo:
+# base_url: https://login.foo.bar
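Review bot: Every line of this defaults file is a comment, so `nginx_sso_backends` stays undefined unless inventory sets it, and the `dict2items` loop in tasks/main.yml would then fail on the undefined variable. Adding a real default, `nginx_sso_backends: {}`, below the commented example makes the role a no-op when no backend is configured. The comment could also say that `auth_url` is optional and that the template falls back to `base_url` plus `/auth`, which is what the `foo` entry relies on.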
diff --git a/roles/nginx/auth/sso/base/tasks/main.yml b/roles/nginx/auth/sso/base/tasks/main.yml
new file mode 100644
index 00000000..dbae0bd4
--- /dev/null
+++ b/roles/nginx/auth/sso/base/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: generate nginx snippets
+ loop: "{{ nginx_sso_backends | dict2items }}"
+ template:
+ src: nginx.snippet.j2
+ dest: "/etc/nginx/snippets/sso-{{ item.key }}.conf"
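Review bot: The `template` task sets no `owner`, `group` or `mode`, so the permissions of the generated files under `/etc/nginx/snippets/` depend on the connecting user and its umask. For configuration that controls authentication it is worth pinning them, for example `owner: root`, `group: root` and `mode: "0644"`. The task also has no `notify`, so unless a reload is triggered elsewhere in the play (not visible in this hunk), a changed snippet does not take effect until nginx is reloaded some other way.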
diff --git a/roles/nginx/auth/sso/base/templates/nginx.snippet.j2 b/roles/nginx/auth/sso/base/templates/nginx.snippet.j2
new file mode 100644
index 00000000..f8558d59
--- /dev/null
+++ b/roles/nginx/auth/sso/base/templates/nginx.snippet.j2
@@ -0,0 +1,23 @@
+auth_request /sso-auth;
+error_page 401 = @error401;
+
+location /sso-auth {
+ internal;
+
+ proxy_pass {{ item.value.auth_url | default(item.value.base_url + '/auth') }};
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header X-Origin-URI $request_uri;
+ proxy_set_header X-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+
+location /sso-logout {
+ return 302 {{ item.value.base_url }}/logout?go=$scheme://$http_host/;
+}
+
+location @error401 {
+ return 302 {{ item.value.base_url }}/login?go=$scheme://$http_host$request_uri;
+}
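Review bot: The `go=` return address in the `/sso-logout` and `@error401` redirects is built from `$http_host`, which is the raw client-supplied Host header, so the post-login destination is request-controlled unless the SSO service restricts `go` to known domains (not visible here). Prefer `$host` together with an explicit `server_name`, or a configured canonical name, e.g. `return 302 {{ item.value.base_url }}/login?go=$scheme://$host$request_uri;`; the same applies to the `X-Host` header in `/sso-auth`. `$request_uri` is also inserted unencoded, so an original URI carrying its own query string will be split at the first `&` on the login side. Separately, when `auth_url` is unset the subrequest goes to `base_url + '/auth'` over https, and nginx does not verify upstream certificates by default, so `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` and `proxy_ssl_server_name on;` should accompany that fallback.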