Nginx recipe: authorization via ESIA

To set up authorization via ESIA we need nginx itself plus the modules encrypted-session, headers-more, auth_request, uuid4, set-misc, echo, json, sign and jwt. (I link to my forks because I made some changes that have not yet been merged into the original repositories. You can also use the ready-made image.)

First, the session encryption key:

    encrypted_session_key "abcdefghijklmnopqrstuvwxyz123456";   # 32 bytes; use your own random key

Next, just in case, drop any Authorization header the client sends:

    more_clear_input_headers Authorization;

Now we protect everything with authorization:

    auth_request /auth;

    location = /auth {
        internal;
        set_decode_base64 $auth_decode $cookie_auth;                  # Auth cookie -> raw ciphertext
        set_decrypt_session $auth_decrypt $auth_decode;               # decrypt; empty if tampered or expired
        if ($auth_decrypt = "") {
            return 401 UNAUTHORIZED;                                  # no valid session
        }
        more_set_input_headers "Authorization: Basic $auth_decrypt";  # basic credentials (this is what fills $remote_user)
        echo -n OK;                                                   # authorized
    }

For an authorized user we serve the contents of their own folder:

    location / {
        alias html/$remote_user/;
    }

Without authorization we redirect to ESIA:

    error_page 401 = @error401;

    location @error401 {
        set $client_id YOUR_CLIENT_ID;                                # placeholder: the client_id ESIA issued to your system
        set $scope openid;                                            # requested scope
        uuid4 $state;                                                 # random state for this request
        set_formatted_local_time $timestamp "%Y.%m.%d %H:%M:%S %z";   # timestamp in the format ESIA expects
        sign_certificate /data/nginx/esia.crt;                        # certificate registered in ESIA
        sign_certificate_key /data/nginx/esia.key;                    # its private key
        sign_set $client_secret $scope$timestamp$client_id$state;     # client_secret = signature over scope+timestamp+client_id+state
        set_escape_uri $access_type_escape online;                    # access_type
        set_escape_uri $client_id_escape $client_id;                  # client_id
        set_escape_uri $client_secret_escape $client_secret;          # client_secret
        set_escape_uri $request_uri_escape $request_uri;              # where the user wanted to go
        set_escape_uri $redirect_uri_escape $scheme://$server_name:$server_port/login?request_uri=$request_uri_escape;   # return address
        set_escape_uri $response_type_escape code;                    # response_type
        set_escape_uri $scope_escape $scope;                          # scope
        set_escape_uri $state_escape $state;                          # state
        set_escape_uri $timestamp_escape $timestamp;                  # timestamp
        return 303 https://esia.gosuslugi.ru/aas/oauth2/ac?access_type=$access_type_escape&client_id=$client_id_escape&client_secret=$client_secret_escape&redirect_uri=$redirect_uri_escape&response_type=$response_type_escape&scope=$scope_escape&state=$state_escape&timestamp=$timestamp_escape;   # off to ESIA
    }
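The redirect assembled above, worked through in Python as an added example (not code from the article or from the nginx modules it uses). It reproduces the timestamp format, the string that gets signed, and the two layers of percent-encoding, and shows why the inner layer matters: `request_uri` is escaped once and embedded in `redirect_uri`, then `redirect_uri` is escaped again with the other parameters, so after ESIA decodes it once and the browser comes back to `/login`, `set_unescape_uri` yields the original path intact even when it contains `?` or `&`. The signing step is a stand-in: `sign_set` signs with the certificate registered in ESIA, whereas the example uses an HMAC with a constructed secret so that it runs offline. `MYSYS`, `app.example` and the state value in the usage are constructed.

```python
import base64
import datetime
import hashlib
import hmac
import urllib.parse
import uuid

# Endpoint from the config above.
ESIA_AUTH_URL = "https://esia.gosuslugi.ru/aas/oauth2/ac"
# Constructed secret for the stand-in signer below (not part of the article).
STAND_IN_SECRET = b"example-only-not-an-esia-key"


def escape_uri(value: str) -> str:
    """Same effect as set_escape_uri: percent-encode everything except unreserved chars."""
    return urllib.parse.quote(value, safe="")


def esia_timestamp(now: datetime.datetime) -> str:
    """set_formatted_local_time $timestamp "%Y.%m.%d %H:%M:%S %z" (needs a tz-aware datetime)."""
    if now.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset for %z")
    return now.strftime("%Y.%m.%d %H:%M:%S %z")


def stand_in_sign(message: str) -> str:
    """Stand-in for sign_set. The nginx module signs with the certificate registered in
    ESIA; an HMAC over a constructed secret is used here only so the block runs offline."""
    mac = hmac.new(STAND_IN_SECRET, message.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def build_authorization_redirect(client_id, request_uri, scheme, server_name, server_port,
                                 now, state=None):
    """Assemble the 303 target exactly as location @error401 does."""
    scope = "openid"
    state = state or str(uuid.uuid4())                      # uuid4 $state
    timestamp = esia_timestamp(now)
    # sign_set $client_secret $scope$timestamp$client_id$state
    client_secret = stand_in_sign(f"{scope}{timestamp}{client_id}{state}")
    # First escaping layer: $request_uri_escape, embedded in redirect_uri's query string.
    redirect_uri = (f"{scheme}://{server_name}:{server_port}/login"
                    f"?request_uri={escape_uri(request_uri)}")
    params = [
        ("access_type", "online"), ("client_id", client_id), ("client_secret", client_secret),
        ("redirect_uri", redirect_uri), ("response_type", "code"), ("scope", scope),
        ("state", state), ("timestamp", timestamp),
    ]
    # Second layer: every value, redirect_uri included, is escaped once more.
    return ESIA_AUTH_URL + "?" + "&".join(f"{k}={escape_uri(v)}" for k, v in params)


def parse_params(url: str) -> dict:
    """Query parameters decoded once, i.e. as ESIA sees them."""
    query = urllib.parse.urlsplit(url).query
    return {k: v[0] for k, v in urllib.parse.parse_qs(query, keep_blank_values=True).items()}


def request_uri_after_roundtrip(redirect_url: str) -> str:
    """ESIA decodes redirect_uri once and sends the browser there; nginx then reads the
    still-escaped $arg_request_uri, and set_unescape_uri restores the original path."""
    redirect_uri = parse_params(redirect_url)["redirect_uri"]              # decoded once by ESIA
    login_query = urllib.parse.urlsplit(redirect_uri).query
    raw_arg = dict(p.split("=", 1) for p in login_query.split("&"))["request_uri"]  # $arg_request_uri
    return urllib.parse.unquote(raw_arg)                                    # set_unescape_uri


if __name__ == "__main__":
    when = datetime.datetime(2019, 6, 24, 12, 30, 0,
                             tzinfo=datetime.timezone(datetime.timedelta(hours=3)))
    url = build_authorization_redirect("MYSYS", "/reports/2019?q=1&x=y", "https",
                                       "app.example", 443, when)
    print(url)
    print("request_uri after round trip:", request_uri_after_roundtrip(url))
```

Without the inner `set_escape_uri` on `$request_uri`, the `?` and `&` inside the original path would be interpreted as part of the `/login` query string on the way back, and the user would land on a truncated path.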

After the user has successfully authorized in ESIA, they are redirected back to the return address:

    location = /login {
        auth_request off;                                             # this location is reachable without a session
        auth_jwt_key /data/nginx/esia.pub file;                       # ESIA public key used to verify the code
        auth_jwt $arg_code;                                           # the code parameter is a JWT signed by ESIA
        json_loads $jwt_grant_json $jwt_grant;                        # parse the claims
        json_dumps $oid $jwt_grant_json urn:esia:sbj urn:esia:sbj:oid;   # extract the oid
        try_files "" /try?username=$oid;                              # hand the oid to the internal /try location
    }

    location = /try {
        internal;
        if ($arg_username = "") {
            return 401 UNAUTHORIZED;                                  # no oid in the token
        }
        encrypted_session_expires 43200;                              # session lifetime 12 hours (12 * 60 * 60 = 43200)
        set_secure_random_alphanum $password 8;                       # random password for basic auth
        set $username_password ESIA-$arg_username:$password;          # basic credentials
        set_encode_base64 $username_password_encode $username_password;   # basic credentials, base64
        set_encrypt_session $auth_encrypt $username_password_encode;  # encrypt them
        set_encode_base64 $auth_encode $auth_encrypt;                 # base64 again for the cookie
        add_header Set-Cookie "Auth=$auth_encode; Max-Age=43200";     # cookie lives 12 hours (12 * 60 * 60 = 43200)
        set $arg_request_uri_or_slash $arg_request_uri;               # where the user originally wanted to go
        set_if_empty $arg_request_uri_or_slash "/";                   # or the root if nothing was passed
        set_unescape_uri $request_uri_unescape $arg_request_uri_or_slash;   # undo the escaping
        return 303 $request_uri_unescape;                             # send them there
    }
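The session minted in `/try` and checked in `/auth`, traced in Python as an added example (not code from the article). The encrypted-session module encrypts with AES-256, adds an integrity check and embeds the expiry; the stand-in below uses an HMAC over expiry and value so that the block runs with the standard library, and keeps the behaviour the config depends on: tampered or expired input yields an empty value, which `/auth` turns into a 401, while a good value becomes the Basic credential from which nginx derives `$remote_user` as `ESIA-<oid>`. The example also adds `Path`, `Secure` and `HttpOnly` to the cookie and refuses a `request_uri` that is not a local path before the final 303, two checks the config above does not make. The oid and password in the usage are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import string
import time
import urllib.parse
from typing import Optional

# The 32-byte key from encrypted_session_key on the page (a placeholder there as well).
SESSION_KEY = b"abcdefghijklmnopqrstuvwxyz123456"
SESSION_TTL = 43200  # encrypted_session_expires and Max-Age: 12 * 60 * 60
ALNUM = string.ascii_letters + string.digits


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def seal(value: bytes, key: bytes, ttl: int, now: Optional[int] = None) -> bytes:
    """Stand-in for set_encrypt_session: binds an expiry to the value and authenticates
    both with HMAC-SHA256 (the nginx module uses AES-256 with an integrity check)."""
    body = (_now(now) + ttl).to_bytes(8, "big") + value
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_sealed(token: bytes, key: bytes, now: Optional[int] = None) -> bytes:
    """Stand-in for set_decrypt_session: b'' on a bad tag or after expiry."""
    if len(token) < 40:
        return b""
    tag, body = token[:32], token[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return b""
    if _now(now) >= int.from_bytes(body[:8], "big"):
        return b""
    return body[8:]


def mint_auth_cookie(oid: str, now: Optional[int] = None, password: Optional[str] = None) -> str:
    """location = /try: turn the oid taken from the ESIA code into the Auth cookie value."""
    if not oid:
        raise ValueError("empty oid: return 401 UNAUTHORIZED")
    if password is None:  # set_secure_random_alphanum $password 8
        password = "".join(secrets.choice(ALNUM) for _ in range(8))
    credential = f"ESIA-{oid}:{password}".encode()                 # set $username_password
    credential_b64 = base64.b64encode(credential)                  # set_encode_base64
    sealed = seal(credential_b64, SESSION_KEY, SESSION_TTL, now)   # set_encrypt_session
    return base64.b64encode(sealed).decode()                       # set_encode_base64 -> Auth=


def set_cookie_header(cookie_value: str) -> str:
    """The Set-Cookie line from the page, plus Path/Secure/HttpOnly added in this example."""
    return f"Auth={cookie_value}; Max-Age={SESSION_TTL}; Path=/; Secure; HttpOnly"


def remote_user_from_cookie(cookie_value: str, now: Optional[int] = None) -> Optional[str]:
    """location = /auth: None means 401; otherwise the $remote_user nginx would derive."""
    try:
        sealed = base64.b64decode(cookie_value, validate=True)     # set_decode_base64
    except ValueError:
        return None
    credential_b64 = open_sealed(sealed, SESSION_KEY, now)         # set_decrypt_session
    if not credential_b64:
        return None                                                # if ($auth_decrypt = "") -> 401
    # more_set_input_headers "Authorization: Basic $auth_decrypt": nginx takes
    # $remote_user from the decoded credential up to the first ':'.
    try:
        decoded = base64.b64decode(credential_b64, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def redirect_target(arg_request_uri: str) -> str:
    """set_if_empty "/" then set_unescape_uri; additionally refuses targets that are not a
    local path (absolute URLs, scheme-relative '//host'), a check the page does not make."""
    target = urllib.parse.unquote(arg_request_uri) if arg_request_uri else "/"
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return "/"
    return target


if __name__ == "__main__":
    cookie = mint_auth_cookie("1000123456")                        # constructed oid
    print(set_cookie_header(cookie))
    print("remote_user:", remote_user_from_cookie(cookie))
    print("redirect to:", redirect_target("%2Freports%2F2019%3Fq%3D1"))
```

The credential inside the cookie is only a per-session random password paired with the oid; its job is to make `$remote_user` available to the `alias html/$remote_user/` location, so the strength of the scheme rests on the session key staying secret and on the expiry being enforced, both of which the decrypt step checks.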

Source: https://habr.com/ru/post/456538/