BorderPatrol is an nginx module to perform authentication and session management at the border of your network.
BorderPatrol makes the assumption that you have some set of services that require authentication and a service that hands out tokens to clients to access that service. You may not want those tokens to be sent across the internet, even over SSL, for a variety of reasons. To this end, BorderPatrol maintains a lookup table of session-id to auth token in memcached.
Assumption: All content to be access via BorderPatrol requires authentication
There are three primary use cases for BorderPatrol:
- A client has an auth token in the session store and the request is forwarded to the downstream service -or-
- A client does not have an
auth_tokenfor the specified service but has a master token, a call to the auth service will be made to get a service token for the downstream service -or- - A client does not have an
auth_token, and the client is redirected to a login page which posts back to nginx, performs an auth service lookup (and returns a master token and a service token from the auth service) and, on success, creates an entry in the session store for subsequent requests.
- Client requests a protected resource via BorderPatrol
- BorderPatrol looks up the
session_idfrom the HTTP request in the SessionStore - If service token present, BorderPatrol sets the Auth-Token header to the service token and allows the request to continue to the protected resource
- Client requests a protected resource via BorderPatrol
- BorderPatrol looks up the
session_idfrom the HTTP request in the SessionStore - Record exists in cache and there is a master token but no service token for specified downstream service
- A call is made to the Auth Service using the master token to get a service token
- BorderPatrol updates the
session_id/{master_token, service_token_1, service_token_2...}pair in the SessionStore with appropriate expiry - BorderPatrol redirects with the appropriate service Auth-Token header to the protected resource
- Client requests a protected resource via BorderPatrol
- BorderPatrol looks up the
session_idfrom the HTTP request in the SessionStore - If there is a cache miss, BorderPatrol serves up a login page
- On submittal, this posts to the AuthService (via BorderPatrol)
- On successful authentication (which returns a master token and a service token for the downstream service), the AuthService sets the Auth-Token header
- BorderPatrol sets the
session_id/{master_token, service_token}pair in the SessionStore with appropriate expiry - BorderPatrol redirects with the appropriate service Auth-Token header to the protected resource
The tokens cached in the session store are a string representation of a JSON structure as follows.
{
"master_token" : "MMM",
"service_tokens" : { "service_a": "AAA", "service_b": "BBB" }
}
The token that has the key of master_token is the Master Token, and can be
used to make a call to the Auth Service to get other service tokens. Service
Tokens have a key name that corresponds to the name of the downstream service.
Join #borderpatrol on the Freenode
Ensure you are using lua51, since the Lua Nginx support is 5.1 only.
- Get homebrew
- brew install luarocks
- brew install pcre
- brew install lua
- brew install luajit
- make
- apt-get install luarocks
- make
You'll need the Test::Nginx CPAN module.
- cpan install Test::Nginx
- cpan install Test::Nginx::Socket
- make test
- bundle install
- make mocktest
- In a browser, hit localhost:4443/b/ or business.localhost:4443
make mocktest uses God to run 4 processes, on the following ports
4443Mock BorderPatrol9081Mock Authorization service9082Mock downstream service A9083Mock downstream service B9084Mock Account Service
To test and work with subdomain routing locally, ensure to update your /etc/hosts file to include subdomains to localhost.
For example:
127.0.0.1 business.localhost
127.0.0.1 enterprise.localhost
Once you stop Mocktest, sometimes you must manually kill the processes above (i.e)
pkill -9 -f nginx pkill -9 -f god pkill -9 -f shotgun