reorganized

i believe everything works

apps/vouch/config.sample.yml

@@ -0,0 +1,57 @@
+# https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example
+
+vouch:
+  # logLevel: debug # VOUCH_LOGLEVEL
+  logLevel: debug
+
+  # testing: false - VOUCH_TESTING
+  # force all 302 redirects to be rendered as a webpage with a link
+  # if you're having problems, turn on testing
+#   testing: true
+
+  listen: 0.0.0.0  # VOUCH_LISTEN
+  port: 9090       # VOUCH_PORT
+  
+  # document_root - VOUCH_DOCUMENT_ROOT
+  # see README for `Vouch Proxy "in a path"` - https://github.com/vouch/vouch-proxy#vouch-proxy-in-a-path
+  document_root: /vouch
+
+  # domains - VOUCH_DOMAINS
+  # each of these domains must serve the url https://vouch.$domains[0] https://vouch.$domains[1] ...
+  # so that the cookie which stores the JWT can be set in the relevant domain
+  # you usually *don't* want to list every individual website that will be protected
+  # if you have siteA.internal.yourdomain.com and siteB.internal.yourdomain.com 
+  # then your domains should be set as yourdomain.com or perhaps internal.yourdomain.com   
+  # usually you'll just have one.
+  # Comment `domains:` out if you set allowAllUser:true
+  domains:
+  - rpg.ascorrea.com
+  - localhost
+  
+  # whiteList (optional) allows only the listed usernames - VOUCH_WHITELIST
+  # usernames are usually email addresses (google, most oidc providers) or login/username for github and github enterprise
+  whiteList:
+  - anthonyscorrea@gmail.com
+  - anthony@correa.co
+  - bridgetcrase@gmail.com
+  - brandonmboo@gmail.com
+  - acorre20@gmail.com
+  
+oauth:
+
+  # Google
+  provider: google
+  # create new credentials at:
+  # https://console.developers.google.com/apis/credentials
+  client_id: ...
+  client_secret: ...
+  callback_urls:
+    - https://rpg.ascorrea.com/vouch/auth
+    - https://localhost/vouch/auth
+
+  # preferredDomain: yourdomain.com
+  # optionally set scopes, defaults to 'email'
+  # https://developers.google.com/identity/protocols/googlescopes#google_sign-in
+  # scopes:
+  #  - email
+  

apps/vouch/vouch.nginx.conf

@@ -0,0 +1,22 @@
+# https://github.com/vouch/vouch-proxy#vouch-proxy-in-a-path
+
+location /vouch {
+      proxy_pass http://vouch:9090/vouch; # must not! have a slash at the end
+      proxy_set_header Host $http_host;
+      proxy_pass_request_body off;
+      proxy_set_header Content-Length "";
+      
+      # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
+      auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+
+      # these return values are used by the @error401 call
+      auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+      auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+      auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+
+location @error401 {
+        # redirect to Vouch Proxy for login
+        return 302 https://$host/vouch/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+    }