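version: '3'
services:
  # ===========================================================================
  # sso services
  #
  # Here we provide a minimal sso installation for demo purposes that allows
  # any valid google account to log in, and hard codes the various secrets
  # required to secure communication.
  #
  # A more realistic deployment will likely require a specific organization's
  # email domain and restrict access to upstream services based on Google Group
  # membership.
  #
  # The sso-proxy service handles requests to any domain under
  # *.sso.localtest.me and the sso-auth service is available at
  # sso-auth.localtest.me.
  #
  # There are two upstream services defined below, which can be accessed at
  #   - http://hello-world.sso.localtest.me
  #   - http://httpbin.sso.localtest.me
  #
  # Review notes for anyone adapting this file beyond a local demo:
  #   - every secret below is checked in with the demo, so treat each one as
  #     known to everyone and regenerate it;
  #   - replace the wildcard email domains with your organization's domain;
  #   - serve both services over TLS and set COOKIE_SECURE=true;
  #   - pin images to a version tag or digest; `latest` is a moving tag, so
  #     the demo runs whatever image is currently published.
  # ===========================================================================
  sso-proxy:
    # change this to `build: ..` to try local changes
    image: buzzfeed/sso-dev:latest
    entrypoint: /bin/sso-proxy
    environment:
      # Allow any google account to log in for demo purposes
      - EMAIL_DOMAIN=*
      - UPSTREAM_CONFIGS=/sso/upstream_configs.yml
      - PROVIDER_URL=http://sso-auth.localtest.me
      - PROXY_PROVIDER_URL=http://host.docker.internal
      # CLIENT_ID and CLIENT_SECRET must match sso-auth's PROXY_CLIENT_ID and
      # PROXY_CLIENT_SECRET configuration. They are hard-coded demo values
      # too; rotate them together with the secrets below.
      - CLIENT_ID=aGNHd3FqWUVDb1Z0NVFVZDE4Vk8xbWhQeVdoc3pjMnU=
      - CLIENT_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
      # XXX: These secrets are for demonstration purposes only! Use
      #
      #     openssl rand -base64 32
      #
      # to generate your own.
      - AUTH_CODE_SECRET=SVM0NEFMUUlaZGxyaFVhOGxsQ0wvOFYyZTh2S2Fha1U=
      - COOKIE_SECRET=WEl0Y054TXNUN2ltTWRkazZ0YmNpRTlucXBPQUY2VHU=
      # Disable https for demo purposes.
      # NOTE(review): with this off, cookies are presumably issued without
      # the Secure attribute; set it to true whenever TLS is in front.
      - COOKIE_SECURE=false
      # TODO: these config values should probably have defaults
      - CLUSTER=dev
      - STATSD_HOST=127.0.0.1
      - STATSD_PORT=8125
      # Tells nginx-proxy service how to route requests to this service
      - VIRTUAL_HOST=*.sso.localtest.me
    volumes:
      # Mounted read-only: the container cannot rewrite its upstream list.
      - ./upstream_configs.yml:/sso/upstream_configs.yml:ro
    # `expose` only documents the port for other containers on the compose
    # network; it is not published on the host.
    expose:
      - "4180"

  sso-auth:
    # change this to `build: ..` to try local changes
    image: buzzfeed/sso-dev:latest
    entrypoint: /bin/sso-auth
    # ./env is not shown in this file.
    # NOTE(review): if it carries identity-provider credentials, keep it out
    # of version control and restrict its file permissions.
    env_file: ./env
    environment:
      # Allow any google account to log in for demo purposes
      - SSO_EMAIL_DOMAIN=*
      - HOST=sso-auth.localtest.me
      - REDIRECT_URL=http://sso-auth.localtest.me
      - PROXY_ROOT_DOMAIN=localtest.me
      # These values must match sso-proxy's CLIENT_ID and CLIENT_SECRET values
      - PROXY_CLIENT_ID=aGNHd3FqWUVDb1Z0NVFVZDE4Vk8xbWhQeVdoc3pjMnU=
      - PROXY_CLIENT_SECRET=aDducXQzK2tPY3R4TmdqTGhaYS80eGYxcTUvWWJDb2M=
      # XXX: These secrets are for demonstration purposes only! Use
      #
      #     openssl rand -base64 32
      #
      # to generate your own.
      - AUTH_CODE_SECRET=c1kxTHcyN3FwdGRiZHpZRU15TUpNdFlpb1ZEUUw5R3M=
      - COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
      # Disable https for demo purposes.
      # NOTE(review): with this off, cookies are presumably issued without
      # the Secure attribute; set it to true whenever TLS is in front.
      - COOKIE_SECURE=false
      # TODO: these config values should probably have defaults
      - CLUSTER=dev
      - STATSD_HOST=127.0.0.1
      - STATSD_PORT=8125
      # TODO: remove the need for this config value
      # (set here to the same value as COOKIE_SECRET above; regenerate both)
      - OLD_COOKIE_SECRET=V2JBZk0zWGtsL29UcFUvWjVDWWQ2UHExNXJ0b2VhcDI=
      # Tells nginx-proxy service how to route requests to this service
      - VIRTUAL_HOST=sso-auth.localtest.me,host.docker.internal
    expose:
      - "4180"

  # ===========================================================================
  # Upstream services protected by sso
  #
  # These services can be accessed at
  #   - hello-world.sso.localtest.me
  #   - httpbin.sso.localtest.me
  #
  # Neither service publishes a host port, so from outside the compose
  # network they are reached through nginx-proxy. Containers on the same
  # network can still connect to them directly, without going through sso.
  # ===========================================================================
  httpbin:
    image: mccutchen/go-httpbin:latest
    expose:
      - "8080"

  hello-world:
    # NOTE(review): confirm this image is still maintained before reusing it
    # outside the demo.
    image: tutum/hello-world:latest
    expose:
      - "80"

  # ===========================================================================
  # nginx-proxy handles routing of requests to the sso-proxy and sso-auth
  # containers. See its docs for more info:
  # https://github.com/jwilder/nginx-proxy
  # ===========================================================================
  nginx-proxy:
    image: jwilder/nginx-proxy:latest
    ports:
      # Published on every host interface. With wildcard email domains and
      # demo secrets in place, restrict this to a trusted network or firewall
      # it. Binding to loopback instead may break PROXY_PROVIDER_URL on hosts
      # where host.docker.internal cannot reach loopback-only ports.
      - "80:80"
    volumes:
      # The Docker socket lets nginx-proxy watch containers for VIRTUAL_HOST.
      # `:ro` only protects the socket file itself; a process that can open
      # the socket can still send any Docker API request, so this container
      # is effectively trusted with control of the Docker daemon. Outside a
      # demo, put a restricted Docker API proxy in between.
      - /var/run/docker.sock:/tmp/docker.sock:ro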