OpenResty proxy with the following features:
- LetsEncrypt HTTPS
- SSO via nginx auth requests
- Simple static site hosting (with optional path proxying)
- Dynamic config updates via Gomplate remote datasources

A Docker image is available on Docker Hub.

The nginx config is generated from the YAML structure using Gomplate.
Gomplate supports many kinds of datasources (local file, remote file over HTTP, git, you name it!).

By default the proxy expects the config file at `/etc/lurch/apps.yaml`.
This can be modified with env:
- `APPS_CONFIG_PATH`

Alternatively the config can be passed directly as env with:
- `APPS_CONFIG_YAML`

The config looks like this:
```yaml
---
services:
  - name: my-service
    subdomains:
      - name: www
        enabled: 'true'
        enableClientCerts: false
        enableSsl: true
        baseUrl: local.foo.bar
    origin:
      type: remote
      port: 9111
      host: app.upstream.com
```
See `test/apps.yaml` for examples.

Sending a SIGHUP to the container will rebuild the template and reload OpenResty.

An app can have multiple subdomains.

Top level options

Top level options | Required | Default | Description |
---|---|---|---|
workerConnections | false | 1024 | Number of worker connections |
proxyReadTimeout | false | 120 | Read timeout to upstream |
proxySendTimeout | false | 120 | Send timeout to upstream |
sendTimeout | false | 120 | Send timeout |
readTimeout | false | 120 | Read timeout |
authRequestRedirect | false | | Where to redirect to if auth request fails |
authRequestUpstream | false | | Where to send auth requests to |
authRequestCookie | false | | Name of cookie to take bearer token from |
letsEncrypt.endpoint | false | | Endpoint for LetsEncrypt |
resolver | false | | DNS resolver IP |

`service` options

Service options | Required | Default | Description |
---|---|---|---|
name | true | | The service name |
subdomains | true | | The subdomains for the service |
origin | true | | The origin settings for the service |

`subdomain` options explained

Subdomain options | Required | Default | Description |
---|---|---|---|
name | true | | The subdomain |
enabled | true | | Whether or not the domain is visible |
enableSsl | true | | Whether or not to apply SSL server side |
enableLetsEncrypt | false | false | Whether or not to apply auto SSL |
enableSso | false | false | Whether or not to shield with single-sign-on |
enableClientCerts | true | | Whether or not to require client SSL cert as well |
baseUrl | true | | Base domain for the subdomain |
port | false | 443 | The port to listen on publicly for this domain |
clientMaxBodySize | false | 20m | Max upload body size |

`origin` options

If `origin.type` = "remote"

Remote options | Required | Default | Description |
---|---|---|---|
host | true | | The host to proxy to |
port | true | | The port to proxy to |

If `origin.type` = "local"

Local options | Required | Default | Description |
---|---|---|---|
root | true | | The root dir where the files are hosted |
errorPages | false | | Error pages config |
pathRules | false | | Array of pathRules |

`pathRules` options explained

Path Rules options | Required | Default | Description |
---|---|---|---|
type | true | | One of [ prefix ] |
path | true | | The URL path to apply the rule to |
stripPath | false | | Strip the path value when proxying requests |
origin | true | | Origin object |

Example yaml:

```yaml
type: prefix
path: "/api/"
stripPath: true
origin:
  type: remote
  host: nginx-api.web
  port: 80
```

`errorPages` options explained

This is an object whose keys are HTTP status codes.
The value for each status code is an object with one property, `file`.

```yaml
'404':
  file: 404.html
```

NOTE: A subdomain of 'www' will also be available at 'foo.bar', or whatever `baseUrl` is set to.

```yaml
---
services:
  - name: static
    subdomains:
      - name: static
        enabled: 'true'
        baseUrl: test.com
        enableSsl: false
        port: 80
    origin:
      type: local
      root: "/data/static/html"
      fallbacks:
        - "/index.html;"
      errorPages:
        '404':
          file: "/404.html"
      pathRules:
        - type: prefix
          path: "/api/"
          stripPath: true
          origin:
            type: remote
            host: backend.web
            port: 80
```
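
A config can be checked against the option tables above before it is loaded or a SIGHUP is sent. The validator below is an added example, not part of lurch: the required keys are copied from this README's tables, the config is passed as the dict a YAML loader would return, and the function names and the SSO-without-SSL check are assumptions of the example.

```python
# Added example (not lurch code); required keys are copied from this README's option tables.
REQUIRED = {
    "service": ("name", "subdomains", "origin"),
    "subdomain": ("name", "enabled", "enableSsl", "enableClientCerts", "baseUrl"),
    "remote": ("host", "port"),
    "local": ("root",),
    "pathRule": ("type", "path", "origin"),
}

def missing(kind, obj, where):
    return [f"{where}: missing required '{k}'" for k in REQUIRED[kind] if k not in obj]

def check_origin(origin, where):
    otype = origin.get("type")
    if otype not in ("remote", "local"):
        return [f"{where}: type must be 'remote' or 'local', got {otype!r}"]
    problems = missing(otype, origin, where)
    rules = origin.get("pathRules", []) if otype == "local" else []  # local origins only
    for i, rule in enumerate(rules):
        rwhere = f"{where}.pathRules[{i}]"
        problems += missing("pathRule", rule, rwhere)
        if "type" in rule and rule["type"] != "prefix":
            problems.append(f"{rwhere}: type must be 'prefix'")
        if "origin" in rule:  # each path rule carries its own nested origin
            problems += check_origin(rule["origin"], f"{rwhere}.origin")
    return problems

def check_config(cfg):
    problems = []
    for svc in cfg.get("services", []):
        where = f"services[{svc.get('name', '?')}]"
        problems += missing("service", svc, where)
        for sub in svc.get("subdomains", []):
            swhere = f"{where}.subdomains[{sub.get('name', '?')}]"
            problems += missing("subdomain", sub, swhere)
            # Assumption: flag SSO on a non-SSL listener (token cookie arrives over plain HTTP).
            if sub.get("enableSso") and sub.get("enableSsl") is False:
                problems.append(f"{swhere}: enableSso is set but enableSsl is false")
        if "origin" in svc:
            problems += check_origin(svc["origin"], f"{where}.origin")
    return problems

# Constructed sample, shaped like yaml.safe_load() output for an apps.yaml.
SAMPLE = {"services": [{"name": "static", "subdomains": [
    {"name": "www", "enabled": "true", "enableSsl": False, "enableSso": True,
     "enableClientCerts": False, "baseUrl": "test.com", "port": 80}],
    "origin": {"type": "local", "root": "/data/static/html", "pathRules": [
        {"type": "prefix", "path": "/api/", "origin": {"type": "remote", "host": "backend.web"}}]}}]}
if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE)) or "ok")
```
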

The default error page can be overridden by changing the template file: `/etc/lurch/error.html`.
Note that the syntax in `error.html` is for resty.template, not Golang templating.
Check `lua/error_page.lua`.

A default certificate needs to be supplied, even when using LetsEncrypt (in case issuance fails).
Lurch generates a self-signed one for you automatically, but should you need to add your own, lurch expects a `server.crt` and `server.key` placed in `/usr/local/openresty/nginx/ssl/<baseUrl>/`.

FYI: A `subdomain` with no `port` will default to 443.