oauth2-proxy and nginx configuration sample
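server {
    # Plain-HTTP listener whose only job is to bounce every request to HTTPS.
    listen 80;
    # Added for parity with the TLS server below, which also listens on IPv6;
    # without it IPv6 clients reaching port 80 never get the redirect.
    listen [::]:80;
    server_name _;
    # Permanent redirect, keeping the requested host and full path/query.
    return 301 https://$host$request_uri;
}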
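server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # NOTE(review): "_" is a catch-all name. If another 443 server block in the
    # same nginx instance also uses "_" (the transmission vhost in this gist
    # does), nginx keeps only the first one and logs "conflicting server name";
    # give each vhost its own server_name.
    server_name _;
    access_log /var/log/nginx/prometheus.access.log;
    error_log /var/log/nginx/prometheus.error.log;
    # TLS protocol/cipher settings; presumably ssl_certificate/ssl_certificate_key
    # come from this include as well - nothing in this block sets them, confirm.
    include /etc/nginx/options-ssl-nginx.conf;
    ssl_dhparam /etc/nginx/ssl-dhparams.pem;
    # HSTS. nginx does NOT inherit add_header into a location that declares its
    # own add_header, so any such location below repeats this line.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

    # oauth2-proxy's own endpoints (sign_in, start, callback, sign_out, ...).
    location /oauth2/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Report the actual client-certificate verification result instead of a
        # hard-coded "SUCCESS". No ssl_verify_client is configured in this block,
        # so this is "NONE" and the *_DN headers below are empty - do not let an
        # upstream treat them as proof of a verified client.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        # Where oauth2-proxy sends the browser back after a successful sign-in.
        # $request_uri survives the internal error_page redirect below, so this
        # is the originally requested path.
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # This listener is TLS-only; advertise the real scheme so the redirect
        # URLs oauth2-proxy builds are https, not http (the original hard-coded
        # "http" sent users back through the port-80 redirect loop).
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Target of auth_request. Subrequests carry no body, so drop it and blank
    # Content-Length or the upstream waits for a body that never arrives.
    location /oauth2/auth {
        proxy_pass http://127.0.0.1:8080;
        proxy_pass_request_body off;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Same reasoning as in /oauth2/: real verification result, not "SUCCESS".
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Content-Length "";
    }

    # Protected Prometheus UI, with identity headers taken from the auth subrequest.
    location ^~ /prometheus/ {
        # Unauthenticated -> oauth2-proxy sign-in page via internal redirect.
        error_page 401 = /oauth2/sign_in;
        # Forward a cookie refreshed by oauth2-proxy during the auth subrequest.
        add_header Set-Cookie $auth_cookie;
        # Declaring add_header here switches off inheritance of the server-level
        # HSTS header, so it has to be repeated.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        auth_request /oauth2/auth;
        auth_request_set $user $upstream_http_x_auth_request_user;
        auth_request_set $email $upstream_http_x_auth_request_email;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        proxy_pass http://localhost:9090;
        # Identity as asserted by oauth2-proxy; only trustworthy because the
        # upstream is reachable solely through this proxy (localhost).
        proxy_set_header X-User $user;
        proxy_set_header X-Email $email;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
    }

    # Everything else: same upstream, same auth gate, but no X-User/X-Email.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
        proxy_pass http://localhost:9090;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        # TLS-only listener: real scheme, not the hard-coded "http".
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}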
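server {
    # Plain-HTTP listener whose only job is to bounce every request to HTTPS.
    listen 80;
    # Added for parity with the TLS server below, which also listens on IPv6;
    # without it IPv6 clients reaching port 80 never get the redirect.
    listen [::]:80;
    # NOTE(review): identical to the port-80 block above; if both live in one
    # nginx instance the second is ignored with a "conflicting server name"
    # warning (harmless here because they are the same).
    server_name _;
    # Permanent redirect, keeping the requested host and full path/query.
    return 301 https://$host$request_uri;
}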
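server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # NOTE(review): "_" is a catch-all name. If the prometheus vhost in this gist
    # runs in the same nginx instance, it also claims "_" on 443 and nginx keeps
    # only the first block ("conflicting server name" warning); give each vhost
    # its own server_name.
    server_name _;
    access_log /var/log/nginx/transmission.access.log;
    error_log /var/log/nginx/transmission.error.log;
    # TLS protocol/cipher settings; presumably ssl_certificate/ssl_certificate_key
    # come from this include as well - nothing in this block sets them, confirm.
    include /etc/nginx/options-ssl-nginx.conf;
    ssl_dhparam /etc/nginx/ssl-dhparams.pem;
    # HSTS. No location below declares its own add_header, so this is inherited.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

    # oauth2-proxy's own endpoints (sign_in, start, callback, sign_out, ...).
    # The OAuth callback is served here with the request body passed through.
    location /oauth2/ {
        proxy_pass http://127.0.0.1:8080;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Real client-certificate verification result instead of a hard-coded
        # "SUCCESS". No ssl_verify_client is configured in this block, so this
        # is "NONE" and the *_DN headers below are empty.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        # Where oauth2-proxy sends the browser back after a successful sign-in.
        proxy_set_header X-Auth-Request-Redirect $request_uri;
        # TLS-only listener: advertise the real scheme so redirect URLs built by
        # oauth2-proxy are https, not the hard-coded "http".
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Target of the auth_request in "location /". The original file gave this
    # body-stripping block to /oauth2/callback instead, so auth subrequests fell
    # through to /oauth2/ with a Content-Length the upstream could block on.
    # Subrequests carry no body: drop it and blank Content-Length.
    location /oauth2/auth {
        proxy_pass http://127.0.0.1:8080;
        proxy_pass_request_body off;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Content-Length "";
    }

    location / {
        auth_request /oauth2/auth;
        # oauth2-proxy's sign-in page is /oauth2/sign_in (with underscore); the
        # original "/oauth2/signin" sent unauthenticated users to a 404.
        error_page 401 = /oauth2/sign_in;
        # NOTE(review): this is the same port oauth2-proxy listens on, not a
        # transmission port - either oauth2-proxy is run with an --upstream
        # pointing at transmission (making auth_request redundant but harmless),
        # or this should point at the transmission RPC listener; confirm.
        proxy_pass http://127.0.0.1:8080;
        proxy_read_timeout 1800;
        proxy_connect_timeout 1800;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        # TLS-only listener: real scheme, not the hard-coded "http".
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}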