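server {
  listen 80;
  server_name localhost;

  # Everything under /oauth2/ is handled by oauth2-proxy itself (login,
  # callback, sign-out). Host/X-Real-IP/X-Scheme let it build correct
  # redirect URLs; X-Auth-Request-Redirect tells it where to send the user
  # back after a successful login.
  location /oauth2/ {
    proxy_pass http://oauth-proxy:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
  }

  # The auth_request subrequest below hits this endpoint for every request.
  # nginx forwards the original request body on subrequests; the auth check
  # only needs the cookie/headers, so drop the body (and its Content-Length)
  # instead of buffering and re-sending it on each check.
  # proxy_set_header is not inherited once a location defines its own, hence
  # the repetition.
  location = /oauth2/auth {
    proxy_pass http://oauth-proxy:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
  }

  location / {
    # Every request is first checked against oauth2-proxy; a 401 from the
    # subrequest becomes a redirect into the login flow.
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/start;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag.
    # proxy_set_header redefines these headers on the way to the backend, so
    # a client-supplied X-User/X-Email never reaches it; only the values
    # returned by the auth subrequest do.
    auth_request_set $user $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User $user;
    proxy_set_header X-Email $email;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    # (the refreshed cookie comes back on the subrequest and must be relayed
    # to the browser).
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    proxy_pass http://backend:8080/;
  }
}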
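# Run oauth2-proxy with the parameters required for GitLab auth.
#
# The cookie secret, client id and client secret are passed through from the
# environment rather than written on the command line: `-e NAME` with no
# value copies NAME from the calling shell, so the secrets do not end up in
# shell history or in the argv of the docker client. Export
# OAUTH2_PROXY_COOKIE_SECRET, OAUTH2_PROXY_CLIENT_ID and
# OAUTH2_PROXY_CLIENT_SECRET before running this.
#
# --cookie-secure=false is only acceptable for this plain-http local demo;
# keep secure cookies on behind TLS.
# --email-domain="*" lets every account on the GitLab instance through;
# narrow it for anything beyond a demo.
docker run -it --rm --name oauth-proxy \
  -e OAUTH2_PROXY_COOKIE_SECRET \
  -e OAUTH2_PROXY_CLIENT_ID \
  -e OAUTH2_PROXY_CLIENT_SECRET \
  a5huynh/oauth2_proxy \
  --cookie-secure=false \
  --upstream="http://upstream:80" \
  --http-address="0.0.0.0:4180" \
  --provider gitlab \
  --scope read_user \
  --login-url="https://gitlab.yourcompany.com/oauth/authorize" \
  --redeem-url="https://gitlab.yourcompany.com/oauth/token" \
  --validate-url="https://gitlab.yourcompany.com/api/v4/user" \
  --redirect-url="http://localhost:8080/oauth2/callback" \
  --email-domain="*" \
  --set-xauthrequest

# Run a demo backend that echoes the headers it receives, so the X-User /
# X-Email values set by nginx can be inspected.
docker run -it --rm --name backend brndnmtthws/nginx-echo-headers

# Then run nginx pointing to the oauth-proxy and backend containers.
# The bind-mount path is quoted so a working directory containing spaces
# does not split into several arguments.
docker run -it --rm -p 8080:80 \
  -v "$(pwd)/default.conf:/etc/nginx/conf.d/default.conf" \
  --link oauth-proxy --link backend nginx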
Is the `--upstream` flag actually used in this setup?
Have you encountered the error "Error loading cookied session: http: named cookie not present, removing session"? I've scoured the internet, and nothing has fixed my issue. I've set it up with these settings - not sure if it's docker-related or something else?
@es-
Have you encountered the error "Error loading cookied session: http: named cookie not present, removing session"? I've scoured the internet, and nothing has fixed my issue. I've set it up with these settings - not sure if it's docker-related or something else?
You should disable secure cookies if you are running over a plain HTTP connection.
cookie_secure = false
cookie_httponly = false
Thanks! For posterity, these are the settings that ultimately worked for me. I am running HTTPS.
# oauth2-proxy configuration for a TLS deployment that sits in front of an
# nginx container (the settings the commenter reports as working).
upstreams=[
"https://nginx_container:443/",
]
https_address="oauth2_proxy_container:443"
# Domains oauth2-proxy may redirect to after login; anything else is refused.
whitelist_domains=[
".domainhere.com",
]
reverse_proxy=true
# Only accounts with an e-mail in one of these domains are let through.
email_domains=[
"domainhere.com",
"perhapsanotherdomain.com",
"etc.com"
]
set_xauthrequest=true
set_authorization_header=true
cookie_expire="0h45m0s"
# Placeholder value; generate a random secret for a real deployment.
cookie_secret="randomstringhere"
cookie_secure=true
# NOTE(review): HttpOnly is off, so the session cookie is readable by scripts
# running on the page; confirm this is actually required — the auth_request
# flow does not need it.
cookie_httponly=false
# NOTE(review): SameSite=None sends the cookie on cross-site requests; only
# needed when the login round-trip crosses sites.
cookie_samesite="none"
tls_cert_file="/oauth2_proxy/ssl/domain.crt"
tls_key_file="/oauth2_proxy/ssl/domain.rsa"
provider="azure"
skip_provider_button=true
pass_authorization_header=true
pass_access_token=true
proxy_prefix="/oauth2"
cookie_refresh=true
session_store_type="redis"
# NOTE(review): TOML itself does not expand environment variables — confirm
# the loader substitutes $REDIS_PASSWORD here, otherwise the literal string is
# used as the password.
redis_connection_url="redis://:$REDIS_PASSWORD@redis:6379/0"
redirect_url="https://domainhere.com/oauth2/callback"
@fmaul you should probably redact `--cookie-secret`, `--client-id` and `--client-secret` (maybe those are already fake ones, but just in case).