nginx config that uses the oauth2-proxy (via auth_request) to authenticate against gitlab and then proxies all requests to a backend service while setting the auth headers X-User and X-Email
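server {
  listen 80;
  server_name localhost;

  # oauth2-proxy's own endpoints (/oauth2/start, /oauth2/callback, /oauth2/sign_in, ...).
  location /oauth2/ {
    proxy_pass http://oauth-proxy:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    # tells /oauth2/start where to send the user back to once logged in
    proxy_set_header X-Auth-Request-Redirect $request_uri;
  }

  # Target of the auth_request subrequest below. nginx does not send the client
  # body on a subrequest but would still forward the original Content-Length,
  # which makes the proxy wait for a body that never arrives; clear both.
  location = /oauth2/auth {
    proxy_pass http://oauth-proxy:4180;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Content-Length "";
    proxy_pass_request_body off;
  }

  location / {
    # every request is checked by oauth2-proxy first; an unauthenticated
    # request (401) is sent into the login flow instead of to the backend
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/start;

    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag.
    # proxy_set_header redefines these headers, so a value supplied by the
    # client in its own X-User/X-Email header is not what the backend sees.
    auth_request_set $user $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User $user;
    proxy_set_header X-Email $email;

    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    proxy_pass http://backend:8080/;
  }
}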
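#!/usr/bin/env bash
# Run oauth2-proxy with the parameters required for GitLab auth, a demo backend
# that echoes request headers, and an nginx in front of both (see default.conf).
#
# Each `docker run -it --rm` below stays in the foreground, so start them in
# separate terminals in this order.
#
# Required environment (never hard-code these in the script):
#   OAUTH2_PROXY_CLIENT_ID      GitLab application id
#   OAUTH2_PROXY_CLIENT_SECRET  GitLab application secret
#   OAUTH2_PROXY_COOKIE_SECRET  cookie encryption secret
# `docker run -e NAME` without a value copies NAME from the host environment, so
# the secrets are not visible on the container's command line (`ps`, docker inspect).
set -euo pipefail

: "${OAUTH2_PROXY_CLIENT_ID:?set to the GitLab application id}"
: "${OAUTH2_PROXY_CLIENT_SECRET:?set to the GitLab application secret}"
: "${OAUTH2_PROXY_COOKIE_SECRET:?set to the cookie secret}"

# --cookie-secure=false is only acceptable for this plain-http localhost demo;
# behind TLS leave the default (secure cookies) in place.
docker run -it --rm --name oauth-proxy \
  -e OAUTH2_PROXY_CLIENT_ID \
  -e OAUTH2_PROXY_CLIENT_SECRET \
  -e OAUTH2_PROXY_COOKIE_SECRET \
  a5huynh/oauth2_proxy \
  --cookie-secure=false \
  --upstream="http://upstream:80" \
  --http-address="0.0.0.0:4180" \
  --provider gitlab \
  --scope read_user \
  --login-url="https://gitlab.yourcompany.com/oauth/authorize" \
  --redeem-url="https://gitlab.yourcompany.com/oauth/token" \
  --validate-url="https://gitlab.yourcompany.com/api/v4/user" \
  --redirect-url="http://localhost:8080/oauth2/callback" \
  --email-domain="*" \
  --set-xauthrequest

# run a demo backend that echoes the headers it receives (X-User / X-Email)
docker run -it --rm --name backend brndnmtthws/nginx-echo-headers

# then run nginx pointing to the oauth-proxy and backend containers
docker run -it --rm -p 8080:80 \
  -v "$(pwd)/default.conf:/etc/nginx/conf.d/default.conf" \
  --link oauth-proxy --link backend nginx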
Thanks! For posterity, these are the settings that ultimately worked for me. I am running HTTPS.
# oauth2-proxy TOML settings as posted by the commenter, for an HTTPS deployment
# (oauth2-proxy terminates TLS itself and proxies to an nginx container).
upstreams=[
"https://nginx_container:443/",
]
https_address="oauth2_proxy_container:443"
# domains that may be used as post-login redirect targets
whitelist_domains=[
".domainhere.com",
]
reverse_proxy=true
# only accounts with one of these email domains are allowed in
email_domains=[
"domainhere.com",
"perhapsanotherdomain.com",
"etc.com"
]
# expose the authenticated user/email to the upstream (same headers as the nginx
# auth_request_set lines in default.conf use)
set_xauthrequest=true
set_authorization_header=true
cookie_expire="0h45m0s"
cookie_secret="randomstringhere"
cookie_secure=true
# NOTE(review): httponly=false makes the session cookie readable from page
# scripts and samesite="none" sends it on cross-site requests; both weaken the
# cookie, so confirm they are actually required by the application.
cookie_httponly=false
cookie_samesite="none"
tls_cert_file="/oauth2_proxy/ssl/domain.crt"
tls_key_file="/oauth2_proxy/ssl/domain.rsa"
provider="azure"
skip_provider_button=true
pass_authorization_header=true
pass_access_token=true
proxy_prefix="/oauth2"
# NOTE(review): cookie_refresh is normally given as a duration ("1h"); confirm a
# boolean is accepted by the oauth2-proxy version in use.
cookie_refresh=true
session_store_type="redis"
# NOTE(review): TOML does not expand $REDIS_PASSWORD by itself — confirm how this
# placeholder is substituted before the file is loaded.
redis_connection_url="redis://:$REDIS_PASSWORD@redis:6379/0"
redirect_url="https://domainhere.com/oauth2/callback"