Oauth2 authentication for zipkin web UI using oauth2_proxy

README.md

Tech: nginx + oauth2_proxy

1. Install oauth2_proxy (https://github.com/bitly/oauth2_proxy):

   $ go get github.com/bitly/oauth2_proxy
   

2. Set up your favourite OAuth2 provider (see https://github.com/bitly/oauth2_proxy for detailed instructions)

3. Run:

   $ oauth2_proxy --client-id=CLIENT_ID --client-secret=CLIENT_SECRET --cookie-secret=COOKIE_SECRET --email-domain=pricingmonkey.com
   

4. Change your nginx.conf to match this gist (or just copy-paste if doing this from scratch).

5. Make sure these variables match your configuration:

• oauth2_proxy_uri
• upstream_uri

Known limitations

• no visible log out link (user will be logged out when they navigate to: http://ZIPKIN_URL/oauth2/sign_in).
• auth_request does not support conditional authentication. We need this to allow unauthenticated insertion of spans (POST api/v1/span). I hacked away around it, but this clearly increases complexity. (Source: https://stackoverflow.com/questions/29210428/nginx-optional-auth-request)

nginx.conf

server {
    listen 80;
    
    set $oauth2_proxy_uri 127.0.0.1:4180;
    set $upstream_uri 127.0.0.1:9411;
    
    location /oauth2/ {
        proxy_pass       http://$oauth2_proxy_uri;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    location /__auth {
        internal;
        proxy_pass http://$oauth2_proxy_uri/oauth2/auth;
    }

    location / {
        if ($request_method != POST) {
            rewrite ^(.*)$ /_auth$1 last;
        }
        proxy_pass http://$upstream_uri;
        proxy_connect_timeout 300;
    }

    location ~ /_auth(.*) {
        internal;

        set $actual_path $1;
        auth_request /__auth;
        error_page 401 = /oauth2/sign_in;

        # pass information via X-User and X-Email headers to backend,
        # requires running with --set-xauthrequest flag
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        proxy_set_header X-User  $user;
        proxy_set_header X-Email $email;

        # if you enabled --cookie-refresh, this is needed for it to work with auth_request
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_pass http://$upstream_uri$actual_path/?$query_string;
        proxy_connect_timeout 300;
    }
}