-
-
Save shbatm/ee64c8975380d1994d18099403d4de4d to your computer and use it in GitHub Desktop.
nginx config that uses the oauth2-proxy (via auth_request) to authenticate against gitlab and then proxies all requests to a backend service while setting the auth headers X-User and X-Email
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server { | |
| listen 80; | |
| server_name localhost; | |
| location /oauth2/ { | |
| proxy_pass http://oauth-proxy:4180; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Scheme $scheme; | |
| proxy_set_header X-Auth-Request-Redirect $request_uri; | |
| } | |
| location / { | |
| auth_request /oauth2/auth; | |
| error_page 401 = /oauth2/start; | |
| # pass information via X-User and X-Email headers to backend, | |
| # requires running with --set-xauthrequest flag | |
| auth_request_set $user $upstream_http_x_auth_request_user; | |
| auth_request_set $email $upstream_http_x_auth_request_email; | |
| proxy_set_header X-User $user; | |
| proxy_set_header X-Email $email; | |
| # if you enabled --cookie-refresh, this is needed for it to work with auth_request | |
| auth_request_set $auth_cookie $upstream_http_set_cookie; | |
| add_header Set-Cookie $auth_cookie; | |
| proxy_pass http://backend:8080/; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # run oauth2-proxy with required paramters for gitlab auth | |
| docker run -it --rm --name oauth-proxy a5huynh/oauth2_proxy \ | |
| --cookie-secure=false \ | |
| --upstream="http://upstream:80" \ | |
| --http-address="0.0.0.0:4180" \ | |
| --provider gitlab \ | |
| --scope read_user \ | |
| --login-url="https://gitlab.yourcompany.com/oauth/authorize" \ | |
| --redeem-url="https://gitlab.yourcompany.com/oauth/token" \ | |
| --validate-url="https://gitlab.yourcompany.com/api/v4/user" \ | |
| --redirect-url="http://localhost:8080/oauth2/callback" \ | |
| --email-domain="*" \ | |
| --cookie-secret=5emaI8pW6kNr4ICj4TmTSg \ | |
| --client-id=4f40001533f4a1da5361b476bb93cc0f0f5218b0f7e306e5810a16ef4810f713 \ | |
| --client-secret=0a69708d09b905f19858263c32c3e7eef366c892eb99e5a3c854fb4fa9b4d6f8 \ | |
| --set-xauthrequest | |
| # run a demo backend that echos headers | |
| docker run -it --rm --name backend brndnmtthws/nginx-echo-headers | |
| # then run nginx pointing to the oauth-proxy and backend containers | |
| docker run -it --rm -p 8080:80 -v $(pwd)/default.conf:/etc/nginx/conf.d/default.conf --link oauth-proxy --link backend nginx | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment