Authenticate our Reverse Proxy

README.md

General

• This note, just wanna to share about OAUTH2PROXY for authenticate all our endpoints behind Nginx.

Prepare OAUTH2PROXY

wget https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v7.4.0/oauth2-proxy-v7.4.0.linux-amd64.tar.gz
tar -xzvf oauth2-proxy-v7.4.0.linux-amd64.tar.gz
cd oauth2-proxy-v7.4.0.linux-amd64

OAUTH2Proxy Configurar

./oauth2-proxy \
   --email-domain=*  \
   --cookie-secret=ababababababababababcabc \
   --cookie-secure=true \
   --provider=github \
   --client-id=XXXXXXXXXXXXXXXXXXXX \
   --client-secret=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY \
   --http-address="0.0.0.0:4180" \
   --github-user=exampleuser \
   --scope="user:email" \
   --upstream=http://172.17.0.3

On that configurar we can achieve :

• no restrict spesific email domain, cause --email-domain are *
• --clinet-id can get from Github or any IdP
• --client-secret can get from Github or any IdP
• --github-user strict to exampleuser
• --http-address="0.0.0.0:4180" so we can connect to oauth2proxy from any IP with port 4180
• --upstream=172.17.0.3 so after user authenticated, oauth2proxy will redirect to our apps (for example on here, my apps run on 172.17.0.3)
• --redirect-url=https://oauth.example.org/oauth2/callback OPTIONAL parameter
• You can get more parameter from Oauth2proxy Webpage

SystemD version

[Unit]
Description=OAUTH2PROXY
After=network.target

[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/root/dll/oauth2proxy/oauth2-proxy-v7.4.0.linux-amd64/oauth2-proxy --email-domain=* --cookie-secret=ababababababababababcabc --cookie-secure=true --provider=github --client-id=XXXXXXXXXXXXXXXXXXXX --client-secret=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY --http-address="0.0.0.0:4180" --github-org=someorganization --scope="user:email" --upstream=http://172.17.0.3

[Install]
WantedBy=multi-user.target

• If your upstream are HTTPS you can use --ssl-upstream-insecure-skip-verify=true

Example for Strict to Spesific Github User

[Unit]
Description=OAUTH2PROXY-Pritunl
After=network.target

[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/root/dll/oauth2proxy/oauth2-proxy-v7.4.0.linux-amd64/oauth2-proxy --email-domain=* --cookie-secret=ababababababababababcabc --cookie-secure=true --provider=github --github-user=usernameGithub --scope="user:email" --client-id=5fd1b0f98dcbb1juhsy3 --client-secret=449c55276e4e308872ea0ded5fju4g3bd0c1da5d --http-address="0.0.0.0:8011" --upstream=https://192.168.100.250 --redirect-url=https://yourdomaincallback/oauth2/callback --ssl-upstream-insecure-skip-verify=true

[Install]
WantedBy=multi-user.target

Websocket & Bypass Token

You can use this parameter :

• --pass-access-token=true --proxy-websockets=true
  • Reference 1

Reference

• https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls
• https://developers.canal-plus.com/blog/install-nginx-reverse-proxy-with-github-oauth2/
• https://github.com/openai/oauth2_proxy/blob/master/README.md
• for K8s : https://github.com/gilangvperdana/K8s-PlayGround/blob/master/Oauth2Proxy/oauth2proxy-values.yml