- This note shares how to use OAUTH2PROXY to authenticate all our endpoints behind Nginx.
```sh
wget https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v7.4.0/oauth2-proxy-v7.4.0.linux-amd64.tar.gz
tar -xzvf oauth2-proxy-v7.4.0.linux-amd64.tar.gz
cd oauth2-proxy-v7.4.0.linux-amd64
./oauth2-proxy \
  --email-domain=* \
  --cookie-secret=ababababababababababcabc \
  --cookie-secure=true \
  --provider=github \
  --client-id=XXXXXXXXXXXXXXXXXXXX \
  --client-secret=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY \
  --http-address="0.0.0.0:4180" \
  --github-user=exampleuser \
  --scope="user:email" \
  --upstream=http://172.17.0.3
```
With that configuration we achieve:
- no restriction to a specific email domain, because `--email-domain` is `*`
- `--client-id` and `--client-secret`: obtained from GitHub or any other IdP
- `--github-user`: restricts login to `exampleuser`
- `--http-address="0.0.0.0:4180"`: oauth2proxy listens on port 4180 on all interfaces, so we can connect to it from any IP
- `--upstream=http://172.17.0.3`: after the user is authenticated, oauth2proxy forwards the request to our app (in this example my app runs on 172.17.0.3)
- `--redirect-url=https://oauth.example.org/oauth2/callback`: OPTIONAL parameter
- `--real-client-ip-header=X-Forwarded-For --reverse-proxy`: use these if you want to pass the real client IP
- You can find more parameters on the Oauth2proxy webpage
```ini
[Unit]
Description=OAUTH2PROXY
After=network.target

[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/root/dll/oauth2proxy/oauth2-proxy-v7.4.0.linux-amd64/oauth2-proxy --email-domain=* --cookie-secret=ababababababababababcabc --cookie-secure=true --provider=github --client-id=XXXXXXXXXXXXXXXXXXXX --client-secret=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY --http-address="0.0.0.0:4180" --github-org=someorganization --scope="user:email" --upstream=http://172.17.0.3

[Install]
WantedBy=multi-user.target
```
- If your upstream is served over HTTPS, you can use `--ssl-upstream-insecure-skip-verify=true` (this disables verification of the upstream's TLS certificate, as the flag name says)
```ini
[Unit]
Description=OAUTH2PROXY-Pritunl
After=network.target

[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/root/dll/oauth2proxy/oauth2-proxy-v7.4.0.linux-amd64/oauth2-proxy --email-domain=* --cookie-secret=ababababababababababcabc --cookie-secure=true --provider=github --github-user=usernameGithub --scope="user:email" --client-id=5fd1b0f98dcbb1juhsy3 --client-secret=449c55276e4e308872ea0ded5fju4g3bd0c1da5d --http-address="0.0.0.0:8011" --upstream=https://192.168.100.250 --redirect-url=https://yourdomaincallback/oauth2/callback --ssl-upstream-insecure-skip-verify=true

[Install]
WantedBy=multi-user.target
```
You can also use these parameters: `--pass-access-token=true --proxy-websockets=true`
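The units above put the cookie secret and the OAuth client secret directly on the `ExecStart` line, and the sample cookie secret is a fixed, human-readable string. The script below is an added example (not from this note or from the oauth2-proxy project): it generates a random 32-byte cookie secret, checks that a secret has one of the lengths oauth2-proxy accepts (16, 24 or 32 bytes, raw or base64-encoded), stores the secrets in a 0600 environment file, and writes a unit that loads them via `EnvironmentFile` using the `OAUTH2_PROXY_*` variable names oauth2-proxy maps to its flags. The install paths, the `oauth2-proxy` service user and the systemd hardening directives are assumptions; the client id/secret are the note's `XXXX`/`YYYY` placeholders.

```sh
#!/bin/sh
# Added example, not from the original note or the oauth2-proxy project.
# Assumptions: binary installed at /opt/oauth2-proxy/oauth2-proxy, a system
# user "oauth2-proxy" exists, config lives under /etc/oauth2-proxy.
set -eu

# oauth2-proxy needs a cookie secret of 16, 24 or 32 bytes, supplied either
# raw or base64/URL-safe-base64 encoded. Returns 0 when $1 is acceptable.
check_cookie_secret() {
  raw_len=$(printf '%s' "$1" | wc -c | tr -d ' ')
  # Map the URL-safe alphabet back to standard base64 and decode; invalid
  # input just yields a short or empty decode, which fails the check.
  dec_len=$(printf '%s' "$1" | tr '_-' '/+' | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  for n in "$raw_len" "$dec_len"; do
    case "$n" in 16|24|32) return 0 ;; esac
  done
  return 1
}

# 32 random bytes as URL-safe base64 (44 characters), the same shape the
# upstream docs recommend, instead of a hand-typed string.
gen_cookie_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n' | tr '+/' '-_'
}

# Write the secrets file ($1, mode 0600) and the unit file ($2).
write_config() {
  env_file=$1
  unit_file=$2
  cookie_secret=$(gen_cookie_secret)
  check_cookie_secret "$cookie_secret" || return 1

  umask 077   # secrets must not be readable by other users
  cat > "$env_file" <<EOF
# Loaded by systemd; each variable maps to the oauth2-proxy flag of the same name.
OAUTH2_PROXY_COOKIE_SECRET=$cookie_secret
OAUTH2_PROXY_CLIENT_ID=XXXXXXXXXXXXXXXXXXXX
OAUTH2_PROXY_CLIENT_SECRET=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
EOF

  umask 022   # the unit itself holds no secrets any more
  cat > "$unit_file" <<EOF
[Unit]
Description=oauth2-proxy (GitHub login in front of the upstream app)
After=network.target

[Service]
Type=simple
User=oauth2-proxy
EnvironmentFile=$env_file
ExecStart=/opt/oauth2-proxy/oauth2-proxy --provider=github --email-domain=* --cookie-secure=true --github-org=someorganization --scope=user:email --http-address=0.0.0.0:4180 --upstream=http://172.17.0.3
Restart=on-failure
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Usage: sh this.sh install   (as root; then check `journalctl -u oauth2-proxy`)
if [ "${1:-}" = install ]; then
  mkdir -p /etc/oauth2-proxy
  write_config /etc/oauth2-proxy/oauth2-proxy.env /etc/systemd/system/oauth2-proxy.service
  systemctl daemon-reload && systemctl enable --now oauth2-proxy
fi
```

Running as a dedicated user with `NoNewPrivileges` and `ProtectSystem=strict` replaces the note's `/root/...` install path, and keeping the secrets in an `EnvironmentFile` means `systemctl show` and `ps` no longer reveal them on the command line.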
References:
- https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls
- https://developers.canal-plus.com/blog/install-nginx-reverse-proxy-with-github-oauth2/
- https://github.com/openai/oauth2_proxy/blob/master/README.md
- for K8s: https://github.com/gilangvperdana/K8s-PlayGround/blob/master/Oauth2Proxy/oauth2proxy-values.yml