@gilangvperdana
Last active July 8, 2024 06:03
Authenticate our Reverse Proxy

General

  • This note is a short write-up on using OAUTH2PROXY (oauth2-proxy) to authenticate all of our endpoints behind Nginx.

Prepare OAUTH2PROXY

wget https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v7.4.0/oauth2-proxy-v7.4.0.linux-amd64.tar.gz
tar -xzvf oauth2-proxy-v7.4.0.linux-amd64.tar.gz
cd oauth2-proxy-v7.4.0.linux-amd64

OAUTH2Proxy Configuration

./oauth2-proxy \
   --email-domain=*  \
   --cookie-secret=ababababababababababcabc \
   --cookie-secure=true \
   --provider=github \
   --client-id=XXXXXXXXXXXXXXXXXXXX \
   --client-secret=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY \
   --http-address="0.0.0.0:4180" \
   --github-user=exampleuser \
   --scope="user:email" \
   --upstream=http://172.17.0.3

With that configuration we get:

  • no restriction to a specific email domain, because --email-domain is *
  • --client-id is obtained from GitHub or any other IdP
  • --client-secret is obtained from GitHub or any other IdP
  • --github-user restricts access to exampleuser
  • --http-address="0.0.0.0:4180" so we can reach oauth2-proxy from any IP on port 4180
  • --upstream=http://172.17.0.3 so that, once the user is authenticated, oauth2-proxy forwards the request to our app (in this example my app runs on 172.17.0.3)
  • --redirect-url=https://oauth.example.org/oauth2/callback is an OPTIONAL parameter
  • --real-client-ip-header=X-Forwarded-For --reverse-proxy <- if you want to pass the real client IP through
  • More parameters are documented on the oauth2-proxy web page

systemd version

[Unit]
Description=OAUTH2PROXY
After=network.target

[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/root/dll/oauth2proxy/oauth2-proxy-v7.4.0.linux-amd64/oauth2-proxy --email-domain=* --cookie-secret=ababababababababababcabc --cookie-secure=true --provider=github --client-id=XXXXXXXXXXXXXXXXXXXX --client-secret=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY --http-address="0.0.0.0:4180" --github-org=someorganization --scope="user:email" --upstream=http://172.17.0.3

[Install]
WantedBy=multi-user.target
  • If your upstream is HTTPS you can use --ssl-upstream-insecure-skip-verify=true (this skips verification of the upstream's TLS certificate)

Example restricted to a specific GitHub user

[Unit]
Description=OAUTH2PROXY-Pritunl
After=network.target

[Service]
Type=simple
RemainAfterExit=yes
ExecStart=/root/dll/oauth2proxy/oauth2-proxy-v7.4.0.linux-amd64/oauth2-proxy --email-domain=* --cookie-secret=ababababababababababcabc --cookie-secure=true --provider=github --github-user=usernameGithub --scope="user:email" --client-id=5fd1b0f98dcbb1juhsy3 --client-secret=449c55276e4e308872ea0ded5fju4g3bd0c1da5d --http-address="0.0.0.0:8011" --upstream=https://192.168.100.250 --redirect-url=https://yourdomaincallback/oauth2/callback --ssl-upstream-insecure-skip-verify=true

[Install]
WantedBy=multi-user.target
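
Before enabling either unit it is worth checking the ExecStart line for the settings the flag list above explains (cookie-secret length, --email-domain=* without a --github-user/--github-org restriction, --ssl-upstream-insecure-skip-verify, a client secret on the command line). The checker below is an added example, not part of this gist or of oauth2-proxy; it assumes the command line is handed over as a string, uses placeholder secrets, treats "fewer than 8 distinct characters" as a heuristic for a placeholder cookie-secret, and mentions --client-secret-file, an oauth2-proxy flag this page does not use.

```python
import shlex

# Constructed sample modelled on the gist's ExecStart line (client id/secret are placeholders).
SAMPLE_CMDLINE = (
    "/opt/oauth2-proxy/oauth2-proxy --email-domain=* "
    "--cookie-secret=ababababababababababcabc --cookie-secure=true "
    "--provider=github --client-id=XXXXXXXXXXXXXXXXXXXX "
    "--client-secret=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY "
    '--http-address="0.0.0.0:4180" --scope="user:email" '
    "--upstream=https://192.168.100.250 --ssl-upstream-insecure-skip-verify=true"
)

# Flags that narrow who may log in when --email-domain=* is combined with the GitHub provider.
GITHUB_RESTRICTIONS = ("github-user", "github-org", "github-team")


def parse_flags(cmdline):
    """Turn an oauth2-proxy command line into {flag: [values]}; repeatable flags keep every value."""
    flags = {}
    for tok in shlex.split(cmdline)[1:]:  # [0] is the binary path
        if not tok.startswith("--"):
            continue
        name, _, value = tok[2:].partition("=")
        flags.setdefault(name, []).append(value or "true")  # a bare --flag means true
    return flags


def audit_flags(flags):
    """Return (code, message) findings for the settings discussed in the gist."""
    findings = []
    secret = flags.get("cookie-secret", [""])[0]
    if len(secret.encode()) not in (16, 24, 32):  # AES key sizes oauth2-proxy accepts
        findings.append(("cookie-secret-length", "cookie-secret must be 16, 24 or 32 bytes"))
    if len(set(secret)) < 8:  # heuristic (assumption): placeholder secrets reuse a few characters
        findings.append(("cookie-secret-weak", "cookie-secret looks like a placeholder; generate a random one"))
    if flags.get("cookie-secure", ["true"])[0].lower() != "true":
        findings.append(("cookie-insecure", "cookie-secure=false lets the session cookie travel over plain HTTP"))
    if flags.get("email-domain", [""])[0] == "*" and not any(r in flags for r in GITHUB_RESTRICTIONS):
        findings.append(("open-email-domain", "email-domain=* without github-user/org/team admits any GitHub account"))
    if flags.get("ssl-upstream-insecure-skip-verify", ["false"])[0].lower() == "true":
        findings.append(("tls-verify-disabled", "upstream TLS certificate is not verified"))
    if "client-secret" in flags:
        findings.append(("secret-on-cmdline", "client-secret is readable in the unit file and ps; prefer --client-secret-file"))
    return findings


def audit_cmdline(cmdline):
    return audit_flags(parse_flags(cmdline))


if __name__ == "__main__":
    for code, msg in audit_cmdline(SAMPLE_CMDLINE):
        print(f"[{code}] {msg}")
```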

Websocket & Bypass Token

You can use these parameters:

  • --pass-access-token=true --proxy-websockets=true

Reference
